What is PGP?
If you’re looking for a pretty good encryption standard, there are worse places to start
Pretty Good Privacy (PGP) is a highly-secure method of encrypting text-based data used by businesses and organisations all over the globe. It combines different cryptographic protocols such as hashing, data compression, symmetric and asymmetric key cryptography to provide users with a fast and easy method of secure communication.
Each user has a 'private key' and a 'public key' and the interaction between the two forms the basis of the method's security. Private keys remain with the user only, forming the only part of the system that can verify a user's true identity. If anyone else has access to a private key, they can decrypt any communication intended to the rightful holder, rendering the communication channel compromised.
You can think of public keys as telephone numbers, something you can freely give out so people know how to contact you. When encrypting a message, a user must do so with the intended recipient's public key, like calling the right phone to reach the right person. You can think of the private key as the phone's password, only the person with the password can answer the phone.
Because the public key is linked to the recipient's private key, only that user can decrypt the message. You encrypt with the public key to ensure it gets to the right person and decrypt with a private key so only the right person can see it.
Pretty Good Privacy was developed by computer scientist Phil Zimmerman in 1991, who wanted to create an open source encryption platform that could be used by anyone across the world, without having to pay huge fees.
It's now owned by security giant Symantec Group, and it is the antivirus developer that now is responsible for updating PGP to ensure it's sufficient to protect email communications. The company has also developed an open source variant - OpenPGP, which is used alongside the licensed version.
What is PGP used for?
PGP was primarily designed to encrypt email traffic however it can be used to protect a host of other text-based communications, including SMS, directories and disk partitions. It's also used as a way of securing digital certificates.
PGP operates across a number of different standards, the most popular of which is the open source OpenPGP standard. This is widely used to secure desktop applications such as Microsoft's Outlook and Apple Mail on Macs. There's also a Google-developed plugin that allows the standard to be used on its Chrome browser.
How does PGP work?
PGP works by placing coded layers of security on top of an application's text-based content.
In the case of an email client, PGP secures the content of a message using an encoding algorithm, scrambling the text in such a way that if it were to be intercepted it would be impossible to read.
With the content of an email scrambled, the corresponding key needed to unlock that code is itself encrypted, usually using a public key provided by RSA or Diffie-Hellman. The encrypted message, along with its encrypted key, are then both sent to the recipient.
Once the package arrives at the recipient's email client, the application uses a private key to unlock the email's encryption key, and then decipher the message. This is all done behind the scenes near instantaneously, without the input of the user.
Is PGP secure?
There has been some controversy over how secure PGP is. In 2011, researchers discovered that short encryption keys (32-bit or smaller) were unsafe to the extent some claimed they in effect offered no security at all.
This is because, with modern GPUs, it's easy for hackers to come up with a "colliding" (i.e. matching) key ID if the key in question is short. This doesn't mean PGP is fatally flawed, though - it just means a long key (greater than 32-bit) must always be used. If it is, then PGP works as intended and is secure - for now at least.
Most recently, hackers have discovered a hugely significant flaw in OpenPGP, the open-source variant of Symantec's licensed version. The flaw has been known to developers for over a decade and it could mean the end for the technology, according to those who built it. Hackers have found a way to flood keys with a huge amount of unnecessary data which will break the program (GnuPG) needed to use the technology.
"This is a mess, and it's a mess a long time coming," said Daniel Kahn Gillmor, a lead developer of OpenPGP. "The parts of the OpenPGP ecosystem that rely on the naive assumptions of the SKS keyserver can no longer be relied on, because people are deliberately abusing those keyservers. We need significantly more defensive programming, and a better set of protocols for thinking about how and when to retrieve OpenPGP certificates."
Nevertheless, the licensed version of PGP is still a secure method of communications that you can rely on to deliver sensitive information to individuals without having to worry about it being read if it were intercepted.
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now