09/23/2024 | News release | Distributed by Public on 09/23/2024 10:47
You're working late Thursday evening as a contractor for a powerful government agency. You stumble across classified documents uncovering a surveillance program that invades the privacy of millions of citizens. Your heart races as you decide to expose this to the masses and enlist the help of a few journalists.
But you also know the organization you work for monitors emails (and other forms of communication). If your emails hit the wrong eyes, you could face severe penalties. When you contact the journalists, how will you know your emails only reach their intended audience? That's the dilemma whistleblower Edward Snowden faced.
This is where tools like PGP come in, offering a way to encrypt and protect communications. In this blog, we'll explore what is PGP encryption, how it works to protect your communications, its evolution and current usage, the pros and cons of using PGP, and best practices for securely implementing this encryption tool.
PGP (short for Pretty Good Privacy) is an encryption system used to secure emails and files. The PGP meaning refers to the encryption of sensitive data, ensuring that only the intended recipient can access it. It can describe any encryption program or application that implements the OpenPGP encryption standard. GPG (GNU Privacy Guard) is one of the most widespread open-source implementations of OpenPGP. PGP is primarily used to encrypt sensitive information (files, emails, etc.) such that it can only be decrypted by the intended recipient. Another use is for authentication. When someone signs a file or email, the receiver can authenticate the digital signature to ensure the sender is who they say they are.
PGP was introduced in 1991 by Philip R. Zimmermann as freeware and was later offered as a low-cost commercial product. During this time, PGP gained popularity among computer professionals and organizations as they tried to find an affordable way to add extra security to their emails. Since then, while the original product no longer exists, PGP has become a de facto standard for encrypting and digitally signing messages with tools like ProtonMail and Thunderbird, gaining popularity among privacy-conscious individuals partially thanks to the built-in PGP encryption.
Since 1991, PGP has grown from a niche encryption tool into a widely recognized secure communication standard. Today, PGP is integrated into many modern email clients. While still heavily used by privacy-conscious users, journalists, and activists, PGP's adoption has expanded to businesses and individuals who prioritize secure communication in a world increasingly concerned with data breaches and privacy threats.
PGP combines symmetric key encryption and public key encryption. Let's break down what these two things are and how they come together to form the basis of PGP.
Symmetric encryption relies on one shared key between the sender and the receiver (known as the session key). When the sender sends their message, they generate a random key and "lock" or encrypt the message using this key. Then, when the receiver is ready to open the message, they use the same key to "unlock" or decrypt the message.
The issue here is how can the sender securely share the key with the receiver? Sharing the key in plaintext exposes the communication to security risk.
Public-key encryption, also known as asymmetric encryption, in contrast uses two different keys for the encryption and decryption process: a public key and a private key. A user's public key is shared openly. When the sender sends a message, it is encrypted using the receiver's public key. The message can then only be decrypted using the receiver's private key. Since the public key is not used for decryption, it is safe to share with others, in plaintext, eliminating the risk associated with symmetric key encryption.
While this method is more secure, it is computationally intensive. As the size of the data being encrypted increases, the time and computational resources required also increase.
If the issue with symmetric key encryption is sending the key in plaintext, it would be great if we could encrypt the key itself. The session key is small, so it is a great candidate for public-key encryption. Enter PGP.
When the sender sends their message, it is encrypted using symmetric key encryption with a session key. The session key is encrypted using the receiver's public key. When the receiver is ready to open the message, they decrypt the session key with their private key. Then, they use the session key to decrypt the message.
Using this combination, we address the risk with symmetric key encryption (not having a secure way to share keys) and the limitations of public-key encryption (being limited on the size of data to encrypt within reasonable computational overhead).
PGP is widely used to encrypt emails, making sure they are only visible to the intended parties. A popular example is Edward Snowden using PGP to communicate with journalists.
At the time, he reached out to journalist Glen Greenwald urging him to install PGP so that their communications could be secured. Greenwald ignored his persistent requests for months. PGP can be complicated and it's hard to find time to sit and figure it out (even if government secrets may be on the line). Today, there are several email services that make PGP encryption more accessible to a standard user.
Sending PGP messages can be much easier than it seems. Email services, such as ProtonMail, that offer PGP can facilitate the process.
If both parties are using ProtonMail, ProtonMail automatically encrypts emails as well as creates digital signatures, hiding the complexity of key management.
If you're communicating with someone who is not using ProtonMail, they need to have a PGP plugin installed in their mail client or use some other PGP service (some of these tools will be discussed later).
First, you will share your public keys with each other-this can be done in multiple ways, including sending the key as an email attachment. The public key is saved with the user's contact, and you can start sending end-to-end encrypted messages, sign messages, and verify the other user's digital signatures.
