ECS401: Cryptography and

Network Security

Module 5: Authentication Protocols

Email Security : Pretty Good Privacy
Lecture 47 and 48
Outline of the lecture
• Pretty Good Security
• The Working of PGP
• PGP Algorithms
• Key Rings
• PGP Certificates

2
Pretty Good Security
Phil Zimmerman is the father of the Pretty Good Privacy (PGP) protocol. He is credited with the creation of
PGP.
The most significant aspects of PGP are that it supports the basic requirements of cryptography, is quite
simple to use, and is completely free, including its source code and documentation.
Moreover, for those organizations that require support, a low-cost commercial version of PGP is available
from an organization called Viacrypt (now Network Associates).
PGP has become extremely popular and is far more widely used, as compared to PEM. The email
cryptographic support offered by PGP is shown in Figure 1.

Figure 1: Security features offered by PGP 3

The Working of PGP

As shown, PGP
In PGP, the sender starts with a digital
of the message signature, which is
needs to include The broad-level followed by
the identifiers of steps in PGP are compression, then
the algorithm used illustrated in Figure by encryption,
in the message, 2. then by digital
along with the enveloping and
value of the keys. finally, by Base-64
encoding.

Figure 2: PGP operations

4
The Working of PGP
PGP allows for three security options when sending an email message.

These options are

Signature only
(Steps 1 and 2)

Signature and Base-64

encoding (Steps 1, 2 and 5)

Signature, Encryption,
Enveloping, and Base-64
encoding (Steps 1 to 5)
Figure 2: PGP operations

5
Security options using PGP

Notation

6
The Working of PGP
Let us discuss the five steps in PGP now. Note that the receiver has to perform these four steps in the reverse direction to
retrieve the original plain text email message.

Step 1: Digital Signature Step 2: Compression

• This is a typical process of digital • This is an additional step in PGP. Here,

signature, which we have studied the input message as well as the
many times before. In PGP, it consists digital signature are compressed
of the creation of a message digest of together to reduce the size of the final
the email message using the SHA-1 message that will be transmitted. For
algorithm. The resulting message this, the famous ZIP program is used.
digest is then encrypted with the ZIP is based on the Lempel–Ziv
sender’s private key. The result is the algorithm. The Lempel–Ziv algorithm
sender’s digital signature. looks for repeated strings or words,
and stores them in variables. It then
replaces the actual occurrence of the
repeated word or string with a pointer
to the corresponding variable. Since a
pointer requires only a few bits of
memory as compared to the original
string, this method results in the data
7
being compressed.
The Working of PGP
Step 2: Compression

For instance, consider the following string:

What is your name? My name is Atul.

Using the Lempel–Ziv algorithm, we would

create two variables, say A and B and
replace the words is and name by pointers
to A and B, respectively. This is shown in
Figure 3.

Figure 3: Lempel-Ziv algorithm, as used by the ZIP

program
As we can see, the resulting string What 1 your 2? My 2 1 Atul. Is smaller compared to the original string What is your name?
My name is Atul. Of course, the bigger the original string, the better the compression gets. The same process works for PGP.

8
The Working of PGP
Step 3: Encryption
• In this step, the compressed output of
step 2 (i.e. the compressed form of the
original email and the digital signature
together) are encrypted with a
symmetric key. For this, generally the
IDEA algorithm in CFB mode is used.
Figure 4: Formation of digital envelope
Step 4: Digital Enveloping
• In this case, the symmetric key used for
encryption in step 3 is now encrypted
with the receiver’s public key. The
output of step 3 and step 4 together
form a digital envelope. This is shown in
Figure 4.
9
The Working of PGP
Step 5: Base-64 encoding
• The output of step 4 in Base-64 is
encoded now.

Reason for doing this encoding: E-mail Compatibility

When PGP is used, at least part of the block to be transmitted is encrypted. If only the signature service is used, then the
message digest is encrypted (with the sender’s private key). If the confidentiality service is used, the message plus signature
(if present) are encrypted (with a one-time symmetric key).

Thus, part or all of the resulting block consists of a stream of arbitrary 8-bit octets. However, many electronic mail systems
only permit the use of blocks consisting of ASCII text.

