Introduction to OpenPGP Cryptography

Note: the text that follows is the first chapter of the Portuguese Cryptography Manual, it had to be cut according to the number of pages available for this small but great manual. This chapter is an introduction (very good by the looks of it) to Cryptography and provides a familiarization with the terms used as well as an explanation of the principal concepts which are behind its workings. The complete Manual has four other chapters:

• Installing cryptography programs
• Using cryptography programs
• Cryptography and the Internet: email, secure connection and protection of software
• Protecting your set of keys: encrypting your hard drive

These chapters are explained in minute detail and can be found at GnuPGpt.

Enjoy!

Introduction and concepts of cryptography

What is cryptography?

Cryptography is a method for coding messages in such a way as to guarantee that only the person who has the correct code can read them. What is cryptography for? To summarize, it is used to:

• Protect information
• Maintain people’s privacy
• Guarantee the authenticity of information (digital signatures)

Protecting information means that you can choose who accesses your information. Maintaining people's privacy means that people who are not authorized to access your information cannot decipher it. Guaranteeing the authenticity of information avoids people saying things that you didn’t say in your name.

How does it work?

The cryptography that we will look at here is based on a principle of the difficulty involved in carrying out reversible operations. For example, it is very easy to work out what is the sum of two prime numbers which are only divisible by 1 and by themselves, like 7, 11, and 23. But it is really much more difficult to work out, given any number, which the prime numbers are which I need to multiply to get this number. In other words, these mathematical operations with prime numbers are reversible – if I know what the prime numbers are I know the sum of them and if I know what the number is I can work out what their prime factors are and it is more difficult in one direction than in the other.

The difficulty in working out the prime factors of a number increases exponentially with the size of the number. Exponentially means an awful lot. And this is the basis of cryptography.

Imagine a lock with two keys. One only locks the lock and the other only unlocks it. This is more or less how GPG works. You will create two keys, one public and one private. The public key is the one that “locks” (encrypts) and the private key is the one that “unlocks” (deciphers) after you provide your password phrase. People who want to send encrypted documents to you must have your public key and ONLY YOU must have your private key and know your password phrase. In the same way, if you want to send an encoded message to someone you need to have the public key for it.

The cryptography scheme based on the pair of keys works like this:

original message -> public key -> encoded message
encoded message -> private key -> original message

These operations are reversible, that is, it is possible to have, for example:

encoded message -> public key -> original message

which in other words means the “cracking” of the encoded message and consequently the invasion of your privacy, since someone can intercept the encoded message and together with its public key determine what the original message was. But relax, don’t worry! Despite this being perfectly possible, we must remember that these operations are reversible but they are also easier to do one way than the other, that is, it is much easier to do:

original message -> public key -> encoded message

than

encoded message -> public key -> original message.

So that you have an idea, the first operation usually takes several seconds, depending on the size of the message and the size of the key. But the second one typically takes thousands of years (literally) and needs a huge amount of computer power, of thousands of computers or supercomputers working together. This difficulty in reversing the operation is what makes the use of cryptography possible as a tool for personal privacy, since in practice it is unviable to crack encrypted messages.

The operation

encoded message -> private key -> original message

also takes only a few seconds.

In summary: the cryptography dealt with in this short manual is based on pairs of keys, a public key and a private key. You exchange your public key with other people and keep your private key a secret. If you want to send an encoded message to someone, you just need to use that person’s public key to create a message which only he or she will be able to read. In the same way, if someone wants to send you an encoded message, that person just needs your public key and only you will be able to read the message, for which you will need to use your private key. It is very important that you have this principle clear in your mind before we go any further.

The collection of your public key(s) and private key(s) and other people’s public key(s) which you have is known as your key ring.

