now is the time to forget the whimpering child, become the warrior
2. Introduction
There are two main branches of cryptography: symmetric cryptography and asymmetric cryptography.
Symmetric cryptography is the first type of cryptography invented, dating back to 2000 years ago, and the only one most people know. In symmetric cryptography, a cipher (cryptographic algorithm) is used in conjunction with a single key, for instance a password, to encrypt a message. The message can then be decrypted using the same key.
Symmetric cryptography poses a problem concerning the delivery of secure messages. The sender can encrypt a message and send it to the recipient, but has to provide the recipient the key to decrypt it. The key cannot obviously be sent with the message, and must be communicated through a secure channel.
Encryption provides a secure channel for the delivery of messages but, in order to make it usable, the sender must first deliver the key to the recipient.
This catch-22 problem was solved only thirty years ago with the birth of asymmetric cryptography, also called public key cryptography.
Public key cryptography is much more interesting and useful. It does not operate with a single key but with a key pair, composed of a public key and a private key (also called secret key). Public and secret key are created together at the same time using a special algorithm.
Let's show how public cryptography works by taking as an example two people, Alice and Bob, that want to exchange secure messages.
Alice generates her own key pair in advance. Then makes the public key available to anyone, for instance by publishing the key in a public directory, and carefully keeps for herself the secret key. This is perfectly safe, because it is practically impossible (or, as computer scientists prefer to say, computationally infeasible) to derive a private key from its companion public key alone. Bob does the same: generates a key pair, publishes his public key and keeps undisclosed his secret key.
When Bob wants to send a confidential message to Alice, he first retrieves Alice's public key from the directory. Then he encrypts the message with her public key and sends the message. Alice decrypts the message with her private key and is able to read it.
Public key cryptography is not only employed for confidentiality (ensure that the message can be read only by the intended recipient), but also for authentication (ensure that the message really comes from the intended sender) and integrity (ensure that the message has not been altered in transit). Authentication and integrity are enforced by appending a digital signature to the message.
A digital signature is generated by an algorithm that uses a hash function in conjunction with a key. A hash function is a function that takes in input a message of any length, and outputs a string of fixed small length called digest which is a distillate of the message fed in input. Notable features of hash functions include that is practically impossible to derive the input from the output, and that changing just one bit of the input results in a completely different output.
Hence Bob writes the message, generates the digital signature for the message using a predetermined hash function and his private key, appends the signature to the message, and sends to Alice the whole lot. Alice receives the message and verifies the signature using the same hash function and Bob's public key.
If the signature is valid, then the sender is authenticated, because only the owner of the private key, Bob, could have signed the message. This guarantees also the integrity of the message, because had the message been altered in transit, it would resolve to a different digest and the signature would not match.
Public key cryptography was firstly discovered by James Ellis, Clifford Cocks and Malcolm Williamson of the British Government Communication Headquarters in 1975, but the discovery was filed as classified information and never divulged. The following year researchers Whitfield Diffie, Martin Hellman and Ralph Merkle independently made the same discovery and published it on a paper. One year later Ronald Rivest, Adi Shamir and Leonard Adleman provided the first practical implementation of a public key cryptography algorithm by developing the RSA cipher.
Then in 1991 Phil Zimmermann, a free speech activist and anti-nuclear pacifist, developed Pretty Good Privacy (PGP), the first software available to the general public that utilized RSA for email encryption and signing. Zimmermann, after having asked a friend to post the program on the worldwide Usenet, found himself prosecuted by the government and was even charged by the FBI for illegal weapon export. The charges were eventually dropped, and Zimmermann later founded PGP Inc., now acquired by PGP Corporation.
In 1997 PGP Inc. submitted a standardization proposal to the Internet Engineering Task Force. The standard was called OpenPGP and defined in 1998 in the IETF document RFC 2440. The latest version of the OpenPGP standard is described in RFC 4880, published in 2007.
PGP is now a famous commercial product for communication security and privacy in corporate, business and home environment, and is available at http://www.pgp.com and http://www.pgpi.org.
Nowadays there are many OpenPGP-compliant products: the most widespread is probably GnuPG (GNU Privacy Guard, or GPG for short) which was developed in 1999 by Werner Koch. The GnuPG Project is hosted at http://www.gnupg.org.
GnuPG is free, open-source and available for several platforms. It is a command-line only tool, which means that it does not have a graphical interface.
Enigmail, first released in 2001 by Ramalingam Saravanan and maintained by Patrick Brunschwig since 2003, is the GnuPG plug-in for Mozilla email clients (Thunderbird and SeaMonkey). Enigmail interfaces seamlessly with GnuPG and provides a GUI to make easy for everyone to securely encrypt, decrypt, sign, and verify the signature on email messages. The homepage of the Enigmail Project is http://enigmail.mozdev.org or http://www.mozilla-enigmail.org .
Enigmail, GnuPG, Thunderbird and SeaMonkey are all free and open-source software. They can be downloaded, copied and used for free. As open-source projects, their source code is available for everyone who desires to examine or customize it.
PGP, along with all its variants, is the most famous and widely used public-key-encryption software in the world. Since its creation it has allowed people in totalitarian countries to enjoy privacy, enforce free speech, fight censorship, and protect human rights. It makes use of the strongest ciphers known in the scientific literature, and if utilized properly it is virtually unbreakable.