How PGP works? A simple introduction

The Pretty Good Privacy (PGP) is an encryption strategy for (de)encrypting and signing data in general and email/messages in specific. While doing PGP, two other well-known cryptography algorithms are going to be used: Public-Key (Asymmetric), and Symmetric cryptography. So we firstly discuss these two ingredients, and then the PGP recipe.

Symmetric Cryptography

Symmetric cryptography is a typical well-known type of cryptographic algorithm based on a shared key between two parties. For example, Alice and Bob have their own shared encryption key which is privately kept at both sides. Then, if Alice wants to send a message to Bob, she uses that shared key for encrypting the message with some mathematical procedures, and then sends it to him over the network. On the other side, Bob is the only person who can decrypt the message and read the content. Famous algorithms: AES, Twofish, Serpent, etc.

Public-key Cryptography

This algorithm is also known as asymmetric cryptography algorithm. In contrast to previous algorithm, it has two types of keys: Public and Private keys. As names describe, Public key is supposed to be publicly known, and the Private key should be kept in private. Every person has his own Public and Private keys. This time Bob wants to send a message to Alice. These are the steps at both sides (a photo illustrating the algorithm is posted below):

At Bob side:

  1. Since Public keys are available, Bob encrypt the message using Alice’s Public key with their Public-Key algorithm.
  2. Send it over the network, no one else can decrypt it except Alice.

At Alice side:

  1. She receives the message.
  2. The message is only decryptable with Alice’s Private key. Since her Private key is only known by herself, the encrypted message is safe on the way. She decrypt the message using her Private key with their Public-Key algorithm.

Famous algorithms: RSA, DSA


Digital Signature (With Public-Key Cryptography)

Digital signature of messages/emails are supposed to ensure the sender’s origin, Integrity, and non-repudiation. To achieve this goal, Hash algorithms and Public-Key cryptography are used. For example, Alice wants to send a message to Bob and signs this message with her signature.

At Alice side:

  1. She writes the message.
  2. Using one of the negotiated Hash algorithms, she computes the hash of the message, which is unique.
  3. She encrypts the the hashed message with her Private key (so called sign key) using Public-Key cryptography. So, she is the only person who can make it.
  4. The encrypted hashed message (i.e. signature) is ready. She sends the signature and the original message over the network to Bob.

At Bob side:

  1. He receives the original message and its signature.
  2. He decrypt the signature using Public key of Alice (i.e. which is available for everyone) in order to obtain pre-computed hashed message.
  3. He has received the original message before. So he computes the hash of the original message using their negotiated Hash algorithm.
  4. He compares the pre-computed hashed message (i.e. at Alice’s side) and previous step hashed message. These two have to be equal. Otherwise, the message had been tampered on the way to Bob.
Source: Comodo

Source: Comodo


PGP Cryptography

As mentioned above, PGP exploits Public-key and Symmetric Cryptography. In this literature, we just focus on very high-level concepts of the PGP, and we will explore the details and more advanced topics including some codes in future posts. Again, Alice wants to send an email to Bob. But, she wants to protects the email data to be sure that only Bob can read it (images are from Wikipedia).

At Alice’s side:

1. She firstly generate a random key. This random key is going to be a Symmetric cryptography key, so called Session Key. (i.e. she will use this key to encrypt the email data.)



2. In this step, she encrypts the email data using the recently generated random key (Random Key), and then she encrypts the Random key using Bob’s Public key. If Bob wants to be able to decrypt the email data, he needs to have the Random Key. Besides, no one else should have that key; the Random Key therefore is encrypted using his Public key, meaning that he is the only person who can obtain the Random key using his Private key.



3. Everything is ready. The combination of this encrypted data along with Encrypted key is called Encrypted message. Then, it’s time to send this data over the network to Bob. There are some other further steps such as Signature, compression, etc. that we will discuss them in future posts in details.


At Bob’s side:

  1. Bob receives the encrypted message, containing the encrypted Key and encrypted email data.
  2. He obtain the key by decrypting the encrypted Key using his Private key. So he has the Random key, which is generated by Alice.
  3. He decrypt the email data using this Random key (Session Key), and then he can read it and be sure that no one else was not able to read this email on the way to him.


Key words: PGP, Public-key, Symmetric, Signature

Leave a Reply

Your email address will not be published. Required fields are marked *