Example of a public key

A public key is a sequence of codes, and can be presented as a simple text file. This file will contain a whole lot of crazy characters. Have a look:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBD6cuEoRBACQ6QKhCjN2qKHmOeeOdW9wOnnnd9V0eLREreSmMsRD6kSdXnrG
LQGrXMCBjelwOKB/vh2mcKn646PmSaq4sC+bLSOMAhME/IaDyDWZNWXo37yYlhDu
VD5wZGZNGMwov/bPDvjNjJTSXlo4/glbUNyVU2n9kiFYoDoSGjg1jQcYLwCgyeOJ
tHFSoelA62s+YmypI3KAzkcD/1S7Fim4p5X6HA/mUkFtuExDggba+OKmsmYNfPZ/
Q0sPAK85Or0zKAbGXAKUqezCuKCZ6FaesbIU5hTcQb2zKmzg1hzmtsWCTrxuj2X8
c//yRjDzFjT8KKCYKZWBGQTapGhvlHHq8ZsLlYZRzYyYtZ13a809FWk8G0Aq5/FA
be3KA/4nK+XAZUwXqXzu+xKINMu98zi9QWnVfBA5G132uCyrwOTBG1BV3803QFxG
XdBrEnGlz/RU9xjkVnEBWyqriO+lGDXuEZ6pWyx70UJ1S2qPDYKxoLTB68ZWAfKU
xYP8JYBC06hk6Ztq7FjkQGHxKMYQ9HCC3l9octyNsux+b/5Q+rQhU2lsdmlvIFJo
YXR0byA8cmhhdHRvQHJpc2V1cC5uZXQ+iFcEExECABcFAj6cuEoFCwcKAwQDFQMC
AxYCAQIXgAAKCRDA5viFRw5zwno5AKCGTBDCw9dalpr+SG7MQx00u1iehwCeKuGC
1FljdhHcu2CQX/JZoWLB/Qi5AQ0EPpy4TRAEAKmsLjxI2k/ITXu2kZJ7+SQPftb9
yRs8FxOsnmytkUwO8HaryPfuoMU51xG8XYL4blGL6u2J67KJOO4R3buwUDmH16RC
+nmMNlnaa0zlozsYIuB+r3s18hNLAss1LX0P0Ob6Ownar5VM8yNgVhEZkwBs6VhV
lfinYThWmpaXXLU3AAMFA/498Mfl1rs4z6vzkmIGu3Mqy+2CXSA/oCp9zPfFLJNM
+WUGhpbxkbbsNEzHdTFWPcoHi23k01KjT5CAiyiP30o6g8OV+3/WRYqeR4UNT6e8
7JDZo8kzjnTigI7XoAkqTJhL8pzhzvjboGZAaN1LDPgO2H//iRaBUjjrGaOTl9x2
c4hGBBgRAgAGBQI+nLhNAAoJEMDm+IVHDnPCsrYAoL9sLObVCteWmkAPFL3b5e/p
UFfAAKCzRRY3tPu6sHczFzOcw3SzeDN5x5kBogQ+nLhKEQQAkOkCoQozdqih5jnn
jnVvcDp553fVdHi0RK3kpjLEQ+pEnV56xi0Bq1zAgY3pcDigf74dpnCp+uOj5kmq
uLAvmy0jjAITBPyGg8g1mTVl6N+8mJYQ7lQ+cGRmTRjMKL/2zw74zYyU0l5aOP4J
W1DclVNp/ZIhWKA6Eho4NY0HGC8AoMnjibRxUqHpQOtrPmJsqSNygM5HA/9UuxYp
uKeV+hwP5lJBbbhMQ4IG2vjiprJmDXz2f0NLDwCvOTq9MygGxlwClKnswrigmehW
nrGyFOYU3EG9syps4NYc5rbFgk68bo9l/HP/8kYw8xY0/CigmCmVgRkE2qRob5Rx
6vGbC5WGUc2MmLWdd2vNPRVpPBtAKufxQG3tygP+JyvlwGVMF6l87vsSiDTLvfM4
vUFp1XwQORtd9rgsq8DkwRtQVd/NN0BcRl3QaxJxpc/0VPcY5FZxAVsqq4jvpRg1
7hGeqVsse9FCdUtqjw2CsaC0wevGVgHylMWD/CWAQtOoZOmbauxY5EBh8SjGEPRw
gt5faHLcjbLsfm/+UPq0IVNpbHZpbyBSaGF0dG8gPHJoYXR0b0ByaXNldXAubmV0
PohXBBMRAgAXBQI+nLhKBQsHCgMEAxUDAgMWAgECF4AACgkQwOb4hUcOc8J6OQCg
hkwQwsPXWpaa/khuzEMdNLtYnocAnirhgtRZY3YR3LtgkF/yWaFiwf0IuQENBD6c
uE0QBACprC48SNpPyE17tpGSe/kkD37W/ckbPBcTrJ5srZFMDvB2q8j37qDFOdcR
vF2C+G5Ri+rtieuyiTjuEd27sFA5h9ekQvp5jDZZ2mtM5aM7GCLgfq97NfITSwLL
NS19D9Dm+jsJ2q+VTPMjYFYRGZMAbOlYVZX4p2E4VpqWl1y1NwADBQP+PfDH5da7
OM+r85JiBrtzKsvtgl0gP6Aqfcz3xSyTTPllBoaW8ZG27DRMx3UxVj3KB4tt5NNS
o0+QgIsoj99KOoPDlft/1kWKnkeFDU+nvOyQ2aPJM4504oCO16AJKkyYS/Kc4c74
26BmQGjdSwz4Dth//4kWgVI46xmjk5fcdnOIRgQYEQIABgUCPpy4TQAKCRDA5viF
Rw5zwrK2AKC/bCzm1QrXlppADxS92+Xv6VBXwACgs0UWN7T7urB3MxcznMN0s3gz
ecc=
=1J0v
-----END PGP PUBLIC KEY BLOCK-----

