Just as Google built End-to-End, an e-mail encryption extension, and Yahoo announced plans to support end-to-end encryption by forking Google’s project, Matthew Green, a cryptographer at Johns Hopkins University, decided to take aim at the encryption standard at the heart of both projects.
Both Google and Yahoo use OpenPGP, a standard for encrypting and decrypting data. It all started out as a piece of software called PGP (for “pretty good privacy”), created by Phil Zimmermann in 1991. Those were the early days of the Internet, and the first steps of e-mail communication. Bright-minded people had realized that the standard mail protocols of the day (little has changed since) did nothing to protect the privacy of e-mail content, and so they created PGP.
In this context, PGP was an extraordinary piece of software. It implemented working cryptography that could be installed on any PC. It was rather difficult to use, “but in those days, everything sucked badly to use”, notes Green. In 1997, an open standard called OpenPGP was released; it allowed anyone who wanted to write their own software to remain compatible with the proprietary PGP. During the nineties it became the encryption tool, and having a PGP keypair was a sign of belonging to the mysterious geekdom of the technically proficient.
But that was the nineties. Cryptography has come a long way since then, which is not necessarily true of the rather slow-moving OpenPGP. To name a few signs of PGP’s approaching obsolescence: it defaults to the CAST5 cipher, which predates even AES, the de facto symmetric cipher standard for quite some time now. Elliptic curve cryptography, despite the almost universal assumption that it will replace public-key algorithms such as RSA within a few years, is still badly supported, and that does not look likely to change soon.
Another important drawback of OpenPGP is that it offers no forward secrecy. Forward secrecy is the property that if some of your encrypted communications are broken and read, the other messages encrypted under the same scheme remain safe (or have to be cracked separately).
Snowden’s revelations have shown that the NSA has a policy of storing encrypted communications which are unbreakable today but may be breakable tomorrow. As technology advances, some aspects of encryption become obsolete. For example, in 2003 a security company called RSA (no relation to the algorithm) estimated that RSA keys of 2048 bits, the OpenPGP default, would be sufficient until 2030 but might be breakable after that. Anyone who wants security beyond that year should choose a larger key size.
For this and other reasons, forward secrecy has become a de facto requirement for modern cryptographic systems.
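To make the forward-secrecy point concrete, here is an added Python example (not from Green’s post or from any OpenPGP implementation) contrasting a single long-term key, as OpenPGP uses, with a hash ratchet that derives a fresh key for every message and discards the old state. The XOR stream cipher and the sample messages are constructed for the demonstration; the cipher is a teaching toy, not something to deploy.

```python
import hashlib
import hmac


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_static(long_term_key: bytes, messages: list) -> list:
    """PGP-style: every message is encrypted under the same long-term key."""
    return [keystream_xor(long_term_key, m) for m in messages]


def encrypt_ratchet(initial_state: bytes, messages: list) -> tuple:
    """Per-message keys from a one-way chain; the previous state is dropped,
    so the current state cannot be walked back to earlier message keys."""
    state, ciphertexts = initial_state, []
    for m in messages:
        msg_key = hmac.new(state, b"msg", hashlib.sha256).digest()
        ciphertexts.append(keystream_xor(msg_key, m))
        state = hmac.new(state, b"ratchet", hashlib.sha256).digest()
    return ciphertexts, state


def attacker_after_compromise(ciphertexts: list, leaked: bytes, ratchet: bool) -> list:
    """Attacker recorded all ciphertexts earlier and later obtains the
    current key material (the static key, or the current ratchet state)."""
    if not ratchet:
        return [keystream_xor(leaked, c) for c in ciphertexts]
    # Best effort with the leaked state: derive the next message key and try it.
    msg_key = hmac.new(leaked, b"msg", hashlib.sha256).digest()
    return [keystream_xor(msg_key, c) for c in ciphertexts]


def demo() -> tuple:
    """Returns (all messages recovered under static key?, count recovered under ratchet)."""
    msgs = [b"meet at noon", b"bring the documents", b"all clear"]  # constructed
    key = hashlib.sha256(b"constructed demo key").digest()          # constructed
    static_ct = encrypt_static(key, msgs)
    static_recovered = attacker_after_compromise(static_ct, key, ratchet=False)
    ratchet_ct, current_state = encrypt_ratchet(key, msgs)
    ratchet_recovered = attacker_after_compromise(ratchet_ct, current_state, ratchet=True)
    return static_recovered == msgs, sum(r == m for r, m in zip(ratchet_recovered, msgs))


if __name__ == "__main__":
    print(demo())  # (True, 0): static key exposes everything, ratchet exposes nothing
```

Real systems pair such a symmetric ratchet with fresh Diffie-Hellman exchanges; the point here is only that one-way key derivation plus deletion is what OpenPGP’s single long-term key lacks.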
The last but perhaps not least of PGP’s drawbacks is key management. The problem is that there is no fully safe way to exchange public keys. That is, given someone’s key, I have no way to be sure that the key really belongs to that person. PGP’s solution is called the web of trust: people meet in person, verify each other’s keys, and thereby vouch to other users that the keys they hold are the right ones.
But the most likely deterrent for most would-be PGP users is the horrid user experience. Every one of today’s OpenPGP implementations involves a lot of copy-pasting, importing and exporting keys, and looking them up on keyservers by human-unreadable hex identifiers. Although all of this is much less complicated than it seems, only the more privacy-savvy geeks tend to dare try it.
Worst of all, most of these drawbacks are essentially unfixable without rewriting the whole system from scratch. However, OpenPGP is still the best, or the least bad, tool for e-mail encryption. Despite all the drawbacks listed above, no one has yet created a better tool, and so the criticisms are mostly academic. Nevertheless, they point out the problems future developers will have to face and highlight that now is the right time to invent something new.
Reference: Matthew Green, “What’s the matter with PGP?”, A Few Thoughts on Cryptographic Engineering, source link.