Pretty Good Protection (PGP)

CISSPGOAL Member Posts: 27
Pretty Good Protection (PGP): uses symmetric encryption to encrypt and uses an asymmetric algorithm to encrypt the session key and send it securely to the receiver.

Is the above statement true, and could someone explain, please?

Thank You.

Comments

  • cyberguypr Senior Member Mod Posts: 6,927
    It should be Pretty Good Privacy. This SANS paper explains the use of symmetric and asymmetric crypto pretty good (pun intended).

    http://www.sans.org/reading-room/whitepapers/vpns/pgp-hybrid-solution-717
  • Cyberscum Member Posts: 795
    It's Pretty Good Privacy.

    It's a hybrid cryptosystem. Simple here:

    To encrypt a message addressed to Alice in a hybrid cryptosystem, Bob does the following:
    1. Obtains Alice's public key.
    2. Generates a fresh symmetric key for the data encapsulation scheme.
    3. Encrypts the message under the data encapsulation scheme, using the symmetric key just generated.
    4. Encrypts the symmetric key under the key encapsulation scheme, using Alice's public key.
    5. Sends both of these encryptions to Alice.
    To decrypt this hybrid ciphertext, Alice does the following:
    1. Uses her private key to decrypt the symmetric key contained in the key encapsulation segment.
    2. Uses this symmetric key to decrypt the message contained in the data encapsulation segment.
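
The encrypt and decrypt steps listed in the post above, as an added example that is not part of the original thread. It assumes the Python `cryptography` package and uses RSA-OAEP and AES-256-GCM as stand-ins for the key and data encapsulation schemes; it does not produce OpenPGP-format messages.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: RSA-OAEP wraps the session key, AES-256-GCM encrypts the data.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def new_keypair():
    """Alice's key pair; she publishes only .public_key()."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def hybrid_encrypt(alice_public_key, message: bytes) -> dict:
    """Bob's side (step 1, obtaining Alice's public key, is the argument)."""
    session_key = AESGCM.generate_key(bit_length=256)      # step 2: fresh key
    nonce = os.urandom(12)                                 # unique per message
    ciphertext = AESGCM(session_key).encrypt(nonce, message, None)  # step 3
    wrapped_key = alice_public_key.encrypt(session_key, OAEP)       # step 4
    # Step 5: both encryptions travel together.
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext}

def hybrid_decrypt(alice_private_key, envelope: dict):
    """Alice's side. Returns None if the key is wrong or the data was altered."""
    try:
        session_key = alice_private_key.decrypt(envelope["wrapped_key"], OAEP)
        return AESGCM(session_key).decrypt(
            envelope["nonce"], envelope["ciphertext"], None)
    except (ValueError, InvalidTag):
        return None

if __name__ == "__main__":
    alice = new_keypair()
    message = b"constructed sample message " * 4000   # constructed input
    env = hybrid_encrypt(alice.public_key(), message)
    # The asymmetric part stays at 256 bytes however large the message is.
    print(len(message), len(env["ciphertext"]), len(env["wrapped_key"]))
    print(hybrid_decrypt(alice, env) == message)
    print(hybrid_decrypt(new_keypair(), env))   # a different private key fails
```

The wrapped session key is the only thing the slow asymmetric operation ever touches, which is why the scheme scales to large messages.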
  • Spin Lock Member Posts: 142
    CISSPGOAL wrote: »
    Pretty Good Protection (PGP): uses Symmetric encryption to encrypt and uses Asymmetric algorithm to encrypt session key and send it securely to the receiver

    Is the above statement true and could someone explain, please.

    Thank You.


    Like many topics covered by the CISSP exam, PGP is one of those topics that is fairly deep. And if your goal was to implement PGP on a Linux server, it would take a fair amount of time and research. Fortunately, the CISSP exam doesn't expect you to be a PGP implementation expert. The exam is "an inch deep and a mile wide," as the cliche goes.

    So for the purposes of the exam, here is my "1 inch deep" explanation of PGP.

    1. As Cyberscum pointed out, PGP is a hybrid cryptosystem, which means it uses both private key (symmetric cipher) and public key (asymmetric cipher) to ensure secure end-to-end communication.

    2. One of the most critical components of a hybrid cryptosystem is ensuring the Public Key is authentic. In other words, if I'm trying to communicate securely with Bill Gates using a hybrid cryptosystem like PGP, I will have to send him the session key encrypted with his Public Key. But how do I get his public key? I guess he could email it to me - but how do I know the key is really coming from Bill Gates and not a hacker launching a man-in-the-middle attack? This is a fundamental weakness with a hybrid cryptosystem - ensuring the public key you are using actually is registered to the intended recipient and not a forgery.

    3. So how is the authenticity of a public key guaranteed? There are two ways: 1) Use Public Key Infrastructure (PKI) or 2) Use the "Web of Trust" method. PGP uses Web of Trust, not PKI, to ensure the public keys being used are authentic. However, it's worth understanding how both PKI and Web of Trust function.

    4. Public Key Infrastructure - is the most commonly used method to ensure the Public Key is authentic. Users request the public key for an individual or entity from a Certificate Authority (CA) such as Verisign. The CA sends you a digital certificate, which is the public key signed with the CA's digital signature. The digital signature proves the certificate was sent by the CA (authentication/source non-repudiation) and also ensures the public key wasn't modified (integrity).

    PKI is a very complex system. There is actually a hierarchy of CAs, and trusting the CA that provides you with the digital certificate is extremely important (if you can't trust the CA, the whole hybrid cryptosystem cannot be deemed secure). The ITU X.509 details how to ensure the CA you are dealing with can be trusted. This usually involves the root CA (root authority) signing the certificates of CAs beneath it. So if I trust the root authority and it signs the certificates issued by a different CA, I can thus trust that new CA.

    5. Web of Trust - Like PKI, its purpose is to ensure the public key you are using is authentic. However, the method it uses to ensure public key authenticity is totally different. The public key is not provided by a CA; rather, it's sent to you by the user or entity directly. Your level of trust that the key is authentic depends on how many other people have signed that public key. If no one has signed the public key, you can't trust it. But if the key has been signed by someone you already know and trust, there is some assurance the key is authentic. The more people that sign the key that you also trust, the more you are assured the key is valid. This system relies on the fact that if you are communicating with someone for the first time, you can trust his public key if you see that there are other people you know (and trust) that have signed his key.

    6. CISSP prep books I read discuss PGP as a mechanism for securely sending email, which was one of its original purposes. But PGP can also be used for full disk encryption. But it's worth noting the CISSP exam seems to focus on PGP as a technology for secure email transmission (the other one being S/MIME).

    Finally, let me say that the statements above are from my notes. As such, don't take them for fact and realize they may contain errors.
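
The Web of Trust rule described in the post above, as an added example that is not part of the original thread. It is a simplified model of key validity using GnuPG's documented defaults for `--completes-needed` (1) and `--marginals-needed` (3); the keyring and names are constructed, and certification depth, expiry and revocation are left out.

```python
# Documented GnuPG defaults for the classic trust model.
COMPLETES_NEEDED = 1   # signatures needed from fully trusted signers
MARGINALS_NEEDED = 3   # signatures needed from marginally trusted signers

# Constructed sample keyring: key -> set of keys that have signed it.
SIGNATURES = {
    "alice": {"me"}, "dave": {"me"}, "erin": {"me"}, "frank": {"me"},
    "bob": {"alice"},                    # signed by one fully trusted signer
    "carol": {"dave", "erin"},           # signed by two marginal signers
    "mallory": {"sock1", "sock2", "sock3", "sock4"},  # signers unknown to us
}

# Owner trust: how far *you* trust each holder to verify identities
# before signing. This is separate from whether their own key is valid.
OWNERTRUST = {"me": "ultimate", "alice": "full",
              "dave": "marginal", "erin": "marginal", "frank": "marginal"}

def valid_keys(signatures, ownertrust):
    """Return the set of keys considered authentic under the thresholds."""
    valid = {k for k, t in ownertrust.items() if t == "ultimate"}
    changed = True
    while changed:                       # repeat until no new key validates
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature counts only if the signer's own key is valid.
            usable = [ownertrust.get(s) for s in signers if s in valid]
            full = sum(t in ("ultimate", "full") for t in usable)
            marginal = usable.count("marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid

if __name__ == "__main__":
    print(sorted(valid_keys(SIGNATURES, OWNERTRUST)))
    # A third marginal signature tips carol's key over the threshold.
    more = dict(SIGNATURES, carol={"dave", "erin", "frank"})
    print("carol" in valid_keys(more, OWNERTRUST))
```

The `mallory` key shows that the raw number of signatures carries no weight: only signatures from keys you have already validated and whose owners you trust are counted.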
  • JDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ Linux+ PenTest+ Security+ Surf City, USA Admin Posts: 12,715
    Here are some key points:
    1. Symmetric encryption uses a single key for both encryption and decryption (called secret key encryption).
    2. Asymmetric encryption uses one key for encryption and a different key for decryption (called public key encryption).
    3. Symmetric encryption is very fast and used to encrypt large amounts of data (such as messages).
    4. Asymmetric encryption is very slow and is only used to encrypt small amounts of data (such as message digest hashes and secret keys).
    5. A symmetrically-encrypted message can be decrypted by anyone who has a copy of the secret key used to encrypt the message.
    6. An asymmetrically-encrypted message can be decrypted only by the key paired with the key used to encrypt the message.

    Given the differing qualities between symmetric and asymmetric encryption, symmetric encryption is mostly used for ensuring the confidentiality of data, while asymmetric encryption is used for ensuring the integrity and authenticity (non-repudiation) of data.