You run your message through an algorithm which produces a fixed length hash. The hash is then signed with your private key.

The nature of asymmetric encryption is that whatever is encrypted with one key can only be decrypted with the other. So whatever is encrypted with your private key can only be decrypted with your public key.

If they get the message, produce the hash, then decrypt your signature with your public key, then your unencrypted hash should match the one they generated themselves. If it doesn’t, then that means:

The message was corrupted or modified in transit, resulting in them getting the wrong hash; or the hash wasn’t encrypted with your private key because they were unable to correctly decrypt it with your public key.

It uses encryption that works with a pair of digital keys. Kinda like two different passwords.
One is considered the “private key” and the other the “public key”

As the names suggest, the privare key stays in the hands of the owner of the key pair while the public key can be shared with the public.

If something is encrypted with either of those keys, only the other key of that pair can decrypt it.

So a member of the public can use the public key to encrypt something, which then can only be decrypted by the owner of the private key. Noone else of the public can decrypt/read that message.

On the other hand, if the owner encrypts something with the private key, anyone in the public that got the public key can decrypt it.

So if you get a mail from someone which contains additional encrypted information (let’s call it a digital signature) and you can use the public key of that person to decrypt that signature, you can be sure it came from them (or their private key was stolen 😉)

The signature is also related to the content of the mail. So if the mail was tampered with you would see that.

So a pgp signature can verify the authenticity and integrity of a mail or any other digital media.

Imagine we make a locked box that has two different keys that might open it. I share one with you, and keep one key.

Later, you receive a locked box and are told it has a message from me. But when you insert your key, the box does not unlock. You meet up with me and show it to me. I’m confused: I didn’t send you any boxes. I try my key, and the box does not unlock. There’s only one explanation: someone lied to you about who sent you the box.

That’s more or less how digital signatures work.

An “encryption algorithm” is math that needs two inputs: a “key” used by the math and “plaintext” representing the data you want to encrypt. PGP is a kind of algorithm that uses “shared keys”. That means its math is designed so there are two keys: a “public key” and a “private key”, and if you “lock” the data using one key, you can “unlock” that data using the other key. (In this case, “lock” means it gets garbled and reorganized so much a person who has it can’t tell what it originally was.) That’s basically the lockbox I just described. I have a “private key” that I keep secret from everyone else, but I also have a “public key” I let other people have. If I lock something with my private key, they can unlock it with my public key. If they lock something with my public key, my private key is the only thing that unlocks it.

Signatures use encryption, but don’t have to encrypt the data they’re protecting. Suppose I want to send you an email, and I want you to be SURE the email came from me. It’s not so private I want to encrypt it, but it’s important to know it really came from me.

I can do some quick, simple math on the email to get a “checksum”. Let’s simplify that and say I just make a new piece of text out of the first letter of every word in the email. Then I can encrypt that new text with my private key, and attach it to the email. This attachment is my “signature”.

Now when you get the email, you check my “signature”. You use my public key to “unlock” the data. You see it’s a string of characters, and that string is the first letters of every word in the email. Now you know two things:

1. The email HAD to have come from me, because if my public key “unlocked” the data it could only have been “locked” with MY private key, which I keep secret.
2. If someone has tampered with the email, they had to be VERY careful to not change the first letters of the words, so it’s very unlikely it’s been tampered with.

This is more or less how PGP signatures work. The “keys” are VERY big numbers, like “I have a thousand digits” big, so it’s ridiculously unlikely someone can just guess a person’s private key. There’s not a reversible relationship between the public key and private key, so knowing the public key doesn’t help people guess a private key. The “checksum” used is a lot more complicated than “the first letter of every word”, so the signature gives a much better confidence the message has not been tampered with.

The only way it breaks is if someone manages to steal a private key and the owner doesn’t know.

Public key crypto is a special kind of crypto.

Instead of the normal crypto in which your encrypt en decrypt (opposite actions) with the same key (password), you employ the same action with inverse keys.

The keys used are called the *private* and *public* keys are are mathematiclaly related.It is not feasible to derive one key from another, both are generated at the same time.

Every entity has their own key-pair consisting of both a private and public part.

As the name suggest, the private key is only known by one entity, while the public key is known and shared to everybody involved.

If I want to *encrypt* a message to you, I use *your public key*. I am sure only you can read (decrypt) it as I assume only you have the corresponding private key.

If I want to *sign* a message (PGP signature) to you, I use *my own private key*. You can verify the signature with my public key and you trust the message comes from me as you assume only I am in possesion of that private key to create that signature.

(Most PGP signed messages use a combination and are also encrypted.)