Pretty good privacy (PGP) is used in:

Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. It was created by Phil Zimmerman in1991 while working at PK WARE, Inc.[1]

PGP and similar software follow the Open PGP standard (RFC4880) for encrypting and decrypting data.

Compatibility

As PGP evolves, versions that support newer features and algorithms are able to create encrypted messages that older PGP systems cannot decrypt, even with a valid private key. Therefore it is essential that partners in PGP communication understand each other's capabilities or at least agree on PGP settings.

Confidentiality

PGP can be used to send messages confidentially. For this, PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key. The message and its session key are sent to the receiver. The session key must be sent to the receiver so they know how to decrypt the message, but to protect it during transmission, it is encrypted with the receiver's public key. Only the private key belonging to the receiver can decrypt the session key.

Digital signatures

PGP supports message authentication and integrity checking. The latter is used to detect whether a message has been altered since it was completed (the message integrity property) and the former to determine whether it was actually sent by the person or entity claimed to be the sender (a digital signature). Because the content is encrypted, any changes in the message will result in failure of the decryption with the appropriate key. The sender uses PGP to create a digital signature for the message with either the RSA or DSA algorithms. To do so, PGP computes a hash (also called a message digest) from the plaintext and then creates the digital signature from that hash using the sender's private key.

Web of trust

Main article: Web of trust

Both when encrypting messages and when verifying signatures, it is critical that the public key used to send messages to someone or some entity actually does 'belong' to the intended recipient. Simply downloading a public key from somewhere is not an overwhelming assurance of that association; deliberate (or accidental) impersonation is possible. From its first version, PGP has always included provisions for distributing user's public keys in an 'identity certificate', which is also constructed cryptographically so that any tampering (or accidental garble) is readily detectable. However, merely making a certificate which is impossible to modify without being detected is insufficient; this can prevent corruption only after the certificate has been created, not before. Users must also ensure by some means that the public key in a certificate actually does belong to the person or entity claiming it. From its first release, PGP products have included an internal certificate 'vetting scheme' to assist with this, a trust model which has been called a web of trust. A given public key (or more specifically, information binding a user name to a key) may be digitally signed by a third party user to attest to the association between someone (actually a user name) and the key. There are several levels of confidence which can be included in such signatures. Although many programs read and write this information, few (if any) include this level of certification when calculating whether to trust a key.

The web of trust protocol was first described by Zimmermann in1992 in the manual for PGP version2.0

PGP found its way onto the Internet, and it very rapidly acquired a considerable following around the world. Users and supporters included dissidents in totalitarian countries (some affecting letters to Zimmermann have been published, some of which have been included in testimony before the US Congress), civil libertarians in other parts of the world (see Zimmermann's published testimony in various hearings), and the 'free communications' activists who called themselves cypherpunks (who provided both publicity and distribution) and decades later, CryptoParty, who did much the same via Twitter.

Criminal investigation

Shortly after its release, PGP encryption found its way outside the United States, and in February1993 Zimmermann became the formal target of a criminal investigation by the US Government for "munitions export without a license". Cryptosystems using keys larger than40 bits were then considered munitions within the definition of the US export regulations; PGP has never used keys smaller than128 bits, so it qualified at that time. Penalties for violation, if found guilty, were substantial. After several years, the investigation of Zimmermann was closed without filing criminal charges against him or anyone else.

Zimmermann challenged these regulations in an imaginative way. He published the entire source code of PGP in a hardback book,[14] via MIT Press, which was distributed and sold widely. Anybody wishing to build their own copy of PGP could buy the $60 book, cut off the covers, separate the pages, and scan them using an OCR program (or conceivably enter it as a type-in program if OCR software was not available), creating a set of source code text files. One could then build the application using the freely available GNU Compiler Collection. PGP would thus be available anywhere in the world. The claimed principle was simple: export of munitions—guns, bombs, planes, and software—was (and remains) restricted; but the export of books is protected by the First Amendment. The question was never tested in court with respect to PGP. In cases addressing other encryption software, however, two federal appeals courts have established the rule that cryptographic software source code is speech protected by the First Amendment (the Ninth Circuit Court of Appeals in the Bernstein case and the Sixth Circuit Court of Appeals in the Junger case).

US export regulations regarding cryptography remain in force, but were liberalized substantially throughout the late1990s. Since2000, compliance with the regulations is also much easier. PGP encryption no longer meets the definition of a non-exportable weapon, and can be exported internationally except to seven specific countries and a list of named groups and individuals[15] (with whom substantially all US trade is prohibited under various US export controls).

PGP3 and founding of PGP Inc.

