What's the matter with PGP?
August 25, 2014 1:16 PM Subscribe
If your cryptography predates The Fresh Prince, you need better cryptography. With recognition of the need for secure communication standards finally going mainstream, crypto researcher and Johns Hopkins University professor Matthew Green takes a hard look at the de facto standard everyone is jumping on, and suggests that we can and should do a lot better.
Among other things Prof. Green is a lead on the team auditing TrueCrypt [previously]. [via]
Among other things Prof. Green is a lead on the team auditing TrueCrypt [previously]. [via]
tldr: yo pgp, smell ya later
posted by Flunkie at 1:33 PM on August 25, 2014 [8 favorites]
posted by Flunkie at 1:33 PM on August 25, 2014 [8 favorites]
Oh, so all we need to do is replace e-mail?
posted by ckape at 2:11 PM on August 25, 2014 [1 favorite]
posted by ckape at 2:11 PM on August 25, 2014 [1 favorite]
Not to threadsit, but no; all the substitutes people are using in place of email are readable in cleartext by the proprietary intermediate servers, even if they're sometimes not readable in transit by other third parties because of SSL. They also have no innate provision for remaining encrypted at the endpoints.
Email's by far the best thing we've got because it's decentralized and nonproprietary. He's just saying we need better crypto tools at each end.
posted by George_Spiggott at 2:22 PM on August 25, 2014 [4 favorites]
Email's by far the best thing we've got because it's decentralized and nonproprietary. He's just saying we need better crypto tools at each end.
posted by George_Spiggott at 2:22 PM on August 25, 2014 [4 favorites]
I'm glad to see this being written about, and hopefully it is read by people making decisions.
I work in a industry that this is highly relevant to, in software development that specifically deals with securely exchanging sensitive information. I cannot count the number of times I've had discussions with people about secure email. Always, my conclusion has been the same: fundamentally, we've got the (crypto) tech to do it, and we've had it for a long time, but the real unsolved problem is key management on a large scale.
It's not far off from the "last mile" problem for internet connections. Corporation to corporation links can be secured without too much hassle, but the only way you'll get user to user communications fully encrypted is to actually make this user friendly in ways that the existing solutions have never managed.
posted by tocts at 3:05 PM on August 25, 2014 [1 favorite]
I work in a industry that this is highly relevant to, in software development that specifically deals with securely exchanging sensitive information. I cannot count the number of times I've had discussions with people about secure email. Always, my conclusion has been the same: fundamentally, we've got the (crypto) tech to do it, and we've had it for a long time, but the real unsolved problem is key management on a large scale.
It's not far off from the "last mile" problem for internet connections. Corporation to corporation links can be secured without too much hassle, but the only way you'll get user to user communications fully encrypted is to actually make this user friendly in ways that the existing solutions have never managed.
posted by tocts at 3:05 PM on August 25, 2014 [1 favorite]
It's a thoughtful critique of PGP. Couched in flamebait clothing, I suppose to get the links, but I think most of what he's saying is non-controversial. PGP is important because it was first, and it works. But of course we can do better now.
This article is the first I'd heard of end-to-end, the Chrome extension that allows true end-to-end email encryption by doing OpenPGP in Javascript. Clever, if horribly kludgy. Is it worth paying attention to or, like PGP, will it be irrelevant to 99% of Internet users?
posted by Nelson at 3:24 PM on August 25, 2014
This article is the first I'd heard of end-to-end, the Chrome extension that allows true end-to-end email encryption by doing OpenPGP in Javascript. Clever, if horribly kludgy. Is it worth paying attention to or, like PGP, will it be irrelevant to 99% of Internet users?
posted by Nelson at 3:24 PM on August 25, 2014
I couldn't agree with him more about some of the default setting, interoperability, and client interface issues.
But the most fundamental issue is the one he identifies first, the identification and authentication question: how do I make sure that this key, which is purported to be belong to George Spiggot and to allow me to encrypt messages so that only he can read them, wasn't actually created and sent to me by someone sitting in a cubicle in Fort Meade?
The system for doing this that is built into PGP and GPG is almost impossibly burdensome. It's bad enough that only people who absolutely have to to protect their privacy will ever struggle through it. But for those people, it works. I can contact someone offline, ensure they are who they say they are, compare key signatures, and know that from that time forward I can send messages to to them that are private, and receive messages that I can verify are from them--at least until they themselves are suborned or extorted.
The alternative that he proposes is to have a central authority verify that person's identity for me. That makes the whole process HUGELY simpler for every user who can afford to trust that authority. But the people who need encryption most are the ones who are threatened by the most powerful enemies--the state actors--and those actors are the ones most likely to be able to bully or fool a central authority.
The problem with his proposal is, we already have an alternative to PGP that works just just the way he's hoping for. It's called S/MIME. It's built into a lot of email clients, AFAIK the crypto is modern, the defaults and user interface are mostly sane. Your company or your email provider issues a certificate that vouches for your identity, and in turn that company is vouched for by the certification authorities: the same organizations that assure your employer or provider is who they say they are when they ask for your credit card information over the web.