This is my public key. It is big and beautiful, but not very comprehensible. To tell you the truth, I don’t understand any of what is written there, with the exception of the following sections:

----BEGIN PGP PUBLIC KEY BLOCK----

This first bit of text informs the reader that this is the beginning of the public key.

Version: GnuPG v.1.0.6 (GNU/Linux)
Comment : For info see http://www.gnupg.org

These two lines provide information about which program created the public key and in which operating system.

----END PGP PUBLIC KEY BLOCK----

This line tells the reader that the sequence of crazy characters of the public key is finished.

When you are going to send an encrypted message to someone, the cryptography program will use the crazy characters which appear between the lines ----BEGIN PGP PUBLIC KEY BLOCK---- and ----END PGP PUBLIC KEY BLOCK---- of the person’s public key to create the encoded message.

Note: there are no restrictions on the file name for a public key. Usually it has a file name ending in .asc, .key or something else. For example, your friend Groucho’s public key file could be groucho.asc, groucho.key or something else. If you want to check if a file contains a public key, you just need to open it in a text editor and see if the content of the file looks like the example of a public key above.

Example of a private key

A private key is also a sequence of codes which can also be presented as a common text file. This file will contain a whole lot of crazy characters. Here is a fictitious example of a private key:

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)

mQGiBD6cuEoRBACQ6QKhCjN2qKHmOeeOdW9wOnnnd9V0eLREreSmMsRD6kSdXnrG
LQGrXMCBjelwOKB/vh2mcKn646PmSaq4sC+bLSOMAhME/IaDyDWZNWXo37yYlhDu
VD5wZGZNGMwov/bPDvjNjJTSXlo4/glbUNyVU2n9kiFYoDoSGjg1jQcYLwCgyeOJ
tHFSoelA62s+YmypI3KAzkcD/1S7Fim4p5X6HA/mUkFtuExDggba+OKmsmYNfPZ/
Q0sPAK85Or0zKAbGXAKUqezCuKCZ6FaesbIU5hTcQb2zKmzg1hzmtsWCTrxuj2X8
c//yRjDzFjT8KKCYKZWBGQTapGhvlHHq8ZsLlYZRzYyYtZ13a809FWk8G0Aq5/FA
be3KA/4nK+XAZUwXqXzu+xKINMu98zi9QWnVfBA5G132uCyrwOTBG1BV3803QFxG
XdBrEnGlz/RU9xjkVnEBWyqriO+lGDXuEZ6pWyx70UJ1S2qPDYKxoLTB68ZWAfKU
xYP8JYBC06hk6Ztq7FjkQGHxKMYQ9HCC3l9octyNsux+b/5Q+rQhU2lsdmlvIFJo
YXR0byA8cmhhdHRvQHJpc2V1cC5uZXQ+iFcEExECABcFAj6cuEoFCwcKAwQDFQMC
vUFp1XwQORtd9rgsq8DkwRtQVd/NN0BcRl3QaxJxpc/0VPcY5FZxAVsqq4jvpRg1
7hGeqVsse9FCdUtqjw2CsaC0wevGVgHylMWD/CWAQtOoZOmbauxY5EBh8SjGEPRw
gt5faHLcjbLsfm/+UPq0IVNpbHZpbyBSaGF0dG8gPHJoYXR0b0ByaXNldXAubmV0
NS19D9Dm+jsJ2q+VTPMjYFYRGZMAbOlYVZX4p2E4VpqWl1y1NwADBQP+PfDH5da7
OM+r85JiBrtzKsvtgl0gP6Aqfcz3xSyTTPllBoaW8ZG27DRMx3UxVj3KB4tt5NNS
PohXBBMRAgAXBQI+nLhKBQsHCgMEAxUDAgMWAgECF4AACgkQwOb4hUcOc8J6OQCg
hkwQwsPXWpaa/khuzEMdNLtYnocAnirhgtRZY3YR3LtgkF/yWaFiwf0IuQENBD6c
uE0QBACprC48SNpPyE17tpGSe/kkD37W/ckbPBcTrJ5srZFMDvB2q8j37qDFOdcR
vF2C+G5Ri+rtieuyiTjuEd27sFA5h9ekQvp5jDZZ2mtM5aM7GCLgfq97NfITSwLL
7JDZo8kzjnTigI7XoAkqTJhL8pzhzvjboGZAaN1LDPgO2H//iRaBUjjrGaOTl9x2
c4hGBBgRAgAGBQI+nLhNAAoJEMDm+IVHDnPCsrYAoL9sLObVCteWmkAPFL3b5e/p
1FljdhHcu2CQX/JZoWLB/Qi5AQ0EPpy4TRAEAKmsLjxI2k/ITXu2kZJ7+SQPftb9
ecc=
=1J0v
-----END PGP PRIVATE KEY BLOCK-----

