What's PGP/OpenPGP/GPG?

What is PGP and what can we do with it?
(Sorry for being a noob, I'm new in this world.)

3 Likes

PGP (meaning Pretty Good Privacy) is a way to encrypt messages online, such as emails, texts, and files (not just these, but they are good examples), used to share private information. Also, it's the closest to military-grade encryption known.
You'll generate two types of keys: public and private. The public key is the one you'll give to someone so they can send an email to you (as an example), and the private key is the one you'll keep with you, which makes it possible to decrypt the email.

e.g.:
Public Key (whoever is sending the email to you) > Private Key (which you'll not share with anyone)
Plain Text > Encrypted Text > Plain Text (decrypted with the private key by you)

Summing up: Public Key > encrypt (that's the key which you'll share with people),
Private Key > decrypt (this key you'll keep to yourself; NEVER share it with anyone if you want to keep your privacy)

It can be confusing now, but if you encrypt a text (as an example) with your private key and put it on the internet, people will be able to decrypt the text with your public key. So it's like two keys: one is used to encrypt and the other to decrypt. That's why you need to keep the private key (one key) to yourself and NEVER share it with anyone.

4 Likes

You basically describe asymmetric encryption/decryption (also called public-key cryptography). This isn’t a unique property of PGP but is also used by other crypto software/protocols like some TLS protocols, Bitcoin, ZRTP (VoIP), or S/MIME.

PGP itself is more of a cryptographic toolbox. Actually, there is:

  • PGP (as mentioned by roe): This is proprietary software, originally developed by Phil Zimmermann (American cryptographer). Today, Symantec owns PGP.
  • OpenPGP: An open standard, introduced several years after PGP was made. (See https://tools.ietf.org/html/rfc4880 and other RFCs). OpenPGP specifies the use of different algorithms like SHA-1, AES-128, or RSA for e-mail security.
  • GPG (GNU Privacy Guard): Open source implementation of OpenPGP, available for most platforms and with support for elliptic curve cryptography (which will likely be the default in future).
  • Then, there are other implementations/libraries that are all more or less compliant with OpenPGP like NeoPG, Sequoia PGP, or OpenPGP.js.

Important to know is that OpenPGP (and compliant implementations) doesn’t support Perfect Forward Secrecy. There is only an expired draft (https://tools.ietf.org/html/draft-brown-pgp-pfs-03). This means if an attacker is able to get your private decryption key in future, he/she will be able to decrypt all communication ever encrypted using the corresponding public key. Modern crypto like the Signal Protocol uses advanced features to avoid this.

I think the term military-grade encryption originates from days when there was strong military-grade encryption only available for authorities, and consumer-grade encryption that was weakened on purpose.

Nowadays, encryption schemes like AES/RSA are public, so there is no difference between public encryption schemes used by the military or by consumers. However, the term “military-grade encryption” is still used in marketing lingo of companies, esp. by VPN providers. However, their “military-grade encryption” is nothing special these days.

7 Likes
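
The two points made in the posts above (anyone with the public key can encrypt, only the private key decrypts, and OpenPGP has no forward secrecy), shown with GnuPG 2.x. This is an added example, not part of the original posts; the identity, message text and file names are constructed, and the keys are unprotected throwaway keys kept in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example. The identity, message and file names are constructed, and
# the keys are unprotected throwaway keys in keyrings under a temp directory.
set -eu

# Run gpg non-interactively against the keyring directory given as $1.
g() {
  local home=$1; shift
  gpg --homedir "$home" --batch --quiet --no-tty --pinentry-mode loopback \
      --passphrase '' --trust-model always "$@" 2>/dev/null
}

pgp_roundtrip() {
  local work bob alice later id='bob@example.invalid'
  work=$(mktemp -d)
  bob=$work/bob; alice=$work/alice; later=$work/later
  mkdir -m 700 "$bob" "$alice" "$later"

  # Bob creates a key pair and hands out only the public half.
  g "$bob" --quick-generate-key "Bob Example <$id>" default default never >/dev/null
  g "$bob" --armor --export "$id" > "$work/bob.pub"

  # Alice holds nothing but Bob's public key and encrypts a mail to it.
  g "$alice" --import "$work/bob.pub" >/dev/null
  printf 'old mail\n' | g "$alice" --armor --encrypt -r "$id" > "$work/old.asc"

  # The public key alone cannot reverse the encryption.
  if g "$alice" --decrypt "$work/old.asc" >/dev/null; then
    echo 'sender: decrypted'
  else
    echo 'sender: no secret key'
  fi

  # Bob's private key recovers the plaintext.
  echo "bob: $(g "$bob" --decrypt "$work/old.asc")"

  # No forward secrecy: a copy of the same private key, made at any later
  # time and loaded into a different keyring, still opens the old ciphertext.
  g "$bob" --armor --export-secret-keys "$id" > "$work/bob.sec"
  g "$later" --import "$work/bob.sec" >/dev/null
  echo "copied key: $(g "$later" --decrypt "$work/old.asc")"

  for h in "$bob" "$alice" "$later"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$work"
}

pgp_roundtrip
```

The third output line is the reason the storage of the private key matters for every message already sent, not only for future ones.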

@infosechandbook
Interesting. So which is more recommended and secure?

1 Like

  • Recommended: Just use OpenPGP-compliant implementations like GPG or OpenPGP.js (this is used by Mailvelope).
  • Secure: If you don’t need Perfect Forward Secrecy, you can use OpenPGP-compliant software. If you need PFS, then use instant messengers with support for modern crypto protocols like the Signal Protocol. We wrote a long article about it here: https://infosec-handbook.eu/blog/gpg-for-emails/

4 Likes

@infosechandbook
What's Perfect Forward Secrecy?

1 Like

See above:

And from Wikipedia:

Forward secrecy protects past sessions against future compromises of secret keys.

2 Likes

So in practice, if I’m Joe Blow (which I am), and I want to email people using “PGP”, can I use any of PGP, OpenPGP or GPG, without first asking my correspondents which flavor of PGP they use?

Or is even the question nonsensical?

2 Likes

As long as all involved parties are using OpenPGP-compliant features, it should not matter which implementation you use. However, if someone uses any special features (e.g., some tools also encrypt the message’s subject header), you could run into problems.

5 Likes

Excellent explanation! I was going to jump in on this, but it looks like you have it covered. One thing I’ll say is that the term “military grade encryption” is pretty meaningless, unless you’re referring to elliptic curve cryptography. The former is more of a marketing term by VPN services and such.

2 Likes

You can use any of them - it doesn’t matter which program they use for the encryption/decryption. For instance, I use the program Seahorse for PGP on my device, but if you’re using GPG (GNU Privacy Guard), you can still decrypt the messages I send you.

3 Likes