PGP (Pretty Good Privacy) can be used for signing, encrypting and decrypting almost anything, and it’s actually much better than “pretty good”!
Pretty Good Privacy (PGP) is a data encryption protocol that uses a combination of symmetric and asymmetric encryption to allow two parties to confidentially exchange data. PGP also allows a receiver to authenticate the identity of a sender and to verify that the message was not altered in transit. Contrary to what its name might suggest, it actually provides very robust, time-tested protection.
PGP was developed to prevent email providers, Internet providers, hackers, and governments from reading emails and other sensitive communications, and to allow journalists, whistleblowers, political activists, and others to confidentially exchange information electronically without fear that a capable adversary will eavesdrop. Since it was first published in 1991, it has become the de facto standard for email encryption.
PGP uses a secure key exchange protocol that is very well established and used extensively for securing communications on the internet (e.g. SSL, TLS). Certain email clients support PGP encryption natively, which makes sending encrypted emails very straightforward for users. When not supported by the email client, PGP can be difficult to use, because it requires additional software to manually generate the encryption keys and exchange them between communicating parties.
The best way to understand how PGP works is through an example. Let’s assume a sender wants to securely send data to a receiver:
- The sender asks the receiver to generate an asymmetric private/public key pair and send him the public key.
- The sender generates a symmetric key and encrypts the data to be sent. The sender then uses the receiver’s public key to encrypt the symmetric key used to encrypt the data.
- The sender sends the encrypted data (encrypted with the symmetric key) along with the encrypted symmetric key (encrypted using the receiver’s public key).
- The receiver uses his corresponding private key to decrypt the symmetric key and then uses the symmetric key to decrypt the data.
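The four steps above as runnable code using Node.js's built-in `crypto` module. This is an added example, not code from the original page, and it does not produce the OpenPGP message format: it assumes RSA-OAEP for encrypting the symmetric key and AES-256-GCM for the data, and the function names and sample message are illustrative.

```javascript
const nodeCrypto = require('crypto');

// Assumed padding for encrypting the symmetric key (RSA-OAEP with SHA-256).
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Step 1 (receiver): generate the key pair; only publicKey is given to the sender.
function generateReceiverKeys() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 }); // example size
}

// Steps 2-3 (sender): encrypt the data under a fresh symmetric key, then
// encrypt that symmetric key with the receiver's public key.
function sealEnvelope(receiverPublicKey, data) {
  const sessionKey = nodeCrypto.randomBytes(32); // AES-256 key, used for this message only
  const nonce = nodeCrypto.randomBytes(12);      // unique per message, not secret
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, nonce);
  const ciphertext = Buffer.concat([cipher.update(data), cipher.final()]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt({ key: receiverPublicKey, ...OAEP }, sessionKey),
    nonce,
    ciphertext,
    tag: cipher.getAuthTag(), // lets the receiver detect any change to the ciphertext
  };
}

// Step 4 (receiver): recover the symmetric key with the private key, then the data.
// Throws if the envelope was sealed to a different key or altered in transit.
function openEnvelope(receiverPrivateKey, envelope) {
  const sessionKey = nodeCrypto.privateDecrypt(
    { key: receiverPrivateKey, ...OAEP },
    envelope.wrappedKey
  );
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, envelope.nonce);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Constructed sample run: everything in demoEnvelope can cross an untrusted channel.
const demoKeys = generateReceiverKeys();
const demoEnvelope = sealEnvelope(demoKeys.publicKey, Buffer.from('constructed sample message'));
console.log(openEnvelope(demoKeys.privateKey, demoEnvelope).toString());
```
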
Why is the sequence described above secure? Why does it prevent someone other than the receiver from seeing the protected data?
Data encrypted with a robust symmetric key cipher (e.g. AES) and a sufficiently large encryption key (e.g. 512-bit key) is practically unbreakable, so only a receiver with the symmetric key can decipher the data. The encrypted data can literally be posted on the internet and be freely available for anyone to download, and it will still be secure because, without the decryption key, there is no practical way to decrypt it.
PGP is a great way to securely exchange data, so long as the private keys are adequately protected and their owners have sole access to them. If the private keys are compromised, then someone can impersonate a sender and tamper with the data without the receiver knowing it.