Eli5 what is pgp key and how does it work

354 views

Eli5 what is pgp key and how does it work

In: 5

5 Answers

Anonymous 0 Comments

PGP stands for Pretty Good Privacy, as others have stated.

Say I want to create my very own PGP key. What I can do is run a special program on my computer that will generate a pair of extremely long numbers. One is called the public key, and the other is called the private key. They are mathematically linked in a very special way.

In essence, you can think of the public key as a padlock, and the private key as an actual physical key. The fact that they are both called keys is honestly pretty confusing to newcomers even though only one of them acts like a “key” in the way most people would think.

I take my public key and post it up for everyone to see on the public web. These are the PGP keys you see out in the wild.The private key, I keep to myself. I don’t let anyone see it, I don’t share it. Think of it like I’m mass-producing my padlocks, and putting them in stores all across the nation for people to buy and use, but not giving anyone the key to open them. These locks are completely unpickable and cannot be reverse-engineered by any real world device that currently exists at this time of writing.

Now say you want to send me a message in private. What you can do is go out and get one of my custom-made padlocks. Then, take the message you want to send to me, put it in an indestructible box, close it, and slap my padlock on it. Now that box is completely, impenetrably sealed. You can’t open it. If you send it in the mail and it gets intercepted, none of them can open it. Worst case, someone just takes it and prevents me from getting it, but no one can ever read it. Except me, that is, because if I do eventually get your locked box, I can open it with my key and read the message you put inside.

While this is more or less the system, it ignores a small wrinkle in how the actual system works. See, while you *can* take your entire message and use my special lock to secure it, it turns out that process in the real world is somewhat slow for computers to actually do. It’s a weird side effect of the extreme unpickability of my padlock, which it needs to have since it’s completely public. Instead, what you can do is make your computer generate a more efficient one-time-use lock and key on the spot. You then put your new padlock on the box containing your message, and instead put my special padlock on a tinier box that only has the key to your new lock, and you send me both boxes. I can use my key to unlock the tiny box, get your one-time-use key, open the second box, and I throw the one-time-use padlock and key away.

The final major piece of PGP is crytographic signatures. This one is a little harder to explain by analogy. Essentially, if you have your own set of public and private PGP keys, you can use your own private key to “sign” your message, like you would sign your name on a written letter, done in such a way that I can use your public key to check if it really was you who sent it. So, in addition to guaranteeing that no one other than I can read your message, you can also provide proof that you were the one who wrote it, so I can be sure I’m not getting a message from an imposter.

The diagram on [the Wikipedia article for PGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) makes the process I laid out rather clear. I also think that [this YouTube video](https://www.youtube.com/watch?v=6H_9l9N3IXU) provides an excellent visual of the encryption and decryption steps with the public and private keys (which is only part of PGP, but it’s the most crucial part of it).

You are viewing 1 out of 5 answers, click here to view all answers.