PGP Encryption

By Dan Blacharski

Pretty Good Privacy (PGP) encryption is used to encrypt and decrypt email and to authenticate messages with digital signatures. It can also be used to encrypt stored files. For years, PGP was the de facto standard for email security, and it is still widely used by both individuals and corporations. Although it was originally available as freeware, it was acquired in 2010 by Symantec, which offers a low-cost commercial version.

Keys and Keyrings

PGP -- and all of its open source variations -- is based on a public/private key model. A key, essentially a long string of characters, is used to encrypt clear text. In this model the public key is used to encrypt data and can be used by any sender; the private key, which is possessed only by the owner, is used to decrypt it. This makes it easy to send an encrypted message to anyone else who uses PGP. The public and private keys are stored in separate files on the hard drive called keyrings. As users start to communicate with more people who also use PGP, those correspondents' public keys are all stored on the user's public keyring.

Difference Between PGP and GPG

GPG, or GNU Privacy Guard, offers a free alternative to the now-commercial PGP. GPG is an implementation of the OpenPGP standard, and as such is quite similar to PGP; the biggest difference is that it is openly available and supported strictly by donations. Like PGP, GPG lets users encrypt and sign data and emails. It works as a command line tool, and as such is easy to integrate with a variety of applications, though the lack of a graphical interface may make it even harder to use than the commercial PGP.
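The key model described above, walked through with the GPG command line tool, as an added example that is not part of the original article: two users each keep their own keyring, exchange only public keys, and then one signs and encrypts a message that only the other's private key can open. It assumes GnuPG 2.1 or later on PATH; the names, addresses and message are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the article): two users, two keyrings, one signed and encrypted message.
# Assumes GnuPG 2.1+ on PATH; user names and addresses are constructed placeholders.
set -eu

pgp_round_trip() {
  work=$(mktemp -d)
  alice="$work/alice"; bob="$work/bob"
  mkdir -m 700 "$alice" "$bob"
  # Each user gets a separate GnuPG home, i.e. a separate keyring; keys are left passphrase-less so the demo runs unattended
  ga() { gpg --homedir "$alice" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
  gb() { gpg --homedir "$bob"   --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

  # 1. Each side generates its own public/private key pair on its own keyring
  ga --quick-gen-key 'Alice <alice@example.com>' default default never
  gb --quick-gen-key 'Bob <bob@example.com>'     default default never

  # 2. Public keys are exchanged and imported onto the other side's public keyring;
  #    the private keys never leave their owner's keyring
  gb --armor --export bob@example.com   > "$work/bob.pub.asc"
  ga --armor --export alice@example.com > "$work/alice.pub.asc"
  ga --import "$work/bob.pub.asc"
  gb --import "$work/alice.pub.asc"

  # 3. Alice encrypts to Bob's public key and signs with her own private key
  printf 'quarterly numbers attached\n' > "$work/msg.txt"
  ga --trust-model always --armor --recipient bob@example.com \
     --local-user alice@example.com --sign --encrypt \
     --output "$work/msg.asc" "$work/msg.txt"

  # 4. Bob decrypts with his private key; the status lines confirm both decryption and a good signature
  gb --status-fd 1 --output "$work/msg.dec" --decrypt "$work/msg.asc" > "$work/status.txt"
  grep -q '^\[GNUPG:\] DECRYPTION_OKAY' "$work/status.txt"
  grep -q '^\[GNUPG:\] GOODSIG'         "$work/status.txt"
  cmp -s "$work/msg.txt" "$work/msg.dec"

  # 5. Alice holds only Bob's public key, so she cannot read the ciphertext she just produced
  if ga --decrypt "$work/msg.asc" >/dev/null 2>&1; then
    rm -rf "$work"; echo 'alice-could-decrypt'; return 1
  fi
  rm -rf "$work"
  echo 'bob-only'
}

pgp_round_trip
```

Step 5 is the property the article relies on: losing the private key (or never having it) means the message cannot be recovered, which is why key backups matter.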

Alternatives to PGP

Though still widely used as of 2015, PGP is not the only game in town. Although Symantec now owns the commercial implementation of PGP, there are open source versions, including GPG and OpenPGP. Many security-minded individuals use the Tor proxy network, which has the advantage of being highly decentralized. Though many encryption solutions are available as open source programs, commercial versions are becoming popular as well. In addition to PGP itself becoming commercial, others are coming onto the market, including ZixCorp's encrypted email, which is offered as software-as-a-service. It is simpler to use, although it requires a measure of trust in ZixCorp's own servers.

Pros and Cons of PGP

The biggest downside of PGP is its complexity for the end user. The keys come with expiration dates and require maintenance, and users need to keep a backup system -- if the private key is lost, there is no way to decrypt messages. Of course, in order to use it, both sender and recipient need to be using PGP. An additional security flaw is that PGP email cannot be scanned by anti-virus software. This can be resolved, however, by deploying a decryption gateway server located in the DMZ: the gateway decrypts the message, scans it for viruses, and then, once the message is determined safe, forwards it to the internal network. Some critics, including InfoSec Institute's noted security author Kim Crawley, note that PGP's model, which uses a public key along with a private key, may have some security drawbacks, though cracking the public key to obtain the private key would require enormous resources. Nonetheless, it can theoretically be done, so the public/private model has an inherent security limitation. Also, because PGP is an old standard with multiple versions in use, senders must pay close attention to the version in use.