It's time for PGP to die, says ... no, not the NSA – a US crypto prof

'We've come a long way since the 1990s, but PGP mostly hasn't'

Protecting against web application threats using SSL

A senior cryptographer has sparked debate after calling time on PGP – the gold standard for email and document encryption.

Matthew Green is an assistant research professor who lectures in computer science and cryptography at Johns Hopkins University in Maryland, US. This week, on his personal blog, he argued that it's "time for PGP to die", describing it as "downright unpleasant". He wrote:

Part of the problem lies in the nature of PGP public keys themselves. For historical reasons they tend to be large and contain lots of extraneous information, which it difficult to print them a business card or manually compare. You can write this off to a quirk of older technology, but even modern elliptic curve implementations still produce surprisingly large keys.

Since PGP keys aren't designed for humans, you need to move them electronically. But of course humans still need to verify the authenticity of received keys, as accepting an attacker-provided public key can be catastrophic.

PGP addresses this with a hodgepodge of key servers and public key fingerprints. These components respectively provide (untrustworthy) data transfer and a short token that human beings can manually verify. While in theory this is sound, in practice it adds complexity, which is always the enemy of security.

PGP key management "sucks", he said, and complained that there's no forward secrecy – meaning if someone's private key is obtained, it can be used to decrypt previously encrypted files and messages.

But he saves his harshest criticism for "terrible mail client implementations":

Many PGP-enabled mail clients make it ridiculously easy to send confidential messages with encryption turned off, to send unimportant messages with encryption turned on, to accidentally send to the wrong person's key (or the wrong subkey within a given person's key). They demand you encrypt your key with a passphrase, but routinely bug you to enter that passphrase in order to sign outgoing mail -- exposing your decryption keys in memory even when you're not reading secure email.

"We've come a long way since the 1990s, but PGP mostly hasn't," Green writes. "While the protocol has evolved technically – IDEA replaced BassOMatic, and was in turn replaced by better ciphers – the fundamental concepts of PGP remain depressingly similar to what [Phil] Zimmermann offered us in 1991. This has become a problem, and sadly one that's difficult to change."

Green's solution is to stop plugging encryption software into today's plaintext email systems as an afterthought, and instead build networks that are designed from the ground up to protect messages from eavesdroppers. He named TextSecure and DarkMail as potentially interesting projects that are moving in this direction.

The computer scientist's critique follows an announcement by Yahoo! last week to support end-to-end encryption using a fork of Google's secure email extension. The upshot is that both Gmail and Yahoo! Mail are moving towards support PGP for encrypting mail. "As transparent and user-friendly as the new email extensions are, they're fundamentally just reimplementations of OpenPGP - and non-legacy-compatible ones, too," Green notes.

Other security experts argued that, despite its flaws, there's nothing lying around to adequately replace PGP.

"If you’re a college professor, sure, replacing PGP sounds like an awesome project. If you care about real-world OPSEC, I'm not so sure," said security researcher Thomas H. Ptacek in a Twitter update.

"There is a lot wrong with PGP. Unfortunately, PGP is the only trustworthy mainstream cryptosystem. The. Only," he added. ®

[In our view, PGP trades user friendliness for security. If you need to contact El Reg securely, email, say, me using this public key. Its fingerprint must match 1FD3 81D9 6344 FC49 9C5F FBC1 0EC6 E70E 3EB7 9D2E, and it expires October 2014 due to key cycling policy. This information was updated August 15 following advice from Green. – US ed]

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.