And for most threats, relying on a central authority is probably plenty good enough. It's certainly, as Green says "better than nothing." If all you're worried about is the theft of your credit card number, or a nosy family member, or even a blackmailer at your ISP reading your emails, S/MIME is great. If you're worried about Chinese intelligence stealing your company's secrets, it might be good enough.
But if you're concern is that the NSA will find out the location of the next protest and pass that on to arm-breakers from Pinkerton, then you ought to think really carefully before using it. Because nobody can figure out how to keep the NSA from demanding that those certification authorities issue another certificate, claiming that the cube-drone in Fort Meade is actually you. And because while we don't know the exact details of how, the Snowden leaks make it pretty clear that they're breaking into CA-protected communications somehow.
In short, what Green is hoping for is turn PGP and its kin into something much closer to S/MIME. But we already have that system, it's available in a lot of places, and for what it does it's fairly decent. PGP still exists for those who can't, or wont, trust the system of central authorities. They exist on different sides of a safety/usability tradeoff. Changing PGP to work differently won't make the tradeoff unnecessary, it will just mean both products are on the same side of the balance.
Until some brilliant cryptographer comes up with a way to provide reliable identification authentication without offline verification, and also without a central authority, there's no reason we shouldn't have tools that work both ways. This way people with both casual and deadly serious crypto needs have a tool they can rely on.
posted by CHoldredge at 3:29 PM on August 25, 2014 [10 favorites]
But the most fundamental issue is the one he identifies first, the identification and authentication question: how do I make sure that this key, which is purported to be belong to George Spiggot and to allow me to encrypt messages so that only he can read them, wasn't actually created and sent to me by someone sitting in a cubicle in Fort Meade?
The system for doing this that is built into PGP and GPG is almost impossibly burdensome. It's bad enough that only people who absolutely have to to protect their privacy will ever struggle through it. But for those people, it works. I can contact someone offline, ensure they are who they say they are, compare key signatures, and know that from that time forward I can send messages to to them that are private, and receive messages that I can verify are from them--at least until they themselves are suborned or extorted.
The alternative that he proposes is to have a central authority verify that person's identity for me. That makes the whole process HUGELY simpler for every user who can afford to trust that authority. But the people who need encryption most are the ones who are threatened by the most powerful enemies--the state actors--and those actors are the ones most likely to be able to bully or fool a central authority.
The problem with his proposal is, we already have an alternative to PGP that works just just the way he's hoping for. It's called S/MIME. It's built into a lot of email clients, AFAIK the crypto is modern, the defaults and user interface are mostly sane. Your company or your email provider issues a certificate that vouches for your identity, and in turn that company is vouched for by the certification authorities: the same organizations that assure your employer or provider is who they say they are when they ask for your credit card information over the web.
And for most threats, relying on a central authority is probably plenty good enough. It's certainly, as Green says "better than nothing." If all you're worried about is the theft of your credit card number, or a nosy family member, or even a blackmailer at your ISP reading your emails, S/MIME is great. If you're worried about Chinese intelligence stealing your company's secrets, it might be good enough.
But if you're concern is that the NSA will find out the location of the next protest and pass that on to arm-breakers from Pinkerton, then you ought to think really carefully before using it. Because nobody can figure out how to keep the NSA from demanding that those certification authorities issue another certificate, claiming that the cube-drone in Fort Meade is actually you. And because while we don't know the exact details of how, the Snowden leaks make it pretty clear that they're breaking into CA-protected communications somehow.
In short, what Green is hoping for is turn PGP and its kin into something much closer to S/MIME. But we already have that system, it's available in a lot of places, and for what it does it's fairly decent. PGP still exists for those who can't, or wont, trust the system of central authorities. They exist on different sides of a safety/usability tradeoff. Changing PGP to work differently won't make the tradeoff unnecessary, it will just mean both products are on the same side of the balance.
Until some brilliant cryptographer comes up with a way to provide reliable identification authentication without offline verification, and also without a central authority, there's no reason we shouldn't have tools that work both ways. This way people with both casual and deadly serious crypto needs have a tool they can rely on.
posted by CHoldredge at 3:29 PM on August 25, 2014 [10 favorites]
My problems with PGP/GPG have been:
1. No one else I know has shown an interest in using it.
2. Implementation across multiple web- and desktop-based clients on multiple computers and devices which may or may not mangle the text in transmission to meet unknown formatting and style directives. Although now that I'm only using two computers regularly, it's not as bad as it used to be.
3. Almost all of my email traffic is trivial and open secrets anyway.
posted by CBrachyrhynchos at 3:31 PM on August 25, 2014
1. No one else I know has shown an interest in using it.
2. Implementation across multiple web- and desktop-based clients on multiple computers and devices which may or may not mangle the text in transmission to meet unknown formatting and style directives. Although now that I'm only using two computers regularly, it's not as bad as it used to be.
