PGP

PGP: Pretty Good Privacy. Up to this point we've talked about private-key cryptography (one key used y both parties). There was one problem with this kind of encryption: If the key was intercepted, a third party could decrypt the messages. So, the ideas of public-key cryptography was developed. Here's how it works...

Everyone has two keys: a public and a private key. When someone wants to send something to a recipient, they (the sender) encrypt it with the recipient's public key. Then the only way to decrypt it is with the recipient's private key. One of the other benefits to PGP is that it allows the sender to "sign" their messages. This proves that the message came from the sender and has not been altered in transport.

Based on this theory, PGP allows everyone to publicize their public keys, while keeping their private keys secret. The result is that anyone can encrypt a message to someone else, as long as they have that person's public key.

In actuality, PGP uses a seies of private key, public key and one-way hash functions to encrypt a message. A one-way hash function takes some plaintext and translates it into a specific hash. The hash is unique to the message (like a fingerprint is to a person). The hash is also non-reversable, hence the name one-way. Let's run through an example of what PGP does to encrypt and decrypt an e-mail message. Our sender will be Chris and our receiver will be Brian.

-Chris uses a one-way hash function (such as MD5) to create a hash for the message.

-Chris, via RSA or some other digital signature algorithm, signs the hash with his private key.

-Chris merges the message and the signature, resulting in a new signed message.

-A random encryption key is generated, the session key.

-Chris uses the session key to encrypt the message, using DES or some other private key method.

-Chris gets Brian's public key.

-Chris then encrypts the key with Brian's public key, via RSA or some other public key method.

-Chris merges the encrypted message and the encrypted key and mails it to Brian.

Once Brian receives the message he can have PGP decrypt it. Here's what it would do:

-Brian seperates the encrypted message and the encrypted session key.

-Using RSA, Brian decrypts the session key.

-Using DES, Brian decrypts the message with the decrypted session key.

-Brian then seperates the message and the signature.

-Using MD5, Brian calculates the hash value of the message.

-Brian gets Chris' public key.

-Via RSA, and Chris' public key, Brian decrypts the signature.

-Brian then compares the hash value and the decrypted signature. If they are the same, Brian knows that the message is authentic and has not been altered since Chris signed it.

Note: While we have used RSA,DES and MD5 in our example (that is what PGP uses) other similar algorithms could be used in their place. It is the combination of these three functions that makes PGP so strong. Remember, however, that the overall security of the method you choose is only as good as the weakest encryption method you choose to substitute for the three forms in the above example.

For more information on PGP and instructions for downloading a program for PGP encryption and decryption see the PGP Web Site at MIT.

Main Page
Caesar Cipher
Simple Substitution Cipher
Vigenere Cipher
Gronsfeld Cipher
The German Enigma Machine
RSA Public Key Encryption
PGP -- Pretty Good Protection

Information for this page was obtained from E-Mail Security: How to Keep your Electronic Messages Private by Bruce Schneier; John Wiley & Sons, Inc. 1995.