What you need to know about PGP

Online security is a hot topic and encryption plays an important role in this. Encryption is used for sending secured emails, end-to-end encryption (used by apps like Whatsapp) and more. It has also had some news coverage when the police managed to hack Encrochat and Exclu Messenger to catch criminals worldwide.

In the past year or so I have worked with PGP. There is a lot of information about this subject on the internet. However, all information is either fragmented over several websites or too detailed. In a series of blogposts I will share all the information that I wish I knew before I started working with PGP.

In this first blogpost I’ll discuss the basic principles of PGP. My second blogpost will be about keys that are used, and the third blogpost will be about the difference between the specification and implementation.

PGP stands for Pretty Good Privacy and is created in 1991. PGP can be used for signing, compressing and encrypting data like documents and emails. I will explain each in more detail.

Signing

Signing can be used to verify if the message is really from the sender and has not been altered in any way. PGP does this by first generating a hash. Which hash algorithm is used depends on the implementation (the default in GPG is SHA265). This hash is then signed using the private key of the sender. The receiver can verify this signature using the sender public key.

The data that needs to be encrypted can be very large. To make it easier to send, the data can be compressed by some sort of zip algorithm. Usually this is done after the signature has been generated and before the encryption takes place.

PGP can encrypt and decrypt a message. Encryption is done using the public key of the receiver and decryption is done using the private key of the receiver.

To understand how PGP encryption works you first need to know more about encryption. More importantly, you need to know the difference between symmetrical- and asymmetrical encryption.

Symmetric encryption

Symmetric encryption uses the same key for both encryption and decryption. An example of this is the Caesar cypher. This works by replacing each letter with a letter some fixed number of positions up or down the alphabet. For example, when you use a shift of 3 then A becomes C, B becomes D and C becomes E.

Hello world becomes Khoor zruog.

To decrypt this, you just need to reverse the effect (C becomes A, etc).

This is a fast way to encrypt and decrypt information, but it's only secure as long as the key is unknown. Because the key is used for both encryption and decryption, the key can be stolen at either the sending or receiving party. And when this key is revealed all messages sent using this key can be decrypted. Fake messages can also be generated which makes this method dangerous to rely on.

Asymmetric encryption

Asymmetric encryption uses a public and private key. The public key is used to encrypt the information and the private key is used to decrypt. Since the private key is only known at the receiver end, this is a very secure way of encryption. However, the downside is that this can take quite a long time to encrypt/decrypt. The longer the message, the slower the process.

PGP actually uses symmetric- and asymmetric encryption. This makes it both fast and secure.

The way PGP does this is by first generating a session key. This session key is a symmetric encryption key and is unique per message. The information is encrypted using this session key.

An example of a session key is

9:A9B20905A1E10A6CF4ABAC6E5EBE57655D46A2A12F40A40A50D89F3974D2C8

The session key is then encrypted using the public asymmetric encryption key of the receiver. Because the size of the session key is quite small this won't take long.

The encrypted data using the symmetric session key and the asymmetric encrypted session key are combined in the resulting message. This message can be sent to the receiver. This is very secure, because only the receiver can decrypt the session key.

These are the main features of PGP. The most important take-away is that PGP is both symmetrical and asymmetrical and that the encrypted session key is used to encrypt and decrypt the actual message. In the next blog I will talk about the keys that can be used.