
Pretty Good Privacy (PGP)

Abstract
Pretty Good Privacy (PGP) is an encryption method, implemented as a computer program, that encrypts plaintext data to give it cryptographic privacy and authentication. PGP was first designed by Phil R. Zimmermann (PRZ) in 1991. PGP is nowadays believed to be the most popular and secure means of transferring data from one end to another. It is popular because it is very difficult for black hats, or even government agencies, to decipher the text unless the key is provided. PGP performs three functions: message digesting, encryption and decryption.

Introduction
PGP (Pretty Good Privacy) is a computer program that encrypts and decrypts plaintext which needs protection during communication; it lets users encrypt electronic mail and files sent from one user to another without their being captured in between. PGP also produces digital signatures, which are tamper-proof: no other person can claim that the document or file came from a different user. The core idea behind PGP is to ensure strong privacy and authentication.

Privacy means that something can be accessed only by its authorised person; here, only the intended user is able to read the text. PGP is quite secure against attackers who place themselves as a man in the middle and try to decrypt the information sent as packets over a network. Authentication ensures that the information is delivered from the authorised person to the intended person without being tampered with or altered in between; it is a method of verifying the genuineness of a person.

Use of PGP
PGP is used in the following tasks:
1. Encrypt files using IDEA, a powerful private-key encryption algorithm. Once the file is encrypted, the intended recipient decrypts it using a passphrase.
2. Create private and public keys. These keys are used to encrypt and sign data sent over a network, and to decrypt data received from other users.
3. Administer keys: PGP can make and maintain a database of the public keys used for communication.
4. Encrypt incoming and outgoing email messages.
5. Verify people's identity through digital signatures.
6. Certify keys: PGP can sign other users' public keys.
7. Recover keys: if a user has lost his key, or it has been stolen, PGP can be used to recover it.
8. Configure PGP to use different encryption algorithms as the user requires.
9. Publish keys: PGP communication keys can be made available on internet key servers, and can be added to those servers at any time.

Working of PGP
PGP combines public-key encryption with conventional (symmetric) encryption; some experts describe it as a fusion of a plaintext compressor and a data encryptor. PGP begins by compressing the plaintext: smaller data is transmitted more efficiently, so it travels faster between sender and receiver with less opportunity to be sniffed in between, and compression also breaks up the patterns in the plaintext that attackers rely on when trying to recover the data. Both reduce the chances of the data being deciphered in transit. PGP then generates a session key, a one-time key created randomly from the user's mouse and keyboard activity. The session key is encrypted (bound) with the receiver's public key, and it is also used with a symmetric encryption algorithm to encrypt the data, producing the ciphertext. The ciphertext and the encrypted session key are then sent together to the recipient.

Figure 1 How PGP Encryption Works

Decryption works in the reverse order: the recipient uses his private key to recover the temporary session key, and that key is then used to decrypt the data.

Figure 2 How PGP Decryption Works

The amalgamation of these two techniques combines the convenience of public-key encryption with the speed of conventional encryption: the conventional key speeds up transmission, being about one thousand times faster than public-key encryption, while the public key solves the problem of key distribution. Uniting both keys gives good performance without compromising security.
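The sender's and receiver's steps just described, written out as an added example; this is not code from the paper and not PGP's own implementation. It uses Go's standard library: zlib for the compression step, AES-256-GCM standing in for PGP's conventional cipher, and RSA-OAEP standing in for the public-key wrapping of the session key. The 2048-bit key size, the random source (the operating system's generator rather than mouse and keyboard timing) and the sample message are the example's own assumptions.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what reaches the recipient: the wrapped one-time session key plus the encrypted compressed text.
type Envelope struct {
	WrappedSessionKey, Nonce, Ciphertext []byte
}

// NewRecipientKey generates the recipient's RSA key pair (assumed size: 2048 bits).
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// aead builds AES-256-GCM over a session key; it stands in for PGP's conventional cipher.
func aead(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender's side: compress, draw a random one-time session key, encrypt the
// compressed text with it, then wrap the session key with the recipient's public key (RSA-OAEP).
func Seal(recipient *rsa.PublicKey, plain []byte) (*Envelope, error) {
	var packed bytes.Buffer
	zw := zlib.NewWriter(&packed)
	zw.Write(plain) // writes into a bytes.Buffer cannot fail
	zw.Close()
	random := make([]byte, 32+12) // 256-bit session key plus 96-bit GCM nonce, from the OS CSPRNG
	if _, err := rand.Read(random); err != nil {
		return nil, err
	}
	sessionKey, nonce := random[:32], random[32:]
	gcm, err := aead(sessionKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, packed.Bytes(), nil)}, nil
}

// Open is the recipient's side in reverse: recover the session key with the private key, decrypt,
// then decompress. A modified ciphertext fails GCM's tag check, so tampering in transit is reported.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedSessionKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(sessionKey)
	if err != nil {
		return nil, err
	}
	packed, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext rejected: %w", err)
	}
	zr, err := zlib.NewReader(bytes.NewReader(packed))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

// RoundTrip seals msg, confirms that a one-bit change to the ciphertext is
// rejected, and returns the text recovered from the untouched envelope.
func RoundTrip(priv *rsa.PrivateKey, msg string) (recovered string, tamperDetected bool, err error) {
	env, err := Seal(&priv.PublicKey, []byte(msg))
	if err != nil {
		return "", false, err
	}
	forged := &Envelope{env.WrappedSessionKey, env.Nonce, append([]byte(nil), env.Ciphertext...)}
	forged.Ciphertext[0] ^= 0x01
	_, forgeErr := Open(priv, forged)
	plain, err := Open(priv, env)
	if err != nil {
		return "", false, err
	}
	return string(plain), forgeErr != nil, nil
}

func main() {
	priv, _ := NewRecipientKey()
	fmt.Println(RoundTrip(priv, "constructed sample: meet at noon and bring the signed contract"))
}
```

The envelope carries no signature, so it proves only that the message was not altered after sealing, not who sealed it; the signature step is a separate operation, as the paper describes next.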

PGP signs the data sent in a session using strong hashing functions together with signature algorithms such as RSA and DSA. The digital signature is produced from the sender's private key and the digest generated from the data. This provides non-repudiation: the plaintext and the digital signature are sent together. When they reach the receiver, he uses PGP to recompute the digest and applies the sender's public key and the signature algorithm to verify the transmission. The information can be considered unmodified if the digital signature verifies against the sender's public key. The possibility that an unauthorised person captures the data in between, reconstructs the message digest and produces a matching digital signature is very small.
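The sign-then-verify exchange described above, as an added example; it is neither the paper's code nor PGP's implementation. SHA-256 and RSA-PSS from Go's standard library stand in for the digest and signature algorithms, and the key size, names and sample message are the example's own assumptions. Besides the genuine case it shows the two outcomes a verifier must reject: a message altered in transit, and a signature checked against someone else's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewSignerKey generates a sender's RSA key pair (assumed size: 2048 bits).
func NewSignerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign computes the message digest and signs that digest with the sender's
// private key. SHA-256 and RSA-PSS stand in for the digest and signature
// algorithms in this example.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is the recipient's step: recompute the digest of the received text
// and check the signature against the sender's public key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Outcome records the three checks a recipient cares about.
type Outcome struct {
	Genuine          bool // untouched message checked with the sender's key
	AlteredRejected  bool // one character changed in transit
	WrongKeyRejected bool // same signature checked against someone else's key
}

// Demo signs msg as the sender and verifies it three ways.
func Demo(msg string) (Outcome, error) {
	if msg == "" {
		return Outcome{}, errors.New("message must not be empty")
	}
	sender, err := NewSignerKey()
	if err != nil {
		return Outcome{}, err
	}
	other, err := NewSignerKey()
	if err != nil {
		return Outcome{}, err
	}
	sig, err := Sign(sender, []byte(msg))
	if err != nil {
		return Outcome{}, err
	}
	altered := []byte(msg)
	altered[0] ^= 0x20 // flip the case of the first letter: a one-bit change to the text
	return Outcome{
		Genuine:          Verify(&sender.PublicKey, []byte(msg), sig),
		AlteredRejected:  !Verify(&sender.PublicKey, altered, sig),
		WrongKeyRejected: !Verify(&other.PublicKey, []byte(msg), sig),
	}, nil
}

func main() {
	fmt.Println(Demo("Constructed sample: transfer the files on Friday"))
}
```

Verification never recovers anything from the signature; it only recomputes the digest from the text it received and asks whether the signature matches that digest under the claimed sender's public key, which is why both a changed byte and a substituted key cause a clean rejection.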

Figure 3 Secure Digital Signatures

PGP employs digital certificates to verify the genuineness of the sender or creator of a data file: a certificate ties a public key to its specific user, and also shows whether the key is valid and genuine or no longer in existence. A certificate is composed of three parts: the certificate holder's information, the public-key information, and a digital signature. When a user sends data to a third person, the signature on the certificate lets the genuineness of sender and receiver be verified; this is what guarantees the certificate. PGP works with two certificate formats: PGP certificates and X.509 certificates. To validate these certificates PGP uses a model known as the web of trust. A signed key is used to start a file exchange session; when that key is forwarded to a third person, and on again from there, a user-centric model, the web of trust, results. A user who signs another user's key becomes the introducer of that key to the people it is forwarded to, and so the web of trust continues to grow.

In PGP any introducer can act as a Certifying Authority (CA), as long as he is validated by another PGP user's digital certificate. This lets a PGP user validate other users' public keys if the introducer is in his trusted-user list. The process is similar to torrent downloading: the more positive comments and downloads a particular file has, the more likely it is to come from a trusted source. Likewise, the more trusted users have signed a key, the more people will trust that key's validity and genuineness.

A public key can be trusted at one of three levels:
1. Complete trust
2. Marginal trust
3. No trust

Besides these trust levels, a public key also has one of three validity levels:
1. Valid
2. Marginally valid
3. Invalid

If a new user is to become trusted, that user must have his key signed, either directly or through any other trusted user, and the resulting key is defined as a trusted key at some level. For a key to be considered valid, one has to start with at least one complete signature. On the key owner's machine a passphrase is used to encrypt the private key, which is stored on the hard drive and protected with a hashing algorithm. Without this passphrase the private key is of no use to anyone, and there is no way to recover it by normal means; therefore the passphrase should be easy for the user to remember without being disclosed to anyone.
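A small model of the trust and validity levels from the two lists above, added here as an example; it is not the paper's code and not PGP's implementation. Trust is something the keyring owner assigns by hand; validity is computed from signatures, and a signature counts only when the signer's own key is valid and the owner trusts the signer as an introducer. The thresholds (one complete signature, or two marginal ones, for a key to be fully valid) are assumed to be the classic PGP defaults and are parameters of the model; the keyring and its names are constructed.

```go
package main

import "fmt"

// Trust is how far the keyring owner trusts a key holder as an introducer (a signer of others' keys).
type Trust int
const (
	NoTrust Trust = iota
	MarginalTrust
	CompleteTrust
)

// Validity is computed from signatures: how sure the owner can be that a key belongs to its named holder.
type Validity int
const (
	Invalid Validity = iota
	MarginallyValid
	Valid
)
var validityNames = []string{"invalid", "marginally valid", "valid"}
func (v Validity) String() string { return validityNames[v] }

// Key is one keyring entry: the owner's trust in its holder, and who has signed it.
type Key struct {
	Trust    Trust
	SignedBy []string
}

// Keyring is the owner's view of the web of trust. CompletesNeeded and MarginalsNeeded are the
// signature counts that make a key fully valid; 1 and 2 were the classic PGP defaults (assumed).
type Keyring struct {
	Me                               string
	Keys                             map[string]*Key
	CompletesNeeded, MarginalsNeeded int
}

// Validity applies the rule in the text: a signature counts only if the signer's own key is valid
// and the owner trusts the signer as an introducer. Enough counted signatures make the key Valid,
// fewer make it MarginallyValid, none leave it Invalid.
func (r *Keyring) Validity(holder string) Validity {
	return r.validity(holder, map[string]bool{})
}

func (r *Keyring) validity(holder string, visiting map[string]bool) Validity {
	if holder == r.Me {
		return Valid // the owner's own key is the root of the web
	}
	k, ok := r.Keys[holder]
	if !ok || visiting[holder] {
		return Invalid // unknown key, or a signature loop with no path back to the owner
	}
	visiting[holder] = true
	defer delete(visiting, holder)
	completes, marginals := 0, 0
	for _, signer := range k.SignedBy {
		s, ok := r.Keys[signer]
		if !ok || r.validity(signer, visiting) != Valid {
			continue
		}
		switch s.Trust {
		case CompleteTrust:
			completes++
		case MarginalTrust:
			marginals++
		}
	}
	switch {
	case completes >= r.CompletesNeeded || marginals >= r.MarginalsNeeded:
		return Valid
	case completes > 0 || marginals > 0:
		return MarginallyValid
	}
	return Invalid
}

// SampleKeyring is a constructed keyring; all names are placeholders.
func SampleKeyring() *Keyring {
	return &Keyring{
		Me: "alice", CompletesNeeded: 1, MarginalsNeeded: 2,
		Keys: map[string]*Key{
			"alice": {Trust: CompleteTrust},
			"bob":   {SignedBy: []string{"alice"}},                       // signed by the owner
			"carol": {Trust: MarginalTrust, SignedBy: []string{"alice"}}, // a marginal introducer
			"dave":  {Trust: MarginalTrust, SignedBy: []string{"alice"}}, // a marginal introducer
			"erin":  {SignedBy: []string{"carol", "dave"}},               // two marginal signatures
			"frank": {SignedBy: []string{"carol"}},                       // one marginal signature
			"grace": {Trust: CompleteTrust, SignedBy: []string{"frank"}}, // frank is no introducer
			"heidi": {SignedBy: []string{"mallory"}},                     // signer not on the keyring
			"ivan":  {SignedBy: []string{"judy"}},                        // ivan and judy vouch only
			"judy":  {Trust: CompleteTrust, SignedBy: []string{"ivan"}},  // for each other
		},
	}
}

func main() {
	r := SampleKeyring()
	fmt.Println(r.Validity("bob"), r.Validity("erin"), r.Validity("frank"), r.Validity("grace"), r.Validity("heidi"), r.Validity("judy"))
}
```

Two cases in the sample are worth noting: grace is marked completely trusted yet her key is invalid, because trust is the owner's opinion of a person while validity must be earned through signatures that trace back to the owner; and ivan and judy signing each other yields nothing, since a loop with no path to the owner's key cannot bootstrap validity.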

Applications of PGP
PGP is mostly used to secure and encrypt e-mail messages, but at a time when insecurity is increasing day by day, its use has been extended to many applications, such as:
1. E-mails and attached files
2. Complete hard disk drive encryption
3. Digital signatures
4. Securing files and folders
5. Securing IM sessions
6. Batch file exchange
7. File protection on storage drives
8. Self-decrypting archives
9. Deleted files
10. Shredded files, etc.

Limitations of PGP
Like all encryption systems, PGP has limitations. PGP does not protect against hackers, eavesdroppers, blackmailers or even dumpster divers, which means a message may still be seized on its way to delivery. If someone blackmails the key holder, the private key may be revealed to him. Passphrases are often found in recycle bins, because administrators write passwords on paper and forget to shred them properly; a dumpster diver can use that to find the key. The passphrase could also be revealed in casual conversation or through social engineering attacks.

Block 2

Downloading PGP

1. Start a browser and go to http://lists.gnupg.org/pipermail/gnupgannounce/2012q1/000314.html.
2. At the top of the window, click on Downloads.
3. In the next screen, scroll to the bottom and check the box to indicate that you agree to the EULA. Click the Accept button.
4. The next screen asks for your name, address, and other information. Fill it in any way you choose.
5. Confirm your email address in the next screen.
6. Check your email. You should receive a message with a Subject line beginning PGP Order Confirmation. Open it and click on the download link.
7. Follow the instructions to download the file.
8. Save the file on your desktop.
9. The remaining instructions are for Windows 2000 or XP users. Windows 95 or 98 users will need WinZip. I'm not sure what Mac users will need.
10. Minimize all the windows, find the downloaded file on your desktop and double-click it. That opens a zip archive containing two files, as shown to the right on this page. Resize the window so it does not cover the whole desktop, and then drag those two files to the desktop. That will unzip them so you can use them.

Installing PGP
1. Restart your machine when prompted to. Double-click the GPG4win.2.1.0.exe file on your desktop. When it asks you what language to use, select English.
2. An installer runs. Accept the license agreement and click Next twice.

PGP Setup
1. The PGP Setup Assistant opens as shown to the right on this page. If you see an Enabling PGP screen, accept the default selection of Yes and click Next.
2. At the Licensing Assistant: Enable Licensed Functionality screen, click Next.
3. At the Licensing Assistant: Enter License screen, select Use without a license and disable most functionality and click Next.
4. At the Licensing screen, click Next.

Generating Keys
1. At the User Type screen, accept the default selection of I am a new user and click Next.
2. At the PGP Key Generation Assistant screen, click Next.
3. At the Name and Email Assignment screen, enter your name and a working email address and click Next.
4. At the Passphrase Assignment screen, enter a word or phrase you can remember into both boxes and click Next.
5. At the Key Generation Progress screen, wait till the animation stops and click Next.
6. At the PGP Messaging: Introduction screen, clear both boxes and click Next.
7. At the Congratulations! screen, click Finish.

You should now see a padlock-and-keys icon in the notification area (the lower-right corner of the screen), as shown to the right on this page. That icon indicates that PGP is running, and it's the easiest way to use the PGP program.

Exporting the key to a storage disk

1. It is important to export your key to a floppy disk, so that you will still be able to read your encrypted e-mail even if the computer you are using loses the information. This is especially important if you work in a public lab, because the files on the machine will vanish at each restart because of the Deep Freeze software. If you are working at home on your own machine, this step is not really necessary.
2. Click the padlock icon in the notification area and select Open PGP Desktop.
3. In the PGP Desktop All Keys window, you will see your name listed in the All Keys column, as shown to the right on this page. You will see your name instead of Sam CCSF.
4. Right-click your name and select Export. In the Export Key to File window, in the Save in: drop-down list box, select Flash drive. Check the Include Private Key(s) box, as shown to the right on this page. Accept the default file name and click Save to save the file.

Exporting a key to a key server


1. No one can send you encrypted email unless they have your public key. The best way to make that key available is to upload it to a public server.
2. In the PGP Desktop All Keys window, right-click your name and select Send To, ldap://keyserver.pgp.com:389, as shown to the right on this page.
3. A PGP Global Directory Assistant window opens. Click Next.
4. A progress indicator moves. When it stops, you should see a message saying Successfully uploaded key(s) to keyserver.pgp.com. Click Next.
5. At the Completing the PGP Global Directory Assistant screen, click Finish.

Block 3

Verify the working of PGP and keys


To verify that PGP is working we use Wireshark, a free, unlicensed network protocol analyser that captures the packets travelling over the network during a session or file exchange. Wireshark is most commonly used for sniffing, which can also serve unauthorised and illegal activity on a network and attempts at hacking; here we use it only to verify PGP on the local network: to follow the file exchange through the session, the public-key encryption, and the compression and encryption of the plaintext into ciphertext. The first screenshot shows the unencrypted information travelling over the network, captured in the middle of the conversation by this tool:

These are the packets captured with Wireshark. They show the information travelling across the network through an intermediate point, the packet sniffer's PC, which in this case is ours; that PC therefore holds routing-administrator powers on the network, and every packet has to pass through it.

The next screenshot shows the unencrypted information without PGP; this is the actual information exchanged over the network when PGP is not deployed.

The next screen dump shows the same information captured after PGP was deployed in the network, that is, what a malicious attacker or hacker intercepting it would see. This screen verifies that PGP is working in the system after installation. The screen dump shows fewer packets because the system on which PGP was deployed is a virtual machine workstation, so it only has access to the inter-VM network.

This completes the verification of PGP's working and deployment. The working and verification of the public key used in PGP sessions is explained below:

1. Go to the mail server you used to send the message in the earlier steps. There should be a message with the header [PGP Global Directory] asking you to verify the key (Verify The Key).
2. Open that message and click the Complete the Verification Process button, as shown to the right on this page.
3. A Web page opens with the title Verify Your Key, as shown to the right on this page. Click the Accept button.

The next window is titled Email Address Confirmed and it gives you a chance to download a verification key. You can ignore that and close the browser; the verification key is not required for this assignment.

Importing Key from Keyserver

1. In the PGP Desktop All Keys window, in the left pane, click Search for Keys.
2. A Search for Keys pane opens at the top of the PGP Desktop All Keys window. Leave the first two boxes set at the defaults, which create the phrase Search everywhere for keys that meet all of the following conditions: In the third line, there are three boxes. In the first box, select Email. Leave the second box set to Contains and in the third box, enter cnit.131@gmail.com. Your Search for Keys pane should look like the figure to the right on this page. Click the Search button. CNIT 131 should appear in the lower portion of the window.

3.

4.

5. Right-click CNIT 131 and select Add To, All Keys.

Applying Encryption on a Text File

1. Click Start, All Programs, Accessories, Notepad. Type in your name, as shown to the right on this page, and save the file as hw15 on your floppy disk, or in any other folder you can find, such as the My Documents folder.
2. Open the folder containing the hw15 file. Right-click the hw15 file and select PGP, PGP Zip, Encrypt & Sign, as shown to the right on this page.
3. In the PGP Desktop Key Selection Dialog box, drag CNIT 131 from the upper pane to the lower Recipients list, as shown to the right on this page. This means the file will be encrypted using my public key that you just imported, so I can read it. Your name will also appear in the Recipients list; that way you can read your copy of the email. Click the OK button.
4. A PGP Desktop Enter Passphrase box opens, but you won't have to enter it because it was cached earlier. Click the OK button.
5. A hw15.txt file will appear on your diskette, with an icon showing a lock, and the file type PGP Encrypted File, as shown to the right on this page.
6. To see what the encryption has accomplished, right-click this file and select Open With, Notepad. (You may have to select Choose Program and select Notepad from a list.) You can see that the file is utterly unreadable, as shown to the right on this page. Close Notepad.

Email the Encrypted File to Me for Verification

1. Use any email client of your choice to mail the hw15.txt.pgp file to me as an attachment. My address is CNIT.131@gmail.com. Use a subject line of HW15 from Your Name.

Verifying the Email

1. Read your email. Within a few days, I will reply to your email, and I will include an attachment with the secret instructions you need to use to complete this assignment. Save the attachment on a floppy disk, or any other folder of your choice.
2. Right-click the padlock icon in the notification area at the lower-right corner of your desktop and select Open PGP Desktop. Verify that your key is shown in the list. If it is not, select File, Import and import the key from the floppy disk you saved it on.
3. Open the floppy disk (or the other folder you saved my attachment in). Double-click the encrypted file. PGP Desktop should open showing that the secret.txt file was Decrypted and Verified, as shown to the right on this page.
4. In the lower pane of the PGP Desktop window, right-click the secret.txt file and select Extract. Enter your passphrase if you are prompted to.
5. In the Browse for Folder box, select the desktop or any other location of your choice for the decrypted file, and click OK.
6. Open the decrypted file and send the secret word inside it back to me to complete the assignment.

Summary
PGP is based on the worldwide accepted technology known as the public-key cryptosystem, which is used to establish secure sessions; it is believed to be the most popular and secure means of communication and file exchange to date. It uses some very strong algorithms, such as SHA-512, AES-256 and Diffie-Hellman/DSS, for protecting the data, which are very hard to break during the validity of a session; as the study shows, even government security agencies are unable to break the code and decipher the information within the session limit. The only weakness in PGP encryption at present is human error or vulnerability. PGP has become a standard protocol for encrypted file exchange.

