ARCHIVED: What is PGP, and how secure is it?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

On this page:

About PGP
Using PGP
PGP security
More information

About PGP

PGP ("Pretty Good Privacy") is a powerful, free cryptography package that lets people exchange files in a private, encrypted format, and also provides message authentication. PGP is called a public key system. Each person using PGP has both a public and a private key. Each key is actually a digital signature (a small file with a stream of uniquely generated characters). The public key is widely distributed to any correspondents, while the private key is guarded with secrecy.

An encrypted message in PGP is scrambled in a complex way to make it unreadable to anyone other than the intended recipient. You can use your private key and the recipient's public key to generate a message that can be unscrambled only by the recipient who has your public key as well as a personal private key, allowing you to easily exchange encrypted messages with anyone with whom you have exchanged public keys.

Conventionally, a single-key system is used to encrypt files; the same key used to encrypt a file is also used to decrypt it. The key thus must be carefully transferred from person to person, since if it were found, anyone could decode messages. This type of keying is known as symmetric.

PGP is also used for authentication. A private key generates a unique digital signature attached to a message. Anyone holding the creator's public key can verify that the message was generated by the person holding a genuine private key, and whether or not the message was altered in transit.

Using PGP

PGP can be used on most desktop computers as well as larger systems. Typically it is used on the command line to encrypt or decrypt files that will be moved to another mail program. Some scripts are available to allow more integrated PGP operations in some Unix mailers. The following examples demonstrate how to encrypt the file paper.txt for the user jsmith:

In Unix and DOS, using PGP 2.x, enter:
```
  pgp -e paper.txt jsmith
```
In Unix, using PGP 5.x, enter:
```
  pgpe -r jsmith paper.txt
```
To see a listing of other commands, enter:
```
  pgp -h
```

PGP security

Used in the right context, PGP, GnuPG, and other modern OpenPGP implementations can be considered military strength. That context includes:

Lengthy public/private key pair: Larger keys require more processing time for encryption and decryption, but offer better security. For most purposes, 1,024 bits should be sufficient.
Proper private key management: It's safest not to store your private key on a shared file system, but rather to keep it on a removable storage device (e.g., floppy, CD-R, keychain external drive) that you can take with you. If you must keep your private key on a shared system (such as a central system at IU):
- Make sure the private key file (e.g., .pgp/secring.pgp) is read/writable only by the owner. To do so on a Unix system, issue the shell command chmod go-wr secring.pgp.
- Connect to the remote system only via an encrypted connection, such as SSH or SSH2. SSH2 is more secure than SSH, so if it is available, use SSH2. An encrypted shell will prevent your passphrase from going out in plaintext via telnet.
Good passphrase choice: The passphrase "locks" your private key as a safety measure. A bad passphrase makes your private key easier to crack.
Proper passphrase usage: You should type your private key passphrase (required for decrypting mail messages for example, or digitally signing them) only on machine consoles, or over encrypted network links (e.g., via SSH).

While PGP is installed on UITS shared computers, using it on them violates the second and possibly the fourth points above. Therefore, it's not nearly as secure as it would be if it were locally installed on a workstation.

More information

For further information, consult the following resources:

For discussion of PGP, see the newsgroup alt.security.pgp and the FAQ for this newsgroup.
The Electronic Privacy Information Center is a good resource on privacy issues. Visit the EPIC Online Guide to Privacy Resources.
The PGP commercial product is available at pgp.com.
The open source equivalent of PGP, GnuPG, is available at gnupg.org. See Use GPG to encrypt files on IU's research supercomputers