PGP: Pretty Good Privacy. In *private-key cryptography* one key is used by
both parties. One problem with this kind of encryption is that if the
key is intercepted, a third party could decrypt the messages. So, the
idea of *public-key cryptography* was
developed. Here's how it works...

Everyone has two keys: a public and a private key. When someone wants to send something to a recipient, they (the sender) encrypt it with the recipient's public key. Then the only way to decrypt it is with the recipient's private key. One of the other benefits to PGP is that it allows the sender to "sign" their messages. This proves that the message came from the sender and has not been altered in transport.

Based on this theory, PGP allows everyone to publicize their public keys, while keeping their private keys secret. The result is that anyone can encrypt a message to someone else, as long as they have that person's public key.

In actuality, PGP uses a seies of private key, public key and one-way hash functions to encrypt a message. A one-way hash function takes some plaintext and translates it into a specific hash. The hash is unique to the message (like a fingerprint is to a person). The hash is also non-reversable, hence the name one-way. Let's run through an example of what PGP does to encrypt and decrypt an e-mail message. Our sender will be Chris and our receiver will be Brian.

- -Chris writes his message.
- -Chris uses a one-way hash function (such as MD5) to create a hash for the message.
- -Chris, via RSA or some other digital signature algorithm, signs the hash with his private key.
- -Chris merges the message and the signature, resulting in a new signed message.
- -A random encryption key is generated, the session key.
- -Chris uses the session key to encrypt the message, using DES or some other private key method.
- -Chris gets Brian's public key.
- -Chris then encrypts the key with Brian's public key, via RSA or some other public key method.
- -Chris merges the encrypted message and the encrypted key and mails it to Brian.

Once Brian receives the message he can have PGP decrypt it. Here's what it would do:

- -Brian seperates the encrypted message and the encrypted session key.
- -Using RSA, Brian decrypts the session key.
- -Using DES, Brian decrypts the message with the decrypted session key.
- -Brian then seperates the message and the signature.
- -Using MD5, Brian calculates the hash value of the message.
- -Brian gets Chris' public key.
- -Via RSA, and Chris' public key, Brian decrypts the signature.
- -Brian then compares the hash value and the decrypted signature. If they are the same, Brian knows that the message is authentic and has not been altered since Chris signed it.

Note: While we have used RSA,DES and MD5 in our example (that is what PGP uses) other similar algorithms could be used in their place. It is the combination of these three functions that makes PGP so strong. Remember, however, that the overall security of the method you choose is only as good as the weakest encryption method you choose to substitute for the three forms in the above example.