Why would you use something like PGP if you have to send your encryption key unencrypted to the party you are sending to? And if you leave this key out on something like Twitter for example, couldn’t law enforcement or a third party if they gained access to the other person’s email still read the contents of the encrypted email by using this key? Doesn’t this defeat the purpose of using encryption?
The public key / private key paradigm doesn’t exactly work like this, but this analogy helps you understand it pretty well:
You want to send something to someone securely, but you don’t entirely trust them. So you send them the thing in a lock box that has space for two padlocks. When you send it to them, you lock it with your padlock in one of the places that a lock can be secured. You keep your key, and then you send it to them. When they receive the box, they then lock it with their padlock, in the other space. They keep their own key. Then, they send the box back to you.
When you receive the box, you unlock and remove your padlock. The box is still secured with their padlock, which you don’t have the key for. You send the box back to them.
Finally, they unlock their own padlock, and they can open the box. They are able to access the secure contents of the box. You didn’t need to give them your key, and they didn’t need to give you theirs.
No. Asymmetric, AKA public/private key, encryption isn’t compromised by sharing your public key. Asymmetric encryption uses two different keys to encrypt and decrypt messages. The public key (which you share) is for encrypting messages to you. The private key (which you don’t share) is the only way to decrypt messages. Your public key won’t work for decrypting messages, so nobody intercepting a message can read it.
In order to have a PGP encrypted conversation with somebody, you need to exchange public keys, so that you can each encrypt a message for the other person. But only the person with the correct private key can decrypt it.
The encryption serves as proof that “you” sent it. It’s effectively a signature and the public key is how you verify it.
When you make a new encryption key, you’re making a pair of two keys. There’s a private key, which you can use to encrypt, and a public key, which can be used to decrypt. Thanks to fancy math, this is one way and you can’t reverse engineer the private key.
For the purpose of private conversation, there are key exchange protocols to produce a “shared secret” for end to end encryption. Again, fancy math is involved.
When you use those kinds of systems you have 3 keys.
A Public Key you display publicly unencrypted.
A Private Key you never send.
And a Random Key which you send encrypted.
You need your Private Key in order to read anything encrypted with your Public Key.
The math makes it very very hard to figure out your Private Key if you have only the Public Key. Even if you have a whole bunch of messages and know exactly what they say, it’s still way too hard for people to do it.
The problem is the math for this whole Public Key/Private Key business takes a lot of computing power to do.
So rather than do the whole email like that, they use a cipher that’s faster, and just use the Public Key/Private Key to send the key for that one.
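The three-key scheme described in the answer above, as an added example that is not part of any answer on this page: a random session key encrypts the message, and only that key is encrypted with the recipient's public key. It assumes textbook RSA without padding, a demo key built from two publicly known Mersenne primes, and a SHA-256 counter-mode keystream standing in for the faster cipher; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed demo key pair: two publicly known Mersenne primes. A real PGP key
# uses secret random primes; these exist only so the example runs offline.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # Public Key: safe to publish
D = pow(E, -1, (P - 1) * (Q - 1))      # Private Key: never leaves its owner
N_BYTES = (N.bit_length() + 7) // 8

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the fast symmetric cipher (PGP would use e.g. AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_for(n: int, e: int, message: bytes):
    """Sender side: needs only the recipient's public key (n, e)."""
    session_key = secrets.token_bytes(32)              # the Random Key
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, keystream_xor(session_key, message)

def decrypt_with(exponent: int, n: int, wrapped: int, ciphertext: bytes) -> bytes:
    """Unwrap the session key with the given exponent, then decrypt the body."""
    session_key = pow(wrapped, exponent, n).to_bytes(N_BYTES, "big")[-32:]
    return keystream_xor(session_key, ciphertext)

if __name__ == "__main__":
    msg = b"Constructed sample message for the demo."
    wrapped, ct = encrypt_for(N, E, msg)
    print("recipient (private key):", decrypt_with(D, N, wrapped, ct))
    # An interceptor holding the ciphertext and the public key gets only noise.
    print("interceptor (public key):", decrypt_with(E, N, wrapped, ct)[:16].hex())
```
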
I recommend spending a few minutes researching public key infrastructure (PKI). There’s a lot to it but I understand PKI, specifically asymmetric cryptography, to allow people to send messages to you encrypted with your public key that only you can decrypt with your private key. You can’t use the recipient’s public key to decrypt intercepted messages.
You do use the public key to verify the digital signature of a message to confirm its origin and that it’s not been tampered with (integrity).
PGP uses a key *pair*. A private key and a public key. The private key you keep to yourself, and should *never* be shared with anyone. There is nothing special about the public key, and it can be shared with anyone and everyone without affecting security…so long as you maintain sole control of the private key.
Think of it like this. You have 100 friends, and your birthday is coming up. You want all 100 of your friends to be able to send you gifts, but you don’t trust all your friends, so you want to be sure only *you* can open and receive the gifts.
You go out and you buy 100 identical padlocks and 1 master key for those padlocks. This is a magical master key…it can open all 100 of those padlocks, there isn’t another like it in existence, and it cannot be duplicated.
You can now send those 100 padlocks to your 100 friends. And you can give them instructions. “I look forward to having you at my party. Please use the enclosed padlock to secure your gift to me”
Then, when you receive their gift, you, and *only you* can unlock that lock, because you have the only key in existence that opens that lock.
Padlocks = public key
Magical Master Key = private key