# Second Serie | Part 11 : Some details about keys and maths

How many times did I tell you about keys, public, private in those previous articles ?

- Part 8 : Sign files
- Part 9 : Encrypt files
- Part 10 : GPG Conf’
- Part 11 : Some details about keys and maths
- Part 12 : Export and import public and private keys
- Part 13 : Various security aspects
- Part 14 : Publish a signing policy
- Part 15 : Using gpg in command line
- Part 16 : Going to a gpg signing party

You still don’t know about it really. Let’s figure it now !

## Maths

### One-way functions

Consider two great numbers, p and q for example. The multiplication *n = pq* is
easy to perform, but finding *p* and *q* after *n* is pretty difficult.

This is a one-way function : creating something from input is easy. The reverse (finding the input from its result) is almost impossible.

There are several other one-way functions. This one is just the easiest to describe.

### Trapdoor functions

Some one-way functions have a solution to reverse them. Those are the trapdoor functions.

You might have understood that the trapdoor are actually used as key in the ciphers.

A public key can decipher what has been ciphered by its private counter-part. And reverse.

## So, with OpenPGP …

Actually, to execute some asymmetric cryptography is pretty time/power/cpu consuming. Around 1000 times more than symmetric cryptography. And the keys have to be way longer.

When ciphering a file or a mail, one use a combination of both:

- a symmetric key is created
- the file is then ciphered with
- the symmetric key is then ciphered with the asymmetric cryptography process. As the symmetric key is really small, that process is fast enough.
- Place it altogether in a proper container (with some compression somewhere in the process. I don't really know when).

Deciphering is the reverse operation :

- open the container
- decipher the symmetric key
- with the symmetric key, decipher the file itself.

## Keys

Keys are actually mathematical structures. Really large numbers and the functions needed to work with them.

When you export a gpg key, you actually write those maths structures in a text file, with all the informations needed, like configuration, preferred algorithms as specified in the gpg.conf.

This is why one cannot use a DSA key with an RSA algorithm: numbers come with the tools to use them. If it were only for numbers, it would not matter.

These numbers are then the solutions to ciphers, to the encryption functions. Let's just remember that a computer is actually no more than a powerful mathematical machine. Everything is number there. A text is a huge series of numbers. And it is possible to do math with it.

Here it is, all those *ciphers* are just complex math operations and algorithms which, applied to any file, text or whatever, at its very constituents, create an image of it, impossible to use.

*Ciphering* means create a copy of something with a mathematical treatment as described, which makes it unusable.
The opposite, *decipher*, permits the use of the said copy by opening it with the key involved.

*Encrypt* is a synonym of

So, a .gpg or .asc file is just a simple virtual paper sheet with those numbers and algorithms written on it.

### Sub-keys

I already said that each gpg key was actually a pair of keys : private and public.

Looking deeper, one can understand that there is, again, new ones: subkeys.

Actually the main key pair is more a keystone, but really rarely used in real life: it's merely used to sign sub-keys or your contact's keys.

You should try to keep that key for five years (this is personal estimation and judgment).
That way, you can distribute this key on physical supports (business cards for example).
As it has to stand long, it also has to be «strong».
This *expected* validity does not change anything about security: you set a one-year period, that you push away regularly.

Your aim is to transition to a new *main* key the latest possible.

You will find interesting advices on that page.

Subkeys are actually the ones used in daily life: signing files and mails.

In the following articles, when the difference matters, I will either tell about *main* or *sub*keys.

### IDs

On a single key, it is possible to set several mail addresses. Some people also use IDs or comments to indicate an otr fingerprint, an URL, a jabber address.

Add an ID or a subkey is easy with graphical interfaces to gpg like Kgpg.

This allow to link your professional address to your main personal one. It is easier and better than having one key for each of your addresses.

One can also sign only one of the ID ! For example, if you know one person with his professional mail, you might want to grant this one a signature. But you don't want to sign the other, it is OK and possible.

Kleopatra (and others), has a dialog box asking which one of the IDs to sign or not.

### Keys groups

Gpg (and its graphical interfaces) can create groups of keys.

I must admit, I am not very aware of subkeys or IDs. Worse, I don't know anything about keys groups! My use of gpg is much more basic. Yet, I think it is important that you about it, and search for more informations if you need to.

**If you know about some articles or more detailed docs on the subject, do not hesitate to write. I will then add the links.**

### Algorithms

There are an impressive quantity of algorithms used in cryptography. Most of them have a one and only role.

- symmetrical algorithms’ ciphers
- DES (obsolete today)
- AES

- asymmetrical algorithms’ ciphers
- RSA (the most famous and the most used currently)
- El-Gamal and DSA
- ECC : elliptic curves ciphers or hyper-elliptic, it is the state of the art as I am writing

- hash functions (that state of a file's integrity)
- The MDx series (obsolete today): MD1, MD5
- The SHA-x series: SHA-1, SHA-2, SHA-256, SHA-512

For those who know, you shall remark that some of these algorithms are the same as used in TLS.

## Some vocabulary

I am a *maker*. I value and respect those who *do things* rather than those who argue about what to do and how to call it.

Yet, to be precise doesn't harm.

*Cryptography* is the part of human activities that aims to protect information.
It create and design *ciphers* and *algorithms* that are the math operations that protect those informations.

To protect those informations, **you** *encipher* or *cipher* it. **You** use the said *ciphers* to protect your privacy. Then you *decipher* to use or read it.

To *Encrypt*, does not really exist. It is a wrong use of the vocabulary.

To *Decrypt* means the action of reading the information without the needed keys. Breaking the code and protection. Thus without being legitimate!