# 有关PGP的基本概念

2014年从msn space存档中重新恢复出来！

```If I'm saying anything basic that you already know, please forgive me.
I mean no offense; I'm just not sure what level to start from.

You mentioned a five digit PIN number and a certificate. It sounds like
you need to encrypt the PIN number so you can send it across the network,
and some other party can read it?

Allow me to offer a few basics. DES and Triple-DES ("3DES" or "DESede") are
"symmetric cipher algorithms." This means they use the same key to
encrypt and to decrypt. This key is usually called a "secret key".
DES keys are 8 bytes long (64 bits, of which 8 are parity).
Triple-DES keys are 24 bytes long (192 bits of key, 24 bits of parity).

Also, DES and 3DES are "block cipher" algorithms. That is, they work on
blocks of data. The block size for DES and 3DES is 64 bits, or 8 bytes.

By comparison, RSA is a "public key" algorithm. That is, RSA actually
uses a key pair. There is a "public key" and a matching "private key."
The public key is usually distributed inside an X.509 certificate, though
this is not strictly required. As the name suggests, the private key is
never distributed.

These days, RSA keys are typically 1024 bits long, or 128 bytes. Using
the default algorithm, an RSA key can be used to encrypt up to N-11 bytes
of data, where N is the key length in bytes.

Normally, one does not encrypt data directly with an RSA key. Instead,
one creates a one-time-use random key for a symmetric cipher. (For
instance, one might generate 24 bytes of random data for use as a 3DES
key.) For convenience, let's call that key "Kmsg" (the "message" key).
One would then encrypt the actual message data using this message key.
Then, one encrypts Kmsg using the RSA public key of the intended
message recipient. Finally, send the encrypted message and the
encrypted Kmsg to the recipient.

As a specific example, suppose Alice wants to send Bob an encrypted
message. Let's say Alice decides to use DES. Alice generates Kmsg.
Let's suppose Kmsg = 0x1234567812345678 (eight bytes). We'll call the
message M.

Alice applies DES to encrypt M with Kmsg: DES(M,Kmsg)

Now, Alice encrypts Kmsg with Bob's public key: RSAPUB(Kmsg,Bob)

Alice sends Bob both DES(M,Kmsg) and RSAPUB(Kmsg,Bob). Bob uses his
private key: RSAPRIV (RSAPUB (Kmsg, Bob), Bob) == Kmsg. Then, Bob
uses the recovered Kmsg to decrypt DES(M,Kmsg) and gets back M.

One nice advantage of this scheme is that Alice can send the encrypted
message to all of Bob, Carol, and David very simply. Alice simply sends:

{ DES(M,Kmsg), RSAPUB(Kmsg,Bob), RSAPUB(Kmsg,Carol), RSAPUB(Kmsg,David) }

Each recipient uses the corresponding private key to decrypt one of the
RSAPUBs and then decrypt the original message. In fact, this is how
encrypted mail (S/MIME) works.

Phew, now, back to your case. If you really have a five digit PIN, you
can actually encrypt the PIN directly using RSA, or you can do what is
described above.

Hope this helps clarify matters some.
```  