PGP, descriptive acronym for Pretty Good Privacy, is a suite of encryption algorithms that handles the signing, encryption, and decryption of email messages and attachments. Signing is easy to explain – it assures the identity of the sender. Encryption and decryption are the processes of converting sensible content into gibberish and back. The algorithm that it uses has been in computer systems for decades, one that’s called public-key cryptography. Here is how it works:
- User A acquires the public key of User B
- User A “infuses” the public key of User B with the message
- User A sends the gibberish to User B
- User B decrypts the gibberish message with their private key
- User B gets the message in its original form
Because User B’s public and private keys are uniquely linked mathematically, only User B can decrypt the message. This way, even if the email is intercepted or delivered to the wrong person, all they can see is an encrypted email, and if they open it up, gibberish.
I was getting a haircut the other day and got chatting to the barber. It turns out they had a pretty bad month where the email account of one of their suppliers was hacked and the hacker impersonated the supplier and got the barber shop to pay thousands into the hacker’s account. Putting the lack of financial security intuition aside, let’s talk about how they could have avoided the situation altogether – Email Signing.
Signing is a similar but somewhat different process. It still uses public key cryptography, but in a rather different way. Let’s say User A wants to send a signed email to User B:
- User A writes the email, then generates a hash from the email. (Hashing is basically generating an unique representation of the email message. It doesn’t contain the message, yet if a single character in the original message changes, the hash will be completely different.)
- User A encrypts the hash with their private key, attaches it as a signature, and sends the email message as plain text along with the signature.
- User B receives the email, separately hashes the email, and decrypts the signature using User A’s public key.
- User B compares the hash they generated, with the decrypted signature.
- If they are the same, the email is marked “Signed & Verified”
So you can see, signing isn’t a process to encrypt the message, as anyone intercepting the message will get immediate access to it. Rather, it is a step ensuring the sender’s identity. Because of this very fact, even if the receiver doesn’t have the facility to verify the signature they can still read the email, albeit with a weird attachment to it.
In my barber’s case, if the supplier used mail signing, the barber will immediately spot that the signature is either wrong or missing. An alarm should be raised to further checking the identity of the sender either by calling them to confirm the details or replying asking for a signed confirmation.
I listed out the steps for these processes, but it’s actually incredibly simple to use as most programs and email clients handle this information behind the scene automatically. The two additional steps you might need to do are:
- Click on the “Sign the message” or “Encrypt the message” buttons.
- Enter your private key’s password
It’s also completely free! You can find all the software required for such process right here on OpenPGP’s website. I had been using Mac’s GPGTools integrated with Apple Mail and it worked flawlessly. When I’m on Windows, I use eM Client for email, and it works beautifully too.
It used to be the case where encryption comes at a premium – excessive processing power required to encrypt and decrypt, public key information difficult to obtain due to internet limitation or lack of centralised key servers, technical knowledge required to operate. But all of these problems have been solved with easy to use GUI interface, commonly known key servers, and our computers have become so fast it’s difficult to justify not to encrypt-protect anything. In this day and age, cyber security has become increasingly problematic, and we should all do our part to protect ourselves.
However, as with everything good, there is a catch:
Both parties have to use it for it to work.