PGP (Pretty Good Privacy) is computer program developed by Phil Zimmermann that provides high security encryption for privacy and authentication. It is most commonly used for e-mails, which has no build-in security. Recent versions of PGP include plug-ins for many popular e-mail applications (such as Microsoft Outlook, Outlook Express and Netscape Messenger).
How it works
PGP uses asymmetric encryption and the RSA cipher with a public key and a private key which are used to sign and encrypt a message. The public key is publicly available on some of the many key servers around the world and it can be used to encrypt a message to the owner of the public key or to verify a signature of the keyowner. The recipient of the encrypted message can then decrypt this message using his private key.
A similar principle may be used to detect whether an e-mail was altered during transmission and whether it was actually sent by the person listed as the sender. To do this, the sender uses PGP to sign the mail message. This means that PGP creates a hash code of the message, which is then encrypted using the private key of the signer. The recipient of the mail uses the public key of the signer to decrypt the hash code which is then compared to the hash code the recipient computes using the mail content. Only if both hashes are the same is it certain that the mail was not altered.
An astute reader will realize that a correct digital signature only verifies that the sender of a message is the owner of a matching cryptographic key. An impostor may create a new key under a fraudulent name, distribute his key to the world, and proceed to sign messages that register as correctly signed. For this reason it is important to verify by some means (for example, a meeting in person) that you have the correct key of the person with who you wish to correspond securely.
The first version of PGP released by Zimmermann was made available on the Internet at no charge. The source code was available under a disclosed-source license. PGP aquired a following. Its proponents were called cypherpunks.
New developments: OpenPGP and new PGP-like programs
After the success of the original PGP, independant implementations of the PGP algorithms developed and an Internet standard called OpenPGP documented the data format to ensure the all implementations could decrypt and verify each other's encrypted and signed messages.
Currently there exists a high-quality free-software implementation of the OpenPGP standard called GNU Privacy Guard (GPG). It has been released by the Free Software Foundation. This is an entirely separate implementation that shares no code with the original PGP.
There was also a fork in the original PGP software. A version was exported from the United States somehow and this became PGPi, the i standing for "international". This version, maintained and distributed outside the USA, was not subject to the restrictive American laws concerning export of cryptographic software.
PGP goes commercial
In 1996 the company PGP, Inc. was formed to develop PGP. It funded itself by selling a commercial version of the software, though the original free version remained available and supported. PGP, Inc. was aquired by Network Associates, Inc. Phil Zimmermann became a Network Associates employee. In mid-2001, Phil Zimmerman left Network Associates; it is not clear that Network Associates will continue to make available disclosed source versions of the PGP variants it is producing.
- http://www.gnupg.org - The GNU Privicy Guard. A Free Software implementation of OpenPGP
- http://www.openpgp.org - Standards body for PGP
- http://www.pgpi.org - more information on currently available open source versions of PGP and for information on GPG.