[lug] pgp and gpg compatibility

Michael J. Pedersen marvin at keepthetouch.org
Wed Dec 20 17:45:28 MST 2000 

On Wed, Dec 20, 2000 at 02:58:41PM -0600, C Menzes wrote:
> 
> that was exactly the case. it looks like rh7 ships with 1.0.2. 
> redhat's ftp site has an rpm for 1.0.4 in the updates directory.
> can you offer a brief explanation of how IDEA is used compared to RSA? i
> do recall that rsa's patent was lifted a few months ago, however i'm not
> clear on the diff between a session left encryption algorithm compared to
> a that applied to a key.

Glad I could help out a bit there. Now, as to what happens, it's going to
sound kind of strange, but it works.

Basically, you have two (VERY broad) classes of cipher algorithms. These two
are known as public key and symmetric. Here's how they work:

symmetric ciphers take either encrypted or plaintext as input, run this
through several transformations, and spit out the inverse. Meaning that if you
feed in plaintext, you get encrypted, and if you feed in encrypted, you get
plaintext. The main detail here is the key. Those transformations rely on a
common key. This is also the weakness of symmetric ciphers. If you can get a
key to someone securely, then you can also get the message to them securely
(usually). The benefit of these systems is that they are computationally
cheap, meaning they can be done quickly even in software.

Public key ciphers are made up of two parts, a public key and a private key.
Essentially, these keys at joined are the hip, and are useless without each
other. When you encrypt a message using someone's public key, only their
private key can decrypt it. However, the process of encrypting the entire
message is extremely difficult, and carries a high computation expense,
meaning that encrypting a very long message will result in a very long
operation.

Modern public key crypto systems (ie: pgp and gpg) use a hybrid mechanism.
This means they use both symmetric and public key cryptography. Here's how
they do it:

1) Determine the public key of the recipient.
2) Generate a random session key. This is used by the symmetric cipher (for
   instance, IDEA). This is why it is so important to have good random
   numbers, as opposed to weak random numbers. It is also where the phrase
   cryptographically strong random number generator comes from (well, it's one
   of the more common uses).
3) Encrypt the session key using the recipients public key.
4) Encrypt the message itself using the symmetric cipher and the session key.

As a result, what happens is that public keys use one mechanism (RSA being one
example), session keys are encrypted with them, and the actual message is done
with fast mechanism.

Hope that helps out!

-- 
Michael J. Pedersen
My GnuPG KeyID: 4E724A60        My Public Key Available At: wwwkeys.pgp.net
My GnuPG Key Fingerprint: C31C 7E90 5992 9E5E 9A02 233D D8DD 985E 4E72 4A60
GnuPG available at http://www.gnupg.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20001220/4b878fcf/attachment.pgp>

More information about the LUG mailing list