Pretty Good Privacy#OpenPGP

OpenPGP is a standardized data format for encrypted and digitally signed data. The format of certificates is determined, which are commonly referred to as "key."

It is based on the format that was introduced by PGP 5 and is standardized in RFC 4880.


Two of the main applications are the signing and encrypting e -mails. There are two formats:

  • PGP / INLINE as compatibility format Also available (albeit not without problems ) by mail agents that do not know the OpenPGP (including webmail ). The e-mail is supported by their structure as ordinary text email generated (Content -Type: text / plain), the encrypted text as a radix -64 encoded text contains (Base64 plus checksum, original text format of PGP); signed text is as clear text signature inserted (opening line, plain text, signature data as radix- 64). This allows only the sign and encrypt simple text mail ( mail body ).
  • For HTML emails, there is no such possibility.
  • Attachments can be pre- encrypted and / or signed but (that assume the email programs, in the case of webmail you have to do it without the appropriate browser addon itself). However, the signatures will not guarantee the integrity of the mail altogether. Signed parts can be removed unnoticed, in a different context signed data can be added (which only attract any attention, if you took the trouble to compare the time stamp of the individual signatures).
  • One of the drawbacks of PGP / Inline is that mail programs that do not understand the OpenPGP signature in the text view, which many recipients confused.
  • This procedure also covers file attachments and HTML emails. For the mail body and any attachments may be specified individually in each case, whether they are encrypted and / or to be signed; it is made technically just a signing and / or encryption (optional with PGP / inline for the text part and each attachment).
  • However, even this method only protects the contents of the mail, not their head data (by a sender, recipient, subject, date).
  • The disadvantage of PGP / MIME is that mail programs (or webmail implementations) that support even the basic standard in 1995 ( RFC 1847), which defines the basic e- mail format for encrypted or signed content, in case of doubt an empty mail Show with file attachments, what more irritating and even less user-friendly than a radix -64 signature in the text.

Some mail programs provide the ability to specify the address book entries, in which format OpenPGP messages are to be sent to the respective address. In this way, one can minimize the disadvantages of each method.

OpenPGP and S / MIME ( which uses X.509 certificates ) are the two most important standards for e -mail encryption. Another major use of OpenPGP is to secure the software distribution ( package management ) of eg Linux.

The result is OpenPGP in 1998 as a reaction to various developments:

  • The algorithms used in PGP (IDEA and RSA) were patented and could not be used arbitrarily. In particular, there was in the U.S. laws forbidding the export of strong encryption ( from 40 bit).
  • The program PGP was commercially marketed by the company, PGP Inc., and there were blank rumors that a rear door was built into the program because it had a so-called ADK function ( Additional Decryption Key ).
  • End of 1997, PGP Inc. Network Associates Inc. ( NAI) has been adopted, the member of the Key Recovery Alliance were.

The OpenPGP protocol is now supported by many products. Prominent representatives are the commercial PGP and the free open -source program GnuPG (standing under the GNU GPL).

In contrast, the also widely used S / MIME protocol uses X.509 certificates and is therefore in principle not compatible with OpenPGP, even if it is used at the lowest level, the same cryptographic methods. There are applications which OpenPGP keys can convert X.509 key in RSA format ( and vice versa: pem2openpgp from the Monkeysphere package ); However, this conversion affects only lost the raw key material, the certifications go through a third party. Also use the same key for SSH is possible ( such as by GnuPG).

There is also the OpenPGP Alliance, a grouping of several manufacturers who feel the OpenPGP format obligation. However, the corresponding website has not been updated since about 2001.

Cryptographic methods


OpenPGP uses a hybrid encryption that take advantage of asymmetric cryptosystems ( secure key transmission ) combined with those of symmetric cryptosystems (high speed).

Instead of using as a symmetric system, only one key for both encryption and decryption, consists in an asymmetric system a key pair consisting of two related keys, a public and a secret. Data that has been encrypted with the public key can only be decrypted with the secret key again; it is not possible to remove the encryption with public key. With the asymmetric method, a symmetric session key is encrypted, in turn, the actual data is encrypted with the.


In addition to the encryption OpenPGP also supports digital signatures with which recipients can ascertain the authenticity and integrity of messages. For this purpose, a checksum of the data is from the sender (also called hash value ) is formed, which is then signed with the private key (the data is itself untouched ). The recipient can verify the signature with the sender's public key.

