It's time for PGP to die, says ... no, not the NSA – a US crypto prof

A senior cryptographer has sparked debate after calling time on PGP – the gold standard for email and document encryption. Matthew Green is an assistant research professor who lectures in computer science and cryptography at Johns Hopkins University in Maryland, US. This week, on his personal blog, he argued that it's "time …


  1. NoneSuch

    PGP stands for Pretty Good Privacy so you are getting no more than what you are promised.

    1. dotdavid

      I thought the prof's argument was that it wasn't pretty?

      1. Anonymous Coward

        I dunno

        There's a certain beauty in seeing a PGP signature on the end of an email I suppose… :-)

        If only because it's so rarely seen.

  2. Brian Miller

    He's right! PGP sucks to use!

    Yeah, the prof is right, but it shouldn't take a PhD to get people to listen. It's actually been way past time for an update to the general implementation.

    One of the reasons all of this really stinks is because SMTP was never designed with rigorous security in mind. It's really past time to move to a better mail protocol.

    1. Nate Amsden

      Re: He's right! PGP sucks to use!

      hey man I like the ability to telnet to an SMTP server on port 25 and issue SMTP commands directly to debug things.

      same goes for HTTP.

      and other protocols.

      Myself I've never really had a need for encryption in email. I've run my own mail services since the mid 90s and I've never felt I needed fancier SMTP or to even deploy PGP (I think I used PGP a couple times back in the 90s for email never since). Though my mail system does support SASL/TLS I did add that a few years back so my mobile devices could email remotely without using webmail or VPN. Though I rarely even do that, I haven't sent an email through my email server from my phone since last year (it doesn't even work anymore and I can't be bothered to figure out why and fix it).

      1. PerlyKing

        Re: He's right! PGP sucks to use!

        @Nate: "Myself I've never really had a need for encryption in email" [and other stuff]

        You appear to be arguing against encryption on the grounds that you personally don't feel a need for it, and that if everyone else used it you would be inconvenienced. Thanks for your input.

    2. Dan 55

      Re: He's right! PGP sucks to use!

      No, it's time to move to the same mail protocol with STARTTLS support.

    3. brooxta

      Re: He's right! PGP sucks to use!

      It might suck to use for all the reasons he gave, and yes SMTP sucks because it was designed without security in mind, but there is one reason at least why PGP absolutely rocks:

      You can use it to encrypt a message to send via just about any medium. And you can verify that security independently of the infrastructure you used to communicate.

      As soon as you start to build a monolithic "secure" system you lose that independence, which is a big loss.

      In every secure system I am aware of (and I should say that I in no way consider myself an expert in the field) there is always a trade off between convenience and security. You can have more of one but it means less of the other. If this guy has come up with a way of increasing the convenience without losing any of PGP's security then I'm all for it, but if he's advocating the opposite I don't want to know.

      1. Roo

        Re: He's right! PGP sucks to use!

        Have an upvote for that point about independence brooxta.

      2. Ihre versteckte Person

        Re: He's right! PGP sucks to use!

        ... and there's the key point - "As soon as you start to build a monolithic "secure" system you lose that independence".

        'nuff said.

        1. Joe Harrison

          Re: He's right! PGP sucks to use!

          PGP just does not work for normal people.

          I have no problem setting up my own mail environment for both PGP and S/MIME security but I only know about two other people in my social circle who would be able to read it if I actually did send them an encrypted message. So what practical use is that?

          1. brooxta

            Re: He's right! PGP sucks to use!

            @Joe Harrison

            Its practical use is that it serves as a working system for many tech-savvy types, and also as a standard for other systems.

            PGP was invented years ago and it was an enormous step forward, even though it was as tough to use then as it is now (in fact tougher - ever tried using it on a 386?). The thing is that the problems it set out to address then have only become worse in the intervening time: now there is not just the concern that it is possible to exercise mass surveillance on populations in the "west", but the proof that it is in fact happening.

            I don't know what the next big step forward will be or where/who it will come from, but I do know that it will need to give us at least what PGP does. Otherwise it won't be a step forward, but rather backwards.

            The experts tell us that cryptography is hard and good cryptography is even harder. From my experience I would tend to agree. The question is, is it worth it? And attempting to answer that question leads you on to other rather bigger questions.

            1. Tom 13

              Re: He's right! PGP sucks to use!

              The real problem with PGP isn't the principles behind it, it's the same problem that plagues secure web sites: there is no secure but easily used exchange for certificates. We "solved" that problem for websites by designating a couple of suppliers of top level certs, and everybody buys their certs from them. But that approach doesn't readily work for PGP email keys. Maybe Google, Yahoo, and MS could setup some sort of free public storage for certs from which people could download keys, maybe not.

              1. Anonymous Coward

                Re: He's right! PGP sucks to use!

                Maybe Google, Yahoo, and MS could setup some sort of free public storage for certs from which people could download keys, maybe not.

                Like this?

      3. Julian Taylor

        Re: He's right! PGP sucks to use!

        Totally agree, but anything is worth it if you don't want RIPA sniffing over your emails.

        1. Sir Runcible Spoon

          Re: He's right! PGP sucks to use!

          I've used GPA a few times, it seems to make life a little easier.

          gnupg.org

      4. Anonymous Coward

        Re: He's right! PGP sucks to use!

        You can use it to encrypt a message to send via just about any medium. And you can verify that security independently of the infrastructure you used to communicate.

        As soon as you start to build a monolithic "secure" system you lose that independence, which is a big loss.

        Indeed, OpenPGP doesn't care what the underlying medium is. Carrier pigeon, sneakernet, UUCP, SMTP, HTTP, AX.25… you name it, if it can carry Base64 reliably, it can carry OpenPGP reliably. The other bonus over SMTP/TLS is that this is end-to-end, whereas SMTP using TLS is only between hosts.

  3. Anonymous Coward

    Hyperbole?

    I don't know, but saying that PGP is "fundamentally flawed" seems like a bit of an exaggeration to me, especially when he does not come up with anything better.

    He advocates "a centralised key management system" à l'Apple, which is more or less what you get with X.509, in turn with its own set of problems; and, I quote: "Cryptography that post-dates the Fresh Prince. Enough said.". Well, no, I don't think enough has been said, pretty far from it.

    As for the supposedly inadequate clients, honestly, in the ten years or so that I've been using Enigmail and Kgpg, they've done the job just fine, thank you. And recent versions of Enigmail are configured by default to encrypt if possible, which addresses one of his points.

    For a researcher, I am surprised he didn't put this in an academic paper but rather just published a little rant in his blog. I take that as an indication of how much thought he's put into this.

    1. Anonymous Coward

      Re: Hyperbole?

      > For a researcher, I am surprised he didn't put this in an academic paper but rather just published a little rant in his blog.

      Presumably his little rant was triggered by inadvertently emailing his boss instead of a coworker (co-researcher?) with a rant about his boss. :-)

      1. Number6

        Re: Hyperbole?

        Presumably his little rant was triggered by inadvertently emailing his boss instead of a coworker (co-researcher?) with a rant about his boss. :-)

        Well, had he encrypted it with his coworker's public key then he'd have gotten away with it because hopefully his boss wouldn't have been able to decrypt it.

    2. Richard Conto

      Re: Hyperbole?

      Given what happened to domain name registrars for .COM becoming decentralized, and the scary/horror issues of all the multitudinous problems there have been with Certificate Authorities - he's going to have to make a better argument for a centralized key management system than just implying The Leader Knows Best.

    3. Anonymous Coward

      Re: Hyperbole?

      First someone invalidates him because he has a PhD. Then someone invalidates him because he has a PhD but he is not using it to publish it as a paper. What's next? He took too long to get his PhD? He hasn't renewed it in time? You can invent any number of irrelevant reasons for not taking someone's words seriously...

      1. Oninoshiko

        Re: Hyperbole?

        How about because he is wrong? Is that okay to invalidate him on?

        Let me list his arguments and invalidate them:

        1) It's "old"

        I don't care. This isn't even really an argument. We've been making booze for thousands of years, but that doesn't make it any less of a fine beverage.

        2) Keys are hard to read

        Well, yes. Unfortunately he doesn't offer any kind of fix.

        3) Old releases of GnuPG have bugs.

        Yes, most software has bugs. Update to fix them. GnuPG can be updated for free (as in gratis). Any proposed fix will be susceptible to this problem.

        4) Trusting a central authority would be easier.

        Yes, it would. I think we can use the NSA as that central authority. If we trust any US company, they'll be it anyway.

        5) WoT is bad.

        He manages to take a whole paragraph and say just this and "I'm not backing it up with why." Well, I'm not responding to it, because he didn't bother to say anything to respond to.

        6) Lacks forward secrecy

        While forward secrecy is great, it requires much more automation on software side. This requires putting much more faith in much more complex software. For something like SSH, much of the complexity is already there because the sessions are real-time, for a non-realtime "session" I'm not as convinced. (although, this is EASILY the strongest point he makes)

        7) PGP supports old ciphers and not new ones.

        He even says most of these are not exploitable, so this is basically a rehash of 1. Specifically he complains about the lack of support for Elliptic Curve Cryptography (ECC). Dual_EC_DRBG (at least) is known weak, and there are weaknesses in the recommended curve. At least one noted analyst recommends not using ECC at all in light of these revelations https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929

        8) too easy to send unencrypted

        Ideally, it should probably be harder to send an encrypted email in these apps; unfortunately most people are not set up to receive encrypted emails, so sending unencrypted emails is still the norm. This is also likely to be unresolvable with:

        9) too easy to send unimportant emails encrypted

        If you are going to use encryption, you NEED to be using it for everything. If you don't, you are giving a treasure trove of metadata to an attacker: what you think is unimportant, who you are talking about important things with, and how often.

        10) too easy to encrypt the email with the wrong key

        I'll give him this.

        11) requires passphrase to unlock key, which is required for just signing.

        Not locking your key would be a HUGE vulnerability. The key is necessary for signing. Getting done with it and removing it from memory as fast as possible is the most secure thing you can do, but it requires you to reenter the passphrase each time. I guess I'm not sure I understand what he's proposing here, maybe he wants to abandon signatures.

  4. Richard Conto

    PGP is like Democracy ...

    ... in that it's the worst possible encryption system, except for all the others.

    This professor's complaints are mostly that PGP (or GPG) has awful applications. That's a side effect of PGP/GPG being pretty much a niche application AND being open source. The open source part is WHY the thing is trusted, and the niche part is because security and privacy is not terribly high on most people's communication priorities. (I don't doubt that cat videos are more important to most people than locking their houses and cars - much less securing private communications or passwords.)

    But re-engineering e-mail to provide for security & privacy is not likely to happen. Anyone remember X.400, the OSI's mail protocol? Any attempt to redesign email from scratch is likely to end up with something worse in terms of inability to inter-operate. (Besides, Facebook, Twitter, Google, et al. are all re-engineering inter-personal communications anyway into proprietary social-networking horrors.)

    1. Anonymous Coward

      Re: PGP is like Democracy ...

      The open source part is WHY the thing is trusted

      since no open source cryptography project has ever had major security issues...

      1. Anonymous Coward

        Re: PGP is like Democracy ...

        The open source part is WHY the thing is trusted

        since no open source cryptography project has ever had major security issues...

        True, but at least in the open source world when the problem is found (and it still can take time), it's impossible to sweep under a rug… a company can just stick its fingers in its ears and yell "La la la la!"

        There are probably equally heinous bugs that rival HeartBleed in commercial software that will never be fixed. We'll not know what they are because it's in the companies' interest to keep it all hush hush.

  5. John Riddoch

    The. Only.

    That last part is the core; there is currently nothing to usurp PGP which is widespread in use already. Any replacement would have to offer something substantial over the current implementation and simply saying "more secure" isn't going to sway anyone other than the security paranoid. Any replacement has to be at least as simple to use as PGP, or users will simply not bother with it.

    And finally, the kicker - until it gets sufficient momentum, people will stick to the incumbent (PGP). There's no point having an uber-secure way of sending mail if no-one you send mail to can read it...

    1. Bloakey1

      Re: The. Only.

      That is exactly the point. What he wants us to do is dumb things down and make it user friendly. At the moment one has to go through a few hoops to use it and in my opinion that is a good thing. Even Greenwald balked at using it when approached by an anonymous source but when he got there he hit the jackpot.

      I like to know that I am expressly doing something so I will jump through hoops. Embed it and obfuscate it and I will presume all is ok and that is bad security.

      Leave it alone as a gold standard and work on something easier using ROT 19 or whatever.

      1. Michael Habel

        Re: The. Only.

        Leave it alone as a gold standard and work on something easier using ROT 19 or whatever.

        Fheyl gung fubhyq or EBG13

    2. Sir Runcible Spoon

      Re: The. Only.

      "There's no point having an uber-secure way of sending mail if no-one you send mail to can read it..."

      Surely if you have encrypted an email to someone then you have used their public key to do so, so one could assume they might know how to decrypt it (having made their public key available to you).

      1. phil dude

        Re: The. Only.

        And more importantly the other thing PGP does is let you SIGN a cleartext document, so mixed recipients can validate your key, along with those that think it is some sort of geek-haiku.

        P.

  6. Will Godfrey

    Yet another person complaining about something, without having anything better to put in its place.

    1. Anonymous Coward

      @Will Godfrey

      " ... without having anything better to put in its place."

      Irrelevant. It's entirely possible to tell whether something's right without being able to produce something of equal or better quality yourself.

      1. Anonymous Coward

        Re: @AC

        Who argued that it isn't possible to spot potential problems? In many respects spotting the problems is the easier part, but without the second part it is of minimal value.

        1. Anonymous Coward

          Re: @AC

          "Who argued that it isn't possible to spot potential problems?"

          Nobody. I was pointing out it's unreasonable to criticise an observation based on whether the person making it can rectify it.

          "In many respects spotting the problems is the easier part, but without the second part it is of minimal value."

          I disagree.

          1. Will Godfrey

            Re: @AC

            Nowhere near as unreasonable as saying something that actually works should 'die'.

  7. Anonymous Coward

    Not saying PGP is perfect

    As it certainly lacks in user friendliness and ease of use, both of which will be required if it is ever to be adopted by the masses.

    But key length on business cards? What a non-issue, given that business cards are dying out these days... But if you must, sounds like a good use for those 2D bar codes that every smartphone on the planet can read without issue.

    1. Bloakey1

      Re: Not saying PGP is perfect

      We could have our keys tattooed on our pudendum. Mine would read 179ef and when Kylie Minogue appears it would read, errrr, hmmm, something a bit longer in 6 point font.

      1. Primus Secundus Tertius

        Re: Not saying PGP is perfect

        Lo! They met in Llandudno!

    2. ZSn

      Re: Not saying PGP is perfect

      Ok, geek alert. I *tried* to put a certificate into a qr code. It doesn't work, at least not for 2048 bit certificates. Even if you can shoehorn it into the maximum size of QR code, the resultant QR code is too big to be practically read (I've tried, trust me). If you print it A4 at best quality it still doesn't work. As for 1024 bit, perhaps it may work, at A4 size, never on a business card.

      OK, I admit, I have too much time on my hands.

      Matthew Green isn't usually too bad a read, he seems to have jumped off the deep end on this. It smacks of an academic with no real world experience.

      1. brooxta

        Re: Not saying PGP is perfect

        You don't need the whole certificate/key in a qr code, you can send that as an email attachment or download it from a web page or key server. The qr code would be useful for the key fingerprint though, which should be much more manageable. You would then use the fingerprint encoded in the qr code to verify you had downloaded the right key.

        1. ZSn

          Re: Not saying PGP is perfect

          >You don't need the whole certificate/key in a qr code, you can send that as an email attachment or download it from a web page or key server. The qr code would be useful for the key fingerprint though, which should be much more manageable. You would then use the fingerprint encoded in the qr code to verify you had downloaded the right key.

          I know, I was just hoping that there was a more elegant way of doing it all in one QR code so that you can personally give out your key.

          Incidentally I don't put my gpg on the public servers, naughty I know, but I only send the key to people I actually want to send encrypted messages to. Perhaps I'm a little too paranoid.

        2. Anonymous Coward

          Re: Not saying PGP is perfect

          And how do you trust an email or key server? Just because they tell you they are what they say they are and thereby you should trust them?

          1. brooxta

            Re: Not saying PGP is perfect

            > And how do you trust an email or key server?

            That's what the fingerprint is for. You use it to verify that what you downloaded is actually correct.

          2. A J Stiles

            Re: Not saying PGP is perfect

            The whole point is that you don't *have* to trust the key server, or any server in the e-mail chain.

        3. foxyshadis

          Re: Not saying PGP is perfect

          Fingerprints are so broken. They're a straight MD5, which only gets more broken every year. Every email client I've used only presents 32 bits of the fingerprint for your visual verification. It's time for PGP to move on and some of the brilliant people who put modern TLS together to start working on secure email, otherwise Google and Yahoo will be the only ones controlling it.

          We've already patched and bodged SMTP into the 21st century, kicking and screaming all the way, at least; that proves that smart people could tackle PGP too.

      2. eldakka

        Re: Not saying PGP is perfect

        Could the QR code just contain a (https) URL to download the public key from and the fingerprint of the key?

        So the QR code could be used to GET the key and verify the key.

      3. Charles 9

        Re: Not saying PGP is perfect

        I *tried* to put a certificate into a qr code. It doesn't work, at least not for 2048 bit certificates.

        That's odd. 2048 bits should take up only 256 bytes, well within the QR Code limit of 2,953 bytes under ISO 8859-1 encoding. Even if you have to convert it to a text-compatible format, you should still be well within the limit, even counting necessary overhead.

      4. Anonymous Coward

        Re: Not saying PGP is perfect

        Read the article. He said newer Elliptic Curve keys are a lot smaller, i.e. a 40-char MiniLock key equivalent to a ~10x bigger 3072-bit PGP key.

    3. Anonymous Coward

      Re: Not saying PGP is perfect

      > But key length on business cards? What a non-issue, given that business cards are dying out these days... But if you must, sounds like a good use for those 2D bar codes that every smartphone on the planet can read without issue.

      As has already been mentioned, key length on business cards is an issue, at least for any decent length key--this was pointed out by Zimmermann himself when he first came up with PGP. However, that is what key fingerprints have been for since day one.

      I am a bit surprised that Mr. Green will mention this. As a cryptography user (for I hope he's not a mere academic expert), he will know that the way we "exchange" keys is by providing a bit of paper (or for the poshest geeks, yes, a business card) with our email address and key fingerprint on it--sometimes people physically sign the paper as well. The other user will then go and fetch the key itself from one of the usual servers and check by hand if the fingerprint matches, then set his trust level adequately.

      Has worked for me since the 90s and is not much different than, say, checking a signature on a paper document (it can be just as insecure, but also a lot more secure).
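The procedure in the last comment (fingerprint handed over on paper, key fetched from a server, fingerprint checked by hand) and eldakka's QR-code variant above come down to one check: recompute the fingerprint from the downloaded key and compare all of it. The Python below is an added example written for this page; it is not code from GnuPG, Matthew Green or any commenter. It implements the OpenPGP v4 fingerprint from RFC 4880 section 12.2 over a binary key block of the kind `gpg --export` produces (an armored key would need decoding first), using a constructed toy RSA key packet; the toy modulus, the `OPENPGP4FPR:` prefix handling and every function name are this example's own assumptions.

```python
"""Check a downloaded OpenPGP public key against a fingerprint received out of band.
Added example for this thread, not code from GnuPG or the article; the v4 fingerprint
follows RFC 4880 section 12.2 and the key material is a constructed toy, not a real key."""
import hashlib
import hmac
import struct


def iter_packets(data):
    """Yield (tag, body) per packet; handles old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet tag at offset %d" % i)
        i += 1
        if ctb & 0x40:                  # new-format header: tag in the low 6 bits
            tag, first = ctb & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                           # old-format header: tag in bits 5..2
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += length


def fingerprint_v4(body):
    """SHA-1 over 0x99, two-octet body length, body (RFC 4880 12.2). 0x99 is just the
    old-format header for tag 6 with a two-octet length, i.e. the packet as on the wire."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def primary_fingerprint(key_data):
    """Fingerprint of the first Public-Key packet (tag 6) in a key block."""
    for tag, body in iter_packets(key_data):
        if tag == 6:
            return fingerprint_v4(body)
    raise ValueError("no Public-Key packet found")


def normalize(printed):
    """Accept the spaced form printed on cards and an 'OPENPGP4FPR:' style QR prefix
    (assumed convention of some mobile clients, not part of RFC 4880)."""
    return "".join(printed.rsplit(":", 1)[-1].split()).upper()


def verify_fingerprint(key_data, printed):
    """True only if all 40 hex digits match. The 8-digit short key ID that many clients
    show is deliberately rejected: a key with a chosen short ID is cheap to forge."""
    want = normalize(printed)
    return len(want) == 40 and hmac.compare_digest(primary_fingerprint(key_data), want)


def mpi(n):
    """OpenPGP multiprecision integer: two-octet bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_sample_key(n, e=65537, created=1400000000):
    """CONSTRUCTED data: a v4 RSA Public-Key packet (old-format header, two-octet length).
    The modulus is a toy; only the encoding matters for the fingerprint."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return bytes([0x80 | (6 << 2) | 0x01]) + struct.pack(">H", len(body)) + body


def demo():
    """Card carries fingerprint F, server returns a key block: accept only if they match."""
    downloaded = build_sample_key(0xC0FFEE_0000_0000_0000_0000_0000_000D)
    fpr = primary_fingerprint(downloaded)
    on_card = " ".join(fpr[i:i + 4] for i in range(0, 40, 4))   # spaced as printed
    genuine = verify_fingerprint(downloaded, on_card)
    lookalike = build_sample_key(0xC0FFEE_0000_0000_0000_0000_0000_000F)  # one byte off
    return fpr, genuine, verify_fingerprint(lookalike, on_card)
```

`demo()` returns the computed fingerprint, `True` for the key that matches the card and `False` for a look-alike key whose modulus differs in a single byte. The check insists on all 40 hex digits; the 8-digit short key ID that several clients display is rejected outright, since that is the part an attacker can match cheaply.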
