PGP stands for Pretty Good Privacy. It is encryption software designed to provide privacy, security, and authentication for online communication. Phil Zimmermann wrote the first PGP program and, according to him, made it freely available because of the growing social demand for privacy.
Since its creation in 1991, many versions of PGP have been released. In 1997, Phil Zimmermann proposed to the Internet Engineering Task Force (IETF) that the PGP formats be turned into an open standard. The proposal was accepted and led to OpenPGP (first published as RFC 2440 in 1998, revised in RFC 4880 in 2007 and RFC 9580 in 2024), which defines standard formats for keys, signatures, and encrypted messages. Because the format is an open standard, independent implementations such as GnuPG can exchange messages with one another.
Although initially used only to secure email messages and attachments, PGP is now applied to a wider range of use cases, including digital signatures on files and software releases, full disk encryption, and protecting files at rest and in transit.
PGP was initially owned by PGP Inc., which was later acquired by Network Associates Inc.; PGP Corporation bought the product line back in 2002. In 2010, Symantec Corp. acquired PGP Corporation for about $300 million, and the term PGP has since been a trademark used for Symantec's OpenPGP-compliant products.
How does it work?
PGP was among the first widely available programs to implement public key cryptography. It is a hybrid cryptosystem: it uses asymmetric encryption to deliver a key and fast symmetric encryption for the bulk of the data, which combines the key-distribution convenience of public keys with the speed of symmetric ciphers.
In a basic process of text encryption, plaintext (data that can be read directly) is converted into ciphertext (unreadable data). Before encryption takes place, most PGP implementations compress the data. Compressing plaintext before transmission saves disk space and bandwidth, and it also removes some of the repetitive patterns in the plaintext that classical cryptanalysis relies on. Compression is not a security control in its own right, though: with modern ciphers its contribution is marginal, and when attacker-controlled data is compressed together with secrets, the compressed length itself can leak information (the CRIME and BREACH attacks on TLS exploited exactly this).
Following compression, the actual encryption begins. At this stage, the compressed plaintext is encrypted with a single-use key known as the session key, using a symmetric cipher such as AES. The session key is not derived from anything: it is a random value produced by a cryptographically secure random number generator, and each message gets a fresh one, so compromising one session key exposes only that one message.
Next, the session key (1) itself is encrypted using asymmetric encryption: the intended receiver (Bob) provides his public key (2) to the sender (Alice) so that she can encrypt the session key to him. This lets Alice send the session key to Bob over the Internet even though the channel is untrusted, because only the holder of the matching private key can recover it. What public key encryption does not do is tell Alice that the key really belongs to Bob: if an attacker substitutes his own public key, Alice ends up encrypting the session key to the attacker. That is why PGP users compare key fingerprints out of band or rely on the web of trust before using a key.
What Is PGP?
The asymmetric encryption of the session key is usually done with RSA, although OpenPGP also supports ElGamal and, in current implementations, elliptic-curve Diffie-Hellman (ECDH) keys. Many other systems use RSA as well, including the Transport Layer Security (TLS) protocol that secures a great portion of the Internet, though modern TLS uses RSA for signatures rather than for key exchange.
Once the message's ciphertext and the encrypted session key are transmitted, Bob can use his private key (3) to decrypt the session key, which he then uses to decrypt the ciphertext and decompress it back into the original plaintext.
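The hybrid flow described in the steps above, as an added example in Go that is not part of this article or of any PGP product. It uses only Go's standard library rather than an OpenPGP implementation, so the `Envelope` type, the choice of AES-256-GCM for the session key and RSA-OAEP for wrapping it, and the 1 MiB decompression cap are assumptions made for illustration (OpenPGP itself historically uses CFB mode with a Modification Detection Code, and RSA with PKCS#1 v1.5 padding); the message is a constructed sample. The tampering check at the end shows why the integrity protection on the symmetric layer matters.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is a hypothetical container for what crosses the untrusted channel
// (real OpenPGP packet framing is not reproduced here).
type Envelope struct {
	WrappedKey []byte // session key encrypted to Bob's public key (RSA-OAEP)
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // compressed plaintext encrypted under the session key
}

// sessionCipher wraps a 32-byte session key in AES-256-GCM, an AEAD mode that
// detects any modification of the ciphertext on decryption.
func sessionCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is Alice's side: compress, encrypt under a fresh random session key,
// then wrap that key with Bob's public key.
func Encrypt(bobPub *rsa.PublicKey, plain []byte) (*Envelope, error) {
	var buf bytes.Buffer // step 1: zlib compression before encryption
	zw := zlib.NewWriter(&buf)
	if _, err := zw.Write(plain); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	// Step 2: the session key is drawn directly from the OS CSPRNG. It is used
	// for this one message and is never stored or derived from a password.
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	aead, err := sessionCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Step 3: wrap the session key with Bob's public key so only he can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, buf.Bytes(), nil)}, nil
}

// Decrypt is Bob's side: unwrap the session key with his private key, decrypt
// and integrity-check the payload, then decompress it.
func Decrypt(bobPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("session key unwrap failed (wrong private key or corrupt envelope): %w", err)
	}
	aead, err := sessionCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	compressed, err := aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("integrity check failed, ciphertext or nonce was modified: %w", err)
	}
	zr, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// Cap the inflated size so a hostile message cannot act as a decompression bomb.
	return io.ReadAll(io.LimitReader(zr, 1<<20))
}

func main() {
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Encrypt(&bob.PublicKey, []byte("Meet at the usual place at 10. -- Alice")) // constructed sample
	out, err := Decrypt(bob, env)
	fmt.Printf("decrypted: %q (err=%v)\n", out, err)
	env.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = Decrypt(bob, env)
	fmt.Println("tampered:", err)
}
```

Encrypting the same message twice yields two different envelopes, because the session key and nonce are fresh each time; that per-message key is what keeps one compromised session from exposing the others.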
Aside from the basic process of encryption and decryption, PGP also supports digital signatures. Alice signs a message by hashing it and computing a signature over the hash with her private key; Bob checks the signature with her public key. When a message is both signed and encrypted, PGP signs the plaintext first and then encrypts the signed message. Signatures serve at least three functions:
Authentication: Bob can verify that the message was signed with Alice's private key and therefore came from her, provided he holds an authentic copy of her public key.
Integrity: Bob can be sure that the message was not altered after it was signed, since changing even one bit invalidates the signature.
Non-repudiation: after the message is digitally signed, Alice cannot credibly claim she didn't send it, as long as her private key has not been compromised or shared.
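The three signature properties above, demonstrated in an added Go example that is not code from this article or from any PGP implementation. It uses Ed25519 from Go's standard library (OpenPGP supports EdDSA keys, but its signature packet format is not reproduced here); the `Signature` type, the decision to sign the creation time together with the message (a simplified stand-in for OpenPGP's hashed signature subpackets), and the sample message are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Signature is a hypothetical detached signature: the signature bytes plus the
// creation time, which is covered by the signature so it cannot be swapped.
type Signature struct {
	Created int64  // Unix seconds, part of the signed data
	Sig     []byte // Ed25519 signature over signedData(message, Created)
}

// signedData is what actually gets signed: the message followed by the
// big-endian creation time, so neither can change without breaking the signature.
func signedData(msg []byte, created int64) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(created))
	return append(append([]byte{}, msg...), ts[:]...)
}

// Sign is Alice's step. Only the holder of priv can produce a valid signature,
// which is what gives the scheme its non-repudiation property.
func Sign(priv ed25519.PrivateKey, msg []byte, now time.Time) Signature {
	created := now.Unix()
	return Signature{Created: created, Sig: ed25519.Sign(priv, signedData(msg, created))}
}

// Verify is Bob's step. It returns nil only if sig was produced by the private
// key matching pub over exactly this message and creation time.
func Verify(pub ed25519.PublicKey, msg []byte, sig Signature) error {
	if !ed25519.Verify(pub, signedData(msg, sig.Created), sig.Sig) {
		return errors.New("invalid signature: message altered or not signed by this key")
	}
	return nil
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malloryPub, _, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("Transfer 10 BTC to Bob.") // constructed sample

	sig := Sign(alicePriv, msg, time.Now())
	fmt.Println("genuine:  ", Verify(alicePub, msg, sig))                                 // <nil>
	fmt.Println("tampered: ", Verify(alicePub, []byte("Transfer 100 BTC to Bob."), sig)) // integrity
	fmt.Println("wrong key:", Verify(malloryPub, msg, sig))                               // authentication
}
```

The authentication check only means "signed by the private key matching this public key"; Bob still has to know that the public key is Alice's, which is the fingerprint-verification or web-of-trust step outside the signature itself.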
Closing thoughts
Since its development in 1991, PGP has been an essential tool for data protection and is now used in a wide range of applications, providing privacy, security, and authentication for several communication systems and digital service providers.
While the 2018 discovery of the EFAIL flaws raised significant concerns, the core cryptography was not broken. EFAIL targeted how email clients handled decrypted content: one variant leaked plaintext through HTML rendering in vulnerable mail clients, and another manipulated the ciphertext of messages that implementations accepted despite a missing or failed Modification Detection Code (MDC) integrity check. The lessons are that the protocol has to be paired with careful client behaviour (no remote content loading, rejection of messages without integrity protection, which newer versions of the standard strengthen with AEAD encryption modes), and that different implementations and deployments can provide quite different levels of security even though they share the same OpenPGP format.