
Pretty Good Privacy

Abstract:

This paper gives a brief outline of a system called Pretty Good Privacy (PGP), which was invented by Philip Zimmermann in 1991. We first start with cryptography and then move on to Pretty Good Privacy: how it works, its pros and cons, and finally some legal issues which its inventor faced.

Introduction to cryptography: [4]

Cryptography is the study of the various methods by which we can hide data. Everyday uses of cryptography include ATM cards (a small chip embedded in the card stores all of the holder's data) and the protection of military communications, which is a major use of cryptography: important army information is generally sent encrypted and is decrypted again in order to be read.

Nowadays cryptography mainly deals with the encryption of data. In the old days of army communications every army had to have its own way of encrypting, for instance shifting every letter by three positions (so that a is written as d), so that even if the enemy managed to get hold of the message they could not understand it (this is itself a type of encryption, called Caesar's shift cipher). In modern days, where data is sent through unsecured networks, private data cannot be sent without encryption. The study of secure encryption and decryption is known as cryptography; decryption is the technique for turning encrypted data back into its original form.

The main objective of cryptography is that the receiver of a message should know for certain that the message from the sender was not manipulated in transit. Even while performing encryption and decryption there is a chance that the encrypting or decrypting device itself is attacked.

Types of cryptography:

Cryptography mainly depends on the amount of data it has to secure. Strong cryptography is basically used by large companies and government organizations to transfer huge amounts of data. The main advantage of strong cryptography is that no one can decrypt the data without the proper decrypting device. Conventional cryptography uses one key for both encryption and decryption; Caesar's cipher is one such technique. This is an old technique and is not so secure to use compared with present techniques. The major advantage of conventional cryptography is its speed. The major disadvantage is the safety of the key: the sender and the receiver must both know the key before they exchange messages, and for this they again have to rely on unsecured channels such as telephone or courier. To remove this disadvantage, public key cryptography was introduced. In public key cryptography two keys are used, one public key and one private key. The public key is used to encrypt the data and the private key is used to decrypt it. Hence even if someone intercepts the message, they have only the public key and can do nothing with it.

Pretty Good Privacy: [5] [1]

It is a program which encrypts, decrypts and signs email, and thus provides security for the email we send.

How it works:

PGP has the features of both conventional and public key cryptography. Whenever an email is passed through the PGP program it first compresses the email; compressing the email is good practice because the compressed email can be sent faster and it saves a lot of memory. PGP then creates a randomly generated key called the session key. The email is encrypted with this session key to form a cipher text. The session key is then encrypted with the recipient's public key, and this completes the encryption of the email. The receiver uses his private key to recover the session key and then decrypts the cipher text to get back the actual mail.

Keys:

There are public keys and private keys, which we use to encrypt and decrypt values in a program. A key combines with the input text to form a cipher text. The larger the public key, the greater the security, but we should also take care of the end user's requirements, because if the key is large then decryption takes a lot of time. These keys are stored on the hard disk in two separate locations, one for public keys and another for private keys. These files are called key rings.
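The encryption flow described under "How it works", together with the public/private key pair just described, carried out as an added example in Go. This is illustration code written for this page, not PGP's own implementation, and it assumes modern stand-ins for the algorithms the paper leaves unnamed: zlib for compression, AES-256-GCM as the conventional cipher for the message body, and RSA-OAEP with a 2048-bit key to wrap the session key. The function names Seal, Open and RoundTrip are constructed here.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// newGCM builds an AES-256-GCM cipher from a 32-byte session key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal follows the flow described above: compress the message, generate a
// random session key, encrypt the compressed message with it, then encrypt
// the session key with the recipient's public key. It returns the wrapped
// session key and the ciphertext (nonce prepended) that travel together.
func Seal(pub *rsa.PublicKey, msg []byte) (wrappedKey, ciphertext []byte, err error) {
	// 1. Compress the plaintext.
	var zbuf bytes.Buffer
	zw := zlib.NewWriter(&zbuf)
	zw.Write(msg) // writes into an in-memory buffer; errors surface on Close
	if err = zw.Close(); err != nil {
		return nil, nil, err
	}
	// 2. Fresh random session key, used for this message only.
	sessionKey := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, nil, err
	}
	// 3. Conventional (symmetric) encryption of the compressed message.
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	ciphertext = gcm.Seal(nonce, nonce, zbuf.Bytes(), nil) // nonce || ciphertext
	// 4. Public-key encryption of the short session key only.
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return wrappedKey, ciphertext, err
}

// Open is the receiver's side: recover the session key with the private key,
// decrypt the ciphertext with it, then decompress to get the original mail.
func Open(priv *rsa.PrivateKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err // not the intended recipient
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, io.ErrUnexpectedEOF
	}
	compressed, err := gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
	if err != nil {
		return nil, err // ciphertext was modified in transit
	}
	zr, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// RoundTrip generates a recipient key pair, seals msg to it and opens the
// result, returning the recovered plaintext.
func RoundTrip(msg []byte) ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	wrappedKey, ciphertext, err := Seal(&priv.PublicKey, msg)
	if err != nil {
		return nil, err
	}
	return Open(priv, wrappedKey, ciphertext)
}
```

The slow public-key operation is applied only to the 32-byte session key, while the bulk of the mail goes through the fast conventional cipher, which is the reason the paper gives for combining the two. Open returns an error rather than garbage when the wrapped key is opened with the wrong private key or when the ciphertext was altered in transit.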

Digital Signature:

This is the major advantage of PGP. Every email which is sent carries the digital signature of the sender, and the sender cannot deny the message because it bears his own digital signature.

Hash Functions:

A hash function is an extension to the scheme above. In the context above, signing the whole message would produce a large output. Instead we apply a hash function, which controls the size of the output message, and the result is digitally signed with the private key and sent to the recipient. On decryption the signature is checked again; if any change occurred to the data in between, the signature no longer matches, so our data is made still more secure.
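The hash-then-sign step just described, as an added example (not code from the paper or from PGP): the sender hashes the message with SHA-256 and signs only the fixed-size digest with an RSA-PSS private key; the receiver recomputes the digest and verifies it against the signature. SHA-256 and RSA-PSS are assumed stand-ins for the unnamed algorithms, and Sign, Verify, Demo and the sample messages are constructed for this illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the message with SHA-256 and signs only the fixed-size digest
// with the sender's private key (RSA-PSS), so the signature stays short no
// matter how long the message is.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest on the receiver's side and checks it against
// the signature with the sender's public key. Any change to msg changes the
// digest, so the check fails.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Demo signs a constructed message, then verifies the signature against the
// original and against a copy altered in transit, returning both results.
func Demo() (okOriginal, okAltered bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	msg := []byte("transfer 100 to account 42") // constructed sample message
	sig, err := Sign(priv, msg)
	if err != nil {
		return false, false, err
	}
	altered := []byte("transfer 900 to account 42") // one digit changed in transit
	return Verify(&priv.PublicKey, msg, sig), Verify(&priv.PublicKey, altered, sig), nil
}

func main() {
	okOriginal, okAltered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", okOriginal) // true
	fmt.Println("altered verifies: ", okAltered)  // false
}
```

Because the signature covers the digest, a single changed digit in the altered copy produces a completely different SHA-256 value and verification fails, which is the tamper detection the paragraph describes; the same mechanism gives the non-repudiation property claimed under Digital Signature, since only the holder of the private key could have produced a signature that verifies under the matching public key.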

Digital certificate:

In PGP, every time the receiver receives a message it has to check the digital signature and confirm whether it is genuine or not. But the receiver has to obtain this digital signature separately in order to check it, and when it is sent through unsecured networks there is a chance of forgery. Hence we send a certificate: a certificate consists of a public key, the signature of the sender, and the signatures of two others who sign to attest that the approval is genuine.

Certificate distribution:

Generally, for a small group of people it is better to exchange certificates manually on hard disks or other storage devices, but for large scale usage we use certificate servers. A certificate server is a database of certificates, and it admits only certificates which comply with its policies. There is also the public key infrastructure (PKI), which provides both certificate storage and the means of storing and retrieving these certificates, that is, the management facilities. There are two different certificate formats. The X.509 format includes the certificate holder's public key and the serial number of the certificate. The other format is the PGP certificate, which includes the PGP version number, the certificate holder's public key, the certificate holder's information, the digital signature of the certificate owner, the certificate's validity period, and the preferred symmetric encryption algorithm for the key.

Validity:

In PGP we constantly have to check whether a certificate is genuine or not, as there is a real probability of a mistake. Validity tells a person that a certificate belongs to a particular person. After checking that it is valid we can stamp it and send it to a server so that it becomes easy for others to see. Validity can be checked by the use of fingerprints. In PGP, fingerprints are stored in the form of a numeric value, hence we can simply call the person and ask for his fingerprint's numeric value.
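The certificate contents listed under Certificate distribution (holder's public key, serial number, validity period, issuer's signature) and the fingerprint check just described, as an added example in Go using the standard library's X.509 support. This is illustration code written for this page, not PGP's software or any real certificate server: a self-signed issuer certificate is created, a user certificate is issued under it, and the user certificate is checked by a verifier who trusts that issuer and by one who trusts an unrelated issuer; Fingerprint computes the SHA-256 of the certificate's public key, the kind of short value that can be read out over the phone. The issuer names, the subject alice@example.test and the serial numbers are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// newCert issues a certificate for pubKey with the given subject, signed by
// parentKey under parentCert. With parentCert == nil the certificate is
// self-signed, which is how the issuer's own root certificate is produced.
func newCert(subject string, pubKey *ecdsa.PublicKey, serial int64, isCA bool,
	parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // validity period
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parentCert == nil {
		parentCert = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pubKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is the SHA-256 hash of the certificate's public key: the short
// value two people can read out to each other to confirm a key out of band.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// TrustedBy reports whether leaf chains to a root the verifier has chosen to trust.
func TrustedBy(leaf, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// Demo builds an issuer, issues a user certificate under it, and checks that
// the certificate is accepted by a verifier who trusts that issuer and
// rejected by a verifier who trusts a different one.
func Demo() (trusted, untrusted bool, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	caCert, err := newCert("Example Issuer", &caKey.PublicKey, 1, true, nil, caKey)
	if err != nil {
		return
	}
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	userCert, err := newCert("alice@example.test", &userKey.PublicKey, 2, false, caCert, caKey)
	if err != nil {
		return
	}
	otherKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	otherCA, err := newCert("Other Issuer", &otherKey.PublicKey, 3, true, nil, otherKey)
	if err != nil {
		return
	}
	return TrustedBy(userCert, caCert), TrustedBy(userCert, otherCA), nil
}
```

Verify checks the issuer's signature over the user certificate and that the current time falls inside its validity period; a verifier who never chose to trust the issuing key gets no assurance from the same certificate, which is why the paper insists that validity rests on trusting whoever signed. Comparing Fingerprint output over a second channel is the check that closes the gap when no trusted signer is available.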

Trust:

We have to trust people in order to validate the certificate. Generally people trust a CA to do all these things. Various trust models are possible: direct, hierarchical, and web of trust. Direct trust is simply the user trusting the certificate directly, as the user must know the other person. In the hierarchical model a CA knows some groups of users and gives the stamp on behalf of those users. Web of trust is a combination, or hybrid, of the two models above. It is like a rotation process: for example, we want a certificate and we sign ours, then it becomes the basis for another, and so on.

Comparison between PGP and other cryptosystems: [2]

In symmetric key or conventional cryptography only one key is used for both encryption and decryption, whereas in PGP we use two keys; furthermore, the conventional system has no digital signature concept. Both of these make it less secure than PGP.

Asymmetric key cryptography uses two keys, one public and one private, similar to PGP. The only difference is that asymmetric key cryptography does not have the digital signature concept, which makes it inferior to PGP. Some inventors even say that asymmetric key cryptography is the basic version of the present PGP.

Security of PGP: [5]

The PGP which is available now has good security and is accepted by many organizations and governments. Misuse of PGP can decrease the computer's performance and hence its security. PGP cannot stop others from stealing our data. The basic concept of PGP is identity verification, which is done by creating your own public key and getting it signed by other people whom you know. The public key can then be accessed by any person who wants to send you a mail, and we can check the digital signature in the mail by looking for the signature of a person whom we know; if it is present, the mail is valid. Some big companies use ssc on their websites for this identity check and spend millions of dollars just on verification of user identity.

Legal issues surrounding cryptography PGP and its inventors:

Not only PGP: from the very start of cryptography many legal issues have been raised against it. For example, the use of cryptography was prohibited in many countries because they held that sending data encrypted could be a serious threat to their national security. Even now countries like Russia, Singapore and Vietnam have restrictions on the usage of cryptography. After World War II many countries understood the use of cryptography in defence. The United States of America put a restriction on exports of encryption systems. Even the inventor of Pretty Good Privacy, Philip Zimmermann, had to go to jail on the charge made by RSA Security that the source was available on the Internet, and the inventor was investigated by the FBI for several years. [6] Then in 1995 Daniel Bernstein took the US government to court on free speech grounds, which led to the conclusion that source code for cryptographic algorithms is protected under the United States constitution as free speech.

The US National Security Agency was also involved in developing a cipher, and it drew criticism for producing a weak cipher which violated Kerckhoffs's principle; this special scheme included an escrow key which would be held by the government. Digital rights are also very important in cryptography, as all the keys and source code are protected under United States rights, and a famous Russian scientist was even arrested in the US for violating these rules.

Applications of PGP:

Although the primary usage of PGP is the encryption of email, after 2002 many types of programs slowly started to use PGP for encryption. The main encryption applications include email and attachments, digital signatures, full disk encryption, folder security, protection for IM sessions, and protection for files stored on network folders. There is also the PGP Desktop family, which provides the features of PGP such as security for instant messages, email, digital signatures, and folder security. There are also PGP servers which can give overall security to the files on a server; such a server can even transfer mails when there is no secure HTTPS. Not only PGP Corporation but many other companies implement PGP now; some of them are GNU Privacy Guard, cgeep pro, ...

What are the pros and cons of PGP?

Pros

• It digitally assigns a private key to the email so that no one can alter the mail.

• It verifies the sender's identity to check that the sender is real.

• Nobody can decrypt my mail except the receiver, since we encrypt with the public key and decrypt with the private key.

• Highly secure among the current series of cryptosystems.

Cons

• Slow in processing time compared to conventional systems.

Conclusion:

In this paper I have given a detailed view of cryptography, its history, various systems of cryptography (particularly Pretty Good Privacy), and the various legal issues faced by the inventors. We also gave a brief look at the differences between various systems of cryptography. I went into the deeper concepts of Pretty Good Privacy such as the various types of keys used, digital certificates and signatures, and even concepts like their validity and trust. We also saw the various pros and cons of Pretty Good Privacy, and we thus conclude that Pretty Good Privacy is a much superior technique or system among all the present systems of cryptography.

References:

[1] http://www.pgpi.org/doc/pgpintro/#p10

[2] http://www.giac.org/resources/whitepaper/cryptography/52.php

[3] http://en.wikipedia.org/wiki/Pretty_Good_Privacy#PGP_Corporation_encryption_applications

[4] http://en.wikipedia.org/wiki/Cryptography

[5] Michael W. Lucas, PGP & GPG: Email for the Practical Paranoid (electronic book)

[6] http://www.philzimmermann.com/EN/background/index.html

Bibliography:

[1] Applied Cryptography and Network Security -- Hutchison, David

[2] Public Key Cryptography PKC 2009 -- Hutchison, David