Encrypting E-Mail Data
In this chapter, you'll learn to use the Free Software Foundation's implementation of the Pretty Good Privacy (PGP) method for general-purpose data security. The name of this implementation is the GNU Privacy Guard (GPG).
Though PGP and, more specifically, GPG can be used for encrypting many kinds of data, PGP really became an international success because of its ability to do quick-and-dirty encryption with many popular e-mail clients. The encryption of e-mail remains PGP's most common function.
A Quick PGP Overview
Like many of the other encryption methods we've covered so far, PGP works with a two-key encryption system. Every person using PGP creates a key pair for himself or herself. One key in the pair is a public key; the other key is a private key. The public key is circulated as widely as possible and may even be listed in any one of several public key databases, where other Internet users around the world can find it. The private key is a closely guarded personal secret and is never transmitted or copied anywhere or to anyone.
These two keys work together to encrypt and decrypt data. Data encrypted with the public key can be decrypted only with the matching private key, and, conversely, data encrypted with the private key can be decrypted only with the matching public key. This allows two kinds of verification to take place.
First, any member of the public who wishes to send a message to a specific person can encrypt the message or data in question with that person's public key before sending it. Since only the person's private key can decrypt it, the sender is guaranteed that no one other than the intended recipient, who holds the private key, will see it in unencrypted form.
In the other direction, a sender can also validate (sign) a message or data using his or her private key and send it to the public at large (or to his or her friends). When the recipients are able to decode the signature using the supposed sender's public key, they can be assured that the message or data did indeed come from the holder of that private key, that is, from the sender it claims to be from.
Though there are many more twists, turns, and features than this, that is the basic idea behind public key cryptography, and PGP represents a kind of brute-force, simple implementation of this concept.
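The two operations just described, exercised with GnuPG in a throwaway keyring so nothing touches your real ~/.gnupg (an added example, not from the book; it assumes gpg 2.1 or later is on the PATH, and the identity and message are constructed):

```shell
#!/bin/sh
# Added example: encrypt-to-public-key / decrypt-with-private-key, then
# sign-with-private-key / verify-with-public-key, using GnuPG in a temp home.
# Assumes gpg 2.1+ on PATH. The user id and message below are constructed.
set -eu

# run_pgp_demo prints "encrypt-ok sign-ok tamper-detected" when all three
# checks pass; any other output means one of the steps failed.
run_pgp_demo() {
    tmp=$(mktemp -d)
    export GNUPGHOME="$tmp/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    uid="Alice Example <alice@example.invalid>"   # constructed identity

    # 1. Generate a key pair. No passphrase only because this demo is non-interactive.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never 2>/dev/null

    # 2. "Circulate" the public key: this armored file is what you would publish.
    gpg --batch --quiet --armor --export "$uid" > "$tmp/alice.pub.asc"

    # 3. Encrypt to Alice's public key; only the holder of her private key can read it.
    printf 'meet at noon\n' > "$tmp/msg.txt"
    gpg --batch --quiet --trust-model always --recipient "$uid" --armor \
        --output "$tmp/msg.asc" --encrypt "$tmp/msg.txt" 2>/dev/null
    enc=fail
    [ "$(gpg --batch --quiet --decrypt "$tmp/msg.asc" 2>/dev/null)" = "meet at noon" ] && enc=encrypt-ok

    # 4. Sign with Alice's private key; anyone holding the public key can verify it.
    gpg --batch --quiet --local-user "$uid" --clearsign \
        --output "$tmp/msg.signed.asc" "$tmp/msg.txt" 2>/dev/null
    sig=fail
    gpg --batch --quiet --verify "$tmp/msg.signed.asc" 2>/dev/null && sig=sign-ok

    # 5. Alter the signed text: the signature no longer matches and verify must fail.
    sed 's/noon/midnight/' "$tmp/msg.signed.asc" > "$tmp/tampered.asc"
    tamper=fail
    gpg --batch --quiet --verify "$tmp/tampered.asc" 2>/dev/null || tamper=tamper-detected

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    echo "$enc $sig $tamper"
}
```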