PGP and GnuPG use the notion of a ring of trust:(2) If you trust someone and that person trusts someone else, the person you trust can provide an introduction to the third party. When you trust someone, you perform an operation called key signing. By signing someone else's key, you are verifying that that person's public key is authentic and safe for you to use to send e-mail. When you sign a key, you are asked whether you trust this person to introduce other keys to you. It is common practice to assign this trust based on several criteria, including your knowledge of a person's character or a lasting professional relationship with the person. The best practice is to sign someone's key only after you have met face to face to avert any chance of a person-in-the-middle(3) scenario. The disadvantage of this scheme is the lack of a central registry for associating with people you do not already know.
PGP is available without cost for personal use, but its deployment in a commercial environment requires you to purchase a license. This was not always the case: Soon after its introduction, PGP was available on many bulletin board systems, and users could implement it in any manner they chose. PGP rapidly gained popularity in the networking community, which capitalized on its encryption and key management capabilities for secure transmission of e-mail.
After a time, attention turned to the two robust cryptographic algorithms RSA and IDEA, which are an integral part of PGP's code. These algorithms are privately owned. The wide distribution and growing user base of PGP sparked battles over patent violation and licenses, resulting in the eventual restriction of PGP's use.
Enter GnuPG, which supports most of the features and implementations made available by PGP and complies with the OpenPGP Message Format standard. Because GnuPG does not use the patented IDEA algorithm but uses BUGS instead, you can use it almost without restriction: It is released under the GNU GPL. The two tools are considered to be interchangeable and interoperable. The command sequences for and internal workings of PGP and GnuPG are very similar.
The GnuPG System Includes the gpg Program
GnuPG is frequently referred to as gpg, but gpg is actually the main program for the GnuPG system.
GNU has a good introduction to privacy, The GNU Privacy Handbook, available in several languages listed at www.gnupg.org/docs.html. Listed on the same Web page is the Gnu Privacy Guard (GnuPG) Mini Howto, which steps through the setup and use of gpg. And, of course, there is a gpg info page.
(2) For more information, see the section of The GNU Privacy Handbook titled Validating Other Keys on Your Public Keyring.
(3) Person in the middle: If Alex and Jenny try to carry on a secure e-mail exchange over a network, Alex first sends Jenny his public key. However, suppose that Mr. X sits between Alex and Jenny on the network and intercepts Alex's public key. Mr. X then sends his own public key to Jenny. Jenny then sends her public key to Alex, but once again Mr. X intercepts it and substitutes his public key and sends that to Alex. Without some kind of active protection (a piece of shared information), Mr. X, the person in the middle, can decrypt all traffic between Alex and Jenny, reencrypt it, and send it on to the other party.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.