2007-12-20 08:52:40 +00:00
|
|
|
A Short History of the GNU Privacy Guard
|
|
|
|
========================================
|
|
|
|
|
|
|
|
It's been a decade now that the very first version of the GNU Privacy
|
|
|
|
Guard [0] has been released. This very first version was not yet
|
|
|
|
known under the name of GnuPG but dubbed "g10" as a reference on the
|
|
|
|
German constitution article on freedom of telecommunication
|
|
|
|
(Grundgesetz Artikel 10) and as a pun on the G-10 law which allows the
|
|
|
|
secret services to bypass these constitutional guaranteed freedoms.
|
|
|
|
|
|
|
|
Version 0.0.0 released on December 20th 1997 [1], was a barely working
|
|
|
|
replacement of PGP avoiding all patented algorithm by using Elgamal
|
|
|
|
and Blowfish instead of RSA and IDEA. It was prominently marked as a
|
|
|
|
test version but nevertheless included most of the features of the
|
|
|
|
current GnuPG. The data format however was not compatible with
|
|
|
|
OpenPGP but oriented towards the PGP 2 format with a few extensions
|
|
|
|
(e.g. to allow streaming of data). The OpenPGP working group was
|
2008-01-10 08:13:14 +00:00
|
|
|
founded back in fall 1997 and I learned a bit too late about it to
|
2007-12-20 08:52:40 +00:00
|
|
|
build "g10" according to the then existing draft. For copyright
|
|
|
|
reasons it was practically not possible to reverse engineer the format
|
|
|
|
used by PGP-5, so the establishment of the OpenPGP WG was the right
|
|
|
|
thing at the right time.
|
|
|
|
|
|
|
|
Before talking about GnuPG we need to go some more years back in
|
|
|
|
history: To help political activists Phil Zimmermann published a
|
|
|
|
software called Pretty Good Privacy (PGP) in 1991. PGP was designed
|
|
|
|
as an easy to use encryption tool with no backdoors and disclosed
|
|
|
|
source code. PGP was indeed intended to be cryptographically strong
|
|
|
|
and not just pretty good; however it had a couple of inital bugs, most
|
|
|
|
of all a home designed cipher algorithm. With the availability of the
|
|
|
|
source code a community of hackers (Branko Lankester, Colin Plumb,
|
|
|
|
Derek Atkins, Hal Finney, Peter Gutmann and others) helped him to fix
|
|
|
|
these flaws and a get a solid version 2 out.
|
|
|
|
|
|
|
|
Soon after that the trouble started. As in many counties the use or
|
|
|
|
export of cryptographic devices and software was also strongly
|
|
|
|
restricted in the USA. Only weak cryptography was generally allowed.
|
|
|
|
PGP was much stronger and due to the Usenet and the availability of
|
|
|
|
FTP servers and BBSs, PGP accidently leaked out of the country and
|
|
|
|
soon Phil was sued for unlicensed munitions export. Those export
|
|
|
|
control laws were not quite up to the age of software with the funny
|
|
|
|
effect that exporting the software in printed form seemed not to be
|
|
|
|
restricted. MIT Press thus published a book with the PGP source code
|
|
|
|
which was then scanned outside the USA to form the base of PGP-2i ("i"
|
|
|
|
for international). Since then that version was used widely.
|
|
|
|
|
|
|
|
The criminal investigations against Phil ended in 1996 and he founded
|
|
|
|
PGP Inc to write PGP-5. The first public release was done in spring
|
|
|
|
1997. The same year at the 39th IETF meeting at Munich in August Phil
|
|
|
|
Zimmermann and Jon Callas asked the IETF to setup a working group to
|
|
|
|
publish a standard for the protocol used by PGP-5 under the name
|
|
|
|
OpenPGP. The main drive behind this was to allow widespread use of
|
|
|
|
strong encryption even if at some point the new company would decide
|
|
|
|
to stop selling and supporting PGP. As it turned out PGP Inc was
|
|
|
|
acquired by Network Associates just a few months later and in 2002
|
|
|
|
this company actually ceased support and development of PGP (though
|
|
|
|
the PGP product was later continued by the new PGP Corporation).
|
|
|
|
|
|
|
|
Also often claimed to be Free Software, PGP has never fulfilled the
|
|
|
|
requirements for it: PGP-5 is straight proprietary software; the
|
|
|
|
availability of the source code alonedoes not make it free. PGP-2 has
|
|
|
|
certain restrictions on commercial use [2] and thus puts restrictions
|
|
|
|
on the software which makes it also non-free. Another problem with
|
|
|
|
PGP-2 is that it requires the use of the patented RSA and IDEA
|
|
|
|
algorithms. The patent on RSA was only valid in the USA but the
|
|
|
|
patent on IDEA was and is still valid [3] in most countries.
