About PGP

PGP (Pretty Good Privacy) is one of mechanisms for encryption and digital signature.

• >> Public key cryptography
• >> Web of trust
• >> Fingerprint of a public key

>> Public key cryptography

PGP utilizes public key cryptography. In public key cryptography, each user generates a pair of keys: secret and public keys, and let only the public key available to others.

A message encrypted with the public key can only be decrypted with the corresponding secret key. Therefore one can send a message safely through an unsafe channel by encrypting the message just for the correspondent. It is also possible for a person to digitally sign a message by reversing the roles of the keys; the content encrypted with the secret key can only be decrypted with the corresponding public key.

>> Web of trust

The trust of a public key is problematic in public key cryptography. Some impostor may publicize a forged public key on the Internet, where communication channels are unprotected.

In order to guarantee the authenticity of a public key, it is effective to attach a digital signature to the key. However, a digital signature itself is a cipher using public key cryptography, which means that one must verify the authenticity of the signing key in order to verify the signature on the public key. The problem is recursive.

PGP challenges this problem with expansion of the web of trust, which is a network of signing relationships of public keys. Once the authenticity of public keys is established between two people (perhaps by making a contact in the physical space), they sign each other's public keys. A web of trust starts from this relationship, and is expanded as more people join in the signing relationships.

>> Fingerprint of a public key

Since a public key is too big for a human being to handle directly, it is very cumbersome to confirm that a public key they have obtained is genuine. For that sake, a public key data is compressed to the form of 40 digits (because it is in hexadecimal, the numbers may contain alphabets between 'A' and 'F'). This is called the fingerprint of the public key. The fingerprint is calculated in such a way that if two public keys are slightly different, the resulted fingerprints differ widely.

In order to confirm that a public key is genuine, one should obtain the fingerprint of the key via a trusted channel. Then you calculate the fingerprint of the key you have obtained, and compare the two fingerprints.

About GnuPG

GnuPG (GNU Privacy Guard) is an open and free substitute for the PGP program.

GnuPG does not use IDEA algorithm¹ which is patented. Therefore there is no restriction in how the software is used. GnuPG is compliant to RFC2440 (OpenPGP).

You may want to refer to http://www.gnupg.org/ for detailed information on GnuPG.

---

1	An algorithm is a problem-solving procedure.