What is Pretty Good Privacy?

PGP or Pretty Good Privacy is as the name suggest a package that guarantees privacy or in other words it is an encryption package. PGP was developed by Phil Zimmermann.

Conventional encryption (also known as symmetric cypher) uses a single key. The same key is used to encrypt and decrypt a message. This key has to be kept secret otherwise the scheme is compromised. The main problem is how to distribute the secret key and ensure that it remains secret.

PGP is a dual-key or public-key cryptosystem (also known as asymmetric cypher). One key is kept secret, the other key is made public. To communicate with the owner of the secret key a message is encrypted with the corresponding public key, this message can only be decrypted using the secret key.

A dual-key encryption system gets around the problem of key distribution as anyone and everyone may have a copy of the public key. This though merely substitutes one problem with another. Unless the key is obtained direct in person from the owner of the key one can never be certain as to the authenticity of the key.

Two methods exist to help verify the public key.

All keys are signed, or at least they should be. A key will be signed by the owner of the key (using the secret key) and possibly by third parties known to the key owner (using their secret key). If you have a key from one of these third parties you will be able to verify the key.

Each key has a unique 128-bit digital fingerprint. By obtaining the fingerprint through an alternative source (ideally tamper-proof - fax, printed copy, published in a book or magazine, telephone conversation et cetera) it is possible to use the fingerprint to validate the key.

Many public keys are obtainable from public key servers. No checks are made on whoever is uploading the key, the key server itself could be attacked, the communication channel is not secure. The keys should always be regarded as untrustworthy and subjected to verification.

PGP can be used to sign messages. This is the same process as used to sign a key. The presence of a digital signature can be used to verify the authenticity of a document or file. This can be very useful for ensuring that a file downloaded off the net has not been tampered with or infected by a virus.

PGP uses the RSA algorithm for encryption. This relies on the impossibility of factoring large prime numbers (using current technology and factoring algorithms). PGP is regarded as hard encryption - that which is impossible to crack in the foreseeable future.

PGP is the de facto Internet standard for encryption and digital signatures.

Index ~ PGP ~ Why use PGP ~ Web of Trust ~ Quick Reference ~ My Key
(c) Keith Parkins 1996-1998 -- June 1998 rev 6