**SMTP** or **Simple Mail Transfer Protocol** was first developed in 1982, and at that time it had very few security features. As a result, we gradually needed to make email communications more secure: we wanted features to digitally sign, encrypt and decrypt emails. **S/MIME** and **PGP** (actually OpenPGP) are two standards that were developed for that purpose.

**What is S/MIME?**

**S/MIME** is a standard which uses Public Key Cryptography to digitally sign, encrypt or decrypt emails.

The user first obtains a public-private keypair from a centralized trusted authority. The private key is kept secret by the user, and the public key can be distributed to others.

For **digital signatures**, the user has to sign the email with his private key and send it across. As the email is signed with the private key, the recipient will be able to verify the signature if the recipient has the sender's public key. In fact, anyone having the sender's public key would be able to verify the signature. But, as the private key is kept secret by the sender alone, no one other than the sender can produce a valid signature, so any modification of the original email would be detected.

And, if the user wants to send some secret message to a recipient, the sender would have to **encrypt** the email with the recipient's public key. As the private key is kept secret by the recipient, no one other than the recipient would be able to **decrypt** the email.

And, if the email is **signed** with the sender's private key as well as **encrypted** with the recipient's public key, then only the recipient would be able to read the secret message, after decrypting it with the recipient's private key. And, at the same time, no one other than the sender could have produced the signature on the original message.

In S/MIME, a user has to obtain his public-private keypair from a trusted authority. And, after receiving the keys, he has to use them suitably with the email application.

**PGP**

**OpenPGP** is another standard that can be used to digitally sign, encrypt and decrypt emails.

**PGP** is a commercial program which is developed as per the OpenPGP standard. Some people, though, prefer to use **GPG** (GnuPG), the GNU project's open-source implementation of the same standard.

PGP also uses Public Key Cryptography to sign, encrypt and decrypt emails. So, in PGP also a user has to use his public-private keypair for signing, encryption and decryption of emails, similar to S/MIME. A sender has to sign the email with his private key, and to send an encrypted email to a recipient the sender has to encrypt it with the recipient's public key.

So, you can say S/MIME and PGP are very similar in one aspect: both of them use Public Key Cryptography to sign, encrypt and decrypt emails.

**Difference between S/MIME and PGP**

From a user's perspective, S/MIME and PGP are different in the way a user obtains his keypair. In S/MIME the user has to obtain his keypair from a **trusted Certificate Authority**. And, if someone wants to verify whether a public key is indeed the sender's authentic public key and not one forged by some attacker, he needs to verify it with the trusted authority and then use the key.

On the other hand, in PGP there is a concept of signing a keypair. Every user needs to sign his own keypair as well as those of others with whom the user wants to communicate. Signing a key vouches for the authenticity of the public key.

For example, if Alice is sure that a public key belongs to Bob and no one else, she would sign that public key. If another user Charlie wants to verify the authenticity of Bob's public key, Charlie can look at whoever has signed that particular public key. If Charlie knows Alice, he would be able to see that Alice has signed the public key, which in turn would increase the trustworthiness of the key. Moreover, while verifying someone else's key, one can indicate his trust level for that key by specifying one of four levels of trust (full, marginal, none, unknown). So, one does not need any trusted central authority to verify a public key.
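To make the web-of-trust rule above concrete, here is an added example (not from the original post) that computes which keys Alice's keyring treats as valid, given the signatures on each key and the trust level she assigned to each signer. It is modelled on GnuPG's classic trust model with its default thresholds (one fully trusted signer or three marginally trusted ones, chain depth at most five); the keyring data is constructed for illustration.

```python
# Trust levels a user can assign to a key's owner, as listed above.
FULL, MARGINAL, NONE, UNKNOWN = "full", "marginal", "none", "unknown"

def compute_validity(own_key, signatures, owner_trust,
                     completes_needed=1, marginals_needed=3, max_depth=5):
    """Return the set of keys this keyring treats as valid (authentic).

    signatures:  key -> set of keys whose owners signed (certified) that key
    owner_trust: key -> how far the keyring owner trusts that person to sign others
    A key becomes valid once it carries signatures from `completes_needed`
    fully trusted valid keys or `marginals_needed` marginally trusted valid keys.
    """
    valid = {own_key}  # one's own key is trusted unconditionally
    for _ in range(max_depth):  # each round extends the chain by one hop
        newly_valid = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures from keys that are already valid carry weight;
            # a key's self-signature says nothing about who really owns it.
            usable = {s for s in signers if s in valid and s != key}
            fulls = sum(1 for s in usable
                        if s == own_key or owner_trust.get(s) == FULL)
            marginals = sum(1 for s in usable if owner_trust.get(s) == MARGINAL)
            if fulls >= completes_needed or marginals >= marginals_needed:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid

# Constructed sample keyring, seen from Alice's point of view.
SIGNATURES = {
    "bob":     {"alice"},                  # signed by Alice herself
    "carol":   {"bob"},                    # signed by a fully trusted, valid key
    "dave":    {"bob"},
    "erin":    {"bob"},
    "frank":   {"carol", "dave", "erin"},  # three marginally trusted signers
    "grace":   {"carol", "dave"},          # only two marginals: not enough
    "ivan":    {"frank"},                  # valid signer, but owner trust is none
    "mallory": {"oscar"},                  # signer's own key was never validated
}
OWNER_TRUST = {"bob": FULL, "carol": MARGINAL, "dave": MARGINAL,
               "erin": MARGINAL, "frank": NONE, "oscar": FULL}

if __name__ == "__main__":
    valid_keys = compute_validity("alice", SIGNATURES, OWNER_TRUST)
    for key in SIGNATURES:
        print(f"{key:8} {'valid' if key in valid_keys else 'not valid'}")
```

Note that frank's key is valid (three marginal signers) even though Alice trusts frank not at all as a signer, which is why ivan's key stays unverified: validity of a key and trust in its owner are separate judgements.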

So, to summarize, both S/MIME and PGP use Public Key Cryptography, yet they are two different standards. The main difference is that S/MIME depends on a centralized trusted authority for verification of public keys, but PGP does not need that.

So, be informed about the various security features and how you can use them, so that you can protect your data in a better way. And, stay safe, stay secure.
