One of the fun parts of being an IT trainer is that every time you get cocky and you think you know everything there is about a particular topic, something comes along and teaches you that that's not necessarily the truth. This episode is PGP or pretty good privacy. And it is an encryption cryptosystem. That's been around for over 25 years. And it's actually kind of interesting. This is something I used to use a long time ago, had kind of forgotten about.
And then once I saw that CompTIA added this back end as an objective. I had quite a lesson. So let's talk about what PGP is. First of all, PGP was invented by a guy named Phil Zimmerman way back in 1991. That type of internet back there in the late 80s, early 90s. Didn't have encryption.
I know today we have secure protocols for this that the other we can use things like BitLocker to lock down a hard drive. We got all this encryption and all of these crypto systems All over the place, but back then there really wasn't any. If you wanted to encrypt a email, there weren't really good options as mine back then was starting to form. But for the normal rank and file person, there wasn't a nice little program. You could pull down, install and start doing encryption until PGP came along. So PGP was originally invented for email encryption.
Mr. Zimmerman wanted to encrypt stuff, send it an email, so other people couldn't read it. Now, PGP has evolved tremendously over the years. So it does all kinds of stuff. Today it is it you can use it to sign files, you can use it to encrypt email, you can encrypt individual files, you can encrypt partitions, you can even do full disk encryption with PGP. So before we start going into where we're using it, let's make sure we understand how the PGP encryption works. PGP counts on the idea of A random key that's generated by the encrypt or the encrypter creates a random key.
And then they encrypt their data using that random key. And then they encrypt the key using the receivers public key. So you will definitely have a key exchange going on here. So you've got your encrypted data and your encrypted key, and then you send an encrypted message decryption works pretty much the exact same way in reverse. So we start with our encrypted message, and we separate the encrypted key from the data, it's very easy to make that separation. And then we take the encrypted key, and we decrypt it with the private key.
So this works very much like a classic asymmetric key. We now have the temporary key, the random key, and we can use that to decrypt the data. And the end result is we have our plaintext. So if you notice from that diagram, we've got two keys, we've got a public private key, and then we also have this random key. So for Those of you who are familiar with TLS. And if you've watched my episodes on TLS, asymmetric encryption, you'll know that in a lot of situations, we use asymmetric encryption, only to transfer a session key.
And then we switch to symmetric. So PGP works very similar to this. This is fascinating because you got to keep in mind, Phil Zimmermann invented all of this by himself. PGP is an open standard. But unlike so many other cryptographic systems we use, he just came up with this on his own, and it is stood the test of time. Now granted, there's been a lot of improvements over the years.
For example, originally, it would be using something called El Gamal, which is really just diffie Hellman. And also he had to invent his own certificates. He doesn't use x dot 509 certificates like the rest of the internet does. There is a special type of certificate called PGP. So also one of the things that's actually kind of interesting is that Mr. Zimmermann came up with something very different called web of trust. So let me show you how this works.
Now if you've watched other episodes, you're familiar with the idea of public key infrastructure where we have a certificate authority, intermediate authorities, and then individual folks. So anytime a certificate has to be checked, it's signed by the certificate authority. And the intermediates do the day to day checking of the certificate. So PK is the way the entire internet works. So let me show you another way. Instead of the nice pyramid.
Imagine you have one certificate that trust another certificate, and then that certificate trust another certificate. And you end up with this mesh this web of trust. Web of Trust was, I'm not going to say Phil Zimmerman invented the concept, but he was the first person to really push this concept forward. A complete alternative to PK AI. There's some big benefits of web of trust with With this, you don't have any Vera signs or any big companies charging your money. It's just a matter of having a buddy who knows a friend who knows a pal.
And back in the PGP days that I actually did this, you would have people who would be called themselves accountants. And they would be they weren't like CPAs. They were they were people who were trusted by a lot of people. And you could go to them, you call them on the telephone, remember those things, and you'd call them on the phone, then you would submit a request to these guys, and they would sign your certificate. So wacky way to do things. The only downside to this is that over time, people got lazy.
And a lot of times people would accept certificates without going through the due diligence of a phone call making sure the person's legit and all of that, and we started running some problems with it. So the reality is, is that PGP recognize that web of trust really wasn't working that well. And pretty much all PGP solutions today. Use good old PK AI and it works just Fine. So even the Web of Trust was a failure. PGP didn't need to have web of trust.
They put a lot of time and energy into making that happen. But PGP works just fine in a PK solution as well. All right. There have been tremendous amounts of change with PGP over the years. Today, there are really three big players in the world of PGP. First of all, the original PGP group or what's left of them is currently a part of Symantec Corporation.
This organization only does one thing, but boy does it do it. Well. It encrypts mass storage, so they will do signing and they will also do disk encryption. What's cool about these tools is they work great with existing alternatives, for example, BitLocker, and Windows or file Vault for the Mac folks, and it's really designed more for a cloud and an enterprise solution. So instead of having a bunch of systems with BitLocker and fire file vault whatever, you can just PGP them all regardless of the operating system. And it works great.
This is a proprietary solution and you got to pay some money for it. For those of you who like free, there is the open PGP standard. Open PGP is not only a standard, but it's a group of people who support this, and they support it really well. The big job of open PGP is encrypted email. It has complete support for PK AI. And it also works well with alternative ways to encrypt email.
For example, good old famous s mime. It's actually a fascinating process, you can get open PGP and it manifests as a plugin that you put into your existing email. If you have Outlook or Thunderbolt or anything like that. You can just add extensions to that and you get full support for digital signing encryption, the whole shebang exchanging of public keys, it works great. It's kind Have a hassle to go through all this though. And if you actually want to generate your own certificates and you know, have a third party sign them, and there are places that can do that Komodo in particular is a great source for that.
It's a little bit of a pain. The nice part is though, if you want to encrypt email, there are wonderful solutions out there that take all of this off your hands. Personally, my favorite is proton mail. proton mail, which I personally use on a daily basis is just a web interface. So if you like using Gmail or Yahoo, you'd be familiar with the interface. But the difference is, is that from the proton mail server, to whoever else, and they also have to be on proton mail.
It's fully encrypted. So whereas your Gmail could conceivably be intercepted where your Yahoo might be able to be read by third parties with proton mail, there's no way to do that and it completely uses open PGP. Nice part is we don't even see it works that transparently. The last place that we see open PGP I'm sorry, well it is open PGP but PGP is the new Privacy Guard or better known as GPG. This is a complete free tool set. And it is based on open PGP.
But whereas open PGP only does email GPG does file and disk encryption. And if you're going to be encrypting in the Linux world, you're probably going to be using those