Email Security Using PGP

- Prajakta Bahekar

Importance of Email Security

Email is one of the most widely used network service on Computer

Currently email message contents are not secure. Emails without encryption is similar to send mail by postcard.

Goal of Email Security

Confidentiality A message is concealed by

encoding it. Authentication

Ensuring that information is accessible only to authorized person.

Message integrity Ensures that the message

received is the same as the message that was sent

One possible solution : PGP

Pretty Good Privacy developed by Phil Zimmermann

PGP is a key encryption program mainly intended for email privacy and authentication.

PGP email encryption uses asymmetric key encryption algorithms.

A PGP key is a piece of data used to crypt and/or sign the message ; it has a keyid and contains the name and email address of the owner.

Why PGP ?

Its building blocks are made of the best available cryptographic algorithms: RSA, DSS, Diffie-Hellman. [2]

It is independent of operating system and processor.

A Web of Trust - A web of trust is a bunch of PGP keys plus the connections between them, formed by key signings.

PGP a Trust Model

PGP Operation – Authentication1. Sender creates a message2. SHA-1 used to generate 160-bit hash code 3. The hash code is encrypted with RSA using

the sender’s private key, and result is attached to message

4. Receiver uses RSA or DSS with sender’s public key to decrypt and recover hash code

5. Receiver generates new hash code for message and compares with decrypted hash code, if match, message is accepted as authentic

PGP Operation – Confidentiality1. Sender generates message and random 128-

bit number to be used as session key for this message only

2. Message is encrypted, using CAST-128 / IDEA/3DES with session key

3. Session key is encrypted using RSA with recipient's public key, then attached to message

4. Receiver uses RSA with its private key to decrypt and recover the session key

5. Session key is used to decrypt message

PGP Operation Summary

Signature Required?

Generate Signature

Compress the Message

Confidentiality required?

Encrypt the Message

Message Ready to send

Yes

Yes

No

No

Received Message

Signature Required?

Confidentiality required?

Decrypt the Message

Yes

Decompress the Message

Verify Signature

Message Ready to use

Yes

No

No

Plain text Message

Conclusion

PGP is a remarkable phenomenon that provides confidentiality, authentication, and compression for email. [1]

It is platform independent. Web of Trust makes it really easy to

use. It is not controlled by any government.

References

1. Zimmerman P. Pretty Good Privacy: a digital data encryption program. Available from : http://users.ox.ac.uk/~aesb/pgp.ppt

2. Garfinkel S. PGP: Pretty Good Privacy OReilly;1994. 430 p.