As an IT guy I get a lot of questions about all kinds of topics, and lately security is pretty high on people’s minds. One of the biggest questions I get is about secure communication and how it works. So here’s a very basic overview of PGP encryption, which ties into e-mail communication.
What is PGP Encryption?
PGP stands for Pretty Good Privacy. PGP is an encryption standard, widely used for encrypting data for secure communications.
How does it work?
There’s a lot of really technical information out there on how it works (factoring the product of huge prime numbers, exactly how the encryption algorithms function, and so on), so I won’t go into that. If you want that sort of information the Wikipedia page is a good place to get started.
What I’m going to give here is a broad overview of the system as it applies to people who use it or are thinking about using it.
To understand PGP you need to understand basic encryption, or data scrambling. Basic encryption works with a single key, usually a password. You give your encryption program a file, or some other kind of data, and supply a password. The simplest kind of encryption program uses the password as a variable in an equation that scrambles the data. For instance, the equation might be as simple as:
Data * Password = Encrypted Data
When you want to unscramble the data you use a decryption program and supply it with the scrambled data and the same password. The program will use the password as a key to unscramble the data. In the simplest methods it simply reverses the process the encryption program used:
Encrypted Data / Password = Data
Here is a simple example of how to encrypt a small amount of data with this equation using the calculator in Windows. The data will be the word “Hi” and the password will be “Pie”.
The first thing we do is convert Hi and Pie to hexadecimal. Hexadecimal is a number system based on 16, like our normal numbering system is based on 10. It just makes it easier to represent characters as numbers. In this case we’re taking each character and finding out what its hex ASCII value is. There are tons of converters online that can do this. I used this one. Here’s the hexadecimal representation:
Hi = 48 69
Pie = 50 69 65
Each two-digit combination represents one letter. If you look at the password you can tell that 50 is P, 69 is i, and 65 is e. Now that we have a numerical representation of the data and the password, we can open Calculator, put it in “Programmer” mode, set it to Hex and do the calculation. We want to multiply the Data by the Password:
4869 * 506965 = 16BE9FA26D
If we take the result and convert it back to text we get the following: ¾Ÿ¢m
No idea what the original message said now right? It’s effectively encrypted.
To get it back we just reverse the operation. We take the encrypted data and divide it by the password, and we should get the data back:
16BE9FA26D / 506965 = 4869
Convert 4869 back to text and we get “Hi”. It’s now decrypted.
Since any kind of computer data is really just a large number, this simple mathematical equation does the trick. But it only works for small amounts of data, and with a little algebra someone could figure out the password fairly easily: anyone who had both the original data and the encrypted data could divide one by the other and read off the password. If you had the encrypted data but no password, you wouldn’t know what to divide by to get the data back. For large amounts of data, or data that needs to be much more secure, a more complex equation or process has to be used.
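The calculator walkthrough above, reproduced in Python so the hex arithmetic can be checked, and extended with the “little algebra” weakness the paragraph mentions. This is an added example, not code from the original post; the function names (toy_encrypt, toy_decrypt, garbled_view, recover_password) are my own, and the cipher is the toy from the article, not anything PGP actually does.

```python
# Toy "Data * Password = Encrypted Data" cipher from the article, done with
# Python integers instead of Windows Calculator. Added example, not from the
# original post. It is a teaching toy only: recover_password() shows why
# multiplication by itself is not encryption.

def text_to_int(text: str) -> int:
    """Treat the ASCII bytes of a string as one big hexadecimal number.
    'Hi' -> 0x4869 and 'Pie' -> 0x506965, the values used in the article."""
    return int.from_bytes(text.encode("ascii"), "big")


def int_to_bytes(value: int) -> bytes:
    """Split a number back into bytes, one byte per two hex digits."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def toy_encrypt(data: str, password: str) -> int:
    """Data * Password = Encrypted Data (the Calculator step)."""
    return text_to_int(data) * text_to_int(password)


def toy_decrypt(encrypted: int, password: str) -> str:
    """Encrypted Data / Password = Data. The division has to be exact; a
    wrong password leaves a remainder, so we refuse rather than guess."""
    quotient, remainder = divmod(encrypted, text_to_int(password))
    if remainder:
        raise ValueError("wrong password: result is not a whole number")
    return int_to_bytes(quotient).decode("ascii")


def garbled_view(encrypted: int) -> str:
    """What the article saw when it pasted the hex result into a text
    converter: the bytes read as Windows-1252. The first byte, 0x16, is an
    invisible control character, which is why only '¾Ÿ¢m' shows up."""
    return int_to_bytes(encrypted).decode("cp1252")


def recover_password(plaintext: str, encrypted: int) -> str:
    """The algebra the article warns about: anyone who knows one message and
    sees its encrypted form can divide the two and read the password."""
    key, remainder = divmod(encrypted, text_to_int(plaintext))
    if remainder:
        raise ValueError("plaintext does not correspond to this ciphertext")
    return int_to_bytes(key).decode("ascii")


if __name__ == "__main__":
    ct = toy_encrypt("Hi", "Pie")
    print(f"4869 * 506965 = {ct:X}")                       # 16BE9FA26D
    print("as text:", repr(garbled_view(ct)))              # '\x16¾Ÿ¢m'
    print("decrypted:", toy_decrypt(ct, "Pie"))            # Hi
    print("password from one known message:",
          recover_password("Hi", ct))                      # Pie
```

Running it prints the same 16BE9FA26D the calculator produced and then shows the catch: one known message and its encrypted form are enough to recover the whole password.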
Pretty Good Privacy Encryption
Pretty Good Privacy takes basic encryption a bit further and uses a pair of keys and, in many cases, a password. Every person or entity using PGP has a public key and a private key.
The public key is used for encrypting the data, and the private key is used for decrypting it. When someone wants to send a message to someone privately, they take that person’s public key and use it to encrypt the data. The person receiving it then takes their private key, which only they have, and uses it to unscramble the data.
The public key can be sent to anyone, and as long as the private key remains only in that user’s control, it’s secure. No one without the private key can decrypt the data, or at least not easily.
You’ll note that this is one way only. Every person using PGP has their own key pair, and you never, ever share your private key. So two people communicating with each other securely need to exchange their public keys. Person A uses Person B’s public key when sending Person B a message, and Person B uses Person A’s public key when sending Person A a message.
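The two-person exchange just described, acted out with textbook RSA (the prime-factoring math the overview skipped over). This is an added example, not code from the original post and not how any PGP program actually works: real software uses large random primes, pads the message, and encrypts the bulk of the data with a symmetric session key. The key pairs here are constructed from four fixed Mersenne primes so the run is repeatable, and the names (make_keypair, encrypt, decrypt, alice_to_bob, bob_to_alice) are my own.

```python
# Textbook RSA with fixed primes, used only to show who holds which key in
# the Person A / Person B exchange. Added example, not from the original post.
# Not secure: no padding, small fixed primes, deterministic output.

from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int  # modulus; can be handed to anyone
    e: int  # public exponent


@dataclass(frozen=True)
class PrivateKey:
    n: int  # same modulus
    d: int  # private exponent; never leaves the owner's machine


E = 65537  # the usual public exponent


def make_keypair(p: int, q: int) -> tuple[PublicKey, PrivateKey]:
    """Derive a key pair from two primes. d is the inverse of E mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)
    return PublicKey(n, E), PrivateKey(n, d)


def encrypt(message: str, recipient_pub: PublicKey) -> int:
    """Sender side: needs only the recipient's PUBLIC key."""
    m = int.from_bytes(message.encode(), "big")
    if m >= recipient_pub.n:
        # Raw RSA can only carry a number smaller than n; PGP solves this by
        # encrypting a random session key, not the message itself.
        raise ValueError("message too long for this toy key")
    return pow(m, recipient_pub.e, recipient_pub.n)


def decrypt(ciphertext: int, priv: PrivateKey) -> bytes:
    """Receiver side: needs the matching PRIVATE key."""
    m = pow(ciphertext, priv.d, priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed key pairs. 2^61-1, 2^89-1, 2^107-1 and 2^127-1 are Mersenne
# primes, chosen only so the example is deterministic.
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)


def alice_to_bob(message: str) -> bytes:
    """Person A encrypts with B's public key; B decrypts with B's private key."""
    ct = encrypt(message, BOB_PUB)
    return decrypt(ct, BOB_PRIV)


def bob_to_alice(message: str) -> bytes:
    """The reverse direction uses the OTHER key pair: A's public, A's private."""
    ct = encrypt(message, ALICE_PUB)
    return decrypt(ct, ALICE_PRIV)


def wrong_key_attempt(message: str) -> bytes:
    """A message meant for Alice, 'decrypted' with Bob's private key: garbage.
    Only the private half of the pair used for encryption can undo it."""
    ct = encrypt(message, ALICE_PUB)
    return decrypt(ct, BOB_PRIV)


if __name__ == "__main__":
    print(alice_to_bob("Hi Bob"))                 # b'Hi Bob'
    print(bob_to_alice("Hi Alice"))               # b'Hi Alice'
    print(wrong_key_attempt("Hi Alice") == b"Hi Alice")  # False
```

Note what each side ever needs: only public keys travel between Alice and Bob, each private key is used solely on its owner’s machine, and the two directions of the conversation use two different key pairs.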
Get PGP Software
Since there is an open standard for PGP called OpenPGP, programs that can make use of it are easy to find.
Mailvelope – This is a Chrome extension that makes your web mail secure. I use this one personally, and it is very user-friendly. You can import keys generated by any OpenPGP based software, and possibly others. I highly recommend this one as it works with Gmail, Yahoo!, and Outlook.com (Hotmail) right out of the box and can possibly be configured for others. If your version of Chrome supports extensions, this should run just fine on it.
Gpg4Win – Pretty big piece of software, but it seems to be updated and current. I tested it with Windows 7 64-bit. It works just fine if you run it as an administrator. The key generation software is easy to use and fairly user-friendly. It also comes with a mail client you can use to send secure e-mail back and forth; the mail client is good for Outlook Express or Windows Mail users. It also seems to be free. It uses GnuPG, which is based on the OpenPGP open standard.
GPGTools – GnuPG’s Mac software. This looks much like Gpg4Win, just for Mac. This would be the software I suggest as it comes with everything you need right out of the box.
GnuPG – I’m a big fan of Ubuntu, and GnuPG has a Debian version that you can download. It looks like GnuPG is part of the standard packages you can download from Ubuntu. I was able to just download this from the GUI several years ago, so this is very easy to get now. They also have packages for other distributions.