As you must have spotted, a private key is a block of text whose structure if the same as that of the public key. The first two lines,

----BEGIN PGP PRIVATE KEY BLOCK----
Version: GnuPG v.1.2.1 (GNU/Linux)

tell the cryptography program that the text that follows in the sequence is a private key. The program will assume that the rest of the text is a private key until it finds the line that says:

----END PGP PRIVATE KEY BLOCK----

Example of an encrypted message

For example, why don’t we encrypt the following message:

Is your dad bald?

The result, when it is encrypted with my public key, looks like this:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.3 (GNU/Linux)

hQEOA3v8xQeh8DSxEAP/Rks1pm5WOyNZTtlJP1FVK602ix872ZMwsOsOYZ9oBC+o
pN9/03jLjlk3hF0v9KJkq3SQxu+E7zSCbuMigAum0QZgV3BMVjZDGKLDUN3D8Sgt
fBju6Y7Vn6wK87OWQlayWMAab+t77wQPjKuH9IPYJwsZ6zJJK5YIhgIlKU0FoKAD
/RWDmqQua/iswijTh5StgO+FJuseec22TgGPzZC4D05s9JE7gMIO3GvSTGR+re4i
SaCzrppudxOacsuCcRhR6IkA6lT8fKaZImU/aMev/UgwadGP3XeqiwxPUt+qHg6H
iYZyMShKAMZzF+PdgflaDYGffgIQBXpxWxjRMufX9LTW0lYBo1mQ6W1XgJG3AY47
knPyqSKRfuNPwayAGRdZM2yoq/DnwIUGB5cyfiNqkV9lXl25uXud99T3mDojYLzr
N/pWTHTdu5UA/RbBrPaeZ7HX3tdXnhlCzw==
=Jqqw
-----END PGP MESSAGE-----

So, you think it’s possible to decipher this? Only with my private key! The first two lines,

----BEGIN PGP MESSAGE----
Version: GnuPG v.1.2.3 (GNU/Linux)

indicate that what appears in the sequence is an encrypted message. The end of the encrypted message is indicated with the line:

----END PGP MESSAGE----

I am now going to encode the same message using several public keys, so that more people can read it.

original message -> several public keys -> message is deciphered by several recipients

The result is:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.3 (GNU/Linux)

