PGP basics - PGP


  1. PGP basics

    I've read two or three documents/articles on cryptography (one Phil
    Zimmermann's, one FAQ of one of the newsgroups and another handbook, and
    also a relevant chapter from a book on Expert One-On-One .NET called
    Advanced .NET Programming) and either it is that they all present a
    different view of PGP or it may be that I am simply confused between
    Public Key Encryption (PKI) and PGP.

    Can someone please describe PGP in short and distinguish it from PKI?
    I'll be really grateful.

    Is it just that PGP is:

    1. Generate a key pair using PKI.
    2. Publish your public key
    3. Hold your private key
    4. Encrypt first (use either symmetric or asymmetric encryption, it
    doesn't matter. Prefer using symmetric for most of it, use a high
    density key e.g. 128-bit and for the sensitive part, use asymmetric
    encryption)

    5. Encrypt the symmetric (or whichever you're using) key with your
    private key.
    6. To avoid others having your public key to be able to decrypt it,
    encrypt again with the intended recipient's public key.
    7. Finally, optionally, get your public key certified by a digital
    certificate issuing authority.


    Please tell me if I am wrong.


  2. Re: PGP basics


    Water Cooler v2 wrote:
    > I've read two or three documents/articles on cryptography (one Phil
    > Zimmermann's, one FAQ of one of the newsgroups and another handbook, and
    > also a relevant chapter from a book on Expert One-On-One .NET called
    > Advanced .NET Programming) and either it is that they all present a
    > different view of PGP or it may be that I am simply confused between
    > Public Key Encryption (PKI) and PGP.
    >
    > Can someone please describe PGP in short and distinguish it from PKI?
    > I'll be really grateful.


    You've fallen victim to Buzzword Bingo.

    PKI is not a technique nor an algorithm. It's just fancy language for
    "cryptosystems based on public key algorithms", sometimes in a hierarchy
    but not always.

    > Is it just that PGP is:
    >
    > 1. Generate a key pair using PKI.


    No. They generate a key pair using a Public Key Algorithm (RSA,
    Diffie-Hellman, possibly ECC in the future)

    > 2. Publish your public key
    > 3. Hold your private key


    This is the "PKI" part. A system of distribution and retrieval of
    public keys.

    > 4. Encrypt first (use either symmetric or asymmetric encryption, it
    > doesn't matter. Prefer using symmetric for most of it, use a high
    > density key e.g. 128-bit and for the sensitive part, use asymmetric
    > encryption)


    Messages are ALWAYS encrypted with a symmetric key. It's how the
    symmetric key gets to you that changes. If you use a public key then
    the symmetric key is encrypted with a public key algorithm. If you use
    a password (conventional mode) it's encrypted based on the password (I
    don't know exactly how because I haven't read the RFC in a long while).

    > 5. Encrypt the symmetric (or whichever you're using) key with your
    > private key.


    You'd only encrypt with a password or public key, you can encrypt to
    yourself but you'd still be using your public key.

    > 6. To avoid others having your public key to be able to decrypt it,
    > encrypt again with the intended recipient's public key.


    ??? You want to give out your public key.

    > 7. Finally, optionally, get your public key certified by a digital
    > certificate issuing authority.


    Yeah, though I question what that actually "means".

    Tom


  3. Re: PGP basics

    Water Cooler v2 wrote:
    > I've read two or three documents/articles on cryptography (one Phil
    > Zimmermann's, one FAQ of one of the newsgroups and another handbook, and
    > also a relevant chapter from a book on Expert One-On-One .NET called
    > Advanced .NET Programming) and either it is that they all present a
    > different view of PGP or it may be that I am simply confused between
    > Public Key Encryption (PKI) and PGP.
    >
    > Can someone please describe PGP in short and distinguish it from PKI?
    > I'll be really grateful.
    >
    > Is it just that PGP is:
    >
    > 1. Generate a key pair using PKI.
    > 2. Publish your public key
    > 3. Hold your private key
    > 4. Encrypt first (use either symmetric or asymmetric encryption, it
    > doesn't matter. Prefer using symmetric for most of it, use a high
    > density key e.g. 128-bit and for the sensitive part, use asymmetric
    > encryption)
    >
    > 5. Encrypt the symmetric (or whichever you're using) key with your
    > private key.
    > 6. To avoid others having your public key to be able to decrypt it,
    > encrypt again with the intended recipient's public key.
    > 7. Finally, optionally, get your public key certified by a digital
    > certificate issuing authority.
    >
    >
    > Please tell me if I am wrong.
    >


    Read my . This discusses
    symmetric and asymmetric encryption and how PGP combines them. It also
    discusses public vs private keys.

    Followup set to comp.security.pgp.discuss.

    --

    David E. Ross


    Concerned about someone (e.g., Pres. Bush) snooping
    into your E-mail? Use PGP.
    See my

  4. Re: PGP basics

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    "Water Cooler v2" writes:

    >Can someone please describe PGP in short and distinguish it from PKI?


    David Ross answered the first part. I'll comment on the difference
    from PKI.

    The basic operations are similar - encryption and signing.

    The major difference, in my opinion, has to do with the trust question
    (when to trust a key, when to consider a key valid).

    With PKI, trust is based on the decision of a certification agent (or CA).
    The CA is self-appointed, and you are supposed to trust the CA if

      - your operating system vendor researches the CA and decides it is
        worthy of trust, or

      - the CA bribes your operating system vendor, and persuades it to
        consider the CA key trustworthy.

    By contrast, certification of PGP keys is based on the web of trust. You
    will trust a key if you have made your own decision to trust it, or if
    the key is signed by another key that you have chosen to trust.

    The PKI trust model is hierarchical, so works well in an organization.

    The web of trust is based on human relations, networks of trustable
    people, and works similarly to the way we use notaries public to assess
    the validity of ink and paper signatures (except that forgery is harder
    with digital signatures).

    With PKI, a certificate has a single CA certification signature.
    A PGP key, by contrast, can have multiple signatures.

    My personal opinion - doubtless some will disagree - is that the PGP
    web of trust better fits the internet as a whole, and the possibility
    of multiple signature certificates on a key makes it more robust than
    the PKI trust model.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.3 (SunOS)

    iD8DBQFEiQikvmGe70vHPUMRAhvSAJ9mntfA4STRJOfNYXgW8w ldGI3QwwCfdvMs
    wQg/RwZFEY0nMnEsNEteQxQ=
    =JZnz
    -----END PGP SIGNATURE-----
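The two trust models the reply contrasts, as an added example that is not part of the post: the web-of-trust rules are modelled on GnuPG's defaults, while the keyring, the people in it and the pkiValid helper are constructed for illustration and stand for no real keys or CAs.

```javascript
// Rules modelled on GnuPG's defaults (--completes-needed 1, --marginals-needed 3,
// --max-cert-depth 5): one fully trusted signer or three marginal ones validate a key.
const RULES = { completesNeeded: 1, marginalsNeeded: 3, maxDepth: 5 };

// keyring: { keyId: { sigs: [signerKeyId, ...] } } (the signatures ON each key);
// ownerTrust: { keyId: 'full' | 'marginal' } (YOUR decision about each signer);
// own: keys you hold yourself, valid by definition. A signature only counts once the
// signer's own key is valid, so validity spreads hop by hop outward from your key.
function computeValidity(keyring, ownerTrust, own) {
  const valid = new Set(own);
  for (let hop = 0; hop < RULES.maxDepth; hop++) {
    let changed = false;
    for (const [keyId, key] of Object.entries(keyring)) {
      if (valid.has(keyId)) continue;
      let full = 0, marginal = 0;
      for (const signer of new Set(key.sigs)) {   // one vote per distinct signer
        if (!valid.has(signer)) continue;         // unvalidated signers do not vote
        const t = own.includes(signer) ? 'full' : ownerTrust[signer];
        if (t === 'full') full++; else if (t === 'marginal') marginal++;
      }
      if (full >= RULES.completesNeeded || marginal >= RULES.marginalsNeeded) {
        valid.add(keyId); changed = true;
      }
    }
    if (!changed) break;                          // no new keys this hop: done
  }
  return valid;
}

// PKI for contrast: one issuer signature per certificate, valid only if following
// issuers reaches a root that your vendor shipped as trusted (no second opinion).
function pkiValid(certs, subject, trustedRoots) {
  for (let hop = 0; hop < RULES.maxDepth && subject in certs; hop++) {
    if (trustedRoots.includes(certs[subject].issuer)) return true;
    subject = certs[subject].issuer;
  }
  return false;
}

// Constructed sample keyring (not real keys); alice is "me".
const keyring = {
  alice: { sigs: [] },
  bob: { sigs: ['alice'] },                    // I signed Bob's key myself
  carol: { sigs: ['bob'] },                    // Bob, fully trusted, vouches for Carol
  dave: { sigs: ['carol'] },                   // one marginal signer is not enough
  erin: { sigs: ['carol', 'frank', 'grace'] }, // three marginal signers: valid
  frank: { sigs: ['alice'] },
  grace: { sigs: ['bob'] },
  mallory: { sigs: ['mallory', 'zed'] },       // self-signature and a stranger: invalid
};
const ownerTrust = { bob: 'full', carol: 'marginal', frank: 'marginal', grace: 'marginal' };
```

Note that a key becomes valid through signatures, but never gains trust by itself: carol is valid because bob vouched for her, yet her own signatures only count once you assign her a trust level.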

