pretty good privacy

I thoroughly recommend reading this article on PGP, the introduction to PGP & GPG: Email for the Practical Paranoid, then download whatever flavour of PGP you prefer and start using it.

This lawsuit turned Zimmermann into something of a hero in the computer community. Many people downloaded PGP just to see what all the fuss was about, and quite a few of them wound up using it. Zimmermann’s legal defense fund spread news of the PGP lawsuit even further. In congressional hearings about encryption, Zimmermann read letters he had received from people in oppressive regimes and war-torn areas whose lives had been saved by PGP, contributing greatly to the public awareness of how valuable his work had been. Also, PGP was available on the internet before the book was published — the code was available from anywhere in the world. (Admittedly, you needed internet access to get a copy, which was slightly difficult in the early 1990s.) The book was simply a legal device to make it possible for people outside the United States to use PGP without breaking US law.

— The Story of PGP

Webmonkey is pleased to present the introduction to the book PGP & GPG: Email for the Practical Paranoid by Michael W. Lucas. Excerpt © 2006 No Starch Press. Reprinted with permission.

Encryption is an old science, and as computers became more and more powerful, the number of people working with encryption grew and grew. Government officials grew increasingly concerned about the widespread availability of encryption techniques. Although encryption has perfectly valid uses for everyday citizens, it’s also a powerful tool for criminals. In 1991, Senate Bill 266 (a sweeping anticrime bill) had a minor point that required government-accessible back doors in all encryption tools. While this bill was still under discussion, Phil Zimmermann combined some common encryption methods to produce the software he dubbed Pretty Good Privacy, or PGP.

The ideas behind PGP had been known and understood by computer scientists and mathematicians for years, so the underlying concepts weren’t truly innovative. Zimmermann’s real innovation was in making these tools usable by anyone with a home computer. Even early versions of PGP gave people with standard DOS-based home computers access to military-grade encryption. While Senate Bill 266 was still threading its way through the legislative process, a friend of Zimmermann’s distributed PGP as widely as possible in an effort to make military-grade encryption widely available before the law could take effect. The software was distributed to a variety of BBS systems as well as on the internet (largely an academic and research network at the time, but still with worldwide reach). Their activism contributed to the demise of antiencryption legislation.

Zimmermann, a long-time antinuclear activist, believed that PGP would be of most use to dissidents, rebels, and others who faced serious risks as a consequence of their beliefs — in other words, to many people outside as well as inside the United States. Ever since World War II, the United States government has considered heavy-duty encryption a serious threat to national security and would not allow it to be exported from the United States. (For details, see the Wikipedia entry on “Export of Cryptography.”) Exporting encryption software, including PGP, required a license from the State Department, and certain countries could not receive such software exports under any circumstances. These rules were known as ITAR (for International Traffic in Arms Regulations) and classified encryption tools as weapons of war. Zimmermann decided to try to avoid the export restrictions by exploiting the difference between written words and software.

Zimmermann originally wrote PGP in boring old everyday text (or “source code”), just like that used in any book, and used computer-based tools to convert the human-readable text into machine-readable code. This is standard practice in the computer industry. The text is not software, just as the blueprints for a car are not a car. Both the text and the blueprints are necessary prerequisites for their respective final products, however. Zimmermann took the text and had it published in book form.

Books are not considered software, even when the book contains the “source code” instructions for a machine to make software. And books are not munitions (those of you who have dropped one of those big thick computer textbooks on your foot might take issue with this statement). Although many books on cryptography did have export restrictions, Zimmermann could get an export permit for his book of source code. Thus, people all over the world were able to get the instructions to build their own PGP software. They promptly built the software from those instructions, and PGP quickly became a worldwide de facto standard for data encryption.

As you might guess, the US government considered this tactic merely a way to get around munitions export restrictions. Zimmermann and his supporters considered the book speech, as in “free speech,” “First Amendment,” and “do you really want to go there?” The government sued, and over the next three years Zimmermann and the administration went a few rounds in the courts.

This lawsuit turned Zimmermann into something of a hero in the computer community. Many people downloaded PGP just to see what all the fuss was about, and quite a few of them wound up using it. Zimmermann’s legal defense fund spread news of the PGP lawsuit even further. In congressional hearings about encryption, Zimmermann read letters he had received from people in oppressive regimes and war-torn areas whose lives had been saved by PGP, contributing greatly to the public awareness of how valuable his work had been. Also, PGP was available on the internet before the book was published — the code was available from anywhere in the world. (Admittedly, you needed internet access to get a copy, which was slightly difficult in the early 1990s.) The book was simply a legal device to make it possible for people outside the United States to use PGP without breaking US law.

