[olug] quick pgp question

Daniel Linder dan at linder.org
Thu Jun 10 16:02:48 UTC 2004

Just to help a bit, I tracked down some "How PGP works" pages and links. 
I think they might help clarify a bit here:

Overview: How PGP works: http://www.pgpi.org/doc/pgpintro/

"Signed e-mail"
 - See: "Digital Signatures" http://www.pgpi.org/doc/pgpintro/#p12
 - Basically the e-mail is sent in plain text and an encrypted "hash" (a
checksum which is then encrypted with the _senders_ private key) of the
body of the e-mail is attached.  If a man-in-the middle tries to change
something in the e-mail, the recipiant computer can compute the hash of
the e-mail text it received, then decrypt the hash value (using the
_senders_ public key) sent with the e-mail and compare the two.  If they
match, then there is a high confidance that the e-mail has not been
tampered with.

"Encrypted e-mail"
 - See: "How PGP works" http://www.pgpi.org/doc/pgpintro/#p10
 - In this case, the e-mail is compressed and encrypted with a ramdom,
symmetric, one-time "session key", and then the session key is encrypted
with the _receivers_ public PGP key.  The recipiant computer then
decrypts the session key with the _receivers_ private key, then uses that
key to decrypt the e-mail.
 - In addition, the encrypted e-mail inside /could/ be "signed" (see
above) as an additional security measure.  By doing both these steps, you
ensure that:
 (1) Only the intended receiver (or whomever has the "private keys") can
read the e-mail [encrypting].
 (2) That the entity doing the sending was really who they say they are


Daniel Linder

More information about the OLUG mailing list