Pretty Good Privacy, commonly known as PGP, is a utility that enables computers to exchange messages, secure files, and use network connections with privacy and strong authentication. PGP uses verification of individuals through authentication and encryption of data using keys. In addition to verifying those computers and users from whom you receive messages and files, PGP also stores the encrypted data on your computer, guaranteeing privacy from hackers.
PGP uses encryption and decryption keys to ensure privacy. The keys are a pair of mathematically related cryptographic keys. PGP uses a public key for the encryption. Public keys are published on many Internet sites and even on private servers, if you have a PGP or other secure program. You freely distribute your public key so it can be seen and used by all users.
A corresponding private key is used for decryption. The private key is unique; it remains on the individual user's PC. Private keys are securely protected. Private keys are located in a keystore, which is protected by many security measures. Anyone who attacks your computer needs the physical keystore to decrypt your files. With PGP, your server or computer generates a public key that it sends to others over the network, Internet, e-mail, and so on. Others use that public key to encrypt data and then send it back to you. You are the only one with the private key; therefore, you are the only one who can decrypt the files.
Some PGP programs are freeware, or you can pay for programs that offer similar and often more intricate features. PGP is a basic program you can use with Windows, Macs, and many Linux distributions. Generally, the freeware is for use by individuals as opposed to corporations. For more information about freeware, see www.pgpi.org.
PGP comes in the simplest of versions, such as GnuPG, for example. GnuPG (Privacy Guard) is a command-line utility that is a basic PGP utility for open source programming. GnuPG does not use the IDEA algorithm, which makes true PGP what it is. IDEA is a 128-bit encryption that is patented for use with PGP.
Many varied other PGP versions exist, some freeware, some shareware, and some commercial products. The most recent release of a commercial product is PGP version 8.0, for Macs and Windows users. You can purchase a single seat license for individual or small-business use for around $50. PGP 8 encrypts e-mail, files, instant messages, plus it enables you to manage your PGP keys. PGP 8 also encrypts data on your computer so that it cannot be hacked.
There are other forms of encryption and protection over the Internet or on your own network. Certificates and digital signatures are two additional methods you can use to secure your data. For more information, see the sidebar "Certificates and Digital Signatures" or see www.articsoft.com.
Certificates and Digital Signatures
Public Key Infrastructure (PKI) is a security solution that provides digital security through authentication, data integrity, data confidentiality, and access control. The main question about your security structure is who should you trust? Certificates and digital signatures are a part of PKI that enable you not only to know who has access to your data but also to control who has access to your data.
A user who wants to take part in a specific PKI generates a public and private key pair; actually, a software program generates the keys and performs all of the encryption, decryption, signing, and so on, in the background. Anyone can get ahold of the public key, but only the original user and the certificate authorities (CAs) have access to the private key. The public key encrypts the data; the private key decrypts data. To someone who does not have the private key, the encrypted data is worthless.
With the private key, the sender puts a digital signature on data and files as a stamp of sorts, saying that data and signature is uniquely that user's.
Certificate authorities are the delivery and administration mechanism for certificates (also called digital certificates). The certificate is a file containing information identifying the sender and the public key. The CA is a trusted third party that verifies the information. So when you receive data using PKI, the CAs have verified that the data is from who it says it's from. Data not matching the appropriate certificates and digital signatures does not make it through the certificate authorities.