Skip to content

Describe PGP and GPG

What is PGP and GPG

PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard) are both cryptographic software tools used for encrypting and decrypting data, as well as for digitally signing messages to ensure their authenticity and integrity. They are primarily used for securing email communication, but they can also be used to encrypt files and other forms of data.

PGP

PGP (Pretty Good Privacy) uses a combination of symmetric-key and public-key cryptography to provide privacy and authentication.

Here's how it works:

  • Encryption: PGP uses symmetric-key cryptography to encrypt the data, but it also uses public-key cryptography to securely transmit the symmetric encryption key. This allows for secure communication between parties without them needing to exchange secret keys beforehand.

  • Digital signatures: PGP allows users to digitally sign messages or files using their private key, which can be verified by others using the sender's public key. This provides authentication and ensures that the message has not been tampered with.

GPG

** GPG(GNU Privacy Guard):** GPG is an open-source alternative to PGP and is part of the GNU Project. It is compatible with the OpenPGP standard, which is based on PGP's original specifications. GPG offers similar functionality to PGP but is free to use and has been widely adopted by the open-source community.

Here's how GPG works:

  • Compatibility: GPG is designed to be compatible with PGP, allowing users to exchange encrypted messages and files with PGP users seamlessly.

  • Encryption and digital signatures: Like PGP, GPG supports both encryption and digital signatures. It uses the same hybrid approach of symmetric-key and public-key cryptography to provide privacy and authentication.

GPG in Action!

If I wanted to encrypt a message using gpg, I first need to obtain the recipient's public key and import it into gpg's memory. You can import keys using the following command:

gpg --import <public_key_file>
Now you are able to properly encrypt the message for the intended recipient, using the following command:
gpg --output secret.gpg --encrypt --recipient bob@cyber.org doc

The recipient would then use their own private key (assymetric encryption at work here!) in order to decrypt the message.

gpg --output doc --decrypt doc.gpg
Let's say you intercepted an encrypted message as well as the private key needed to decrypt the file. The process is simple; first import the key, then decrypt.
gpg --import <private_key_file>
Now that you have the appropriate key imported, we can decrypt the file using the following command:

gpg --decrypt encrypted_message.txt

Now, for this next example we have several files in a directory. The file we want has been digitally signed, and we have obtained that signature file. First we must verify each file against the signature until the output indicates the signature is good (it would be useful to create a script or loop here for larger directories!):

gpg --verify signature_file.sig encrypted_message.gpg
Once we identify the file we can then import the key and run the decrypt command as normal.

In light of all of this, it is important to understand that no decryption would be possible without the proper key. This should emphasize the importance of securely exchanging your keys so as to not let them fall into the hands of unintended parties.

Class Exercise!

You and a battle buddy will each generate a public/private key pair on your machine. Using netcat you will transfer your public keys to each other. Then, using those keys you will encrypt a message, and send it back for decryption.

All of this should be possible on your local boxes, using only netcat and gpg.