PGP is fundamentally broken, says crypto expert

“It’s time for PGP to die,” Matthew Green, noted cryptographer and research professor at Johns Hopkins University, opined in a recent blog post.

“Zimmermann’s PGP was a revolution. It gave users access to efficient public-key cryptography and fast symmetric ciphers in package you could install on a standard PC. Even better, PGP was compatible with legacy email systems,” he noted. “Sure, it sucked badly to use. But in those days, everything sucked badly to use.”

“While the protocol has evolved technically — IDEA replaced BassOMatic, and was in turn replaced by better ciphers — the fundamental concepts of PGP remain depressingly similar to what Zimmermann offered us in 1991,” he concluded.

There are many problems with PGP, he notes.

Its public keys are long, difficult to manually compare, and often times gotten from key servers via untrustworthy data transfer channels. “PGP assumes keys are too big and complicated to be managed by mortals, but then in practice it practically begs users to handle them anyway. This means we manage them through a layer of machinery, and it happens that our machinery is far from infallible,” he adds.

PGP key management is not transparent and there is no forward secrecy to protect old communications – although there are some experimental systems that are trying to fix both these problems.

“The OpenPGP format and defaults suck,” says Green. “Poking through a modern OpenPGP implementation is like visiting a museum of 1990s crypto. For legacy compatibility reasons, many clients use old ciphers like CAST5 (a cipher that predates the AES competition). RSA encryption uses padding that looks disturbingly like PKCS#1v1.5 — a format that’s been relentlessly exploited in the past. Key size defaults don’t reach the 128-bit security level. MACs are optional. Compression is often on by default. Elliptic curve crypto is (still!) barely supported.”

Finally, he laid into the “terrible mail client implementations.”

In his book, the required changes are many: a proper approach to key management, forward secrecy implemented into the protocol, newer and better cryptography, and a decision to make backwards compatibility less important.

His post generated quite a debate, both in the comments and on Twitter. Some users agreed with his points, but many have also pointed out that, despite its many faults, PGP is still the “least bad” option.

People involved in several projects that try solve some of these problems have piped up to note this, and it’s comforting to know that many work on a viable alternative.

Until a better one is created, it seems that tech savvy users will stick with PGP.

Share this