What is PGP Encryption?
PGP Encryption?
Welcome back, my novice hackers!
PGP (Pretty Good Privacy) is a cryptographic method that lets people communicate privately online. When you send a message using PGP, the message is converted into unreadable ciphertext on your device before it passes over the Internet. Only the recipient has the key to convert the text back into the readable message on their device. PGP also authenticates the identity of the sender and verifies that the message was not tampered with in transit.
Before PGP, your Internet provider, your email provider, hackers, or the government could theoretically read your messages. PGP was developed in the 1990s to allow email and other types of messages to be exchanged privately. Today, PGP has been standardized into OpenPGP, enabling anyone to write PGP software that is compatible and interoperable with other implementations. Several OpenPGP-compliant developer libraries have been created to help programmers implement PGP encryption in their applications. ProtonMail is the maintainer of two of these libraries: OpenPGP.js, for the Javascript programming language (used in our web app), and GopenPGP, for Go language (used in our mobile and desktop apps). OpenPGP.js, in particular, is one of the world’s most widely used OpenPGP libraries and has been thoroughly audited by security experts.
Historically, PGP has been difficult to use, requiring additional software applications on top of your email provider or client. You also have to manually generate encryption keys and exchange them with your contacts. With ProtonMail, PGP is built in and runs automatically and invisibly to the user. When you compose an email to another ProtonMail user and click send, the message encryption and signature are applied automatically. You don’t have to do anything or need any specialized technical knowledge. ProtonMail makes PGP encryption, easy, convenient, and accessible to everyone.
USES OF PGP ENCRYPTION
One use of PGP encryption is to confidentially send messages. To do this, PGP combines private-key and public-key encryption. The sender encrypts the message using a public encryption algorithm provided by the receiver. The receiver provides their personal public-key to whomever they would like to receive messages from. This is done to protect the message during transmission. Once the recipient receives the message, they use their own private-key to decode the message, while keeping their personal private-key a secret from outsiders.
Another aspect of PGP is message authentication and integrity checking. Integrity checking is used to detect if a message has been altered after it was written and to determine if it was actually sent by the claimed sender. Because the email is encrypted, changes in the message will make it unable to be decrypted with the key. PGP is used to create a digital signature for the message by computing a hash from the plaintext and producing a digital signature using the sender’s private key. A person can add their signature to another person’s public-key to show that it is truly that rightful owner.
PGP also ensures that the message belongs to the intended recipient. PGP includes requirements for distributing user’s public keys in an identity certificate. These certificates are constructed so that tampering can be easily detected. The certificates can only prevent corruption after they have been made, but not before. PGP products also help to determine if a certificate belongs to the person that is claiming it, often referred to as a web of trust.
TOP 6 BENEFITS OF PGP ENCRYPTION
1. Sensitive information is always protected. It cannot be stolen or viewed by others on the internet. It assures that the information that is sent or received was not modified in transmission and that files were not changed without your knowledge.
2. Information can be shared securely with others including groups of users and entire departments.
3. You can be certain who the email is from and who it is for. PGP verifies the sender of the information to ensure that the email was not intercepted by a third party.
4. Your secure emails and messages cannot be penetrated by hackers or infected by email attacks.
5. Others cannot recover sensitive messages or files once you have deleted them.
6. PGP encryption software is very easy to learn how to use. With virtually no training, users are able to learn how to use it right away.
Digital signatures
There are two other aspects of PGP to note. The first is the digital signature. A digital signature proves to the recipient that an attacker has not manipulated the message or the sender. It does this by creating a unique number (the digital signature) using a combination of the sender’s private key and a mathematical redux (known as a message digest) of the plaintext message. If either the private key or the message is altered, the digital signature is invalid.
Trusting the public keys
Digital signatures help mitigate sophisticated attacks, but how can a sender know that the public key they’re using belongs to the person they think it does? After all, the server could easily give a bogus public key to the sender.
To solve this problem, we introduced Address Verification, which allows you to share your public key and digitally sign the public keys of others that you have personally verified. These trusted public keys are then securely stored in your encrypted contacts. Additionally, we’re working on a project called Key Transparency. It will automatically verify the public key of each recipient you send email to, without requiring any manual action. We’ll publish a blog post with more details about this feature once it’s ready.
How secure is PGP?
PGP is a battle-tested standard, and we can be virtually certain that even intelligence agencies like the NSA cannot break its encryption. (PGP was the encryption method of choice for Edward Snowden when he leaked classified documents to Glenn Greenwald.) While there have been security bugs with certain implementations of PGP, such as the infamous Efail vulnerability, PGP itself is very secure. ProtonMail has not been affected by any known vulnerabilities.
Like most other information security systems, the biggest weakness is the user. Often the simplest and most effective attacks are the least high-tech, as this comic illustrates. Phishing remains the most common kind of cyberattack, and PGP cannot protect you if your device or accounts are compromised. (Check out these email safety tips.)
Comments
Post a Comment