A brief history of GnuPG: vital to online security but free and underfunded
Donate to GnuPG.
Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition.
One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forced to fundraise to continue the project.
GnuPG is part of the GNU collection of free and open source software, but its story is an interesting one, and it begins with software engineer Phil Zimmermann.
What is PGP?
PGP implements a form of cryptography that is known as “asymmetric cryptography” or public-key cryptography.
The story of its discovery is itself worth telling. It was invented in the 1970s by researchers at the British intelligence service GCHQ and then again by Stanford University academics in the US, although GCHQ’s results were only declassified in 1997.
Asymmetric cryptography gives users two keys. The so-called “public” key is meant to be distributed to everyone and is used to encrypt messages or verify a “signature”. The “private” or “secret” key must be known only to the user. It helps decrypt messages or “sign” them - the digital equivalent of a seal to prove origin and authenticity.
Zimmermann published PGP because he believed that everybody has a right to private communication. PGP was meant to be used for email, but could be used for any kind of electronic communication.
The challenge facing security software
Despite Zimmermann’s work, the dream of free encryption for everyone never quite came to full bloom.
Neither Zimmermann’s original PGP nor the later GnuPG managed to become entirely user-friendly. Both use highly technical language, and the latter is still known for being accessible only by typing out commands - an anachronism even in the late 1990s, when most operating systems already used the mouse.
Many users did not understand why they should encrypt their email at all, and attempts to integrate the tools with email clients were not particularly intuitive.
The release of the Edward Snowden documents in 2013 spurred renewed interest in PGP.
By today’s standards, GnuPG – like all implementations of OpenPGP – lacks additional security features that are provided by chat apps such as WhatsApp or Signal. Both are spiritual descendants of PGP and unthinkable without Zimmermann’s invention, but they go beyond what OpenPGP can do by protecting messages even in the case of a private key being lost.
What’s more, email reveals the sender and receiver names anyway. In the age of data mining, this is often enough to infer the contents of encrypted communication.
Nevertheless, GnuPG (and hence OpenPGP) are alive and well. Relative to the increased computational power available today, their cryptography is as strong today as it was in 1991. GnuPG just found new use cases - very important ones.
Journalists use it to allow their sources to deposit confidential data and leaks. This is a vital and indispensable method of self-protection for the leaker and the journalist.
But even more importantly, digital signatures are where GnuPG excels today.
Linux is one of the world’s most common operating system (it even forms the basis of Android). On internet servers that run Linux, software is downloaded and updated from software repositories - and most of them sign their software with GnuPG to confirm its authenticity and origin.
GnuPG works its magic behind closed curtains, once again.
– Ralph Holz in The Conversation, July 17, 2017