History of Pretty Good Privacy (PGP)

• About the author
• History of PGP
• How PGP works

PGP (Pretty Good Privacy) is used mainly for secure electronic mail. It uses the RSA algorithm for exchanging keys and IDEA, another symmetric key algorithm, for encrypting the actual messages. It was first released in 1991.

It contains some means for secure key negotiation and for authentication. What PGP does is to encrypt a symmetrical key using the public key, then encrypt the remainder of the data with a faster algorithm using the symmetrical key. Its weakness lies in key negotiation, which is true for most methods. Right now, PGP has become a de-facto standard for e-mail facilities.

PGP 1 was initially going to use DES, but the author, Philip R. Zimmermann became downright suspicious of it and wrote his own encryption system, the Bass-O-Matic, that’s right, the one on Saturday Night Live. Adi Shamir refused to look at it at the 1991 Crypto Conference, but Eli Biham, another cryptographer, did and the Bass-O-Matic algorithm was immediately destroyed. But the next version of PGP was soon due out.

PGP Version 2.0 was put together by an informal team of programmers around the world. The biggest change was to switch out the Bass-O-Matic for IDEA, the International Data Encryption Algorithm. The major people that worked on PGP 2.0 were Branko Lankester (Netherlands), Peter Gutmann (New Zealand), and Jean-loup Gailly (France) who did the compression algorithm and the French translation.

The 2.0 version finally leveled out with the stable 2.3a. Both USA and international versions are available at www.pgpi.org.

Wait! Don’t go yet, if you’re worried about patent infringement, in the summer of 1993, Zimmermann hammered out a deal with ViaCrypt to make a legal, commercial version of PGP, the ViaCrypt PGP with the ViaCrypt RSA engine. The first version released was 2.4, based on 2.3a. The second release followed as version 2.7. Thus, PGP became legitimate for business.

Now, can’t afford ViaCrypt PGP? MIT stepped in in the summer of 1993 as well, and convinced Zimmermann to use the RSAREF engine in PGP under the non-commercial (free) license in order to legitimize PGP. When version 2.0 for RSAREF came out, that was made a possibility. PGP Version 2.5 was born under the RSAREF non-commercial use license. Jeffrey Schiller, MIT’s Network Manager, sent out a message to the cypherpunks mail list.

The Massachusetts Institute of Technology announces that it will shortly distribute PGP version 2.5, incorporating the RSAREF 2.0 cryptographic toolkit under license from RSA Data Security, Inc., dated March 16, 1994. In accordance with the terms and limitations of the RSAREF 2.0 license of March 16, 1994, this version of PGP may be used for non-commercial purposes only. PGP 2.5 strictly conforms to the conditions of the RSAREF 2.0 license of March 16, 1994. As permitted under it RSAREF license, MIT’s distribution of PGP 2.5 includes the accompanying distribution of the March 16, 1994 release of RSAREF 2.0. Users of PGP2.5 are directed to consult the RSAREF 2.0 license included with the distribution to understand their obligations under that license.

This distribution of PGP2.5, available in source code form, will be available only to users within the United States of America. Use of PGP 2.5 (and the included RSAREF 2.0) may be subject to export control. Questions concerning possible export restrictions of PGP 2.5 (and RSAREF 2.0) should be directed to the U.S. State Department’s Office of Defense Trade Controls.