During this turmoil, Zimmermann's team worked on a new version of PGP encryption called PGP3. This new version was to have considerable security improvements, including a new certificate structure which fixed small security flaws in the PGP2.x certificates as well as permitting a certificate to include separate keys for signing and encryption. Furthermore, the experience with patent and export problems led them to eschew patents entirely. PGP3 introduced use of the CAST-128 (a.k.a. CAST5) symmetric key algorithm, and the DSA and ElGamal asymmetric key algorithms, all of which were unencumbered by patents.

After the Federal criminal investigation ended in1996, Zimmermann and his team started a company to produce new versions of PGP encryption. They merged with Viacrypt (to whom Zimmermann had sold commercial rights and who had licensed RSA directly from RSADSI), which then changed its name to PGP Incorporated. The newly combined Viacrypt/PGP team started work on new versions of PGP encryption based on the PGP3 system. Unlike PGP2, which was an exclusively command line program, PGP3 was designed from the start as a software library allowing users to work from a command line or inside a GUI environment. The original agreement between Viacrypt and the Zimmermann team had been that Viacrypt would have even-numbered versions and Zimmermann odd-numbered versions. Viacrypt, thus, created a new version (based on PGP2) that they called PGP4. To remove confusion about how it could be that PGP3 was the successor to PGP4, PGP3 was renamed and released as PGP5 in May1997.

Network Associates acquisition

In December1997, PGP Inc. was acquired by Network Associates, Inc. ("NAI"). Zimmermann and the PGP team became NAI employees. NAI was the first company to have a legal export strategy by publishing source code. Under NAI, the PGP team added disk encryption, desktop firewalls, intrusion detection, and IPsec VPNs to the PGP family. After the export regulation liberalizations of2000 which no longer required publishing of source, NAI stopped releasing source code.[16]

In early2001, Zimmermann left NAI. He served as Chief Cryptographer for Hush Communications, who provide an OpenPGP-based e-mail service, Hushmail. He has also worked with Veridis and other companies. In October,2001, NAI announced that its PGP assets were for sale and that it was suspending further development of PGP encryption. The only remaining asset kept was the PGP E-Business Server (the original PGP Commandline version). In February2002, NAI canceled all support for PGP products, with the exception of the renamed commandline product. NAI (now McAfee) continues to sell and support the product under the name McAfee E-Business Server.

Current situation

In August2002, several ex-PGP team members formed a new company, PGP Corporation, and bought the PGP assets (except for the command line version) from NAI. The new company was funded by Rob Theis of Doll Capital Management (DCM) and Terry Garnett of Venrock Associates. PGP Corporation supports existing PGP users and honors NAI's support contracts. Zimmermann now serves as a special advisor and consultant to PGP Corporation, as well as continuing to run his own consulting company. In2003, PGP Corporation created a new server-based product called PGP Universal. In mid-2004, PGP Corporation shipped its own command line version called PGP Command Line, which integrates with the other PGP Encryption Platform applications. In2005, PGP Corporation made its first acquisition—the German software company Glück & Kanja Technology AG,[17] which is now PGP Deutschland AG.[18] In2010, PGP Corporation acquired Hamburg-based certificate authority TC TrustCenter and its parent company, ChosenSecurity, to form its PGP TrustCenter[19] division.[20]

Since the2002 purchase of NAI's PGP assets, PGP Corporation has offered worldwide PGP technical support from its offices in Draper, Utah; Offenbach, Germany; and Tokyo, Japan.

On April29,2010 Symantec Corp. announced that it would acquire PGP for $300 million with the intent of integrating it into its Enterprise Security Group.[21] This acquisition was finalized and announced to the public on June7,2010. The source code of PGP Desktop10 is available for peer review.[22]

PGP Corporation encryption applications

This section describes commercial programs available from PGP Corporation. For information on other programs compatible with the OpenPGP specification, see External links below.

While originally used primarily for encrypting the contents of e-mail messages and attachments from a desktop client, PGP products have been diversified since2002 into a set of encryption applications which can be managed by an optional central policy server. PGP encryption applications include e-mail and attachments, digital signatures, laptop full disk encryption, file and folder security, protection for IM sessions, batch file transfer encryption, and protection for files and folders stored on network servers and, more recently, encrypted and/or signed HTTP request/responses by means of a client side (Enigform) and a server side (mod openpgp) module. There is also a Wordpress plugin available, called wp-enigform-authentication, that takes advantage of the session management features of Enigform with mod_openpgp.

