Updated August 16, 2005
Pretty Good Privacy (PGP) has had quite a history since Phil Zimmermann released the first version in 1991. Government lawsuits, acquisitions, revisions, and finally a massive buyback of assets from erstwhile owner Network Associates in 2002 all befell the little piece of software initially used to help users securely post to Bulletin Board Systems.
But throughout all of this, the encryption itself has remained unbroken - in spite of claims ranging from lonely teenagers breaking it to the US government forcing Zimmermann to implant backdoors into the software. Along with S/MIME, PGP has been given the honor of being one of only two email encryption systems approved for use by the National Institute of Standards and Technology.
And yet, despite all of these accomplishments and praises, many users and organizations still refrain from using PGP or other encryption mechanisms to secure their email.
Why is this? A combination of different factors has deterred both the average Joe Internet and not-so-average Bob Company from buying into the world of email encryption. Chief among these is complexity. Encryption is seen as just too difficult to set up, for a home user and especially for the workplace. And terms such as "public key", "private key", and "digital signature" are viewed as concepts best left to the experts.
PGP Corporation - the company that owns and distributes PGP - has taken this to heart and crafted a solution to help companies both big and small encrypt everyday email, without having to go through the hassle of generating public and private keys or even consciously clicking an 'encrypt' button before sending a message. The solution is PGP Universal, a set of encryption tools that help an organization's users encrypt everything from email and instant messages to entire hard drives, without having to invest in multiple products.
This article is the first of two reviewing PGP Universal, and will serve to set the scene and introduce the reader to both the product and PGP in general. The second article will deal with PGP Universal's technical details, and examine how the product functions in the business environment.
Let's start with a brief look at how far PGP has come since those early days of BBSes, cypherpunks, and the government lawsuits that love them.
Pretty Good History
Version 1.0 of PGP was written in 1991 by Philip Zimmermann. The politically-conscious Zimmermann wanted to devise a solution to allow users to post to the early Bulletin Board Systems and store files without being snooped on. To this end, he created the cross between public-key and symmetric-key encryption known as Pretty Good Privacy, which remains publicly unbroken to this day.
PGP works like this: Alice wants to send an encrypted message to Bob. Alice locates Bob's public key (one half of Bob's key pair, publicly available for all to see and download) through a keyserver, Bob's website, or any other method, and uses it to encrypt her message. The message is then sent using normal delivery methods to Bob, who uses his private key (the other half of Bob's key pair, only visible and usable by him) to decrypt the message. Since no one but Bob knows his private key, no one but Bob can decrypt the message, and it is thus safe from prying eyes at all steps of the delivery process.
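The Alice-and-Bob exchange above, combined with the "cross between public-key and symmetric key encryption" mentioned earlier, as an added example (not code from PGP or from this article): the message body is encrypted with a one-time symmetric session key, and only that session key is encrypted with Bob's public key. The primitives are toy stand-ins chosen so the script runs with the Python standard library alone (textbook RSA over two small known primes, a SHA-256 keystream); they are not PGP's algorithms or message format, and all function and variable names are assumptions made for this illustration.

```python
import hashlib
import secrets

# Bob's toy key pair (constructed for this example): two known Mersenne
# primes give a ~216-bit modulus, far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
BOB_PUBLIC = (P * Q, 65537)                          # (n, e): published
BOB_PRIVATE = pow(65537, -1, (P - 1) * (Q - 1))      # d: kept by Bob only


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_for(public_key, plaintext: bytes):
    """Alice's side: needs only Bob's public key."""
    n, e = public_key
    session_key = secrets.token_bytes(16)            # fresh for every message
    body = keystream_xor(session_key, plaintext)     # bulk data: symmetric
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # key: public-key
    return wrapped, body


def decrypt_with(private_d: int, public_key, wrapped: int, body: bytes) -> bytes:
    """Bob's side: the private exponent recovers the session key."""
    n, _ = public_key
    session_key = pow(wrapped, private_d, n).to_bytes(16, "big")
    return keystream_xor(session_key, body)


if __name__ == "__main__":
    wrapped, body = encrypt_for(BOB_PUBLIC, b"Meet at noon. -Alice")
    print("wrapped session key:", hex(wrapped))
    print("ciphertext body    :", body.hex())
    print("Bob decrypts       :",
          decrypt_with(BOB_PRIVATE, BOB_PUBLIC, wrapped, body))
```

Encrypting the same message twice yields different output each time, because a new session key is drawn per message; what travels to Bob is the pair of wrapped key and ciphertext body.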
This method of keeping messages safe from electronic voyeurs did not escape the attention of the United States Government, and in 1993 a criminal investigation was undertaken into Zimmermann and PGP due to cryptography-related export regulations. Under US export laws, ciphers with keys longer than 40 bits were considered munitions and thus illegal to export, and a three-year legal battle ensued, pitting Zimmermann and his legal team - many of whom worked free of charge on the case - against the US government. This ended in victory for Zimmermann's team in February of 1996 after the government dropped all charges.
In the wake of this victory, Zimmermann founded PGP, Inc. to market his encryption solutions. The company was quickly bought in 1997 by Network Associates International (NAI), the makers of the McAfee Anti-Virus family of software, and a number of new features were added to PGP. Four years later, in 2001, NAI ceased the development of PGP and put the company's assets up for sale. A group of investors - including the current management team - soon purchased these assets, and thus was formed the PGP Corporation.
Since it achieved its independence from NAI, PGP Corp. has busied itself with the task of improving PGP and integrating it into a variety of security solutions for both the home and business user. This brings us back to the current day, with PGP Universal 2.0 - PGP Corp.'s integrated solution to allow organizations to satisfy their users' security and encryption demands from the network level.