Water Cooler v2 wrote:
> I've read two or three documents/articles on cryptography (one Phil
> Zimmerans, one FAQ of one of the newsgroups and another handbook, and
> also a relevant chapter from a book on Expert One-On-One .NET called
> Advanced .NET Programming and either it is that they all prsent a
> different view of PGP or it may be that I am simply confused between
> Public Key Encryption (PKI) and PGP.
>
> Can someone please describe PGP in short and distinguish it from PKI?
> I'll be really grateful.

You've fallen victim to Buzzword Bingo.

PKI is not a technique nor algorithm. It's just fancy language for
"cryptosystems based on public key algorithms" sometimes in a hiearchy
but not always.

> Is it just that PGP is:
>
> 1. Generate a key pair using PKI.

No. They generate a key pair using a Public Key Algorithm (RSA,
Diffie-Hellman, possibly ECC in the future)

> 2. Publish your public key
> 3. Hold your private key

This is the "PKI" part. A system of distribution and retrieval of
public keys.

> 4. Encrypt first (use either symmetric or asymmetric encryption it
> doesn't matter. Prefer using symmetric for the most of it, use a high
> density key e.g 128-bit and for the sensitive part, use asymmetric
> encryption)

Messages are ALWAYS encrypted with a symmetric key. It's how the
symmetric key gets to you that changes. If you use a public key then
the symmetric key is encrypted with a public key algorithm. If you use
a password (conventional mode) it's encrypted based on the password (I
don't know exactly how because I haven't read the RFC in a long while).

> 5. Encrypt the symmetric (or whichever you're using) key with your
> private key.

You'd only encrypt with a password or public key, you can encrypt to
yourself but you'd still be using your public key.

> 6. To avoid others having your public key to be able to decrypt it,
> encrypt again with the intended recipient's public key.

??? You want to give out your public key.

> 7. Finally, optionally, get your public key certificed by a digital
> certificate issuing authority.

Yeah, though I question what that actually "means".

Tom

Water Cooler v2 wrote:
> I've read two or three documents/articles on cryptography (one Phil
> Zimmerans, one FAQ of one of the newsgroups and another handbook, and
> also a relevant chapter from a book on Expert One-On-One .NET called
> Advanced .NET Programming and either it is that they all prsent a
> different view of PGP or it may be that I am simply confused between
> Public Key Encryption (PKI) and PGP.
>
> Can someone please describe PGP in short and distinguish it from PKI?
> I'll be really grateful.
>
> Is it just that PGP is:
>
> 1. Generate a key pair using PKI.
> 2. Publish your public key
> 3. Hold your private key
> 4. Encrypt first (use either symmetric or asymmetric encryption it
> doesn't matter. Prefer using symmetric for the most of it, use a high
> density key e.g 128-bit and for the sensitive part, use asymmetric
> encryption)
>
> 5. Encrypt the symmetric (or whichever you're using) key with your
> private key.
> 6. To avoid others having your public key to be able to decrypt it,
> encrypt again with the intended recipient's public key.
> 7. Finally, optionally, get your public key certificed by a digital
> certificate issuing authority.
>
>
> Please tell me if I am wrong.
>

Read my . This discusses
symmetric and asymmetric encryption and how PGP combines them. It also
discusses public vs private keys.

Followup set to comp.security.pgp.discuss.

--

David E. Ross


Concerned about someone (e.g., Pres. Bush) snooping
into your E-mail? Use PGP.
See my

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Water Cooler v2" writes:

>Can someone please describe PGP in short and distinguish it from PKI?

David Ross answered the first part. I'll comment on the different
from PKI.

The basic operations are similar - encryption and signing.

The major difference, in my opinion, has to do with the trust question
(when to trust a key, when to consider a key valid).

With PKI, trust is based on the decision of a certification agent (or CA).
The CA is self-appointed, and you are supposed to trust the CA if

your operating system vendor researches the CA and decides it is
worthy of trust

the CA bribes your operating system vendor, and persuades it to
consider the CA key trustworthy.

By contrast, certifcation of PGP keys is based on the web of trust. You
will trust a key if you have made your own decision to trust it, or if
the key is signed by another key that you have chosen to trust.

The PKI trust model is hierarchical, so works well in an organization.

The web of trust is based on human relation, networks of trustable
people, and works similar to the way we use notary publics to assess
validity of ink and paper signatures (except that forgery is harder
with digital signatures).

With PKI, a certificate has a single CA certification signature.
A PGP key, by contrast, can have multiple signatures.

My personal opinion - doubtless some will disagree - is that the PGP
web of trust better fits the internet as a whole, and the possibility
of multiple signature certificates on a key makes it more robust than
the PKI trust model.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (SunOS)

iD8DBQFEiQikvmGe70vHPUMRAhvSAJ9mntfA4STRJOfNYXgW8w ldGI3QwwCfdvMs
wQg/RwZFEY0nMnEsNEteQxQ=
=JZnz
-----END PGP SIGNATURE-----