To accommodate this restriction, PGP provides the service of converting the raw 8-bit binary stream to a stream of printable
ASCII characters. 10
The Working of PGP
Step 5: Base-64 encoding

The Base-64 encoding (also called

Radix-64 encoding or ASCII armour)
process transforms arbitrary binary
input into printable character output.

In this technique, the binary input is

processed in blocks of 3 octets, or 24
bits. These 24 bits are considered to
be made up of 4 sets, each of 6 bits.

Each such set of 6 bits is mapped into

an 8-bit output character in this Figure: Base-64 encoding concept
process. This concept is shown in the
Figure. 11
The Working of PGP
Base-64 encoding

This seems to be a fairly

straightforward process.
However, one key question
is, what is the logic used for
mapping a 6-bit input block
into an output 8-bit block?

For this, a mapping table is

used, as explained in the
example below.

In our example of Base-64

encoding, let us consider a
24-bit raw stream as
0010001101011100100100
01. Figure: Base-64 encoding
example 12
 The Working of PGP
Mapping to Base-64 table
What happens here is, a standard pre-defined Table 1: Base-64 encoding mapping table
table is used, as shown in Table 1. The decimal
number generated is looked up into this table.

The character found at the position specified by

the decimal number in this table is mentioned in
the output.

For example, in our example, the first decimal

number is 8, and the 8th position in our mapping
table indicates a character I. Similarly, the second
position specifies the number 53. In our mapping
table, we see that the character 1 is found in the
53rd position, and so on. Finally, the binary
equivalent corresponding to the 8-bit ASCII of this 13
character is written.
The Working of PGP
Note on Base-64 encoding

 • The use of radix 64 expands a message by 33%. Fortunately, the session key and signature portions of the message are
relatively compact, and the plaintext message has been compressed.

• In fact, the compression should be more than enough to compensate for the radix-64 expansion. For example, literature
reports an average compression ratio of about 2.0 using ZIP. If we ignore the relatively small signature and key
components, the typical overall effect of compression and expansion of a file of length would be . Thus, there is still an
overall compression of about one-third.

• One noteworthy aspect of the radix-64 algorithm is that it blindly converts the input stream to radix-64 format regardless
of content, even if the input happens to be ASCII text. Thus, if a message is signed but not encrypted and the conversion is
applied to the entire block, the output will be unreadable to the casual observer, which provides a certain level of
confidentiality.

• As an option, PGP can be configured to convert to radix-64 format only the signature portion of signed plaintext messages.
This enables the human recipient to read the message without using PGP. PGP would still have to be used to verify the
signature.

14
PGP Algorithms
PGP supports a number of algorithms. The most common of them are listed in Figure 5.

Figure 5: PGP
algorithms

15
Key Rings

Additionally, PGP specifies a ring of

When a sender wants to send an email
message to a single recipient, there is
not too much of a problem.
Complexities are introduced when a
message has to be sent to multiple
recipients.
public-private keys. This is because Alice
may want to change her public-private
If Alice needs to correspond with 10
key pair, or may want to use a different
people, Alice needs the public keys of all
key pair for different groups of users
these 10 people. Hence, Alice is said to
(e.g. one key pair when corresponding
need a key ring of 10 public keys.
with someone in her family, another
when corresponding with friends, a
third in business correspondence, etc.).

In other words, every PGP user needs to have two sets of key rings:

A ring of her own public-private key pairs, and A ring of the public keys of other users.
16
Key Rings
Note that in one of the
key rings, Alice maintains
a set of key pairs; while Obviously, she cannot Similarly, other users in a
The concept of key rings
in the other, she just have the private keys of PGP system will have
is shown in Figure 5.
maintains the public the other users. their own two key rings.
keys (and not key pairs)
of other users.

Figure 5: Key rings maintained by a user in 17

Key Rings
There would be two possible situations:

(I) Alice needs to send a message to another user in the system

(a) Alice creates a message

digest of the original
message (using SHA-1), and
encrypts it using her own
private key (via the RSA or
DSS algorithm) from one of
the key pairs shown in the
left side of the diagram.
This produces a digital
signature.
(c) Alice uses the public key
of the intended recipient
(by looking up the key ring
shown on the right side for
(b) Alice creates a one-time
the appropriate recipient)
symmetric key.
to encrypt the one-time
symmetric key created
above. RSA algorithm is
used for this.

