What is PGP Encryption and How Does it Work?
What is PGP?
PGP, also known as Pretty Good Privacy is a computer program that utilizes cryptographic algorithms to provide its users authentication, privacy and integrity of data during transmission. PGP is widely used to encrypt and secure all types of communications. Not only securing, but also ensuring that both sides are who they claim they are. It also has other uses as you’ll discover later in this article.
PGP was developed in 1991 by Philip Zimmermann. Philip later had to deal with the US government when PGP found its way out of the US to other countries. Here’s a part of Zimmermann’s own writing on PGP. Before we delve into how PGP works, we have to talk about encryption and its types to set the stage for better understanding.
What is Encryption?
Encryption is simply-put, the process of encoding data in a way that only intended parties can access the data. In cryptography, data which can be read is referred to as paintext and data that has been encrypted is called ciphertext.
Even if our ciphertext somehow ended up in adversaries’ hands, they won’t be able to understand what the information says. That’s because ciphertext is a disfigured version of the clear-text. Only entities we share the decrypting technique with can decode and read the information. For an example of this, and a really old one, is Julius Caesar’s encryption method. Julius replaced every letter in his messages with a letter three positions away through the alphabet. Meaning that he replaced every A with a D and every B with an E and so on. Only people aware of this shifting rule, would be able to decrypt the messages.
Encryption has evolved vastly with the inception of computers. The existence of hardware capable of performing complicated mathematical calculations in almost no time spurs the need for more complicated cryptographic algorithms. The concept of keys is heavily used in cryptography. Keys can be letters, numbers or a mixture of the two. They are used in combination with encoding algorithms to encrypt data to a further level of security. Data encrypted with different keys produces different ciphertexts.
In this encryption scheme—also called conventional encryption or secret key—the same key is used for ciphering and deciphering data. Communicating parties must share the same key to have secure communication. This is inconvenient, since one party has to send the secret key somehow (e.g. in person) to the other before transmitting data. A good example on this type and its weakness is the Enigma Machine.
Public Key Encryption
Public Key Encryption, also known as asymmetric key—works out the inconvenience of key distribution faced when using symmetric key. In this scheme, each party has two keys: a public key and a private key. You share your public key with everyone but you keep your private key.. well, private.
Anyone with a copy of your public key can encrypt information that only you can decrypt with your private key. Magic! Well, actually no, it’s just math. Your public key and private key are mathematically related. Notwithstanding that the public key is derived from the private key, the process cannot be reversed. Some examples of public key encryption schemes are RSA and DSA.
Advantages of Public Key Encryption:
• Key distribution is not a problem here.
• Elimination of the need to have preexisting security arrangements. Any with a copy of your public key can start encrypting messages to you.
Disadvantages of Public Key Encryption:
• It’s slow. About 1,000 times slower than conventional encryption.
How PGP Encryption Works:
PGP combines the best features of both symmetric and asymmetric encryption. It’s like a hybrid of the two with additional features of its own. When you encrypt data using PGP, it first compresses the data in an effort to minimize transmission time and disk space, as well as to add in an extra layer of security. Then, PGP creates a session key, which is a randomly generated, small sized, one-time-only key. This key is used to encrypt data with.
There’s a reason behind why PGP creates this key. Did you figure it out? Do you recall when we said that public key encryption is incredibly slower compared to conventional encryption? PGP tries to solve this issue through creating this key and using it to encrypt the message using the old school conventional encryption. Remember, conventional key encryption is 1,000 times faster than public key encryption. After that, the session key itself is encrypted using your recipient’s public key.
The public and private key pairs can be used in another way. Instead of encrypting messages using other people’s public keys, you can encrypt messages using your private key. If messages can be decrypted using your public key, then this means that they certainly originated from you. This is very useful and efficient. Authentication is every bit as substantial in cryptography as privacy is. Privacy is not that much of a concern when you can’t make sure you’re messaging who you think you’re messaging, right?
What is a Digital Signature?
Digital signatures are mathematical schemes for verifying the authenticity of data. As explained above, authenticity can be verified via interchanging which key of the pair we encrypt with. However, this method is inefficient. For that reason digital signature was introduced. You can think of digital signatures as ordinary physical signatures. The main difference being that unlike physical signatures, digital signatures are virtually impossible to fake. Digital signatures utilize hashing functions in it’s working mechanism.
In cryptography, hashing is the process of converting any form of data into a unique string of text. It’s similar to encryption, only no keys are involved. It’s worth noting that hashing is a one-way function, which means the original value cannot be retrieved from the hash. Examples of cryptographic hashing algorithms are MD5, MD4, SHA1, SHA256.
One of the downsides of public key cryptography—in addition to slowness—is how it produces a huge volume of data, about twice the size of the original value. PGP solves this through the use of hashing functions. A hashing function takes any data of any size as input and outputs a fixed sized hash. Should the data be changed, even the slightest, a totally different hash is produced.
Signing and Verifying Signatures.
The process of signing and verifying digital signatures goes something like this: PGP employs hashing functions on data intended to be signed. The output is, like we mentioned earlier, a fixed sized hash. This output hash is called the digest.
Following, PGP encrypts this digest using the private key which gives the digital signature. The newly created signature is then sent along with the plaintext data to the recipient.
The PGP recipient client uses the same hashing functions on the received plaintext data to produce the digest. It then decrypts the signature using the sender’s public key. If the value of the decrypted digital signature is equal to the value of the digest computed by the recipient, then the verification is successful.
Public Key Infrastructure
Digital signatures only have to do with verifying that a given message has been signed with a private key that is correspondent to a given public key. As far as it goes, digital signatures have nothing to do with verifying that a certain person singed the message. This can be done with the help of PKI (Public Key Infrastructure) and digital certificates.
Checking PGP Signatures
A Digital Signature can also be used for more than just communication. For instance, software vendors allow for costumers to receive a copy of their public keys, so that when people download software from their websites, they can make sure they downloaded the authentic software and not something else.
It’s good practice to always check the authenticity of software you download. In 2016, Linux Mint, a popular Linux distribution website was hacked. The download links of for the OS system linked to a malicious version. Many people fell for that and installed malicious versions of the OS. However,if those people had used PGP to verify the signatures before downloading the files, they would have known that something was not right.
Benefits of using PGP
• Privacy. Only the sender and the receiver can see the messages communicated.
• Integrity. You can be sure received data has not been altered or modified.
• Authenticity. You can be sure the sender is who you think they are, given digital certificates are used.
• Authenticity check for downloads. You can be sure files you download are the real thing.
• PGP software is free and easy to use.