single-blog-post-content-image

What is PGP

PGP is a system utilizing mathemtical princples allowing one to encrypt something using the Public-Key and only the corresponding Private-Key can decrypt it and vice versa. This means that when something is encrypted using the public-key, nobody holding the public-key can decrypt it, only the private-key will decrypt it. If something is encrypted using the private-key only the public-key will be able to decrypt. Though this may seem to have no practical value, there is however a very practical and needed application for this use-case.

How does PGP Signing work

For this example, assume we are working with an email, however this example can be extended to protect any number of arbitrary data e.g. an image file, audio file, video file, text, database, etc.

When composing an email, I want the receiver of the email to be certain that I sent the email and not Mallory. Using PGP, it will compute the hash of the email, whether plain text or HTML. Using my private key I can proceed to encrypt the hash value of this message and attach the encrypted hash as an attachment or as text to the bottom of the email.

To verify the integrity of the email, meaning that the email was not modified in transit and that I sent the email, the receiver can use PGP and my public key to decrypt the attached signature and record the included hash. The next step is to use the same hashing algorithm and calculate the hash of the received email and compare it with the decrypted hash value included in the email. If these two hash values match we can be sure that the email has not been modified in transit.

How does PGP encryption work

To encrypt an email is much easier in theory. When we are composing a message to a receipt, before sending, we can encrypt the message by using the public key of the user. Instead of sending the original text to the receipt, we send the text after using the receipts public key to encrypt the text. Now since only the corresponding private key can decrypt the email, it doesn’t matter if somebody is able to intercept and store this message, since it was encrypted with the public key, the public key can’t be used to decrypt the message.

However, due to the nature of public-key cryptology, it is extremly expensive in CPU time to decrypt large massas of encrypted text. So we can use a combination of symmetric encryption combined with public-key cryptology to ease the process.

When we send an encrypted message, PGP can sign the message in the manner above if requested by the user. PGP then generates a very large random number and uses this generated number with a symmetric encryption alogorith to encrypt the message. We can then encrypt the generated number with the reciept’s public key, and attach this encrypted key in same way to the email, normally added in the email header.

When the receipt receives our message, the receipt can utilize his private key to decrypt the key we attached. Upon decryption the receipt can utilize the same symmetric encryption algorithm, with the decrypted key to decrypt the encrypted message received.

To send an email to multiple receipts, we are only required to encrypt the encryption key with each of the receipts public-key’s and attach all encrypted keys in the email header.

Why haven’t you ever heard of PGP

Using, managing and understanding PGP is hard. Even if one was to ignore the eccentric, magic and mathematical nature of PGP, a lot of attention must be paid to PGP key management. One has a very big responsibliity to try and keep the private key safe, as if this is hacked or leaked, you can be inpersonated and would have no way to refute this aswell as allowing the attacked the ability to decrypt received emails.

As a mathematican, I have a keen love for cryptology and the systems that underpin them. Keep an eye out for future articles related to cryptology.