18
Key Rings
There would be two possible situations:
(I) Alice needs to send a message to another user in the system
(d) Alice encrypts the
original message with the
one-time symmetric key
(using IDEA or DES-3
algorithm).
(f) Alice sends the output
(e) Alice encrypts the
of steps (d) and (e) above
digital signature with the
to the receiver. What
one-time symmetric key
would the receiver need
(using IDEA or DES-3
to do? This is explained
algorithm).
next.
19
Key Rings
II. Now suppose that Alice has received a message from one of the other users in the system.

(a) Alice uses her private key

(b) Alice uses the one-time
to obtain the one-time
symmetric key to decrypt (c) Alice computes a
symmetric key created by
the message. (Refer to steps message digest of the
the sender. (Refer to steps
(b) and (d) in the earlier original message (say MD1).
(b) and (c) in the earlier
explanation).
explanation.)

20
Key Rings
II. Now suppose that Alice has received a message from one of the other users in the system.
(d) Alice now uses this one-
time symmetric key to obtain
the original digital signature.
(Refer to steps (b) and (e) in
the earlier explanation.)
(e) Alice uses the sender’s
(f) Alice compares message
public key from the key ring
digests MD1 and MD2. If they
shown in the right side of the
match, Alice is sure about the
diagram to decrypt the digital
message integrity and
signature and gets back the
authentication of the
original message digest (say
message sender.
MD2).
21
PGP Certificates

Like the digital certificates, in

X.509, there is a root CA,
who issues certificates to the
In order to trust the public
second-level CAs. The second
key of a user, we need to In PGP, things work
level CAs can issue
have that user’s digital differently. There is no CA.
certificates to the third level
certificate. PGP can use Anyone can sign a certificate
CAs, and so on. This can
certificates issued by a CA, or belonging to anyone else in
continue up to the required
can use its own certificate the ring.
number of levels. At the
system.
lowest level, the last CA
issues certificates to the end
users.

22
PGP Certificates
Atul can sign the
certificate for Ana, Jui,
Harsh, and so on. There is
no hierarchy of trust, or a
treelike structure. This
creates a situation where
a user can have
certificates issued by
different users.
Figure 6: Anyone can issue certificates to anyone else in PGP
Harsh may fully trust Atul,
For example, Jui may have but not Anita! Hence,
Hence, if Harsh wants to
a certificate signed by there can be multiple
verify Jui’s certificate, he
Atul, and another one by paths in the line of trust
has two paths: Jui <174>
Anita. This is shown in from a fully or partially
Atul, and Jui <174> Anita.
Figure 6. trusted authority to a
certificate.
23
PGP Certificates
The equivalent of CA (i.e. a user who issues certificates) in PGP is called an
introducer.

Introducer trust

The whole concept can

be understood better
Certificate trust
with the help of three
ideas:

Key legitimacy
24
Introducer Trust
We have mentioned that there is no concept of a hierarchical CA structure in PGP. Hence, it is natural that the ring of trust
in PGP cannot be very large, if every user has to trust every other user in the system.

To resolve this issue, PGP provides for multiple levels of trust. The
number of levels depends on the decision of implementing PGP
in a certain way. However, for simplicity, let us say that we have
decided to implement three levels of trust to an introducer.

In real life, we do
not fully trust
everyone we know. Let us call none
Do we? these levels as
partial

complete

25
Introducer Trust
The introducer trust then
specifies what level of trust
the introducer wants to
allocate to other users in the
system.

For example, Atul may now say

that he fully trusts Jui,
whereas Anita says she only
partially trusts Jui. Jui, in turn,
says that she does not trust
Harsh. Harsh suggests that he
partially trusts Anita in turn,
and so on. This is shown in
Figure 7.

Figure 7: Introducer trust 26

Certificate Trust

It is normally the same as

the introducer trust level
that issued the certificate.
When a user A receives a This is shown in Figure 8.
certificate of another user
B issued by a third user C,
depending on the level of
trust that A has in C, A
assigns a certificate trust
level to that certificate
while storing it.

