PGP Encryption & Automation: Top 10 FAQs
PGP™ is a standard for encrypting data. It stands for “pretty good privacy” and was invented in 1991–more than three decades ago! That’s forever in technology years; but does that mean PGP is past its expiration date? Let’s explore ten common questions regarding PGP:
• What is PGP™ and how does it work?
PGP is a widely adopted standard for providing encryption and verification of data such that the data can only be viewed by the intended recipient, and that the sender of that data can be verified. It was standardized as “OpenPGP” with RCF 4880 in 2007, allowing any company or individual to freely use the technology. The terms “OpenPGP” and “PGP” can be used interchangeably when referring to the encryption standard.
OpenPGP works through the clever application of two different cryptographic techniques: public key and symmetric key cryptography. Public Key cryptography is used to strongly identify a party (person or machine) using PGP. Public key cryptography comprises two aspects of a single key: the private portion, which decrypts files encrypted for that party and/or digitally signs a file on behalf of that party, and a public portion which is distributed to anyone who wishes to encrypt data for that party, or who wishes to verify the identity of that party.
The cryptography for public keys is very slow, so it is used to sign and protect the secure payload which is encrypted with the symmetric key. The symmetric key is what is able to decrypt the contents of the PGP payload. Because the symmetric key is encrypted by the public key of a given party, only the intended recipient can unlock the symmetric key and read the data.
• Can PGP encryption be cracked?
PGP offers encryption using unlimited key lengths for key exchanges and ciphers, with most systems limiting those to 4096 and 256 bits, respectively. When using such strong cryptography, it is impractical to break the encryption. Even with the fastest computers, it would take trillions of years to crack the code on a 256-bit encryption key.
• How do I set up PGP encryption?
To set up PGP, you need to generate your own key pair, which consists of a public key and private key component. You keep the private key to yourself, while the public key can be given to anyone who wishes to send data encrypted for only you. If you wish to encrypt data for a given recipient, such that they are the only ones who can read it, you will need their public key. Diplomat MFT provides an intuitive user interface to create, import, and export PGP key pairs and public keys.
• Is it illegal to have PGP?
Historically, cryptography using keys of larger than 40 bits was treated by the United States government as munitions, and thus it was illegal to “export” outside of the U.S. Those laws have change since 2000, however, and now PGP can be used with all countries of the world, except those embargoed countries with which all trade is prohibited.
• Is PGP dead?
No! PGP is alive and well. If you are looking for a mechanism to protect your data in transit, and at rest, and to strongly authenticate the sender and recipient of data, then PGP is an excellent choice. For example, PGP is a security requirement for many banks when transferring data between your business and the bank. In fact, many of Coviant Software’s customers use Diplomat MFT to exchange PGP-encrypted files with financial institutions like JP Morgan, Citi, Bank of America–and more!
• How do you automate PGP decryption?
PGP encryption is often handled by complex command line applications, which can be confusing and hard to remember. But with Diplomat MFT, automation is a simple matter of point-and-click. Any time you need files encrypted, decrypted, signed, or verified, Diplomat MFT provides an intuitive interface to check the right options and choose the corresponding key from a list.
• What is the difference between PGP and GPG?
PGP (and OpenPGP) are the standard message formats for encrypting and signing data. GPG is short for “GnuPG,” an open source implementation of the PGP protocol. GPG provides a command line interface to perform PGP encryption, decryption, signing, verifying, and key management operations.
• What can I use instead of PGP?
Because PGP is a standard format for data encryption, there are many tools out there which can be used to do required PGP operations. GPG, for example, is an open source tool for doing PGP operations on a command line. If you wish to automate PGP operations in an intuitive, point-and-click interface, Diplomat MFT is an excellent choice of tools.
• Can I decrypt PGP with GPG?
GPG can decrypt PGP files because it is a tool that conforms to the OpenPGP standard. Any message that is encrypted in the OpenPGP format can be decrypted by GPG — or by any other standard conforming tool, such as Diplomat MFT. Because GPG is a command line tool, you will need to use the command line syntax for the various operations like encrypting, decrypting, signing, and verifying. A tool like Diplomat MFT provides an intuitive user interface to automate those operations.
• What algorithm does PGP use?
- The OpenPGP standard lists multiple public key algorithms, such as RSA, Elgamal, and DSA;
- The OpenPGP standard lists multiple algorithms for symmetric data encryption, such as 3DES, IDEA, CAST5, BlowFish, TwoFish, AES (128,192, and 256-bit), and Camellia (128, 192, and 256-bit);
- The OpenPGP standard lists multiple algorithms for hashes on the data (which are used for integrity checking and signatures), including MD5, SHA-1, RIPE-MD/160, and SHA2 (224, 256, 384, and 512-bit); and,
- The OpenPGP standards lists multiple algorithms for data compression, including ZIP, ZLIP, and BZIP2.
It is important to note, though, that only a few of these (DSA and Elgamal; 3DES; and SHA-1) are required to be implemented by the OpenPGP Standard. However, this minimal requirement is regarded as insecure because algorithms like 3DES and SHA-1 are considered “broken.” Fortunately, many PGP implementations support all the algorithms of the OpenPGP standard — and even some additional ones, like Elliptic Curve public key algorithms. Diplomat MFT is one such software that supports modern, secure algorithms in its PGP library.
If you have any other questions about PGP, OpenPGP, or its use in secure managed file transfers, don’t hesitate to get in touch.