GNU Privacy Guard
The GNU Privacy Guard (GnuPG or GPG) is a free software replacement for the PGP suite of cryptographic software, released under the GNU General Public License. It is a part of the Free Software Foundation's GNU software project, and has received major funding from the German Government. GPG is completely compliant with the IETF standard for OpenPGP. Current versions of PGP (and Veridis' Filecrypt) are interoperable with GPG and other OpenPGP-compliant systems. Although some older versions of PGP are also interoperable, not all features of newer software are supported by the older software. It is necessary for users to understand those incompatibilities and work around them.
History
GPG was initially developed by Werner Koch. Version 1.0.0 was released on September 7th, 1999. The German Federal Ministry of Economics and Technology has funded the documentation and the port to Microsoft Windows in 2000.
Because GPG is an OpenPGP standard compliant system, the history of OpenPGP is of importance. See both PGP and OpenPGP for more information.
Version 1.4.2 of the stable branch was announced on 27 July 2005, and version 1.9.20 of the development branch (with S/MIME support) was released on 20 December, 2005.
Uses of GnuPG
GPG is stable, production-quality software. It is frequently included in free operating systems, such as FreeBSD, OpenBSD, and NetBSD and nearly all distributions of GNU/Linux.
Although the basic GPG program has a command line interface, there exist various front-ends that provide it with a graphical user interface; for example, it has been integrated into KMail and Evolution, the graphical email clients found in the most popular Linux desktops KDE and GNOME. For GNOME, there is a graphical GPG front-end called Seahorse. A plugin known as Enigmail allows GPG to be integrated with Mozilla and Thunderbird, which works on Microsoft Windows as well as Linux and other operating systems. Web-based software such as Horde also makes use of it. Note that, because the plugin mechanism is not part of GPG itself and not specified by the Open PGP standard, and because neither the GPG nor Open PGP developers were involved in their development, it is possible that GPG's security benefits could be compromised or even lost as a result of using such auxiliaries.
GPG can also be compiled for other platforms like Mac OS X and Windows. For Mac OS X, there is a free port called MacGPG which has been adapted to use the OS X user interface and its native class definitions. Cross compilation is not a trivial exercise, at least in part because security provisions vary with operating system and adapting to them is often tricky, but high quality compilers should routinely produce executables which will interoperate correctly with other GPG implementations.
How GPG works
GPG encrypts messages using asymmetric keypairs individually generated by GPG users. The resulting public keys can be exchanged with other users in a variety of ways, such as Internet key servers. They must always be exchanged carefully to prevent identity spoofing by corrupting public key ↔ 'owner' identity correspondences. It is also possible to add a cryptographic digital signature to a message, so the message integrity and sender can be verified, if a particular correspondence relied upon has not been corrupted.
GPG does not use patented or otherwise restricted software or algorithms, including the IDEA encryption algorithm which has been present in PGP almost from the beginning. Instead, it uses a variety of other, non-patented algorithms such as ElGamal, CAST5, Triple DES, AES, Blowfish and Twofish. It is still possible to use IDEA in GPG by downloading a plugin for it, however this may require getting a license for some uses in some countries in which IDEA is patented.
GPG is a hybrid encryption software program in that it uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key which is only used once. This mode of operation is part of the Open PGP standard and has been part of PGP from its first version.
Problems
The OpenPGP standard specifies several methods of digitally signing messages. Due to an error in a change to GPG intended to make one of those methods more efficient, a security vulnerability was introduced (Nguyen, 2004). It affects only one method of digitally signing messages, only for some releases of GPG (1.0.2 through 1.2.3), and there were less than 1000 such keys listed on the key servers [1]. Most people did not use this method, and were in any case discouraged from doing so, so the damage caused (if any, and none has been publicly reported) would appear to have been minimal. Support for this method has been removed from GPG versions released after this discovery (1.2.4 and later).
GPG is a command-line based system, that is not written as an API which can be incorporated into other software. GPGME is an API wrapper around GPG which parses the output of GPG, and various graphical front-ends based on GPGME have been created. This requires an out-of-process call to the GPG executable for each GPGME API call. The approach is less than satisfactory because GPGME ends up parsing text output originally intended for human eyes. In general, GUI systems based on GPGME do not offer the robustness of software that calls true APIs (e.g. contrast WinPT with GnuPG to the PGP GUI: the latter uses API calls into its encryption routines).
Other software wraps the command line in a Perl script (e.g. gpg-dialog) that is menu based and more user friendly.
See also
- PGP
- Asymmetric key algorithm
- Cryptosystem
- Enigmail A free extention to Mozilla Thunderbird which allows signing and encryption of E-Mails
References
- Phong Q. Nguyen "Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3." EUROCRYPT 2004: 555–570
External links
- GNU Privacy Guard homepage
- MacGPG homepage
- GnuPG Keysigning Party HOWTO
- GnuPG's ElGamal signing keys compromised
- Graphical tutorial for Windows, Linux and others – email-oriented tutorial, using Enigmail, and Mozilla or Mozilla Thunderbird email clients.
- GPG and Mutt
- Short two page tutorial on en/decrypting files using public keys
- FSF page on GPGME – software library designed to integrate GPG with other applications