A German software programmer has released over the Internet the beta-test version of a freeware encryption program that he says is an alternative to the widely-used encryption software PGP (Pretty Good Privacy).
The program, called GnuPG (GnuPrivacyGuard), runs on any Unix-based platform and features 128-bit encryption, the same strength encryption as PGP, according to Werner Koch, the Düsseldorf-based software developer who wrote the program. GnuPG is also compatible with PGP versions 5.0 and 6.0, so it can send and receive PGP-encrypted messages.
One advantage of GnuPG over PGP is that not only is it secure, but it is also clearly in the public domain, according to Erich Moechel, editor of the Internet newsletter Quintessenz, who has tested the software. That means there is no chance it will be subject to government restrictions on exporting encryption software, he said.
In Vienna last month, 33 countries signed the Wassenaar Arrangement, agreeing to put export controls on some kinds of secure software. Although "mass market" software is considered exempt from these controls, the software which falls into this category is not very secure, according to Moechel. "That stuff can be cracked in a matter of milliseconds," he said.
It is not clear whether PGP falls into the category of public domain software, Moechel said. PGP version 5.0 business edition is clearly a commercial program, according to GnuPG creator Koch. PGP is now owned by Network Associates and is sold commercially. Although a free version of PGP 5.0 exists, Koch said, it is not being used for commercial purposes.
Another advantage of GnuPG is that it was developed outside the US, so it also cannot fall under any US restrictions on exporting encryption software, Koch said. The US requires permits for the export of strong encryption software.
Koch released early versions of GnuPG in December 1997, and has been improving it ever since. Now, he said, he feels he has a "good, stable program," which is ready for beta testing. In several months Koch plans to release version 1.0, after which the program will only require patches, Koch said.
Encryption technology scrambles a message so that it can only be read by authorised users, who possess a key to decrypt the message. GnuPG uses a symmetrical 128-bit key as well as an asymmetrical 1024-bit algorithm, which are used to scramble and unscramble the message, as well as to electronically sign the document.
In its current form, GnuPG will mainly be of interest to software developers, according to Moechel. "It doesn't have a graphical user interface. It also lacks some of the extra features offered by PGP-based products that run on Windows, such as a key server, which allows a function that can search the names of people that hold a public key," he said. Koch says that feature will be included in version 1.0, however.
GnuPG could easily be adapted for Windows, Koch said, but "I'm not going to do that for free. I'm not that interested in Windows," he said.
The software is already in commercial use, Koch said, and is preferred by some companies who want a program written specifically for a Unix platform, instead of for Windows. The software has some technical advantages over PGP, working better with other Unix-based programs, and using less memory than PGP, according to Koch.
GnuPG is already in commercial use and has been translated into 10 languages, he said. It has been used, for example, to encrypt a mailing list with sensitive medical information, to create anonymous e-mails in cases where someone does not want their identity traced, and to check the identity of certain parties who control Internet news forums, Koch said.
A freelance software developer, Koch created GnuPG in his spare time. "I wanted to work on something exciting," he said. He was inspired by the GNU project, an international effort to develop a free Unix-like operating system and associated applications. GNU stands for "GNU's Not Unix."
Publishing source code in the public domain is part of a movement which its advocates call freeware or open-source software. The idea is to subject source code to what some have called "massive peer review," which allows bugs in the software to be quickly detected and fixed by other users.
Although software released as "freeware" is public, the copyright to the GnuPG program does exist and is held by the Boston-based Free Software Foundation, Koch said.