Understanding Key Pairs
At the heart of PGP encryption is the concept of key pairs. Unlike traditional encryption that uses a single password or key, PGP uses a system of mathematically related keys that work together while serving different purposes.
Each PGP key pair consists of two parts:
Public Key
- Shared openly with others
- Used to encrypt messages to you
- Verifies your digital signatures
- Safe to distribute publicly
Private Key
- Kept strictly confidential
- Decrypts messages sent to you
- Creates your digital signatures
- Never shared with anyone
Think of your key pair as a mailbox with two keys. The public key is like the mail slot that anyone can use to put mail in, but only you with your private key (like the mailbox key) can open it to retrieve the contents.
Security Alert
Your private key is the foundation of your security.
If someone obtains your private key, they can:
- Read all messages encrypted to you
- Impersonate you by creating forged signatures
- Potentially decrypt previously captured encrypted messages
We'll cover secure private key management in later modules.
How Asymmetric Encryption Works
PGP uses asymmetric encryption (also called public-key cryptography). Unlike symmetric encryption where the same key is used for both encryption and decryption, asymmetric encryption uses different keys for these operations.
The One-Way Function
The security of public key cryptography relies on mathematical problems that are easy to perform in one direction but extremely difficult to reverse. The most common example is:
Multiplication vs. Factorization:
- It's easy to multiply two large prime numbers (p × q = n)
- It's extremely difficult to determine which prime factors were multiplied to produce a large number (find p and q when given only n)
This mathematical asymmetry creates a secure foundation for encryption. Your public and private keys are mathematically related through these one-way functions, but knowledge of the public key doesn't allow someone to derive your private key.
The Encryption Process Visualized
Here's how the encryption and decryption process works in practice:
Sending an Encrypted Message
- 1
Alice wants to send Bob a secure message
Alice composes her message: "Meeting at 3pm to discuss the project"
- 2
Alice obtains Bob's public key
She might get it from a key server, Bob's website, or directly from Bob
- 3
Alice's PGP software encrypts the message
The message is encrypted using Bob's public key, creating ciphertext that looks like random data
- 4
Alice sends the encrypted message
The encrypted message can be sent over any communication channel
- 5
Bob receives the encrypted message
It appears as scrambled text or an attachment in PGP format
- 6
Bob uses his private key to decrypt
Only Bob's private key can decrypt messages encrypted with his public key
- 7
Bob reads the original message
"Meeting at 3pm to discuss the project"
Important Security Note
Digital Signatures: Authentication and Integrity
In addition to encryption, public key infrastructure enables digital signatures, which provide two critical security properties:
- Authentication: Verification that a message truly came from the claimed sender
- Integrity: Assurance that the message hasn't been altered in transit
Digital signatures work in the opposite direction of encryption:
Encryption
Message is encrypted with recipient's public key
Message is decrypted with recipient's private key
Digital Signature
Message is signed with sender's private key
Signature is verified with sender's public key
The Signature Process
- Creating a signature: The sender's software creates a mathematical summary (hash) of the message and encrypts this hash with the sender's private key to create the signature.
- Attaching the signature: The signature is attached to the original message.
- Verifying the signature: The recipient's software decrypts the signature using the sender's public key and compares the hash with a newly calculated hash of the received message.
- Confirmation: If the hashes match, the message is verified as authentic and unaltered.
Tip
PGP lets you both encrypt and sign messages. This provides:
- Confidentiality (only the recipient can read it)
- Authentication (recipient knows it came from you)
- Integrity (recipient knows it wasn't altered)
Always try to both encrypt and sign important communications.
Key Servers and the Web of Trust
For public key encryption to work, users need a reliable way to obtain authentic public keys. There are two main systems used in the PGP ecosystem:
Key Servers
Key servers are repositories where users can publish and retrieve public keys. They function like directories, allowing you to search for keys by email address, name, or key ID.
Common public key servers include:
- keys.openpgp.org
- pgp.mit.edu
- keyserver.ubuntu.com
# Search for keys associated with an email address
gpg --keyserver keys.openpgp.org --search-keys [email protected]
# Or directly import a key if you know the key ID
gpg --keyserver keys.openpgp.org --recv-keys 0x1A2B3C4D5E6F7G8H
However, key servers have a significant limitation: they typically don't verify the identity of the person uploading a key. This creates a vulnerability where an attacker could upload a fraudulent key in someone else's name.
The Web of Trust
To address the authentication problem, PGP uses a decentralized trust model called the "Web of Trust."
The Web of Trust works through key signing:
- Users verify each other's identities in person (by checking ID)
- They sign each other's public keys to certify their authenticity
- These signatures are visible to other users of the keys
- Over time, a network of trusted relationships develops
If you trust Alice, and Alice has signed Bob's key, you might decide to trust Bob's key even if you've never met Bob personally.
Note
The Web of Trust is a powerful idea but has practical limitations:
- It requires in-person key verification for optimal security
- It works best in communities where many members interact face-to-face
- It can be challenging to build trust paths to new contacts
Many users now rely on alternative trust mechanisms like publishing key fingerprints on verified websites or social media accounts.
Anatomy of a PGP Key
A PGP key contains several important components:
- User ID: Contains the key owner's name and email address
- Key ID: A short identifier (usually the last 8 or 16 hexadecimal digits of the fingerprint)
- Fingerprint: A unique 40-character hexadecimal number that identifies the key
- Creation date: When the key was generated
- Expiration date: When the key will no longer be valid (if set)
- Signatures: Certifications from other PGP users who have verified this key
- Subkeys: Additional keys for specific functions (encryption, signing, authentication)
You'll become familiar with these components as you begin working with your own keys.
Conclusion
Public Key Infrastructure forms the foundation of PGP encryption. By understanding the concepts of key pairs, asymmetric encryption, and digital signatures, you now have the knowledge needed to start using PGP effectively.
In our next module, we'll walk through the practical process of creating your own PGP key pair and setting up the necessary tools to start using encryption in your communications.
Key Takeaways
- PGP uses key pairs: a public key that others use to encrypt messages to you, and a private key that only you use to decrypt those messages
- Asymmetric encryption relies on mathematical problems that are easy in one direction but extremely difficult to reverse
- Digital signatures provide authentication and integrity, verifying who sent a message and that it hasn't been altered
- Key servers and the Web of Trust help users find and verify authentic public keys
- Proper protection of your private key is essential to maintaining security