PGP and S/MIME Protocol

Both the PGP and S/MIME protocols are used for authentication and privacy of messages over the internet.


S/MIME stands for Secure/Multipurpose Internet Mail Extensions. It has been incorporated into various mail exchange software, including Outlook, Thunderbird and others, and into all major browsers (Chrome, Mozilla, IE and others). S/MIME is based on IETF standards and is defined in RFC 5751.

RFC 5751 defines S/MIME as follows: "S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a consistent way to send and receive secure MIME data. Based on the popular Internet MIME standard, S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures), and data confidentiality (using encryption). As a supplementary service, S/MIME provides for message compression."

PGP, known as Pretty Good Privacy, is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions, and to increase the security of e-mail communications. It was created by Phil Zimmermann in 1991.

PGP and similar software follow the OpenPGP standard (RFC 4880) for encrypting and decrypting data.

A PGP user can give their public key to another user directly, or the other user can obtain the public key from the first user. PGP does not mandate a policy for creating trust, so each user is free to decide how far to trust the keys they receive. With S/MIME, the sender and receiver do not rely on exchanging keys in advance; instead they share a common certifier on which both can rely.

S/MIME is considered superior to PGP from an administrative perspective because of its strength, support for centralized key management through X.509 certificate servers and extensive industry support. PGP is more complicated from an end-user perspective, because it requires additional plug-ins or downloads to operate. S/MIME protocol allows most vendors to send and receive encrypted email without using additional software.

S/MIME is convenient because it can secure all kinds of application data, such as spreadsheets, graphics, presentations and movies, whereas PGP originated to address the security concerns of plain e-mail or text messages.

S/MIME is derived from the PKCS #7 data format for the messages, and the X.509v3 format for certificates. PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and public-key cryptography.
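The format difference shows up in a message's MIME headers: S/MIME carries PKCS #7 objects under the application/pkcs7-* media types, while OpenPGP mail uses application/pgp-* (PGP/MIME, RFC 3156) or ASCII-armored text in the body. The following added example (not from the original page; the sample messages are constructed placeholders) classifies a raw message the way a mail gateway or triage script might.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Media types: S/MIME (PKCS #7, RFC 5751) and PGP/MIME (RFC 3156).
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
               "application/pkcs7-signature", "application/x-pkcs7-signature"}
PGP_TYPES = {"application/pgp-encrypted", "application/pgp-signature"}
PGP_ARMOR = ("-----BEGIN PGP MESSAGE-----", "-----BEGIN PGP SIGNED MESSAGE-----")

def classify(raw: str) -> str:
    """Return 's/mime', 'pgp/mime', 'pgp-inline' or 'none' for a raw message."""
    inline = False
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        # multipart/signed and multipart/encrypted name the scheme in "protocol"
        proto = collapse_rfc2231_value(part.get_param("protocol", "")).lower()
        if ctype in SMIME_TYPES or proto in SMIME_TYPES:
            return "s/mime"
        if ctype in PGP_TYPES or proto in PGP_TYPES:
            return "pgp/mime"
        if ctype == "text/plain":  # inline PGP hides in an ordinary text part
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            inline = inline or any(marker in text for marker in PGP_ARMOR)
    return "pgp-inline" if inline else "none"

# Constructed sample messages (placeholder bodies, no real ciphertext).
SAMPLES = {
    "smime_enveloped": (
        "Content-Type: application/pkcs7-mime; smime-type=enveloped-data;"
        ' name="smime.p7m"\n\nPLACEHOLDER\n'),
    "smime_signed": (
        'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
        ' micalg=sha-256; boundary="b"\n\n--b\nContent-Type: text/plain\n\nhi\n'
        "--b\nContent-Type: application/pkcs7-signature\n\nPLACEHOLDER\n--b--\n"),
    "pgp_mime": (
        'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
        ' boundary="b"\n\n--b\nContent-Type: application/pgp-encrypted\n\n'
        "Version: 1\n--b\nContent-Type: application/octet-stream\n\n"
        "PLACEHOLDER\n--b--\n"),
    "pgp_inline": ("Content-Type: text/plain\n\n-----BEGIN PGP MESSAGE-----\n"
                   "PLACEHOLDER\n-----END PGP MESSAGE-----\n"),
    "plain": "Content-Type: text/plain\n\nlunch at noon?\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> {classify(raw)}")
```

The result reflects only what the headers and body markers claim; it does not verify any signature or certificate chain.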

Summary:
  • S/MIME and PGP protocols use different formats for key exchange.
  • PGP depends upon each user’s key exchange; S/MIME uses a hierarchically validated certifier for key exchange.
  • PGP was developed to address the security issues of plain text messages, but S/MIME is designed to secure all kinds of attachments/data files.
  • Nowadays, S/MIME is known to dominate the secure electronic industry because it is incorporated into many commercial e-mail packages.