The first 16 bits of the message digest in a PGP signature are translated in the clear, also referred to as ôcleartextö or ôplaintextö (ôHow PGP Worksö). The cleartext is not encrypted in any way and can be read by anyone without the use of a key (ôHow PGP Worksö). At first glance, this might seem like a security compromise, but with the use of a hash algorithm, it is not: ôThe security does not exist by keeping the encryption algorithms secret. In fact, it is enhanced by publishing them for peer reviewö (ôPGP Forumö).
PGP uses a hash algorithm that creates a mathematical summary from the userÆs name and signature, encrypting it with the senderÆs private key (ôPretty Good Privacyö). When the receiver subsequently uses the senderÆs public key to decrypt the hash code, a match signifies that ôthe message has arrived securely from the stated senderö (ôPretty Good Privacyö). The hash algorithm does perform its intended function; it helps determine whether the correct RSA key was used to decrypt the digest:
As long as a secure hash function is used, there is no way to take someone's signature from one document and attach it to another, or to alter a signed message in any way. The slightest change in a signed document will cause the digital signature verification process to fail (ôHow PGP Worksö).
How PGP Works. Retrieved on March 6, 2006 from: http://www.pgpi.org/doc/pgpintro/#p10
PGP Forum. Retrieved on March 6, 2006 from: http://forums.pgpsupport.com/viewtopic.php?t=4101&sid=969a6c2f8c7e0bfdd9bd4b3845a92be7
Pretty Good Privacy. Retrieved on March 6, 2006 from: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214292,00.html
...