About PGP Keys
Keys are essentially very large numbers. If you were to look at a key, all you would see is a lot of apparently random digits.

OpenPGP keys, often referred to more simply as "PGP" keys, are always created as key pairs consisting of a public key and a secret key. The owner of a key pair always keeps the secret key private and gives their trading partner only the public key.

Keys are used to encrypt/decrypt and to sign/verify files. A key pair can be created for signing and verification only, or it can be created with a signing key plus an encryption subkey. A key pair of the second type can be used for encryption and decryption as well as for signing and verification.

Digital signatures enable you to verify the authenticity of a file's origin and to verify that the file is intact. A digital signature also provides non-repudiation, which means that the sender cannot later claim that they did not actually send the information.

When a file is signed with a secret key, only the public key that matches that secret key can be used to verify the signature. When you establish a relationship with a trading partner, they send you their public key. Each time they encrypt a file to send to you, they use their secret key to sign the file. After you decrypt the file, you verify the signature with their public key to determine whether the file really came from your trading partner. If you cannot verify their signature, then you should assume that your trading partner was not the source of the encrypted file.
Here is an example of which keys are used to encrypt/sign and decrypt/verify an inbound file from your trading partner:
- You create a key pair to be used for encryption and decryption and give your trading partner the public key.
- Your trading partner creates a key pair for signing and verification and gives you their public key.
- Your trading partner encrypts the file with your public key, signs it with their secret key, and sends the encrypted/signed file to you.
- You decrypt the file with your secret key and verify their signature with their public key.

The keys used to encrypt/sign and decrypt/verify an outbound file to your trading partner work in a similar way:
- Your trading partner creates a key pair to be used for encryption and decryption and gives you the public key.
- You create a key pair for signing and verification and give your trading partner your public key.
- You encrypt the file with your trading partner's public key, sign it with your secret key, and send the encrypted/signed file to them.
- Your trading partner decrypts the file with their secret key and verifies your signature with your public key.
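The inbound and outbound exchanges above, walked through with GnuPG as an added example that is not part of the original page: three throw-away keyrings stand in for you, your trading partner and an impostor who also holds your public key, and the receiving side shows why an unverifiable signature must be treated as "not from my partner". The user IDs, file contents and empty passphrases are constructed for the demo; gpg 2.1 or later is assumed.

```shell
# Added example (not the page's own text): two-party OpenPGP exchange with gpg.
# All user IDs, file contents and the empty passphrases below are constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }
WORK=$(mktemp -d)
ME="$WORK/me"; PARTNER="$WORK/partner"; IMPOSTOR="$WORK/impostor"
cleanup() {
  for d in "$ME" "$PARTNER" "$IMPOSTOR"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT

# Run gpg non-interactively against one homedir (the demo keys carry no passphrase).
g() { h=$1; shift; gpg --batch --yes --quiet --homedir "$h" --pinentry-mode loopback --passphrase '' "$@"; }

setup() {
  for d in "$ME" "$PARTNER" "$IMPOSTOR"; do
    mkdir -p -m 700 "$d"
    # "default" usage = signing primary key plus an encryption subkey (the two-role pair the text describes)
    g "$d" --quick-generate-key "$(basename "$d")@example.test" default default never
  done
  # Only public keys are exchanged; each secret key stays in its own homedir.
  g "$ME" --export me@example.test > "$WORK/me.pub"
  g "$PARTNER" --export partner@example.test > "$WORK/partner.pub"
  g "$ME" --import "$WORK/partner.pub"
  g "$PARTNER" --import "$WORK/me.pub"
  g "$IMPOSTOR" --import "$WORK/me.pub"   # anyone can hold your public key
}
# Inbound file: the sender encrypts to YOUR public key and signs with THEIR secret key.
send_to_me() { # $1 sender homedir, $2 sender uid, $3 plaintext, $4 ciphertext path
  printf '%s\n' "$3" > "$4.txt"
  g "$1" --trust-model always --recipient me@example.test --local-user "$2" \
    --sign --encrypt --output "$4" "$4.txt"
}
# You decrypt with your secret key and read the verification result from gpg's status lines.
receive() { # $1 ciphertext path; prints GOODSIG, NO_PUBKEY or BADSIG
  st=$(g "$ME" --status-fd 1 --output "$1.dec" --decrypt "$1" 2>/dev/null || true)
  case "$st" in
    *"[GNUPG:] GOODSIG"*)   echo GOODSIG ;;    # signed by a key you hold: accept the file
    *"[GNUPG:] NO_PUBKEY"*) echo NO_PUBKEY ;;  # cannot verify: assume it is not from your partner
    *)                      echo BADSIG ;;     # anything else (bad signature, decryption failure)
  esac
}
setup
send_to_me "$PARTNER" partner@example.test "invoice 42" "$WORK/inbound.gpg"
send_to_me "$IMPOSTOR" impostor@example.test "invoice 42" "$WORK/forged.gpg"
echo "partner file:  $(receive "$WORK/inbound.gpg")"   # GOODSIG
echo "impostor file: $(receive "$WORK/forged.gpg")"    # NO_PUBKEY
```

Note that the impostor's file decrypts cleanly (it was encrypted to your public key, which is not secret); only the signature check tells the two files apart.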
