OpenPGP INFO
OpenPGP (the RFC 4880 standard) is a method of encrypting communication.
Because the encrypted message can be sent over any channel that carries text, such as email and personal messages,
OpenPGP can be considered channel-agnostic.
The encryption of OpenPGP has been under constant audit for decades.
It started in 1991 when Phil Zimmermann created PGP, the original implementation of the standard. Because of US export regulations he could not sell PGP software; cryptographic software was considered a threat to national security. Zimmermann published the entire source code of PGP in a hardback book, which was distributed and sold worldwide.
OpenPGP is used in many kinds of business:
- finance and banking
- healthcare
- technical
- construction
OpenPGP provides:
- confidentiality: the contents of the message are private
- integrity: the message cannot be changed without this being detected
- non-repudiation: the message was sent by the person you think sent it
How does it work?
Misusing OpenPGP can seriously weaken the security of a website or a system: you think you are secure when you are not. A few terms need to be explained first. Always make sure you understand the tools you are using.
The unencrypted information that you want to send is called plaintext. Plaintext needs no decryption; it is readable as it is. The next step is to encrypt it before sending it.
After the encryption step you have the ciphertext: a representation of the plaintext that cannot be read without the cipher key.
A cipher is a method of transforming each character of a message. An example is the Caesar Cipher, which Roman Emperor Julius Caesar used to conceal the contents of his messages. It is easy to understand and nowadays easy to break using a computer. It is a Substitution Cipher: each letter of the alphabet is replaced by another letter. For example, the cipher {AP,BH,CT,DU,ES,..,RA,SJ,TZ,..,ZK} (each pair lists a plaintext letter followed by the letter that replaces it), applied to the plaintext SECRET, gives the ciphertext JSTASZ.
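The substitution cipher above, worked through in Python as an added example (not code from the original page). The page only lists some of the letter pairs; the remaining pairs are constructed here so the table becomes a full bijection, and a Caesar shift is included as the special case where every letter moves by the same fixed amount.

```python
# Added example: monoalphabetic substitution cipher built from the page's
# partial table {AP, BH, CT, DU, ES, .., RA, SJ, TZ, .., ZK}.
import string

ALPHABET = string.ascii_uppercase

# Pairs given on the page: plaintext letter -> ciphertext letter.
PAGE_PAIRS = {"A": "P", "B": "H", "C": "T", "D": "U", "E": "S",
              "R": "A", "S": "J", "T": "Z", "Z": "K"}


def build_table(known: dict) -> dict:
    """Complete a partial substitution table into a bijection on A-Z.

    Letters the page does not assign are paired up in alphabetical order.
    This is a CONSTRUCTED choice for the example; the page never lists them.
    """
    table = dict(known)
    free_plain = [c for c in ALPHABET if c not in table]
    free_cipher = [c for c in ALPHABET if c not in table.values()]
    table.update(zip(free_plain, free_cipher))
    # A substitution table must be a permutation, otherwise it cannot be undone.
    assert sorted(table.values()) == list(ALPHABET), "table is not a bijection"
    return table


def encrypt(plaintext: str, table: dict) -> str:
    """Replace each letter by its substitute; non-letters pass through unchanged."""
    return "".join(table.get(c, c) for c in plaintext.upper())


def decrypt(ciphertext: str, table: dict) -> str:
    """Invert the table: the receiver needs the same key to undo the substitution."""
    inverse = {v: k for k, v in table.items()}
    return "".join(inverse.get(c, c) for c in ciphertext.upper())


def caesar_table(shift: int) -> dict:
    """Caesar's cipher: the special case where every letter moves by a fixed shift."""
    return {c: ALPHABET[(i + shift) % 26] for i, c in enumerate(ALPHABET)}


def caesar_candidates(ciphertext: str) -> list:
    """All 25 possible decryptions of a Caesar ciphertext.

    With so few keys a computer simply tries every one, which is why the page
    calls the cipher easy to break today.
    """
    return [decrypt(ciphertext, caesar_table(k)) for k in range(1, 26)]


if __name__ == "__main__":
    key = build_table(PAGE_PAIRS)
    ct = encrypt("SECRET", key)
    print(ct, decrypt(ct, key))  # JSTASZ SECRET
```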
Users who wish to encrypt messages they send must have a private key.
For every private key there is a matching public key, which others use to send messages to that user. So, when generating a private key, a public key is generated with it. Together they are known as a key pair.
OpenPGP guidelines
How to get the public key of the recipient of the message?
- using a direct channel, such as floppy disks, CDs, or other direct connections
- using an OpenPGP public key server
Conversation using OpenPGP
Prerequisites
- 2 users who share messages: user A and user B
- each user has his/her own key pair (a public key and a private key)
- each user has the other user's public key
How to proceed?
- user A encrypts the message using private key A
- user A encrypts the resulting message one more time using public key B
- the final message is sent through the network
- user A sends the message, which was encrypted 2 times, to user B
- user B receives the message from user A
- user B decrypts the message using private key B
- user B decrypts the resulting message once again using public key A
- the message he/she gets is the fully decrypted message, ready to read
To send a message back to user A, user B proceeds the same way user A did.
So, to start, user B encrypts the message using private key B.
Just sending an OpenPGP message
Prerequisites
To simply send a message encrypted with OpenPGP, only the receiver must have
a key pair. The sender needs the receiver's public key.
Some rules OpenPGP is based on:
- the private key must be kept secret
- a message can be encrypted using the private key or the public key
- when a message is sent anonymously (the sender has no key pair) to a receiver (who has a private key and a public key), the sender knows only the receiver's public key, so the receiver's public key is used to encrypt the message
- if a message was encrypted using the private key, the public key is required to decrypt the message and read its content
- if a message was encrypted using the public key, the private key is required to decrypt the message and read its content
Purpose
- encrypting a message with another user's public key ensures that he/she is the only person who can read it
- encrypting a message with one's own private key ensures that the sender is who he/she says he/she is
OpenPGP software
- OpenPGP implementations
  - GnuPG - OpenPGP implementation
  - PGP - OpenPGP-compliant software
  - Seahorse
- email clients
  - Thunderbird - email client for PC
  - Claws Mail - email client for PC
  - K-9 Mail - email client for smartphones with OpenPGP support
- other software
  - Gpg4win for Windows
  - Seahorse for Ubuntu and Linux
  - GPA for Ubuntu and Linux