PGP and Email Privacy

1
PGP and Email Privacy

• Qiao Chen
• SCSC455 Computer Security
• November 30, 2005

2
Why Do We Need PGP?

• When I communicate, it is personal, it is
  private, it is my business.
• Matter could be political, taxes, security, or
  illicit affair.
• Whatever it is, I want it confident.
• This privacy is as important as the constitution.

3
PGP Introduction

• Invented by Phil Zimmermann
• PGP stands for Pretty Good Protection
• PGP is a hybrid cryptosystem, combining features
  from public key cryptosystem and classical
  cryptosystem.
• Major components of PGP are its keys, digital
  signature and certified servers.

4
Keys

• Keys used in PGP are a really big number used in
  cryptography algorithm to encipher.
• Bigger the key size the better.
• PGP 6.5.8 has a default key size of 2048 bits,
  which is impossible to figure out.

5
Private/Public key

• PGP has a user friendly interface to generate
  keys needed.
• PGP users need a root key, memorized by the user.
• Good Root key example lVlU5TKILLI30I3
• PGP will use root key to generate the
  private/public key pair and then save them in
  encryption.

6
Key distribution

• Only public key can be distributed.
• The user Alice can email her key to others or she
  can give her public key to a trusted certified
  server.
• If Alice gets Bobs public key, Alice can first
  verify the key with a certified server Cathy.

7
Certified Server

• The certified server Cathy generates her own
  private/public key.
• Bobs public key is signed by Cathy using her
  private key Bob verifies this signing by using
  Cathys public key.
• Now Alice can make sure Bobs public key is real
  before she uses it.

8
Digital Certificate

• Certified server Cathy must make sure Bobs
  public key is real before she authorize it.
• Bobs submission should be in PGP certificate
  format and includes
• -PGP version number
• -Bobs public key, his personal information
• -A validity date, Bobs own signature
• -A symmetric encryption algorithm for key

9
Digital Certificates

• Bobs submission in formats recognized by PGP can
  be signed by single or multiple parties to
  recognize his authenticity.
• Two formats are
• -PGP certificates
• -X.509 certificates

10
Emailing (sending)

• Alice first gets her private/public key using her
  root key.
• When Alice does an encrypt and sign, an one time
  session key is generated.
• This one time session key is used to encrypt the
  plaintext message into cipher text.
• The session key is encrypted with Bobs public
  key, but before this...

11
Sending Email

• Alice first must verify Bobs public key with the
  certified server Cathy.
• Now the encrypted session key and the message are
  sent.
• Using PGP, Alice simply has to select her
  plaintext message and recipient, and simply do a
  encrypt/sign.
• The user friendly interface takes care of the
  intricate steps.

12
Receiving and Decrypt

• When Bob gets the ciphertext, all he does is
  select decrypt and verify on PGP program.
• In doing this, Bob decrypts the session key using
  his private key (gotten from entering his root
  key).
• Bob gets Alices public key from the certified
  authority Cathy.

13
Decrypt and Verify

• Alices public key decrypts the session key as
  well as verifies Alices signature to Bob.
• Session key decrypts the message.

14
Getting PGP

• PGP can be downloaded for fee and for free.
• Set up is easy, instructions are understandable
• PGP provides simple email privacy

15
References

• http//www.pgpi.org/doc/pgpintro/p10
• www-2.cs.cmu.edu/phoenix/amail/howItWorks.html
• ftp//ftp.pgpi.org/pub/pgp/7.0/docs/english/PGPWin
  UsersGuide.pdf
• http//www.pitt.edu/poole/PGP.htmstep5
• http//www.youdzone.com/signature.html