GnuPG, OpenSSL and FreeS/WAN

by Werner Koch <wk@gnupg.org>

The Open Source community has a lot of activities developing encryption software. In this statement GnuPG, OpenSSL and FreeS/WAN are covered.

Questions from the Danish IT Security Council

For which users are the products designed?

GnuPG is designed for all types of users. OpenSSL and FreeS/WAN are designed for programmers to include in their products. That is, any person, organisation, company or government in the world may use these products. There are no restrictions on who can use GnuPG, except that some countries have banned the use of the strong encryption that GnuPG delivers.

As an example, Linux uses GnuPG to prevent tampering with the software by adding an authentication document signed with GnuPG. The end user can then verify that the software originated from Linus Torvalds.
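The end-user check described above, shown as an added example that is not part of this statement: a throwaway key, a constructed release file and a detached signature are built on the spot so it runs offline, and the demo identity and file names are assumptions, not the real signing key. The point it adds is that "Good signature" alone is not enough; the signing key's fingerprint must match one obtained out of band.

```shell
#!/bin/sh
# Added example: verifying a release file against a detached GnuPG signature,
# as an end user would for a signed tarball.  The keyring, key and file below
# are constructed here; the identity is an assumption, not a real project key.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
WORK="$GNUPGHOME"
trap 'rm -rf "$GNUPGHOME"' EXIT

# Constructed release file and a throwaway signing key without passphrase.
printf 'constructed release contents\n' > "$WORK/release.tar"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Releaser <demo@example.invalid>' default default never 2>/dev/null

# The fingerprint a user obtains out of band (project web page, printed card,
# a trusted introducer) and pins before believing any signature.
PINNED_FPR=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/ { print $10; exit }')

# Producer side: ship release.tar together with release.tar.sign.
gpg --batch --quiet --detach-sign --output "$WORK/release.tar.sign" "$WORK/release.tar"

# verify_release FILE SIGFILE EXPECTED_FPR
# Succeeds only when gpg reports a valid signature AND the signing key's
# fingerprint equals the pinned one.  Anyone can produce a signature that gpg
# calls "good" with a key of their own, so the fingerprint comparison is what
# ties the file to its author.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $3 " || return 1
}

# Untouched file: verification passes.
verify_release "$WORK/release.tar" "$WORK/release.tar.sign" "$PINNED_FPR" && echo "intact release: OK"

# Tampered copy: the same signature no longer matches the contents.
cp "$WORK/release.tar" "$WORK/tampered.tar"
printf 'x' >> "$WORK/tampered.tar"
verify_release "$WORK/tampered.tar" "$WORK/release.tar.sign" "$PINNED_FPR" || echo "tampered release: REJECTED"
```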

GnuPG has versions for Linux, UNIX, Windows, OS/2 and MacOS.

OpenSSL makes it possible to run a web server with encryption (https). The supported operating systems are Linux, UNIX and Windows.

FreeS/WAN makes it possible to send all data encrypted between two machines.

What is the price of the products?

GnuPG, OpenSSL and FreeS/WAN are free (gratis) for all when downloading the software from the Internet.

A CD-ROM version of GnuPG is under development and the price is set to EUR 50.00 (DKK 375.00).

Support contracts will be available together with the CD-ROM version, and any company can specialise in offering support.

There is no difference between the software on the CD-ROM version and the version which can be downloaded from the Internet.

Application of the products?

GnuPG protects email communication as well as documents stored on a computer.

OpenSSL is used for on-line applications such as secure browser communication over the Internet.

FreeS/WAN (IPSec) is used for Virtual Private Network (VPN).

The level of security offered by the products?

The security level for GnuPG is 4096 bits for asymmetric encryption and 128 or 256 bits for symmetric encryption.

OpenSSL uses 512 bits asymmetric, as the standard defines, but can easily adapt to any other size.

All algorithms used in both GnuPG and OpenSSL are based on well-known standards: Digital Signature Standard (DSS), OpenPGP (RFC2440), SSL (de-facto standard, successor is TLS RFC2246).

How is the level of security ensured?

All products use only well-established cryptographic algorithms which are suggested by the world's top cryptographic researchers. See the article by Bruce Schneier.

GnuPG, OpenSSL and FreeS/WAN are developed as Open Source, and every part of the source code, including all development versions, is publicly available. Even the latest sources (repositories) used by the developers are publicly accessible. Changes to the code are not made by random people but only by a few experienced developers, based on reports from the testers.

A large base of experienced developers all over the world audit the code, and to help this every new version of GnuPG or OpenSSL comes with a file describing in detail all changes to the code. Problems and other defects are fixed very fast (usually within a day or two).

Do the products comply with widely accepted standards?

GnuPG is compliant with OpenPGP and is thereby compatible with 95% of the market (PGP). OpenPGP is becoming an Internet standard as defined in RFC2440.

SSL is a de-facto standard but will migrate to the Internet standard TLS (RFC2246) in the near future.

How are the products distributed?

Primarily, GnuPG, OpenSSL and FreeS/WAN are distributed via the Internet. GnuPG will later on come in a CD-ROM version. A lot of Open Source distributors such as SuSE and Debian already use GnuPG for their products and distribute it.

Open Source

One of the most important things about encryption software is that it can only be trustworthy if the source code is available.

Article by Bruce Schneier:

"As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice."

There have been numerous examples where a closed-source encryption product was too weak and was eventually broken. It is therefore our opinion that any encryption software used by Danish citizens must be open source.

Another important thing is that all products described here are free (gratis). This will ensure that everyone will be able to use encryption software regardless of their financial status.

A Danish version of the GnuPG software and documentation would make it more available to all Danish end users. If there is a strong demand for a Danish version, it will be translated by the Open Source community over time. To speed up the process, it would be most valuable if the Danish government supported this with resources or donations.

Also, the fact that the Wassenaar agreement does not control the export of Open Source products is yet another argument for choosing Open Source.

Links

GnuPG
http://www.gnupg.org
http://www.gnupg.de/presse.en.html
OpenPGP
http://www.ietf.org/rfc/rfc2440.txt
OpenSSL
http://www.openssl.org
SSL standard
http://www.ietf.org/rfc/rfc2246.txt
FreeS/WAN
http://www.freeswan.org
SSL documentation
http://www.netscape.com/eng/ssl3/
Article about cryptography by Bruce Schneier
da: http://www.sslug.dk/artikler/krypto.html
en: http://www.counterpane.com/crypto-gram-9909.html
Example of cracking proprietary standards
http://www.counterpane.com/cmea-abstract.html
The Wassenaar document that frees Open Source
http://www.wassenaar.org/list/GTN%20and%20GSN%20-%2099.pdf
Open Source fixes security problem within four hours
http://www.pp.asu.edu/support/ping-o-death.html
Debian
http://www.debian.org
S.u.S.E
http://www.suse.de
This statement
http://www.sslug.dk/misc/kryptering-20000117/gnupg.html