PGP (Pretty Good Privacy) is a program designed to provide secure communications using the following three primary components:
Public key (asymmetric) cryptography, so that you can distribute a key to "the world" that allows them to encrypt data such that only you can decrypt the data.
PK algorithms tend to be relatively slow when applied to significant "bulks" of data. As a result, public key crypto systems generally use PK only to encrypt a "session" or "message" key. This message key is then used in conjunction with a symmetric/private key cipher to rapidly encrypt/decrypt the body of the message.
The most commonly used algorithm for this purpose is known as RSA, named after its creators, Rivest, Shamir, and Adleman. Other algorithms include "Diffie-Hellman" and "El Gamal."
Diffie-Hellman and El Gamal have recently become of additional interest since the patents that previously governed their use have expired, while the RSA patent still has some time "on the clock."
Private key (symmetric) block cipher.
Messages are split into "blocks," which are encoded/decoded using a block cipher under a "message key," a (preferably truly random) key value generated freshly for the current message. The algorithm traditionally used with PGP is a 128-bit cipher called IDEA; banking systems and various commercial RSA implementations commonly use DES; some systems use RC5. A block cipher that has been gaining popularity lately is Bruce Schneier's Blowfish.
The primary point of using a block cipher is that block ciphers are immensely faster than any of the public key ciphers, and are perfectly good choices for encoding the main body of a message.
Message Digest Algorithm.
These are hashing algorithms that have the nice property that it is virtually impossible to construct multiple messages that produce the same Message Digest value. A copy of the resulting "signature" value is sent along with the message, and gives a good degree of confidence that the data has not been tampered with along the way.
RSA's MD5 is probably the most commonly used algorithm of this type.
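The hybrid structure described above (a fresh random message key wrapped with the recipient's public key, and the message body encrypted under a fast symmetric cipher with that key), as an added illustration that is not PGP's own code: textbook RSA with toy-sized primes stands in for the public key algorithm, and a SHA-256 keystream stands in for IDEA, so the structure can be run with nothing but the Python standard library.

```python
import hashlib, math, os, secrets

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test (toy keygen; real PGP keys use far larger primes)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=160):
    """Textbook RSA key pair ((e, n), (d, n)); n must exceed 2**128 to wrap a 16-byte key."""
    def prime():
        while True:
            p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(p):
                return p
    while True:
        p, q = prime(), prime()
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if p != q and math.gcd(e, phi) == 1:
            return (e, n), (pow(e, -1, phi), n)

def keystream_xor(key, data):
    """Symmetric stand-in for IDEA: SHA-256 in counter mode as a keystream, XORed with the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(pub, plaintext):
    """PGP-style hybrid encryption: random message key, RSA-wrapped; body under the symmetric cipher."""
    e, n = pub
    key = os.urandom(16)  # the per-message "message key" from the text
    return pow(int.from_bytes(key, "big"), e, n), keystream_xor(key, plaintext)

def decrypt(priv, wrapped_key, body):
    d, n = priv  # unwrap the message key with the private exponent, then decrypt the body
    return keystream_xor(pow(wrapped_key, d, n).to_bytes(16, "big"), body)
```

Only the short message key ever goes through the slow public key operation; the body, however long, is handled by the fast symmetric routine.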
PGP contains various other functions (e.g. routines to manage generation of truly random numbers, typically seeded using system timing values that are known to be truly random), tools for managing and authenticating public keys, a data compression algorithm (compressed data is smaller and generally appears more nearly random than the original data), and code to turn messages into "armored text" form so that even binary data can be transmitted using email.
There is also the option of signing plain text, that is, creating a signature for a document that is left in plain, readable form. The point of this is that it allows me to make a public statement and provide authentication that it is indeed I that made that statement, and not someone else masquerading as me. I haven't personally had call to need this functionality; the people that do are those that make CERT (Computer Emergency Response Team) announcements of security problems. When they announce that security "holes" have been found, they sign the plaintext announcements to provide some degree of confidence that it is indeed CERT that has announced the problem, and not someone else wishing to cause trouble.
PGP has recently started to be extended (OpenPGP) to allow users to specify the use of other encryption algorithms. This allows PGP to be more freely usable, since RSA and IDEA are both patented algorithms.
Cryptographic tools have been considered by the US "NSA" to be "munitions" whose import/export must be restricted in comparable fashion to traditional "munitions" such as missiles and artillery.
(Nuclear, biological and chemical weaponry are not good comparisons, as the associated restrictions are exceedingly intense, particularly for chemical and biological devices that are forbidden by international treaty.)
Formerly known as Replay Associates; home of various free cryptographic software.
It uses (no-longer-patent-restricted) El Gamal as the public key algorithm, and may use others such as RSA.
It uses MD5 for message signatures, and may be configured to use others such as DSA, SHA-1, TIGER, and RIPE-MD-160.
Getting some support from the German government...
The code to PGP is publicly available. Therefore it is easy to modify. If someone were to modify the source code to PGP, inserting a sneaky backdoor, and leave it at some distribution point, it could be disastrous. However, it is also very easy to detect: simply verify the checksums. Patching the MD5 module to report a false checksum is also possible, so verify using a known good copy. A more devious attack would be to modify the code, compile it and surreptitiously plant it in the target system. In a networked environment this can be done without ever having physical access to the machine.