Feeds

It's time for PGP to die, says ... no, not the NSA – a US crypto prof

'We've come a long way since the 1990s, but PGP mostly hasn't'

Internet Security Threat Report 2014

A senior cryptographer has sparked debate after calling time on PGP – the gold standard for email and document encryption.

Matthew Green is an assistant research professor who lectures in computer science and cryptography at Johns Hopkins University in Maryland, US. This week, on his personal blog, he argued that it's "time for PGP to die", describing it as "downright unpleasant". He wrote:

Part of the problem lies in the nature of PGP public keys themselves. For historical reasons they tend to be large and contain lots of extraneous information, which it difficult to print them a business card or manually compare. You can write this off to a quirk of older technology, but even modern elliptic curve implementations still produce surprisingly large keys.

Since PGP keys aren't designed for humans, you need to move them electronically. But of course humans still need to verify the authenticity of received keys, as accepting an attacker-provided public key can be catastrophic.

PGP addresses this with a hodgepodge of key servers and public key fingerprints. These components respectively provide (untrustworthy) data transfer and a short token that human beings can manually verify. While in theory this is sound, in practice it adds complexity, which is always the enemy of security.

PGP key management "sucks", he said, and complained that there's no forward secrecy – meaning if someone's private key is obtained, it can be used to decrypt previously encrypted files and messages.

But he saves his harshest criticism for "terrible mail client implementations":

Many PGP-enabled mail clients make it ridiculously easy to send confidential messages with encryption turned off, to send unimportant messages with encryption turned on, to accidentally send to the wrong person's key (or the wrong subkey within a given person's key). They demand you encrypt your key with a passphrase, but routinely bug you to enter that passphrase in order to sign outgoing mail -- exposing your decryption keys in memory even when you're not reading secure email.

"We've come a long way since the 1990s, but PGP mostly hasn't," Green writes. "While the protocol has evolved technically – IDEA replaced BassOMatic, and was in turn replaced by better ciphers – the fundamental concepts of PGP remain depressingly similar to what [Phil] Zimmermann offered us in 1991. This has become a problem, and sadly one that's difficult to change."

Green's solution is to stop plugging encryption software into today's plaintext email systems as an afterthought, and instead build networks that are designed from the ground up to protect messages from eavesdroppers. He named TextSecure and DarkMail as potentially interesting projects that are moving in this direction.

The computer scientist's critique follows an announcement by Yahoo! last week to support end-to-end encryption using a fork of Google's secure email extension. The upshot is that both Gmail and Yahoo! Mail are moving towards support PGP for encrypting mail. "As transparent and user-friendly as the new email extensions are, they're fundamentally just reimplementations of OpenPGP - and non-legacy-compatible ones, too," Green notes.

Other security experts argued that, despite its flaws, there's nothing lying around to adequately replace PGP.

"If you’re a college professor, sure, replacing PGP sounds like an awesome project. If you care about real-world OPSEC, I'm not so sure," said security researcher Thomas H. Ptacek in a Twitter update.

"There is a lot wrong with PGP. Unfortunately, PGP is the only trustworthy mainstream cryptosystem. The. Only," he added. ®

[In our view, PGP trades user friendliness for security. If you need to contact El Reg securely, email, say, me using this public key. Its fingerprint must match 1FD3 81D9 6344 FC49 9C5F FBC1 0EC6 E70E 3EB7 9D2E, and it expires October 2014 due to key cycling policy. This information was updated August 15 following advice from Green. – US ed]

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.