How many times did I tell you about keys, public, private in those previous articles ?
- Part 8 : Sign files
- Part 9 : Encrypt files
- Part 10 : GPG Conf'
- Part 11 : Some details about keys and maths
- Part 12 : Export and import public and private keys
- Part 13 : Various security aspects
- Part 14 : Publish a signing policy
- Part 15 : Using gpg in command line
- Part 16 : Going to a gpg signing party
You still don’t know about it really. Let’s figure it now !
Consider two great numbers, p and q for example. The multiplication n = pq is easy to perform, but finding p and q after n is pretty difficult.
This is a one-way function : creating something from input is easy. The reverse (finding the input from its result) is almost impossible.
There are several other one-way functions. This one is just the easiest to describe.
Some one-way functions have a solution to reverse them. Those are the trapdoor functions.
You might have understood that the trapdoor are actually used as key in the ciphers.
A public key can decipher what has been ciphered by its private counter-part. And reverse.
So, with OpenPGP …
Actually, to execute some asymmetric cryptography is pretty time/power/cpu consuming. Around 1000 times more than symmetric cryptography. And the keys have to be way longer.
When ciphering a file or a mail, one use a combination of both:
- a symmetric key is created
- the file is then ciphered with
- the symmetric key is then ciphered with the asymmetric cryptography process. As the symmetric key is really small, that process is fast enough.
- Place it altogether in a proper container (with some compression somewhere in the process. I don't really know when).
Deciphering is the reverse operation :
- open the container
- decipher the symmetric key
- with the symmetric key, decipher the file itself.
Keys are actually mathematical structures. Really large numbers and the functions needed to work with them.
When you export a gpg key, you actually write those maths structures in a text file, with all the informations needed, like configuration, preferred algorithms as specified in the gpg.conf.
This is why one cannot use a DSA key with an RSA algorithm: numbers come with the tools to use them. If it were only for numbers, it would not matter.
These numbers are then the solutions to ciphers, to the encryption functions. Let's just remember that a computer is actually no more than a powerful mathematical machine. Everything is number there. A text is a huge series of numbers. And it is possible to do math with it.
Here it is, all those ciphers are just complex math operations and algorithms which, applied to any file, text or whatever, at its very constituents, create an image of it, impossible to use.
Ciphering means create a copy of something with a mathematical treatment as described, which makes it unusable. The opposite, decipher, permits the use of the said copy by opening it with the key involved.
Encrypt is a synonym of
So, a .gpg or .asc file is just a simple virtual paper sheet with those numbers and algorithms written on it.
I already said that each gpg key was actually a pair of keys : private and public.
Looking deeper, one can understand that there is, again, new ones: subkeys.
Actually the main key pair is more a keystone, but really rarely used in real life: it's merely used to sign sub-keys or your contact's keys.
You should try to keep that key for five years (this is personal estimation and judgment). That way, you can distribute this key on physical supports (business cards for example). As it has to stand long, it also has to be «strong». This expected validity does not change anything about security: you set a one-year period, that you push away regularly.
Your aim is to transition to a new main key the latest possible.
You will find interesting advices on that page.
Subkeys are actually the ones used in daily life: signing files and mails.
In the following articles, when the difference matters, I will either tell about main or subkeys.
On a single key, it is possible to set several mail addresses. Some people also use IDs or comments to indicate an otr fingerprint, an URL, a jabber address.
Add an ID or a subkey is easy with graphical interfaces to gpg like Kgpg.
This allow to link your professional address to your main personal one. It is easier and better than having one key for each of your addresses.
One can also sign only one of the ID ! For example, if you know one person with his professional mail, you might want to grant this one a signature. But you don't want to sign the other, it is OK and possible.
Kleopatra (and others), has a dialog box asking which one of the IDs to sign or not.
Gpg (and its graphical interfaces) can create groups of keys.
I must admit, I am not very aware of subkeys or IDs. Worse, I don't know anything about keys groups! My use of gpg is much more basic. Yet, I think it is important that you about it, and search for more informations if you need to.
If you know about some articles or more detailed docs on the subject, do not hesitate to write. I will then add the links.
There are an impressive quantity of algorithms used in cryptography. Most of them have a one and only role.
- symmetrical algorithms' ciphers
- DES (obsolete today)
- asymmetrical algorithms' ciphers
- RSA (the most famous and the most used currently)
- El-Gamal and DSA
- ECC : elliptic curves ciphers or hyper-elliptic, it is the state of the art as I am writing
- hash functions (that state of a file's integrity)
- The MDx series (obsolete today): MD1, MD5
- The SHA-x series: SHA-1, SHA-2, SHA-256, SHA-512
For those who know, you shall remark that some of these algorithms are the same as used in TLS.
I am a maker. I value and respect those who do things rather than those who argue about what to do and how to call it.
Yet, to be precise doesn't harm.
Cryptography is the part of human activities that aims to protect information. It create and design ciphers and algorithms that are the math operations that protect those informations.
To protect those informations, you encipher or cipher it. You use the said ciphers to protect your privacy. Then you decipher to use or read it.
To Encrypt, does not really exist. It is a wrong use of the vocabulary.
To Decrypt means the action of reading the information without the needed keys. Breaking the code and protection. Thus without being legitimate!