Key authentication

Also public key can signed by other key holders ( "certified" ) are to demonstrate that the certifier has checked both the key (ie the fingerprint ) and the certified together with him User ID ( what there is of course no fixed rules ); multiple user IDs must each be individually certified. Unlike S / MIME, this signing is not based on a hierarchical system in which only a superior place key must sign minor points, but from a network of trust (Web of Trust ) in which each participant can sign the keys of others. The signature with the ( implicit) statement made about the authenticity of the key and the respective identity (name, e -mail, comment ) allows third parties to assess the authenticity of the certificate. Familiar as B certifications of A (either fully or partially ), B, the public key of the unfamiliar subscriber C could trust, if this key has been certified by A. The certification relates only to the authenticity of the key; if A trusts also the certifications of C, it is not apparent and irrelevant to the certification of C by A from the signature of A. The validity of certificates is a public information, user confidence in others is a private information. Unfortunately, key validation and certification of trust are often confused with each other.

Another, easier way to check the authenticity of a key, is the comparison of the fingerprint. It is a checksum of the key data (public master key plus the generation timestamp) in hexadecimal format ( for example, " 72F0 5CA5 0D2B BA4D 8F86 E14C 38AA E0EB "), which is easy to talk directly compare, by phone or by letter.

Of the certificates

OpenPGP certificates ( the current version 4) consist of a number of components. Your data are not certified in their entirety, but in individual components and partly by the key owner and of third parties, in part only by the key owner. A corollary is that a certificate can change over time. Components can be added, changed and deleted. The main components of an OpenPGP certificate are:

Third sign only the combination of master key and a user ID; it must, therefore, each user ID can be individually signed. Whether he signed all user IDs are free a third party. The key owner signed everything. Unsigned components are worthless and will be ignored. This may change its preferences, additional information and lifetimes of the owners own authority. He can subkey and user IDs to add and withdraw. Subkeys of OpenPGP software automatically accepted ( if they have a self-certification ), user IDs do not. If you can certify his key from third parties and then adds an e- mail address ( which is not certified by a third party ), then the user of the certificate will receive a warning if they want to encrypt for the added e- mail address. The display of the most important elements in GnuPG ( - list- sigs ):

Pub 1024D/0x12345678 2005-09-05             D44C 6A5B 71B0 427C 025C CED3 BD7D 6D27 1234 5678      uid first name last name      sig 0x12345678 first name last name      sig 0x87654321 certifier      uid first name Last Name ( CEO of Example Inc. )      sig 0x12345678 first name last name      sig 0x87654321 certifier      sub 2048R/0x51B279FA 2010-03-04 [ expires: 2013-03-03 ]      sig 0x12345678 first name last name It can be seen that only a master key ( pub) is present, that this is a 1024 -bit DSA key, and when this master key was generated. Among them is his fingerprint. ID, are usually designated by the key is the last part of the fingerprint. Then two user IDs (uid ) to see that both include a name and e- mail address and both were signed by both the associated key itself as well as by another key. Only one of the user IDs contains a comment in this case a professional position. In this way, an organization appropriately qualified key of a company (such as the the executive director), be certified by the position of the company towards third parties who rely on the first key employees. In addition, it can be seen that subkey ( sub) be signed only by her master key, but not by third parties.

The individual components of the certificate are assembled unlike X.509 without cryptography. The cryptographic security is situated just within the component. You can remove parts of a certificate therefore unnoticed. This means that the user generally can not be sure that a certificate that he has (as usual) was obtained from an unsafe source, is complete. To provide this security, you can export a certificate to a file and then sign.

Qualified signatures under the Electronic Signatures Act

The German signature law ( Signatures ) differs electronic signatures, electronic signatures and advanced electronic signatures. The latter are the actual content of the law, the first two groups are only the demarcation. The Signature Act provides both technical and organizational requirements for the recognition of qualified signatures. Currently (2012 ) provide the certification service providers not qualified certificates based on OpenPGP, so it is not possible to create qualified signatures with OpenPGP. This has technical reasons. At the current concept of OpenPGP heard

The Signature Act requires that the private key of qualified certificates are stored in hardware that can not be read. These are typically smart cards. Since the current version of the OpenPGP signatures of subkeys treated the same as the master keys to normal OpenPGP keys are in principle not for qualified signatures. But even if you generated an atypical, corresponding this requirement OpenPGP key that is used for its generation and storage hardware and software would have to be verified by a recognized by BSI site to see if it meets the safety requirements of the Act. The cost of such examination are another impediment to the availability of OpenPGP for qualified signatures.


  • RFC 2440 OpenPGP Message Format
  • RFC 4880 OpenPGP Message Format
  • RFC 5581 Camellia Cipher in OpenPGP The
  • RFC 6637 Elliptic Curve Cryptography ( ECC) in OpenPGP
  • RFC 3156 MIME Security with OpenPGP