GPG/PGP info
Last edited by KogAdmin: more info on RSA, Sat, 03 Dec 2005 20:32 PST
My GPG key
link -- Sorry, Wikka doesn't seem to like me posting my key heh.
What are GPG and PGP?
Please note this is FAR from a comprehensive explanation, or even a history; there is plenty of text elsewhere covering such matters.
PGP is a scheme for encrypted communications brought about by Phil Zimmermann, involving a rather complex and somewhat politically motivated story. There are plenty of histories on why exactly Zimmermann did what he did, but the point is that he wanted to use the RSA algorithm to provide a more secure method of communication.
PGP uses what is called an asymmetric system, otherwise known as a public key infrastructure. Each person has two "keys" - a public key and a private key. You hand out your public key to anyone you want, while keeping your private key (obviously) private and well protected. When someone wants to send you something encrypted, they encrypt it to your PUBLIC key. When you want to read the message, you decrypt it using your PRIVATE key. In this way we get communication that is generally more secure, and we don't need to worry about propagation of the "seed" for symmetric crypto. Keys can also be used as identification credentials, and there are various methods of secure exchange.
What's so cool about RSA? The entire point of a public key infrastructure is that you can share information over a potentially hostile environment without defeating the security of your cryptosystem. With a symmetric cipher you need to exchange certain precomputed values (salt, initialization vector, password, etc.) which are sent over potentially hostile communication lines (as in, someone could be sniffing them). Someone gets your IV, you're borked.
RSA, on the other hand, allows for the exchange of the public key, information that cannot be used to reverse engineer the private key in any way, while still providing something for the algorithm to encrypt to. So in a potentially hostile environment this is a good way of encrypting. The reason the private key cannot be derived from the public key has to do with the nature of RSA itself: a public key is little more than a modulus (both the public and private keys contain this) and an exponent. Each user has a public and a private exponent, both relatively large numbers. Without the private exponent, you can't decrypt what's encrypted to the public exponent.
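The structure just described (one modulus shared by both keys, a separate exponent in each, decryption only with the private exponent), as an added example that is not part of the original page. It is textbook RSA with deliberately tiny, constructed primes so the numbers can be followed by hand; real keys use primes of hundreds of digits and padding.

```python
# Added example (not from the original page): a toy RSA round-trip with tiny,
# constructed primes to show the structure described in the text. Real keys
# use primes of hundreds of digits; this is textbook RSA with no padding,
# to illustrate the math only.
from math import gcd


def generate_keypair(p, q, e=17):
    """Return ((n, e), (n, d)): both keys carry the modulus n, each its own exponent."""
    assert p != q, "p and q must be distinct primes"
    n = p * q                    # modulus, present in BOTH keys
    phi = (p - 1) * (q - 1)      # Euler's totient of n
    assert gcd(e, phi) == 1, "public exponent must be coprime to phi(n)"
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Encrypt the integer m (0 <= m < n) 'to' the recipient's public key."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c):
    """Recover m; only the holder of the private exponent d can do this."""
    n, d = private_key
    return pow(c, d, n)


def demo(message=65, p=61, q=53):
    public, private = generate_keypair(p, q)
    ciphertext = encrypt(public, message)
    # An eavesdropper holds only the public exponent; applying it to the
    # ciphertext does not give the plaintext back.
    wrong = pow(ciphertext, public[1], public[0])
    return {
        "public": public,
        "private": private,
        "ciphertext": ciphertext,
        "recovered": decrypt(private, ciphertext),
        "wrong_exponent_result": wrong,
    }


if __name__ == "__main__":
    print(demo())
```

With p=61 and q=53 the shared modulus is 3233, the private exponent is 2753, and the message 65 encrypts to 2790 and decrypts back to 65.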
It's definitely vulnerable to a man-in-the-middle attack, and people usually rely on "fingerprints" or message digests (such as MD5) to verify that the key belongs to who they claim to be. GPG has a way of rating a chain of trust - that is, I checked x much to figure out that Phil Zimmermann's key is, in fact, his own key, and I trust anything this guy has signed because he's a smart and paranoid guy (note: I don't know Zimmermann, that was a hypothetical situation ;). There are also central key servers.
The cool thing about keyservers is that you can go look up a GPG key based on email address, real name etc. GPG keys can also contain photos (depending on the implementation), which can be even more useful.
Law
I'm admittedly ill versed in US cryptography laws. I know there are some that prohibit the exportation of applications that can do "strong" cryptography (RSA is definitely included here). I know there are builds of GPG/PGP that are available internationally (see http://www.pgpi.org for details), and that you can correspond using crypto with foreign nationals. I think I wrote this section mainly as a word of caution - PLEASE read up on the laws, crypto is not something that the US intelligence communities take lightly, even if you do.
PGP vs GPG
There's a lot of confusion regarding which version of what to get. PGP, as best I can tell, is a commercial application developed by Zimmermann's old company "PGP Corporation." There are free versions (MIT, PGPI) and alternate versions (GPG).
Misc Links
- PGP itself is a commercial application with restrictions on the free version (as well as export).
- Freeware PGP builds
- MIT PGP build - MIT no longer supports building PGP
- GNU Privacy Guard (GPG) - an open source implementation of PGP; keys are interchangeable (they are, after all, both RSA)
Commercial PGP itself has a nice suite of tools for management/usage of keys, and is highly user friendly. There are some limits to what you can do with a free copy, and the functionality CAN be duplicated without buying PGP, but they sure do look like a nice set of tools. Highly GUI-friendly.
GPG is the GNU's usual foray into making a free (beer/liberty) version of what's otherwise a closed source enterprise. GPG itself is widely supported and has many wrappers (IMs, emails, disk encryption etc). You can get anything you want, but you need to track it down yourself. I use GPG because it's free and because I can run it across all my systems. As a special note to Windows users, there's a lovely utility called Windows Privacy Tools which wraps GPG in a more friendly environment.
Both GPG and PGP use the same RSA keys, so they are interchangeable. PGP Corporation products may make use of different exchange algorithms (DH?) and may use some proprietary implementations. Otherwise I will refer to PGP and GPG collectively as GPG from now on, unless there is a notable difference in behavior.
Using GPG
With GPG there are a whole range of things you can encrypt - IM, email, files/volumes... Basically anything encryptable. It comes down to how exactly you want the infrastructure to work (exchange of keys, selection of public key, encryption, decryption etc). GPG is really popular with email, and you can find various plugins for your build (PGP proper comes with a set of tools, whereas GPG requires plugins for your mail client) and is gaining some popularity with IM.
(add stuff about looking up keys from centralized servers, PT integration etc)
CategorySecurity