

Key Properties


This is what the key properties mean:


Main User ID


Each key has a Main User ID, which identifies the owner. It consists of a name (mandatory), an e-mail address (highly recommended, and required by this program), and an optional comment that distinguishes the ID from similar ones. In GPG a user ID looks like this: Heinrich Heine (Duesseldorf) <hh@yahoo.com>.


At the moment, this program cannot use “international characters” in key User IDs, i.e., characters outside the standard 26-letter English alphabet. (Sorry.)


Additional User-IDs


You can add more User IDs, e.g., if you have a second e-mail account. You can make a previously secondary User ID the primary one, and you can delete a User ID, e.g., when you give up an e-mail address.


Adding or changing User IDs does not change the key itself, i.e., its cryptographic properties, at all. After changing User IDs you can still read all the encrypted messages you received before, your signatures do not change, and the Key IDs and fingerprint described below stay the same.


(Short) Key ID


The “Short Key ID” (here, for practicality, called just Key ID) consists of “0x” followed by 8 characters, each a digit 0 through 9 or a letter A through F (i.e., hexadecimal). It is simply the last 8 characters of the key’s fingerprint (see below), so it is derived from the key’s cryptographic material, but it tells us nothing about the key’s properties. The 16-character version, the last 16 characters of the fingerprint, is called the “Long Key ID.”


These two Key IDs identify the key, not the user, so they stay the same even if the User IDs are changed.

It is unlikely that two keys share the same Short Key ID by accident, but it is possible; worse, an attacker can deliberately generate a key whose Short Key ID matches someone else’s, so a Short Key ID alone should never be relied on to identify a key. Collisions of Long Key IDs are far less likely, and finding two keys with the same “fingerprint” (see below) is practically impossible.


Key Type

These abbreviations show the cryptographic algorithm that these keys work with.

E.g., RSA uses the RSA algorithm (named after its three inventors, Rivest, Shamir, and Adleman). RSA is a de facto standard in much of the cryptographic world and the most widely used algorithm; it serves both for encryption/decryption and for signing.


DSA is the Digital Signature Algorithm, specified by the U.S. Digital Signature Standard (DSS), and as the name says it is used for signing only. (Older PGP versions label a DSA key with its ElGamal encryption subkey as “DH/DSS”; DH stands for Diffie-Hellman, whose key-exchange scheme rests on the same discrete-logarithm mathematics, but DSA is a distinct algorithm, not a variant of DH.)


ELG stands for ElGamal, an encryption scheme named after Taher ElGamal. GPG uses this algorithm for encryption only.

Indeed, what we call “one key” usually consists of two (or more) mathematical (sub-)keys bundled together: typically a primary key for signing and a subkey for encryption/decryption, sometimes using different algorithms (e.g., DSA for signing with an ELG subkey for encryption, or RSA for both). The user does not have to worry about this at all.


Size

This is the key size (also called key length) in bits: a key of length 256 can take “2 to the 256th power” different values.


(The longer the key, the longer it takes an attacker to break it (for a symmetric key by trying all values, for an RSA key by factoring its modulus), so a longer key of the same algorithm is usually considered safer or stronger than a shorter one. However, keys of the same length but for different algorithms can imply very different strengths: a 256-bit symmetric key is out of reach of any attacker, whereas a 256-bit RSA key can be factored in seconds. For RSA, DSA and ElGamal keys, sizes of 2048 bits or more are customary today.)


Created


Date on which the key was created.


Expires


Date on which the key is set to expire. “Never” means that no expiration date is set.


Validity


“Validity” says how sure the program is that this particular key belongs to the person named in the Main User ID. It is calculated from the signatures on the key: how many there are and how much you trust the keys that made them (a key you have signed yourself counts as fully valid).


Fingerprint


A key’s “fingerprint” consists of 40 characters, each a digit 0 through 9 or a letter A through F. It is a cryptographic hash (SHA-1 over the public key material and its creation date, for the version 4 keys in common use) and thus fully determined by the key, but in a way that knowledge of the fingerprint tells us nothing about the key itself, and nobody can construct a key to match a given fingerprint.

While two different keys sharing a Short Key ID is rare and sharing a Long Key ID very unusual, two keys sharing a fingerprint is, for all practical purposes, impossible.

Thus, as with the fingerprint of a human being, a key fingerprint is unique: the likelihood that two keys have the same fingerprint is so small that we do not even have to think about it.
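The properties above come from GPG itself. As an added example (not InstantCrypt’s or GnuPG’s own code), the following Python maps the machine-readable listing that GnuPG prints with “gpg --with-colons --list-keys” onto the property names of this page, and checks the relationship between fingerprint and Long Key ID just described. The listing embedded in the script is constructed for the example; its key IDs and fingerprints are made up and belong to nobody, and the function names are the example’s own.

```python
"""Map GnuPG's --with-colons key listing onto this page's key properties.
Added example; the sample listing is constructed, not real key data."""
import datetime

# Public-key algorithm numbers used in field 4 of pub/sub records (RFC 4880).
ALGORITHMS = {"1": "RSA", "2": "RSA", "3": "RSA", "16": "ELG", "17": "DSA",
              "18": "ECDH", "19": "ECDSA", "22": "EDDSA"}

# Validity letters used in field 2 (see GnuPG's doc/DETAILS).
VALIDITY = {"u": "ultimate", "f": "full", "m": "marginal", "n": "never",
            "e": "expired", "r": "revoked", "q": "undefined", "-": "unknown",
            "i": "invalid", "d": "disabled"}

# Constructed sample: an RSA key with two User IDs and an RSA encryption subkey,
# then an old-style DSA signing key with an ELG encryption subkey and no expiry.
SAMPLE_LISTING = """\
pub:f:2048:1:1A2B3C4D5E6F7A8B:1700000000:1763072000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF012345671A2B3C4D5E6F7A8B:
uid:f::::1700000000::0000000000000000000000000000000000000000::Alice Smith <AliceSmith@yahoo.com>::::::::::0:
uid:f::::1700000000::1111111111111111111111111111111111111111::Alice Smith (work) <alice@example.org>::::::::::0:
sub:f:2048:1:8899AABBCCDDEEFF:1700000000:1763072000:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA988899AABBCCDDEEFF:
pub:-:1024:17:0F1E2D3C4B5A6978:1600000000:::-:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0F1E2D3C4B5A6978:
uid:-::::1600000000::2222222222222222222222222222222222222222::Heinrich Heine (Duesseldorf) <hh@yahoo.com>::::::::::0:
sub:-:2048:16:1122334455667788:1600000000::::::e::::::23:
fpr:::::::::7766554433221100776655441122334455667788:
"""


def _date(field: str) -> str:
    """Creation/expiry fields are seconds since the epoch (older GnuPG
    versions print YYYY-MM-DD); an empty field means no date is set."""
    if not field:
        return ""
    if "-" in field:
        return field
    moment = datetime.datetime.fromtimestamp(int(field), datetime.timezone.utc)
    return moment.strftime("%Y-%m-%d")


def parse_listing(text: str) -> list:
    """Turn --with-colons records into one dict per primary key, named after
    the properties on this page.  Only the first fpr record after a pub record
    is the primary key's fingerprint; later ones belong to subkeys."""
    keys = []
    current = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {
                "type": ALGORITHMS.get(f[3], "algo " + f[3]),
                "size": int(f[2]),
                "long_key_id": f[4],
                "short_key_id": "0x" + f[4][-8:],
                "created": _date(f[5]),
                "expires": _date(f[6]) or "Never",
                "validity": VALIDITY.get(f[1], f[1]),
                "fingerprint": None,
                "uids": [],        # the first entry is the Main User ID
                "subkeys": [],
            }
            keys.append(current)
        elif current is None:
            continue
        elif f[0] == "fpr" and current["fingerprint"] is None:
            current["fingerprint"] = f[9]
        elif f[0] == "uid":
            current["uids"].append(f[9])   # GnuPG escapes ':' in here as \x3a
        elif f[0] == "sub":
            current["subkeys"].append({"type": ALGORITHMS.get(f[3], "algo " + f[3]),
                                       "size": int(f[2]),
                                       "usage": f[11]})   # e = encrypt, s = sign
    return keys


def check_consistency(key: dict) -> list:
    """Sanity checks a front end should make before displaying a key: the
    fingerprint is 40 hex digits, the Long Key ID is its tail, and there is
    at least one User ID.  Returns a list of problems (empty if fine)."""
    problems = []
    fpr = key["fingerprint"] or ""
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        problems.append("fingerprint is not 40 hex digits")
    if not fpr.endswith(key["long_key_id"]):
        problems.append("Long Key ID does not match fingerprint")
    if not key["uids"]:
        problems.append("key has no User ID")
    return problems


if __name__ == "__main__":
    for key in parse_listing(SAMPLE_LISTING):
        print("Main User ID:", key["uids"][0])
        for name in ("type", "size", "short_key_id", "long_key_id", "created",
                     "expires", "validity", "fingerprint"):
            print("  %-13s %s" % (name, key[name]))
        for sub in key["subkeys"]:
            print("  subkey        %s, %d bits, usage %s" % (sub["type"], sub["size"], sub["usage"]))
        print("  problems:     ", check_consistency(key) or "none")
```

The usage letters on the sub records (e for encryption, s for signing) are what the “Key Type” paragraph above describes: one bundle, several subkeys with different jobs.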


What this is good for: Verifying a key’s validity


Apart from telling you which algorithms you use and how strong your encryption is, these key properties are what you use to verify who owns a key.

E.g., let’s assume your friend Alice Smith sent you a key by e-mail and asks you to send her confidential material. How do you know that Alice really sent you the key, and not some malicious person (Mallory) who opened an e-mail account in Alice’s name, say Alice.Smith@yahoo.com, hoping that you will not notice that your friend’s address is actually AliceSmith@yahoo.com?

What you should do is call your friend Alice on the phone (you know her voice!) and have her read to you the

a) Type,

b) Size (also called length), and

c) Fingerprint of her key, and

d) her e-mail address,

and compare each of them, character by character, with what the program shows for the key you received. If any of them differs, do not use the key.


You may think it is safe if Alice just tells you that she sent you her key. But that may not be enough. For example, Alice may have sent you the key (that is, tried to), but Mallory was able to intercept it. Mallory now sends you his own key instead of Alice’s, from an e-mail address that looks just like hers. You send your message to Mallory (thinking it is Alice); Mallory decrypts it, reads it, encrypts it again, this time with Alice’s key (remember, he intercepted it), and forwards it to Alice. Alice now calls you and tells you she got your encrypted message “safe and sound”. You think this proves that your secret communication worked, when in fact Mallory read it all.


If you do not compare the fingerprint Alice reads to you with the fingerprint of the key you received, you will not find this out.
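To make the fingerprint paragraphs above and this phone-call procedure concrete, here is an added example in Python (not InstantCrypt’s or GnuPG’s code). It computes a version 4 OpenPGP fingerprint and the two Key IDs from public key material the way RFC 4880 specifies, shows that User IDs are not part of what is hashed (so changing them leaves the fingerprint untouched, while the creation date does affect it), and then checks a received key against the type, size, fingerprint and e-mail address its owner read out over the phone. The 64-bit modulus is a constructed toy value and not a real RSA key; the key dictionaries, the “spoken” values and the function names are the example’s own assumptions.

```python
"""Version 4 OpenPGP fingerprint, Key IDs, and an out-of-band key check.
Added example; the key material below is a constructed toy, not a real key."""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: two-byte bit count, then the
    big-endian magnitude (RFC 4880 section 3.2)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2):
    version byte 4, creation time, algorithm 1 (RSA), then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length and
    the body itself, shown as 40 upper-case hex characters."""
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(framed).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The Long Key ID is the low 64 bits of the fingerprint: its last 16 characters."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """The Short Key ID is the low 32 bits, written with a 0x prefix."""
    return "0x" + fingerprint[-8:]


def key_fingerprint(key: dict) -> str:
    """Fingerprint of a key as this page uses the word: key material plus
    User IDs.  The User IDs are deliberately absent from the hashed bytes,
    which is why adding or changing them leaves fingerprint and Key IDs alone;
    the creation time, however, is part of the hash."""
    return v4_fingerprint(rsa_public_key_body(key["n"], key["e"], key["created"]))


def normalize_fingerprint(text: str) -> str:
    """Canonicalize a fingerprint as typed or read aloud: drop whitespace,
    an optional 0x prefix, and case differences."""
    compact = "".join(text.split()).upper()
    return compact[2:] if compact.startswith("0X") else compact


def check_key(key: dict, spoken: dict) -> list:
    """Compare a received key with the type, size, fingerprint and e-mail
    address confirmed over the phone.  Returns the names of the properties
    that disagree; an empty list means the key is the one Alice described."""
    mismatches = []
    if key["type"] != spoken["type"].upper():
        mismatches.append("type")
    if key["n"].bit_length() != spoken["size"]:
        mismatches.append("size")
    if key_fingerprint(key) != normalize_fingerprint(spoken["fingerprint"]):
        mismatches.append("fingerprint")
    if not any(uid.endswith("<%s>" % spoken["email"]) for uid in key["uids"]):
        mismatches.append("email")
    return mismatches


# Constructed sample keys.  A 64-bit modulus is far too small for real use and
# is not even a product of two primes; it only has to be some key material.
ALICE_KEY = {"type": "RSA", "n": 0xD2C6F8A1B3E49D5F, "e": 65537,
             "created": 1700000000, "uids": ["Alice Smith <AliceSmith@yahoo.com>"]}
ALICE_KEY_WITH_SECOND_UID = dict(ALICE_KEY, uids=ALICE_KEY["uids"] +
                                 ["Alice Smith (work) <alice@example.org>"])
# Mallory's key carries a look-alike User ID but different key material.
MALLORY_KEY = dict(ALICE_KEY, n=0xB7A5C3E1D9F86423,
                   uids=["Alice Smith <Alice.Smith@yahoo.com>"])

# What Alice reads over the phone (constructed): the fingerprint in groups of
# four, lower case, with a leading 0x; normalize_fingerprint tolerates all of it.
_FPR = key_fingerprint(ALICE_KEY)
SPOKEN_BY_ALICE = {"type": "rsa", "size": 64, "email": "AliceSmith@yahoo.com",
                   "fingerprint": "0x " + " ".join(_FPR[i:i + 4] for i in range(0, 40, 4)).lower()}

if __name__ == "__main__":
    print("Fingerprint  :", _FPR)
    print("Long Key ID  :", long_key_id(_FPR))
    print("Short Key ID :", short_key_id(_FPR))
    print("Unchanged after adding a User ID:", key_fingerprint(ALICE_KEY_WITH_SECOND_UID) == _FPR)
    print("Alice's key vs. phone call  :", check_key(ALICE_KEY, SPOKEN_BY_ALICE) or "matches")
    print("Mallory's key vs. phone call:", check_key(MALLORY_KEY, SPOKEN_BY_ALICE))
```

Mallory’s key fails on two counts, the fingerprint and the e-mail address, even though the name in its User ID is identical to Alice’s; the fingerprint check is the one Mallory cannot talk his way around.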


Click here to find out how to get to the properties of your key.