PGP – Pretty Good Privacy – PGP




Pretty Good Privacy (PGP)

On Github michaellouieloria / pgp

PGP

Pretty Good Privacy

Presentation by Michael Louie Loria

PGP

Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions to increase the security of e-mail communications. It was created by Phil Zimmermann in 1991 while working at PKWARE, Inc.

OpenPGP

OpenPGP is a non-proprietary protocol for encrypting email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann. The OpenPGP protocol defines standard formats for encrypted messages, signatures, and certificates for exchanging public keys.

GnuPG

GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC 4880. GnuPG allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications.

Introduction

PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms.

Hashing

A cryptographic hash function is a hash function that takes an arbitrary block of data and returns a fixed-size bit string, the cryptographic hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the message, and the hash value is sometimes called the message digest or simply digest.

Common functions: MD5, SHA-1, SHA-2, SHA-3/Keccak

Data compression

In computer science and information theory, data compression, source coding, or bit-rate reduction involves encoding information using fewer bits than the original representation.

Uses: PNG, Zip, MP3, MPEG

Symmetric-key cryptography

Symmetric key encryption is also known as shared-key, single-key, secret-key, and private-key or one-key encryption. In this type of message encryption, both sender and receiver share the same key which is used to both encrypt and decrypt messages. Sender and receiver only have to specify the shared key in the beginning and then they can begin to encrypt and decrypt messages between them using that key.

Common Algorithms: AES, Blowfish, DES, Triple DES, Serpent, Twofish

Asymmetric-key/Public-key cryptography

This method of encrypting messages makes use of two keys: a public key and a private key. The public key is made publicly available and is used to encrypt messages by anyone who wishes to send a message to the person that the key belongs to. The private key is kept secret and is used to decrypt received messages.

Common Algorithms: RSA, DSA, ElGamal

Symmetric-key Illustration

Asymmetric-key/Public-key Illustration

How PGP encryption works

PGP encryption

When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.

PGP decryption

Decryption works in reverse. The recipient's copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext.
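The encryption and decryption flow described above, as an added example that is not part of the original presentation. Textbook RSA without padding and a SHA-256 keystream stand in for PGP's real algorithms so the code runs on the Python standard library alone; the function names and the demo keys are assumptions made for illustration, and the code is for study only.

```python
import hashlib
import secrets
import zlib

def make_keypair(p, q, e=65537):
    """Textbook RSA key pair (no padding); for illustration only."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

# Constructed demo keys from known Mersenne primes; real keys use random primes.
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**127 - 1, 2**521 - 1)
CAROL_PUBLIC, CAROL_PRIVATE = make_keypair(2**89 - 1, 2**107 - 1)

def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR data with SHA-256(key || counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)

def hybrid_encrypt(plaintext, recipient_public):
    n, e = recipient_public
    compressed = zlib.compress(plaintext)                # 1. compress the plaintext
    session_key = secrets.token_bytes(16)                # 2. fresh one-time session key
    ciphertext = keystream_xor(session_key, compressed)  # 3. fast symmetric encryption
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # 4. key encrypted to recipient
    return {"wrapped_key": wrapped, "ciphertext": ciphertext}

def hybrid_decrypt(message, recipient_private):
    n, d = recipient_private
    key_int = pow(message["wrapped_key"], d, n)          # recover the session key
    if key_int.bit_length() > 128:
        raise ValueError("session key could not be recovered with this private key")
    session_key = key_int.to_bytes(16, "big")
    try:
        return zlib.decompress(keystream_xor(session_key, message["ciphertext"]))
    except zlib.error as exc:
        raise ValueError("decryption produced invalid data") from exc

if __name__ == "__main__":
    msg = b"meet at the usual place at noon. " * 20
    packet = hybrid_encrypt(msg, BOB_PUBLIC)
    print(len(msg), "plaintext bytes ->", len(packet["ciphertext"]), "ciphertext bytes")
    print(hybrid_decrypt(packet, BOB_PRIVATE) == msg)
```

Only the short session key passes through the slow public-key operation; the message body is handled entirely by the symmetric cipher, and each call produces a different session key.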

Symmetric-key cryptography Advantages

  • Simple: This type of encryption is easy to carry out. All users have to do is specify and share the secret key and then begin to encrypt and decrypt messages.
  • Encrypt and decrypt your own files: If you use encryption for messages or files which you alone intend to access, there is no need to create different keys. Single-key encryption is best for this.
  • Fast: Symmetric key encryption is much faster than asymmetric key encryption.
  • Uses less computer resources: Single-key encryption does not require a lot of computer resources when compared to public key encryption.
  • Prevents widespread message security compromise: A different secret key is used for communication with every different party. If a key is compromised, only the messages between a particular pair of sender and receiver are affected. Communications with other people are still secure.

Symmetric-key cryptography Disadvantages

  • Need for secure channel for secret key exchange: Sharing the secret key in the beginning is a problem in symmetric key encryption. It has to be exchanged in a way that ensures it remains secret.
  • Too many keys: A new shared key has to be generated for communication with every different party. This creates a problem with managing and ensuring the security of all these keys.
  • Origin and authenticity of message cannot be guaranteed: Since both sender and receiver use the same key, messages cannot be verified to have come from a particular user. This may be a problem if there is a dispute.

Asymmetric-key cryptography Advantages

  • Convenience: It solves the problem of distributing the key for encryption. Everyone publishes their public keys and private keys are kept secret.
  • Provides for message authentication: Public key encryption allows the use of digital signatures which enables the recipient of a message to verify that the message is truly from a particular sender.
  • Detection of tampering: The use of digital signatures in public key encryption allows the receiver to detect if the message was altered in transit. A digitally signed message cannot be modified without invalidating the signature.
  • Provide for non-repudiation: Digitally signing a message is akin to physically signing a document. It is an acknowledgement of the message and thus, the sender cannot deny it.

Asymmetric-key cryptography Disadvantages

  • Public keys should/must be authenticated: No one can be absolutely sure that a public key belongs to the person it specifies, so every public key must be verified as belonging to its claimed owner before it is relied on.
  • Slow: Public key encryption is slow compared to symmetric encryption. Not feasible for use in decrypting bulk messages.
  • Uses up more computer resources: It requires a lot more computer resources compared to single-key encryption.
  • Widespread security compromise is possible: If an attacker determines a person's private key, all of his or her messages can be read.
  • Loss of private key may be irreparable: The loss of a private key means that all received messages cannot be decrypted.

Getting Started

  • Generating a new keypair
  • Exchanging keys
  • Encrypting and decrypting documents
  • Making and verifying signatures

Generating a new keypair

C:\Program Files (x86)\GNU\GnuPG>gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1
Key expires at 01/16/14 11:51:58 Malay Peninsula Standard Time
Is this correct? (y/N) y

Generating a new keypair

GnuPG needs to construct a user ID to identify your key.

Real name: alice
Email address: alice@mic.localhost
Comment:
You selected this USER-ID:
    "alice <alice@mic.localhost>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

gpg: AllowSetForegroundWindow(8360) failed: Access is denied.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2014-01-16
pub   2048R/C08670A4 2014-01-15 [expires: 2014-01-16]
      Key fingerprint = B50C F9B4 0042 A5E9 35C5  8C98 DC54 379B C086 70A4
uid                  alice <alice@mic.localhost>
sub   2048R/06F2342F 2014-01-15 [expires: 2014-01-16]

Generating a revocation certificate

C:\Program Files (x86)\GNU\GnuPG\bin>gpg --output c:/revoke.asc --gen-revoke alice
sec  2048R/C08670A4 2014-01-15 alice <alice@mic.localhost>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> Sample key
>
Reason for revocation: Key is no longer used
Sample key
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "alice <alice@mic.localhost>"
2048-bit RSA key, ID C08670A4, created 2014-01-15

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

Exchanging Keys

C:\Program Files (x86)\GNU\GnuPG>gpg --list-keys
C:/Users/mic/AppData/Roaming/gnupg/pubring.gpg
----------------------------------------------
pub   2048R/C08670A4 2014-01-15 [expires: 2014-01-16]
uid                  alice <alice@mic.localhost>
sub   2048R/06F2342F 2014-01-15 [expires: 2014-01-16]

Exporting

C:\Program Files (x86)\GNU\GnuPG>gpg --output alice.gpg --export alice@mic.localhost
C:\Program Files (x86)\GNU\GnuPG>gpg --armor --export alice@mic.localhost
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (MingW32)

mQENBFLWBh4BCACqE8NFUmKgf3IGXjJSXjLiypsgsxwzL6vf6JIIuvh2IeM+UP4n
k+l2KiepnwEMhV0u3J6Cl3M1Na1hU6WtKj4sDWLd7wcJ9vVlzXdMd9C4XIAO7yxh
kxnfJQontdinAR8P1lmfVF+Z+C/hJ+W/zs8BMLXfcaj0lp0/R0plYyGblTeWL+uG
45mu5MwyhlcfTz3nitRAbPxOqFOezyKvzKfF3xC10Kq/36L6ooxiau/mxexSEYMA
IbB4be3577qqs1ARNTSum/6G7AEvc/A5chw5SSNBvAPdDlXBuSdi3YVURIHw8au/

Importing

gpg --import bob.gpg
gpg: key 9E98BC16: public key imported
gpg: Total number processed: 1
gpg:               imported: 1

Signing

C:\Program Files (x86)\GNU\GnuPG>gpg --edit-key bob@mic.localhost
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/443D753D  created: 2014-01-15  expires: 2014-01-16  usage: SCA
                     trust: ultimate      validity: ultimate
sub  2048R/20DD490D  created: 2014-01-15  expires: 2014-01-16  usage: E
[ultimate] (1). bob <bob@mic.localhost>
gpg> fpr
pub   2048R/443D753D 2014-01-15 bob <bob@mic.localhost>
 Primary key fingerprint: 22D5 D416 65C4 CFCA 292E  16FD 5088 BAA7 443D 753D

Signing

gpg> sign

pub  2048R/443D753D  created: 2014-01-15  expires: 2014-01-16  usage: SCA
                     trust: ultimate      validity: ultimate
 Primary key fingerprint: 22D5 D416 65C4 CFCA 292E  16FD 5088 BAA7 443D 753D

     bob <bob@mic.localhost>

This key is due to expire on 2014-01-16.
Are you sure that you want to sign this key with your
key "alice <alice@mic.localhost>" (C08670A4)

Really sign? (y/N) y
gpg> check
uid  bob <bob@mic.localhost>
sig!3        443D753D 2014-01-15  [self-signature]
sig!         C08670A4 2014-01-15  alice <alice@mic.localhost>

Encrypting

C:\Program Files (x86)\GNU\GnuPG>gpg --output c:\sample.enc --encrypt --recipient bob c:\sample.txt
C:\Program Files (x86)\GNU\GnuPG\bin>gpg --armor --output c:\sample.asc --encrypt --recipient bob c:\sample.txt

Decrypting

C:\Program Files (x86)\GNU\GnuPG>gpg --output c:\sample.dec --decrypt c:\sample.enc
C:\Program Files (x86)\GNU\GnuPG>gpg --output c:\sample.dsc --decrypt c:\sample.asc
gpg: encrypted with 2048-bit RSA key, ID 20DD490D, created 2014-01-15
      "bob <bob@mic.localhost>"

Making signatures

C:\Program Files (x86)\GNU\GnuPG>gpg --output c:\sample.sig --sign c:\sample.txt

Verifying signatures

C:\Program Files (x86)\GNU\GnuPG>gpg --output c:\sample.dig --decrypt c:\sample.sig
gpg: Signature made 01/15/14 15:50:08 Malay Peninsula Standard Time using RSA key ID C08670A4
gpg: Good signature from "alice <alice@mic.localhost>"

Clearsigned signatures

C:\Program Files (x86)\GNU\GnuPG>gpg --clearsign c:\sample.txt

Verifying clearsigned signatures

C:\Program Files (x86)\GNU\GnuPG>gpg --verify c:\sample.txt.asc
gpg: Signature made 01/15/14 16:01:14 Malay Peninsula Standard Time using RSA key ID C08670A4
gpg: Good signature from "alice <alice@mic.localhost>"

Detached signatures

C:\Program Files (x86)\GNU\GnuPG>gpg --output c:\detached.sig --detach-sig c:\sample.txt

Verifying detached signatures

C:\Program Files (x86)\GNU\GnuPG>gpg --verify c:\detached.sig c:\sample.txt
gpg: Signature made 01/15/14 16:13:48 Malay Peninsula Standard Time using RSA key ID C08670A4
gpg: Good signature from "alice <alice@mic.localhost>"
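When verification is automated, the "Good signature" text shown above does not say whether the signer is the key you expected. The added example below (not part of the original presentation) parses the machine-readable status lines that GnuPG writes when run with its `--status-fd` option and accepts a signature only if it was made by a pinned fingerprint. The function names are assumptions, and the status lines are constructed samples built from the fingerprints printed earlier on this page.

```python
import re

# Status keywords (written by gpg when run with --status-fd) that mean "reject".
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fingerprint):
    """'B50C F9B4 ...' -> 'B50CF9B4...' so printed and machine forms compare equal."""
    return re.sub(r"\s+", "", fingerprint).upper()

def check_signature(status_text, trusted_fingerprints):
    """Return (accepted, detail) for the status lines of one gpg --verify run."""
    trusted = {normalize(f) for f in trusted_fingerprints}
    signers = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # human-readable "gpg: ..." text is ignored
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint when present; field 1 the signing key.
            signers.append(normalize(args[9] if len(args) >= 10 else args[0]))
    if len(signers) != 1:
        return False, "expected exactly one VALIDSIG, found %d" % len(signers)
    if signers[0] not in trusted:
        return False, "signed by untrusted key " + signers[0]
    return True, signers[0]

# Fingerprints as printed earlier on this page.
ALICE = "B50C F9B4 0042 A5E9 35C5  8C98 DC54 379B C086 70A4"
BOB = "22D5 D416 65C4 CFCA 292E  16FD 5088 BAA7 443D 753D"

def sample_status(fingerprint, keyword="GOODSIG"):
    """Constructed status output (timestamps and algorithm numbers are made up)."""
    fpr = normalize(fingerprint)
    return ("[GNUPG:] %s %s signer\n" % (keyword, fpr[-16:]) +
            "[GNUPG:] VALIDSIG %s 2014-01-15 1389773628 0 4 0 1 2 00 %s\n" % (fpr, fpr))

if __name__ == "__main__":
    print(check_signature(sample_status(ALICE), [ALICE]))
    print(check_signature(sample_status(BOB), [ALICE]))
    print(check_signature(sample_status(ALICE, "EXPKEYSIG"), [ALICE]))
```

A cryptographically good signature from bob is still rejected when only alice's fingerprint is pinned, and a signature from an expired key is rejected even though the key in this walkthrough was valid for just one day.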

Mozilla Thunderbird

Mozilla Thunderbird is a free, open source, cross-platform email, news, and chat client developed by the Mozilla Foundation.

Enigmail

Enigmail is a security extension to Mozilla Thunderbird and Seamonkey. It enables you to write and receive email messages signed and/or encrypted with the OpenPGP standard.

Claws Mail

Claws Mail is an email client (and news reader), based on GTK+.

Mailvelope

Mailvelope is a browser extension that allows you to exchange encrypted emails following the OpenPGP encryption standard.

Mailpile

A modern, fast web-mail client with user-friendly encryption and privacy features

Links

THE END