PGP

Previous page
Table of content
Next page
 <  Day Day Up  >  

We include Pretty Good Privacy (PGP) here because it is supported as one of the token types in WS-Security headers. This approach, invented by Philip Zimmerman, is very different from the idea of there being a small number of trusted third parties as in Public Key Infrastructure (PKI). PGP is the most widely used email encryption and signing mechanism in use today. The second most widely used email encryption does not even register as a sliver on a pie chart of market share. Many people think that S/MIME certificates for signed and/or encrypted emails are prevalent . Not so. Even though tools such as Outlook, Eudora, and Lotus support S/MIME certificates, if measured by number of encrypted or signed emails sent, PGP has more than a 95% share. And one version of PGP is free with no overriding central authority. [3]

[3] See http://www.pgpi.org/products/pgp/versions/freeware/.

Strong freeware versions of PGP have always been available. Its deployment was always a grass-roots effort with a goal of free distribution to anyone and everyone worldwide, regardless of U.S. State Department restrictions about export because these types of crypto-systems were classified as "munitions." The PGP leaders struck back by publishing the complete source code in MIT Press books that were optimized for optical character recognition. Because books were not controlled as munitions, overseas groups were able to scan the books and obtain the source code easily.

PGP uses the IDEA algorithm for symmetric key encryption and the RSA algorithm with keys up to 2047 for key management and digital signatures. Its one-way hash algorithm is MD5.

Random public keys are seeded from keyboard latency while the subscriber is typing and uses probabilistic primality testing.

PGP encrypts a user 's private key using a hashed passphrase instead of a password. A passphrase is just a longer password than the normal eight or so characters . The user is encouraged to think of a complete phrase instead of just a word.

PGP's security is based on a layered approach. The only thing an attacker can tell about an encrypted message is who the recipient is. Only after the recipient decrypts the message does anyone know who the sender is if it was signed as well as encrypted.

PGP uses a distributed key management scheme with no certification authorities. The concept is instead a "Web of Trust"; this is symbiotic with the fundamental nature of the Internet. Users generate and distribute their own public keys, and users sign each others' public keys.

 <  Day Day Up  >  

Previous page
Table of content
Next page
Securing Web Services with WS-Security. Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption
Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption
ISBN: 0672326515
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Jothy Rosenberg, David Remy
BUY ON AMAZON
OpenSSH: A Survival Guide for Secure Shell Handling (Version 1.0)
Systematic Software Testing (Artech House Computer Library)
Quantitative Methods in Project Management
Quartz Job Scheduling Framework: Building Open Source Enterprise Applications
The Oracle Hackers Handbook: Hacking and Defending Oracle
Microsoft Visual Basic .NET Programmers Cookbook (Pro-Developer)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy