Page 1 of 1

Pretty Good Privacy

Posted: Wed Jul 22, 2009 10:26 am
by McDanielCA
Pretty Good Privacy was originally posted on the main page of LDSTech. It was written by Jonathan Eicher.

---------------------------------------------

To scriptorians, PGP means “Pearl of Great Price” but to cryptographers, it means “Pretty Good Privacy” and refers to the safe-keeping of personal information. PGP is a type of encryption the Church uses to communicate securely with other organizations, such as banks and businesses. Each day we depend on encryption to act as a computerized safe-and-key system for managing access to our data.

Phil Zimmermann, the creator of PGP, developed and released the first PGP software in 1991. He published his source code and freely gave it away for anyone to use. The software is simple to use and is designed to encrypt files and e-mail transferred over the Internet. PGP is now the most popular e-mail encryption software in the world.

How does PGP work?

PGP requires entities or individuals to create their own individual pair of encryption keys. The key pair contains a private key that is never shared with anyone and a public key that is shared with everyone. Anyone can use a public key and encrypt a file or message with it. However, only the entity or person with the corresponding private key will be able to decrypt it. This is known as a one-way function. The technical implementation of a one-way function is brilliant but simple.

An Example of PGP

Consider this example of PGP in action. In this example, Alice is the recipient of an encrypted e-mail message, Bob is the sender, and Eve is the eavesdropper.

Alice first needs an encryption key pair. She must choose two prime numbers to create her encryption keys. A prime number can be divided only by itself and the number one, without having any remainders. So Alice picks 9013 and 12373 as her prime numbers. She now creates her public key by multiplying these values together to make 111,517,849. Now Alice shares this key or value with everyone but does not reveal the two numbers she previously chose.

Bob sends Alice a secure message using her public key together with his message after processing them with a one-way function. Now Alice is the only one who can decrypt Bob's message since only she has her private key—only she knows the two values which she used to create her public key.

If Eve intercepted the message to Alice and wanted to read it, Eve would have to factor 111,517,849 to find the two values that were multiplied together. If she worked quickly and could factor four primes a minute, it would take her almost five hours to discover the values of Alice's private key and read the message Bob sent.

Modern Examples of PGP

A realistic example of a modern AES 256-bit public key would use primes that are 10 to the power of 77, or 10 followed by 77 zeros. The U.S. government has calculated that factoring a smaller AES 128-bit public key would take a supercomputer (which can compute 2 to the power of 55 factoring attempts per second) approximately 149 trillion years. When one-way functions are used with large primes, they become dauntingly secure.

Adopting PGP

You don’t need to be in a large organization like the Church or a bank to be able to use PGP. You can download and install PGP on your own computer.

There are two main producers of PGP software: a commercial business (www.pgp.com) and a nonprofit organization (www.gnupg.org). Both software packages are compatible with each other and abide by the rules of the OpenPGP Alliance. This means the software follows the Internet Engineering Task Force (IETF) Proposed Standard RFC 4880.

Today is a great time to take a few minutes and secure your e-mail messages and files from being intercepted and read by those who should not have access to them. As Cosmo says in the movie Sneakers, “The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeros, little bits of data.” PGP will give you a level of encryption that is impenetrable to code breakers.

Jonathan Eicher is a Linux engineer for the Church.

Posted: Wed Jul 22, 2009 1:24 pm
by RossEvans
In my day job, I regularly use the commercial version of PGP to encrypt and compress large confidential files for transmission to the Census Bureau. It is relatively painless, but does add a layer of complexity. Also, our counterparts at Census provide the commercial software.

It is the hassle factor -- the fact that everyone using PGP needs to install and use something -- that prevents its more widespread acceptance.

Institutions can enforce such a layer of complexity, but it seems beyond what most private individuals will tolerate. Even in closed institutional evironments, it is easier and more transparent to protect the transmission itself by such means as VPN tunnelling when the network architecture makes that feasible.

Of course, the appeal of PGP is that by encrypting the file or message itself, we then can exchange data securely over insecure networks. But even online banking now occurs routinely with just the encryption built into https.

Is there a potential use for PGP in any church projects, especially those that involve rank-and-file users?

AES is not PGP

Posted: Mon Jul 27, 2009 10:01 pm
by rand42-p40
Although I genuinely appreciate an article encouraging the use of Public Key Encryption technologies such as PGP, I cannot help but to point out that AES is not a "Modern Example of PGP". AES is a 128 bit *block cipher* with a *symmetric* key of size 128, 192, or 256 bits. RSA, DSA, and ElGamal, on the other hand, are all *asymmetric* algorithms which form the foundation of modern PKI systems, including PGP and GPG. The size of modern public/private keys used with RSA typically range from 1024 to 4096 (e.g. I use 2048 bit RSA keys for authenticating to my SSH server).

-david

Worth noting

Posted: Mon Aug 17, 2009 8:15 pm
by eeyore-p40
Although PGP is a very effective way of securing your data, please remember that it is intended to keep your data secure while in a powered down state, not necessarily while the computer is running. Most software encryption tools maintain the key in memory, so if your system isn't secure, the key can often times be found via a memory scan.

Additionally, some software tools make use of the TPM on modern computers to store the key and provide the interface to encryption/decryption routines. These devices, like any others in computer systems, can be accessed from the Operating System. This being the case, they can be hacked to provide key information as well.

All things considered, such software is still very valuable. But like any other security software, such as firewalls, it's not meant to provide absolute protection, but rather to serve as a determent to as many attackers as possible. So I'd be cautious about using a term such as "impenetrable to code breakers". AES is good, but even it's method are no longer as safe as once thought.