„Since PGP keys aren’t designed for humans, you need to move them electronically. But of course humans still need to verify the authenticity of received keys, as accepting an attacker-provided public key can be catastrophic.
These components respectively provide (untrustworthy) data transfer and a short token that human beings can manually verify.
While in theory this is sound, in practice it adds complexity, which is always the enemy of security.
Now you may think this is purely academic. It’s not. It can bite you in the ass.Imagine, for example, you’re a source looking to send secure email to a reporter at the Washington Post.
On the GnuPG command line can be done as follows:
Now let’s ignore the fact that you’ve just leaked your key request to an untrusted server via HTTP.
At the end of this process you should have the right key with high reliability.
Except maybe not: if you happen to do this with GnuPG 2.0.18 — one version off from the very latest GnuPG — the client won’t actually bother to check the fingerprint of the received key.
A malicious server (or HTTP attacker) can ship you back the wrong key and you’ll get no warning.
This is fixed in the very latest versions of GPG but… Oy Vey.
|PGP Key IDs are also pretty terrible,
due to the short length and continued
support for the broken V3 key format.
You can say that it’s unfair to pick on all of PGP over an implementation flaw in GnuPG, but I would argue it speaks to a fundamental issue with the PGP design.
PGP assumes keys are too big and complicated to be managed by mortals, but then in practice it practically begs users to handle them anyway.
This means we manage them through a layer of machinery, and it happens that our machinery is far from infallible.
Which raises the question: why are we bothering with all this crap infrastructure in the first place.
If we must exchange things via Twitter, why not simply exchange keys?
Modern EC public keys are tiny.
You could easily fit three or four of them in the space of this paragraph.
If we must use an infrastructure layer, let’s just use it to shunt all the keymetadata around.
PGP key management sucks
|If you can’t trust Phil who can
Manual key management is a mug’s game.
Now often this does involve some tradeoffs — e.g.,, the need to trust a central authority to distribute keys — but even this level of security would be lightyears better than the current situation with webmail.
To their credit, both Google and Yahoo have the opportunity to build their own key management solutions (at least, for those who trust Google and Yahoo), and they may still do so in the future.
But today’s solutions don’t offer any of this, and it’s not clear when they will.
Key management, not pretty web interfaces, is the real weakness holding back widespread secure email.
|ZRTP authentication string as
used in Signal.
For the record, classic PGP does have a solution to the problem.
It’s called the „web of trust„, and it involves individuals signing each others‘ keys.
I refuse to go into the problems with WoT because, frankly, life is too short.
The TL;DR is that ‚trust‘ means different things to you than it does to me.
Most OpenPGP implementations do a lousy job of presenting any of this data to their users anyway.
The lack of transparent key management in PGP isn’t unfixable.
For those who don’t trust Google or Yahoo, there are experimental systems like Keybase.io that attempt to tie keys to user identities.
In theory we could even exchange our offline encryption keys through voice-authenticated channels using apps like OpenWhisperSystems‘ Signal.
So far, nobody’s bothered to do this — all of these modern encryption tools are islands with no connection to the mainland.
Connecting them together represents one of the real challenges facing widespread encrypted communications.
No forward secrecyTry something: go delete some mail from your Gmail account.
You’ve hit the archive button.
Presumably you’ve also permanently wiped your Deleted Items folder.
Now make sure you wipe your browser cache and the mailbox files for any IMAP clients you might be running (e.g., on your phone).
Do any of your devices use SSD drives?
Probably a safe bet to securely wipe those devices entirely.
And at the end of this Google may still have a copy which could be vulnerable to law enforcement request or civil subpoena.
(Let’s not get into the NSA’s collect-it-all policy for encrypted messages. If the NSA is your adversary just forget about PGP.)
Adding forward secrecy to asynchronous offline email is a much bigger challenge, but fundamentally it’s at least possible to some degree.
While securing the initial ‚introduction‘ message between two participants may be challenging*, each subsequent reply can carry a new ephemeral key to be used in future communications.
However this requires breaking changes to the PGP protocol and to clients — changes that aren’t likely to happen in a world where webmail providers have doubled down on the PGP model.
|If Will Smith looked like
this when your cryptography
was current, you need better
Poking through a modern OpenPGP implementation is like visiting a museum of 1990s crypto.
