How does it work?

In short, the USB token internally combines a smartcard reader and a smartcard in one package that plugs into a USB port. An application can then talk to the smartcard and ask it to perform a cryptographic operation, such as signing or decrypting some data. Of course the token will only execute the operation when it is supplied with the correct PIN code.

When a keypair is generated on the token, the private key never leaves the token. Therefore, all private key operations need to be done by the token itself.

For efficiency reasons, PGP (like any other application using public key cryptography) does not encrypt or sign all of the data with a public key primitive.

  • For encryption, all data is encrypted with a secret random symmetric key. This symmetric key is then encrypted to a public key. For decryption, PGP sends only the encrypted symmetric key to the token for decryption; after retrieving the secret symmetric key, all data is decrypted without using the token. That way, even if the encrypted file is, for example, one gigabyte in size, only a few hundred bytes are exchanged over the relatively slow USB link, while the same security is maintained.
  • For signatures a similar procedure is used: the signature is computed over a hash (message digest) of the full message, so again only the short digest has to be sent to the token.
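The following is an added example, not ePass or PGP code, that models the host/token split described above. The `Token` class stands in for the smartcard: it holds the private key and exposes only two PIN-gated operations, unwrapping a session key and signing a digest, and it counts how many bytes were sent to it. Everything bulk happens on the host. Textbook RSA (no padding) and an HMAC-SHA256 keystream are used only so the example runs on the Python standard library; they are toy stand-ins for the algorithms a real token and PGP use, and the 512-bit key size is chosen for speed, not security.

```python
import hashlib
import hmac
import secrets

E = 65537  # RSA public exponent


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # fixed size, odd
        if _is_probable_prime(cand):
            return cand


class Token:
    """Stand-in for the smartcard: the private exponent never leaves this object."""

    def __init__(self, pin, bits=512):
        while True:  # redraw if E happens not to be invertible mod phi(n)
            p, q = _random_prime(bits // 2), _random_prime(bits // 2)
            try:
                self._d = pow(E, -1, (p - 1) * (q - 1))
                break
            except ValueError:
                continue
        self._pin = pin.encode()
        self.public_key = (p * q, E)
        self.bytes_received = 0  # what crossed the "USB link" into the token

    def _check_pin(self, pin):
        if not hmac.compare_digest(pin.encode(), self._pin):  # constant-time compare
            raise PermissionError("wrong PIN")

    def unwrap_session_key(self, wrapped, pin):
        """Private-key decrypt of the wrapped 32-byte session key (PIN required)."""
        self._check_pin(pin)
        self.bytes_received += len(wrapped)
        n, _ = self.public_key
        return pow(int.from_bytes(wrapped, "big"), self._d, n).to_bytes(32, "big")

    def sign_digest(self, digest, pin):
        """Private-key signature over a digest the host already computed (PIN required)."""
        self._check_pin(pin)
        self.bytes_received += len(digest)
        n, _ = self.public_key
        size = (n.bit_length() + 7) // 8
        return pow(int.from_bytes(digest, "big"), self._d, n).to_bytes(size, "big")


def _keystream(key, nonce, length):
    """Toy stream cipher: HMAC-SHA256 in counter mode (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def host_encrypt(public_key, plaintext):
    """Hybrid encryption: bulk data under a random session key, key wrapped to the public key."""
    n, e = public_key
    session_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    body = nonce + _xor(plaintext, _keystream(session_key, nonce, len(plaintext)))
    size = (n.bit_length() + 7) // 8
    wrapped = pow(int.from_bytes(session_key, "big"), e, n).to_bytes(size, "big")
    return wrapped, body


def host_decrypt(token, pin, wrapped, body):
    """Only the wrapped session key goes to the token; the bulk decrypt stays on the host."""
    session_key = token.unwrap_session_key(wrapped, pin)
    nonce, ct = body[:16], body[16:]
    return _xor(ct, _keystream(session_key, nonce, len(ct)))


def host_sign(token, pin, message):
    return token.sign_digest(hashlib.sha256(message).digest(), pin)


def host_verify(public_key, message, signature):
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(int.from_bytes(signature, "big"), e, n) == h


def demo(plaintext=b"A" * (64 * 1024), pin="1234"):
    """Encrypt, decrypt and sign a constructed 64 KiB message; report what reached the token."""
    token = Token(pin)
    wrapped, body = host_encrypt(token.public_key, plaintext)
    recovered = host_decrypt(token, pin, wrapped, body)
    sig = host_sign(token, pin, plaintext)
    return {
        "roundtrip_ok": recovered == plaintext,
        "signature_ok": host_verify(token.public_key, plaintext, sig),
        "bytes_to_token": token.bytes_received,  # 64-byte wrapped key + 32-byte digest
        "bytes_on_host": len(body),
    }
```

Running `demo()` shows the point of the page: for a 64 KiB message the token sees only 96 bytes (the wrapped session key and the digest), while the bulk work happens on the host, and both operations are refused with `PermissionError` when the wrong PIN is supplied.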


PGP on ePass

ePass2000

ePass cryptographic tokens
© novaris 2004-2008