HomePurchaseProductsDownloadsInformation SecurityAboutSupportOur Customers
what is pgpdownload pgp

PGP - what is PGP and  how does PGP work?


Back in the 90&rsquo s PPGP (Phil&rsquo s Pretty Good Privacy) was the first time that real, effective cryptography was accessible to anyone outside of the military and banks.   Before that, from the largest corporation to the man in the street, there was precisely nothing.   So it paved the way for securing eCommerce and sending secrets across the Internet without any fear that they could be stolen or misused.

What is PGP?

PGP (or OpenPGP if you want to refer to the open public system that the Internet Engineering Task Force (IETF) have the right to specify and distribute) is a system that implements methods of distributing cryptographic keys that establish the identity of individual users, and allows those users to exchange secret information (messages and files) among themselves.

Securely identifying the individual recipients is critical to the process of secure information exchange, because if you don&rsquo t know who is at the other end then what is the point of sending them secrets?   And your infrastructure MUST be so secure that people cannot readily hack into it.

OpenPGP established two methods for deciding if you could trust the identity claiming it was a specific person:   Web of Trust and Certification Authority.

In Web of Trust, if you are certain you know who somebody is then you mark their public key as good because that is assumed to be good enough.   And maybe if you don&rsquo t know who the person is, but other people that you already know are willing to vouch for the person, then (maybe) that&rsquo s good enough.   And just maybe, if lots of people, even if you don&rsquo t know them all, vouch for the person, then that&rsquo s good enough.   This model mimics the &lsquo golf club&rsquo approach &ndash that if the members say the individual is OK then they get voted in.

In Certification Authority (also referred to as Public Key Infrastructure or PKI) you accept people are who they claim they are because some important authority &ndash the government maybe, or the banks maybe &ndash you get the idea, says that is who they are.   This is more impersonal but fits quite conveniently into corporate structure thinking.   Here you accept automatically that if the key comes from a known public authority then that&rsquo s good enough.

Once you have agreed with whatever method you prefer for identifying the people you want to send secrets to then PGP provides you with a tool for encrypting those secrets so that only the recipients you define can read what you are sending them.

So that is what PGP is.   How it works is not so difficult.


How does PGP work?


Sending files securely


When you want to send some secret(s) to somebody else (this might be their tax return, healthcare data, investment advice or anything else that could do them damage if it leaked out) then you need their public key (identity).   Think of the public key as a cell phone number.   You need to know the recipient&rsquo s number before you can call them.

You then use PGP to encrypt the information (messages, attached files and so on) as required for that individual (or numbers of individuals if you want to send to multiple people) and it automatically includes the encryption key needed to decrypt that information.   But if anyone not on the public key list used gets the encrypted information they cannot open it.   Encrypting files using PGP generally involves right-clicking on them in Windows File Explorer and selecting the option 'PGP encrypt' from the pop-up menu to encrypt them.   You can then choose the invdividuals you want to send the files to and the encryption alogrigthm and strength to use.   You can also digitally sign the files (this uses your private key) to prove that the files were sent from you.


Receiving files securely

On receiving encrypted information, you just double-click on it to invoke PGP to decrypt it.   PGP will automatically use your private key to decrypt the files.   Recipients have the ability to find out who sent the information (a so-called digital signature, which is in fact a unique cryptographic identity) so they can have some confidence as to the quality, security and safety of opening the file(s) and messages that have just come in (after all, what better way of spreading malware than to send it from a dodgy crypto identity to con you into believing it is real?).   The signature is verified automatically.   Generally, if the signature fails the encrypted information will not be decrypted.  

So there you have it.   PGP will encrypt information that can only then be read by the people whose public keys you specified.   PGP will decrypt information if you have a private key to match any of the public keys it was encrypted for. If a digital signature was used to &lsquo prove&rsquo who sent the encrypted file it will be checked automatically.




Home | Products | Purchase | Downloads | Information Security | About | Support | Our Customers | PGP Feed pgp products 

PGP - what is PGP and how does PGP work?