Key size defaults don’t reach the 128-bit security level.
MACs are optional.
Compression is often on by default.
Elliptic curve crypto is (still!) barely supported.
Most of these issues are not exploitable unless you use PGP in a non-standard way, e.g., for instant messaging or online applications.
And some people do use PGP this way.
But even if you’re just using PGP just to send one-off emails to your grandmother, these bad defaults are pointless and unnecessary.
It’s one thing to provide optional backwards compatibility for that one friend who runs PGP on his Amiga.
But few of my contacts do — and moreover, client versions are clearly indicated in public keys.**
Even if these archaic ciphers and formats aren’t exploitable today, the current trajectory guarantees we’ll still be using them a decade from now.
Then all bets are off.
On the bright side, both Google and Yahoo seem to be pushing towards modern implementations that break compatibility with the old.
Which raises a different question.
If you’re going to break compatibility with most PGP implementations, why bother with PGP at all?
This is by far the worst aspect of the PGP ecosystem, and also the one I’d like to spend the least time on.
But for what it’s worth, many PGP-enabled mail clients make it ridiculously easy to send confidential messages with encryption turned off, to send unimportant messages with encryption turned on, to accidentally send to the wrong person’s key (or the wrong subkey within a given person’s key). They demand you encrypt your key with a passphrase, but routinely bug you to enter that passphrase in order to sign outgoing mail — exposing your decryption keys in memory even when you’re not reading secure email.
Most of these problems stem from the fact that PGP was designed to retain compatibility with standard (non-encrypted) email. If there’s one lesson from the past ten years, it’s that people are comfortable moving past email. We now use purpose–built messaging systems on a day-to-day basis. The startup cost of a secure-by-default environment is, at this point, basically an app store download.
Incidentally, the new Google/Yahoo web-based end-to-end clients dodge this problem by providing essentially no user interface at all. You enter your message into a separate box, and then plop the resulting encrypted data into the Compose box. This avoids many of the nastier interface problems, but only by making encryption non-transparent. This may change; it’s too soon to know how.
So what should we be doing?
Quite a lot actually. The path to a proper encrypted email system isn’t that far off. At minimum, any real solution needs:
- A proper approach to key management. This could be anything from centralized key management as in Apple’s iMessage — which would still be better than nothing — to a decentralized (but still usable) approach like the one offered by Signal or OTR. Whatever the solution, in order to achieve mass deployment, keys need to be made much more manageable or else submerged from the user altogether.
- Forward secrecy baked into the protocol. This should be a pre-condition to any secure messaging system.
- Cryptography that post-dates the Fresh Prince. Enough said.
- Screw backwards compatibility. Securing both encrypted and unencrypted email is too hard. We need dedicated networks that handle this from the start.
A number of projects are already going in this direction. Aside above-mentioned projects like Axolotl and TextSecure — which pretend to be text messaging systems, but are really email in disguise — projects like Mailpile are trying to re-architect the client interface (though they’re sticking with the PGP paradigm). Projects like SMIMP are trying to attack this at the protocol level.*** At least in theory projects like DarkMail are also trying to adapt text messaging protocols to the email case, though details remain few and far between.
It also bears noting that many of the issues above could, in principle at least, be addressed within the confines of the OpenPGP format. Indeed, if you view ‚PGP‘ to mean nothing more than the OpenPGP transport, a lot of the above seems easy to fix — with the exception of forward secrecy, which really does seem hard to add without some serious hacks. But in practice, this is rarely all that people mean when they implement ‚PGP‘.
ConclusionI realize I sound a bit cranky about this stuff. But as they say: a PGP critic is just a PGP user who’s actually used the software for a while. At this point so much potential in this area and so many opportunities to do better. It’s time for us to adopt those ideas and stop looking backwards.
* Forward security even for introduction messages can be implemented, though it either require additional offline key distribution (e.g., TextSecure’s ‚pre-keys‘) or else the use of advanced primitives. For the purposes of a better PGP, just handling the second message in a conversation would be sufficient.** Most PGP keys indicate the precise version of the client that generated them (which seems like a dumb thing to do). However if you want to add metadata to your key that indicates which ciphers you prefer, you have to use an optional command.*** Thanks to Taylor Hornby for reminding me of this.“