hQEOAwXhZ7S+8an6EAP8CwSfq+TjKziYiM4QGwAwNynKDLSkMdw6KeTmSi3XgfP+
Wf6p6KWGuVmD7ffGMwCBuB+mKpjmXhZ9EyR4JAVpgkMMN2ZCrTcMu4tDZqqvJV/t
jws1dwg0QaeCdmA6jbxBDuWUsbgOzxY/5URmttCfKGTgIOOh73VDZ3HXM4MrWIcE
AKFaCgiMybhYZLlXqEpqgyJWH54fsXSgRbv2yZE2G+9aNEolAVji7NfluKGhrosF
gRCEuFc1pGRnF+Z5+aMj/xK/9DKeqGt97aQbViQ33s/3soqskBWzd95rKK1ZyBRn
iIEoEXlc+eDRk+j6EsjR+Ex87fU4gCM9aNPQGkdLZZpJhQEOAzrq0korX+quEAQA
gOEV5STP2zCgQ5sSljd6D02lLXVky5P/4vvgBPUUpH9svMQUF5iJTPc8H/YUoOmW
Hpmk6nwXDsAwDhyoTuiiPHRBd+D1ckCtwsjRZePOhkU2r0m+9k4kI3Q34XX3jPDI
YABHRWP0tJaazCU/1PD1rKA0JWoLmA3x3i2AEizwLrkD/R+8xBgOUEV+XNJSEXqS
ooHbKCu9dItIXjHj2kzTpA5F9anT0xZYG+Q9SivWavZVAd8KLcDM7My1s/udjGyp
KWeSxcyHu6rYmdJw1by+eWddKn+2W7iSgnaOhjEimZcy53wYmrh5Wzv5vDL0Qd2d
RSX12GjdqW9FmOQvag2q8sIAhQIOA7jcJ6nlDzObEAf9EPB7HaCBFSovTp/c2GsU
HEyc3gRQ2RD1XPlnKA/PhE5zTIGCXiRdVLfQuoZ4xOwHng8ppM5xJkIU5oohhysu
m7YFlkM7rG9kavVAoATDeNfoLXjA7q/Cntl9xyy2NEUU9oQCilrS6JTvJ9UPPY1U
kW9zS8CNNIAgIQ+rVJZtc1E+34N8xORk+4nQz4QtY0nE6XMN83bIYfoIxGc0dn8O
PVOz5ej6utcZV2sdTZc0JnX3lXonUhkSCvsDcxRfUOemfObR2XZMq7OrFoKQ1mly
TQ9AW2mUyEbEtVsFdT8HOAC3M7z/EmnK97nAykONYko1RrHgWY/ekhElqxfvzy2I
6Qf9F9tTLshUy7QdM7WiGoJaxPwTUwlzGw29rnZo36JNKyWW8qnGU5+YH5iKzM4u
xeAOt12SKcBgzN2ucEdmOxm0A1rYL0IgDLWTYnD/YkmJbSp4xhwKEUEF4juiJdUd
ZTf1+tF6Q6yIRIFwLy3ES3NX6sA/dxkiN2YROC41VtcGqn84lCj3c4VnMw7LcLtX
GBP9y76tObNEXsCYGIsVqjxMXDFh0smQ8v1Loo1qFxBCjuPXWWBWL77814o2rS+Y
1eH+Q9rv5RajMygDD1afYxKoI1mey7yuRbiG02owHDNMs6wECCH77bRnxAVRLSWD
UCsIRMk0qWKApD/M7qIWn4qtl9JWAcG4KKrOGdIYswARUoJIMKn+TMJmbA8TxTKo
J7yrXniv3C9pyeEPqRUWdZqo4szVDKPGLz+VMCV4tzSE5iINGBNNXAM9HxqwmAX9
tqLVyGhs9UVe8RY=
=cbe0
-----END PGP MESSAGE-----

Can you see how the private key is bigger? That’s because now it is encoded for each of the public keys.

Fingerprint

So, fine, someone sends me their public key, I add it to my key ring and I start using it to encrypt things. But who guarantees that the key I received really belongs to that person? This is one of the most delicate aspects of cryptography using pairs of keys. This is discussed in more detail in the section “The limits of trust”.

There is a way of confirming the origin of the key by using the fingerprint of the public key, which is nothing more than a number associated with that key. The idea is that you can confirm the public key’s fingerprint with the person who owns it, preferably in person or in some very secure way. This is one of the best ways of checking that the key really belongs to that person.

For example, someone sends me a public key. I add it to my key ring. When I have the opportunity to meet up with the person, I exchange fingerprints with him or her, that is, I give him or her the fingerprint of my public key – which I keep written down on a piece of paper in my wallet! – and he or she gives me his or her fingerprint, which is also noted on a scrap of paper! When I get home, I can confirm if the public key I have for him or her on my computer has the same digital fingerprint as the one I received during the meeting. If the two coincide, I can be almost sure that the key really does belong to the person in question. I say “almost sure” because those of us who use cryptography are very skeptical and paranoid.

Here is an example of a digital fingerprint of a public key:

268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16

It is not difficult to keep this collection of letters and numbers on a scrap of paper or printed on your business card!

Digital signatures

In the previous section we explained how cryptography can be used to encrypt and decipher information. But the use of cryptography is not restricted to this. It is possible to use it to create digital signatures.

When you sign a contract, you sign on the dotted line with a pen. The expectation is that you have read everything properly and agree with what is written there. In other words, you trust the document and sign underneath. Your signature is proof that you gave the green light. The more complicated and scrawling and scribbled your signature is, the better for you, because it is more difficult for someone to fake your signature.

