Informsec2013 application
Submitted February 2013 (see also gpg4win-devel mailing list archive)
The German companies Intevation GmbH and g10 Code GmbH apply for this grant as partners. They are both located in the north-western part of Germany about 2 hours away from each other by train.
Both companies are owner-run, vendor-independent software companies that only create and deliver services for Free Software (Open Source). They have been working together on email cryptography since 2001, when they started porting GnuPG to the Windows platform. Intevation's and g10 Code's second project together was a contract for the German Federal Agency of IT-Security (www.bsi.bund.de) to integrate S/MIME crypto mail based on GnuPG into the Free Software email applications KMail and Mutt.
Project Description
In order to communicate files and emails safely, people and organizations depend on the availability of strong cryptography in software. Public key cryptography is especially useful as it does not depend on secure channels to transfer an encryption key. The existing Free Software (Open Source) product Gpg4win provides such a solution for users of the popular Windows operating systems by Microsoft. (See www.gpg4win.org) Gpg4win is based on GnuPG and supports both OpenPGP and S/MIME, which are widely known email and file encryption standards. GnuPG is fully compatible with other software solutions implementing these standards.
The aim of this project is to make this crypto functionality available to more users worldwide. The currently available versions of Gpg4win are 2.1.0 and 2.1.1-beta117. They have not kept up with a number of technical developments since the release of the last major version, Gpg4win 2.0.0, in 2009. Many users now run 64bit versions of Windows or newer versions of Windows itself, like Windows 7 and 8, while Gpg4win is still a 32bit application tested and developed for Windows XP and Vista. It still runs partly on Windows 7 64bit, but one important problem is that there is no 32bit Explorer anymore on those systems. This causes the Explorer extension of Gpg4win, called GpgEX, not to work on 64bit Windows. In addition, some of the components of Gpg4win need to be upgraded to newer revisions, closing potential security holes.
Users all over the world have tried Gpg4win in recent years and some have reported problems with non-latin character encodings or other missing parts of the software. They have filed a couple of hundred reports in issue trackers like bugs.kde.org (for the certificate management application called Kleopatra) or bugs.gnupg.org (for the crypto backend). While it is perfectly normal for software applications to have a number of open reports, the lack of some features effectively prevents a more widespread usage of Gpg4win.
The goal of the project is to improve Gpg4win and release new versions of it. The new versions will be more secure and run on more of the Windows variants in use. Furthermore, some wanted features, customization possibilities and missing documentation bits will be added. The result is that more users can use crypto to be sure from whom a message came and that the transfer was not eavesdropped on. Part of the funding will also enable more interaction with the user community to gain feedback from their "field" experience.
Describe how you plan to address the above problem with this grant funding
The grant will be used to pay salaries and additional costs for improving Gpg4win. This means improving the software, documentation, website and its user community. The companies applying for the grant employ people that have created Gpg4win and helped to maintain it in recent years. These people have professional experience in improving Gpg4win and they will coordinate by technical means and a few physical meetings.
The source code of Gpg4win and its components like GnuPG and Kleopatra is already available to the public. Development of this Free Software happens in the open, with English as the primary language. Delivery of the project results will be in the source code repository, by downloadable installers and documentation updates on the website. The communication with the development and user communities may also happen via other public channels, such as issue trackers or mailing lists.
Technically, Gpg4win consists of several software components that are integrated and built into an installer for several variants of the Windows operating system. The components themselves and the installer are internationalized, with the German and English translations being most complete, but others available as well. All Free Software components will be checked and adapted for new revisions that have meanwhile been published, so they can be integrated. Improvements will be made to the standard GUI called "Kleopatra", the "pinentry", the Explorer plug-in "GpgEX", the Outlook plug-in "GpgOL" and parts of the backend. As an additional test, we will see how well Gpg4win already runs on Windows 8. The documentation and website will be improved to reflect the progress of the new Gpg4win releases.
Provide step-by-step description of the tasks and specific timeline
(In order to keep this application readable, this section has been kept deliberately brief and assumes knowledge of software engineering and some technical security terminology. The applicants are happy to provide further explanations on request.)
Timeline: The goals of the project shall be reached within five months after starting it. Another month should be reserved as a buffer to cope with unexpected events. In an optimistic scenario, the project can be concluded within four months. So the overall timeline is between four and six months. The first milestone comes after about one month, the second is realized within a further 2-3 months, and the third and concluding milestone needs another month. See the list of milestones below.
At first, new test systems for Windows 7 and Windows 8 64bit are set up, using virtual machines to provide reproducible results. Some of the existing development computer setups can be reused, while others have to be rebuilt. At least g10 Code will have to purchase and set up one new modern computer for this project.
To reach the first milestone, all components are evaluated to see if new revisions of libraries have come out and if they can and should be integrated, e.g. the libpng library and similar technical libraries used. For Kleopatra this means updating its GUI library Qt to the stable version 4.8.4 and using the KDE Platform and PIMlibs version 4.9.x. This will enable non-latin locales and remove several other GUI defects of Kleopatra on Windows. While doing so, we will visit and react to all 'problem' reports for Kleopatra (93 at time of writing 2013-01-24) on bugs.kde.org and the tracker of the Gpg4win website.
