Encrypting messages: PGP

PGP uses a mixed cryptographic system, in fact it uses both symmetric and asymmetric systems (to know more about these concepts and cryptography generally speaking, take a look at these pages about cryptography). PGP uses both of these systems because:

• When you use a symmetric system (with a secret key) you have necessarily to worry about how to exchange the secret key with the recipient of message, so you could prefer an asymmetric system
• The used asymmetric system takes a lot of time to encrypt the whole message (it's about 4000 times slower than the used symmetric system)

First PGP versions (up to 5.0) used the RSA algorithm (asymmetric system), and the IDEA algorithm (symmetric system). In a nutshell, in PGP the RSA algorithm encrypts a secret key which actually encrypt the bulk data. However the latest version uses two different algorithms: DSS/Diffie-Hellman and CAST (but if you are using the international version, you can choose to use RSA or DSS/Diffie-Hellman algorithms as an asymmetric system, and CAST, Triple-DES or IDEA algorithms as a symmetric system). When you use PGP you have to know 2 keys: the recipient's public key and your private key. That's all. In fact there is always a couple of keys strictly related each other: a public key and its corresponding private key. So when you encrypt a message you have to know the recipient's public key only (you know it because it's a PUBLIC key and all people knows it!). When the recipient receives your encrypted message, he decrypts it by means of his private key (this is a private key and so nobody except him knows the key!). In addition, maybe the recipient want to answer to you by sending an encrypted reply after reading your message. In this case he has to encrypt his message by means of your public key. When you receive his encrypted message, you will decrypt it by means of your private key. This is an asymmetric cryptographic system. In other words, all people knows others' public keys, but only each encrypted message's recipient knows his own private key to decrypt it.

However you have to know that PGP doesn't use RSA (or DSS/Diffie-Hellman in latest versions) to encrypt your message! PGP encrypt your message by means of the IDEA algorithm (or CAST or Triple-DES in latest versions). IDEA is a symmetric system, but you have not to know a private key to encrypt the message by means of IDEA. In fact PGP creates a temporary secret key randomly just for that message you are encrypting in that moment (if you encrypt again the same message, PGP will create a new absolutely different key again). After creating the secret key, PGP encrypt the message using that key. Finally PGP encrypt the secret temporary key (used to encrypt the message) by means of RSA (using the recipient's public key) and then sends it with the encrypted key used to encrypt it. When the recipient receives the message, its copy of PGP decrypts the key by means of the recipient's private key (remember: only the recipient can decrypt that key by means of his private key) and then it uses the decrypted key to actually decrypt the message. To much difficult to understand? Let's see an example:

You send an encrypted message to Alice and Alice decrypts it

1. You say to PGP that it has to encrypt a message with the Alice's public key 'APK'
2. PGP creates a new temporary secret key 'TSK' randomly
3. PGP encrypts the message by means of the temporary key 'TSK' (it uses IDEA, CAST or Triple-DES algorithms, which are symmetric systems)
4. PGP encrypts the temporary key 'TSK' by means of the Alice's public key 'APK' (it uses RSA or DSS/Diffie-Hellman algorithms, which are asymmetric systems). So this key become an encrypted key 'EK'
5. PGP sends both of them (the encrypted message and the key used to encrypt it) to the recipient
6. Alice receives your message
7. She decrypts the encrypted key 'EK' by means of her private key 'APRIVK' (here PGP uses RSA or DSS/Diffie-Hellman algorithm). So the key become 'TSK' again
8. Now her copy of PGP 'knows' the temporary secret key 'TSK', so it can use it to decrypt the message...

Let's see more...

1. Where to get PGP
2. How to install PGP 5.5.3i
3. How to use PGP 5.5.3i
4. Passwords and Passphrases
5. Signing public keys
6. Keyservers
7. Newsgoups