Feeds

It's time for PGP to die, says ... no, not the NSA – a US crypto prof

'We've come a long way since the 1990s, but PGP mostly hasn't'

Beginner's guide to SSL certificates

A senior cryptographer has sparked debate after calling time on PGP – the gold standard for email and document encryption.

Matthew Green is an assistant research professor who lectures in computer science and cryptography at Johns Hopkins University in Maryland, US. This week, on his personal blog, he argued that it's "time for PGP to die", describing it as "downright unpleasant". He wrote:

Part of the problem lies in the nature of PGP public keys themselves. For historical reasons they tend to be large and contain lots of extraneous information, which it difficult to print them a business card or manually compare. You can write this off to a quirk of older technology, but even modern elliptic curve implementations still produce surprisingly large keys.

Since PGP keys aren't designed for humans, you need to move them electronically. But of course humans still need to verify the authenticity of received keys, as accepting an attacker-provided public key can be catastrophic.

PGP addresses this with a hodgepodge of key servers and public key fingerprints. These components respectively provide (untrustworthy) data transfer and a short token that human beings can manually verify. While in theory this is sound, in practice it adds complexity, which is always the enemy of security.

PGP key management "sucks", he said, and complained that there's no forward secrecy – meaning if someone's private key is obtained, it can be used to decrypt previously encrypted files and messages.

But he saves his harshest criticism for "terrible mail client implementations":

Many PGP-enabled mail clients make it ridiculously easy to send confidential messages with encryption turned off, to send unimportant messages with encryption turned on, to accidentally send to the wrong person's key (or the wrong subkey within a given person's key). They demand you encrypt your key with a passphrase, but routinely bug you to enter that passphrase in order to sign outgoing mail -- exposing your decryption keys in memory even when you're not reading secure email.

"We've come a long way since the 1990s, but PGP mostly hasn't," Green writes. "While the protocol has evolved technically – IDEA replaced BassOMatic, and was in turn replaced by better ciphers – the fundamental concepts of PGP remain depressingly similar to what [Phil] Zimmermann offered us in 1991. This has become a problem, and sadly one that's difficult to change."

Green's solution is to stop plugging encryption software into today's plaintext email systems as an afterthought, and instead build networks that are designed from the ground up to protect messages from eavesdroppers. He named TextSecure and DarkMail as potentially interesting projects that are moving in this direction.

The computer scientist's critique follows an announcement by Yahoo! last week to support end-to-end encryption using a fork of Google's secure email extension. The upshot is that both Gmail and Yahoo! Mail are moving towards support PGP for encrypting mail. "As transparent and user-friendly as the new email extensions are, they're fundamentally just reimplementations of OpenPGP - and non-legacy-compatible ones, too," Green notes.

Other security experts argued that, despite its flaws, there's nothing lying around to adequately replace PGP.

"If you’re a college professor, sure, replacing PGP sounds like an awesome project. If you care about real-world OPSEC, I'm not so sure," said security researcher Thomas H. Ptacek in a Twitter update.

"There is a lot wrong with PGP. Unfortunately, PGP is the only trustworthy mainstream cryptosystem. The. Only," he added. ®

[In our view, PGP trades user friendliness for security. If you need to contact El Reg securely, email, say, me using this public key. Its fingerprint must match 1FD3 81D9 6344 FC49 9C5F FBC1 0EC6 E70E 3EB7 9D2E, and it expires October 2014 due to key cycling policy. This information was updated August 15 following advice from Green. – US ed]

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.