Cryptographic Services

In symmetric encryption, the same key is used to encrypt and decrypt. Symmetric algorithms are fast, but the distribution of the key can be cumbersome since it must be kept a secret. In asymmetric encryption, the public key and the private key form a key pair. The private key must be kept a secret but the public key can be distributed to anyone. Data encrypted by the public key can only be decrypted by the owner of the private key. Data encrypted by the private key can be decrypted by anyone since anyone can have the public key, but doing so authenticates its origin.

PGP encrypts using a symmetric algorithm with a new encryption key for each message. This session key is itself encrypted and sent together with the message.

With passphrase encryption, the session key is encrypted with a passphrase. The passphrase is simply a long password. Since the passphrase is known by the sender and the recipient, they can both decrypt the session key which is then used to decrypt the actual message. The difficulty with this approach is to distribute the passphrase to the recipient with some out of band mechanism and still keep it a secret.

With key pair encryption, the session key is encrypted with a public key. This eliminates the need for a shared secret because the public key can be known by anyone. The recipient uses the private key to decrypt the session key which is then used to decrypt the actual message. Since the private key is a secret known only by the recipient, only the recipient can decrypt the message.

PGP can sign messages using digital signatures. A signature confirms the identity of the sender and it confirms the message has not been altered during transmission. A digital signature is created as follows:

  1. The message is reduced to a small block of data using a one-way hash function.
  2. The hash is encrypted with the private key of the signer.
  3. This signature is sent together with the original message.

The recipient can validate the signature with the following procedure:

  1. The signature is decrypted using the public key of the signer to obtain the hash.
  2. The hash is saved momentarily and recomputed from scratch over the original message.
  3. The two hash values are compared.
  4. If the values are equal, the signature is validated. Otherwise, the message was altered and the signature is invalid.

PGP almost always compresses the message to reduce its size. This has the advantage of reducing the redundancy within the message and therefore makes the encryption more effective.

PGP performs the operations in this order: the clear text message is signed first, the result is compressed and finally it is encrypted. It is possible to skip any of these steps.

The result of processing a clear message with PGP is a binary message. PGP offers another form called armoring, which produces an ASCII message similar to Base64. This is not cryptographically more secure, but may protect against inadvertent modifications of the message during transport through some media, such as email.