Email encryption is by far the most prominent use case of PGP, protecting messages with sensitive data in industries ranging from journalism to healthcare to corporate communication. People are always looking for ways to protect their privacy, and many use the standard to secure their private information.
PGP was originally used primarily by journalists and activists to safeguard their communications. When PGP was originally released by Philip Zimmermann in 1991, the goal was to empower people to take privacy into their own hands. In a time of increasing government scrutiny of private communications and the proliferation of electronic communication, PGP offered a way to securely encrypt emails from prying eyes.
Fast-forward to the present day, the popularity of PGP has skyrocketed. Who wants to expose their entire email history to the government or other organizations? With tools like ProtonMail, strongly encrypting and securing emails is now viable for even the less-technically-savvy among us (Hi, mom).
PGP can also be used for digital signatures, allowing email recipients to verify the identity of the sender and the integrity of the message.
This works by leveraging the sender's public and private keys. When the email is sent, the message is hashed. The hash is encrypted using the sender's private key to create the digital signature.
The recipient decrypts the hash with the sender's public key. The received message is also hashed. If the decrypted hash matches the hash of the message that is received, the digital signature is verified.
Once a message is hashed and encrypted, if even one character changes in transit, the recipient will know when they verify the digital signature. This can be a sign that either the sender is not who they say they are or that the message has been tampered. Digital signatures ensure the integrity of emails and add a safeguard against threats like phishing scams or identity theft.
With more people moving files to the cloud, you may wonder how to protect those files against unauthorized individuals. PGP-encrypted files can be safely stored on local or cloud storage to protect your information. Similarly, when sharing sensitive documents (including contracts, financial records, and research data), PGP ensures only the intended recipient can view the data.
The process works similarly to encrypting emails: using a symmetric session key to encrypt the files and encrypting the key with a public key. Once the files are ready to be accessed, using a private key to decrypt the file.
Several solutions can help with encrypting your files. Symantec (now part of Broadcom) is a major vendor of PGP file-encryption software after they acquired PGP Corp. in 2010. Products like Symantec Encryption Desktop and Symantec Encryption Desktop Storage allow you to encrypt your files without having to know all the ins and outs of the encryption/decryption process.
While people have tried to break PGP encryption, it is nearly impossible. The advanced algorithms provide robust security against hackers, nation-states, and even government agencies like the NSA.
While PGP itself is highly secure, certain implementations have presented security vulnerabilities, such as the Efail vulnerability.
PGP is widely supported for several use cases from securing your emails with tools such as ProtonMail to securing files with vendors such as Symantec. With its open-source implementation, OpenPGP, it can also be integrated into a variety of different software solutions, ensuring all users can benefit from strong encryption.
One reason PGP isn't even more prominent is that it can still be highly complex and not user-friendly. Several solutions that we've discussed are making it easier, but using PGP can still be a strenuous effort.
Improper uses of PGP can introduce additional security holes. Businesses wanting to leverage it would need to provide thorough training to their users.
There are several alternatives to PGP:
For most common uses of PGP, the set up involves downloading an add-on for your email program and following the installation instructions.
Gpg4o is popular among users looking to integrate OpenPGP with Outlook 2010-2016. It is one of the most straightforward and easy to install ways to implement PGP for Outlook.
GPG Tools offers a broad suite of software to encrypt all areas of your Mac system. The package contains an email plugin for Apple Mail. Other tools include a key manager, allowing you to use GPG in almost any application, as well as an engine so you can use GPG with the command line.
Enigmail is a security add-on that integrates with SeaMonkey, Epyrus, and Postbox. Enigmail was originally developed for Thunderbird, however latest versions of Thunderbird are no longer supported. Enigmail is free and can be used, modified and distributed under the terms of the Mozilla Public License.
ProtonMail was one of the first (and remains one of the most widespread) email providers to natively integrate PGP encryption. ProtonMail operates through a web portal, so you can easily separate secure communications from your everyday inbox.
Other services such as Hushmail and Mailfence offer similar functionality to ProtonMail and have additional features that may better fit the needs of you or your organization.
Hushmail offers features tailored for businesses and non-profits including the ability to create secure web forms. This, along with the fact that it is fully HIPAA-compliant, make it a popular choice among healthcare professionals.
Mailfence offers a suite of tools in addition to email including calendars, a safe place to store documents, and options to import your contacts and create groups for secure sharing.
When choosing an online PGP service, it's important to compare the functionality with your needs to determine which one is ultimately the best fit.
FairEmail is an open-source email app that is free for Android uers. Users will be able to decide which messages they want to encrypt. While this app offers flexibility and an easy-to-use interface, it is rare for people to want to use PGP through an Android. The user community for FairEmail is currently somewhat limited.
Security is the number one concern. There are certain PGP implementations that have introduced security risks before. For most people, spotting vulnerabilities in the software would be impossible. The best thing to do is check for any reported vulnerabilities in the software you are considering.
