The Difference Between PGP, OpenPGP, and GnuPG Encryption

July 23, 2019 Security and Compliance, MOVEit

Ah, cryptography. It’s so important to us in our everyday lives, and yet it has one of the longest and most confusing histories of any technology we use today.

Encryption has been used since ancient times by generals, spies, rebels, and even politicians. The cipher is considered one of the earliest forms of encryption and was used in Ancient Rome to keep information secret. Not even the messenger would know what a message meant without the proper decoding key. The idea was that two people who needed to communicate securely over long distances could do so with the cipher.

Nowadays, encryption is necessary to ensure that no one is listening in on our conversations and to keep would-be criminals from stealing or corrupting our data. However, the fundamentals of encryption today are much the same as they were in the ciphers of the past. Of course, today’s encryption algorithms are far superior, thanks to advanced mathematics and computers, which makes brute-force attacks much harder to pull off.

In this article, we are going to discuss three popular forms of encryption called PGP (Pretty Good Privacy), OpenPGP, and GnuPG (GNU Privacy Guard). They are similar in that OpenPGP is an open alternative to PGP (we will get into why later), and GnuPG is based on the OpenPGP standard. Confused yet? You aren’t alone. All three standards are in use today, but they have different applications.

What is PGP?

Pretty Good Privacy, also known as PGP, was originally created by Phil Zimmermann in 1991 as a way for people to communicate without being eavesdropped on. Today, it is used to encrypt and decrypt text messages and email. In a nutshell, when you want to send an encrypted message or file somewhere, you encrypt it with a random key, and that key is then encrypted with the receiver’s public key. Anything encrypted with the public key can only be decrypted with the private key that only the designated receiver has. That way, even if people know the receiver’s public key, the receiver is the only one who can decrypt the file or message. The thing with PGP is that it isn’t open: it is proprietary software currently owned by Symantec. Going further back into the 1990s, there used to be a law in the US that restricted the export of cryptographic technology outside the US. Soon after Phil Zimmermann created PGP, it was found being used overseas. This led to a lengthy investigation in which no charges were ever pressed against Zimmermann. However, Zimmermann released the source code of PGP, which allowed any party to create their own version of encryption software based on the original PGP source code. Since source code is protected under the First Amendment, there really wasn’t much the US government could do about these new versions. That’s where OpenPGP came into play a few years later.


What is OpenPGP?

Due to the patent issues mentioned earlier, PGP was not always practical for international use. That’s why the OpenPGP Working Group was formed within the Internet Engineering Task Force (IETF). This eliminated the need to license PGP and got around some obsolete US laws of the time.

Nowadays, many email clients support OpenPGP, and the standard itself is still maintained and under active development.

On the Ipswitch | Progress Community, we have a great overview of how OpenPGP works. Here is an excerpt from that page:

OpenPGP is a key-based encryption method used to encrypt files so that only their intended recipient can receive and decrypt them. OpenPGP is used widely to secure e-mail communications, but its technology can also be applied to FTP.

OpenPGP works by using two cryptographic keys to secure files. A Public Key is used to encrypt the file so that only its corresponding Private Key can decrypt it.

Unlike SSL and SSH, OpenPGP is not a type of connection, but a method of encrypting a file prior to uploading it. As such, OpenPGP Mode can be used in conjunction with standard FTP, SSL or SSH connections.

As you can see, it’s similar to how PGP works. Now, since OpenPGP is an encryption standard supported by the IETF and developed with the PGP community, there are of course other standards that branch off of OpenPGP. The most common is the open source encryption standard called GnuPG, otherwise known as GNU Privacy Guard, or GPG for short.

What is GnuPG?

GnuPG is another free encryption standard based on OpenPGP that companies may use. GnuPG serves as a replacement for Symantec’s PGP. The main difference is the set of supported algorithms; however, GnuPG is designed to interoperate with PGP. Because GnuPG is open, some businesses would still prefer the technical support and the user interface that come with Symantec’s PGP. It is important to note that there are some compatibility nuances between GnuPG and PGP, such as support for certain algorithms, but in most applications, such as email, there are workarounds. One such algorithm is the IDEA cipher, which isn’t included in GnuPG out of the box due to patent issues.
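As an added example (not code from the original post, nor from Progress/Ipswitch or the GnuPG project), the following POSIX shell script drives GnuPG through the scheme described in the PGP section above: a message is encrypted to the recipient’s public key, decrypted with the matching private key, and the packet listing shows the two layers (a public-key-encrypted session key packet followed by the symmetrically encrypted data). It also shows how to check which ciphers your build of GnuPG supports, which is how you settle a compatibility question like the IDEA one mentioned in this section. The recipient identity and message are constructed for the example; the script uses a temporary GNUPGHOME so it never touches a real keyring, and it assumes GnuPG 2.1 or later is installed.

```shell
#!/bin/sh
# Added example, not from the original post: OpenPGP hybrid encryption via GnuPG.
# Recipient identity and message are constructed; assumes GnuPG 2.1+ on PATH.
set -eu

# A private GNUPGHOME so nothing here touches the user's real keyring.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

RECIPIENT="alice@example.invalid"   # hypothetical recipient user ID
PLAIN="$GNUPGHOME/plain.txt"
CIPHER="$GNUPGHOME/plain.txt.gpg"

# Non-interactive gpg: the throwaway key has an empty passphrase, so no prompts.
run_gpg() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"
}

# Generate the recipient's key pair (default algorithm, never expires).
gen_key() {
    run_gpg --quick-generate-key "$RECIPIENT" default default never >/dev/null 2>&1
}

# Encrypt to the recipient's public key. gpg picks a random session key,
# encrypts the data with it, and wraps that key with the public key.
# --trust-model always only because the demo key was just generated here;
# in real use you verify the recipient's key fingerprint instead.
encrypt_to_recipient() {
    run_gpg --trust-model always --recipient "$RECIPIENT" \
            --output "$CIPHER" --encrypt "$PLAIN"
}

# Decrypt with the private key; prints the recovered plaintext.
roundtrip() {
    run_gpg --decrypt "$CIPHER"
}

# Show the packet structure: ':pubkey enc packet:' is the wrapped session key,
# the following encrypted data packet is the symmetrically encrypted message.
packet_types() {
    run_gpg --list-packets "$CIPHER" 2>/dev/null | grep '^:'
}

# Check whether this GnuPG build lists a cipher under "Cipher:" in gpg --version.
# Usage: cipher_supported IDEA  (exit status 0 if supported)
cipher_supported() {
    gpg --version \
        | awk '/^Cipher:/ { on = 1 } /^Hash:/ { on = 0 } on' \
        | tr ',' ' ' \
        | grep -qw -- "$1"
}

# Stand-alone demonstration.
printf 'meet at noon\n' > "$PLAIN"
gen_key
encrypt_to_recipient
echo "Decrypted: $(roundtrip)"
echo "Packets in ciphertext:"
packet_types
for c in IDEA AES256; do
    if cipher_supported "$c"; then echo "$c: supported"; else echo "$c: not supported"; fi
done
```

The packet listing is the quickest way to see the hybrid design the article describes: the public key never encrypts the message itself, only the session key. The `Cipher:` line from `gpg --version` is also what to compare against the other side’s PGP product when an encrypted file fails to open, since a cipher one side prefers and the other lacks is the usual cause of the compatibility nuances mentioned above.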

Picking an Encryption Standard

Hopefully, this article has helped to aggregate much of the information on the net about the differences between these standards. The important thing is that PGP, OpenPGP, and GnuPG are all related and should work nicely together. The application you use them with may determine which one you choose.

What are you using at your company or for personal use? Is there anything you’d like to add to this synopsis? Sound off in the comments below!

Greg Mooney

Greg is a technologist and data geek with over 10 years in tech. He has worked in a variety of industries as an IT manager and software tester. Greg is an avid writer on everything IT-related, from cybersecurity to troubleshooting.