The “Web of Trust” Principle or How PGP Works | HackerNoon

Your messengers, HTTPS protocol sites, authorization in Internet services, secure file storage, and sometimes even alarm clocks – all these things use PGP. But what is it anyway? Wikipedia gives the following definition:

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

PGP and similar software follow the OpenPGP standard (RFC 4880), an open standard for encrypting and decrypting data. Modern versions of PGP are interoperable with GnuPG and other OpenPGP-compliant systems.

It’s clear in words, but let’s see how it works.

Concept

Let’s imagine that we have user A and user B. They need to start communicating, but in such a way that no one can find out about the contents of their correspondence. This is where encryption comes in.

Modern systems use Rjindael (currently AES), DES, RC4, and some other algorithms.

I will not go into details of their work. All you need to know about them is that if you give them input data and a key, you get an encrypted byte array, which can be reversed with the same key. Like a padlock, they open and close, but without a key, it is almost impossible to do so (there are no effective ways to break these algorithms). Such encryption algorithms are called symmetric encryption algorithms.

And that’s the answer, isn’t it? Let user A give his key to user B. Then you can encrypt your correspondence from both sides, and no one will know what they write to each other.

Of course, if both users know each other in real life, one can give the other a flash drive with the key on it.

But on the Internet it is impossible to do this, users are far from two, and one service can serve millions of different users per day. Also, it is not always possible to give your personal encryption key to everyone with whom you correspond in person during a meeting.

Electronic Signature

Since passing your private key from the same AES is like compromising your security, the question arises – how can user A safely pass his key to user B?

The solution is to sign keys and e-mails with another key! But only this second key will be from an asymmetric encryption algorithm. The essence is the same as in symmetric, but now, there is no single key from the lock – there are two. One is “public”, the data can only be encrypted with it, and the second is “private”, which is able to decrypt the data processed by the public key of its pair.

Such a process allows you to freely publish your public key without compromising your security.

This is the basis of the principle of operation of “Electronic Signatures.”

They are needed so that user B of the data can be sure that the data has been encrypted with the key that belongs to user A, and vice versa.

The signature is created from the hash of the original data and is attached to the packet sent.

The recipient decrypts the signature with the public key, compares it with the hash of the received data, and if they match, the sender is a genuine user and not a fraudster.

Web of Trust

OK, we have figured out how to perform a handshake (handshake is the process of forming a secure communication channel).

Now, imagine that between users A and B, there is another user, C.

“C” is an attacker who needs to know about the details of A and B’s communication.

He creates two key pairs to sign and two more keys to encrypt the data.

To user A, he presents himself as user B, and to user B as user A. The reality is that in the realities of the Internet, one cannot be 100% sure that the resulting electronic signature and key are genuine.

So, if such a scenario is really possible, will our A and B not be safe?

There is salvation! Now, we have reached the main topic – the “Web of Trust.”

This network consists of the fact that all users know the public keys of each other’s electronic signatures, and each member of the network can be asked: “Does this key, which was sent to me by user B, belong to him and not to some intruder?”

In this case, a network of trust can be very efficient even with a small number of participants, because if one knows the other, the third, by asking the first, will know the public key of the second. Like the roots of an oak tree, the Web of Trust is intertwined, allowing users to share data.

Now, our user C can no longer impersonate other users. Only if he tries, user A, asking any of the network members, will realize that someone is standing between him and user B and intercepting messages.

Generalization

Now, let’s combine all these concepts into one simple scheme.

User A and user B are both in the same trust network and want to start a secure communication.

“A” asks multiple members of the network for ‘B’s’ public key. Using this key, he sends a handshake request to user B. “B,” in turn, learns the public key of user A, generates a symmetric key for further communication, and, using the public key of user A, sends the symmetric key back.

All messages in this scheme are also signed with electronic signatures.

With this communication, no outside interference is possible, and our users can finally begin to correspond.

There is no point in using this scheme manually – it is already built into all possible Internet communication protocols by your browsers and applications.

Bottom Line

No system is perfect. MITM (Man in the middle, in our case – a way to forge certificates by verifying fake keys with signatures trusted by the victim user’s browser) attacks are still being performed today.

But if you see that “green lock” near the address bar of your browser, your data is in the safe hands of the PGP algorithm.