
A non-technical explanation of Pretty Good Privacy

Pretty Good Privacy (PGP) is a standard for encryption with multiple conforming implementations, notably the freely licenced GnuPG. This article leaves the details of configuring and using it aside and concentrates on how it works in principle. As with all questions of safety and security, the human brain is the most important piece of equipment, and no automatism can replace it. This brief guide is therefore best read before consulting other sources for the technical details.

Public-key encryption

PGP is an example of a public-key encryption system. This is nothing particularly complicated. It means that each communication partner has a pair of keys: a public key suitable for encrypting messages to her, and a private key for decrypting them. A simple analogue in the physical world is a letterbox: anyone can post a letter into the box, but only the recipient can open the box and take the letters out.

Public keys can be distributed without restriction without compromising security in any way. For PGP, they are often uploaded to public key servers such as the MIT key server. Different key servers copy public keys freely between them. Other methods of distribution are putting public keys on a web or FTP server.

The importance of the key fingerprint

Of course, secure communication requires you to be sure that a public key belongs to the person you think it does. The e-mail address that comes with the key is an indication only: anyone can generate a key pair for any e-mail address and upload it to a key server. This is of little use to them unless they can also intercept e-mail to that address, but you still should not rely blindly on the e-mail address attached to a public key.

This is where the key fingerprint comes in. This is a piece of data much smaller than the key. It can be computed from the key, but it is vanishingly unlikely that two different keys have the same fingerprint and practically impossible to create a key that has a given fingerprint. The upshot of this is that you can be sure a key is legitimate after comparing its fingerprint to what it should be. This assumes that you have received the reference fingerprint via a different communication channel than the key itself (otherwise the same person that provides you with a fake key could also provide a matching fingerprint). But a fingerprint is small enough to be written on a piece of paper or dictated by phone.

Which kind of communication is acceptable for verifying fingerprints depends on your security requirements. Consider what an attacker would have to do in order to fool you with a fake public key and fingerprint, and decide if that risk is acceptable for you. If you do not compare the fingerprint, or if you receive the reference fingerprint via the same channel as the key, both could be faked the same way. If your communication partner gives you the fingerprint personally on a piece of paper, you can be pretty sure it is the right one. Most other transmission methods fall somewhere in between.
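The comparison described above, as an added example that is not part of the original article: for the version 4 key format, the fingerprint is a SHA-1 hash over the public-key packet (RFC 4880, section 12.2). The two toy keys, the helper names and the timestamp are constructed for illustration.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the body itself."""
    if not body or body[0] != 4 or len(body) > 0xFFFF:
        raise ValueError("expected a version 4 public-key packet body")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(reference: str) -> str:
    """Strip the spacing people add when writing a fingerprint down; demand all 40 hex digits."""
    cleaned = "".join(reference.split()).replace(":", "").upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("need the full 40-digit fingerprint, not a shortened key ID")
    return cleaned


def matches_reference(body: bytes, reference: str) -> bool:
    """True only if the key's computed fingerprint equals the out-of-band reference."""
    return v4_fingerprint(body) == normalize(reference)


def grouped(fp: str) -> str:
    """Format a fingerprint in groups of four, as it is usually printed or read aloud."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


# Constructed toy keys (tiny moduli, useless for real encryption).
GENUINE = rsa_key_body(1700000000, 3233, 17)
IMPOSTOR = rsa_key_body(1700000000, 3127, 17)  # different key, same claimed owner

if __name__ == "__main__":
    on_paper = grouped(v4_fingerprint(GENUINE)).lower()  # what the owner handed over
    print("reference:", on_paper)
    print("genuine key matches: ", matches_reference(GENUINE, on_paper))
    print("impostor key matches:", matches_reference(IMPOSTOR, on_paper))
```

The check refuses anything shorter than the full fingerprint, because a match on only the last few digits is far easier to forge than a match on all of them.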

Signing

When a message is important enough to warrant encryption, you often also want to be sure that it comes from the person it claims to come from. As said above, anyone can encrypt a message to you if your public key is widely available. Therefore encrypted messages are often also signed by the sender. The same key pair that would be used to encrypt and decrypt a return message is used for signing. The difference is that signing is done with the private key, and the signature can be verified with the public key. So only the sender himself can sign a message, but anyone can check the signature.

Key signing — conferring trust

Your communication partner may be a person living far away that you have never met, and there may be no readily usable way of confirming their key fingerprint with them. Key signing was devised to allow you to verify a key in those circumstances, or just for additional security in any circumstance.

By signing someone else's (public) key, a person states that she has verified that the key in question does indeed belong to that person (or e-mail address). This does not in itself say all that much about the latter public key. But it means something if the following two conditions are met:

  1. You know that the public key of the signer belongs to that person, and
  2. you know that the signer is conscientious in checking others' identities before signing a key.

Point 1 means that the signer is who she claims to be. Point 2 implies that you can rely on her judgement expressed by signing the other person's key. To be sure of (1), you have to already have verified the signer's key fingerprint in some way. To be reasonably sure of (2), as far as that is possible at all, you have to know her personally or at least by reputation. As always, there is no absolute security, and you have to decide what risk you are prepared to accept.

Key signing is not something that proves something in and of itself, but it is an indirection: It says something if you know something about the person doing the signing. Among your communication partners, several may have signed each other's keys. This is the "web of trust" in which keys are legitimised through the two points above and about which there are more technical details on other web pages.
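The two conditions, applied over a small set of key signatures, as an added example that is not part of the original article. It is a simplified model, not GnuPG's actual trust calculation, and it goes one step beyond the text by letting a key accepted through a signature vouch for further keys when its owner is also judged conscientious. All names and signatures are constructed.

```python
from collections import deque


def legitimised(verified, conscientious, signatures):
    """Map each acceptable key owner to the chain of signers that vouches for it.

    verified      -- owners whose fingerprint you checked yourself (basis for condition 1)
    conscientious -- owners whose care in checking identities you rely on (condition 2)
    signatures    -- (signer, signed) pairs: signer has signed the key of signed
    """
    chains = {owner: [owner] for owner in verified}
    queue = deque(sorted(verified))
    while queue:
        signer = queue.popleft()
        if signer not in conscientious:
            continue  # condition 2 fails: this person's signatures tell you nothing
        for s, signed in sorted(signatures):
            if s == signer and signed not in chains:
                chains[signed] = chains[signer] + [signed]
                queue.append(signed)  # condition 1 now holds for this key as well
    return chains


# Constructed example data.
VERIFIED = {"alice"}                      # fingerprint compared in person
CONSCIENTIOUS = {"alice", "carol"}        # known to check identities carefully
SIGNATURES = {
    ("alice", "bob"), ("alice", "carol"),
    ("bob", "dave"),                      # bob's key is fine, but his judgement is unknown
    ("carol", "erin"),
    ("mallory", "frank"),                 # mallory's own key was never verified
}

if __name__ == "__main__":
    for owner, chain in sorted(legitimised(VERIFIED, CONSCIENTIOUS, SIGNATURES).items()):
        print(f"{owner}: accepted via {' -> '.join(chain)}")
```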

PGP versus S/MIME

Next to PGP, another public-key system is in wide use: S/MIME. It is common in corporate environments and encrypted web traffic. The main conceptual difference is how keys are legitimised. In S/MIME, keys are signed hierarchically and legitimised ultimately by a few central certification authorities. Those authorities are trusted implicitly. This fits the human tendency to believe and obey the powerful uncritically, while PGP requires the same independent thought that functioning democracy and market economics would.

