In public-key cryptography, a user has a pair of keys: public and private. As their names suggest, the private key is kept private, while the public key is distributed to other users. The owner of the private key never, ever shares it with anyone. The public and private keys of a particular user are related via complex mathematical structures in a way that inexorably links one key with the other. This relationship is crucial to making public/private key-based encryption work, as you will soon see.
The public key is used as the basis for encrypting a message, while the private key is necessary for the recipient to decrypt the encrypted message. Only the bearer of the private key can decrypt the message. Even the person who did the encrypting cannot decrypt the message he just encrypted, because he does not hold the private key.
Huh?
OK ... let's try this again:
Suppose that Joe User has a public key and a private key. Jane User also has a public key and a private key. Joe and Jane want to send encrypted messages to each other, so they exchange public keys. Now Joe has his own private key and Jane's public key. Jane has her own private key, and Joe's public key.
Keys are kept on key rings: one ring is for private keys and another is for public keys. They are not unlike real key rings that hold your car, house, and other keys together. On Joe's public key ring, he has Jane's public key. On Jane's public key ring, she has Joe's public key. Both Joe and Jane also have private key rings that hold only their own private keys. Their private key rings should only ever hold their own private keys.
When Joe wants to send an encrypted message to Jane, he uses his encryption software to scramble the message based on Jane's public key. Jane receives the message, then uses her encryption software and her private key to decrypt it. Only Jane will be able to decrypt a message that has been encrypted by someone using her public key.
In the early 1990s, Phil Zimmermann developed PGP, or Pretty Good Privacy, which quickly became a very popular piece of software for email and file encryption using public and private keys. Due to the United States' export regulations and the import regulations of other countries regarding encryption algorithms, however, the OpenPGP standard was developed, and the GnuPG software was built around it. Unlike PGP software, GnuPG does not use patented or restricted encryption algorithms, and thus, it has become a popular alternative to PGP.
Although US export laws were recently modified, both PGP and GnuPG will likely continue to co-exist in the developer community. In the next section, you'll learn to use either PGP or GnuPG with PHP to encrypt and send messages, so now is a good time to decide which you'd like to use. Here are some basic differences:
- To use PGP commercially, you must pay a fee, while GnuPG is free for all types of uses.
- GnuPG is primarily Unix-based, although a Windows version does exist. PGP has versions for Unix, Windows, and even the Mac.
- Both PGP and GnuPG have some restrictions or warnings regarding export and distribution, although this problem hits PGP users harder than GnuPG.
- Both PGP and GnuPG are easy to install and subsequently use, but PGP has an extensive built-in GUI.
Take a look at both Web sites (www.pgp.com and www.gnupg.org) and decide for yourself.
After determining which encryption software you want to use, follow the steps outlined in either of the following sections to learn how to set up PGP or GnuPG on your Web server and on your personal system, so you can use PHP to invoke the encryption and send your Web-based order forms and whatnot to yourself as encrypted messages.