The story of the PGP lawsuit is fascinating and could fill a book this size or larger. Where exactly is the line between speech and computer code? Also, PGP was not distributed by Zimmermann himself, but by third parties. If someone in Libya downloaded PGP from an MIT server, was Zimmermann responsible? Lawyers fought these questions back and forth, but when it became obvious that the courts firmly believed that the First Amendment trumped State Department regulations, the State Department and subsequently the government dropped the suit. This not only saved them some time, money, effort, and humiliation at that moment but also prevented a legal precedent deeming encryption generally exportable. If a future administration desires, it can bring this issue back to the courts in more favorable circumstances against some other defendant.

OpenPGP

Even without the US government looming over it, PGP had some basic technical problems that cryptographers across the world quickly pointed out. The most glaring was that PGP made heavy use of the patent-protected RSA and IDEA encryption techniques; anyone who wanted to use PGP commercially needed to pay a license fee to the patent holders. Many computer scientists and security professionals found this unacceptable because they wanted an encryption system that would be freely usable by both the general public and businesses.

Zimmermann offered a solution in 1998, when his company, PGP Corporation, submitted an improved PGP design called OpenPGP to the Internet Engineering Task Force (IETF), the body responsible for internet standards. OpenPGP defined standards by which different programs could communicate freely but securely by using an enhanced version of the PGP protocol and a variety of different encryption algorithms. This led the way for people and companies to create their own implementations of OpenPGP from scratch, tailoring them to meet their own requirements.

How Secure Is OpenPGP?

The OpenPGP standard is considered a military-grade, state-of-the-art security system. Although you see these words attached to all sorts of security products, OpenPGP is trusted by governments around the world, major industrial manufacturers, medical facilities, and the best computer security practitioners in the world.

That’s not to say that OpenPGP is the be-all and end-all of computer security. Misuse of OpenPGP can reduce your security by making you believe that you’re secure when you’re not, much as if you leave for vacation and forget to lock the front door of your house. Poor computer-management practices might lock the front door but leave the key under the welcome mat for anyone to find.

Also, given sufficient computing power, it is possible to break the encryption used in any OpenPGP application. The National Security Agency is rumored to have computers engineered from the ground up specifically to break this sort of encryption. Of course, if someone is willing to spend millions of dollars to get your information, there are easier ways for them to get it, so I would say that when properly configured and used, OpenPGP is strong enough to make people choose another method of violating your privacy rather than try to break the encryption.

Today’s PGP Corporation

Today, PGP Corporation is a major player in the world of cryptography and information security, providing PGP software for many different platforms, from PCs to handhelds and even BlackBerry phones. PGP Corporation software secures everything from email to instant messages to medical records.

PGP Corporation provides an implementation of OpenPGP that runs on popular operating systems. It provides a PGP system that integrates seamlessly with standard mail clients and desktops.

Although PGP Corporation was owned by Network Associates for a few years during the dot-com boom, it is now an independent company with a variety of big-name industry partners.

PGP is a commercial product, and PGP Corporation provides a whole range of related support services. We’re going to cover the basic version: the PGP Desktop. (The corporate PGP solutions could fill a book on their own.) Because PGP is a typical commercial product, you are expected to pay for it.

GnuPG is a freely available implementation of the OpenPGP standard that was released to the public in 1999 by the German developer Werner Koch. It is available for both Windows and Unix-like computers (including Mac OS X).

Because GnuPG conforms to the OpenPGP standard, it can be used to communicate with people using any other OpenPGP-compliant software. “Freely available” means that you can get it for free. You also get access to all the source code used to create the program, which is not directly useful to many readers but is vital to those who can do something with it. The formal name of the software is GnuPG, but many people simply refer to it as GPG. No matter which you use, people conversant with OpenPGP will understand what you’re talking about.

GnuPG is freely available, but that doesn’t mean you can do anything you want with it. Any personal use is fine. Use within a company is also fine. If you want to use GnuPG within a commercial product and resell it, be absolutely certain to read the full General Public License (GPL) and comply with its terms! There is no such thing as “proprietary code” based on the GPL. You have been warned.

PGP versus GnuPG

Hmm. GnuPG is free, and PGP costs money. Why would you not always use GnuPG? There are several reasons why a person or organization might choose to purchase PGP rather than use the free GnuPG, or vice versa, including ease of use, support, transparency, and supported algorithms. All these reasons make the choice of encryption software very situation-dependent. Take a look at your options and pick the right tool for you.

Ease of Use

To use GnuPG, you must not be afraid to get code under your fingernails and tangle with the operating system’s command line. Although various GnuPG add-ons provide a friendly user interface, they’re not tightly integrated with the main product, and when the main GnuPG software is updated, these add-ons might or might not be updated. I wouldn’t dream of setting up Grandpa with GnuPG unless I really liked talking to him five days a week.

PGP Corporation puts a lot of effort into making its products work transparently for the end user, in exactly the same manner as any other desktop program. As a support person, I find this extremely valuable. If I needed to set up the sales force, marketers, and accountants at my company with a single cryptographic solution, I would choose PGP in a heartbeat on this factor alone.