With cryptography based on the key ring system, it is more or less the same. More or less. It is similar in the sense that you need to be able to trust what is signed by someone. But different in the sense that nobody will be able to fake it (unless they steal your private key and your password).

The signature works in the following way:

I write a text, for example:

Cake in your face, cake on your foot, cake wherever you want it!

Next, I use the following operation:

original message -> private key -> signed message.

The signed message will contain the information in the original message and will be accompanied by a section of text generated by the combination of the original message, my private key and lots of mad mathematical operations. This section of text is the digital signature. If someone receives this message and has my public key, they can test if this message has the correct signature corresponding to my private key:

signed message -> public key -> confirmation of signature

If I sign the previous message, the signed message will be

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cake in your face, cake on your foot, cake wherever you want it!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAuSSqvSy1nGtWZ3cRAvbuAJ9CZgA3YXCWCWiHMgtqA1pnjUqnaQCgvvrv
JRwCqz/lUTdhE0j5KzoMvX0=
=l6xH
-----END PGP SIGNATURE-----

In the same way as with the encrypted message, the lines

----BEGIN PGP SIGNED MESSAGE----
Hash: SHA1

indicate that what follows is digitally signed. The crazy characters are the signature. A program with this signature and a public key corresponding to the private key which signed the message can check if the signature matches. Finally, the line

----END PGP SIGNATURE----

tells the cryptography program that the portion of the text that corresponds to the signature is finished.

I could also send my message in a file and the signature separately, to make it easier to read the message. For example, the signature corresponding to the message

Message protected against fraud.

can be distributed in a separate file, whose content, if signed with my public key, would be:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQBALBiEvSy1nGtWZ3cRAmneAKCzNFcwvmIYUS4/t9x9jeAWTCLcygCfSbpT
UrUnpqD+GUfovjNiS56dCec=
=8Czp
-----END PGP SIGNATURE-----

The digital signature allows you even to sign your copy of the public key belonging to your friends. Once you have exchanged your digital signature with theirs, signing your copy of a public key belonging to another person indicates that you trust that public key.

The limits of trust

As the “Fingerprint” section said, there is nothing that guarantees the origin of public keys which we receive and add to our key ring.

What we can do, beyond receiving the digital fingerprints of the public keys in person, is to give different levels of trust to determined keys. Giving a level of trust is sometimes the only thing we can do when we don’t have the opportunity to exchange digital fingerprints.

A very popular strategy is the use of the trust network, which is more or less based on the principle of my friend’s friend is my friend. For example, Maria has João’s public key and they have already exchanged digital fingerprints and signed each other’s public keys. Maria also has Josefina’s public key but has never been able to exchange digital fingerprints with her in person because Josefina lives in Krakow which is a long way away. However, João has been to Krakow and had the opportunity to exchange fingerprints with Josefina and signed her public key. Since Maria trusts João’s key and João trusts Josefina’s key, Maria can trust Josefina’s key and Josefina can trust Maria’s key. By creating this web of trust, people can have a little more security when using cryptography. The important thing is to trust your friends, but also to trust their friends, because they will sign keys that you may eventually be able to trust.

Key repositories

There are some computers on the Internet that act as public servers for public keys: they store public keys, and can receive and send public keys, which makes the search for keys easier, especially for people you have never been in contact with before. In a similar way to search engines, you go to the key server and search by the person’s name, email, etc. and based on this you can download and add keys to your key ring.

History

This section is purely illustrative and aims to give a flavor to the discussion. It can be missed out without compromising the understanding of the following sections.

The core of the problem, when we are talking about cryptography, is that the medium where the message will be distributed is public, that is, any person present in that medium can capture the message, whether the medium is a room, a bar table, a telephone system or the Internet. From the beginning, this art has not had much success in creating private media for the circulation of messages, what it did manage to create were systems to stop the message being understood if it were intercepted on its journey to the recipient.

The system of the pair of keys which we have dealt with here, also known as asymmetrical keys, is perhaps the most important discovery in the field of cryptography in the last centuries, but it was preceded by others which are also of great interest and will be succeeded by even more refined techniques – such as the case of quantum cryptography.

Here are some interesting references about the adventure of deciphering messages over the years:

• Cryptography at Wikipedia
• Wikibook on Cryptography

About this text

This text was written by Rhatto (rhatto[-@!]riseup.net) and translated from portuguese by Tori Holmes (tori.holmes[-@!]gmail.com).

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Brazil License.

-- SilvioRhatto - 29 Mar 2006
to top