Cryptography Reference
In-Depth Information
cleanly implements the OpenPGP standard. As happens to all designers in
every software project, the product has grown out of its spiritual father's hands.
Meanwhile, programmers all over the world had started working on its further
development, its test, or its compilation. In fact, the project had become so sig-
nificant and popular that the German government began to financially sponsor
it. Amazing how policies can change over time! Not many years earlier, there
had been hefty discussions about banning cryptography, at least with regard to
key escrow.
GnuPG was born under Linux, but it also runs on many other UNIX derivatives
(though the installation is cumbersome in some cases), and on Windows, of
course, but with German documentation (
gpg4win
) only. Visit
www.gpg.org
for more details.
How does GnuPG differ from PGP 2.6 (and partly from its successors)?
•
GnuPG is a free software without patent claims so that it can be used by
everybody, including commercial use.
•
GnuPG implements several algorithms, and the embedding of additional
methods is easy. For example, Rijndael had been included in GnuPG
immediately after it became the new AES standard.
GnuPG 2.0 was announced in November 2006 (more about it below);
but the current release is still 1.4.5. It supports the asymmetric algo-
rithms ElGamal, RSA since its patent expiry in September 2000 (i.e.,
from GnuPG Version 1.0.3 and higher), and DSA (for signing). GnuPG
knows several hash functions, including MD5, SHA-1, SHA-256, and
RIPE-MD160 as well as symmetric algorithms including AES (with 128-
bit to 256-bit key lengths), CAST5, Twofish, Blowfish, Triple-DES, and
IDEA.
•
GnuPG has a strongly improved security concept. For example, it con-
tinually collects randomness and uses it when creating session keys. This
makes attacks against GnuPG much harder than against PGP 2.6. Also,
sensitive memory locations where private keys are located are kept before
swapping them to the hard disk (under UNIX for the time being). That
removed a critical security flaw in the old PGP.
•
The key management was expanded and improved considerably. Different
keys are used for encryption and signature. There are keys with a finite
lifespan, and keys can be revoked. A 'universal key' can be kept locally
on a notebook, and 'work keys' with a finite lifespan can be used for
