A brief history of GnuPG: Vital to online security but free and underfunded – GCN.com

Posted on by

A brief history of GnuPG: Vital to online security but free and underfunded

This article was first posted on The Conversation.

Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition.

One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forcedto fundraiseto continue the project.

GnuPG is part of the GNU collection offree and open source software, but its story is an interesting one, and it begins with software engineer Phil Zimmermann.

We do not know exactly what Zimmermann felt onJanuary 11, 1996, but relief is probably a good guess. The United States government had just endedits investigationinto him and his encryption software, PGP or Pretty Good Privacy.

In the 1990s, the U.S. restricted the exportof strong cryptography, viewing it as sensitive technology that had once been the exclusive purview of the intelligence and military establishment. Zimmermann had been facing serious punishment for posting PGP on the internet in 1991, which could have been seen as a violation of theArms Export Control Act.

To circumvent U.S. export regulations and ship the software legally to other countries, hackers even printed the source codeas a book, which would allow anyone to scan it at its destination and rebuild the software from scratch.

Zimmermann later worked with the PGP Corporation, which helped define PGP as an open internet standard,OpenPGP. A number of software packages implement this standard, of which GnuPG is perhaps the best known.

What is PGP?

PGP implements a form of cryptography that is known as asymmetric cryptography or public-key cryptography.

The story of its discovery is itself worth telling. It was invented in the 1970s byresearchersat the British intelligence service GCHQ and then again byStanford University academicsin the U.S., although GCHQs results were only declassified in 1997.

Asymmetric cryptography gives users two keys. The so-called public key is meant to be distributed to everyone and is used to encrypt messages or verify a signature. The private or secret key must be known only to the user. It helps decrypt messages or sign them -- the digital equivalent of a seal to prove origin and authenticity.

Zimmermann published PGP becausehe believedthat everybody has a right to private communication. PGP was meant to be used for email, but could be used for any kind of electronic communication.

The challenge facing security software

Despite Zimmermanns work, the dream of free encryption for everyone never quite came to full bloom.

Neither Zimmermanns original PGP nor the later GnuPG managed to become entirely user friendly. Both use highly technical language, and the latter is still known for being accessible only by typing out commands -- an anachronism even in the late 1990s, when most operating systems already used the mouse.

Many users did not understand why they should encrypt their email at all, and attempts to integrate the tools with email clients were not particularly intuitive.

Big corporations such as Microsoft, Google and Apple shunned it -- to this day, they do not ship PGP with their products, although some are now implementing forms of end-to-end encryption.

Finally, there was the issue of distributing public keys -- they had to be made available to other people to be useful. Private initiatives never gathered much attention. In fact,a number ofacademic studiesin the early and late 2000s showed that these attempts never managed to attract widespread public usage.

The releaseof the Edward Snowden documents in 2013 spurred renewed interest in PGP. Crypto parties became a global phenomenon when people met in person to exchange their public keys, but this was ultimately short-lived.

PGP today

When I met Zimmermann in Silicon Valley in 2015, he admitted that he did not currently use PGP. In a more recent email, he said this is because it does not run on current versions of macOS or iOS. I may soon run GnuPG, he wrote.

By todays standards, GnuPG -- like all implementations of OpenPGP -- lacks additional security features that are provided by chat apps such as WhatsApp or Signal. Both are spiritual descendants of PGP and unthinkable without Zimmermanns invention, but they go beyond what OpenPGP can do by protecting messages even in the case of a private key being lost.

Read more:
A brief history of GnuPG: Vital to online security but free and underfunded - GCN.com

Related Posts
This entry was posted in $1$s. Bookmark the permalink.