|
|
|
|
|
|
|
|
Although the GNU project listed a requirement for a PGP replacement
|
|
|
|
for some years on its task list, it was not possible to start
|
|
|
|
implementing it as long as patents on all public key algorithms were
|
|
|
|
valid. That changed when in April 1997 the basic patent on public key
|
|
|
|
algorithms expired (the Diffie-Hellman US patent 4200770) and finally
|
|
|
|
in August when the broader Hellman-Merkle patent (4218582) expired.
|
|
|
|
|
|
|
|
A month later, at the Individual-Network Betriebstagung at Aachen [4],
|
|
|
|
Richard Stallman continued his talk with a BoF session where he asked
|
|
|
|
the European hackers to start implementing public key software. The
|
|
|
|
arms trafficker laws of the USA prohibited the GNU project to write
|
|
|
|
such software in their country or even by US citizens working abroad.
|
|
|
|
Thus he told the European hackers that they are in the unique position
|
|
|
|
to help the GNU with crypto software.
|
|
|
|
|
|
|
|
Being tired of writing SMGL conversion software and without a current
|
|
|
|
fun project, I soon found my self hacking on PGP-2 parsing code based
|
|
|
|
on the description in RFC-1991 and the pgformat.txt file. As this
|
|
|
|
turned out to be easy I continued and finally came up with code to
|
|
|
|
decrypt and create PGP-2 data. After I told the GNU towers that I
|
2008-01-10 08:13:14 +00:00
|
|
|
will take up the PGP replacement implementation I spent the rest of
|
2007-12-20 08:52:40 +00:00
|
|
|
the year replacing IDEA by Blowfish, RSA by Elgamal, implementing
|
|
|
|
streaming encryption, adding some key management and getting the code
|
|
|
|
into a reasonable shape.
|
|
|
|
|
|
|
|
There used to be a plan for a free version of Secure Shell called PSST
|
|
|
|
(later known as LSH) with a somewhat populated mailing lists
|
|
|
|
maintained by Martin Hamilton. Martin was the so kind to setup a
|
|
|
|
mailing list for g10 too and announced it on that list. This way we
|
|
|
|
got the first subscribers. Eventually I made the first tarball, put
|
|
|
|
it up to ftp.guug.de, the FTP server of the German Unix User Group,
|
|
|
|
and wrote an announcement [5].
|
|
|
|
|
|
|
|
Right the next day Peter Gutmann offered to allow the use of his
|
|
|
|
random number code for systems without a /dev/random. This eventually
|
|
|
|
helped a lot to make GnuPG portable to many platforms. The next two
|
|
|
|
months were filled with code updates and a lengthly discussion on the
|
|
|
|
name; we finally settled for Anand Kumria's suggestion of GnuPG and
|
|
|
|
made the first release under this name (gnupg-0.2.8) on Feb 24 [6].
|
|
|
|
Just a few days later an experimental version with support for Windows
|
|
|
|
was released. (That release also fixed an alignment problem on Alpha
|
|
|
|
boxes which was detected due to kernel log files filling up the hard
|
|
|
|
disk and an admin asking whether they really need to be backed up. ;-)
|
|
|
|
|
|
|
|
In July 1998 the first more or less OpenPGP draft compliant version
|
|
|
|
was released. Matthew Skala had contributed Twofish code done cleanly
|
|
|
|
from scratch (Twofish was at that time a promising AES candidate and
|
|
|
|
suggested by Schneier as a Blowfish replacement; however we had some
|
|
|
|
copyright concerns with the reference code). Michael Roth contributed
|
|
|
|
a Triple-DES implementation later the year and thus completed the
|
|
|
|
required set of OpenPGP algorithms. Over the next year the usual
|
|
|
|
problems were solved, features discussed, complaints noticed and
|
|
|
|
support for gpg in various other software was introduced by their
|
|
|
|
respective authors.
|
|
|
|
|
|
|
|
Finally, on September 7, 1999 the current code was released as version
|
|
|
|
1.0.0 with the major update of including Mike Ashley's GNU Privacy
|
|
|
|
Handbook [7]. A year later the RSA patent was to expire on September
|
|
|
|
20; the patent holder placed the patent into the public domain 3 weeks
|
|
|
|
earlier and thus we could release 1.0.3 with RSA support already on
|
|
|
|
September 18. One of the major obstacles on widespread use public
|
|
|
|
cryptography had gone (far too late of course).
|
|
|
|
|
|
|
|
Also in 1999 the German government decided that strong encryption will
|
|
|
|
not be regulated in any way and that its use is recommended for
|
|
|
|
everyone. To publicly support this statement the Ministry of
|
|
|
|
Economics funded the porting of GnuPG and related software to
|
|
|
|
Microsoft Windows [8]. The US government was not keen to see that and
|
|
|
|
tried to urge the German government to revise the decision to allow
|
|
|
|
unregulated distribution of crypto software [9]. That did not work
|
|
|
|
out and to the end the USA had no other way than to weaken their own
|
|
|
|
export rules.
|
|
|
|
|
|
|
|
Although we still develop GnuPG using servers located in Europe the
|
|
|
|
new US export controls eventually allowed US hackers to contribute to
|
|
|
|
GnuPG development. In 2001 David Shaw joined the project and since
|
|
|
|
then he is one of the most active GnuPG hackers and the co-maintainer.
