In public-key cryptography, a user has a pair of keys: public
private. As their names suggest, the private key is kept private,
public key is distributed to other users. The owner of the private
never, ever shares the private key with anyone. A second, public
distributed to other users. The public and private keys of a
user are related via complex mathematical structures in such
a way that
inexorably links one key with the other. This relationship is
making public/private key-based encryption work, as you will
The public key is used as the basis for encrypting a message,
private key is necessary for the recipient to decrypt the encrypted
message. Only the bearer of the private key can decrypt the message.
the person who did the encrypting cannot decrypt the message
encrypted, because he does not hold the private key.
OK ... let's try this again:
Suppose that Joe User has a public key and a private key.
Jane User also
has a public key and a private key. Joe and Jane want to send
messages to each other, so they exchange public keys. Now Joe
has his own
private key and Jane's public key. Jane has her own private key,
Joe's public key.
Keys are kept on key rings: One ring is for private keys and
for public keys. They are not unlike real key rings that hold
your car, house, and
other keys together. On Joe's public key ring, he has Jane's
public key. On
Jane's public key ring, she has Joe's public key. Both Joe and
have private key rings, that hold only their own private keys.
private key rings should only ever hold their own private keys.
When Joe wants to send an encrypted message to Jane, he uses
encryption software to scramble the message based on Jane's public
Jane receives the message, then uses her encryption software
private key to decrypt it. Only Jane will be able to decrypt
a message that
has been encrypted by someone using her public key.
In the early 1990s, Phil Zimmerman developed PGP, or Pretty
Privacy, which quickly became a very popular piece of software
and file encryption using public and private keys. Due to the
export regulations and the import regulations of other countries
regarding encryption algorithms, however, the OpenPGP standard
developed, and the GnuPG software was built around it. Unlike
GnuPG does not use patented or restricted encryption algorithms,
thus, it has become a popular alternative to PGP.
Although US export laws were recently modified, both PGP and
will likely continue to co-exist in the developer community.
In the next
section, you'll learn to use either PGP or GnuPG with PHP to
and send messages, so now is a good time to decide which you'd
use. Here are some basic differences:
- To use PGP commercially, you must pay a fee, while GnuPG
is free for
all types of uses.
- GnuPG is primarily Unix-based, although a Windows version
exist. PGP has versions for Unix, Windows, and even the Mac.
- Both PGP and GnuPG have some restrictions or warnings regarding
and distribution, although this problem hits PGP users harder
- Both PGP and GnuPG are easy to install and subsequently
use, but PGP
has an extensive built-in GUI.
Take a look at both Web sites (www.pgp.com and www.gnupg.org) and decide for
After determining which encryption software you want to use,
steps outlined in either of the following sections to learn how
to set up
PGP or GNUPG on your Web server and on your personal system,
so you can
use PHP to invoke the encryption and send your Web-based order
whatnot to yourself as encrypted messages.