
Options for OpenPGP

For quality open source OpenPGP-compliant public key encryption tools, GnuPG isn't the only game in town.

Back in 1991, Philip Zimmermann -- one of the original Cypherpunks -- created an encryption tool he called PGP. He released it to the world at large for free use, and in privacy-conscious circles it gained a very positive reputation. It effectively became the standard by which other privacy tools were judged.

Since that time, in no particular order:

  • a business has been built around that tool and the other tools built on it, ultimately in the form of the PGP Corporation
  • an open standard for the encryption protocol used by PGP and the tools built on it was published, called OpenPGP (see RFC 4880 for details)
  • the GNU project developed an open source implementation of the OpenPGP standard called GnuPG, which has been widely adopted by users of open source software

The Major Players

In the blue corner . . . PGP Corporation:

I have discussed the inadvisability of trusting a brand in the past. If you really do want to pick a brand to trust, though, you could definitely do worse than PGP Corporation. Encryption software that does not trust the user enough to show what it does is not trustworthy in general, but some closed source vendors have a more believable reputation for honesty and competence than others, and PGP Corporation is, by all accounts, somewhere near the top of that list.

I don't personally have much use for the PGP Corporation's products, and I haven't done the sort of work where I'd be in a position to recommend them to clients for a couple of years. If I were to get back to that sort of work, though, I'd be happy to recommend them where their functionality is needed.

In the red corner . . . the GNU Project:

GnuPG, meanwhile, is open source software with a strong reputation for good security practice as well. Its source is open to deeper scrutiny than the proprietary, largely but not fully published source code of PGP Corporation's offerings, even though both are widely peer-reviewed. The downside for GnuPG in a comparison of the two is that PGP Corporation's software offers much greater functionality for enterprise deployments; in fact, it does things that may not be worth the effort of trying to do with GnuPG in many cases. When you don't need to do those things, GnuPG is the tool to use.

I use GnuPG extensively. I've also written about it a fair bit here:

The Licensing Problem

Aside from its narrower capabilities, GnuPG has another problem: it uses copyleft licensing. This shouldn't be a big surprise for anything with "GNU" in the name, of course, since the GNU project was created by Richard Stallman, the same person who wrote the world's most widely used copyleft license, the GPL.

Many might object to characterizing the use of the GPL as a "problem", of course. Licensing philosophy is a touchy subject of discussion, to put it mildly. It is especially critical, however, to choose the right licensing model for security software. Regardless of more abstruse considerations such as fundamental ethical theory, there are specific and overriding concerns when it comes to security tools that prompt me to favor (and advocate) a copyfree licensing policy, all else being equal.

Copyfree Options

There are a number of other open source OpenPGP implementations available, though, with varying degrees of functionality and completeness. A few examples are listed here:

  • OpenPGP SDK: BSD License; library that implements OpenPGP specification
  • OpenPGP Reference Implementation: BSD License; developed as a reference implementation while the standard was being worked out
  • pgpdsa: Public Domain; minimalistic OpenPGP compatible DSA signature code
  • PGP Stealth: Custom License (see source files); steganographic OpenPGP tool

I personally find the OpenPGP SDK the most interesting and encouraging of them, though PGP Stealth has its points of interest as well. OpenPGP SDK version 0.9 was released this very month, signaling the rapid approach of a stable 1.0 release and showing that it is a vibrant, active project, unlike some of the others. I'll be keeping an eye on it.
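To make concrete what "implements the OpenPGP specification" means at the lowest layer, here is an added example, written for this page by the editor and not taken from OpenPGP SDK, GnuPG, or any other project named above. It parses the packet framing that RFC 4880 defines for a binary (non-armored) OpenPGP message: the old- and new-format headers, all of the new-format length encodings including partial body lengths, and the layout of a Literal Data packet. The sample message is constructed inline; the Marker packet body "PGP" and the Literal Data field order come straight from the RFC, while the filename and payload bytes are arbitrary test values.

```python
"""Minimal RFC 4880 packet-framing parser (added example, not project code)."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Subset of the packet tags from RFC 4880 section 4.3.
PACKET_TAGS = {
    1: "Public-Key Encrypted Session Key", 2: "Signature", 6: "Public-Key",
    8: "Compressed Data", 9: "Symmetrically Encrypted Data", 10: "Marker",
    11: "Literal Data", 13: "User ID",
    18: "Sym. Encrypted and Integrity Protected Data",
}


@dataclass
class Packet:
    tag: int
    new_format: bool
    body: bytes

    @property
    def name(self) -> str:
        return PACKET_TAGS.get(self.tag, f"Unknown({self.tag})")


def _new_format_length(data: bytes, pos: int) -> tuple[int, bool, int]:
    """Decode one new-format body length (RFC 4880 4.2.2).

    Returns (length, is_partial, next_pos). A partial length (first octet
    0xE0..0xFE) means another length header follows this chunk.
    """
    first = data[pos]
    pos += 1
    if first < 192:                       # one-octet length
        return first, False, pos
    if first < 224:                       # two-octet length
        return ((first - 192) << 8) + data[pos] + 192, False, pos + 1
    if first == 255:                      # five-octet length
        return struct.unpack(">I", data[pos:pos + 4])[0], False, pos + 4
    return 1 << (first & 0x1F), True, pos  # partial body length (power of two)


def parse_packets(data: bytes) -> list[Packet]:
    """Split a binary OpenPGP message into packets; raise on malformed input."""
    packets: list[Packet] = []
    pos = 0
    while pos < len(data):
        ctb = data[pos]                   # "cipher type byte": bit 7 must be set
        if not ctb & 0x80:
            raise ValueError(f"bad packet header 0x{ctb:02x} at offset {pos}")
        pos += 1
        new_format = bool(ctb & 0x40)
        body = b""
        if new_format:                    # tag in bits 5..0
            tag = ctb & 0x3F
            while True:                   # loop covers partial-length chains
                length, partial, pos = _new_format_length(data, pos)
                chunk = data[pos:pos + length]
                if len(chunk) != length:
                    raise ValueError(f"truncated packet body at offset {pos}")
                body += chunk
                pos += length
                if not partial:
                    break
        else:                             # tag in bits 5..2, length type in 1..0
            tag = (ctb >> 2) & 0x0F
            length_type = ctb & 0x03
            if length_type == 3:          # indeterminate: body runs to end of input
                length = len(data) - pos
            else:
                fmt = {0: ">B", 1: ">H", 2: ">I"}[length_type]
                width = struct.calcsize(fmt)
                length = struct.unpack(fmt, data[pos:pos + width])[0]
                pos += width
            body = data[pos:pos + length]
            if len(body) != length:
                raise ValueError(f"truncated packet body at offset {pos}")
            pos += length
        packets.append(Packet(tag, new_format, body))
    return packets


def parse_literal_data(body: bytes) -> tuple[str, str, int, bytes]:
    """Decode a Literal Data packet body (RFC 4880 5.9): format, name, date, data."""
    fmt = chr(body[0])
    name_len = body[1]
    filename = body[2:2 + name_len].decode("utf-8", "replace")
    date = struct.unpack(">I", body[2 + name_len:6 + name_len])[0]
    return fmt, filename, date, body[6 + name_len:]


def summarize(data: bytes) -> list[tuple[str, int]]:
    """Packet names and body sizes, in order; convenient for checking a message."""
    return [(p.name, len(p.body)) for p in parse_packets(data)]


# Constructed sample message (test data, not a real capture):
#   1. old-format Marker packet, tag 10, one-octet length 3, body "PGP"
#   2. new-format Literal Data packet, tag 11, one-octet length 17
#   3. new-format Literal Data packet sent as a 512-octet partial chunk
#      (0xE9 -> 1 << 9) followed by a final 3-octet chunk: 515 octets total
_BIG_LITERAL = b"b" + bytes([0]) + struct.pack(">I", 0) + b"A" * 509
SAMPLE_MESSAGE = (
    bytes([0xA8, 0x03]) + b"PGP"
    + bytes([0xCB, 0x11]) + b"b" + bytes([5]) + b"hello" + struct.pack(">I", 0) + b"secret"
    + bytes([0xCB, 0xE9]) + _BIG_LITERAL[:512] + bytes([0x03]) + _BIG_LITERAL[512:]
)

if __name__ == "__main__":
    for name, size in summarize(SAMPLE_MESSAGE):
        print(f"{name}: {size} octet body")
    print(parse_literal_data(parse_packets(SAMPLE_MESSAGE)[1].body))
```

Every implementation in the list above has to get this layer right before any cryptography happens, and the length encodings are where it most often goes wrong: a truncated body or a partial-length chain that never terminates should make the parser fail loudly, which is why the checks raise instead of padding or guessing. Armored (ASCII) messages carry the same packets inside a Radix-64 wrapper; decode that first and feed the bytes to parse_packets.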

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

16 comments
Jaqui

don't include the enterprise-level encryption that PGP provides, GnuPG works for the digital signature I need for email, or encrypting an email if needed. If I did need significant encryption capabilities, I might not choose PGP, I might go with OpenSSL certificates to encrypt instead.

Neon Samurai

rumor is that since version 7 (or was it version 5.. one of those low numbers anyhow), PGP has been required to ship with a backdoor. It may be tin-foil talk as I haven't a solid source but it seems to be one of the rumors around it.

apotheon

Do you use any OpenPGP implementations to ensure your own privacy for communications or file encryption? If so -- what do you use?

apotheon

"If I did need significant encryption capabilities, I might not choose pgp, I might go with openssl certificates to encrypt instead." There's nothing wrong with OpenPGP for encrypting really sensitive data -- unless you also want deniability (but that's a separate subject altogether). SSL/TLS doesn't in any way improve upon that, especially with the existence of good OpenPGP public key servers that provide more certain verification than the uncertain methods of untrustworthy CAs (see recent events re: MD5). What PGP Corporation's tools provide is stuff like centralized enterprise management of email signing and encryption so company-wide policy can be enforced. Since enforcement of security policy is a huge deal in corporate enterprises, these tools are a great help to the IT department -- but you, as an individual who uses an OpenPGP compliant tool to sign and encrypt email of your own free will, have no need to run PGP Corp's server software to ensure you follow your own security policies.

bgillson

As mentioned in other places, part of the rumor sprang from a miscommunication. Worse though, it was around that time that Network Associates (who owned PGP at that time) decided to stop publishing the source code to PGP -- something that had been done since PGP Inc. was formed, and allowed security professionals to be assured that there were no back doors. Of course, to some people that "proved" that there was something to hide. In actuality, the only thing it proved is that Network Associates totally misunderstood the impact of what to them was probably a pretty straightforward business decision. To them, source code was something to be kept secret at all costs. In fact, it had nothing to do with a back door and, as Phil Zimmermann says here (http://www.philzimmermann.com/EN/faq/index.html), "There never have been, and never will be, at least as long as I am associated with the product." (Phil is still on the PGP Technical Advisory Board, see http://www.pgp.com/about_pgp_corporation/boards/tab.html). When the original management team bought the PGP assets back out from Network Associates and formed PGP Corp., one of the first things they did was to re-publish the source and try to gain back this trust. Unfortunately, this rumor still persists. As Phil says on his FAQ, "The team of people who make PGP share these values. They work on PGP because they believe in PGP. They aren't going to put backdoors in PGP. I have worked with them for years, and they are just as committed as I am." He's right. (Yes, I'm a proud member of this team.)

apotheon

This is the result of some kind of weird misstatement by someone who didn't understand the technical terms he was using when giving an interview on French TV. In short, it was apparently a false alarm (http://www.transfert.net/a3751). Of course, you might (understandably) be inclined to disbelieve any such corporate damage control -- but the source for the actual encryption and decryption routines of PGP Corporation's software is available for public viewing. Unless you think the binaries the company provides are compiled from different source, this should be somewhat reassuring. There are, of course, companies I wouldn't trust to use the source they provide when compiling binaries for distribution. I'm more inclined to believe PGP Corporation than some of those others, though. A lot of the staff at PGP Corporation is a bunch of borderline anarcho-capitalist leaning former cypherpunks, as far as I'm aware. Zimmermann himself, no longer working for the commercial vendors of PGP software, has stated that the whole thing is obviously a misunderstanding, and that the company would never include a covert back door into its privacy software for government surveillance.

Neon Samurai

outside of SSL behind all possible network protocols, GPG and TrueCrypt are pretty high on my list. I can't remember the last time I sent an unsigned email from my home machines. If recipients picked up the habit, I could start encrypting rather than just signing.

Jaqui

and the SSL/TLS encryption isn't really something I would need for encrypting communications with, unless it was a specific web page containing data for a specific person who has the required login to gain access. Something like detailed confidential financial data, where login and URL are sent via an encrypted email to an SSL-enabled page that is password protected. Might do something like that once a decade.

ITAuditGuy

I have heard that the US Gov't requires that all encryption products have a master key, which has to be submitted to the US Gov't for national security issues. Though, I never did try to find the truth of the matter.

apotheon

It's always nice to have confirmation from someone who would know for sure.

Neon Samurai

I've always categorized it as one of the rumors I can't forget but can't take too seriously due to lack of supporting evidence. Good to know the original source of the bunk information, though. Cheers.

Jaqui

the rumors that t.o.r. was going to be made illegal, and networking appliances were to be required to have a "back door" that would allow the US DHS to monitor all network traffic. (t.o.r.: The Onion Router, a multilayer encryption/routing application, for those who don't know of it.)

Neon Samurai

But that only accounts for DHS and voice communications. ;)

rob mekel

the Big Brother thingy gets a new life. Wonder why that is ;)