What is PGP, OpenPGP, GPG or GnuPG?

posted on
by wael

PGP stands for Pretty Good Privacy. It is software used to digitally sign data, so that a recipient can check that the data has not been tampered with and that it comes from the holder of the signing key, and to encrypt and decrypt data. PGP also provides key management. Keys are used for signing and verification, and for encrypting and decrypting data; key management covers operations such as creating, revoking or deleting keys.

After data is encrypted or digitally signed, the output has a defined format. That format is specified in three RFCs: RFC 1991, RFC 2440 and RFC 4880. RFC 1991 and RFC 2440 are both obsoleted by RFC 4880.

An RFC is a Request for Comments. Requests for Comments are a series of technical and organizational documents about the Internet, produced by:

  • IETF : the Internet Engineering Task Force .
  • IRTF : the Internet Research Task Force .
  • IAB : the Internet Architecture Board .
  • Independent Submissions.

PGP was first created by Philip Zimmermann in 1991; this was version 1. The message format of version 2 was later documented in RFC 1991, which covered PGP 2.6 and 2.7. RFC 2440 defines the message format of PGP 3. PGP 3 is better known as PGP 5.x, or PGP 5, because PGP 5.x was the first released software that implemented the PGP 3 format.

The PGP 5.x message format, formerly PGP 3, is what is known as the OpenPGP protocol. OpenPGP also designates any software that implements the PGP 5.x message format.

GNU Privacy Guard, abbreviated GnuPG or GPG, is one example of such software.

Contents: How a digital signature works; How encryption works; What is the ASCII armor format?

How does a digital signature work?

A hash of the message or data to be signed is computed, and the hash is then signed with the sender's private key (with RSA this is often described as encrypting the hash with the private key; with DSA or EdDSA the signature operation is not an encryption at all). The resulting signature can either be attached to the message or data and transmitted with it, or sent separately as a detached signature.

To authenticate the received message or data, the sender's public key is used to verify the signature, which checks the hash the signature was made over. The hash of the received data or message is computed and compared to the one the signature commits to; if they are equal, the message is authenticated. Note that this only proves that the holder of that private key signed the data. Whether the key really belongs to the claimed sender is a separate question, which GnuPG answers through the trust level it prints next to the user ID, such as [ultimate] in the session below.

@debian:~$ gpg --generate-key
# Generate a private and a public key by using GnuPG

gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/home/difyel/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: difyel
Email address: difyeld@gmail.com
You selected this USER-ID:
    "difyel <difyeld@gmail.com>"
# GnuPG builds the user ID of the key holder ,
# so it asks for a name and an e-mail address .
# It will also ask for a passphrase to protect the
# generated private key . The passphrase is used to
# encrypt the private key on disk and to decrypt it
# whenever it is used .

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/difyel/.gnupg/trustdb.gpg: trustdb created
gpg: key FD03F9275A65B11A marked as ultimately trusted
gpg: directory '/home/difyel/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/difyel/.gnupg/openpgp-revocs.d/468547ECCE69424D64983453FD03F9275A65B11A.rev'
public and secret key created and signed.

pub   rsa3072 2020-02-04 [SC] [expires: 2022-02-03]
      468547ECCE69424D64983453FD03F9275A65B11A
uid                      difyel <difyeld@gmail.com>
sub   rsa3072 2020-02-04 [E] [expires: 2022-02-03]
# The 40 hexadecimal digit line under "pub" is the
# fingerprint of the created public key . Its last
# 16 digits , FD03F9275A65B11A , are the long key ID
# printed in the "marked as ultimately trusted" line .


@debian:~$ gpg --list-secret-keys
# List the stored secret keys .
/home/difyel/.gnupg/pubring.kbx
--------------------------------
sec   rsa3072 2020-02-04 [SC] [expires: 2022-02-03]
      468547ECCE69424D64983453FD03F9275A65B11A
uid           [ultimate] difyel <difyeld@gmail.com>
ssb   rsa3072 2020-02-04 [E] [expires: 2022-02-03]

@debian:~$ echo "This is a message" >> message
# Create a message to sign . 

@debian:~$ gpg --default-key "468547ECCE69424D64983453FD03F9275A65B11A"  --sign message
# --sign signs the message with the private key and
# writes the result to a file named message.gpg .
# message.gpg is a binary OpenPGP message that holds
# the ( compressed ) message together with its
# signature ; it is not a detached signature . Use
# --detach-sign to write the signature to a separate
# file instead .
# --default-key selects the private key to sign with ,
# here the key with the fingerprint
# 468547ECCE69424D64983453FD03F9275A65B11A .
# gpg will ask for its passphrase .
# If --default-key is not given , the first private
# key found in the stored keys is used .
gpg: using "468547ECCE69424D64983453FD03F9275A65B11A" as default secret key for signing


@debian:~$ gpg --verify message.gpg 
# --verify checks the signature of a signed message .
# The signature carries the ID of the key that made
# it , so gpg locates the matching public key in the
# keyring by itself ; if that key is not stored ,
# verification fails with "No public key" .
gpg: Signature made Tue 04 Feb 2020 05:48:01 AM EST
gpg:                using RSA key 468547ECCE69424D64983453FD03F9275A65B11A
gpg: Good signature from "difyel <difyeld@gmail.com>" [ultimate]
# The signature was successfully verified .


@debian:~$ gpg --decrypt message.gpg 
# --decrypt verifies the signature and extracts
# the original message from a signed message .
# gpg again locates the public key used for
# verification by itself .
This is a message
gpg: Signature made Tue 04 Feb 2020 05:48:01 AM EST
gpg:                using RSA key 468547ECCE69424D64983453FD03F9275A65B11A
gpg: Good signature from "difyel <difyeld@gmail.com>" [ultimate]
# The first output line is the extracted message ;
# the following lines report the signature check .



How does encryption work?

A one-time random symmetric key is generated; it is called the session key. The session key is used to encrypt the message or data to be transmitted. The session key itself is then encrypted with the receiver's public key, and the result is attached to the encrypted message (one encrypted copy of the session key per recipient, if there are several). The receiver first decrypts the session key with his private key, and then uses the decrypted session key to decrypt the message.

Digital signing and encryption can take place at the same time. First the message is digitally signed with the sender's private key, as explained in the previous section. It is then encrypted as explained in this section: a session key is generated, the signed message is encrypted with the session key, and the session key is encrypted with the receiver's public key and attached to the encrypted message.

The receiver first decrypts the session key with his own private key, then decrypts the message with the session key, and finally verifies the digital signature with the sender's public key.

If PGP compresses a message, this is done after digital signing but before encryption, so the signature is computed over the uncompressed data and the compression itself is hidden inside the ciphertext.
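Both procedures above, signing and encrypting, produce a sequence of OpenPGP packets, and GnuPG lists them for any file with gpg --list-packets message.gpg: a file written by gpg --sign is a Compressed Data packet wrapping a One-Pass Signature packet, a Literal Data packet and a Signature packet, while a file written by gpg --encrypt is a Public-Key Encrypted Session Key packet followed by a Symmetrically Encrypted Integrity Protected Data packet. The Python below is an added example and not code from this page or from GnuPG: it parses the packet framing of RFC 4880 section 4.2 (old-format, new-format and partial body lengths, with a truncation check) and decodes a Literal Data packet. The two sample messages are constructed inside the block so that it runs offline: the first is a Literal Data packet carrying the page's message, the second imitates the shape of an encrypted message with placeholder bodies, using the subkey ID 82E471C7D6714D21 from the decrypt output further down in place of real ciphertext.

```python
# Added example: walk the packet framing of an OpenPGP message (RFC 4880, 4.2).
# Not GnuPG code. The sample messages below are constructed by hand; their
# bodies are placeholders, not real ciphertext or signatures.

PACKET_TAGS = {
    1: "Public-Key Encrypted Session Key", 2: "Signature",
    3: "Symmetric-Key Encrypted Session Key", 4: "One-Pass Signature",
    5: "Secret-Key", 6: "Public-Key", 7: "Secret-Subkey", 8: "Compressed Data",
    9: "Symmetrically Encrypted Data", 10: "Marker", 11: "Literal Data",
    12: "Trust", 13: "User ID", 14: "Public-Subkey", 17: "User Attribute",
    18: "Sym. Encrypted and Integrity Protected Data",
    19: "Modification Detection Code",
}

def _new_format_length(buf, pos):
    """Decode a new-format length field: (length, body position, is_partial)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True   # partial: another length field follows

def _take(buf, pos, length):
    """Slice length octets at pos, refusing to read past the end of the input."""
    if pos + length > len(buf):
        raise ValueError(f"truncated packet: need {length} octets at offset {pos}")
    return buf[pos:pos + length], pos + length

def walk_packets(buf):
    """Return [(tag, name, body)] for the top-level packets in buf."""
    packets, pos = [], 0
    while pos < len(buf):
        ctb = buf[pos]
        if not ctb & 0x80:
            raise ValueError(f"bit 7 of the tag octet must be set (offset {pos})")
        if ctb & 0x40:                              # new format: 11tttttt
            tag, pos, body = ctb & 0x3F, pos + 1, bytearray()
            while True:
                length, pos, partial = _new_format_length(buf, pos)
                chunk, pos = _take(buf, pos, length)
                body += chunk
                if not partial:
                    break
            body = bytes(body)
        else:                                       # old format: 10ttttll
            tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
            if length_type == 3:                    # indeterminate: runs to the end
                body, pos = buf[pos + 1:], len(buf)
            else:                                   # 1, 2 or 4 length octets
                raw, pos = _take(buf, pos + 1, 1 << length_type)
                body, pos = _take(buf, pos, int.from_bytes(raw, "big"))
        packets.append((tag, PACKET_TAGS.get(tag, f"unknown tag {tag}"), body))
    return packets

def parse_literal_data(body):
    """Decode a Literal Data packet body (RFC 4880, 5.9): format, name, date, data."""
    fmt, name_len = chr(body[0]), body[1]           # 'b' binary, 't' text, 'u' UTF-8
    filename = body[2:2 + name_len].decode("latin-1")
    date = int.from_bytes(body[2 + name_len:6 + name_len], "big")
    return fmt, filename, date, body[6 + name_len:]

def build_literal_packet(data, filename=b""):
    """Old-format Literal Data packet with a one-octet length (sample input only)."""
    body = b"b" + bytes([len(filename)]) + filename + bytes(4) + data
    if len(body) > 255:
        raise ValueError("this helper only emits one-octet lengths")
    return bytes([0x80 | (11 << 2)]) + bytes([len(body)]) + body

# Constructed sample 1: the page's message as a Literal Data packet, the packet
# that sits inside the Compressed Data packet written by gpg --sign.
SAMPLE_LITERAL = build_literal_packet(b"This is a message\n")

# Constructed sample 2: the shape written by gpg --encrypt. PKESK body: version 3,
# key ID 82E471C7D6714D21, algorithm 1 (RSA), a 16-bit placeholder MPI. SEIPD
# body: version 1 plus 600 placeholder octets, framed as a 512-octet partial
# length followed by an 89-octet final chunk. None of it is real ciphertext.
SAMPLE_ENCRYPTED = (
    bytes([0xC1, 14]) + b"\x03" + bytes.fromhex("82E471C7D6714D21") + b"\x01\x00\x10\xab\xcd"
    + bytes([0xD2, 0xE9]) + b"\x01" + bytes(511)
    + bytes([89]) + bytes(89)
)

def describe(buf):
    """One line per top-level packet, in the spirit of gpg --list-packets."""
    return [f"{name} (tag {tag}, {len(body)} octets)" for tag, name, body in walk_packets(buf)]

if __name__ == "__main__":
    for sample in (SAMPLE_LITERAL, SAMPLE_ENCRYPTED):
        print("\n".join(describe(sample)))
    print(parse_literal_data(walk_packets(SAMPLE_LITERAL)[0][2]))
```

Run it against a real message.gpg by passing open("message.gpg", "rb").read() to describe(); the signature and ciphertext bodies are left opaque on purpose, since the point here is the framing that tells gpg which key, packet and length to expect before any cryptography happens. Refusing to read past the end of the input is what keeps a truncated or hostile file from turning into an out-of-bounds read in a parser written in a less forgiving language.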

@debian:~$ gpg --generate-key
# Generate a private and a public key by using GnuPG

gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/home/difyel/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: difyel
Email address: difyeld@gmail.com
You selected this USER-ID:
    "difyel <difyeld@gmail.com>"
# GnuPG builds the user ID of the key holder ,
# so it asks for a name and an e-mail address .
# It will also ask for a passphrase to protect the
# generated private key . The passphrase is used to
# encrypt the private key on disk and to decrypt it
# whenever it is used .

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/difyel/.gnupg/trustdb.gpg: trustdb created
gpg: key 8CE78D841135BC2A marked as ultimately trusted
gpg: directory '/home/difyel/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/difyel/.gnupg/openpgp-revocs.d/9D24885AF17800D7A35545658CE78D841135BC2A.rev'
public and secret key created and signed.

pub   rsa3072 2020-02-05 [SC] [expires: 2022-02-04]
      9D24885AF17800D7A35545658CE78D841135BC2A
uid                      difyel <difyeld@gmail.com>
sub   rsa3072 2020-02-05 [E] [expires: 2022-02-04]
# The 40 hexadecimal digit line under "pub" is the
# fingerprint of the created public key . Its last
# 16 digits , 8CE78D841135BC2A , are the long key ID
# printed in the "marked as ultimately trusted" line .


@debian:~$ gpg --list-secret-keys
# List the stored secret keys .
/home/difyel/.gnupg/pubring.kbx
--------------------------------
sec   rsa3072 2020-02-05 [SC] [expires: 2022-02-04]
      9D24885AF17800D7A35545658CE78D841135BC2A
uid           [ultimate] difyel <difyeld@gmail.com>
ssb   rsa3072 2020-02-05 [E] [expires: 2022-02-04]

@debian:~$ echo "This is a message" >> message
# Create a message to encrypt . 

@debian:~$ gpg --recipient difyeld@gmail.com --encrypt message
# --recipient difyeld@gmail.com : the recipient
#	of the encrypted message is
#	difyeld@gmail.com . The recipient key is
#	looked up in the keyring by that e-mail
#	address , and its encryption subkey ( the
#	[E] subkey ) is used . Any stored key whose
#	user ID carries that address would match ,
#	so naming the fingerprint instead is safer .
# --encrypt message : The message to be
#	encrypted is message .
#	A session key is generated and used to
#	encrypt the message . The session key is
#	encrypted using the recipient
#	difyeld@gmail.com public key .
# This will create a file named
# message.gpg


@debian:~$ gpg --decrypt message.gpg 
# --decrypt message.gpg : decrypts the message.gpg
#	file .
# The key ID stored in the encrypted session key
# packet tells gpg which stored private key to
# use ; that key decrypts the session key , and
# the session key decrypts the message .
gpg: encrypted with 3072-bit RSA key, ID 82E471C7D6714D21, created 2020-02-05
      "difyel <difyeld@gmail.com>"
This is a message
# The "encrypted with" line names the encryption
# subkey ( ID 82E471C7D6714D21 , the ssb [E] key ) ,
# not the primary key 8CE78D841135BC2A . The last
# output line is the decrypted message . No
# signature line is printed because the message
# was only encrypted , not signed : encryption
# alone does not tell the receiver who sent the
# message ; use --sign together with --encrypt
# for that .

What is the ASCII armor format?

By default, the output of digitally signing or encrypting a message is binary. Some systems only allow the transmission of ASCII text and do not allow arbitrary binary data; PGP therefore provides a conversion of the binary output into ASCII using radix-64 encoding. The result is an ASCII armored file, delimited by lines such as -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE-----, which carries headers that provide information about its content. In GnuPG the armored output is requested with the --armor (-a) option.

In radix-64 conversion the binary data is read six bits at a time, so that every three octets become four ASCII characters, and each six-bit group is replaced by the ASCII character that corresponds to its value. For example, if the value of the six bits is 0 it is replaced by the ASCII character A, and if it is 26 it is replaced by the ASCII character a. If the data is not a multiple of three octets, the last group is padded with the character =. A 24-bit CRC of the binary data, also radix-64 encoded and prefixed with =, is appended on its own line after the data.
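As an added example, not code from this page or from GnuPG, the Python below implements the radix-64 armor of RFC 4880 section 6: the six-bit alphabet, the CRC-24 trailer, armoring with the BEGIN/END lines and headers, and de-armoring with a checksum check. The input it armors is a constructed byte string embedded in the block (a Literal Data packet carrying the page's message). Note that the CRC-24 only catches transmission errors; it is not a security mechanism, and protection against an attacker who alters the data comes from the signature or from the encryption's integrity protection, not from the armor.

```python
# Added example: radix-64 armor per RFC 4880, section 6. Not GnuPG code.
import base64

RADIX64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def sextet_char(value):
    """The armor character for one six-bit group: 0 -> 'A', 26 -> 'a', 63 -> '/'."""
    return RADIX64_ALPHABET[value]

def crc24(data):
    """CRC-24 from RFC 4880 section 6.1 (polynomial 0x1864CFB, init 0xB704CE)."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data, kind="PGP MESSAGE", headers=None, line_len=64):
    """Wrap binary data in an armor block. gpg wraps at 64 columns; the RFC allows up to 76."""
    text = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN {kind}-----"]
    lines += [f"{key}: {value}" for key, value in (headers or {}).items()]
    lines.append("")                                     # blank line ends the armor headers
    lines += [text[i:i + line_len] for i in range(0, len(text), line_len)]
    crc_b64 = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    lines.append("=" + crc_b64)                          # checksum line starts with '='
    lines.append(f"-----END {kind}-----")
    return "\n".join(lines) + "\n"

def dearmor(text):
    """Return (kind, headers, data); raise ValueError if malformed or the CRC fails."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines)
                     if line.startswith("-----BEGIN ") and line.endswith("-----"))
    except StopIteration:
        raise ValueError("no armor header line") from None
    kind = lines[start][len("-----BEGIN "):-len("-----")]
    headers, i = {}, start + 1
    while i < len(lines) and lines[i].strip():           # "Key: value" lines until blank
        key, _, value = lines[i].partition(":")
        headers[key.strip()] = value.strip()
        i += 1
    i += 1                                               # skip the blank line
    body, crc_line = [], None
    while i < len(lines) and not lines[i].startswith("-----END "):
        line = lines[i].strip()
        if line.startswith("="):
            crc_line = line[1:]
        elif line:
            body.append(line)
        i += 1
    if i == len(lines) or lines[i] != f"-----END {kind}-----":
        raise ValueError("missing or mismatched armor tail line")
    data = base64.b64decode("".join(body), validate=True)
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line, validate=True), "big")
        if expected != crc24(data):
            raise ValueError("CRC-24 mismatch: armored data was altered or truncated")
    return kind, headers, data

def flip_detected(armored):
    """Alter one radix-64 character of the body and report whether dearmor notices."""
    lines = armored.splitlines()
    first_body = lines.index("") + 1                     # body starts after the blank line
    new_char = "B" if lines[first_body][0] != "B" else "C"
    lines[first_body] = new_char + lines[first_body][1:]
    try:
        dearmor("\n".join(lines) + "\n")
        return False
    except ValueError:
        return True

# Constructed sample: an old-format Literal Data packet carrying the page's
# message, the kind of binary that gpg --armor would wrap. Not gpg output.
SAMPLE_BINARY = bytes.fromhex("ac18620000000000") + b"This is a message\n"

if __name__ == "__main__":
    armored = armor(SAMPLE_BINARY, headers={"Version": "example"})
    print(armored)
    print(dearmor(armored))
    print("single character change detected:", flip_detected(armored))
```

The CRC line catches corruption of a few bits, which is all it was designed for: a deliberate change to the ciphertext or signature bytes can be made with a recomputed CRC just as easily, which is why the cryptographic checks happen on the decoded packets rather than on the armor.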