When “pretty good” is good enough
PGP stands for “Pretty Good Privacy”. It’s a set of algorithms for encrypting, compressing, and signing data so that a specific person can open and read that data without a third party being able to do so as well. They call it “pretty good” because when you talk about encryption, one of the first things you have to assume is that it’s going to be broken, or is already broken and no one knows. It’s important to know that given enough time, money, and computing power, every encryption can be broken. You also have to realize that there are people in this world who have a much simpler method of breaking encryption, and it’s usually called the $5 wrench attack.

For the most part, your data is not something that someone is going to spend billions of dollars trying to get at. So long as you’re not in a country that routinely violates human rights, you might also not be susceptible to the $5 wrench attack. I should note, however, that it seems people in the United States have been held in prison on contempt of court charges for not giving up decryption keys to encrypted data. It could very well be that you forget passwords to encrypted data and end up languishing in jail. A truly cruel punishment.
More acronyms
So PGP is the standard; however, it is owned by Symantec and considered proprietary. An open, non-proprietary version of this standard is called OpenPGP. OpenPGP is just a concept, a piece of data outlining how OpenPGP works. GPG is actual code that does the things outlined in the OpenPGP standard.
All this lingo and stuff can be confusing, so from now on I’ll just be talking about how to use GPG. All you need to take away from that is that GPG is a program that lets you use the stuff that’s outlined in OpenPGP.
A word on why
When you talk about securing yourself on the web you have to realize that it’s not just about securing you. Your life might not be at risk because of your views, your government, your ideals, or your beliefs. The thing is, there are many people in this world who aren’t so lucky. Whistleblowers, journalists, and political dissidents opposed to fascist regimes all have to worry about whether or not they are going to be found out by someone who may not like what they have to say.
The truth is that using GPG, and encryption in general, normalizes the use of encryption. Imagine, if you would, that nobody had locks on their front doors. When walking down the street, you would assume that the only door in the neighborhood with a deadbolt would be hiding something. This is a perfect analogy because it’s also a great response to people who say “Well, I have nothing to hide, why should I encrypt things?”. You’re not hiding anything in your house, so why have a lock on the door? Why have a door at all? The answer is that A: You don’t want people wandering in. B: You want to keep bad people out.
The same thing goes for encryption. Your identity is something that you need to protect. Identity theft occurs every day and it has far-reaching implications. On top of that, as a society, we need whistleblowers, journalists, and yes, sometimes dissidents.
How does encryption work?
In order to talk about encryption, you usually have to talk about math. Lots of fairly complicated math. People write theses on encryption algorithms and base their entire mathematical careers off them. I’ve always found it to be a very intimidating way to approach the concept.
Basically, in order to encrypt something, you need a secret password known by both yourself and the person you’re trying to contact. This “shared secret” is then used to take your input data (your secret message) and transform it into something that is unrecognizable to an outside observer. Throughout history, this has taken many forms. One-time pads are very tight encryption; the Enigma machine was famous for needing the first Turing machine to be built to crack it. If you want explanations as to how the math works for these, this isn’t the right blog.
This shared secret is then used in a “mathy” way to scramble the letters up in your message so much that it would be very difficult or impossible to unscramble without knowing the secret key.
When people talk about encryption they also always seem to use “Alice” and “Bob” as the people wanting to send messages. “Eve” is always the nefarious third party trying to spy on the communication. I don’t know why but make your own story up.
One-time pad encryption example
Let me take you through a quick example using a One-time Pad. A One-time pad is called such because in order for it to be secure, you can only use it once to encrypt data. Each successive use weakens its encryption strength. They’re basically two paper booklets that are identical to each other with random letters on them. Those random letters are identical in each pad as well. The two people wanting to send messages to one another should each have one.
So let’s make our super secret one time pad. First we’re going to agree on a way to turn letters into numbers. We’ll go elementary school style with just listing the numbers of the letters in the alphabet. There are many techniques to making these, commonly called checkerboards or conversion tables, that allow for more characters and the use of a codebook to represent whole words as numbers as well.
| A | B | C | D | E | F | G | H | I | J | K | L | M |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 |

| N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 |
Next we’ll make our one time pad by generating a bunch of random letters. Important to note here that randomness is essential to this whole thing. Most of the things you think are random are not. Truly random things are difficult, but we’re not dealing with life or death info.
I went to random.org/strings and got 20 random 2 character strings. One of the most important security rules for making iron clad One-time Pad ciphers is to not use computers at all for encryption/decryption. You do want something truly random to make the pad and that is usually a computer of some sort. The idea is to have a computer make the One-time pad data while Alice and Bob are together and in a safe place. That computer should not belong to either Alice or Bob and would likely be owned by Alice and Bob’s handlers. It shouldn’t be connected to any network, and for real security, should be annihilated with antimatter after use. True randomness is hard to come by but that’s another post. When using a computer to encrypt or decrypt, Alice or Bob could leave behind data without even knowing it and it’s usually a variable that they cannot properly control. Again, we’re just having fun.
IM OT WM GU BY SH EB JR PU YC PV LW ZI CZ DB DM RU BH TY FV
I’ve arranged them in 2 letter groups because this next part is how we’ll encode/decode our message. Let’s convert these to numbers. I’m just going to grab a couple to use as we won’t need all of them.
| IM | OT | WM | GU | BY | SH | EB | JR | PU | YC | PV |
|---|---|---|---|---|---|---|---|---|---|---|
| 0913 | 1520 | 2313 | 0721 | 0225 | 1908 | 0502 | 1018 | 1621 | 2503 | 1622 |
Encrypting
We’re going to now use this to encode our secret message “I THINK EVE IS LISTENING” by grouping them by two characters, removing spaces, and formatting it like we did before. We do this because we don’t want “Eve” to know how many characters each word has. That would be a hint to our message’s contents.
| IT | HI | NK | EV | EI | SL | IS | TE | NI | NG |
|---|---|---|---|---|---|---|---|---|---|
| 0920 | 0809 | 1411 | 0522 | 0509 | 1912 | 0919 | 2005 | 1409 | 1407 |
The next part is where the magic happens. We are going to keep the first group of the One-time pad the same so Alice can know which One-time pad to use to decode the message. Ideally a One-time pad is made up of several pages of random characters and you’ll need a way to let each other know which one you’re using. So we’re going to line up the data and add one to the other. We’re only adding the individual digits and ignoring any time it goes over 10 by just writing the remainder. This is called Modulus 10, but that’s getting into the “mathy” thing we talked about. Just think 9 + 4 = 13 so we take off the 10 part and end up with 3.
| Key | | | | | | | | | | | |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Secret | | 0920 | 0809 | 1411 | 0522 | 0509 | 1912 | 0919 | 2005 | 1409 | 1407 |
| One-time | 0913 | 1520 | 2313 | 0721 | 0225 | 1908 | 0502 | 1018 | 1621 | 2503 | 1622 |
| Cipher | 0913 | 1440 | 2112 | 1132 | 0747 | 1407 | 1414 | 1927 | 3626 | 3902 | 2029 |
Remember we are only adding single digits. You should never be adding more than one digit from the message to more than one digit of the One-time pad at a time.
Now that we have our secret encrypted cipher text, we destroy our pad and it will be secure. If we’re caught with the message we wouldn’t be able to provide a way to read it even with a $5 wrench attack.
0913 1440 2112 1132 0747 1407 1414 1927 3626 3902 2029
Decrypting
So Bob sends his message to Alice via carrier pigeon. Eve has a fleet of pigeon intercepting hawks who grab Bob’s pigeon so Eve can copy down the message and send them on their way. Upon arriving, the pigeon tells Alice its harrowing tale. Unfortunately, Alice doesn’t understand the pigeon’s regional dialect but even if she did, she would not be concerned that the message’s contents were compromised.
To decrypt, Alice needs to take the secret Cipher and subtract her secret key from it using the same modulus method (subtracting the remainder from 10), so 3 - 9 = -2 which would mean 10 - 2 = 8.
| Key | | | | | | | | | | | |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Cipher | 0913 | 1440 | 2112 | 1132 | 0747 | 1407 | 1414 | 1927 | 3626 | 3902 | 2029 |
| One-time | 0913 | 1520 | 2313 | 0721 | 0225 | 1908 | 0502 | 1018 | 1621 | 2503 | 1622 |
| Decode | | 0920 | 0809 | 1411 | 0522 | 0509 | 1912 | 0919 | 2005 | 1409 | 1407 |
| | | IT | HI | NK | EV | EI | SL | IS | TE | NI | NG |
ITHINKEVEISLISTENING
The pigeon reads the message and nods in agreement. Seeing this, Alice burns her scratch pad and the One-time pad. Eve can now never know what the message said.
As an exercise, and to demonstrate why this is such a strong encryption method, try decoding the previous cipher using this One-time pad:
0913 0835 1017 0827 9348 0594 9918 1805 2118 3082 2503
| Key | | | | | | | | | | | |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Cipher | 0913 | 1440 | 2112 | 1132 | 0747 | 1407 | 1414 | 1927 | 3626 | 3902 | 2029 |
| One-time | 0913 | 0835 | 1017 | 0827 | 9348 | 0594 | 9918 | 1805 | 2118 | 3082 | 2503 |
| Decode | | | | | | | | | | | |
You’ll notice the cipher is the same. It’s the same thing Eve has, but the message is different! It would have been nice to work out a message that could fit our conversion table nicely, but remember that our attacker doesn’t know that either and therefore would have to assume that on the conversion table, there are numbers that go up to 93 and so on. Oftentimes codebooks use numbers like this as well.
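The worked example above as a short Python program, added here and not part of the original post: it reproduces the cipher text, decrypts it with Alice’s pad and with the exercise pad, and builds a pad under which the same cipher text reads as a constructed decoy message. The function names and the decoy sentence are assumptions made for this example.

```python
import string

# Conversion table from the post: A=01 ... Z=26.
TO_NUM = {c: f"{i:02d}" for i, c in enumerate(string.ascii_uppercase, 1)}
TO_CHAR = {v: k for k, v in TO_NUM.items()}

def to_groups(text):
    """Drop spaces, pair the letters, turn each pair into a 4-digit group."""
    letters = [c for c in text.upper() if c in TO_NUM]
    if len(letters) % 2:
        raise ValueError("pad the message to an even number of letters")
    return [TO_NUM[a] + TO_NUM[b] for a, b in zip(letters[::2], letters[1::2])]

def to_text(groups):
    """Turn 4-digit groups back into letters; '?' marks values not in the table."""
    return "".join(TO_CHAR.get(g[i:i + 2], "?") for g in groups for i in (0, 2))

def combine(a, b, sign):
    """Add (sign=1) or subtract (sign=-1) digit by digit, modulo 10, no carrying."""
    return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))

def encrypt(message, pad):
    groups = to_groups(message)
    if len(pad) < len(groups) + 1:
        raise ValueError("pad too short; pad groups must never be reused")
    # The first pad group goes out unchanged so the receiver can pick the pad.
    return [pad[0]] + [combine(m, k, 1) for m, k in zip(groups, pad[1:])]

def decrypt(cipher, pad):
    if cipher[0] != pad[0]:
        raise ValueError("first group does not match this pad")
    return to_text(combine(c, k, -1) for c, k in zip(cipher[1:], pad[1:]))

def pad_for(cipher, message):
    """Build a pad under which `cipher` decrypts to any same-length message."""
    groups = to_groups(message)
    if len(groups) != len(cipher) - 1:
        raise ValueError("message must match the ciphertext length")
    return [cipher[0]] + [combine(c, m, -1) for c, m in zip(cipher[1:], groups)]

PAD = "0913 1520 2313 0721 0225 1908 0502 1018 1621 2503 1622".split()
EXERCISE_PAD = "0913 0835 1017 0827 9348 0594 9918 1805 2118 3082 2503".split()
CIPHER = encrypt("I THINK EVE IS LISTENING", PAD)

if __name__ == "__main__":
    print(" ".join(CIPHER))                # what Eve intercepts
    print(decrypt(CIPHER, PAD))            # Alice's pad
    print(decrypt(CIPHER, EXERCISE_PAD))   # the exercise pad from the post
    decoy = pad_for(CIPHER, "MEET ME AT NOON TOMORROW")  # constructed decoy
    print(" ".join(decoy), "->", decrypt(CIPHER, decoy))
```

Because a pad exists for every message of the same length, the cipher text alone gives Eve no way to tell which reading is the real one.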
Circling back to GPG
What if Alice and Bob were never in the same room together? As soon as anyone, outside Alice and Bob, put their hands on a One-time pad, it should be considered compromised and, for all intents and purposes, useless.
This is where Asymmetric encryption comes in. GPG uses something called key-pairs. When Bob wants to get secret information he makes his key pair with an encryption function. That key pair consists of a public key and a private key. Anyone can know the public key. It’s public, and won’t compromise the security of the message. Sometimes it’s helpful to think of the public key as more of a public lock. Anyone can put a message in a box and lock it with that public lock but only Bob can unlock it. Alice also has a key pair. The purpose of these public keys is to both encrypt data and authenticate data. If Alice uses Bob’s public key, she can encrypt any data she likes using it. The only thing that can then decrypt that data is Bob’s private key. Alice can also sign that encrypted message with her private key and Bob can use Alice’s public key to confirm that it was in fact signed by Alice and therefore likely to contain data that Alice encrypted. Let’s suppose Alice didn’t sign the message she sent to Bob.
Alice: Bob, Eve is on to us, go dark for a while, I'll let you know when it's less dangerous
If Alice did sign the message, Bob could in fact decrypt the message but would also know that Alice may not have signed it. Eve doesn’t care what Alice sent Bob in this scenario. In fact she can’t know what the message says (assuming the encryption isn’t broken). She just needs to change what it says and her goals are met.
Asymmetric encryption is often computationally expensive. In most cases, when someone wants to talk to a specific person, they use the public/private key pair to set up a shared secret key using an algorithm called the Diffie–Hellman key exchange.
In this method, Alice and Bob publicly agree on a shared set of numbers. They then use their private keys and the public numbers in an algorithm to obtain a “mix” of numbers that they’ll send to one another. Alice and Bob then “mix” the other’s mixed numbers to be left with a pair of numbers that no one else can know. Eve would need access to either Bob’s or Alice’s private numbers in order to arrive at the new secret from any of the numbers that were shared.
It’s a little hard to understand this way; often a good way of explaining this is with colours. The image below shows a representation for this.

Notice the final colour never goes into the public space. This is the number that would then be used to encrypt messages using a symmetric encryption (similar to our one time pad example). If you’d like to see a video on this, Khan Academy presents a lesson by Brit Cruise and does a good job at demonstrating it.
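The same exchange with numbers in place of colours, as an added example that is not part of the original post. The public numbers 23 and 5 and the private numbers 6 and 15 are toy values chosen for illustration, and the function names are assumptions; real exchanges use primes thousands of bits long.

```python
import hashlib
import secrets

# Toy public numbers (assumed for illustration); both sides agree on them openly.
P, G = 23, 5

def private_number():
    """A secret exponent in [2, P-2] that never leaves its owner."""
    return secrets.randbelow(P - 3) + 2

def mix(base, private):
    """The 'mixing' step: base^private mod P."""
    return pow(base, private, P)

def session_key(shared):
    """Hash the shared number into 32 bytes for a symmetric cipher."""
    return hashlib.sha256(str(shared).encode()).digest()

def exchange(a, b):
    """Run one exchange; return what crosses the wire and what each side derives."""
    A = mix(G, a)   # Alice -> Bob, in the open
    B = mix(G, b)   # Bob -> Alice, in the open
    return {"wire": (P, G, A, B), "alice": mix(B, a), "bob": mix(A, b)}

def search_private(public_value):
    """Try every exponent until G^x mod P matches the public value.
    This finishes instantly only because P is tiny; a large prime is
    what makes the same search impractical."""
    return next(x for x in range(1, P) if mix(G, x) == public_value)

if __name__ == "__main__":
    result = exchange(a=6, b=15)   # fixed private numbers so the run repeats
    print("on the wire:", result["wire"])
    print("Alice derives", result["alice"], "and Bob derives", result["bob"])
    print("session key:", session_key(result["alice"]).hex())
    # With fresh random private numbers both sides still agree.
    fresh = exchange(private_number(), private_number())
    print("random run agrees:", fresh["alice"] == fresh["bob"])
    print("exponent found by search:", search_private(result["wire"][2]))
```

The shared number appears only in the two `mix` calls that use a private number, never in the values on the wire.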
Putting it all together
Bob and Alice are agents for the super secret Puppy alliance (SSPA). They have never been on the same continent together, let alone met. They’ve both been deployed in the kitty cat capital city and need to communicate to ensure the survival of puppy dogs in a Feline controlled world. They both know the SSPA’s public key and trust that it belongs to them. Bob gets a message from Alice that is signed with Alice’s Public key. He cannot be sure that the message is in fact from Alice because Eve could have easily made a Public and Private key and called herself Alice. However, the message also contained a signature on Alice’s public key signed by the SSPA. Because Bob trusts the SSPA he can believe that this key in fact does belong to Alice, as Eve would have no way of signing the public key with SSPA’s private key.
Using GPG, Bob and Alice set up a shared secret and then can communicate in private while Eve is left on the outside, not being able to read any of their messages. Puppies will rise again.
All of this just dips our toes into cryptography; there is much more to know. There are several different parts of a crypto system and each has very specific uses. In later posts I will try to outline how to make some solid keys, the different useful features of other systems, and more info on why it’s a good idea to not make crypto yourself and instead rely on the genius of others. Until then, try to come up with an explanation of forward secrecy. Think about how you could change your key every message. Think about what would happen if you received a message out of order in that scenario. How would you protect earlier messages from being decrypted if your key was leaked?
As always, let me know if you have any questions or something you’d like me to add.