CREN
Strategic and Practical FAQ � CA Launching
Draft 1.7, November 26, 2001
1. What is PGP?
Pretty Good Privacy
was originally developed by Phillip Zimmerman to provide a means of secure
communication in an insecure electronic environment.� �Pretty Good� is an
understatement.� The framework
that it is based on, the PKI (Public Key Infrastructure) and its
encryption standards (such as Diffie-Helman or RSA algorithms of varying
strengths) have been subjected to rigorous cryptanalysis.
PGP has since grown into a
more versatile application under the direction of its current owner,
Network Associates (www.nai.com). Until the most recent release
PGP has been completely open source, allowing anyone to review the code
and suggest improvements.
2. Why Do I Want to Use PGP?
PGP is another security tool similar to digital
certificates.� One advantage of
PGP is that individuals and small groups can begin using PGP for securing
their email with little overhead.�
At CREN, we use PGP to set up a secure communication channel with
institutions applying to have the CREN CA sign their institutional
certificate.��
Part of the process is that
a validated Technical Contact send the official CSR Certificate Signing
Request) to the CREN contact.� PGP
is used to establish the secure communication channel that supports this
part of the application process. It is also important that the Technical
contact retain this �out-of-band� communication channel for
communications.
Getting PGP is easy.�
Here are the ways to do this.
The freeware version of PGP can be downloaded from
any of the following sites:
From PGP (owned by NAI)����������https://n>https://www.pgp.com/products/freeware/default.asp
����������������������������������������������� (Windows
and Macintosh Versions)
From MIT�������������https:// https://web.mit.edu/network/pgp.html
����������������������������������� (Windows, Macintosh,
AIX/HP-UX/Linux/Solaris)
PGP international������� https://www.pgpi.org
(Many versions, with translations
into many languages, PGP news.)
Licensed versions of PGP can be
bought at:
McAfee
- https://mcafeestore.beyond.com/Product/0,1057,3-18-ML100111,00.html
3. How does PGP
work?
The
first step in using PGP after installing the software onto your systems,
is to generate a key for yourself.�
In generating a key, the software generates a key pair. These are
simply text files that look like gibberish to a human. The keys can be
created at various levels of strength, such as 512, 1024, or 2048 bit
strengths. The higher the number, the stronger the encryption values are
of the key.� One key of the pair
is the Private key � this key should always be kept safe and never given
to anyone.� The other key is the
public key � this key should be given to as many people as possible.
4. What are the uses of PGP?
The most commonly
used aspect of PGP is the signing and encryption of email or files.� �Signing� a document is a way of
verifying the integrity of the original work.� The steps that PGP implements are as follows:
a. Makes a
digest or �hash� of the file or email.�
A hash is an algorithm that produces (theoretically) a unique
output (the hash) from a given input (the message).
b. Adds the
hash to the end of the message.
c. When someone
wants to verify that the message has not been modified, they run the hash
algorithm on the message and compare it to the hash at the end of the
message.� If the signatures match,
the message has not been altered.
This is demonstrated in the
following example:
The hash
algorithm: take every third letter of the message (ignore punctuation),
and convert the letter to a number (a=1, b=2�z=26).� Add the numbers together.
The
message:� Hello, This is a sample
message to demonstrate signatures.
The hash
algorithm in progress:
Hello, This is a sample message to demonstrate signatures.
12 +20+19 + 1 +13 +5 +19 +7 +15
+13+19 +1 +19+14+21+19 = 217
The message
after adding the hash:
����������� Hello, This is a sample
message to demonstrate signatures.
Hash
value: 217
If the message is altered, the
hash value will not be the same.
����������� Altered message:
����������� Hello, This is an altered
message to demonstrate signatures. - Creates a new hash:
Hello, This is an altered message to demonstrate signatures.
12 +20+19 +1
+12+18 +13+19 +5 +4+ 15 +20 +20 +9 +1 +18 = 206
Since the
hashes are not equal, the message has been altered.
Actual hashing algorithms are
much more complex.� Additionally,
the hashing algorithm is used in conjunction with the user�s private key
in such a way that the signature is unique. That is, if different people
(thus different private keys) signed the same email, the signatures would
be different.� Then the public key
of the key pair is used to compare the hash created by the private key,
and if the hashes match, then two things are assured:� 1) The message has not been modified
since signing and 2) the signature was not forged.
5. How is encryption used with
digital signatures?
Encryption is a
method of changing plaintext (text that is readable by humans) into
ciphertext (text that is meaningless to humans).� There are many different ways of
encryption, some stronger than others.�
Two main categories of encryption are symmetric and
asymmetric.� In symmetric
cryptography, the same key that encrypts a file also decrypts it.� In asymmetric cryptography, which is
what PGP uses, one key (the public key) encrypts the file, and the other
key (the private key) decrypts it.�
So, if user A wants to send an encrypted message to user B, user A
would first obtain user B�s public key.�
This is possible because public keys are meant to be widely
distributed.� Then user A encrypts
the message using user B�s public key.�
The encrypted message can now only be decrypted with B�s private
key, which only he possesses.� Not
even user A, who wrote the message, can decrypt what he has encrypted,
because he does not possess user A�s private key.� This ensures that the message is
unreadable by anyone other than user A.
Encryption and
signing are often combined.� In
this scenario, user A would use user B�s public key to encrypt the
message, then use his own private key to sign the message.� This will ensure that no one but user
B can read the message, and when user B receives it, he can be assured
that the message was not altered.�
To read the message, user B would first use user A�s public key to
verify that the signature matches.�
Then user B would use his private key to decrypt the message that
user A wrote.
�����������
For more
information on PGP, visit www.pgp.com.
Please send comments/suggestions to
cren@cren.net
|