(The nontechnical staff at your company might be more tech-literate than mine. If so, you’re more fortunate than you realize. Please tell me where to send my resume.)

Support

PGP Corporation has an extensive support organization. You can get phone support for the desktop products or have a whole team of consultants implement your company-wide PGP solution. When you buy PGP software, you get 30 days of free installation and setup support, which will allow enough time for most people to become comfortable with the tool. Support afterward exists at whatever level you require, for a fee.

GnuPG’s support organization, on the other hand, is typical of free software. Users are expected to read the software instructions, check the GnuPG website, and search the mailing list archives and the internet before contacting the mailing list for help. There is no phone number to call to speak to the “owner” of GnuPG. If you are the sort of person who wants to pick up a phone and yell at someone until they make your problem go away, GnuPG just isn’t for you. Although you can easily find expertise in GnuPG and OpenPGP, and hiring a consultant to maintain GnuPG isn’t that big a deal, that’s very different from having direct access to the vendor.

Although you might find an edge case for which one or the other program doesn’t work, or you might discover a software bug, both programs have thousands and thousands of users who have exercised every piece of functionality countless times. If you have a problem, one of these users has almost certainly already had that same problem, asked for help on a mailing list or message board, and received assistance. I find that a web search answers questions on either tool far more quickly than a phone call ever could.

Auditing, algorithms, and the law

Transparency

Transparency refers to how much of the software is visible. For most users, this is irrelevant — they just want the software to work properly, without causing system crashes or scrambling their recipe collection. You’re probably in this category. In the security industry, however, transparency is a vital question.

People who are serious about security — serious as in “billions and billions of dollars and/or many human lives depend on this information remaining private” — hire security experts to evaluate their security software and point out problems. The process of reviewing code and algorithms for problems is called auditing.

Encryption is an old science, and one of its primordial rules is that knowing how a good encryption scheme works doesn’t help you break it. Encryption schemes that are available for review by the general public are the only ones that professional cryptographers take seriously. The cryptography behind OpenPGP has been continuously audited for 10 years now by people who would be delighted to find problems with it. Discovering a problem in OpenPGP would be a sure-fire way to gain fame within the cryptography community, much as discovering how to build a 100-mile-per-gallon, high-performance gasoline engine would be in the auto industry. Both seem impossible, but many people try.

However, both PGP and GnuPG are more than the algorithms used by OpenPGP. There’s a whole bunch of source code in and around those algorithms. A bad guy could find a problem with that source code and use it to break the protection provided by the software. That source code requires auditing by skilled individuals to ensure its safety. GnuPG’s source code is open for audit by anyone in the world and is checked by many different people of differing skill levels. PGP’s source code is open for audit only to customers, but many of those customers hire very skilled people specifically to audit the code.

Algorithm Support

The original PGP used encryption methods that were encumbered by patents at the time PGP was created. Some of those encryption methods are now in the public domain, but one (IDEA) is protected by patents in Europe. OpenPGP has moved beyond all of these algorithms, but you might find references to them if you encounter old versions of PGP. You don’t need to understand what IDEA is, but you do need to recognize it if you encounter it and have to deal with it.

GnuPG does not support IDEA because IDEA is less than completely free. IDEA is licensed under very liberal terms — it’s free for non-commercial use; if you’ve ever bought a product that includes IDEA you have a lifetime, royalty-free IDEA license; and if all else fails you can buy an IDEA license online for $18.93. Those terms are modest, especially for modern software, but they don’t meet GnuPG’s standards. (Hey, it’s their software; they set the standards.) You can hack GnuPG to support IDEA, but the GnuPG folks won’t do it for you. PGP Corporation has paid the patent holder, and when you buy PGP you get access to that cipher. OpenPGP no longer requires IDEA, but some businesses might require it. If you find a 10-year-old encrypted file you need to open, you’ll need IDEA. Otherwise, it’s irrelevant.

OpenPGP and the Law

OpenPGP uses some of the strongest public-key encryption algorithms available to cryptographers anywhere. And I do mean strong. Law enforcement officials cannot break into a file properly protected with GnuPG, and some governments just don’t like their citizens having such strong protection. Some countries allow their citizens to use strong encryption algorithms, but only in a limited and breakable manner. Others require that all encryption keys be given to a “key escrow” agency, so that if you become a criminal mastermind the government can get your key from the escrow agency and decrypt your incriminating messages. This is much like asking muggers to register their Saturday Night Specials before committing holdups — and roughly as effective.

To make matters more confusing, these laws change irregularly. If you are in doubt about the laws regarding encryption use in your country, check with a local computing professional or lawyer. Googling for “encryption law survey” will uncover several websites on the topic, including a very good survey at http://rechten.uvt.nl/koops/cryptolaw.