The PGP Desktop9.x family includes PGP Desktop Email, PGP Whole Disk Encryption, and PGP NetShare. Additionally, a number of Desktop bundles are also available. Depending on application, the products feature desktop e-mail, digital signatures, IM security, whole disk encryption, file and folder security, encrypted self-extracting archives, and secure shredding of deleted files. Capabilities are licensed in different ways depending on features required.

The PGP Universal Server2.x management console handles centralized deployment, security policy, policy enforcement, key management, and reporting. It is used for automated e-mail encryption in the gateway and manages PGP Desktop9.x clients. In addition to its local keyserver, PGP Universal Server works with the PGP public keyserver—called the PGP Global Directory—to find recipient keys. It has the capability of delivering e-mail securely when no recipient key is found via a secure HTTPS browser session.

With PGP Desktop9.x managed by PGP Universal Server2.x, first released in2005, all PGP encryption applications are based on a new proxy-based architecture. These newer versions of PGP software eliminate the use of e-mail plug-ins and insulate the user from changes to other desktop applications. All desktop and server operations are now based on security policies and operate in an automated fashion. The PGP Universal server automates the creation, management, and expiration of keys, sharing these keys among all PGP encryption applications.

The Symantec PGP platform has now undergone a rename. PGP Desktop is now known as Symantec Encryption Desktop, and the PGP Universal Server is now known as Symantec Encryption Management Server. The current shipping versions are Symantec Encryption Desktop10.3.0 (Windows and Mac OS platforms) and Symantec Encryption Server3.3.2.

Also available are PGP Command Line, which enables command line-based encryption and signing of information for storage, transfer, and backup, as well as the PGP Support Package for BlackBerry which enables RIM BlackBerry devices to enjoy sender-to-recipient messaging encryption.

New versions of PGP applications use both OpenPGP and the S/MIME, allowing communications with any user of a NIST specified standard.

OpenPGP

Inside PGP Inc., there was still concern about patent issues. RSADSI was challenging the continuation of the Viacrypt RSA license to the newly merged firm. The company adopted an informal internal standard called "Unencumbered PGP": "use no algorithm with licensing difficulties". Because of PGP encryption's importance worldwide (it is thought to be the most widely chosen quality cryptographic system), many wanted to write their own software that would interoperate with PGP5. Zimmermann became convinced that an open standard for PGP encryption was critical for them and for the cryptographic community as a whole. In July1997, PGP Inc. proposed to the IETF that there be a standard called OpenPGP. They gave the IETF permission to use the name OpenPGP to describe this new standard as well as any program that supported the standard. The IETF accepted the proposal and started the OpenPGP Working Group.

OpenPGP is on the Internet Standards Track and is under active development. The current specification is RFC4880 (November2007), the successor to RFC2440. Many e-mail clients provide OpenPGP-compliant email security as described in RFC3156. The standard was extended to support Camellia cipher by RFC5581 in2009, and encryption based on elliptic curve cryptography (ECDSA, ECDH) by RFC6637 in2012. Support of EdDSA will be added by draft-koch-eddsa-for-openpgp-00 proposed in2014.

The Free Software Foundation has developed its own OpenPGP-compliant program called GNU Privacy Guard (abbreviated GnuPG or GPG). GnuPG is freely available together with all source code under the GNU General Public License (GPL) and is maintained separately from several Graphical User Interfaces (GUIs) that interact with the GnuPG library for encryption, decryption and signing functions (see KGPG, Seahorse, MacGPG). Several other vendors have also developed OpenPGP-compliant software.

There are several iOS and Android OpenPGP-compliant applications such as iPGMail[23] for iOS; and OpenKeychain[24] for Android which enable key generation and encryption/decryption of email and files on Apple's iOS and Android.

• PGP

  • RFC1991 PGP Message Exchange Formats

• OpenPGP

  • RFC2440 OpenPGP Message Format (obsolete)
  • RFC4880 OpenPGP Message Format
  • RFC5581 The Camellia Cipher in OpenPGP
  • RFC6637 Elliptic Curve Cryptography (ECC) in OpenPGP
  • draft-koch-eddsa-for-openpgp-01 EdDSA for OpenPGP

• PGP/MIME

  • RFC2015 MIME Security with Pretty Good Privacy (PGP)
  • RFC3156 MIME Security with OpenPGP

OpenPGP's encryption can ensure secure delivery of files and messages, as well as provide verification of who created or sent the message using a process called digital signing. Using OpenPGP for communication requires participation by both the sender and recipient. OpenPGP can also be used to secure sensitive files when they're stored in vulnerable places like mobile devices or in the cloud.[25]

:

Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. So, the answer is (b) Email Security.