User:Fernanwool23

From Wikibooks, open books for an open world

The Power of Pretty Good Privacy: Safeguarding Your Information in the Digital Age

A proposed logo for PGP

I. Introduction

Since I started exploring the Web, I have been wary of all the information the Internet holds. I used to think I had the power to know everything about something with a single click. But then I realized that if I could see what others were commenting, what others were posting and what others were saying about something, how could I trust the Internet? How could I be sure that nobody knows the content of my conversations with my friends or what I do online? That is why I started searching for ways to protect my messages. That search led me to programs like Tor, which lets users browse the Internet while hiding their browsing history, information, and location. But what about communication apps? For example, Facebook saves your messages in order to collect your information. Also, when you send an email, it could be read by people you did not send it to, or attackers can use Trojan horse malware to get access to your messages. That is how I found Pretty Good Privacy (PGP).

Pretty Good Privacy is a cryptographic computer program that gives users more privacy by means of encryption[1]. Encryption is the process of protecting information by using mathematical algorithms to scramble it so that only authorized parties can recover (decrypt) it[2]. PGP's creator, Phil Zimmermann, initially wrote it to make email encryption available to ordinary users. To make PGP more accessible, Zimmermann recruited volunteers to port the program to other platforms. What Zimmermann had not anticipated was that PGP was strong enough to frustrate the work of the National Security Agency (NSA): a court order is of little use when the ciphertext cannot be read without the recipient's private key. In 1993, a federal investigation was opened against Zimmermann over whether distributing PGP outside the United States violated export rules that at the time treated strong cryptography as a munition. After three years the U.S. government closed the investigation without filing criminal charges, and Zimmermann then founded a company called PGP Inc.[1]. Today Pretty Good Privacy is one of the best known and strongest encryption programs, used by millions of people to keep their email private. In this paper I will explore how Pretty Good Privacy prevents data breaches, and what its limitations and challenges are.

II. How does PGP work?

Pretty Good Privacy is used to encrypt and decrypt files and to manage the collection of PGP keys a user holds. To understand how it works, we first need to understand that every program relies on algorithms to solve a particular problem or task. According to Sieuwert van Otterloo, researcher at Utrecht University of Applied Sciences, PGP uses four kinds of algorithms, and which ones are used depends on what the user needs. The first kind is block ciphers. A block cipher encrypts data with a single secret key, and that same key is the only thing that will decrypt it (symmetric encryption); in PGP the key is either derived from a passphrase or generated at random for a single message. The second kind is public key algorithms. These create a pair of keys: a public key that can be shared with anyone and a private key that only its owner holds. Public key algorithms are much slower than block ciphers, so PGP uses them only for small pieces of data, such as the key that encrypted a message. The third kind is hash algorithms. A hash algorithm takes input of any length and produces a short, fixed-length digest; PGP uses digests to fingerprint keys and as the value that is actually signed. These algorithms are fast, and it must be practically impossible to find two inputs with the same digest (a collision). The last kind is secret sharing algorithms. These divide a secret, for example a private key, into a number of shares, and the user decides how many of those shares (the threshold) must be brought together to reconstruct it. The threshold may be equal to or smaller than the total number of shares, and anyone holding fewer shares than the threshold learns nothing about the secret[3]. Each algorithm has its specific task, so depending on what the user needs they may or may not use a particular one, but together the four kinds make the system work.

Algorithms are only the base of the system; they let the programmer say what the program will do and how. PGP is written to encrypt messages, but you cannot simply download the program and start encrypting. Michael W. Lucas, one of the best known writers on security, explains that to use this program each person must first create a key pair: one private key and one public key. To send a message, the sender encrypts it with the receiver's public key and signs it with the sender's own private key; the receiver then decrypts it with their own private key and checks the signature with the sender's public key. Public keys are published, for example on key servers, so they are easy to find, but each user keeps their private key to themselves. As a result, once the message has been sent, only the receiver can open it[4]. In summary, the program works because, first, reading a message requires the receiver's private key, and nobody can open the message without it; and second, the signature lets the receiver confirm who sent the message. Having two keys gives more security: anyone may find the public key, but without the receiver's private key the message cannot be opened.
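The send-and-receive flow just described, and the way the block cipher, public key and hash algorithms from the previous section fit together in it, as an added example in Go using only the standard library. This is illustration code written for this page, not the code of PGP or GnuPG, and it does not produce OpenPGP-formatted messages: the choice of AES-256-GCM for the message body, RSA-OAEP for wrapping the session key, RSA-PSS over a SHA-256 digest for the signature, and the sample message are all assumptions made here. The structure is the hybrid one the text describes: the bulk data goes through the fast symmetric cipher under a one-time session key, the slow public key algorithm touches only that 32-byte key and the digest, and the sender's signature is sealed inside the ciphertext.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over email: the session key wrapped for the receiver
// plus the nonce and ciphertext; the sender's signature sits inside the ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // block cipher layer: AES-256 in GCM mode
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs plaintext with the sender's private key and encrypts it for the
// receiver's public key.
func Seal(plaintext []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	// 1. Hash + public key algorithm: sign the SHA-256 digest of the message.
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// 2. Block cipher: a fresh random session key encrypts the bulk data.
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	aead, err := newAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	body := append(append(make([]byte, 0, len(sig)+len(plaintext)), sig...), plaintext...)
	ciphertext := aead.Seal(nil, nonce, body, nil)
	// 3. Public key algorithm on only 32 bytes: wrap the session key for the receiver (RSA-OAEP).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open unwraps with the receiver's private key, decrypts and authenticates the
// symmetric layer, then verifies the signature with the sender's public key.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the intended receiver")
	}
	aead, err := newAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	body, err := aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was modified in transit")
	}
	sigLen := senderPub.Size() // a PSS signature is exactly the modulus length
	if len(body) < sigLen {
		return nil, errors.New("body too short to hold a signature")
	}
	sig, plaintext := body[:sigLen], body[sigLen:]
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not match the claimed sender")
	}
	return plaintext, nil
}

func main() {
	alice, _ := NewKeyPair() // sender
	bob, _ := NewKeyPair()   // receiver
	env, _ := Seal([]byte("constructed sample: the meeting is at noon"), alice, &bob.PublicKey)
	msg, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("bob reads %q (err=%v)\n", msg, err)
	env.Ciphertext[0] ^= 0x01 // an attacker flips one bit in transit
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Three failure cases matter for the flow in the text: a third party holding the wrong private key cannot unwrap the session key, a message claimed to be from someone else fails signature verification, and a single modified ciphertext bit is rejected by the authenticated cipher before any plaintext is released.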

Now that we understand how it works, we can see in which situations each algorithm is needed and what the process of encrypting and decrypting a message is. This knowledge will help us see the advantages and limitations PGP has.

III. Advantages of Pretty Good Privacy

Since it was created, PGP has earned a good reputation, and many people regard it as the standard form of encryption in several areas because of the benefits it offers. For example, it ensures that users do not lose their data, keeps others from intercepting their information while it is being sent, and stops unauthorized users or attackers from getting their hands on sensitive data. Users can securely share information with several people and know that the sender of an email is legitimate. It also ensures that if you delete something sensitive, it cannot be recovered. Users' email conversations stay private and safe from attackers. Moreover, it is not hard to learn, so no special training is needed to become proficient with PGP encryption[5]. Because of all these benefits, PGP has been used in many industries, such as finance, technology, and education, and it has been built into many projects to improve their security.

The use of PGP and its applications have been studied since it was first released, because of the benefits it has, and it has been built into many projects to improve their security. Khaleel Ahmad and Shoaib Alam, of Maulana Azad National Urdu University, explain the importance of the security that PGP provides and propose a PGP e-commerce model based on elliptic curve cryptography. They discuss the importance of security in transactions, the different levels of security, and how to build a good security system. They then describe some programs used in e-commerce transactions and how to combine them with cryptographic programs to design an e-commerce structure with effective security steps. Finally, they propose a model that makes secure transactions possible by using PGP to encrypt all the transactions[6]. Ahmad and Alam emphasize the importance of security in online purchases and introduce a model that uses special encryption techniques to create a secure space for transactions. The most important contribution of their paper is that it shows how to implement PGP in the transaction process and how helpful it can be.

In addition, Didit Suprihanto and Tri Kuntoro Priyambodo of Gadjah Mada University describe how to implement PGP in government applications. In "The Implementation of Pretty Good Privacy in eGovernment Applications," they propose applying PGP to the Official Scripts Electronic Application (OSE) in Indonesia. The OSE automates the management of official documents and letters. They propose using PGP for message security within the application, so that the implementation provides safety, effectiveness and efficiency, and they identify two kinds of requirements: infrastructure requirements and structural requirements[7]. This paper shows how to apply PGP in a government application system; in the proposed system, the objective of PGP is to give OSE, the official script system used in Bantul, greater safety.

IV. Disadvantages and Cases of Vulnerabilities in Pretty Good Privacy

Even though millions of people use PGP, we need to understand that it has some disadvantages that hurt the user experience and, in extreme cases, can create vulnerabilities. According to Poornima Naik, a staff software engineer, administering PGP is challenging because of the number of different versions available, which complicates its management. Additionally, compatibility issues arise because the sender and the receiver must have compatible versions of PGP to read and decrypt the data correctly. The inherent complexity of PGP is another hurdle: it uses a hybrid approach that combines symmetric and asymmetric encryption, which is less familiar and more intricate than traditional methods. Another aspect to consider is the lack of recovery options. While other encryption schemes offer special programs to retrieve forgotten passwords, PGP provides no such thing, so if the passphrase protecting a private key is forgotten, the messages or files encrypted to that key are lost for good[8]. In summary, administering PGP is difficult because of the variety of versions, compatibility issues, complexity, and the absence of password recovery.

Although Pretty Good Privacy has shown how efficient and trustworthy it can be, that does not mean it is immune to attacks that take advantage of its vulnerabilities. For example, Thomas Brewster, a Forbes staff writer, published an article in 2018 called "Major #eFail Vulnerability Exposes PGP Encrypted Email," in which he explains the vulnerability that PGP users suffered that year. It allowed an attacker to modify an encrypted email and inject content of their own, so that the user's decrypted emails could be exposed. The article also notes that the researchers explained on a website how attackers could use the flaw to pull information out of the receiver's mailbox: the attacker altered an encrypted email so that, when it was opened, it loaded external content that carried the decrypted text away[9]. This article shows that PGP can have vulnerabilities that attackers will use. Even if PGP once frustrated the work of the National Security Agency, it is not completely secure.

V. Measures to Address PGP Vulnerabilities

a. Standardized PGP: PGP was released more than 30 years ago, so one of its problems is its age and the many versions it has gone through. As Naik says, the sender and the receiver must have compatible versions to read the data[8]. The problem is the sheer number of versions. Someone who started using PGP in 2018 could have a different version from someone who starts in 2023, so it is important to produce a single version that can read data from all the others. This hypothetical version would have to receive upgrades that fix PGP vulnerabilities while still reading data from older versions. It would also have to send email that the receiver's version can read: depending on the receiver's version, the sender could choose which PGP version to encrypt with, so that the receiver can open the message.

b. Two-step verification: Unfortunately, PGP offers no way to recover a lost password, so information can be lost. One solution could be a two-step verification system that lets users recover their password. Just as other software asks users for an email address to recover a password, PGP could ask the user a personal question and then a specific code. To make this possible, the first time you create an account you receive a code for recovering your password if you lose it. This code is visible only once and is then stored encrypted. You then write ten questions of your own and answer them. When you lose your password, you enter your code and answer one of the questions. Someone who wants to access your account might have your code but would not know the answers to your questions. Any recovery path is also a path an attacker can try, however, so the recovery code would need to be protected as carefully as the private key itself.

c. PGP community: The PGP community must stay informed about the latest PGP vulnerabilities, patches, and best practices. It is therefore important to involve users in discussions, report vulnerabilities responsibly, and share knowledge so as to collectively improve the security of the PGP ecosystem.

VI. Conclusion

Pretty Good Privacy (PGP) is an encryption program that provides privacy and security for digital communications. It offers advantages such as protecting data and information from unauthorized access, making deleted content impossible to recover, and ease of use. Because of all the benefits PGP gives its users, it has been implemented in many areas, such as e-commerce and government systems.

However, PGP also has limitations and vulnerabilities. Challenges arise from the management of different versions, compatibility issues, and the complex nature of the hybrid encryption approach. The lack of password recovery can lead to irreversible loss of data if a password is forgotten. Additionally, PGP has faced vulnerabilities in the past, as demonstrated by the eFail vulnerability in 2018, which exposed encrypted emails to attack.

To address these vulnerabilities, several measures can be taken. First, there should be an effort to consolidate and standardize PGP versions to ensure compatibility and seamless decryption across versions, with upgrades and patches released regularly to fix vulnerabilities and improve overall security. Second, there should be a two-step verification system that provides a way to recover a lost password while ensuring that only the account's creator can do so. Finally, collaboration within the PGP community is essential so that users learn about possible vulnerabilities and new patches, and users in turn can help fix new vulnerabilities by reporting what they find.

TRIVIA

Follow the link below to play a trivia game and test your knowledge.

https://www.triviamaker.com/game-preview/game/TR20230615168687257936634-Trivia

Further Reading

Simson Garfinkel, "PGP: Pretty Good Privacy", O'Reilly & Associates, 1995. This book explains the basic concepts needed to understand PGP and explains step by step how to use it in depth.

References


  1. Marion, Nancy (2020). Cybercrime: An Encyclopedia of Digital Crime (1st ed.).
  2. Fundukian, Laurie (2012). Gale Encyclopedia of E-Commerce (2nd ed.). Gale, part of Cengage Group. p. 256.
  3. Van Otterloo, Sieuwert (2001). A security analysis of Pretty Good Privacy. BlueRing.nl. pp. 17–55.
  4. Lucas, Michael W. (2006). PGP & GPG: Email for the Practical Paranoid (1st ed.). No Starch Press.
  5. "What is PGP Encryption? How it Works and Why It's Still Reliable." UpGuard, www.upguard.com. Retrieved 2023-06-14.
  6. Ahmad, Khaleel; Alam, Md Shoaib (2016). "E-commerce Security through Elliptic Curve Cryptography". Procedia Computer Science. 78: 867–873. doi:10.1016/j.procs.2016.05.549.
  7. Suprihanto, Didit; Priyambodo, Tri Kuntoro (2017). "The Implementation of Pretty Good Privacy in eGovernment Applications". International Journal of Information Engineering and Electronic Business (IJIEEB). 9 (4): 1. doi:10.5815/ijieeb.2017.04.01.
  8. Naik, Poornima G. (2022-06-21). Security Lessons for Web App Developers – Vol I: Covers Modern Cryptography, Authentication using JSON Web Token and Web Security. Shashwat Publication. ISBN 978-93-95125-07-9.
  9. Brewster, Thomas (2018). "Major #eFail Vulnerability Exposes PGP Encrypted Email -- UPDATED". Forbes. Retrieved 2023-06-14.