Pretty Good Privacy


Abstract: This paper gives a brief outline of a cryptography system called Pretty Good Privacy, which was invented by Philip Zimmermann in 1991. We start with cryptography and then move on to Pretty Good Privacy: how it works, its pros and cons, and finally some legal issues which the inventors had faced.

Introduction to cryptography: [4] Cryptography is the study of the various methods by which we can hide some amount of data. The major day-to-day uses of cryptology are ATM cards (a small piece of SIM embedded in the card stores all of our data), hiding passwords, and encryption, which forms a major use of cryptography (important army information is generally sent encrypted, and to read the message it is decrypted again). Nowadays cryptography deals mainly with the encryption of data. In the old days of army communications every army had to have its own way of encrypting; some, for example, used to add 3 letters to every letter, i.e. a is written as d, so that even if enemies managed to get the information they could not understand the message (this is a type of encryption called Caesar's shift cipher). In modern days, where data is sent through unsecured networks, private data can't be sent without encryption. The study of secure encryption and decryption is known as cryptography, and decryption is the technique of getting the encrypted data back to normal data. The main objective of cryptography is that the receiver of a message should clearly know that the message from the sender was not manipulated in transfer. Even while encryption and decryption are being performed, there is a chance of an attack on the encrypting or decrypting device.

Types of cryptography: Cryptography mainly depends on the amount of data it has to secure. Strong cryptography is basically used by large companies and government organizations to transfer huge amounts of data. The main advantage of strong cryptography is that no one can decrypt the data without a proper decrypting device. Conventional cryptography uses one key for encryption and decryption. It uses Caesar's cipher. This is an old technique and it is not as secure as the present techniques. The major advantage of conventional cryptography is its speed. The major disadvantage is the safety of the key. The sender and the receiver must both know the key before they exchange messages, and for this they again have to rely on unsecured communications like telephone or courier. To remove this disadvantage, public key cryptography was introduced. In public key cryptography two keys are used: one is the public key and the other is the private key. The public key is used to encrypt the data and the private key is used to decrypt it. Hence, even if anyone gets the message, he has only the public key and so can do nothing with the message.

Pretty Good Privacy: [5] [1] It is a program which encrypts, decrypts and signs email, and thus provides security for the email we send.

How it works: PGP has the features of both conventional and public key cryptosystems. Whenever an email is passed through the PGP program, it first compresses the email. Compressing the email is good practice because the compressed email can be sent faster and it saves a lot of memory. PGP then creates a key called the session key, which is randomly generated. The email is encrypted with this session key to form a cipher text. This cipher text is encrypted with a public key, and this ends the encryption part of the email. The receiver uses his private key to recover the session key and then decrypts the cipher text to get back the actual mail.

Keys: There are public keys and private keys, which we use to encrypt and decrypt the values in a program. A key combines with an algorithm and the input text to form a cipher text. The larger the public key, the greater the security, but we should also take care of the end user's requirements, because if the key is large it takes a lot of time to decrypt. These keys are stored on the hard disk in two separate locations, one for public keys and another for private keys. These files are called key rings.

Digital Signature: This is the major advantage of PGP. Every email which is sent has the sender's digital signature attached, and the sender can't deny the message as it carries his own digital signature.

Hash Functions: A hash function is just an extension to PGP. In the above context we get a huge amount of data as output after decryption. Instead we use a hash function, which controls the size of the output message, and this is then digitally signed. This is combined with the private key and sent to the recipient. Then, during decryption, the signature is checked: if any change occurs to the data in between, the signature changes immediately, hence our data is now even more secure.

Digital certificate: In PGP, every time the receiver receives a message he has to check the digital signature and confirm whether it is true or not. The receiver has to get this digital signature separately in order to check it, and when it is sent through unsecured networks there is a chance of forgery. Hence we send a certificate. A certificate consists of a public key, the signature of the sender, and two others who sign to approve that it is true.

Certificate distribution: Generally, for a small group of people it is better to exchange certificates manually on hard disks or any other data storage devices, but for large-scale usage we go for certificate servers. A certificate server is a database of certificates, and it allows certificates which comply with its policies. There is also a public key infrastructure, which provides both certificate storage and ways of storing and returning these certificates, i.e. the management facilities. There are two different certificate formats. One is X.509, which includes the certificate holder's public key, the serial number of the certificate, PGP certificates. The other format is PGP, which includes the PGP version number, the certificate holder's public key, certificate holder information, the digital signature of the certificate user, the certificate's validity period, and the preferred symmetric algorithm for the key.

Validity: In PGP we have to constantly check whether certificates are real or not, as there is a high probability of a mistake. Validity tells a person that a certificate belongs to a particular person. After checking for correct validation we can stamp the certificate and send it to a server so that it becomes easy for others to see. Validity can be checked by the use of fingerprints. In PGP, fingerprints are stored in the form of a numeric value, hence we can just call the person and ask for his fingerprint's numeric value.

Trust: We have to trust people in order to validate a certificate. Generally people trust a CA to do all these things. There are various trust models possible: direct, hierarchical and web. Direct trust means the user trusts a certificate directly, as the user must have known the other person. In the hierarchical model the CA knows some groups of users and gives the stamp on behalf of these users. Web trust is a combination, a hybrid model of both the above models. It is like a rotation process: for example, we want a certificate and we sign ours, then it becomes the base for another, and so on.

Comparison between PGP and other cryptosystems: [2] In symmetric key or conventional cryptography only one key is used for both encryption and decryption, whereas in PGP we use two keys, and in the conventional system there is no digital signature concept. Both of these make it less secure compared to PGP. Asymmetric key cryptography uses two keys, one public and one private, similar to PGP. The only difference is that asymmetric key cryptography doesn't have the digital signature concept, which makes it inferior to PGP. Some inventors even say that asymmetric key cryptography is the basic version of the present PGP.

Security of PGP: [5] The PGP which is available now has good security and it is accepted by many organizations and governments. Misuse of PGP can decrease the computer's performance and hence the security. PGP can't stop others from stealing our data. The basic concept of PGP is identity verification, which is done by creating your own public key and getting it signed by another person whom you know. The public key can now be accessed by any person who wants to send you a mail, and we can check the digital signature in the mail by seeing the signature of the other person whom you know; then the mail is valid. Some big companies use ssc for this identity check on their websites and have spent some millions of dollars just on verification of user identity.

Legal issues surrounding cryptography, PGP and its inventors: Not only against PGP: from the very start of cryptography many legal issues have been raised against it. For example, cryptography was prohibited in many countries because they say that sending data encrypted can be a serious threat to their national security. Even now countries like Russia, Singapore and Vietnam have their restrictions on the usage of cryptography. After World War 2 many countries understood the use of cryptography in defence. The United States of America has put a restriction on exports of encryption systems.
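The flow described under "How it works", "Digital Signature" and "Hash Functions" can be followed end to end in the sketch below, which is an added example and not code from the paper or from PGP: the message is hashed and signed, compressed, encrypted under a random session key, and the session key is what the recipient's public key encrypts, so that the private key recovers it. Assumptions: textbook RSA on small known primes and a SHA-256 XOR keystream stand in for PGP's real algorithms, the signature travels beside the body for simplicity, and all function and key names are hypothetical.

```python
import hashlib, secrets, zlib

# Toy key pairs (assumption: textbook RSA on known Mersenne primes, no padding).
# Far too weak for real use; they only make the message flow visible.
E = 65537

def make_keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))   # (public, private)

def keystream_xor(key, data):
    # Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def digest_int(data, n):
    # Fixed-size hash of the message, reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def pgp_send(message, sender_priv, recipient_pub):
    n_s, d_s = sender_priv
    n_r, e_r = recipient_pub
    signature = pow(digest_int(message, n_s), d_s, n_s)    # sign the hash
    session_key = secrets.token_bytes(16)                  # fresh per message
    body = keystream_xor(session_key, zlib.compress(message))
    wrapped = pow(int.from_bytes(session_key, "big"), e_r, n_r)
    return wrapped, body, signature

def pgp_receive(packet, recipient_priv, sender_pub):
    wrapped, body, signature = packet
    n_r, d_r = recipient_priv
    n_s, e_s = sender_pub
    session_key = pow(wrapped, d_r, n_r).to_bytes(16, "big")
    message = zlib.decompress(keystream_xor(session_key, body))
    valid = pow(signature, e_s, n_s) == digest_int(message, n_s)
    return message, valid

ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**107 - 1)   # sender
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)      # recipient

if __name__ == "__main__":
    pkt = pgp_send(b"meet at noon " * 20, ALICE_PRIV, BOB_PUB)
    print(pgp_receive(pkt, BOB_PRIV, ALICE_PUB))
```

Only the short session key goes through the slow public key operation; the bulk of the mail is handled by the fast symmetric step, which is why PGP combines the two systems.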
