PGP, a little “what is it”.

In my post pertaining to my backup policies, we touched on how I utilize Symantec PGP Disk Encryption to store my data in personal vaults, preventing access without an authenticated password. I had a few people ask me to expand on what I meant by using a PGP zip(s), and why I use this solution.

To follow up, I will discuss (very briefly) what PGP is, and why I opted to this solution over others (such as AxCrypt or EncFS).

What is PGP?

PGP stands for “Pretty Good Privacy”, and is a protocol relating to data encryption (provided by the software). The usage of PGP varies, as it is capable of multiple usage cases, but primarily is used for data signature (‘file signatures‘).

The following is an exert of the definition (from Wikipedia) of PGP:

PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.

So, when thinking of the process implemented within PGP, there is both a Public and Private key for file signatures. For example, email signing is one of the main usages of PGP.

The following explains the process for implementing a PGP signed email to a recipient. PGPAssebly.gif

 

  1. The sender signs their plain-text data with their public key;
  2. The application then encrypts the plaintext data with the cipher provided;
  3. The end-recipient then decrypts the file with their private key

 

Why did you select PGP?

Apart from the fact that I have keys to applications using PGP, as far as I am aware, there are little or no security issues with PGP.

Whilst this may not necessarily be true (keyloggers and social-engineering are two methods to bypass this), the following assumption was made:

Q: Can’t you break PGP by trying all of the possible keys?

A: This is one of the first questions that people ask when they are first introduced to cryptography. They do not understand the size of the problem. For the IDEA encryption scheme, a 128 bit key is required.

Any one of the 2128 possible combinations would be legal as a key, and only that one key would successfully decrypt the message. Let’s say that you had developed a special purpose chip that could try a billion keys per second. This is far beyond anything that could really be developed today.

Let’s also say that you could afford to throw a billion such chips at the problem at the same time. It would still require over 10,000,000,000,000 years to try all of the possible 128 bit keys. That is something like a thousand times the age of the known universe!

While the speed of computers continues to increase and their cost decrease at a very rapid pace, it will probably never get to the point that IDEA could be broken by the brute force attack.

A further report can be found here.

Furthermore, there is nothing preventing me including other security measures to encapsulate the data. Symantec’s PGP program simply encrypts a portion of a hard drive, with a private key. Once you want to access this portion of the drive (and further the data stored in the “PGP Vault”) you must supply the private key to decrypt the data; more sub-zips, or other encryption methods can be used inside the “virtual mounted drive”.

OpenPGP? PGP? GPG? What are they?

These protocols or “solutions” are “forks” of the original PGP method; OpenPGP being the open-sourced alternative. Each version of PGP has it’s own advantages, disadvantages and may have their own security threats associated against them.

To summarize; how do you use this?

To clarify, PGP is not the only tool I rely on; security, and the layers of complexity are vast.

Think of the directories like so:

/ root
/ root/PGPdisk/
/root/PGPdisk/folder1/
/root/PGPdisk/folder1/example.aax

The files (not folders) under the mounted directories are individually encrpyted with AxCrypt.

There are 3 main reasons for this;

  1. If there is an issue with Symantec and PGP disks (‘back door’), each file is encrypted individually;
  2. If the PGP disk is kept mounted and physical access granted, they must know another password and;
  3. If a virus attempts to edit the file content when the drive mounted, it need to decrypt beforehand (it would probably corrupt the data honestly, but still!)

…oh, and it is really simple to maintain, and transfer between drives!

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s