How Pretty Good Privacy (PGP) works
PGP and GPG
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. It was created by Phil Zimmermann in 1991.
Pretty Good Privacy (PGP) has since been defined as a standard called OpenPGP. It's outlined in RFC4880.
Requests For Comment at the
GNU Privacy Guard (GPG) also GnuPG. GPG is an implementation of OpenPGP and can be found on Linux, OS X and Windows.
With PGP and GPG often they're used interchangeably. Don't be too concerned if you get them mixed up. When referring to PGP or GPG keys, everyone (including you now) knows you mean a public/private keypair.
Yes the names are confusing and probably counterproductive.
PGP uses both asymmetric encryption and symmetric encryption. When encrypting a file (or message), the file is encrypted with a symmetric key, and the symmetric key is encrypted with asymmetric encryption.
Here's a diagram of how that works.
Let break this down into the two main parts and explain how they work.
Alice has a wants to encrypt a file. She puts it in a box with a lock. The
key to the lock is
secret. She keeps a copy of this
key to unlock the box later.
Alice now wants the file she encrypted. She unlocks (decrypts) the box with her
Pretty simple, one
key both encrypts and decrypts our box. Or to put it another way both the lock and key are
Benefits and Threats
Symmetric encryption has it's benefits, but it also has threats that prevent it usage in all cases.
Symmetric encryption is fast, much faster than asymmetric encryption.
If Alice decides to send a box locked with the key
secret to Bob, she also needs to tell Bob the key. It's possible to use a different channel to send the key. In all cases the key has a high risk of exfiltration (theft), rendering the encryption useless.
Symmetric encryption by itself is dangerous, in that it's risky. But when paired with asymmetric encryption, we can use the benefits of both. This is what PGP does.
Asymmetric Encryption / Key Pairs
Asymmetric encryption is different in that you need one
key to encrypt and a different
key to decrypt. The way this works is by using a mathematical function that is easy in one direction and hard in the other.
We'll go into detail in the next chapter.
Threats to PGP
You should be aware of of Shor's Algorithm. It desrcibes a method that will break public key encryption very quickly. Effectively making the hard problem (decryption) and easy as the easy problem (encryption).
Naturally the NSA (and presumably other TLA are working on being able to do this. If this does become possible we will likely hear about it 5-10 years after it's discovered. If we're lucky we'll find out quickly.
The NSA also reportedly records every PGP message they see, in the hope they can decrypt them later. Is they can solve Shor's Algorithm then they will be able to do this.