Non-profit, member-based IT support for research & educational institutions


CREN Strategic and Practical FAQ – CA Launching

PGP: Pretty Good Privacy

Draft 1.7, November 26, 2001

1. What is PGP?


Pretty Good Privacy was originally developed by Phillip Zimmerman to provide a means of secure communication in an insecure electronic environment.  “Pretty Good” is an understatement.  The framework that it is based on, the PKI (Public Key Infrastructure) and its encryption standards (such as Diffie-Helman or RSA algorithms of varying strengths) have been subjected to rigorous cryptanalysis.

PGP has since grown into a more versatile application under the direction of its current owner, Network Associates ( Until the most recent release PGP has been completely open source, allowing anyone to review the code and suggest improvements.

2. Why Do I Want to Use PGP?


PGP is another security tool similar to digital certificates.  One advantage of PGP is that individuals and small groups can begin using PGP for securing their email with little overhead.  At CREN, we use PGP to set up a secure communication channel with institutions applying to have the CREN CA sign their institutional certificate.  

Part of the process is that a validated Technical Contact send the official CSR Certificate Signing Request) to the CREN contact.  PGP is used to establish the secure communication channel that supports this part of the application process. It is also important that the Technical contact retain this “out-of-band” communication channel for communications.

Getting PGP is easy.  Here are the ways to do this.

The freeware version of PGP can be downloaded from any of the following sites:

From PGP (owned by NAI)  

                                                (Windows and Macintosh Versions)

From MIT           

                                    (Windows, Macintosh, AIX/HP-UX/Linux/Solaris)

PGP international

(Many versions, with translations into many languages, PGP news.)

Licensed versions of PGP can be bought at:

McAfee -,1057,3-18-ML100111,00.html

3. How does PGP work?

The first step in using PGP after installing the software onto your systems, is to generate a key for yourself.  In generating a key, the software generates a key pair. These are simply text files that look like gibberish to a human. The keys can be created at various levels of strength, such as 512, 1024, or 2048 bit strengths. The higher the number, the stronger the encryption values are of the key.  One key of the pair is the Private key – this key should always be kept safe and never given to anyone.  The other key is the public key – this key should be given to as many people as possible.


4. What are the uses of PGP?


The most commonly used aspect of PGP is the signing and encryption of email or files.  “Signing” a document is a way of verifying the integrity of the original work.  The steps that PGP implements are as follows:

a. Makes a digest or “hash” of the file or email.  A hash is an algorithm that produces (theoretically) a unique output (the hash) from a given input (the message).

b. Adds the hash to the end of the message.

c. When someone wants to verify that the message has not been modified, they run the hash algorithm on the message and compare it to the hash at the end of the message.  If the signatures match, the message has not been altered.

This is demonstrated in the following example:

The hash algorithm: take every third letter of the message (ignore punctuation), and convert the letter to a number (a=1, b=2…z=26).  Add the numbers together.

The message:  Hello, This is a sample message to demonstrate signatures.

The hash algorithm in progress:

Hello, This is a sample message to demonstrate signatures.

12 +20+19 + 1 +13 +5 +19 +7 +15 +13+19 +1 +19+14+21+19 = 217

The message after adding the hash:

            Hello, This is a sample message to demonstrate signatures.

Hash value: 217

If the message is altered, the hash value will not be the same.

            Altered message:

            Hello, This is an altered message to demonstrate signatures. - Creates a new hash:

Hello, This is an altered message to demonstrate signatures.

12 +20+19 +1 +12+18 +13+19 +5 +4+ 15 +20 +20 +9 +1 +18 = 206

Since the hashes are not equal, the message has been altered.

Actual hashing algorithms are much more complex.  Additionally, the hashing algorithm is used in conjunction with the user’s private key in such a way that the signature is unique. That is, if different people (thus different private keys) signed the same email, the signatures would be different.  Then the public key of the key pair is used to compare the hash created by the private key, and if the hashes match, then two things are assured:  1) The message has not been modified since signing and 2) the signature was not forged.

5. How is encryption used with digital signatures?

Encryption is a method of changing plaintext (text that is readable by humans) into ciphertext (text that is meaningless to humans).  There are many different ways of encryption, some stronger than others.  Two main categories of encryption are symmetric and asymmetric.  In symmetric cryptography, the same key that encrypts a file also decrypts it.  In asymmetric cryptography, which is what PGP uses, one key (the public key) encrypts the file, and the other key (the private key) decrypts it.  So, if user A wants to send an encrypted message to user B, user A would first obtain user B’s public key.  This is possible because public keys are meant to be widely distributed.  Then user A encrypts the message using user B’s public key.  The encrypted message can now only be decrypted with B’s private key, which only he possesses.  Not even user A, who wrote the message, can decrypt what he has encrypted, because he does not possess user A’s private key.  This ensures that the message is unreadable by anyone other than user A.

Encryption and signing are often combined.  In this scenario, user A would use user B’s public key to encrypt the message, then use his own private key to sign the message.  This will ensure that no one but user B can read the message, and when user B receives it, he can be assured that the message was not altered.  To read the message, user B would first use user A’s public key to verify that the signature matches.  Then user B would use his private key to decrypt the message that user A wrote.


For more information on PGP, visit




Web location:

Please send comments/suggestions to