
Lecture7 PGP

Pretty Good Privacy (PGP) is a widely used public key cryptography program developed by Philip Zimmermann in the early 1990s, providing services such as authentication, confidentiality, and compression for secure email communication. It utilizes various cryptographic algorithms, including RSA for key exchange and SHA-1 for hashing, and employs a hybrid cryptosystem approach to enhance performance. PGP's growth is attributed to its availability, security, and versatility across different platforms, making it suitable for both individuals and corporations.

Uploaded by stevegitau019

11/29/2022

Pretty Good Privacy (PGP)

The Pretty Good Privacy Algorithm


UCI 403: Information Assurance and Security

Summary

• Overview
  – Characteristics – Reasons for Growth.
• Operational Description – Services
  – Authentication – Confidentiality – Authentication and Confidentiality – Compression – E-Mail Compatibility – Compression and Reassembly.
• Cryptographic Keys
  – Session Key Generation – Key Identifiers – General Format of PGP Message – Key Rings.
• Public Key Management
  – Use of Trust – Trust Flag Byte – Revocation of Public Keys.

PGP Overview

• Pretty Good Privacy (PGP) was developed by Philip Zimmermann in the early 1990s.
  – One of today's most widely used public key cryptography programs.
  – Long subject of controversy.
  – Available as a plug-in for many e-mail clients (e.g. Outlook, Gmail, Apple Mail, Eudora, etc.)
• Provides confidentiality and authentication.
  – Sign and/or encrypt e-mail messages.
  – File storage applications.

PGP Overview

• It implements the following algorithms:
  – SHA or MD5 for calculating the message hash;
  – CAST, Triple-DES, or IDEA for encryption; and,
  – RSA or DSS/Diffie-Hellman for key exchange and digital signatures.
• PGP was one of the first so-called "hybrid cryptosystems" that combined aspects of hashing, compression, SKC and PKC.
  – When Zimmermann was first designing PGP in the late 1980s, he wanted to use RSA to encrypt the entire message.
  – The PCs of the day, however, suffered significant performance degradation when executing RSA, so he hit upon the idea of using SKC to encrypt the message and PKC to encrypt the SKC key.

PGP Characteristics

1. Implements the best available cryptographic algorithms as building blocks.
2. Integrates these algorithms into a general purpose application that is independent of the operating system and processor and is based on a small set of easy-to-use commands.
3. Makes the package and its documentation freely accessible.
  • Including the source code.
4. Entered agreement with a company to provide a fully compatible, low cost commercial version of PGP.
  • Network Associates Inc.

PGP Reasons for Growth

1. Freely available worldwide in versions that run on a variety of platforms.
  • Commercial version includes support.
2. Based on algorithms that are considered extremely secure.
3. Provides a wide range of applicability.
  • From individuals to large corporations.
4. It is not controlled by any governmental or standards organization.
5. PGP is now on an Internet standards track.
  • RFC 3156

PGP Operational Description

The actual operation of PGP consists of 5 services:
1. Authentication
2. Confidentiality
3. Compression
4. E-mail compatibility
5. Segmentation

The next slide gives a summary of these services, then we discuss each service in more detail.

Summary of PGP Services

| Function | Algorithms Used | Description |
|---|---|---|
| Digital signature | DSS/SHA or RSA/SHA | A hash code of a message is created using SHA-1. This message digest is encrypted using DSS or RSA with the sender’s private key and included with the message. |
| Message encryption | CAST or IDEA or Three-key Triple DES with Diffie-Hellman or RSA | A message is encrypted using CAST-128 or IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with the recipient’s public key and included with the message. |
| Compression | ZIP | A message may be compressed, for storage or transmission, using ZIP. |
| Email compatibility | Radix 64 conversion | To provide transparency for email applications, an encrypted message may be converted to an ASCII string using radix 64 conversion. |
| Segmentation | -- | To accommodate maximum message size limitations, PGP performs segmentation and reassembly. |

PGP Authentication

1. Sender creates a message.
2. Use SHA-1 to generate 160-bit hash of message.
3. Hash encrypted with RSA using sender's private key and is prepended to message.
4. Receiver uses RSA with sender's public key to decrypt and recover hash code.
5. Receiver generates a new hash code for the message and compares it with the decrypted hash code.
  • If the two match, the message is accepted as authentic.

PGP Authentication

M: Plaintext
H: Hash Function
PRa: Private Key of user A
PUa: Public Key of user A
EP: Public Key Encryption
DP: Public Key Decryption
Z: Compression using Zip
||: Concatenation

PGP Authentication

• The combination of SHA-1 and RSA provides an effective digital signature scheme.
  – Because of the strength of RSA: the recipient is assured that only the possessor of the matching private key can generate the signature.
  – Because of the strength of SHA-1: the recipient is assured that no one else could generate a new message that matches the hash code and hence the signature of the original message.
• Signatures may be attached to the message or sent separately.

PGP Confidentiality

1. Sender generates message and 128-bit random number as one-time session key.
2. Encrypt message using CAST-128 (or IDEA or 3DES in 64-bit cipher feedback (CFB) mode) with session key.
3. Encrypt session key with RSA using recipient's public key, and prepend to message.
4. Receiver uses RSA with its private key to decrypt and recover session key.
  – PGP can use ElGamal (a derivative of Diffie-Hellman) as an alternative for key encryption.
5. Session key is used to decrypt message.

PGP Confidentiality

M: Plaintext
Ks: Session Key
EC: Symmetric Encryption
DC: Symmetric Decryption
PRb: Private Key of user B
PUb: Public Key of user B
EP: Public Key Encryption
DP: Public Key Decryption
Z: Compression using Zip
||: Concatenation

PGP Confidentiality

• RSA (or ElGamal) is not used for message encryption because symmetric algorithms are substantially faster.
• Using public-key encryption solves the problem of key distribution.
• The use of a one-time symmetric key further strengthens the symmetric algorithm.
  – PGP provides key size options from 768 to 3072 bits.

PGP Confidentiality and Authentication

Both services may be used on same message:
1. Signature is generated for the plaintext message and prepended to the message.
2. Encrypt both message and signature using CAST-128/IDEA/3DES and the session key using RSA or ElGamal.
  – Preferred sequence: Sender first signs the message with its own private key, then encrypts the message with session key, then encrypts session key with recipient’s public key.
  – Allows storing a signature with the plaintext version of message.
  – A third party may not need to be concerned with the symmetric key when verifying the signature.

PGP Confidentiality and Authentication

KS: Session Key
EC: Symmetric Encryption
DC: Symmetric Decryption
H: Hash Function
PRa: Private Key of user A
PRb: Private Key of user B
PUa: Public Key of user A
PUb: Public Key of user B
EP: Public Key Encryption
DP: Public Key Decryption
Z: Compression using Zip
||: Concatenation

PGP Compression

• PGP uses the ZIP compression algorithm.
  – Average compression ratio: 2.0
• PGP compresses messages after signature but before encryption.
  – Saves space for e-mail transmission and for file storage.
• Message encryption is applied after compression to strengthen cryptographic security.
  – The compressed message has less redundancy than the original plaintext thus making cryptanalysis more difficult.

PGP Compression

The signature is done before compression for two reasons:
1. We can store only the uncompressed message and the signature for future verification.
2. PGP’s compression algorithm is not deterministic.
  – Various implementations of the algorithm achieve different tradeoffs in running speed vs. compression ratio.
  – They are all interoperable.
    • Any version can decompress any other.
  – Applying a hash function to the output would constrain all PGP implementations to the same version.
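The sign, compress, encrypt sequence from the authentication, confidentiality and compression slides above, as an added Python example that is not part of the original lecture. Assumptions: textbook RSA over small Mersenne primes stands in for real RSA keys, a SHA-256-based function stands in for CAST-128 inside 64-bit CFB mode, and the random IV and fixed-width field layout are choices made for this example, so it is neither secure nor wire-compatible with PGP.

```python
import hashlib
import secrets
import zlib

def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA key from two known primes (assumption: demo only, not secure)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def size(key):
    """Byte length of the modulus, used as the fixed field width."""
    return (key["n"].bit_length() + 7) // 8

def cfb64(ks, iv, data, decrypt=False):
    """64-bit CFB mode; SHA-256(ks || block)[:8] stands in for CAST-128."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), 8):
        block = data[i:i + 8]
        pad = hashlib.sha256(ks + prev).digest()[:8]
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res  # feedback is always the ciphertext block
    return bytes(out)

def pgp_send(m, pr_a, pu_b):
    # SHA-1 as on the slides; it is no longer collision resistant.
    h = int.from_bytes(hashlib.sha1(m).digest(), "big")             # H(M)
    sig = pow(h, pr_a["d"], pr_a["n"])                              # EP(PRa, H(M))
    z = zlib.compress(sig.to_bytes(size(pr_a), "big") + m)          # Z(signature || M)
    ks, iv = secrets.token_bytes(16), secrets.token_bytes(8)        # one-time Ks, IV
    wrapped = pow(int.from_bytes(ks, "big"), pu_b["e"], pu_b["n"])  # EP(PUb, Ks)
    return wrapped.to_bytes(size(pu_b), "big") + iv + cfb64(ks, iv, z)

def pgp_receive(packet, pr_b, pu_a):
    k = size(pr_b)
    ks_int = pow(int.from_bytes(packet[:k], "big"), pr_b["d"], pr_b["n"])  # DP(PRb, .)
    if ks_int >= 1 << 128:
        raise ValueError("session key field did not decrypt to a 128-bit key")
    ks, iv, body = ks_int.to_bytes(16, "big"), packet[k:k + 8], packet[k + 8:]
    signed = zlib.decompress(cfb64(ks, iv, body, decrypt=True))     # DC, then unzip
    s = size(pu_a)
    sig, m = int.from_bytes(signed[:s], "big"), signed[s:]
    if pow(sig, pu_a["e"], pu_a["n"]) != int.from_bytes(hashlib.sha1(m).digest(), "big"):
        raise ValueError("signature does not match message hash")
    return m

# Constructed key pairs built from Mersenne primes; each dict holds both halves.
ALICE = toy_rsa_keypair(2**89 - 1, 2**127 - 1)
BOB = toy_rsa_keypair(2**61 - 1, 2**107 - 1)

if __name__ == "__main__":
    packet = pgp_send(b"Hi Carol." * 50, ALICE, BOB)
    print(len(packet), pgp_receive(packet, BOB, ALICE)[:9])
```

Because the signature is computed over the plaintext before compression, the receiver can keep the recovered signature and message together and re-verify them later without the session key.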

PGP E-mail Compatibility

• Many electronic mail systems only permit the use of blocks consisting of ASCII text.
• PGP provides the service of converting the raw 8-bit binary stream to a stream of printable ASCII characters using radix-64.
  – Each group of three octets of binary data is mapped into four ASCII characters.
  – It also appends a CRC to detect transmission errors.

PGP E-mail Compatibility

• Use of radix-64 expands message by 33%.
  – Ignoring the signature and key components, the effect of compression and expansion on a file of length X would be:
    1.33*0.5*X = 0.665*X
  – Hence, overall compression of about 1/3.
  – Radix-64 blindly converts the input stream regardless of the content.
  – Thus if a message is not signed but encrypted, the output will be unreadable to the casual observer.

PGP Operation – Summary


PGP Segmentation and Reassembly

• Many systems restrict maximum length to 50,000 octets.
  – Any message longer must be broken up to smaller segments each of which is mailed separately.
• PGP automatically subdivides large messages to segments that can be sent via e-mail.
  – Segmentation is the last thing done (after radix-64 conversion).
  – The session key component and signature appear only once, at the beginning of the first segment.
• At the receiving end, PGP strips off all e-mail headers and reassembles the entire original block.

PGP Example 1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Carol.

What was that pithy Groucho Marx quote?

/kess

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNFUdO5WOcz5SFtuEEQJx/ACaAgR97+vvDU6XWELV/GANjAAgBtUAnjG3
Sdfw2JgmZIOLNjFe7jP0Y8/M
=jUAU
-----END PGP SIGNATURE-----

• A PGP signed message. This message will not be kept secret from an eavesdropper, but a recipient can be assured that the message has not been altered from what the sender transmitted. The sender signs the message using their own private key. The receiver uses the sender's public key to verify the signature.

PGP Example 2
-----BEGIN PGP MESSAGE-----
Version: PGP for Personal Privacy 5.0
MessageID: DAdVB3wzpBr3YRunZwYvhK5gBKBXOb/m

=MpRf
-----END PGP MESSAGE-----

• PGP encrypted message.

PGP Cryptographic Keys

PGP uses four types of keys:
1. One-time session symmetric keys.
2. Public keys.
3. Private keys.
4. Passphrase-based symmetric keys.

PGP Cryptographic Keys

Key requirements:
1. A means of generating unpredictable session keys.
2. Allow multiple public key/private key pairs per user.
  • User may wish to change key pair from time to time.
  • User may have multiple key pairs to interact with different groups of correspondents to enhance security.
3. Each PGP entity must maintain a file of its own public/private key pairs as well as a file of public keys of correspondents.

PGP Session Key Generation

• Each session key is associated with a single message.
  – Used only for encrypting/decrypting that message.
• A symmetric encryption algorithm is used.
  – CAST-128 and IDEA use 128-bit keys.
  – 3DES uses a 168-bit key.
• In the following discussion, assume we choose CAST-128.

PGP Session Key Generation

• Use CAST-128 to generate a 128-bit random number.
  – Input consists of a 128-bit key and two 64-bit blocks that are treated as plaintext to be encrypted.
  – Using cipher feedback mode, CAST-128 produces two 64-bit ciphertext blocks, concatenated to form the 128-bit session key.
• The plaintext input is derived from a stream of 128-bit randomised numbers.
  – Numbers based on keystroke input from users.
  – Both keystroke timing and actual keys struck are used.
  – Also combined with previous session key output from CAST.
• Result is an unpredictable sequence of session keys.

PGP Key Identifiers

• A user may have multiple private/public key pairs.
  – How does the recipient know which of its public keys was used to encrypt?
• Possible solutions:
1. Include public key with message.
  – Recipient could verify this is one of its public keys and proceed.
  – Unnecessarily wasteful of space.

PGP Key Identifiers

2. Associate an identifier with each public key.
  – Unique within each user.
  – Combination of User ID and Key ID would be sufficient.
  – Only the much shorter Key ID would need to be transmitted.
  – Management and overhead problem: Key IDs must be assigned and stored.

PGP Key Identifiers

3. Assign a Key ID to each public key that is with high probability unique within a user ID.
  – Consists of its least significant 64 bits.
    • Key ID of a public key PUa: PUa mod 2^64
    • Sufficient length: probability of duplicate IDs very small.
  – Key ID also required for the digital signature because sender may use one of its private keys to encrypt.

General Format of PGP Message

• A PGP message consists of 3 components:
  – The message component.
  – An optional signature.
  – An optional session key component.
• The following figure shows the different components:

General Format of PGP Message


PGP Key Rings

• PGP provides a pair of data structures at each node to store key IDs:
  – Private Key Ring:
    • To store the private/public key pairs owned by that node.
  – Public Key Ring:
    • To store the public keys of other users known to this node.

PGP Private Key Ring

• Storage of private keys:
  – User selects a passphrase.
  – System generates new key pair using RSA and asks user for passphrase.
  – Using SHA-1, a 160-bit hash is generated from passphrase and passphrase is discarded.
  – Private key is encrypted using CAST-128 (or IDEA or 3DES) and the hash as key.
  – Encrypted private key is stored and hash discarded.
• Passphrase is entered every time the user wants to access the private key.

PGP Key Ring Structures


PGP Public Key Management

• Protecting public keys from tampering is the single most difficult problem in practical PKC.
• Suppose: A’s key ring contains a public key attributed to B but the key is actually owned by C!
  – A got the key from a bulletin board system (BBS) that was used by B to post the public key but was compromised by C.
  – C can then send messages to A and forge B’s signature.
  – Any encrypted message from A to B can be read by C.
• Need for approaches that minimise the risk that a user’s public key ring contains false public keys.

PGP Public Key Management

1. Physically get the key ring from B.
2. Verify key by telephone.
  • Send key by mail, compute SHA-1 hash (“fingerprints”) and call.
3. Obtain B’s public key from a mutual trusted individual D.
  • D creates a signed certificate: Create certificate, compute SHA-1 digest, encrypt digest with private key and attach signature to certificate.
  • Send directly or post in BBS.
4. Obtain B’s public key from a trusted certifying authority.
  • Public key certificate created and signed by certifying authority.

PGP Use of Trust

• PGP provides a convenient means of using trust, associating trust with public keys and exploiting trust information.
• Each entry in the public key ring is a public key certificate.
• Associated with each entry we have the following fields:
  – Key Legitimacy.
  – Signature Trust.
  – Owner Trust.
• These fields are contained in a structure known as Trust Flag Byte (shown in next table).

PGP Use of Trust

• Key Legitimacy Field:
  – Indicates the extent to which the user trusts this is a public key for this user.
  – Computed by PGP.
• Signature Trust Field: Associated with each entry are zero or more signatures that sign this certificate. Each signature has a trust field.
  – Indicates the degree to which user trusts the signer to certify public keys.
  – Derived from the collection of signature trust fields in the collection.
• Owner Trust Field: Each entry defines a public key associated with a particular owner with an associated trust.
  – Indicates the degree to which this public key is trusted to sign other public key certificates.
  – Assigned by the user.

PGP Use of Trust

Trust processing is as follows:
1. When A inserts a new public key, PGP must assign a value to the trust flag that is associated with the owner of this public key.
  – If owner is A, key appears in private key ring, then value: ultimate trust.
  – Otherwise, A is asked for his assessment of the trust to be assigned to the owner of this key: unknown, untrusted, marginally trusted or completely trusted.

PGP Use of Trust

2. One or more signatures must be attached to new entry. More signatures may be added later.
  – PGP searches to see if author is among the known public key owners.
  – If found, OWNERTRUST value is assigned to SIGTRUST.
  – Otherwise, unknown user is assigned.
3. Value of key legitimacy is calculated based on the signature trust fields present for this entry.
  – If at least one has value of ultimate, then set to complete.
  – Otherwise, compute weighted sum of trust values.
  – A weight of 1/X given to signatures that are always trusted; 1/Y to those that are usually trusted (X and Y configured by user).
  – If total weight reaches 1, then set to complete.

PGP Trust Flag Byte


PGP Use of Trust

• In the absence of ultimate trust, X signatures that are always trusted or Y signatures that are usually trusted (or some other combination) are needed.
• A key that is trusted to be legitimate may not be trusted to sign other keys.
• PGP processes the public-key ring periodically to achieve consistency.
• It is a top-down process.
  – For each OWNERTRUST field, PGP scans the ring for all signatures authored by that owner and updates the SIGTRUST field to equal the OWNERTRUST field.
  – Then all KEYLEGIT fields are computed on the basis of the attached signatures.
• In the following example, we assume that two partially trusted signatures are sufficient to certify a key.

PGP Trust Models

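The trust processing described on the "PGP Use of Trust" slides, as an added Python example that is not part of the original lecture. It applies only the rules stated there (SIGTRUST copied from the signer's OWNERTRUST, then the 1/X and 1/Y weighted sum). The ring contents, the field names, the label "incomplete" for a key below the threshold, and treating the user's own key as legitimate are assumptions of this example.

```python
from fractions import Fraction

ULTIMATE, ALWAYS, USUALLY = "ultimate", "always", "usually"
UNTRUSTED, UNKNOWN = "untrusted", "unknown"

def process_ring(ring, x=1, y=2):
    """Top-down pass over a public key ring.

    ring maps key_id -> {"owner_trust": ..., "signed_by": [key_id, ...]}.
    x and y are the user-configured counts: x always-trusted or y
    usually-trusted signatures certify a key.
    """
    weight = {ALWAYS: Fraction(1, x), USUALLY: Fraction(1, y)}
    result = {}
    for key_id, entry in ring.items():
        # SIGTRUST of each signature = OWNERTRUST of its author, or unknown
        # when the author is not among the known public key owners.
        sigtrust = [ring[s]["owner_trust"] if s in ring else UNKNOWN
                    for s in entry["signed_by"]]
        # KEYLEGIT: one ultimate signature is enough, otherwise the weighted
        # sum must reach 1. Untrusted and unknown signers contribute nothing.
        if entry["owner_trust"] == ULTIMATE or ULTIMATE in sigtrust:
            legit = True
        else:
            total = sum((weight.get(t, Fraction(0)) for t in sigtrust), Fraction(0))
            legit = total >= 1
        result[key_id] = {"sigtrust": sigtrust,
                          "keylegit": "complete" if legit else "incomplete"}
    return result

# Constructed ring: "you" is the ring owner, "Z" is a signer not present in the ring.
RING = {
    "you": {"owner_trust": ULTIMATE,  "signed_by": []},
    "B":   {"owner_trust": USUALLY,   "signed_by": ["you"]},
    "C":   {"owner_trust": USUALLY,   "signed_by": ["you"]},
    "D":   {"owner_trust": UNTRUSTED, "signed_by": ["B", "C"]},
    "E":   {"owner_trust": ALWAYS,    "signed_by": ["B"]},
    "F":   {"owner_trust": UNKNOWN,   "signed_by": ["D", "Z"]},
}

if __name__ == "__main__":
    for key_id, fields in process_ring(RING).items():
        print(key_id, fields["sigtrust"], fields["keylegit"])
```

Key D is legitimate (two usually-trusted signatures with Y = 2) but its owner is untrusted, so its signature on F carries no weight; E shows the reverse, a trusted owner whose key has not yet been certified.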

PGP Revocation of Public Keys

• A user may wish to revoke a public key because it may be compromised or to avoid using it for an extended period of time.
• The owner then issues a signed key revocation certificate.
  – The corresponding private key is used to sign the certificate that revokes the public key.
• The owner should disseminate this certificate as widely and quickly as possible to enable potential correspondents to update their public key rings.

Among the first Hybrid cryptosystems

• PGP was one of the first so-called "hybrid cryptosystems" that combined aspects of SKC and PKC.
  – When Zimmermann was first designing PGP in the late 1980s, he wanted to use RSA to encrypt the entire message.
  – The PCs of the day, however, suffered significant performance degradation when executing RSA so he hit upon the idea of using SKC to encrypt the message and PKC to encrypt the SKC key.

References

• Most of the material and diagrams in the previous slides were taken from:
  • Stallings, W. Cryptography and Network Security: Principles and Practice, 4th ed. Englewood Cliffs (NJ): Prentice Hall, 2006.
  • Gary C. Kessler, May 1998 (last updated: 1st Oct 2022), on:
    – https://www.garykessler.net/library/crypto.html