Prior to working at UPMC, I had used Pretty Good Privacy (PGP)/Public Key Cryptography tools. However, throughout all my coursework and previous IT jobs I was never required to learn about PGP. It wasn’t until using it every day at UPMC that I discovered how much there is to this technology. It’s used for signing digital files, encrypting & decrypting data, file directories, or entire hard disks, for secure email communications, etc., and chances are you’ve used it countless times today and never even noticed.
PGP isn’t a device or software, although you need software to do it and almost all devices employ it. That’s not a riddle. Public Key Cryptography is just math. Such sophisticated mathematics that if you were to try and perform the calculations yourself with a pen and paper you would probably never finish a problem in your lifetime. That’s why you need software to do it. It’s so ubiquitous because, well, it solves some very difficult problems; also it’s free, and extraordinarily secure. I’d like to share my understanding of PGP in a way that leaves out the scary math functions and Greek symbols.
What’s your definition of a big number? Is it a trillion? Is it a trillion trillions? Go bigger. PGP is just math with two goals. The first is creating really, really big numbers. We call the first numbers private keys. The second goal is creating more really, really big numbers that are linked to the first – using a second algorithm. We call the second numbers public keys. I’ll explain these names and purposes as we go on, first it’s important to know what they are and how they are created.
If you pressed a button on your computer and generated a new PGP private key you would have a pretty good assurance that you are the only person, ever, in the history (or future) of the universe to know that number. As long as you keep that number private, you can rely on the mathematics for security. The math algorithm is so sufficiently random and the numbers so large that you could keep pressing that button all day, every day and never in your lifetime see a duplicate. In fact, every person on Earth could do the same thing, pooling our outputs, and none of the results would ever be the same.
Current theories on the absolute minimum energy cost to store 1 bit of data support the statement that there just isn’t enough energy in the universe to compute every possible private key. That means if every human being, computer, alien life form, and even if we could somehow bend all the energy in the universe to work together computing these numbers we would reach the end of the universe’s lifespan before completion. To quote the bard, Keanu Reeves, “Whoa.”
By themselves, these numbers are functionally worthless. Sorry, big build up for a huge let down, right? It’s cool to think about the theory but how do you apply these things and give them a use? The magic really happens with the second numbers, the public keys.
So we have our universe and it has been dissected into an incredibly large number of parts. We’ve turned the universe in to a giant graph. We could even appoint a theoretical center with an X, Y, and Z axis and start assigning values. If we wanted, we could draw a giant curve through the universe. Just like drawing a curved line on a Cartesian plane in geometry class. This is what PGP, effectively, does.
This is far from y=mx+b (which was as far as younger me wanted to go with math) but it is the same idea. Algebra teaches us that if the properties of a line are known you can predict the other points that fall on that line. The same is true for a PGP elliptic curve. The private key is used to generate this curved line. As long as the same key is used the same line is created each time. Points can be picked on this curved line and they will be linked to your private key because only your private key can generate this line. These points are just numbers and they become the public keys.
As long as a private key is secure no one can predict any possible points of its elliptic curve. This is why we call the first number a private key. It must be kept a secret. We use the second numbers, the public keys, to do the data encryption that secures websites, email, and all those great things from way back at the first paragraph. Public keys can be given out freely. If someone were to try and use it to identify your private key they would still have to check it against the PGP curves of every private key in the universe. That’s just impossible. Private keys can also be used to encrypt data that only public keys can decrypt. This provides you a guarantee that if you can decrypt data with a public key it is from the key holder.
If you are connecting to a website and want a secure connection you likely had to download a security certificate. There are many standards but you are likely storing one of the public keys for the web server’s private key in that certificate. When your browser connects to the secure site it will send traffic that is encrypted using the public key. That data can only be decrypted by the person or software that has access to the private key to which it is now linked. Yes, I am saying that if your encrypted banking traffic were to be scanned, sniffed or otherwise copied while transferred over the wire even an alien race thousands of years more advanced than ours probably couldn’t see a bit of useful data, let alone an account balance.
Though the math has been peer reviewed for decades and is considered sound PGP has a major weakness – humans. We are excellent when it comes to physical security; bank vaults, locks on doors, bars on windows, etc. We’ve been doing those things for so long. Digital security is still new. Although the mathematics of PGP is sound the way it is deployed or used by software can leave you vulnerable.
Recently, with respect to the time of this writing, the Heartbleed Bug has affected an insurmountable number of systems, devices and enterprises. This was not a bug In PGP. This was a bug in software that used PGP. Popular opensource software, OpenSSL, was exposing portions of client memory on systems where it was running. For affected clients, this meant the private keys that were in use were compromised. Eavesdroppers, whether they are aliens with technology beyond our understanding or a neophyte hacker snooping on your network traffic from their parents’ basement, could view keys private keys stored in memory. Once someone has your private key your security is gone. OpenSSL is used in home computers, websites, printers, cell phones, firewalls, operating systems and an unquantifiable number of software.
Pretty Good Privacy/Public Key Cryptography is far from flying cars and hover boards, but it is still pretty good sci-fi. Though reading its white papers or technical articles makes it easy to fall asleep, new technologies built with or upon PGP are astounding. Among these projects are anonymous proof of identity systems, decentralized peer-to-peer network based agreements, and, my favorite, autonomous corporations. There is too much to say about all these systems to cover them here. However, as PGP is concerned the cliché “When you’ve done something right no one will think you’ve done anything at all” applies. (Unless something breaks, thanks Heartbleed).
By Alex Sherbuck, Systems Analyst – ISDR