Each public and private key in PGP is accompanied by a key certificate. It generally contains the following content:
Key content (a key represented by a large number up to hundreds of digits)
Key type (indicating whether the key is a public key or a private key) key)
Key length (the length of the key, expressed in binary bits)
Key number (used to uniquely identify the key)
Create Time
User ID (information about the key creator, such as name, email, etc.)
Key fingerprint (a 128-bit number, which is a summary of the key content) The unique characteristics of the key)
Intermediary signature (digital signature of the intermediary, stating the authenticity of the key and its owner, including the intermediary’s key number and identification information)
< p>PGP stores the public key and private key in the key ring (KEYR) file. PGP provides efficient algorithms to find the keys that users need.PGP requires passwords in many places, which mainly protect private keys. Because the private key is too long and irregular, it is difficult to remember. PGP encrypts it with a password and stores it in the key ring, so that users can indirectly use the private key with an easy-to-remember password.
Each private key of PGP is encrypted by a corresponding password. PGP mainly requires the user to enter a password in three places:
When the encrypted information needs to be decrypted, PGP requires the user to enter the password and take out the private key to decrypt the information
When the user needs to decrypt the file or When signing information, the user enters a password and takes out the private key for encryption
When performing traditional encryption of files on the disk, the user needs to enter a password
2. The above introduces the workflow of PGP. The following will introduce the encryption and decryption methods related to PGP and the key management mechanism of PGP.
PGP is an encryption software for public use. Emails are transmitted through open networks, and others on the network can monitor or intercept emails to obtain the content of the emails. Therefore, email security issues are more prominent. To protect information from being obtained by a third party, encryption technology is required. Another issue is information authentication. How to make the recipient convinced that the email has not been tampered with by a third party, which requires digital signature technology. The characteristics of the RSA public key system make it very suitable to meet the above two requirements: confidentiality (Privacy) and authentication (Authentication).
RSA (Rivest-Shamir-Adleman) algorithm is a public key system based on the assumption that it is impossible to factorize large numbers into prime factors. Simply put, it is to find two very large prime numbers, one that is public and the public key, and the other that is not told to anyone, that is the private key. These two keys are complementary, which means that ciphertext encrypted with the public key can be decrypted with the private key, and vice versa.
Suppose A wants to send a letter to B, and they know each other's public key. A uses B's public key to encrypt the email and sends it. After B receives it, he can use his own private key to decrypt A's original text. Since no one else knows B's private key, even A himself cannot decrypt the letter, which solves the problem of keeping the letter confidential. On the other hand, since everyone knows B's public key, they can all send a letter to B, so B cannot be sure whether it is a letter from A. At this time, a digital signature is needed for authentication.
Before explaining digital signatures, we need to explain what a "message digest" is. Email digest is to use a certain algorithm to calculate a number that best reflects the characteristics of the email. Once the email is changed, this number will change. Then this number plus the author's name (actually in the author's key (in) and the date, etc., it can be used as a signature. PGP uses a 128-bit binary number as the "mail digest", and the algorithm used to generate it is called MD5 (message digest 5). MD5 is a one-way hash algorithm. Unlike the CRC check code, it is difficult to find a replacement email with the same MD5 characteristic value as the original.
Back to the digital signature, A uses his private key to encrypt the above 128-bit characteristic value, attaches it to the email, and then uses B's public key to encrypt the entire email. In this way, after the ciphertext is received by B, B uses his own private key to decrypt the email and obtains A's original text and signature. B's PGP also calculates a 128-bit characteristic value from the original text and uses A's public key to decrypt it. Compare the numbers obtained from the signatures. If they match, it means that the email is indeed from person A. In this way both security requirements are met.
PGP can also only sign without encrypting. This is suitable for making public statements. In order to verify his or her identity, the declarant can sign with his or her private key. This allows the recipient to confirm the identity of the sender and prevents the sender from denying his statement. This has great application prospects in the commercial field. It can prevent the sender from denying the letter and the letter from being tampered with on the way.