Wednesday, March 30, 2016

S/MIME vs PGP


SMTP or Simple Mail Transfer Protocol was first developed in 1982 and at that time it had very few security features. As a result, we gradually needed to make email communications more secure. We wanted features to digitally sign, encrypt and decrypt emails. S/MIME and PGP (actually OpenPGP) are two standards that are developed for that purpose.





What is S/MIME ?


S/MIME is a standard which uses Public Key Cryptography to digitally sign, encrypt or decrypt emails.

The user first obtains a public-private keypair from a centralized trusted authority. The private key is kept secret with the user and the public key can be distributed with others.


At the time of digital signatures, the use has to sign the email with his private key and send it across. As the email is signed with the private key, the recipient will be able to verify the signature if the recipient has the sender's public key. In fact, anyone having the sender's public key would be able to verify the signature. But, as the private key is kept secret with the sender only, no one else other than the sender would be able to modify the original email.


And, if the user wants to send some secret message to a recipient, the sender would have to encrypt the email with the recipient's public key. As the private key is kept secret with the recipient, no one else other than the recipient would be able to decrypt the email.


And, if the email is signed with the sender's private key as well as encrypted with the recipient's public key, then only the recipient would be able to read the secret message after decrypting the message with the recipient's private key. And, at the same time, no one else other than the sender would be able to modify the original message.


In S/MIME, a user has to obtain his public-private keypair with a trusted authority. And, after receiving the keys, he has to use them suitably with the email application.



PGP


OpenPGP is another standard that can be used to digitally sign, encrypt and decrypt emails. PGP is a commercial program which is developed as per OpenPGP standard. Some people though prefer to use GPG which is an open source version of PGP made by GNU.

PGP also uses Public Key Cryptography to sign, encrypt and decrypt emails. So, in PGP also a user has to use his public-private keypair for signing, encryption and decryption of emails similar to S/MIME. A sender has to sign the email with his private key and the sender has to send an encrypted email to a recipient encrypting it with the recipient's public key.

So, you can say, S/MIME and PGP are very similar in one aspect – both of them use Public Key Cryptography to sign, encrypt and decrypt emails.



Difference between S/MIME and PGP


From a user's perspective, S/MIME and PGP are different in the way a user obtains his keypair. In S/MIME the user has to obtain his keypair from a trusted Certificate Authority. And, if someone wants to verify whether a public key is indeed the sender's authentic public key and is not forged by some attacker, he needs to verify it with the trusted authority and then use the key.

On the other hand, in PGP there is a concept of signing a keypair. Every user needs to sign his own keypair as well as of others with whom the user wants to communicate. Signing a key vouches for the authenticity of the public key. 

For example, if Alice is sure that a public key belongs to Bob and no one else, she would sign that public key. If another user Charlie wants to verify the authenticity of Bob's public key, Charlie can look at whoever has signed that particular public key. If Charlie knows Alice, he would be able to see that Alice has signed the public key, which in turn would increase the trustworthiness of the key. Moreover, while verifying someone else's key, one can indicate his trust level on that key by specifying four levels of trust (full, marginal, none, unknown). So, one does not need any trusted central authority to verify a public key.


So, to summarize, both S/MIME and PGP use Public Key Cryptography, yet both are two different standards. The main difference is S/MIME depends on a centralized trusted authority for verification of public keys, but PGP does not need that.


So, be informed about various security features and how you can use them, so that you can protect your data in a better way. And, stay safe, stay secured.





No comments:

Post a Comment