|
|
|
|
|
|
|
|
It's now a long time since GnuPG could be managed as a fun project and
|
2008-01-10 08:13:14 +00:00
|
|
|
thus I now spend most of my professional life maintaining and extending
|
2007-12-20 08:52:40 +00:00
|
|
|
GnuPG. In 2001 I founded g10 Code, a Free Software company for the
|
|
|
|
development and support of GnuPG and related software. The most known
|
|
|
|
project is probably GnuPG-2 which started under the name NewPG as part
|
|
|
|
of the broader Aegypten project. The main goal of Aegypten was to
|
|
|
|
provide support for S/MIME under GNU/Linux and integrate that cleanly
|
|
|
|
with other mail clients, most notably KMail. Although having been
|
|
|
|
actively used since 2004, we released 2.0.0 only one years ago.
|
|
|
|
|
|
|
|
It was not that much fun writing X.509/CMS (commonly named S/MIME)
|
|
|
|
software compared to the elegant and very interoperable OpenPGP
|
|
|
|
protocol. Having mastered that we meanwhile achieved to provide a
|
|
|
|
software which is really useful and works nicely with almost any other
|
|
|
|
S/MIME implementation. It also turned out that we could port GnuPG-2
|
|
|
|
to Windows - despite my original claim that a modern POSIX platform
|
|
|
|
will be needed for GnuPG-2. This development also showed that it is
|
|
|
|
viable to develop Free Software as a business.
|
|
|
|
|
|
|
|
With the new tools and from a user's perspective S/MIME and OpenPGP
|
|
|
|
will soon not make much of a difference anymore. However I had to
|
|
|
|
smile when I today read a report on the last RSA Europe conference
|
|
|
|
where a quick poll during a talk showed that OpenPGP is the mostly
|
|
|
|
used encryption protocol.
|
|
|
|
|
|
|
|
Recall that GnuPG is just one tool; there are numerous other tools out
|
|
|
|
to solve related privacy problems. Kudos to all who worked on writing
|
|
|
|
and deploying privacy tools over all these years!
|
|
|
|
|
|
|
|
|
|
|
|
Happy Hacking,
|
|
|
|
|
|
|
|
Werner
|
|
|
|
|
|
|
|
|
|
|
|
[0] http://www/gnupg.org
|
|
|
|
[1] ftp://ftp.gnupg.org/gcrypt/historic/g10-0.0.0.tar.gz
|
|
|
|
[2] from pgpdoc2.txt: "Finally, if you want to turn PGP into a
|
|
|
|
commercial product and make money selling it, then we must agree
|
|
|
|
on a way for me to also make money on it. [...] Under no
|
|
|
|
circumstances may PGP be distributed without the PGP
|
|
|
|
documentation, including this PGP User's Guide."
|
|
|
|
[3] "valid" is meant in the sense the patent holders use it and does
|
|
|
|
not imply that I regard patents on software a valid concept. See
|
|
|
|
http://www.fsfeurope.org/projects/swpat/background.en.html .
|
|
|
|
[4] http://www.dascon.de/IN-BT97/programm.html
|
|
|
|
[5] http://lists.gnupg.org/pipermail/gnupg-devel/1997-December/014131.html
|
|
|
|
There are just a few mails in December mainly discussing patent things.
|
|
|
|
[6] http://lists.gnupg.org/pipermail/gnupg-devel/1998-February/014208.html
|
|
|
|
[7] http://lists.gnupg.org/pipermail/gnupg-announce/1999q3/000037.html
|
|
|
|
[8] http://partners.nytimes.com/library/tech/99/11/cyber/articles/19encrypt.html
|
|
|
|
[9] http://www.heise.de/tp/r4/artikel/5/5124/1.html
|
|
|
|
|
2008-06-01 19:44:05 +00:00
|
|
|
=== Remarks ===
|
|
|
|
|
|
|
|
In a reply to this mail Alan Olsen remakrked on the ML:
|
|
|
|
|
|
|
|
MIT was forced to use the RSAREF library which had a non free
|
|
|
|
license. At first they used the RSAREF2 library, but then they were
|
|
|
|
told to use the RSAREF1 library. (I diffed the two libraries and
|
|
|
|
determined that the only difference was that RSAREF2 had fixed a
|
|
|
|
number of buffer overflows and other security flaws. There were no
|
|
|
|
added features.)
|
|
|
|
|
|
|
|
If I remember correctly, 2.5 had RSAREF2 and 2.6 had RSAREF1. One
|
|
|
|
of the main reasons for the creation of the "International version"
|
|
|
|
was the use of RSAREF. (Besides the security issues, it was pretty
|
|
|
|
damn slow. In the days of the i386 people cared about speed.)
|
|
|
|
|
|
|
|
Jaime Suarez translated the text in his blog, see
|
|
|
|
|
|
|
|
http://wordpress.mundocripto.com
|
|
|
|
|