
PGP basics
I've read two or three documents/articles on cryptography (one of Phil
Zimmermann's, one FAQ of one of the newsgroups and another handbook, and
also a relevant chapter from a book on Expert OneOnOne .NET called
Advanced .NET Programming) and either it is that they all present a
different view of PGP or it may be that I am simply confused between
Public Key Encryption (PKI) and PGP.
Can someone please describe PGP in short and distinguish it from PKI?
I'll be really grateful.
Is it just that PGP is:
1. Generate a key pair using PKI.
2. Publish your public key
3. Hold your private key
4. Encrypt first (use either symmetric or asymmetric encryption, it
doesn't matter. Prefer using symmetric for most of it, use a high
density key e.g. 128-bit, and for the sensitive part, use asymmetric
encryption)
5. Encrypt the symmetric (or whichever you're using) key with your
private key.
6. To avoid others having your public key to be able to decrypt it,
encrypt again with the intended recipient's public key.
7. Finally, optionally, get your public key certified by a digital
certificate issuing authority.
Please tell me if I am wrong.

Re: PGP basics
Water Cooler v2 wrote:
> I've read two or three documents/articles on cryptography (one of Phil
> Zimmermann's, one FAQ of one of the newsgroups and another handbook, and
> also a relevant chapter from a book on Expert OneOnOne .NET called
> Advanced .NET Programming) and either it is that they all present a
> different view of PGP or it may be that I am simply confused between
> Public Key Encryption (PKI) and PGP.
>
> Can someone please describe PGP in short and distinguish it from PKI?
> I'll be really grateful.
You've fallen victim to Buzzword Bingo.
PKI is not a technique nor an algorithm. It's just fancy language for
"cryptosystems based on public key algorithms", sometimes in a hierarchy
but not always.
> Is it just that PGP is:
>
> 1. Generate a key pair using PKI.
No. They generate a key pair using a Public Key Algorithm (RSA,
Diffie-Hellman, possibly ECC in the future).
> 2. Publish your public key
> 3. Hold your private key
This is the "PKI" part. A system of distribution and retrieval of
public keys.
> 4. Encrypt first (use either symmetric or asymmetric encryption, it
> doesn't matter. Prefer using symmetric for most of it, use a high
> density key e.g. 128-bit, and for the sensitive part, use asymmetric
> encryption)
Messages are ALWAYS encrypted with a symmetric key. It's how the
symmetric key gets to you that changes. If you use a public key then
the symmetric key is encrypted with a public key algorithm. If you use
a password (conventional mode) it's encrypted based on the password (I
don't know exactly how because I haven't read the RFC in a long while).
> 5. Encrypt the symmetric (or whichever you're using) key with your
> private key.
You'd only encrypt with a password or public key. You can encrypt to
yourself, but you'd still be using your public key.
> 6. To avoid others having your public key to be able to decrypt it,
> encrypt again with the intended recipient's public key.
??? You want to give out your public key.
> 7. Finally, optionally, get your public key certified by a digital
> certificate issuing authority.
Yeah, though I question what that actually "means".
Tom
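Tom's point that the message body is always symmetrically encrypted and only the transport of the session key changes, as an added example that is not code from this thread or from any PGP implementation: a fresh AES-128-GCM session key per message, wrapped with RSA-OAEP to the recipient's public key. The function names are this example's, and AES-GCM plus OAEP are modern stand-ins for the actual OpenPGP packet formats, not the RFC's own construction.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns (wrappedKey, nonce, body). The body is always under a fresh
// 128-bit session key; the public-key step only wraps that key to the recipient.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) ([]byte, []byte, []byte, error) {
	buf := make([]byte, 16+12) // session key + 96-bit GCM nonce, both random
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, nil, err
	}
	key, nonce := buf[:16], buf[16:]
	aead, err := gcmFor(key)
	if err != nil {
		return nil, nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	return wrapped, nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// Decrypt needs the recipient's *private* key to unwrap the session key, so
// handing out the public key does not let anyone else read the body.
func Decrypt(priv *rsa.PrivateKey, wrapped, nonce, body []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, body, nil)
}
```

Encrypting "to yourself" is just calling Encrypt with your own public key; the GCM tag also makes any tampering with the body fail at Decrypt rather than yielding garbage.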

Re: PGP basics
Water Cooler v2 wrote:
> I've read two or three documents/articles on cryptography (one of Phil
> Zimmermann's, one FAQ of one of the newsgroups and another handbook, and
> also a relevant chapter from a book on Expert OneOnOne .NET called
> Advanced .NET Programming) and either it is that they all present a
> different view of PGP or it may be that I am simply confused between
> Public Key Encryption (PKI) and PGP.
>
> Can someone please describe PGP in short and distinguish it from PKI?
> I'll be really grateful.
>
> Is it just that PGP is:
>
> 1. Generate a key pair using PKI.
> 2. Publish your public key
> 3. Hold your private key
> 4. Encrypt first (use either symmetric or asymmetric encryption, it
> doesn't matter. Prefer using symmetric for most of it, use a high
> density key e.g. 128-bit, and for the sensitive part, use asymmetric
> encryption)
>
> 5. Encrypt the symmetric (or whichever you're using) key with your
> private key.
> 6. To avoid others having your public key to be able to decrypt it,
> encrypt again with the intended recipient's public key.
> 7. Finally, optionally, get your public key certified by a digital
> certificate issuing authority.
>
>
> Please tell me if I am wrong.
>
Read my <http://www.rossde.com/PGP/pgp_encrypt.html>. This discusses
symmetric and asymmetric encryption and how PGP combines them. It also
discusses public vs private keys.
Followup set to comp.security.pgp.discuss.

David E. Ross
<http://www.rossde.com/>
Concerned about someone (e.g., Pres. Bush) snooping
into your Email? Use PGP.
See my <http://www.rossde.com/PGP/>

Re: PGP basics
"Water Cooler v2" <wtr_clr@yahoo.com> writes:
> Can someone please describe PGP in short and distinguish it from PKI?
David Ross answered the first part. I'll comment on the difference
from PKI.
The basic operations are similar: encryption and signing.
The major difference, in my opinion, has to do with the trust question
(when to trust a key, when to consider a key valid).
With PKI, trust is based on the decision of a certification agent (or CA).
The CA is self-appointed, and you are supposed to trust the CA if
(a) your operating system vendor researches the CA and decides it is
worthy of trust, or
(b) the CA bribes your operating system vendor, and persuades it to
consider the CA key trustworthy.
By contrast, certification of PGP keys is based on the web of trust. You
will trust a key if you have made your own decision to trust it, or if
the key is signed by another key that you have chosen to trust.
The PKI trust model is hierarchical, so it works well in an organization.
The web of trust is based on human relations, networks of trustable
people, and works similarly to the way we use notary publics to assess
the validity of ink and paper signatures (except that forgery is harder
with digital signatures).
With PKI, a certificate has a single CA certification signature.
A PGP key, by contrast, can have multiple signatures.
My personal opinion (doubtless some will disagree) is that the PGP
web of trust better fits the internet as a whole, and the possibility
of multiple signature certificates on a key makes it more robust than
the PKI trust model.
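The two trust models contrasted above, as an added toy evaluator that is not code from this thread or from any PGP or X.509 tool: a PKI certificate is valid only if its single chain of issuers reaches a root you trust, while a web-of-trust key is valid if you vouched for it yourself or if any one of its (possibly many) signatures comes from a key you chose to trust. The type names, the one-hop introducer rule and every key name are this example's constructed simplifications.

```go
package main

// Sig records that Signer certified Subject's key (a PGP key signature) or
// issued Subject's certificate (an X.509 issuer). Constructed data only.
type Sig struct{ Signer, Subject string }

// PKI: each subject has exactly one issuer, and validity means that single
// chain of issuers ends at a root you trust. Losing the root loses everything.
type PKI struct {
	Roots   map[string]bool   // CA keys your platform vendor told you to trust
	Issuers map[string]string // subject -> its one issuer
}

func (p PKI) Valid(subject string) bool {
	for hop := 0; hop < 16; hop++ { // bound the walk; a loop is a broken chain
		if p.Roots[subject] {
			return true
		}
		issuer, ok := p.Issuers[subject]
		if !ok {
			return false
		}
		subject = issuer
	}
	return false
}

// WebOfTrust: validity is your own decision, or comes from at least one
// signature by a key you personally chose to trust as an introducer.
type WebOfTrust struct {
	Own     map[string]bool // keys whose validity you established yourself
	Trusted map[string]bool // keys whose signatures on other keys you accept
	Sigs    []Sig
}

func (w WebOfTrust) Valid(key string) bool {
	if w.Own[key] {
		return true
	}
	for _, s := range w.Sigs {
		if s.Subject == key && w.Trusted[s.Signer] {
			return true // any one trusted signer suffices
		}
	}
	return false
}
```

Withdrawing trust in one introducer leaves a multiply-signed key valid through its other signatures, which is the robustness argument made above; withdrawing a PKI root invalidates every certificate under it.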