What is PGP and How Does Encrypted Email Work?

Pretty Good Privacy (PGP) encryption is an encryption computer program that encrypts emails, files and text to ensure their privacy and security. It is the world’s widest used email security system.

A brief history of PGP

PGP is the brainchild of Phil Zimmerman, a well-known American computer scientist, cryptographer and political activist. Zimmerman created the first version of the data encryption program in 1991 to help journalists and activists send, receive and store sensitive files securely. It was originally available as freeware, one of the reasons for its huge popularity at launch. In the years that followed, PGP gained even greater acceptance on the back of people’s desire to maintain the confidentiality of their private information.

PGP provides cryptographic privacy and authentication for email

Cryptography uses techniques that make information readable only to the sender and receiver of an email, and unintelligible to anyone else. The understandable information is the plaintext and its incomprehensible version is the ciphertext.

The information is encrypted by the sender prior to sending and decrypted by the receiver, ensuring the privacy of the information even on an insecure channel.

The authentication aspect of PGP deals with confirming the identity of the sender and ensuring that the message was intended for the particular recipient. PGP also supports integrity checking, the assurance that the message from the sender was not altered en route to the recipient. The mechanisms are discussed under ‘Digital Signature’.

How does encrypted email work?

PGP uses symmetric key encryption and public key encryption. A key is a series of numbers or a string of numbers and letters that scrambles and unscrambles electronic information at the sender’s and receiver’s end respectively.

Symmetric encryption is a type of encryption that uses one secret key to both encrypt and decrypt messages. The sender and receiver need to exchange the key to allow decryption. Symmetric encryption algorithms convert the message to ciphertext, making it unreadable to everyone but the recipient who has the decryption key. After the recipient receives the message, the algorithm changes the ciphertext back to plaintext.

In contrast, public-key cryptography (also known as asymmetric encryption) uses a pair of keys - one public and one private - to encrypt and decrypt electronic information. The private key is a secret key while the public key is available for anyone to use. The recipient can share the public key with anyone as it is needed to only encrypt messages, not decrypt them. In other words, a message encrypted with the public key can only be decrypted with the private key, while a message encrypted with the private key needs the public key for decryption.

The use of public-key cryptography is also a reason for the popularity of PGP, as it allows people who haven’t met ahead of time to send encrypted messages to each other without having to exchange private encryption keys.

Example

Say Alicia wants to send Ray a message:

  • Ray generates a public and private key
  • Ray shares the public key and retains the private key
  • Alicia encrypts her message using the public key
  • Alicia sends the email to Ray
  • Ray decrypts the email using the private key

Digital signature

Digital signatures use algorithms to combine your private key with the message you’re authenticating. The plaintext of your message is put through a hash function, which maps the data to a fixed-size string of digits called a message digest. The message digest is encrypted with your private key through what is called the digital signature. The email message, along with your digital signature, is sent to the recipient.

Upon receiving the email message with the digital signature attached, its integrity and authenticity can be verified. This is automatically done by the PGP software.

If the message has been modified by even a single punctuation mark or character, then the message digests will be completely different. A discrepancy in message digests may point to one of three things: the digital signature could be fake, the message may have been altered after it was signed, and the public key used to decrypt the digital signature was not linked to the private key used to encrypt it, suggesting that the sender is not who they claim to be.

Other than authenticating the sender and verifying the integrity of the message, digital signatures also offer the advantage of no-repudiation i.e., the sender cannot claim that they did not send it. Digital signatures have made it possible for people to vouch for one another and built an interconnected web of trust.

In summary

The most common use case of PGP is to secure electronic communications. If you frequently send or receive sensitive information, and must ensure its security and integrity, Pretty Good Privacy is definitely valuable. The best private and secure email services support PGP.

Show Comments