Introduction to PGP
Last updated: 2017-03-07
OpenPGP uses public key cryptography to provide features such as digital signatures and message encryption. The standard doesn’t rely on any single certificate authority. Instead, its users build a web of trust among themselves.
OpenPGPcommonly used standard defined in RFC4880
PGP(Pretty Good Privacy) as originally invented by Phil Zimmermann
GPG(GNU Privacy Guard) an implementation of OpenPGP standard
Why Use PGP
It is a trivial task to forge e-mail headers, which include the sender’s address. Anyone can send an e-mail that seemingly comes from you. When you sign an e-mail with PGP, the e-mail becomes temper-proof, authentic and indesputable.
Source code signatures
In open-source communities, it is a common practice to sign the software’s source code or packages. Once signed, anyone can verify the source code wasn’t tempered with since it has been signed by the developers or packagers.
When you need to transmit sensitive data (access codes, passwords, confidental documents, …) to another person over the internet, you can use PGP to encrypt the message for one particular recipient.
Symmetric key encryption (like AES) is usually used to encrypt files, because it demands less hardware resources. However, PGP can also be used to encrypt files.
How it works
PGP relies on public key cryptography – you need a keypair, a public and private key. The public key is meant to be distributed to others through keyservers or other means. The private key should be kept secure and only used by its owner. Protecting the private key is crucial, since anyone who has the private key can impersonate you.
Keyservers, such as pgp.mit.edu, make it easier to handle public keys. Major keyserver usually synchronize with each other.
Anyone can upload a public key to the keyserver. Also, anyone can issue a keypair with a chosen identity. Since there is no central authority, it is up to every user to decide which key to trust.
Who to trust
There are many reasons why you decide to trust a key and they depend on your particular use case.
- Personally verifying someone’s identity and their key
- Getting the key from a project’s / developer’s website
- Relying on the web of trust
- Trust the key on first use
If you decide to trust another key and verify that it belongs to the owner, you can certify the key with your signature. Afterwards, you can publish this signature to contribute to the web of trust.
Web of trust
As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.
Phil Zimmermann, according to Wikipedia