27
Figure 8: Certificate trust
Certificate Trust
Let us take another example to ensure that there is no confusion. Imagine that there is a set of users in the system.
Assume that Mahesh fully trusts Naren, partially trusts Ravi and Amol, and has no trust in Amit.
Naren issues two
certificates: one to
Amrita (with public key
K1) and another to
Pallavi (with public key
K2). Mahesh stores the
public keys and
certificates of Amrita and
Pallavi in his ring of
public keys with
certificate trust level
equal to full.
Amol issues two
certificates: one to Uday
(with public key K3), and
another to Parag (with
Amit issues a certificate
public key K4). Mahesh
Ravi issues a certificate to Pramod (with public
stores the public keys
to Uday (with public key key K4). Mahesh stores
and certificates of Uday
K3). Mahesh stores the the public key and
and Parag in his ring of
public key and certificate certificate of Pramod in
public keys with
of Uday in his ring of his ring of public keys
certificate trust level
public keys with with certificate trust level
equal to partial. Note
certificate trust level equal to none. Mahesh
that Mahesh now has
equal to partial. can also discard this
two certificates for Uday,
certificate.
one issued by Ravi, and
the other issued by
Amol, both with partial
level of certificate trust.
28
Key Legitimacy
The objectives behind introducer trust and certificate trust is to decide whether to trust the public key of a user. In PGP
terms, this is called key legitimacy.

PGP defines the following

simple rule to decide the key For instance, suppose we
Mahesh legitimacy: The level of key have assigned certain
needs to legitimacy for a user is the weights to certificate trust
know how weighted trust level for that levels, as shown in Figure 9.
legitimate user.
are the
public keys
of Amrita,
Pallavi,
Uday,
Parag,
Pramod,
and so on. Figure 9: Assigning weights to certificate trust
29
levels
Key Legitimacy
In this situation, in order to
trust a public key (i.e.
certificate) of any other user,
Mahesh needs one fully
trusted certificate or two
partially trusted certificates.
Mahesh can also trust Uday,
Thus, Mahesh can fully trust
based on the two partially
Amrita and Pallavi based on
trusted certificates that Uday
the certificates they had
had received from Ravi and
received from Naren.
Amol.

Interestingly, the legitimacy of a public key belonging to an entity has nothing to do with the trust level of that person.

For instance:

Naren may be trusting Amit. Hence, Naren can encrypt a

However, Mahesh will continue to reject certificates issued
message with the public key derived from Amit’s
by Amit, since he does not trust Amit.
certificate, and can send the encrypted message to Amit.
30
Web of Trust In our example, on what basis would we trust Naren’s
public key if no one has created a certificate for Naren?

The earlier discussion To resolve this problem, several schemes are possible in PGP, as
outlined below.
leads to a potential
problem. What Mahesh can physically
happens if nobody obtain the public key of
Naren by meeting in This can be done
creates a certificate person and getting the telephonically as well.
for a fully or partially key on a piece of paper
trusted entity? or as a disk file.

Mahesh can, of course,

Naren can email his
obtain Naren’s public key
public key to Mahesh.
from a CA.

31
Web of Trust
Both Naren and Mahesh compute a message digest of this key. If MD5 is used, the result is
a 16-byte digest. If SHA-1 is used, the result is a 20- byte digest. In hexadecimal, the digest
becomes a 32-digit value in MD5, and a 40-digit value in SHA-1. This is displayed as 8
groups of 4-digit values in MD5, or 10 groups of 4-digit values in SHA-1, and is called
fingerprint. Before Mahesh adds the public key of Naren to his ring, he can call up Naren to
Naren can email his public tell him what fingerprint value he has obtained to cross-check with the fingerprint value
key to Mahesh. that is separately obtained by Naren. This ensures that the public key value is not changed
in the email transit. To make matters better, PGP assigns a unique English word to a 4-digit
hexadecimal number group, so that instead of speaking out the hexadecimal string of
numbers, users can speak out normal English words, as defined by PGP. For example, PGP
may have assigned a word India to a hexadecimal pattern of 4A0B, etc.

Regardless of the mechanism, eventually this process of

Whenever a user needs to revoke his/her public key (because of
obtaining keys of other users and sending our own to others
loss of private key, etc), he/she needs to send a key revocation
creates what is called a web of trust between groups of people.
certificate to the other users. This certificate is self-signed by the
This keeps the public key ring getting bigger and bigger, and
user with his/her private key.
helps secure the email communication.

32