Public Key (asymmetric) cryptography: A form of cryptosystem where two keys are used for encryption and decryption. One key is called the public key and the other the private key. The public key is used to encrypt the plaintext and is published worldwide. The private key is kept secret. A sender uses the public key to send encrypted information to the user. The user (receiver) holds the private key (no one else has this key) and uses it to decrypt the ciphertext.
Hash Functions: A hash function is an algorithm that doesn’t use a key. A fixed-length hash value is calculated from the plaintext. This makes it impossible for the contents or length of the plaintext to be recovered.
August 15th 2004
Internet Search
Topic: PGP (Pretty Good Privacy)
Source: Web-site
- Read the rest of the article, An Overview of Cryptography. Came upon the topic trust models. Read about PGP (Pretty Good Privacy). Decided that would be my research topic.
- Went back to . Followed the link PGP encryption
- Followed these two links, PGP Encryption for Beginners, Brief Encryption and PGP tutorial, How PGP works.
Visited links were bookmarked and the articles were saved inside my computer.
August 16th 2004
Internet Search
Topic: History of PGP
Source: Web-site
- Used the Google search engine to search for the history of PGP. Followed this link
- Bookmarked the URL and saved the article inside my computer.
- Read article on the subject of history of PGP,
Adam Beck (2003, March 16)
History of PGP [WWW document]. URL
Here is the summary of the article.
PGP (Pretty Good Privacy) was written by Phil R. Zimmermann. In the first PGP, Phil Zimmermann combined RSA encryption with a symmetric key of his own to create Bass-O-Matic. The first version was weak, and he used IDEA (International Data Encryption Algorithm) to strengthen it. Later, MD4, MD5 and ZIP were used with PGP for further improvements. Phil Zimmermann distributed the program to his friends, who in turn uploaded it to bulletin boards. The program leaked outside the United States, and RSA complained that PGP violated their public key patent. PGP was caught up in many other legal and controversial problems, mainly involving the United States Government. A legal defense fund (the yellow ribbon campaign) was set up to cover Phil Zimmermann’s legal expenses. The fund has now been closed since the investigation was dropped. MIT and Phil Zimmermann joined together to distribute a new version of PGP using RSA’s RSAREF. PGP is now legal both inside and outside of the United States.
August 18th 2004
Internet Search
Topic: Why PGP (Pretty Good Privacy) was written
Source: Web-site
- Used Google to search for why PGP was written. Followed this link,
- Bookmarked the URL and copied the article to my computer.
- Read the article,
Phil Zimmermann (1995 July)
Why do you need PGP? [WWW document]. URL
Here is the summary of the article.
The article was written by Phil Zimmermann himself, the creator of PGP. Phil Zimmermann states there is nothing wrong with a person asserting his or her privacy. A person should be able to send e-mail or confidential documents safely without worrying that other people will read the contents. Phil Zimmermann was worried that the government today is violating the privacy of ordinary citizens. Under Senate Bill 266 (1991), the government proposed that all manufacturers of secure communications equipment insert backdoors into their products so that the government could read anyone’s encrypted messages. The bill reads,
‘It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall insure that communication system permits the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law’
The bill was defeated after protest from civil libertarians and industry groups.
Phil Zimmermann stated that,
“If privacy is outlawed, only outlaws will have privacy”.
Only intelligence agencies, defense contractors, arms dealers, drug traffickers and other corporate giants will be able to afford military grade public key cryptographic technology. This leaves the ordinary citizen without a way to secure their privacy. Phil Zimmermann stated this to promote awareness of the privacy issue,
“PGP empowers people to take their privacy into their own hands. There’s a growing social need for it. That’s why I wrote it.”
August 21st 2004
Internet Search
Topic: How PGP works
Source: Web-site (offline content)
- After knowing the history and why PGP was written I went back to research on how PGP works. Read these articles.
Introduction to Cryptography, PGP 6.51 documentation (1990-1991)
How PGP Works [WWW document]. URL
Saint and Krans
PGP Encryption for Beginners [WWW document]. URL
Maniac (1999, November)
The Encryption and PGP Tutorial [WWW document]. URL
Here’s my understanding and summary on how PGP works.
PGP is a hybrid cryptosystem that uses both conventional and public key cryptography. PGP contains two main processes, encryption and decryption.
Encryption
Step 1: When a user encrypts a plaintext, PGP compresses the plaintext. This saves transmission time and disk space.
Step 2: PGP then creates a session key, which is a single-use encryption key. The key is a random number derived from the random movements of your mouse and the keystrokes you type. PGP uses a fast conventional algorithm in conjunction with the session key to encrypt the plaintext and produce ciphertext.
Step 3: After the data has been encrypted, the session key is then encrypted with the recipient’s public key. The encrypted session key and the ciphertext are then transmitted to the recipient.
Decryption
Step 1: The recipient uses his or her own private key to recover the temporary session key.
Step 2: The user then uses the private key to decrypt the conventionally encrypted ciphertext. PGP then decompresses the data, recovering the original text.
Keys: A key is a data value which is used with a cryptographic algorithm to produce ciphertext. The key size is measured in bits; the larger the key, the more secure the ciphertext is. PGP stores the keys in an encrypted form.
Passphrase: A passphrase is a longer and more secure version of a password. Good passphrases are long ones using different combinations of alpha-numeric characters. A user’s private key is encrypted using a hash of the user’s passphrase as the secret key. The passphrase is used for decryption purposes.
August 25th 2004
Technical Report
Topic: N/A
Source: N/A
- Started writing the non-technical report.
September 2nd 2004
Technical Report
Topic: N/A
Source: N/A
- Completed the technical report.
September 3rd 2004
Non-technical Report
Topic: N/A
Source: N/A
- Started writing the non-technical report.
September 9th 2004
Non-technical Report
Topic: N/A
Source: N/A
- Completed the non-technical report.
September 10th 2004
Housekeeping
Topic: N/A
Source: N/A
- Went through the report one last time to check for errors. Added the references section.
September 15th 2004
Assignment Due Date
Topic: N/A
Source: N/A
- Submission of assignment.
3. Report
3.1 Non-technical Report
The emergence of the Internet and advances in digital data communications paved a new path in telecommunications. Technology made the transmission of information much faster and easier. However, this information might be intercepted by a person with malicious intent. This person might grab important personal items, such as your credit card number, password and so on. There must be a way for a person to protect his or her privacy. One such way is by encrypting the information. The concept of encryption has been around for a long time, as far back as the times of Julius Caesar. In his messages he would replace every ‘A’ with a ‘D’, every ‘B’ with an ‘E’ and so on. Those who didn’t understand the code (logic) behind it would see only an unintelligible message. Encryption today uses the same theory but with much more advanced methods. One such encryption method, or to use a better term, cryptography, is the program Pretty Good Privacy (PGP). PGP was written by Phil Zimmermann, and throughout its history it has faced many difficult issues and controversies. To understand PGP better, we look at why Phil Zimmermann wrote the program in the first place.
Phil Zimmermann was aware of the privacy issues in the digital era. He stressed that there is nothing wrong if a person chooses to assert his or her privacy, and he recognized the freedom of speech, freedom of the press, freedom from oppression and the right to be left alone. Phil Zimmermann was worried that the government today is violating the privacy of ordinary citizens. One such worrying controversy arose when the United States government, under Senate Bill 266 (1991), proposed that all manufacturers of secure communications equipment insert backdoors into their products so that the government could read anyone’s encrypted messages. The bill reads,
‘It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall insure that communication system permits the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law’
Fortunately, the bill was defeated after protest from civil libertarians and industry groups. Phil Zimmermann believed that,
“If privacy is outlawed, only outlaws will have privacy”.
Only intelligence agencies, defense contractors, arms dealers, drug traffickers and other corporate giants will be able to afford military grade public key cryptographic technology. This leaves the ordinary citizen without a way to secure their privacy. To oppose and prevent such appalling privacy issues, Phil Zimmermann made this strong and powerful statement on PGP,
“PGP empowers people to take their privacy into their own hands. There’s a growing social need for it. That’s why I wrote it.”
Having understood why Zimmermann wrote the program, we will go in depth into the topic of cryptography and encryption. Knowing these words (terms) will help in understanding the next part of the article.
Plaintext/Clear Text: Data that is unencrypted, which can be easily understood.
Encryption: The process of manipulating the plaintext into ciphertext.
Ciphertext: Unreadable data (makes no sense) that is the result of encrypting plaintext.
Decryption: The process of converting ciphertext into readable data (plaintext).
Cryptography: The mathematical science used for encryption.
Cryptanalysis: A mathematical way to crack encrypted data.
Cipher: A mathematical function or algorithm used to convert plaintext to ciphertext.
Cryptosystem: A cipher with its tools and algorithms.
Cryptography is the method used to encrypt/decrypt data so it can be safely transmitted across a network. This is important for data and telecommunications when communicating over un-trusted networks (e.g. Internet).
There are three main types of cryptographic schemes: conventional (symmetric) cryptography, public key (asymmetric) cryptography and hash functions. Conventional (symmetric) cryptography is a form of cryptosystem where a single key is used for encryption and decryption. The sender uses the key to encrypt the plaintext into ciphertext. The ciphertext is sent to another person (the receiver). Upon receiving it, the receiver uses the key to decrypt the ciphertext into plaintext.
Fig 3.11 Conventional (symmetric) cryptography
Public Key (asymmetric) cryptography is a form of cryptosystem where two keys are used for encryption and decryption. One key is called the public key and the other the private key. The public key is used to encrypt the plaintext and is published worldwide. The private key is kept secret. A sender uses the public key to send encrypted information to the user. The user (receiver) holds the private key (no one else has this key) and uses it to decrypt the ciphertext.
Fig 3.12 Public Key (asymmetric) cryptography
A hash function is an algorithm that doesn’t use a key. A fixed-length hash value is calculated from the plaintext. This makes it impossible for the contents or length of the plaintext to be recovered.
Now we look at how PGP works. PGP contains two main processes, encrypting and decrypting. When a user wants to encrypt the data to be sent (plaintext), PGP compresses the plaintext. This is done to save modem transmission time and disk space. Data compression also helps strengthen the cryptographic security. PGP then creates a session key, which is a single-use encryption key. The key is a random number derived from the random movements of the mouse and the keystrokes the user types. PGP then uses a secure, fast conventional algorithm with the session key to encrypt the plaintext. This in turn produces the ciphertext. After the data has been encrypted, the session key is encrypted with the recipient’s public key. The public key-encrypted session key and the ciphertext are then transmitted to the recipient.
Fig 3.21 Encryption of data using PGP
In the decryption process, the recipient uses their own private key to recover the session key. The user then uses the same key to decrypt the conventionally encrypted ciphertext. PGP then decompresses the data, recovering the original text.
Fig 3.22 Decryption of data using PGP
PGP is a very strong and advanced cryptosystem and is now recognized as an Internet standard (IETF), known as OpenPGP. However, technology is advancing at a rapid rate, and astute humans might be able to crack the PGP system in the near future. To help prevent this, PGP documents and gives out the methods regarding its encryption. PGP uses complex keys for its encryption to make cracking seemingly impossible.
3.2 Technical Report
PGP (Pretty Good Privacy) is strong encryption software created by Phil R. Zimmermann. PGP is a hybrid cryptosystem that uses both conventional and public key cryptography. It provides the speed of conventional private key encryption and the security of public key encryption. Due to the strength of the cryptosystem, PGP is used by various organizations, companies and individuals.
PGP contains two main processes, encrypting and decrypting. When a user wants to encrypt the data to be sent (plaintext), PGP compresses the plaintext. This is done to save modem transmission time and disk space. In addition, data compression helps strengthen the cryptographic security. PGP then creates a session key that is used only once. The key is a randomly generated number derived from the random movements of the user’s mouse and keyboard. The system then uses a secure and fast conventional algorithm with the session key to encrypt the plaintext. This in turn produces the ciphertext, which is an unreadable form of the original data. Once the data has been encrypted, the session key is encrypted with the recipient’s public key. The public key-encrypted session key and the ciphertext are then transmitted to the recipient.
Fig 3.21 Encryption of data using PGP
In the decryption process, the recipient uses his or her own private key to recover the session key. The user then uses the private key to decrypt the conventionally encrypted ciphertext. PGP then decompresses the data, recovering the original text.
Fig 3.22 Decryption of data using PGP
The use of public and private key encryption solves two major problems: the sharing of keys and the relative ease of cracking older encryption methods. For someone to read a sender’s (encrypted) message, both the sender and recipient have to share a key. When they do so, a person with malicious intent might intercept it and make the code useless. Older encryption methods were much easier to crack, and the codes had to be very complex to foil attempts to crack them. To prevent this, PGP uses a key that is very large. This means the key is made up of a very large number of possible combinations (base 10). As you can see, PGP’s security strength lies in its key. PGP documents and gives out the methods regarding its encryption. With the rapid advances in technology, the size of the key can be increased (to provide more security) if it’s deemed necessary.
If users keep their private key safe, it would be almost impossible to obtain the information. In order to ensure that the information is secured, PGP uses a passphrase. A passphrase is a longer version of a password and typically consists of multiple words. PGP then uses the hash code from the passphrase as a secret key to encrypt the private key. This is a security feature to prevent unwanted usage and access. The users have to enter their passphrase to decrypt the private key in order to use it.
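The encryption and decryption steps and the passphrase-protected private key described above, put together as an added example (not code from PGP or from the articles cited). It assumes stand-ins so that it runs with only the Python standard library: textbook RSA over a constructed toy key and a SHA-256 counter keystream in place of the conventional cipher, neither of which is secure for real use; all function names are hypothetical. Here the private key recovers the session key, and the recovered session key decrypts the ciphertext.

```python
import hashlib
import secrets
import zlib

# Constructed toy key pair (assumption): two Mersenne primes, chosen only so the
# example runs offline. Real keys use large random primes and padded RSA.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q                                   # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the fast conventional cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def protect_private_key(d: int, passphrase: str) -> bytes:
    """Store the private exponent encrypted under a hash of the passphrase."""
    kek = hashlib.sha256(passphrase.encode()).digest()
    raw = d.to_bytes((N.bit_length() + 7) // 8, "big")
    check = hashlib.sha256(raw).digest()[:8]   # lets us detect a wrong passphrase
    return keystream_xor(kek, raw + check)

def unlock_private_key(blob: bytes, passphrase: str) -> int:
    kek = hashlib.sha256(passphrase.encode()).digest()
    plain = keystream_xor(kek, blob)
    raw, check = plain[:-8], plain[-8:]
    if hashlib.sha256(raw).digest()[:8] != check:
        raise ValueError("wrong passphrase")
    return int.from_bytes(raw, "big")

def pgp_encrypt(plaintext: bytes, n: int, e: int):
    compressed = zlib.compress(plaintext)                     # step 1: compress
    session_key = secrets.token_bytes(16)                     # step 2: one-time key
    ciphertext = keystream_xor(session_key, compressed)       # conventional encryption
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)   # step 3: wrap session key
    return wrapped, ciphertext

def pgp_decrypt(wrapped: int, ciphertext: bytes, key_blob: bytes, passphrase: str) -> bytes:
    d = unlock_private_key(key_blob, passphrase)              # passphrase unlocks private key
    session_key = pow(wrapped, d, N).to_bytes(16, "big")      # private key recovers session key
    return zlib.decompress(keystream_xor(session_key, ciphertext))
```
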
With its strength and flexibility, PGP is now recognized as an Internet standard (IETF) and is known as OpenPGP. Even though PGP is strong encryption software, it still has limitations. Proper methods and standards must be adhered to in the usage and implementation of the system. Any mistake made during this process might compromise the protection of the plaintext. In addition, plaintext can be easily obtained, and no cryptosystem protects the information in this form. Security and preventive measures such as not storing passphrases on your computer and running scans to remove key logging utilities are good practices.
4. References
- William Stallings, Business Data Communications, 4th Edition. 2001, Prentice Hall.
- Robert Orfali, Dan Harkey, Jeri Edwards, Client/Server Survival Guide, 3rd Edition. 1999, John Wiley & Sons, Inc.
- Adam Beck (2003, March 16). History of PGP.
- Phil Zimmermann (1995 July). Why do you need PGP?
- Gary C. Kessler (May 1998). An Overview of Cryptography.
- Introduction to Cryptography, PGP 6.51 documentation (1990-1991). How PGP Works.
- Saint and Krans. PGP Encryption for Beginners.
- Maniac (1999, November). The Encryption and PGP Tutorial.