As you start to dip your toes into the world of PGP, it can be easy to drown in complex concepts and the general learning curve that comes with any new software. Choose a provider that offers solid support either in the form of a dedicated customer support team or a user community.
Standalone applications allow users to encrypt files and emails independently of the email client they use. While these applications offer versatility and robust security, some users will opt for the email add-ons or plugins that integrate easily with their existing tools.
Email add-ons and plugins like Enigmail or gpg4o enhance existing email clients by providing the ability to encrypt messages with PGP. These tools offer a mix of flexibility and familiarity while maintaining secure communication.
Mobile applications like FairEmail allow users to use PGP encryption on their smartphones and tablets. They provide a user-friendly interface for managing keys and encrypting messages on the go.
How do you know which public keys actually link back to the user you expect them to? A "web of trust" is used to describe the decentralized way trust is established with public keys. When you communicate with other users using their public keys, determine if that public key can be trusted (i.e. is the owner of the public key the person you think they are). If so, you can add that public key to your "keyring" and sign the key to indicate to others that you have verified this key and that it can be trusted.
The concept can be extended to trusting the people that "the people you trust" trust. A little bit of a mouthful, but basically "Your friends are my friends." If you know Bob carefully vets the public keys he accepts and trusts, you can choose to expand your list of trusted keys to include the ones that Bob trusts, thus creating a "web."
Every key can be trusted to a certain extent. There are 5 trust levels:
It is important to be able to trust the keys you're using. Using the wrong key could lead to the data falling into the wrong hands if intercepted. A digital certificate serves to establish whether a public key belongs to the correct owner. It will consist of three things:
When you want to verify a user's key, you can check the certificate's fingerprint. The fingerprint is a hashed version of the certificate and appears in the certificate properties either as a hexadecimal number or a series of words.
Now, you can call the user you want to communicate with and have them verify the fingerprint, or you can trust that someone else has gone through the process of validating it.
A PGP certificate (also called a PGP key certificate) is a digital document that contains your PGP public key and associated metadata, like your name, email address, and expiration date. Certificates are created with a validity period (a period of time in which it can be trusted). When the certificate expires, it will no longer be valid.
If a certificate owner terminates employment with the company that issued the certificate, or if somebody suspects that the certificate's private key can be compromised, the certificate can be revoked.
Anyone who has signed a certificate can revoke their signature on the certificate in these cases (which carries almost the same weight as the certificate itself being revoked).
Only the certificate owner or someone who has been designated with permission to revoke by the owner can revoke the certificate.
While PGP encryption itself is very secure, several other factors can introduce risk:
Organizations should consider the following legal and compliance aspects:
Yes, PGP encryption has been around for over 30 years and there have yet to be any vulnerabilities found in the basic implementation. The largest vulnerabilities found in the past have more so surrounded the implementation of PGP, so it is still important to carefully vet the software you choose to use.
PGP uses a combination of symmetric and public key encryption. The message is encrypted with a uniquely generated session key (symmetric key encryption). The session key is encrypted with the recipient's public key (public key encryption).
The session key (and ultimately the entire message) can only be decrypted by the recipient and their private key.
The best PGP software will vary depending on your needs. How frequently will you need to be encrypting messages and what are your specific encryption needs? What level of usability will your users need and what type of software will fit seamlessly into their current workflows? How much would you be willing to pay? Considering these will help narrow down the tool that would best suit your needs.
PGP is best utilized if the following scenarios apply to you:
Integrating PGP encryption with other security measures will further enhance data protection and defend against potential threats:
As our reliance for digital communications grows, your privacy is still your right. PGP enables you to maintain the confidentiality and integrity of your messages. Over 30 years, PGP continues to be one of the most widely recognized and trusted standards for secure email encryption.
As Philip Zimmermann, the author of PGP, said "PGP empowers people to take their privacy into their own hands. There's a growing social need for it. That's why I wrote it."
If your organization wants to implement PGP, make sure to vet the software you are considering and make note of things like user training, key management policies, and integration of PGP with existing security frameworks.
Evaluating the specific needs of your users and your organization will help ensure successful adoption.
The first step in getting started with PGP is selecting the right software. Consider your specific needs when doing so. Will your users need to integrate with their existing mail clients, or would it be preferable to use a standalone application?
Research the software before installing it to ensure that it is safe and reliable and that you will have strong support throughout the process. After selecting the software, setup is often straightforward. Several vendors also offer a free trial so you can make the most informed decision possible.
Email encryption should only be part of your overall cybersecurity strategy. A comprehensive security strategy should include protecting your users from getting compromised, which could put your keys at risk. Additionally, monitor your sensitive data before they are emailed out to ensure users are only accessing and sharing the appropriate data. Adding these additional layers will put you in the best position to protect your data and your privacy.