It's time for PGP to die, says ... no, not the NSA – a US crypto prof

'We've come a long way since the 1990s, but PGP mostly hasn't'

Remote control for virtualized desktops

A senior cryptographer has sparked debate after calling time on PGP – the gold standard for email and document encryption.

Matthew Green is an assistant research professor who lectures in computer science and cryptography at Johns Hopkins University in Maryland, US. This week, on his personal blog, he argued that it's "time for PGP to die", describing it as "downright unpleasant". He wrote:

Part of the problem lies in the nature of PGP public keys themselves. For historical reasons they tend to be large and contain lots of extraneous information, which it difficult to print them a business card or manually compare. You can write this off to a quirk of older technology, but even modern elliptic curve implementations still produce surprisingly large keys.

Since PGP keys aren't designed for humans, you need to move them electronically. But of course humans still need to verify the authenticity of received keys, as accepting an attacker-provided public key can be catastrophic.

PGP addresses this with a hodgepodge of key servers and public key fingerprints. These components respectively provide (untrustworthy) data transfer and a short token that human beings can manually verify. While in theory this is sound, in practice it adds complexity, which is always the enemy of security.

PGP key management "sucks", he said, and complained that there's no forward secrecy – meaning if someone's private key is obtained, it can be used to decrypt previously encrypted files and messages.

But he saves his harshest criticism for "terrible mail client implementations":

Many PGP-enabled mail clients make it ridiculously easy to send confidential messages with encryption turned off, to send unimportant messages with encryption turned on, to accidentally send to the wrong person's key (or the wrong subkey within a given person's key). They demand you encrypt your key with a passphrase, but routinely bug you to enter that passphrase in order to sign outgoing mail -- exposing your decryption keys in memory even when you're not reading secure email.

"We've come a long way since the 1990s, but PGP mostly hasn't," Green writes. "While the protocol has evolved technically – IDEA replaced BassOMatic, and was in turn replaced by better ciphers – the fundamental concepts of PGP remain depressingly similar to what [Phil] Zimmermann offered us in 1991. This has become a problem, and sadly one that's difficult to change."

Green's solution is to stop plugging encryption software into today's plaintext email systems as an afterthought, and instead build networks that are designed from the ground up to protect messages from eavesdroppers. He named TextSecure and DarkMail as potentially interesting projects that are moving in this direction.

The computer scientist's critique follows an announcement by Yahoo! last week to support end-to-end encryption using a fork of Google's secure email extension. The upshot is that both Gmail and Yahoo! Mail are moving towards support PGP for encrypting mail. "As transparent and user-friendly as the new email extensions are, they're fundamentally just reimplementations of OpenPGP - and non-legacy-compatible ones, too," Green notes.

Other security experts argued that, despite its flaws, there's nothing lying around to adequately replace PGP.

"If you’re a college professor, sure, replacing PGP sounds like an awesome project. If you care about real-world OPSEC, I'm not so sure," said security researcher Thomas H. Ptacek in a Twitter update.

"There is a lot wrong with PGP. Unfortunately, PGP is the only trustworthy mainstream cryptosystem. The. Only," he added. ®

[In our view, PGP trades user friendliness for security. If you need to contact El Reg securely, email, say, me using this public key. Its fingerprint must match 1FD3 81D9 6344 FC49 9C5F FBC1 0EC6 E70E 3EB7 9D2E, and it expires October 2014 due to key cycling policy. This information was updated August 15 following advice from Green. – US ed]

Remote control for virtualized desktops

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Hikvision devices wide open to hacking, claim securobods
prev story


Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?