The principle of “Web of Trust” or how PGP works

Your instant messengers, HTTPS sites, authorization in Internet services, secure file storage and sometimes even alarm clocks – all these things use PGP.

But what is it anyway? Wikipedia gives the following definition:

PGP (Pretty Good Privacy) is a computer program, also a library of functions that allows you to perform encryption and digital signing of messages, files and other information.

The words are clear, but let’s see what’s under the hood.

Concept

Let’s pretend we have user A And user B.

They need to start communication, but in such a way that no one can find out about the contents of their correspondence. This is where they come to the rescue encryption.

Algorithms used in modern systems Rjindael (currently AES)DES, RC4 and some others.

I will not go into the details of their work. All you need to know about them – give them input data and a key, you will get an encrypted byte array, which can be returned to the reverse state with the same key. Like a padlock, they open and close, but without a key it is almost impossible to do this (there are no effective ways to break these algorithms). These encryption algorithms are called symmetrical.

And that’s the answer, isn’t it? Let user A hand over your key user B. Then it will be possible to encrypt your correspondence from both sides, and no one will know what they write to each other.

Of course, if both users know each other in real life, one can give the other a flash drive on which the key is written.

But this is impossible to do on the Internet, there are far from two users, but one service can serve millions of different users a day. Also, it is not always possible for everyone with whom you correspond to give your personal encryption key in person at a meeting.

Electronic signature

Since transferring your private key from the same AES is the same as compromising your security, the question arises – how user A can securely transfer your key user B?

The solution to the problem is to sign keys and letters with another key! But only this second key will be from asymmetric encryption algorithm. The essence is the same as that of symmetrical ones, only now there is no single key to the lock – there are two of them. One “public”they can only encrypt data, and the second – “private”it is able to decrypt the data processed by the public key of its pair.

Such a device allows you to freely publish your public key without harming your security.

This is the principle of operation “Electronic signatures”.

They are needed in order to user B data could be sure that the data was encrypted with exactly the key that belongs user Aand vice versa.

The signature is generated from the hash of the original data and is attached to the sent packet.

The recipient decrypts the signature with the public key, compares it with the hash of the received data, and if they match, then the sender is a genuine user, not a scammer.

Web of Trust

OK, we figured out how to commit handshake (handshake – the process of forming a secure communication channel).

Now imagine between user A and B another one sits user C.

“C” – an attacker who needs to know about the details of communication between A and B.

It generates two pairs of keys for signing and two more keys for encrypting data.

User A he appears user BA user Buser A. The reality is that in the realities of the Internet it is impossible to be 100% sure that the received electronic signature and key are genuine.

It turns out that if such a scenario is really possible, then our A and B will not see security?

There is salvation! So we have reached the main topic – “network of trust”, in English. Web of Trust.

This network consists in the fact that all users know the public keys of each other’s electronic signatures, and each of the network participants can be asked: “But is this key that user B sent me really belongs to him, and not to some intruder?”

At the same time, the network of trust can be very effective even with a small number of participants, since if one knows the other, then the third, asking the first, will find out the public key of the second. Like the roots of an oak tree, the Web of Trust is intertwined, allowing users to share data.

Now our user C can no longer impersonate other users, because he only has to try, and user Aasking any of the network participants, he will understand what is between him and user B someone stands and intercepts messages.

Generalization

Now let’s combine all these concepts into one simple diagram.

User A and User B are both in the same web of trust and want to start a secure conversation.

“A” asks any several participants in the network for the public key “B”. Using this key, he sends a handshake request to user B. “B” in turn learns the public key of user A, generates a symmetric key for further communication and, using the public key of user A, sends the symmetric key back.

All messages in this scheme are also signed with electronic signatures.

With such an interaction, outside interference is impossible, and our users can finally start correspondence.

It makes no sense to use this scheme manually – it is already built into all possible Internet communication protocols by your browsers and applications.

Outcome

No system is perfect. MITM (Man in the middle, in our case – a way to forge certificates by verifying fake keys with signatures trusted by the browser of victim users) attacks continue to this day.

But if the same “green padlock” flaunts near the address bar of your browser, your data is in the safe hands of the PGP algorithm.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *