adam's notes

Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication.

  • created by Phil Zimmerman
  • uses a web of trust concept with key servers that act as a decentralized mesh of repositories and clearinghouses
  • allows for encryption of data in motion and data at rest

PGP Family

The PGP, OpenPGP, and GnuPG cryptographic systems are more than just an algorithm or protocol.

  • have origins in social and legal debate over whether private citizens should have both legal and ethical rights to use encryption
    • government security services fought against this concept
  • these three can be called the PGP family
  • implement an alternative hierarchy of trust that Public Key Infrastructure (PKI) has provided
    • PKI and certificate authentication system is a monoculture
      • single ecosystem
      • can be corrupted or subverted
  • implements nonhierarchical ways of:
    • asserting trust
    • managing public key exchanges
    • and providing for user storage and protection of private keys
  • when used correctly, it provides comparable levels of security to that provided by traditional PKI
  • PGP is exceptionally difficult to break

Weakness

  • Opponents of PGP state these systems are technically challenging to use
    • do not scale well into consumer-friendly products and services
    • Certificate generation and management, certificate revocation, user protection and use of private keys
    • Bruce Schneier called this “Giving Up on PGP” in 2016
  • Are also growing number of defenders
    • claim opposers focus too much on commercialization
    • emphasize its utility for individual personal use

OpenPGP

OpenPGP is an Internet set of standards for PGP described in RFC 4880 by the IETF.

  • there is ongoing work to develop a PGP-compliant open source library of JavaScript routines for use in web apps that wan to use PGP in supported browsers

GNU Privacy Guard (GPG)

GNU Privacy Guard (GPG) is a free and open source implementation of the OpenPGP standard.

  • part of the GNU project
    • aims to provide users with what the project calls the four essential freedoms that software users should have and enjoy
  • provides:
    • key management and access modules
    • support for S/MIME and SSH
    • tools for easy integration into variety of applications
  • packages:
    • Windows: Gpg4win
    • preinstalled on Linux
    • Mac: GPGSuite using MacGPG

Web of Trust

Web of trust is a network of trust relationships built and maintained by the users or members of that network.

  • exists without a central, root certificate authority or one single anchor for trust chains
  • similar to natural human relationships
    • look to someone we already trust as a source of transitive trust when introducing us to someone else
  • still depends upon some kind of authentication of trustworthiness
    • PGP uses certificate-signing parties
      • social occasions to bring people together who are willing to attest to the validity of the certificate in question
  • one measure of the success or uptake of the web of trust concepts is the size of the set of users who have trust relationships with each other
    • called the strong set
    • is 55,000 for PGP in 2015

Graph View

Backlinks