PGP $($Pretty Good Privacy$),$ is a popular program that is used to provide confidentiality and authentication services for electronic mail and file storage. It was designed by Phil Zimmermann way back in $1991.$ He designed it in such a way, that the best cryptographic algorithms such as RSA, Diffie$-$Hellman key exchange, DSS are used for the public$-$key encryption $($or$)$ asymmetric encryption; CAST$-128,3$DES, IDEA are used for symmetric encryption and SHA$-1$ is used for hashing purposes. PGP software is an open source one and is not dependent on either of the OS $($Operating System$)$ or the processor. The application is based on a few commands which are very easy to use.

Confidentiality:

Sometimes we see some packages labelled as $$Confidential$,$ which means that those packages are not meant for all the people and only selected persons can see them. The same applies to the email confidentiality as well. Here, in the email service, only the sender and the receiver should be able to read the message, that means the contents have to be kept secret from every other person, except for those two.

PGP provides that Confidentiality service in the following manner:

$--$

$[,$ks$]$

$,$

$$

$.$

J

$)$

Dr$-$

M

$$

$(1)$

DC

Z$-1)-5$

The message is first compressed and a $128$ bit session key $($Ks$),$ generated by the PGP$,$ is used to encrypt the message through symmetric encryption. Then, the session key $($Ks$)$ itself gets encrypted through public key encryption $($EP$)$ using receiver$$s public key$($KUb$).$ Both the encrypted entities are now concatenated and sent to the receiver.

As you can see, the original message was compressed and then encrypted initially and hence even if any one could get hold of the traffic, he cannot read the contents as they are not in readable form and they can only read them if they had the session key $($Ks$).$ Even though session key is transmitted to the receiver and hence, is in the traffic, it is in encrypted form and only the receiver$$s private key $($KPb$)$can be used to decrypt that and thus our message would be completely safe.

At the receiver$$s end, the encrypted session key is decrypted using receiver$$s private key $($KPb$)$ and the message is decrypted with the obtained session key. Then, the message is decompressed to obtain the original message $($M$).$

RSA algorithm is used for the public$-$key encryption and for the symmetric jey encryption, CAST$-128($or IDEA or $3$DES$)$ is used.

Practically, both the Authentication and Confidentiality services are provided in parallel as follows :

$[,]$

$$

$$

$$

M

DP

EP

z

$($EC

$$

$,(2)$

$)$

Compare kla

$.$

Integrity :

The sender uses PGP to create a digital signature for the message with either the RSA or DSA algorithms. To do so$,$ PGP computes a hash $($also called a message digest$)$ from the plaintext and then creates the digital signature from that hash using the sender$\text{'}$s private key.

Authentication:

Authentication basically means something that is used to validate something as true or real. To login into some sites sometimes we give our account name and password, that is an authentication verification procedure.

In the email world, checking the authenticity of an email is nothing but to check whether it actually came from the person it says. In emails, authentication has to be checked as there are some people who spoof the emails or some spams and sometimes it can cause a lot of inconvenience. The Authentication service in PGP is provided as follows:

Ek H$(-)$

PUA

KPa

z

z$-1$

$($DP

TH

IS

M

M

$$

compare

H

As shown in the above figure, the Hash Function $($H$)$ calculates the Hash Value of the message. For the hashing purpose, SHA$-1$ is used and it produces a $160$ bit output hash value. Then, using the sender$$s private key $($KPa$),$ it is encrypted and it$$s called as Digital Signature. The Message is then appended to the signature. All the process happened till now, is sometimes described as signing the message $.$ Then the message is compressed to reduce the transmission overhead and is sent over to the receiver.

At the receiver$$s end, the data is decompressed and the message, signature are obtained. The signature is then decrypted using the sender$$s public key$($PUa$)$ and the hash value is obtained. The message is again passed to hash function and it$$s hash value is calculated and obtained.

Both the values, one from signature and another from the recent output of hash function are compared and if both are same, it means that the email is actually sent from a known one and is legit, else it means that it$$s not a legit one.