PGP (Pretty Good Privacy) is a popular program used to encrypt and decrypt e-mail over the Internet. It is generally used to protect the privacy of communication with other people, so that nobody except the intended recipient can read the data; to authenticate the origin of the data, so that nobody can impersonate the originator; and to ensure the integrity of the data, so that a created file cannot be altered, whether accidentally or on purpose.
Experts have identified several possible ways of attacking the security of PGP.
In theory, PGP can be compromised if the cryptographic methods it employs contain a flaw that fundamentally undermines its dependability and safety. In practice, PGP can be exploited when the passphrase that protects the originator's secret key is compromised, or when someone deliberately disrupts the process by distributing fake public keys. Another line of attack is to alter the PGP source code, modifying the cryptographic operations it performs or introducing an unfamiliar, hostile cipher that leaks security-related data to unscrupulous parties. The binary compiled from such falsified source code cannot be distinguished by an average user from the genuine, original version of PGP.
From a theoretical point of view, attacking the cryptographic methods of PGP is practically impossible, so the security of PGP in practice depends on how the user handles the secret key and on the weaknesses in how the individual keeps that key safe. Maintaining the secrecy of the passphrase that protects the secret key raises a number of practical issues, and it is a problem that deserves strong emphasis.
How can one gauge the trustworthiness of an unfamiliar public key? PGP offers two different solutions to this problem. First, a ‘fingerprint’ of the public key can be obtained through a direct, authenticated channel with the person, and this first-hand value is then compared with the ‘fingerprint’ of the public key you acquired from untrusted sources.
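The fingerprint comparison just described, as an added example that is not part of the original article: it computes a version 4 OpenPGP fingerprint (SHA-1 over the public-key packet, as RFC 4880 specifies) from a constructed toy RSA key and compares it, in constant time, against a copy obtained first-hand. The key material, creation timestamp and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed toy RSA public key: the numbers below are made up for illustration and
# far too small to be a real key; only the packet layout and hashing matter here.
TOY_N = 0xC8A3F1E57B2D9C04E6F7A1B3D5C7E9F102468ACE13579BDF2468ACE02468ACED
TOY_E = 65537
TOY_CREATED = 1700000000  # constructed key-creation time (seconds since the Unix epoch)


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then the big-endian magnitude."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 public-key packet for RSA: version, creation time,
    algorithm id 1 (RSA), then the MPIs n and e (RFC 4880, section 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a 2-byte body length and the body itself."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    return digest.upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order eight bytes, i.e. the last 16 hex digits."""
    return fingerprint[-16:]


def pretty(fingerprint: str) -> str:
    """Format as the usual groups of four hex digits for reading aloud or printing."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def fingerprints_match(first_hand: str, computed_from_received_key: str) -> bool:
    """Compare the fingerprint obtained directly from the key's owner with the one
    computed from a key that arrived through an untrusted channel. Spacing and case
    from a printed or spoken copy are ignored; the comparison itself is constant-time."""
    a = "".join(first_hand.split()).upper().encode()
    b = "".join(computed_from_received_key.split()).upper().encode()
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    genuine = v4_rsa_public_key_body(TOY_N, TOY_E, TOY_CREATED)
    fp = v4_fingerprint(genuine)
    print("fingerprint of received key:", pretty(fp), "key id:", key_id(fp))

    # The owner reads the fingerprint out first-hand; the copy differs only in spacing and case.
    spoken = pretty(fp).lower()
    print("matches first-hand copy:", fingerprints_match(spoken, fp))

    # A substituted key (different exponent) produces a different fingerprint and is rejected.
    substituted = v4_rsa_public_key_body(TOY_N, 3, TOY_CREATED)
    print("matches substituted key:", fingerprints_match(spoken, v4_fingerprint(substituted)))
```

Only the full 40-digit fingerprint should be compared; the 16-digit key ID is just its tail and is not a substitute for the check.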
Most importantly, the passphrase that safeguards the secret key must be kept private, because most people fail to appreciate how significant this is. Moreover, even with a long and complex passphrase, one must avoid the following errors to keep the secret key safe:
- Passphrases should never be written down in plain text.
- Never reuse a passphrase for something else, such as a login password. Even a slight similarity can make it easier for an attacker to derive one from the other.
- Passphrases must never be shared with any other individual.
- Passphrases must never be forgotten. If PGP is used regularly, it is rather unlikely that the passphrase will be forgotten.
- Create a key revocation certificate, a document that declares the public key invalid; this certificate must be signed by the key owner himself.
- A backup of the secret keyring must be made and kept in a safe, secure place.
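An added check for the reuse rule in the list above (not from the original article): it rejects a candidate passphrase that is too short, identical to, contained in, or merely similar to another credential, which is the "slight similarity" the article warns about. The length minimum, similarity threshold and sample credentials are constructed assumptions, and the comparison is meant to run only against the user's own credentials at the moment a passphrase is chosen, never against secrets stored in clear.

```python
import difflib

MIN_LENGTH = 20             # constructed minimum; a long passphrase is what protects the key
SIMILARITY_THRESHOLD = 0.7  # constructed cut-off; tune to local policy


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib's SequenceMatcher; 1.0 means identical (case-insensitive)."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_passphrase(passphrase: str, other_credentials: dict) -> list:
    """Return the problems found with a candidate PGP passphrase (an empty list means
    it passes). other_credentials maps a label such as 'login' to the secret the
    passphrase must not resemble."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"too short ({len(passphrase)} < {MIN_LENGTH} characters)")
    p = passphrase.lower()
    for label, secret in other_credentials.items():
        s = secret.lower()
        if p == s:
            problems.append(f"identical to {label}")
        elif s in p or p in s:
            problems.append(f"contains or is contained in {label}")
        else:
            score = similarity(p, s)
            if score >= SIMILARITY_THRESHOLD:
                problems.append(f"too similar to {label} (similarity {score:.2f})")
    return problems


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    credentials = {"login": "correct horse battery"}
    for candidate in ("correct horse battery staple",   # login password plus one word
                      "correct horse batery staple",    # one character off: still too similar
                      "Sw0rdfish!",                     # short
                      "Winter-Glass-Orbit-Ladder-42"):  # unrelated and long enough
        print(repr(candidate), "->", check_passphrase(candidate, credentials) or "ok")
```

Length and similarity are only the easy half of the rule; the checker cannot tell whether the passphrase has been written down or shared, which the remaining list items cover.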
As with all programs and applications, PGP should be used with a definite degree of understanding of its fundamental rules and security methods, and of the risks that come with its everyday use.