The superiority of PGP encryption

PGP (Pretty Good Privacy) is currently the most popular encryption software. It is mail encryption software based on the RSA public-key encryption system. It can keep a message confidential so that unauthorized people cannot read it, and it can digitally sign a user's message so that the recipient can be sure of the sender's identity. It lets users communicate securely with people they have never met, without needing any secret channel to pass the key, because it uses an asymmetric "public key" and "private key" encryption system.

PGP is not, however, a purely asymmetric encryption system. It is a hybrid that consists of a symmetric encryption algorithm (IDEA), an asymmetric encryption algorithm (RSA), a one-way hash algorithm (MD5) and a random number generator (which produces a pseudo-random number sequence from a seed derived from the user's keystroke frequency). Each algorithm is an integral part of PGP. Half of the reason PGP became popular and widely accepted is that it brings together the advantages of several encryption algorithms so that they complement one another.

The biggest security problem of a "public key" and "private key" encryption system is that published public keys can be tampered with, which affects the decryption of files. PGP uses this kind of system too, and every "public key" and "private key" can be generated by the user without a specialized certification body, but it has a fairly complete key management system. The other half of PGP's advantage therefore lies in its unique key management system. Below we analyze the superiority of PGP encryption from two angles: its encryption mechanism and its key management.

1. The encryption mechanism of PGP

In modern society, e-mail and file transfer over the network have become part of everyday life, and the security of messages has become a prominent concern. As we all know, data transmitted over the Internet is not encrypted.
If users do not protect their own information, a third party can easily obtain their private data. Another problem is message authentication: to convince the recipient that a message has not been tampered with by a third party, digital signature technology is needed. The characteristics of the RSA public-key system make it well suited to both requirements: confidentiality (privacy) and authentication.

The founder of PGP is the American Phil Zimmermann. His creativity lay in combining the convenience of the RSA public-key system with the high speed of traditional encryption systems, together with a clever design for digital signatures and for the key authentication and management mechanism.

The RSA (Rivest-Shamir-Adleman) algorithm is a public-key system based on the assumption that large numbers cannot be factored into their prime factors. Put simply, two very large prime numbers are found; one is made public and the other is told to no one. The public one is called the "public key" and the other the "private key" (Public Key and Secret Key, or Private Key). The two keys are complementary: ciphertext encrypted with the public key can only be decrypted with the private key, and vice versa.

Suppose A sends a letter to B and each knows the other's public key. A encrypts the mail with B's public key and sends it; on receipt, B uses his own private key to recover the original text. Because nobody else knows B's private key, even A cannot decrypt the letter, which solves the problem of confidentiality. On the other hand, because everyone knows B's public key, anyone can send a letter to B, so B cannot be sure whether a letter really came from A. This is where digital signatures are needed: a digital signature confirms the identity of the sender.
PGP's digital signature makes use of a function called a "message digest". Simply put, an algorithm computes from a message a number that best captures its characteristics; once the message changes in any way, this number changes too. So this number, together with the user's name (actually contained in the user's key), the date and so on, can serve as a signature. Specifically, PGP uses a 128-bit binary number as the message digest, and the algorithm used to generate it is MD5 (Message Digest 5). MD5's author is Ron Rivest; the code used in PGP was written by Colin Plumb. MD5 is a one-way hash algorithm. Unlike a checksum, it is difficult to find a substitute message that has the same MD5 value as the original.

The process by which PGP signs and encrypts a message is as follows. First, A encrypts the 128-bit value with his own private key and attaches it to the message, and then encrypts the entire message with B's public key. (Pay attention to the order here: if the message were encrypted first and signed afterwards, someone else could strip the signature and attach his own, thereby tampering with the signature.) When B receives this ciphertext, B decrypts the mail with his own private key and obtains the original text and the signature. B's PGP also computes a 128-bit value from the original text and compares it with the number obtained by decrypting the signature with A's public key; if the two match, the mail was indeed sent by A. Both security requirements are thus met.

PGP can also sign without encrypting. This suits public statements: when the author of a statement wants to prove his identity (on the Internet this is the only way), he can sign it with his own private key, so that recipients can confirm the sender's identity and the sender cannot later deny the statement. This has great application in the commercial field, since it prevents both the sender from repudiating a letter and the letter from being tampered with in transit.

Why does PGP use RSA together with a traditional encryption algorithm?
Because the RSA algorithm is computationally very expensive and too slow for encrypting large amounts of data, what PGP actually uses to encrypt the message is not RSA itself but a traditional encryption algorithm called IDEA, also known as a "symmetric encryption" method. A traditional encryption method encrypts the plaintext with one key and decrypts it with the same key. This method is represented by DES (the US Data Encryption Standard), that is, multiplication encryption. Its main drawbacks are that the key length is short and that it cannot solve the problem of securing the channel over which the key is delivered, so it does not suit the needs of mail encryption in a network environment. IDEA is a patented algorithm whose patent holders are ETH and a Swiss company, Ascom-Tech AG. IDEA's encryption (and decryption) speed is much faster than RSA's, so in practice PGP generates a random key (a different one for each encryption), encrypts the plaintext with IDEA under that key, and then encrypts the key with RSA. The recipient likewise uses RSA to recover the random key and then uses IDEA to decrypt the message itself. This chained encryption achieves both the confidentiality of the RSA system and the speed of the IDEA algorithm. Half of PGP's creativity lies in this point. Why was the RSA system, proposed in the 1970s, not widely used for so long? It was too slow! Where is the other half of PGP's creativity? It is the key management that I want to talk about here.

2. The key management of PGP

A mature encryption system must have a mature key management mechanism to match. The public-key system was proposed to solve the problem that keys are hard to keep secret while they are being distributed in a traditional encryption system. For example, one of the common techniques of network hackers is "listening" (eavesdropping), so transmitting a key over the network is far too dangerous. For PGP, the public key is meant to be public, so eavesdropping on it is not a problem.
However, publishing public keys still raises security issues, such as public key tampering, which may be the biggest vulnerability of a public-key cryptosystem. The user must be sure that the public key he holds really belongs to the person who is meant to receive the letter. To make this clear, let us take an example and then explain how to use PGP properly to close this hole.

Suppose user A wants to send a letter to User B. User A must first obtain User B's public key, so he downloads it from a BBS or gets it some other way, encrypts the letter with it and sends the letter to B. Unfortunately, unknown to A and B, another user C has slipped into the BBS or the network and has listened in on or intercepted User B's public key. C then replaces User B's public key with a public key generated in his own PGP system under User B's name, and either places it on the BBS or sends it directly to user A as "User B's public key". The public key that user A uses to send the letter has thus been swapped: it is actually another public key that user C generated while masquerading as User B. Nobody becomes suspicious, but User B cannot decrypt the letter from user A with his own private key. Worse, user C can also forge User B's signature on letters to user A or to others, because the public key in user A's hands is forged and user A will believe the letters come from User B.

The best way to prevent this is to give nobody else the chance to tamper with the public key, but that is very hard to do. One way is to get the public key directly from B himself, but this is not possible when he is far away or cannot be reached in time. PGP therefore developed a public key introduction mechanism to solve the problem. The idea is that user A and User B have a common friend D, and D knows that the copy of B's public key in his hands is correct.
D then becomes a notary between users A and B. To prevent others from tampering with his public key, User B uploads the copy of his public key signed by D to the BBS for users to download. To obtain User B's public key, user A must first obtain D's public key and use it to check D's signature on the copy of B's public key taken from the BBS or the Internet. This amounts to double insurance: generally nobody, not even the BBS administrator, can tamper with the key without users noticing. This is the secure way to pass public keys over a public channel.

At this point someone might ask whether relying on a single notary's signature is a little weak. PGP has of course thought of this: you can collect copies of your public key signed by different people and post them together in public places, in the hope that most people will know at least one of the signers and can thereby authenticate your public key indirectly. Likewise, a user who has signed a friend's public key should send the signed key back to him, so that the friend can be authenticated through that user by the user's other friends. It is rather interesting: it is just like the way people get to know one another in the real world. PGP automatically examines the public keys the user obtains and divides them into different trust levels, for the user's reference in deciding how much to trust them. You can also specify how many levels of public key introduction a person is allowed to perform; this ability decreases as the authentication is passed along.

One might also ask: how do you safely get the public key of D or of the other signing friends? It is true that the public key of D or of the other signing friends that user A obtains could also be forged, but this would require user C to be familiar with all three of you, or even with many of you, which is unlikely and would have to be planned over a long time.
Of course, PGP also has a suggestion for guarding against this possibility: let a person or body that is universally trusted play this role. It is known as a certification authority, and every public key it has signed is considered genuine, so everyone only needs a copy of its public key. Authenticating its public key is convenient because it provides this service widely, and counterfeiting its public key is extremely difficult because that key is so widely circulated. Such an "authority" is best run by an organization not controlled by any individual or by a government body. Organizations with hierarchical certification systems now exist; the Guangdong Province e-Commerce Electronic Attestation Center (www.cnca.net), for example, is one such certification authority.

For users who are widely dispersed, PGP favours the private method of key referral, because this unofficial approach better reflects people's natural social interaction, and people are free to choose whom they trust to act as notary. In short, it works just like relationships between people who do not know each other. Each public key has at least one "user name" (User ID). Use your own full name, preferably together with your e-mail address, to avoid confusion; this is the form of electronic key authentication that PGP recommends.

Each PGP key has its own identifier (keyID). The keyID is an 8-digit hexadecimal number, and the chance of two keys having the same keyID is very small. PGP also provides a more reliable way to identify a key: the "key fingerprint". Each key corresponds to a string of digits (sixteen 2-digit hexadecimal numbers), and it is even rarer for a fingerprint to be duplicated. Nobody can generate a key that has a chosen fingerprint: keys are generated randomly, and a key cannot be derived backwards from its fingerprint. Once a user has obtained someone's public key, he can check the fingerprint with that person over the phone to authenticate the key.
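The sign-then-encrypt flow and the introducer check described above, combined in one added example that is not code from PGP or from the original article. It assumes textbook RSA without padding on small known primes, a SHA-256 keystream standing in for IDEA, and hypothetical names (`seal`, `open_sealed`, `accept_key`, and the constructed keys `A`, `B`, `C`, `D`).

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Textbook RSA (no padding, toy sizes): returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def md5_int(data):
    # 128-bit MD5 digest as in the PGP version the article describes (legacy hash)
    return int.from_bytes(hashlib.md5(data).digest(), "big")

def sign(data, n, d):
    return pow(md5_int(data), d, n)         # digest "encrypted" with the private key

def verify(data, sig, n):
    return pow(sig, E, n) == md5_int(data)  # digest recovered with the public key

def fingerprint(n):
    h = hashlib.md5(n.to_bytes(32, "big")).hexdigest().upper()
    return " ".join(h[i:i + 2] for i in range(0, 32, 2))  # sixteen 2-digit hex numbers

def stream_xor(key, data):
    # Stand-in for IDEA: XOR with a SHA-256 counter keystream; the same call decrypts
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(msg, sender, rcpt_n):
    """Sign first, then encrypt signature + message under a fresh random session key."""
    sig = sign(msg, *sender).to_bytes(32, "big")
    session = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session, "big"), E, rcpt_n)  # RSA protects only the key
    return wrapped, stream_xor(session, sig + msg)

def open_sealed(wrapped, body, rcpt, sender_n):
    session = pow(wrapped, rcpt[1], rcpt[0]).to_bytes(16, "big")
    plain = stream_xor(session, body)
    return plain[32:], verify(plain[32:], int.from_bytes(plain[:32], "big"), sender_n)

def accept_key(n, cert, introducer_n):
    """Accept a downloaded public key only if the introducer's signature covers it."""
    return verify(n.to_bytes(32, "big"), cert, introducer_n)

# Constructed toy keys: sender A, recipient B, introducer D, impostor C
A, B = make_key(2**127 - 1, 2**19 - 1), make_key(2**107 - 1, 2**31 - 1)
D, C = make_key(2**89 - 1, 2**61 - 1), make_key(2**130 - 5, 2**17 - 1)
CERT_B = sign(B[0].to_bytes(32, "big"), *D)  # D vouches for B's real public key
```

With these constructed keys, `accept_key(C[0], CERT_B, D[0])` is false, which is how A detects the substituted key before encrypting anything to it.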