In the inconsistent and jargon-heavy lingo of cryptography, an identity is generally defined as the basic organizational unit for key pairs. Key pairs are the cornerstone of PGP encryption.
When a key pair is generated, both the public part of the key and the private part are generated at the same time. Both the public and private keys are made up of very large integers.
Using key pairs, you encrypt messages with the public key and decrypt messages with the secret key. Additionally, and critically for PGP communication, you can sign a message with a private key and verify a signature with the public key.
If you only want to send an encrypted message to someone, but not receive an encrypted reply, you only need the public key. In the OpenPGP protocol, public keys are distributed in what is known as a public key certificate. A public key certificate contains:
- User ID (a string that may or may not include an e-mail address)
- 1 or more public keys
- 1 or more signatures (at least 1 signature for each public key)
All of this information is encoded into Base64, so it resembles random sequences of letters and numbers. This makes keys easier to transmit over existing communications systems (any messaging system handles a few thousand characters of text).
When a public key certificate is imported by a PGP client, the User ID on the certificate is verified using the public key. The first signature certifies that the User ID was chosen by someone with the primary secret key. Additional signatures certify that each additional public key was attached by someone with the primary secret key.
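The certificate layout described above can be checked structurally, as in this added example (not code from the original page or from any PGP client): it Base64-decodes an armored block, walks the OpenPGP packet headers, and reports any User ID or subkey that is not followed by a signature. It does not verify the signatures cryptographically. The tag numbers and header rules follow RFC 4880, and the sample certificate is constructed with placeholder bodies.

```python
import base64

def dearmor(text):
    """Drop armor header/footer lines and the '=' checksum line, then Base64-decode."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]  # data sits between the blank line and the END line
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def packets(data):
    """Yield (tag, body) for each packet, per the RFC 4880 section 4.2 header rules."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new format: tag in the low 6 bits, 1/2/5-octet length
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old format: tag in bits 5-2, length width in bits 1-0
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if width == 8:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(data[i:i + width], "big"), i + width
        if i + n > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + n]
        i += n

def layout_problems(data):
    """Structural check: key (tag 6) first; each User ID (13) and subkey (14) then a signature (2)."""
    tags = [tag for tag, _ in packets(data)]
    problems = [] if tags[:1] == [6] else ["first packet is not a primary public key"]
    for pos, tag in enumerate(tags):
        if tag in (13, 14) and tags[pos + 1:pos + 2] != [2]:
            kind = "User ID" if tag == 13 else "subkey"
            problems.append(f"{kind} at packet {pos} is not followed by a signature")
    return problems

# Constructed sample: new-format packets with placeholder bodies, not real key material.
PARTS = [(6, b"KEY"), (13, b"Alice <alice@example.org>"), (2, b"SIG"), (14, b"SUB"), (2, b"SIG")]
RAW = b"".join(bytes([0xC0 | t, len(b)]) + b for t, b in PARTS)
SAMPLE = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(RAW).decode()
          + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

`layout_problems(dearmor(SAMPLE))` returns an empty list for the sample; removing the final signature packet makes it report the unsigned subkey.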
GnuPG generates identities with two key pairs, known as a primary key and a subkey. There are obstinate justifications for this setup, but the real reason is that, prior to the year 2000, the RSA algorithm was under patent protection. RSA keys can be used for both encryption and signing, but while RSA was under patent protection, separate algorithms were used for encryption and signing.
This is the process for encrypting a message using a public key certificate:
- Verify User ID string using signature
- Verify subkey using signature
- Generate random session key (SK) and encrypt the message using AES(SK)
- Encrypt SK using RSA algorithm and subkey