Pretty Good Privacy (PGP)
Steven Shepard
December 1996
An edited version of this
paper appeared with the title
"Pretty Good Privacy (PGP)" in the Burlington
Business Digest, October 1996.
In recent years, the volume of
information transmitted over public networks, private networks,
and the worldwide Internet has increased exponentially. The
annual rate of growth for World Wide Web (WWW) traffic, for
example, is nearly 350,000%, while the volume of information
available on the Web doubles every 57 days, according to a study
conducted by the Client/Server Economics Newsletter.
More and more, electronic
networks are replacing traditional mail and courier services.
Transmission technologies have advanced to the point that
networks are fast, accurate, and globally ubiquitous, making
them the transport medium of choice for many businesses. Today,
the accurate and timely availability of information is often the
single factor that helps a corporation maintain its edge in a
growing sea of competitors. As a result, companies zealously
guard their corporate databases, and are concerned about the
protection of electronically-transmitted information. Out of
this uncertainty has grown significant interest in network
security, with particular attention paid to cryptographic
techniques that convert plain text into "your eyes
only" documents.
Cryptographic software has been
available for years, but it has traditionally been cumbersome,
complex, and costly to implement and maintain. Recent efforts by
government security agencies that attempt to mandate a
"back door" requirement in commercially available
encryption software have met with loud protest from industry
watchdog groups and staunch civil libertarians, all afraid that
the availability of such an easy entry for law enforcement could
lead to violations of First Amendment rights. As a result of
this concern, several publicly-available cryptographic software
packages have emerged that do not offer back door access. One of
them is called Pretty Good Privacy (PGP). PGP has enjoyed a
great deal of interest of late because it is easy to install,
readily available, and secure. It relies on a technique called
"public key cryptography," which is far simpler to
implement and maintain than prior encryption methods. It was
written by Phil Zimmermann, a software engineering consultant in
Boulder, Colorado, and is considered by Zimmermann to be
"guerrilla freeware."
Traditional encryption, often
called single-key cryptography, employs a single encryption key
to both encrypt and decrypt the transmitted message. This means,
of course, that at some point the key must be securely
transmitted to the recipient so that they can use it to decrypt
the received message. The Federal Government's Data Encryption
Standard (DES) relies on a single-key technique.
Public key encryption systems
operate differently in that there are two keys: a publicly
available key and a complementary secret or private key. Each of
these keys unlocks encrypted messages created by the other. As
part of the overall design, the public key can be made widely
available. If person 'A' wants to send a private message to
person 'B,' then person A uses person B's public key to encrypt
the message. Person B uses their own private key to decrypt the
received message, and since they are the only holder of the
private key, they are the only person capable of decoding it.
Not even the message sender can decrypt the message once it has
been encrypted.
Message authentication is an
inherent feature of PGP. To ensure that the correct person sent
the message, the sender can employ his or her own private key to
encrypt it. The recipient must then have the sender's public key
to decrypt the message, thus ensuring that it was encrypted (and
therefore transmitted) by the proper person and not by an
interloper intent on information espionage. This technique is
often referred to as a "secure signature."
These two steps, when combined,
create a virtually foolproof confidential message. By first
"signing" the message with the sender's secret key,
then encrypting the "signed" message with the intended
recipient's public key, PGP guarantees both privacy and
authentication.
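The sign-then-encrypt sequence described above, as an added Python example that is not part of the original article and is not PGP's own code. It assumes textbook RSA with constructed toy primes and a SHA-256 digest, chosen only for illustration; all function and variable names are hypothetical.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns (public, private) as (exponent, modulus)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def apply_key(key, value):
    """The RSA primitive: each key of a pair undoes what the other one did."""
    exponent, n = key
    return pow(value, exponent, n)

def digest(message, n):
    """Hash of the message, reduced so it fits under the signer's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign_then_encrypt(message, sender_private, recipient_public):
    m = int.from_bytes(message, "big")
    if m >= recipient_public[1]:
        raise ValueError("toy scheme: message must fit in one block")
    # Step 1: sign with the sender's private key.
    signature = apply_key(sender_private, digest(message, sender_private[1]))
    # Step 2: encrypt message and signature with the recipient's public key.
    return apply_key(recipient_public, m), apply_key(recipient_public, signature)

def decrypt_then_verify(ciphertext, recipient_private, sender_public):
    c_msg, c_sig = ciphertext
    m = apply_key(recipient_private, c_msg)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    signature = apply_key(recipient_private, c_sig)
    # Only the sender's public key turns the signature back into the digest.
    authentic = apply_key(sender_public, signature) == digest(message, sender_public[1])
    return message, authentic

# Constructed toy keys (small Mersenne primes): far too small for real use.
A_PUBLIC, A_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)      # sender, person A
B_PUBLIC, B_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)    # recipient, person B
MESSAGE = b"Bid is $1.2M"                                      # constructed sample

if __name__ == "__main__":
    sealed = sign_then_encrypt(MESSAGE, A_PRIVATE, B_PUBLIC)
    print("B reads:", decrypt_then_verify(sealed, B_PRIVATE, A_PUBLIC))
    print("A tries:", decrypt_then_verify(sealed, A_PRIVATE, A_PUBLIC))
```

Person B recovers the message and the signature checks out; person A, holding only A's own keys and B's public key, gets unreadable bytes back from the same ciphertext.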
PGP is relatively easy to
implement on most systems, and while the actual process is
beyond the scope of this article, sufficient documentation is
available on the Internet/World Wide Web to make installation
reasonably straightforward. The actual PGP software is publicly
available and readily downloadable. Be aware that the Federal
Government closely monitors the proliferation of encryption
software, and it is illegal to export the technology to many
countries. In fact, for export purposes, the government
classifies encryption technology as "munitions."
The actual use of the software
is extremely simple. To encrypt a text file using the
recipient's public key, simply type the following:
    pgp -e textfile_name recipient_userid
Upon receipt of this command,
PGP first attempts to compress the plaintext file, thus adding
one more layer of difficulty for would-be cryptanalysts. It then
searches the sender's public keyring file for a public key that
has the recipient's userid, and uses it to encrypt the file. The
result is a ciphertext file called textfile.pgp, where 'textfile'
is the name of the original file. The recipient's private key
must then be used to decrypt the message.
PGP is available for MS-DOS,
VAX/VMS, UNIX, and Macintosh machines, although the Mac version
is not as robust as those for other platforms. PGP was not
designed for use on Graphical User Interface (GUI)-based
operating systems, and the original version was somewhat buggy.
A new improved release, however, is well underway and is
significantly better.
Where to Get PGP:
MIT is the distributor of PGP
version 2.6, for distribution in the United States only. It can
be downloaded from net-dist.mit.edu,
a controlled FTP site that is restricted and limited to ensure
compliance with export controls. The software is found in
directory /pub/PGP.
There are two compressed files
in the standard release. For PGP version 2.6.2, you must get pgp262.zip
which contains the MS-DOS binary executable file and the PGP
User's Guide. For advanced users, pgp262s.zip contains
all the source code. These files can be decompressed using
PKUNZIP.EXE, version 1.10 or later. For UNIX users, the source
code can also be found in the compressed tar file pgp262s.tar.Z.
About The Author: Steven
Shepard is a Senior Member of Technical Staff with Hill
Associates, a telecommunications education and
consulting firm in Colchester. He can be reached at s.shepard@hill.com.