Feeds

It's time for PGP to die, says ... no, not the NSA – a US crypto prof

'We've come a long way since the 1990s, but PGP mostly hasn't'

Choosing a cloud hosting partner with confidence

A senior cryptographer has sparked debate after calling time on PGP – the gold standard for email and document encryption.

Matthew Green is an assistant research professor who lectures in computer science and cryptography at Johns Hopkins University in Maryland, US. This week, on his personal blog, he argued that it's "time for PGP to die", describing it as "downright unpleasant". He wrote:

Part of the problem lies in the nature of PGP public keys themselves. For historical reasons they tend to be large and contain lots of extraneous information, which it difficult to print them a business card or manually compare. You can write this off to a quirk of older technology, but even modern elliptic curve implementations still produce surprisingly large keys.

Since PGP keys aren't designed for humans, you need to move them electronically. But of course humans still need to verify the authenticity of received keys, as accepting an attacker-provided public key can be catastrophic.

PGP addresses this with a hodgepodge of key servers and public key fingerprints. These components respectively provide (untrustworthy) data transfer and a short token that human beings can manually verify. While in theory this is sound, in practice it adds complexity, which is always the enemy of security.

PGP key management "sucks", he said, and complained that there's no forward secrecy – meaning if someone's private key is obtained, it can be used to decrypt previously encrypted files and messages.

But he saves his harshest criticism for "terrible mail client implementations":

Many PGP-enabled mail clients make it ridiculously easy to send confidential messages with encryption turned off, to send unimportant messages with encryption turned on, to accidentally send to the wrong person's key (or the wrong subkey within a given person's key). They demand you encrypt your key with a passphrase, but routinely bug you to enter that passphrase in order to sign outgoing mail -- exposing your decryption keys in memory even when you're not reading secure email.

"We've come a long way since the 1990s, but PGP mostly hasn't," Green writes. "While the protocol has evolved technically – IDEA replaced BassOMatic, and was in turn replaced by better ciphers – the fundamental concepts of PGP remain depressingly similar to what [Phil] Zimmermann offered us in 1991. This has become a problem, and sadly one that's difficult to change."

Green's solution is to stop plugging encryption software into today's plaintext email systems as an afterthought, and instead build networks that are designed from the ground up to protect messages from eavesdroppers. He named TextSecure and DarkMail as potentially interesting projects that are moving in this direction.

The computer scientist's critique follows an announcement by Yahoo! last week to support end-to-end encryption using a fork of Google's secure email extension. The upshot is that both Gmail and Yahoo! Mail are moving towards support PGP for encrypting mail. "As transparent and user-friendly as the new email extensions are, they're fundamentally just reimplementations of OpenPGP - and non-legacy-compatible ones, too," Green notes.

Other security experts argued that, despite its flaws, there's nothing lying around to adequately replace PGP.

"If you’re a college professor, sure, replacing PGP sounds like an awesome project. If you care about real-world OPSEC, I'm not so sure," said security researcher Thomas H. Ptacek in a Twitter update.

"There is a lot wrong with PGP. Unfortunately, PGP is the only trustworthy mainstream cryptosystem. The. Only," he added. ®

[In our view, PGP trades user friendliness for security. If you need to contact El Reg securely, email, say, me using this public key. Its fingerprint must match 1FD3 81D9 6344 FC49 9C5F FBC1 0EC6 E70E 3EB7 9D2E, and it expires October 2014 due to key cycling policy. This information was updated August 15 following advice from Green. – US ed]

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.