PGP (Pretty Good Privacy) is a respected encryption mechanism for protecting email correspondence. PGPi is available for free, so the main reason for purchasing PGP Personal Security 7.03 would be to obtain the extra features that McAfee provides. These include a built-in firewall, self-decrypting files, a virtual hard drive that encrypts files and automatically decrypts them as they are accessed, plus free technical support via a Web page.
For many people, PGP is synonymous with trustworthy data security. Created by Phil Zimmermann in response to proposed US anti-cryptography legislation, PGP caused conniptions in the security community and delight around the world. It was the first freely obtainable, reliable and usable system for encrypting files and emails without relying on the distribution of secret keys. Public key encryption means you can give out a key to everyone, and they can use it to encrypt messages for you. Nobody can then decrypt the message without the private key that you -- hopefully -- keep secret.
PGP was free for many years, with the security of the software ensured by public source code -- in other words, nobody could hide a backdoor in the software, as the users had the option of remaking it themselves. Network Associates (of which McAfee is a subsidiary) continues to do this, but only for the public key parts of PGP Personal Security. The company has commercialised the product and now sells a full version while giving away the bare bones of the software in the old tradition. The full version, PGP Personal Security 7.03, matches current trends by including a firewall, encrypted virtual hard disk drives and a bevy of other disparate functions.
PGP is a strong and reliable encryption system, if it's used right. The major problem is the complexity of managing key authentication for more than a handful of users. If you send me your public key, I call you to verify the fingerprint. Then I sign the key to verify that I trust that key. I then send you your own public key so you can get my signature of your key. You then do the same for my key.
This works fine for two correspondents. However, with each added user the number of signatures verifying the keys escalates. Beyond about five users it gets too complicated to manage, so you have to use some kind of central server to manage the keys. The problem is that this then loses some of the trust on which PGP is based. I trust your key, not because I have checked it out, but because someone I trust has said your key is trustworthy. On a server, I have to trust that the server is completely secure and that the administrator of the server has checked out each key.
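The trade-off described above can be modelled in a few lines. This is an added example, not code from PGP or from this review: it counts the signatures needed when everyone verifies everyone, compares that with a single central introducer, and shows that a key the server signed without checking is accepted by anyone who trusts the server. All names and the signature-pair representation are assumptions made for the illustration.

```python
# Toy model of PGP key certification (added illustration, not PGP's own code).
# A signature is a pair (signer, key_owner); all names are constructed.
from itertools import permutations

def full_mesh_signatures(users):
    """Everyone checks the fingerprint of, and signs, everyone else's key."""
    return set(permutations(users, 2))

def introducer_signatures(users, introducer):
    """Users sign only the introducer's key; the introducer signs every user's."""
    others = [u for u in users if u != introducer]
    return {(introducer, u) for u in others} | {(u, introducer) for u in others}

def valid_keys(me, signatures, trusted_introducers):
    """Keys `me` accepts: those `me` signed, plus keys signed by a trusted
    introducer whose own key is already valid (iterated to a fixed point)."""
    valid = {me} | {owner for signer, owner in signatures if signer == me}
    changed = True
    while changed:
        changed = False
        for signer, owner in signatures:
            if signer in trusted_introducers and signer in valid and owner not in valid:
                valid.add(owner)
                changed = True
    return valid

if __name__ == "__main__":
    for n in (2, 5, 10, 50):
        users = [f"user{i}" for i in range(n)]
        mesh = len(full_mesh_signatures(users))
        hub = len(introducer_signatures(users + ["server"], "server"))
        print(f"{n:>3} users: {mesh:>5} direct signatures, {hub:>4} via a server")

    users = ["alice", "bob", "carol"]
    sigs = introducer_signatures(users + ["server"], "server")
    # The server signs a key it never checked: alice accepts it all the same.
    sigs.add(("server", "unchecked-key"))
    print(sorted(valid_keys("alice", sigs, {"server"})))
    # Without trusting the server as introducer, alice accepts only what she signed.
    print(sorted(valid_keys("alice", sigs, set())))
```

Direct verification grows as n(n-1) signatures, while the server model grows as 2n but makes every acceptance depend on the server's own checking.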








