Why Not PGP?

 


PGP the Protocol: An Introduction

PGP has been used to protect sensitive data for decades. Most people have even heard catch phrases like AES 256 or debates about minimum RSA key sizes. PGP stands for “Pretty Good Privacy.” This is a very apt name. It is pretty good, but only that. PGP's key model has significant drawbacks:

  • One Key: Each user only has one private encryption key. If the private key of a user is exposed (stolen, hacked, or subpoenaed by authorities), a perpetrator is able to decrypt all previously sent messages with that key.
  • Non-Repudiation: Every message you send is signed with your private key, which verifies and exposes the sender’s digital identity, proving authorship of the message. The sender’s privacy now depends on the receiver’s actions. When having a secret conversation, we don’t want our messages attributed to us. In fact, one would like to be able to effectively deny any contact with the other party.

Because of PGP's key infrastructure, a user needs one public key to engage in private conversations without a pre-shared secret; that same public key also lets the other party verify the authenticity of the user's messages.
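The “One Key” drawback above can be seen in a short added example (not code from the original page or from any PGP product). It assumes a toy Diffie-Hellman group and a toy stream cipher, both constructed for the demo and unfit for real use, and it leaves out the authentication step a real protocol needs. It compares keys derived from one long-term key pair with keys derived from per-session values that are erased after use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this demo; far too small for real use.
P = 2**127 - 1  # Mersenne prime
G = 3

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive(priv, peer_pub):
    """Hash the DH shared value into a 32-byte message key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    """Toy stream cipher (SHA-256 keystream); encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def long_term_key_model(msg):
    """Every message key is derived from the recipient's single long-term key."""
    bob_priv, bob_pub = keypair()           # Bob's one long-term key pair
    eph_priv, eph_pub = keypair()           # sender's per-message value
    wire = (eph_pub, xor_stream(derive(eph_priv, bob_pub), msg))
    del eph_priv
    # Later compromise: the recorded wire data plus bob_priv is enough.
    return xor_stream(derive(bob_priv, wire[0]), wire[1])

def ephemeral_key_model(msg):
    """Message key comes from per-session keys that both sides erase."""
    bob_long_priv, _ = keypair()            # long-term key: identity only (auth omitted)
    a_priv, a_pub = keypair()               # Alice's session key pair
    b_priv, b_pub = keypair()               # Bob's session key pair
    wire = (a_pub, b_pub, xor_stream(derive(a_priv, b_pub), msg))
    del a_priv, b_priv                      # session secrets erased after use
    # Later compromise: bob_long_priv never entered the key derivation.
    return xor_stream(derive(bob_long_priv, wire[0]), wire[2])

MSG = b"constructed sample message"

if __name__ == "__main__":
    print("long-term key model recovered:", long_term_key_model(MSG) == MSG)
    print("ephemeral key model recovered:", ephemeral_key_model(MSG) == MSG)
```

In the first model the recorded traffic decrypts once the long-term private key leaks; in the second the same leak yields only garbage, which is the forward secrecy property PGP lacks.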

 

State of PGP in Reality

PGP is the wrong protocol for any industry that essentially needs the electronic equivalent of a regular conversation between two people in an empty room. Its single keypair, digital signatures, and lack of forward secrecy make it a poor choice for individuals who need the following properties:

  • To be able to know for sure who you are talking to.
  • Not have conversations intercepted.
  • Confidently deny any conversation to any interested third party.
  • Not live in daily fear of any private key one has ever used being exposed, and every single message ever written with that private key coming to light.
  • Not fearing a private key being cloned and used to eavesdrop on future messages.
  • Being assured that deleted messages are indeed truly deleted.

Aside from the deficiencies of the actual PGP protocol, today's market for PGP “secure” messaging is a hodgepodge of key servers, mail servers, and resellers whose only method of differentiating themselves from one another to their users is to slander, spread rumors, and interfere with a competitor's service levels, either by launching distributed denial-of-service (DDoS) attacks or by outright blocking resellers from communicating with them. To boot, most do not have the technical capability to even run their infrastructure competently; therefore, hours and hours of outages due to misconfigurations or poor infrastructure are the norm. The incompetence also shows up in messages travelling through the Internet without ANY encryption, or even basic protection of the metadata (from, to, subject, IP address, time stamp) of messages transmitted to other resellers. All these things go on daily without the end user being any the wiser. One of the biggest secrets, rarely mentioned, is the fact that the majority of existing PGP resellers have a copy of the users' private keys on their servers. This is ridiculous. How do you pretend to offer a secure service, but have your subscribers' private keys on your server where they can potentially be exploited?

 

As the PGP reseller business is dying, resellers are anxious to maintain the cash flow they have come to expect from a business where they utilize off-the-shelf applications like RIM’s BlackBerry Enterprise Server (BES), Symantec’s PGP Universal Server, Microsoft’s Exchange Server application and Microsoft Servers. A reseller has no intimate knowledge of how any of these products work. How could they? The products are all closed source, and resellers have no clue what they are doing behind the scenes. We do know that all of these companies work with government agencies when called upon to provide them with information on individuals. As far back as 2009, NSA specialists have been able to “see and read” text messages from BlackBerrys. An NSA presentation entitled “Your target is using a BlackBerry? Now what?” shows what can be achieved. It contained an image of a Mexican government email, the plain text of which appears in a slide under the title “Post Processed BES collection.” Lately, there are many articles posted by reputable journalists and security experts that demonstrate that PGP messages (including deleted ones) are being decrypted on many different BlackBerry subscriber units. The Netherlands Forensic Institute (NFI) has confirmed they can indeed decrypt BlackBerry messages from several devices.

 

PGP resellers' response to a lot of this information coming to light is ludicrous. One message to their subscribers suggests that all is OK provided they change their default minimum four character passphrase to eight characters. A policy that allows for a four character password on a BlackBerry is bad enough, but to tell users that it is being upgraded to a minimum eight character passphrase (which, as an aside, would take approximately six hours for modern password clusters to crack) misses the point. The point is that the NFI did not decrypt the PGP messages due to short passphrases. It is a red herring, meant to make users believe all is still good with PGP BlackBerry and that human error is to blame. Another major reseller has written a lengthy diatribe informing their subscribers to stay the course with BlackBerry, and in that SAME message they state they will be coming out with a new platform in the New Year.

 

Another interesting thing to note about all this BlackBerry device decryption information is its age. The NFI BlackBerry cases recently circulating are well over a year old. PGP resellers were aware of these documents and many actually possessed them, but they remained buried until just recently. Needless to say, many of them are nonplussed that the cat is out of the bag. One of the many dirty little secrets about the business has been exposed.

 

So now, as we can see, resellers are anxious to differentiate themselves in other ways. The new term making the rounds is “ECC.” Short, techie sounding, a little bit ominous. Not to burst anyone’s bubble, but ECC is already used by a large portion of the Internet for communications. It simply stands for Elliptic Curve Cryptography, which is a relatively new branch of mathematics that allows for smaller key sizes with the same or better strength than large key sizes from competing algorithms like RSA (a longtime PGP default). PGP today uses RSA 4096 for asymmetric encryption (it is used to create your public/private key pair) and AES 256 for symmetric encryption. In BES version 10+ you can now choose ECC instead of RSA. The choices you have are ECC curves promoted by NIST (National Institute of Standards and Technology) or, to make it more succinct, the National Security Agency (NSA). These curves have been proven to not be safe (http://safecurves.cr.yp.to/). Future changes in this industry will see existing PGP resellers simply still using PGP or a variant of it, but with an ECC key instead of an RSA key. The same problem exists: they make just enough changes to muddy the waters with technical jargon so that it appears there is a newer, safer product. More to follow in an upcoming blog.