Let’s start with the basics: so what is encryption? Encryption is used to ensure that certain information doesn’t get into the wrong hands. It does this by making information impossible to read without the correct keys (in other words, the password).
Encryption is a process where you scramble information to make it impossible to read, turning it into “ciphertext”. Decryption is when you unscramble the information to make it readable again, turning it into “plaintext”. Any information can be encrypted: text, emails, files, and even entire hard drives.
There are lots of different methods of encryption, each using different algorithms with their own advantages and disadvantages (such as AES, RSA, Twofish, Elgamal), but we don’t need to actually understand them to use them. However, we will learn about the two main types of encryption: symmetric encryption and asymmetric encryption. In the case of symmetric encryption, it simply means that the same key (or password) is used to encrypt and decrypt. Let’s take a look at how Alice and Bob use symmetric encryption.
[tweet_box design=”box_02″]Are you more of a symmetric encryption or asymmetric encryption kind of person?[/tweet_box]
Alice and Bob are working together on a new project. They send each other lots of stuff over email, but they know that their competitor, Eve, could be monitoring their emails. They want to make sure Eve doesn’t hear about their work before it’s published. So they meet at a coffee shop and decide to use a password for encrypting all their emails, and the password is “wateristhesourceoflife”. Next time Alice needs to send Bob an email on the project, she encrypts it using the password:
Symmetric encryption is pretty simple: you encrypt plaintext into ciphertext and decrypt the ciphertext back into plaintext using the same password. However, this has a limitation: Alice and Bob needed to meet in person, to make sure that Eve couldn’t hear the password.
Sometimes, you want to use encryption with people that you can’t meet (like people you meet over the internet). This is where asymmetric encryption comes into the picture.
Asymmetric encryption and PGP
Asymmetric encryption means that there are two different keys for encryption and decryption, and this is done using keypairs. Each person has a public key and a private key: the public key is shared with everyone and the private key is stored safely and not shared. The public key is used to encrypt, and the private key is used to decrypt. This way, Alice can share her public key with everyone, including both Bob and Eve, while keeping her private key safe. Bob (and Eve) can encrypt a message with her public key, but only the private key (which Alice has) can decrypt the message. When Alice wants to send a message to Bob, she uses Bob’s public key to encrypt, while Bob will use his own private key to decrypt.
The advantage of using asymmetric encryption is that everyone has their own encryption channel: I can share my public key with everyone and be ready to receive encrypted messages from anyone. Another advantage of asymmetric encryption is that it allows for people with private keys to sign information and people can verify the signature with the public keys. But we’ll get back to this later.
PGP is actually the name of a program that was first written back in 1991, and is basically what initially took asymmetric encryption from an academic concept to something usable, thanks to computers. You may have also heard of GPG, GnuPG, OpenPGP and have gotten confused… Let’s just say that everything we’ll do here is based on the OpenPGP standard.
How does one use PGP?
PGP is generally used for communication, meaning the encryption of text that is meant for someone else to read. If you’ve been asked to encrypt your communications with someone using PGP, or if you’d like to just see what this is all about, we’ll try a very simple example.
Let’s try using PGP with a simple program for Windows called Portable PGP. On Linux I use GPA, but there is a variety of programs to choose from. Just make sure that you use a trustworthy and open source option!
Unlike in symmetric encryption, asymmetric encryption means that sending and receiving messages is a different process requiring different keys. Let’s say we want to let people send us encrypted messages. For this we’ll need to generate a keypair and share our public key while keeping our private key safe.
Generating and sharing Keys
When we run the program for the first time, it will ask us if we would like to generate a new keypair – let’s do it!
We don’t need to fill anything out, it’s all optional. However, you should probably add a passphrase: this protects your private key in case anyone hacks your computer.
New keypairs can always be generated in the section named “Keyring” by clicking on the keyring icon next to Private Keys.
Now that we have a keypair, let’s go ahead and export our public key by clicking the public key we want to export (the one we just made) and then clicking the floppy disc icon next to Public Keys. Save the file (which is your public key) wherever is comfortable.
This file that we saved is what we share with people who want to send us encrypted messages. We can upload it to the cloud, send it as an email attachment and generally make it public. Our private key is saved on our computer, and we can export it if needed (make sure it’s got a passphrase).
So now that we have our keys, people can send us encrypted messages. What does this look like? Let’s pretend we’re someone who wants to send you an encrypted message. This person would have to get your public key and import it (simply using the import button next to Public Keys). After they import it, we can go to the Encrypt section and begin to write our message. We can also encrypt a file. We just have to make sure that we choose the correct target (the recipient), to encrypt the message/file with their public key. Once we’re ready, all that’s left is to click the “Encrypt” button.
If we encrypted a file it will ask us where to save the encrypted file (so that we can then send to the recipient). If we encrypted a message, it will show us the ciphertext and we can then copy it or save it as a file, so that we can then send it.
Now let’s say that someone sent us this message by email. It’s quite obvious that anyone snooping on our emails won’t be able to understand anything. But since it was encrypted with our public key, we can read it with our private key. Let’s try that. We’ll go to the Decrypt section and paste the ciphertext, and then click the “Decrypt” button.
If our private key is protected by a passphrase, we’ll need to enter it now. We will then get our plaintext message.
And that’s it! That’s what it looks like to send and receive messages with PGP.
Signing and verifying messages
As we said earlier, another advantage of asymmetric encryption is that it allows us to sign and verify messages. This is similar to encryption, except the other way around: we sign messages with private keys and people can verify this using public keys.
People generally use this to prove they are who they claim to be over the internet It works very much like signatures used on paper, except with encryption it’s actually useful because it’s practically impossible to counterfeit. The process is pretty much exactly the same, except done through the “Sign” and “Verify” sections.
I know that hardcore security experts always have nitpicking to do and will probably have a problem with this article, which is why I’ll recommend for everyone who wants to use PGP and encryption in general for sensitive information to do their research.
Encryption is one of those fields that are constantly evolving. With enough time, these methods will be obsolete and newer methods will be needed. Cryptography is a fascinating field, and if you search around you won’t be lacking reading material. Keep safe and have fun!