PGP
Authors: Brain Hart '99 and Chris Savarese
PGP
PGP: Pretty Good Privacy. In private-key cryptography one key is used by
both parties. One problem with this kind of encryption is that if the
key is intercepted, a third party could decrypt the messages. So, the
idea of public-key cryptography was
developed. Here's how it works...
Everyone has two keys: a public and a private key. When someone
wants to send something to a recipient, they (the sender) encrypt it
with the recipient's public key. Then the only way to decrypt it is
with the recipient's private key. One of the other benefits to PGP is
that it allows the sender to "sign" their messages. This proves that
the message came from the sender and has not been altered in
transport.
Based on this theory, PGP allows everyone to publicize their public
keys, while keeping their private keys secret. The result is that
anyone can encrypt a message to someone else, as long as they have
that person's public key.
In actuality, PGP uses a seies of private key, public key and
one-way hash functions to encrypt a message. A one-way hash function
takes some plaintext and translates it into a specific hash. The hash
is unique to the message (like a fingerprint is to a person). The hash
is also non-reversable, hence the name one-way. Let's run through an
example of what PGP does to encrypt and decrypt an e-mail message. Our
sender will be Chris and our receiver will be Brian.
- -Chris writes his message.
- -Chris uses a one-way hash function (such as MD5) to create a hash for the message.
- -Chris, via RSA or some other digital signature algorithm, signs the hash with his private key.
- -Chris merges the message and the signature, resulting in a new signed message.
- -A random encryption key is generated, the session key.
- -Chris uses the session key to encrypt the message, using DES or some other private key method.
- -Chris gets Brian's public key.
- -Chris then encrypts the key with Brian's public key, via RSA or some other public key method.
- -Chris merges the encrypted message and the encrypted key and mails it to Brian.
Once Brian receives the message he can have PGP decrypt it. Here's what it would do:
- -Brian seperates the encrypted message and the encrypted session key.
- -Using RSA, Brian decrypts the session key.
- -Using DES, Brian decrypts the message with the decrypted session key.
- -Brian then seperates the message and the signature.
- -Using MD5, Brian calculates the hash value of the message.
- -Brian gets Chris' public key.
- -Via RSA, and Chris' public key, Brian decrypts the signature.
- -Brian then compares the hash value and the decrypted signature. If they are the same, Brian knows that the message is authentic and has not been altered since Chris signed it.
Note: While we have used RSA,DES and MD5 in
our example (that is what PGP uses) other similar algorithms could be
used in their place. It is the combination of these three functions
that makes PGP so strong. Remember, however, that the overall security
of the method you choose is only as good as the weakest encryption
method you choose to substitute for the three forms in the above
example.
For Further Study and Enjoyment
For more information on PGP and instructions for downloading a program
for PGP encryption and decryption see the PGP Web Site at MIT.
Information for this page was obtained from E-Mail Security:
How to Keep your Electronic Messages Private by Bruce Schneier;
John Wiley & Sons, Inc. 1995.