IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.63 Use of PGP
Initiation responsibility: IT Security Management, Administrators
Implementation responsibility: IT users, Administrator
PGP (Pretty Good Privacy) is an encryption program that is in widespread use.
PGP can be used to encrypt and decrypt messages and files, and to attach a
digital signature (also referred to as an electronic signature) in order to be able
to prove that unauthorised changes have been made to a message or file. Keymanagement
tasks, such as adding and removing keys, can also be carried out
with the aid of PGP.
Encryption and digital signatures
PGP makes use of symmetric and asymmetric cryptographic procedures.
Symmetric procedures such as IDEA are used for data encryption, while
asymmetric procedures such as Diffie-Hellmann are used for the exchange of
keys and RSA or DSS for signature generation.
PGP creates and uses public and private keys in pairs of keys. For every
private key, there is exactly one public key. It is practically impossible to
determine the private key simply on the basis of the public one. A message
that has been encrypted with a public key or signed with the private key can
only be decrypted with the corresponding private key or verified with the
originator's public key. The public key can be revealed to anyone. Its purpose
is to encrypt messages to the owner of the private key.
In order to provide proof of unauthorised manipulation and therefore to
protect messages against modifications, PGP uses the originator's private key
to calculate a cryptographic checksum for the message - the digital signature.
Using the public key belonging to the sender of a message, every
communication partner can determine whether the cryptographic checksum at
the end of the message is valid or whether the message has been modified
without authorisation.
When using PGP it is advisable to use a combination of the two functionalities
described above. The standard procedure should be for messages and files to
be encrypted with the recipient's public key first and then to be signed with the
sender's private key, in order to obtain the greatest possible protection.
Versions
PGP is available for a wide variety of computer platforms (Unix systems,
DOS, Windows NT/9x etc.). The most commonly used versions are 2.6.3i, 5.x
and 6.x. Versions 5.x and 6.x are equipped with a graphical user interface, but
they are not downward-compatible with the preceding versions. Especially
when these versions of PGP are used in conjunction with operating systems
from the Windows family it should be borne in mind that it may be possible to
circumvent the security mechanisms of PGP by exploiting security
deficiencies in the operating system.
In view of the lack of downward compatibility, it is advisable to make
inquiries as to which version of PGP will be used by the communication
partners before exchanging encrypted messages. Version 2.6.3i is still in
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000