In 1991, the US Government classified encryption as a "munition", illegal to export, like a tank or a missile. Phil Zimmermann released PGP (Pretty Good Privacy) to gives citizens the right to whisper. He was investigated for arms trafficking. He printed the source code in a book (Free Speech) to bypass the ban.
Hybrid Encryption
PGP combines best of worlds:
1. Compress the message.
2. Generate a random Session Key.
3. Encrypt message with Session Key (AES/IDEA).
4. Encrypt Session Key with Recipient's Public Key (RSA).
1. The Web of Trust (WoT)
Unlike HTTPS (which uses centralized Certificate Authorities), PGP is decentralized.
How do I know this Public Key belongs to Edward Snowden?
I don't. But I trust Alice. And Alice trusts Bob. And Bob met Snowden and signed his key.
Thus, I trust Snowden via a valid Chain of Trust.
2. Key Signing Parties
In the 90s and 2000s, geeks met in basements.
1. Show your Passport/ID.
2. Read your Key Fingerprint out loud.
3. Everyone verifies and signs your key.
This built the "Strong Set" of the Web of Trust.
3. Why PGP failed to go mainstream
Usability.
"Keep your private key on a YubiKey." "Don't lose your revocation certificate." "Copy-paste this ASCII armor block."
Signal and WhatsApp replaced PGP by making encryption invisible.
4. Modern Use Cases
1. Package Signing: Linux repositories (apt/yum) sign software with GPG.
2. Git Commits: GitHub verifies your identity via GPG signed commits ("Verified" badge).
3. Dark Web Markets: Still the standard for communicating addresses.
GPG vs PGP
PGP is a proprietary software owned by Symantec.
GPG (GnuPG) is the open-source implementation of the OpenPGP standard (RFC 4880). Use GPG.