PGP Encryption

PGP stands for Pretty Good Privacy which was an encryption protocol invented back in the 1990s, and it outlined how one can securely communicate with another person via a public network.


For example, if I decide to send an email to my friend John, I will have to connect to an email server or to a public key exchange server, and from here, make the request for John’s email address to get his public RSA key.

After a successful request, I would use his public key to encrypt the email message which I will be sending to him. Although this might appear to be a very simple concept to understand, problems do arise if the email you decide to send is longer than John’s RSA key. To overcome this obstacle, PGP has added a new layer of encryption so that the actual message is encrypted with symmetrical encryption like AES or DES, and a secret is encrypted with John’s public key.

Although this might solve the problem with email message lengths, another major problem is that if the RSA key is not strong enough then the symmetrical encryption process is greatly weakened (also if an outdated symmetric encryption is used). In addition, the PGP protocol by itself does not offer any protection for metadata, such as who the recipient of the email is.

PGP may be a widely adopted protocol, but the security vulnerabilities it has in association with metadata information can unveil very important information between two parties.

A very good example of this vulnerablity is when the owner of Lavabit, Ladar Levison, during a recent speech at DefCon gave the facts about a recent conversation he had with his lawyer. This was in regards to a subpoena he received from the FBI. The FBI knows that his lawyer worked with Wikileaks before, and based on this information, they assumed that Levison discussed this subpoena with him.

This is a very good example where a person, an organization, or a competitor does not necessarily have to decrypt your communication to find the intended recipient of your communications or guess the subject of the conversation.

With all of these examples, now you can see that a company stating that they only use the PGP protocol offers you very little privacy.