The release process of the Gpg4win installer (which will be done three times) consists of the following steps: An installer is built and used to test the functions and the installation procedure of the software. The website and documentation will be updated and the release announced via several public channels.
After the first milestone has set a solid basis, there is a slightly longer project phase in which the new functions improving the current Gpg4win will be developed. We will add the ability to paste passwords into the component that accepts them, called "pinentry". This improves security by making it possible to use longer passwords for rarely used keys; many users keep such passwords in a separate password store. (The ability to paste something into the "pinentry" application has been requested often, because people just use a separate password store. While the security of having such a password store is doubtful in a number of circumstances, feedback has shown that if the paste feature is missing from Gpg4win's pinentry, there is a lowered chance that people will accept and use Gpg4win. Then they often fall back on using something which is a lot less secure than keeping the password store and using Gpg4win.)
GpgEX, the Explorer plug-in, will be ported to the 64bit Windows Explorer architecture. This means changing internal data structures and build options used by GpgEX and the libraries necessary for GpgEX.
For GpgOL we will develop a simple new version that will be able to run in Microsoft Outlook 2010. This simple version will only be able to do context menu operations on texts and attachments, but will _not_ offer the full OpenPGP/MIME handling capabilities of GpgOL for Outlook versions 2003 and 2007. In contrast to the full OpenPGP/MIME capabilities, this simple version of GpgOL can be developed with far fewer resources.
The Gpg-Agent will be extended to be able to act as the private key agent for PuTTY (which is a widely used software for secure remote access based on the SSH protocol). This way, users can manage their SSH keys with GnuPG, attaching them as subkeys. They can also use all possibilities of Gpg-Agent, e.g. keeping the secret keys on smart cards, which protects the private SSH key against any attacker without direct physical access.
In the third phase of the project, leading to milestone three, feedback from the beta release will be incorporated, and a portable version of Gpg4win will be produced. The portable version of Gpg4win will be able to run the components of Gpg4win (excluding GPA, Claws, GpgEX and GpgOL) without installation directly from some media, e.g. a USB stick. (This is often done by using a USB stick and then starting the software from it. This practice is doubtful in many circumstances, as a simple keylogger or a tampered host computer will still be able to attack the user's secret key. Thus it is important to secure the computer, even if you use a portable version. However, having the portable version available raises the chances of people being able to use Gpg4win more often and thus of being able to protect their communications with strong cryptography.) Technically, some file names and configurations are tweaked, including the necessary test and documentation improvements.
Project Personnel
- Werner Koch
- Andre Heinecke
- Emanuel Schütze
- Bernhard Reiter
Milestones
'''Proposed Milestone #1:''' This is a new Gpg4win release which mainly updates all components to their newest variants. This includes the GUI manager Kleopatra, which will then run on Windows versions with non-latin encodings.
'''Proposed Milestone #2:''' For the second milestone all new features will be completed and released, leading to a Gpg4win beta release, so that feedback can be gathered for the improvement. This includes the enhanced components: GpgEX, GpgOL, pinentry and gpg-agent.
'''Proposed Milestone #3:''' A stable Gpg4win installer has been released. The version is tested and usable. Feedback since the Milestone #2 release has been incorporated. The project is fully completed.
Project Finances
Do you have additional funding to accomplish the described project? No additional funding for this particular project. A few years ago there were a number of contracts to improve Gpg4win. We also accept donations for the maintenance of Gpg4win, which can sometimes fund a minor update release of Gpg4win.
What is the specific source of this additional funding? Donations, usually by single persons.
What is the amount of this additional funding? Projected about 1250 USD per 6 months from 30 donors, see http://lists.wald.intevation.org/pipermail/gpg4win-devel/2013-January/001190.html
'''Calculation of Rates:''' While Intevation and g10 Code are both for-profit companies, we are applying for this grant based on our internal costs. (A usual market rate in the security software business would be between 100 - 180 EUR per hour.)
To give you a comparison, here are the costs Germany's Federal Administration has officially published for federal employees in the public sector as compiled from 2010/2011. The calculation is described in the German document "Personalkostensätze, Sachkostenpauschale und Kalkulationszinssätze für Kostenberechnungen und Wirtschaftlichkeitsuntersuchungen 2011" [1]
Their costs are calculated in the following way:
- The average number of working days per year in Germany is close to 200 (considering vacation, public holidays and times for sickness) (See [1] page 6) or 16.5 days/month.
- The direct salaries and social benefits cost for the employee, see the tables in [1].
- "Personalgemeinkosten" for indirect costs of an employee, which came to 30% on average. This includes support office staff like system administration, controlling, team leadership. (page 4)
- Material costs and rent, summing up to an average of 12,217 EUR per year for the workplace. This is called "Sachkostenpauschale" and includes all materials, office space, IT equipment and supplies (pages 14 ff), resulting in an average of 1005 EUR/month.
Within this project the work must be done by skilled software engineers; a comparable rate would be the lowest salary level applicable for college graduates in the German public service, which is "E09". The "direct" employer's costs according to [1] would be 51,106 EUR/year or 4258/month. Now indirect costs ("Personalgemeinkosten" and "Sachkosten") would be added as shown above.