
GNU Privacy Guard

 

Developer(s): GNU Project
Initial release: September 7, 1999[1]
Stable release:
  • "Stable": 2.0.26 (August 12, 2014)[2]
  • "Modern": 2.1.0 (November 6, 2014)[3]
  • "Classic": 1.4.18 (June 30, 2014)[4]
Preview release:
  • "Stable": 2.1.0-beta864 (October 3, 2014)[5]
  • "Modern": 2.1.1-beta35 (November 24, 2014)[6]
Operating system: Cross-platform
Type: OpenPGP
License: GNU GPLv3
Website: gnupg.org

GNU Privacy Guard (GnuPG or GPG) is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP. Current versions of PGP (and Veridis' Filecrypt) are interoperable with GnuPG and other OpenPGP-compliant systems.

GnuPG is a part of the Free Software Foundation's GNU software project, and has received major funding from the German government.[7]

Contents

  • 1 History
    • 1.1 Branches
  • 2 Platforms
  • 3 Process
  • 4 Limitations
  • 5 Vulnerabilities
  • 6 In popular culture
  • 7 See also
  • 8 References
  • 9 External links

History

GnuPG was initially developed by Werner Koch. Version 1.0.0, which was the first production version, was released on September 7, 1999, almost two years after the first GnuPG release (version 0.0.0).[1] The German Federal Ministry of Economics and Technology funded the documentation and the port to Microsoft Windows in 2000.[8]

GnuPG is a system compliant with the OpenPGP standard, so the history of OpenPGP is of importance; it was designed to interoperate with PGP, the email encryption program initially designed and developed by Phil Zimmermann.[9][10]

On February 7, 2014, a GnuPG crowdfunding effort closed, raising 36,732 euros for a new web site and infrastructure improvements.[11]

Branches

As of November 2014, there are three branches of GnuPG:

  • "Stable" (2.0), stable version for general use, initially released on November 13, 2006.[12]
  • "Modern" (2.1), containing the latest development with numerous new features such as elliptic curve cryptography; it will eventually replace the "stable" (2.0) branch. It was initially released on November 6, 2014.[3]
  • "Classic" (1.4), old standalone version, most suitable for older or embedded platforms. Initially released on December 16, 2004.[13]

"Modern" (2.1) and "stable" (2.0) cannot be installed at the same time. However, it is possible to install "classic" (1.4) along with any of the other versions.[3]

There are two additional GnuPG branches, which are discontinued as of November 2014:

  • 1.2 branch, initially released on September 22, 2002,[14] with 1.2.6 as the last version, released on October 26, 2004.[15]
  • 1.0 branch, initially released on September 7, 1999,[1] with 1.0.7 as the last version, released on April 30, 2002.[16]

Platforms

Although the basic GnuPG program has a command-line interface, there exist various front-ends that provide it with a graphical user interface. For example, GnuPG encryption support has been integrated into KMail and Evolution, the graphical e-mail clients found in KDE and GNOME, the most popular Linux desktops. There are also graphical GnuPG front-ends (Seahorse for GNOME, KGPG for KDE). For Mac OS X, the Mac GPG project provides a number of Aqua front-ends for OS integration of encryption and key management as well as GnuPG installations via Installer packages.[17]

Furthermore, the GPGTools Installer[18] installs all related OpenPGP applications (GPG Keychain Access), plugins (GPGMail) and dependencies (MacGPG) needed to use GnuPG-based encryption. Instant messaging applications such as Psi and Fire can automatically secure messages when GnuPG is installed and configured. Web-based software such as Horde also makes use of it. The cross-platform extension Enigmail provides GnuPG support for Mozilla Thunderbird and SeaMonkey. Similarly, Enigform provides GnuPG support for Mozilla Firefox. FireGPG was discontinued June 7, 2010.[19]

In 2005, G10 Code and Intevation released Gpg4win, a software suite that includes GnuPG for Windows, Gnu Privacy Assistant, and GnuPG plug-ins for Windows Explorer and Outlook. These tools are wrapped in a standard Windows installer, making it easier for GnuPG to be installed and used on Windows systems.

Other software wraps the command line in a Perl script (e.g. gpg-dialog) that is menu based.

Process

GnuPG is a hybrid encryption software program in that it uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key which is only used once. This mode of operation is part of the OpenPGP standard and has been part of PGP from its first version.

The GnuPG 2.x series uses Libgcrypt as its encryption library, while the GnuPG 1.x series does not use it and uses an integrated library instead.

GnuPG encrypts messages using asymmetric key pairs individually generated by GnuPG users. The resulting public keys may be exchanged with other users in a variety of ways, such as Internet key servers. They must always be exchanged carefully to prevent identity spoofing through corruption of the correspondence between a public key and its "owner" identity. It is also possible to add a cryptographic digital signature to a message, so that the message's integrity and sender can be verified, provided the key-to-owner correspondence being relied upon has not been corrupted.

GnuPG also supports symmetric encryption algorithms. By default, GnuPG uses the CAST5 symmetric algorithm.

GnuPG does not use patented or otherwise restricted software or algorithms. Instead, GnuPG uses a variety of other, non-patented algorithms.[20]

For a long time GnuPG did not support the IDEA encryption algorithm used in PGP. It was possible to use IDEA in GnuPG by downloading a plugin for it; however, this might require a license for some uses in countries in which IDEA was patented. Starting with versions 1.4.13 and 2.0.20, GnuPG supports IDEA because the last patent on IDEA expired in 2012. Support for IDEA is intended "to get rid of all the questions from folks either trying to decrypt old data or migrating keys from PGP to GnuPG",[21] and the algorithm is not recommended for normal use.

As of versions 2.0.26 and 1.4.18, GnuPG supports the following algorithms:

GnuPG 2.1 series will support elliptic curve cryptography (ECDSA, ECDH, EdDSA).[3]

Limitations

GnuPG is a command-line-based system and is not written as an API that may be incorporated into other software. GPGME is an API wrapper around GnuPG that parses GnuPG's output, and various graphical front-ends based on GPGME have been created. This currently requires an out-of-process call to the GnuPG executable for many GPGME API calls. Because GPGME uses a special GnuPG interface designed for machine use, the API between the components is stable and maintainable. Because of the process barrier, possible security problems in an application do not propagate to the actual crypto code.

Vulnerabilities

The OpenPGP standard specifies several methods of digitally signing messages. In 2003, due to an error in a change to GnuPG intended to make one of those methods more efficient, a security vulnerability was introduced.[22] It affected only one method of digitally signing messages, only for some releases of GnuPG (1.0.2 through 1.2.3), and there were fewer than 1000 such keys listed on the key servers.[23] Most people did not use this method, and were in any case discouraged from doing so, so the damage caused (if any, since none has been publicly reported) would appear to have been minimal. Support for this method has been removed from GnuPG versions released after this discovery (1.2.4 and later).

Two further vulnerabilities were discovered in early 2006: the first was that scripted uses of GnuPG for signature verification may result in false positives;[24] the second was that non-MIME messages were vulnerable to the injection of data which, while not covered by the digital signature, would be reported as being part of the signed message.[25] In both cases updated versions of GnuPG were made available at the time of the announcement.
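
For scripts that verify signatures, one defensive pattern is to decide from the machine-readable status lines that `gpg --status-fd` writes, and to accept only a single valid signature from a pinned key. The following is an added example, not code from GnuPG or from this article; it assumes the status output is read from a dedicated file descriptor, and every status line, key ID and fingerprint in it is constructed sample data.

```python
# Added example: strict evaluation of `gpg --status-fd` output in a script.
# Every status line, key ID and fingerprint below is constructed sample data.

PREFIX = "[GNUPG:] "
# Keywords meaning a signature is absent, broken, expired or revoked.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}
PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"   # constructed fingerprint


def parse_status(text):
    """Return (keyword, args) for each machine-readable status line."""
    records = []
    for line in text.splitlines():
        if line.startswith(PREFIX):  # human-readable lines are never evidence
            fields = line[len(PREFIX):].split()
            if fields:
                records.append((fields[0], fields[1:]))
    return records


def signature_ok(status_text, pinned_fpr):
    """True only for exactly one valid signature made by the pinned key."""
    records = parse_status(status_text)
    keywords = [kw for kw, _ in records]
    if any(kw in FAILURES for kw in keywords):
        return False
    valid = [args for kw, args in records if kw == "VALIDSIG"]
    if len(valid) != 1 or keywords.count("GOODSIG") != 1:
        return False
    # First VALIDSIG field: fingerprint of the key that made the signature.
    return bool(valid[0]) and valid[0][0].upper() == pinned_fpr.upper()


def validsig(fpr):
    """Build a constructed VALIDSIG status line for the given fingerprint."""
    return f"[GNUPG:] VALIDSIG {fpr} 2014-11-06 1415232000 0 4 0 1 8 00 {fpr}"


GOOD = "\n".join(["[GNUPG:] NEWSIG",
                  "[GNUPG:] GOODSIG 89ABCDEF01234567 Signer <signer@example.org>",
                  validsig(PINNED)])
# Text that only looks like success to a script matching human-readable output.
LOOKALIKE = 'gpg: Good signature from "Signer <signer@example.org>"'
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Signer <signer@example.org>"
WRONG_KEY = GOOD.replace(PINNED, OTHER)
TWO_SIGS = GOOD + "\n" + validsig(OTHER)
```
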

In popular culture

In May 2014, The Washington Post reported on a 12-minute video guide "GPG for Journalists" posted to Vimeo in January 2013 by a user named anon108. The Post identified anon108 as fugitive NSA leaker Edward Snowden, who it said made the tutorial—"narrated by a digitally disguised voice whose speech patterns sound similar to those of Snowden"—to teach journalist Glenn Greenwald email encryption. In an update to the article, Greenwald confirmed to the Post that Snowden did author the video.[26]

See also

References

  1. ^ a b c "Release Notes". GnuPG. Retrieved 2014-01-30. 
  2. ^ Werner Koch (2014-08-12). "[Announce] GnuPG 2.0.26 released". gnupg.org. Retrieved 2014-08-15. 
  3. ^ a b c d Werner Koch (2014-11-06). "[Announce] GnuPG 2.1.0 "modern" released". gnupg.org. Retrieved 2014-11-06. 
  4. ^ Werner Koch (2014-06-30). "[Announce] GnuPG 1.4.18 released". gnupg.org. Retrieved 2014-06-30. 
  5. ^ Werner Koch (2014-10-03). "[Announce] The maybe final Beta for GnuPG 2.1". gnupg.org. Retrieved 2014-10-03. 
  6. ^ Werner Koch (2014-11-24). "Beta for 2.1.1 available". gnupg.org. Retrieved 2014-11-24. 
  7. ^ "Bundesregierung fördert Open Source" (in German). Heise Online. 1999-11-15. Retrieved July 24, 2013. 
  8. ^ "German Government Awards Grant for GPG Development". The New York Times Company. Retrieved 2014-08-08. 
  9. ^ "Gnu Privacy Guard". OpenPGP.org. Retrieved 2014-02-26. 
  10. ^ "Where to Get PGP". Philzimmermann.com. Retrieved 2014-02-26. 
  11. ^ "GnuPG: New web site and infrastructure". goteo.org. Retrieved 2014-03-09. 
  12. ^ Werner Koch (2006-11-13). "[Announce] GnuPG 2.0 released". gnupg.org. Retrieved 2014-01-30. 
  13. ^ Werner Koch (2004-12-16). "[Announce] GnuPG stable 1.4 released". gnupg.org. Retrieved 2004-12-16. 
  14. ^ Werner Koch (2002-09-06). "[Announce]GnuPG 1.2 released". gnupg.org. Retrieved 2014-11-06. 
  15. ^ Werner Koch (2004-08-26). "[Announce] GnuPG 1.2.6 released". gnupg.org. Retrieved 2014-11-06. 
  16. ^ Werner Koch (2002-04-30). "[Announce] GnuPG 1.0.7 released". gnupg.org. Retrieved 2014-11-06. 
  17. ^ "Mac GNU Privacy Guard".  
  18. ^ "GPGTools Installer".  
  19. ^ "FireGPG’s developers blog". Retrieved July 24, 2013. 
  20. ^ "GnuPG Features". Retrieved October 1, 2009. 
  21. ^ Werner Koch (2012-12-21). "GnuPG 1.4.13 released". gnupg-users. http://lists.gnupg.org/pipermail/gnupg-users/2012-December/045844.html. Retrieved 2013-05-19.
  22. ^ Phong Q. Nguyen. "Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3". EUROCRYPT 2004: 555–570.
  23. ^ Werner Koch (2003-11-27). "GnuPG's ElGamal signing keys compromised".
  24. ^ Werner Koch (2006-02-15). "False positive signature verification in GnuPG".
  25. ^ Werner Koch (2006-03-09). "GnuPG does not detect injection of unsigned data".
  26. ^ "Edward Snowden sent Glenn Greenwald this video guide about encryption for journalists. Greenwald ignored it.". The Washington Post. May 14, 2014. 
  27. ^ getfiregpg.org

External links

  • Project home page
  • A Short History of the GNU Privacy Guard, written by Werner Koch, published on GnuPG's 10th birthday