PGP (Pretty Good Privacy) is a cryptosystem (encryption system) that was invented by Philip Zimmermann, a computer analyst. From 1984 to 1991, Philip Zimmermann worked on a program that made it possible to run RSA on personal computers (PGP).
However, given that he was using RSA without the authorization of its authors, this cost him 3 years of criminal trials; as a result, since 1993, the program has sold for approximately $150.
PGP is a hybrid cryptography system that uses a combination of functions taken from public-key cryptography and symmetric cryptography.
When a user encrypts a text with PGP, the data are first compressed. This data compression makes it possible to reduce transmission time via any communication channel, save disk space and, most importantly, increase cryptographic security.
Most cryptanalysts exploit models found in plaintext to break the encryption. Compression reduces these models in plaintext, therefore considerably improving resistance to cryptanalysis.
Encryption then primarily takes place in two phases:
This encryption method combines the easy use of public-key encryption with the speed of conventional encryption. Conventional encryption is approximately 1,000 times faster than public-key encryption algorithms. Public-key encryption resolves the problem of key distribution. Used together, these two methods improve the performance and management of keys without compromising security.
PGP offers the following functions:
A PGP certificate includes the following information, among others:
The fact that one certificate can contain several signatures is one of the unique aspects of the format of PGP certificates. Several people can sign the key/identification pair to confidently certify that the public key belongs to the specified owner. Some PGP certificates are made of a public key with several names, each offering a different way to identify the key's owner (for example, the name and company messaging account of the owner, the alias and personal messaging account of the owner, his photograph - all in one certificate).
In a certificate, a person must affirm that a public key and the name of the key's owner are associated. Anyone can validate PGP certificates. X.509 certificates always have to be validated by a certification authority or a person appointed by the CA. PGP certificates also use a hierarchical structure with the help of a CA to validate certificates.
There are several differences between an X.509 certificate and a PGP certificate. The most important of these are laid out below:
To create your own PGP certificate, you need to ask for an X.509 certificate to be issued by a certification authority and obtain it;
In general, the CA (Certification authority) has complete trust to establish certificates' validity and carry out the manual validation process. But it is difficult to establish a trust relationship with people not explicitly considered as reliable by your CA.
In a PGP environment, any user can act as a certification authority. He can therefore validate another PGP user's public key certificate. However, such a certificate may not be considered valid by another user unless a third party recognizes the person who validated the certificate as a reliable correspondent. That is, if they respect for example my opinion that says that other people's keys are correct only if I am considered to be a reliable correspondent. Otherwise, my opinion concerning the validity of other keys is subject to controversy.
Let's suppose, for example, that your set of keys contains Alice's key. You have validated it and, to show this, you sign it. Furthermore, you know Alice is very fussy when it comes to the validation of other users' keys. As a result, you assign her key full reliability. Alice therefore becomes a certification authority. If she signs another user's key, this key appears as valid on your set of keys.
Only the certificate's owner (the owner of its corresponding private key) or another user, appointed revocation authority by the certificate's owner, has the possibility of revoking a PGP certificate. Naming a revocation authority is useful, since certificates are often revoked by PGP users because the corresponding private key' s complex password has been lost. Yet this procedure can be performed only if the private key can be accessed. An X.509 certificate can be revoked only by its issuer.
When a certificate is revoked, its potential users need to be notified. To announce the revocation of PGP certificates, the usual method involves placing this information on a certificate server. This way, users wanting to communicate with you are warned not to use this public key.
Article written by Sylvain Lorin
Source: http://www.pgpi.org/doc/pgpintro/, an excellent reference