PGP – Authentication and Confidentiality
In 2013, when the NSA (United States National Security Agency) scandal was leaked to the public, people started to opt for the services which can provide them a strong privacy for their data. Among the services people opted for, most particularly for Emails, were different plug-ins and extensions for their browsers. Interestingly, among the various plug-ins and extensions that people started to use, there were two main programs that were solely responsible for the complete email security that the people needed. One was S/MIME which we will see later and the other was PGP.
As said, PGP (Pretty Good Privacy), is a popular program that is used to provide confidentiality and authentication services for electronic mail and file storage. It was designed by Phil Zimmermann way back in 1991. He designed it in such a way, that the best cryptographic algorithms such as RSA, Diffie-Hellman key exchange, DSS are used for the public-key encryption (or) asymmetric encryption; CAST-128, 3DES, IDEA are used for symmetric encryption and SHA-1 is used for hashing purposes. PGP software is an open source one and is not dependent on either the OS (Operating System) or the processor. The application is based on a few commands which are very easy to use.
The following are the services offered by PGP:
1. Authentication 2. Confidentiality 3. Compression 4. Email Compatibility 5. Segmentation
In this article, we will see about Authentication and Confidentiality.
Authentication basically means something that is used to validate something as true or real. To login into some sites sometimes we give our account name and password, that is an authentication verification procedure.
In the email world, checking the authenticity of an email is nothing but to check whether it actually came from the person it says. In emails, authentication has to be checked as there are some people who spoof the emails or some spams and sometimes it can cause a lot of inconvenience. The Authentication service in PGP is provided as follows:
As shown in the above figure, the Hash Function (H) calculates the Hash Value of the message. For the hashing purpose, SHA-1 is used and it produces a 160 bit output hash value. Then, using the sender’s private key (KPa), it is encrypted and it’s called as Digital Signature. The Message is then appended to the signature. All the process happened till now, is sometimes described as signing the message . Then the message is compressed to reduce the transmission overhead and is sent over to the receiver.
At the receiver’s end, the data is decompressed and the message, signature are obtained. The signature is then decrypted using the sender’s public key(PUa) and the hash value is obtained. The message is again passed to hash function and it’s hash value is calculated and obtained.
Both the values, one from signature and another from the recent output of hash function are compared and if both are same, it means that the email is actually sent from a known one and is legit, else it means that it’s not a legit one.
Sometimes we see some packages labelled as ‘Confidential’, which means that those packages are not meant for all the people and only selected persons can see them. The same applies to the email confidentiality as well. Here, in the email service, only the sender and the receiver should be able to read the message, that means the contents have to be kept secret from every other person, except for those two.
PGP provides that Confidentiality service in the following manner:
The message is first compressed and a 128 bit session key (Ks), generated by the PGP, is used to encrypt the message through symmetric encryption. Then, the session key (Ks) itself gets encrypted through public key encryption (EP) using receiver’s public key(KUb) . Both the encrypted entities are now concatenated and sent to the receiver.
As you can see, the original message was compressed and then encrypted initially and hence even if any one could get hold of the traffic, he cannot read the contents as they are not in readable form and they can only read them if they had the session key (Ks). Even though session key is transmitted to the receiver and hence, is in the traffic, it is in encrypted form and only the receiver’s private key (KPb)can be used to decrypt that and thus our message would be completely safe.
At the receiver’s end, the encrypted session key is decrypted using receiver’s private key (KPb) and the message is decrypted with the obtained session key. Then, the message is decompressed to obtain the original message (M).
RSA algorithm is used for the public-key encryption and for the symmetric key encryption, CAST-128(or IDEA or 3DES) is used.
Practically, both the Authentication and Confidentiality services are provided in parallel as follows :
M – Message
H – Hash Function
Ks – A random Session Key created for Symmetric Encryption purpose
DP – Public-Key Decryption Algorithm
EP – Public-Key Encryption Algorithm
DC – Asymmetric Encryption Algorithm
EC – Symmetric Encryption Algorithm
KPb – A private key of user B used in Public-key encryption process
KPa – A private key of user A used in Public-key encryption process
PUa – A public key of user A used in Public-key encryption process
PUb – A public key of user B used in Public-key encryption process
|| – Concatenation
Z – Compression Function
Z-1 – Decompression Function