3. Almost all of my email traffic is trivial and open secrets anyway.
posted by CBrachyrhynchos at 3:31 PM on August 25, 2014
Given the final bullet point in his what should we do section, it sure sounds like he thinks we need to replace e-mail.
posted by ckape at 4:19 PM on August 25, 2014
posted by ckape at 4:19 PM on August 25, 2014
If your cryptography predates The Fresh Prince, you need better cryptography.
It difficult to underestimate the impact that Fresh Prince had on crypto. You can divide the history of the field into two halves: Pre-Prince and Post-Prince.
We remember Fresh Prince for his groundbreaking work on the algebraic structure of elliptic curves over finite fields. However, it is easy to forget that his research was prompted not by a long-standing interest in mathematics, but a brute-force attack on a West Philadelphia basketball court. Many experts in the field attribute the practical success of Fresh Prince Cryptography to its developer's acute awareness of real-world attack vectors.
From a modern perspective, Fresh Prince's earliest work seems silly. Take for example his method of hiding public graffiti messages from surveilling authorities by portraying an aerosolized paint delivery system as a common can of spray-on deodorant. Attempting this today would be scarcely better than a double application of rot-13 encryption. But during that technologically unsophisticated era, when default software configurations came with publicly known default passwords, such crude social engineering techniques were remarkably successful.
Of course, Fresh Prince achieved his most important breakthroughs only after he accepted a chair at Auntie and Uncle Polytechnic in Bel Air, California. During a cab ride from the airport to his new campus, Fresh Prince was overwhelmed by an incredible odor within the vehicle. Upon recognizing that the odor conveyed an important subtext that could also be communicated verbally — that he would be smelling the cabbie later — Fresh Prince set to work developing several scent-based steganographic implementations.
After that he did lots more great crypto work, but I don't know what it is because I only remember the opening credits.
posted by compartment at 4:47 PM on August 25, 2014 [35 favorites]
It difficult to underestimate the impact that Fresh Prince had on crypto. You can divide the history of the field into two halves: Pre-Prince and Post-Prince.
We remember Fresh Prince for his groundbreaking work on the algebraic structure of elliptic curves over finite fields. However, it is easy to forget that his research was prompted not by a long-standing interest in mathematics, but a brute-force attack on a West Philadelphia basketball court. Many experts in the field attribute the practical success of Fresh Prince Cryptography to its developer's acute awareness of real-world attack vectors.
From a modern perspective, Fresh Prince's earliest work seems silly. Take for example his method of hiding public graffiti messages from surveilling authorities by portraying an aerosolized paint delivery system as a common can of spray-on deodorant. Attempting this today would be scarcely better than a double application of rot-13 encryption. But during that technologically unsophisticated era, when default software configurations came with publicly known default passwords, such crude social engineering techniques were remarkably successful.
Of course, Fresh Prince achieved his most important breakthroughs only after he accepted a chair at Auntie and Uncle Polytechnic in Bel Air, California. During a cab ride from the airport to his new campus, Fresh Prince was overwhelmed by an incredible odor within the vehicle. Upon recognizing that the odor conveyed an important subtext that could also be communicated verbally — that he would be smelling the cabbie later — Fresh Prince set to work developing several scent-based steganographic implementations.
After that he did lots more great crypto work, but I don't know what it is because I only remember the opening credits.
posted by compartment at 4:47 PM on August 25, 2014 [35 favorites]
Holy cow. It all makes sense now. For example, I suddenly realize that "Parents Just Don't Understand" is really about effective crypto securing your communications from authoritarian overreach! Fuck. The whole world just swam into focus. What a visionary. I need to go lie down.
posted by George_Spiggott at 5:00 PM on August 25, 2014 [8 favorites]
posted by George_Spiggott at 5:00 PM on August 25, 2014 [8 favorites]
We can't rule out next-generation developments from the Smith family.
Jaden Smith is clearly transmitting some sort of advanced code via his twitter.
posted by mccarty.tim at 6:57 PM on August 25, 2014 [3 favorites]
Jaden Smith is clearly transmitting some sort of advanced code via his twitter.
posted by mccarty.tim at 6:57 PM on August 25, 2014 [3 favorites]
"Your company or your email provider issues a certificate that vouches for your identity, and in turn that company is vouched for by the certification authorities: the same organizations that assure your employer or provider is who they say they are when they ask for your credit card information over the web."
Unfortunately the certificate authority system is already broken, probably to the point that it can't be fixed without hugely disruptive and painful change. Browsers automatically trust certificates which are issued by around 650 authorities or delegated authorities, several of which are government bodies (or closely linked to them). This story from last month is a great example.
There have been loads of examples of certificate authorities being hacked, with certificates being stolen and misused or "bad" certificates being issued by "good" authorities. At this point it's difficult to see how there's any trust left in a system which is built (and utterly reliant) on trust in order to provide any value.
posted by dvrmmr at 10:51 PM on August 25, 2014 [2 favorites]
Unfortunately the certificate authority system is already broken, probably to the point that it can't be fixed without hugely disruptive and painful change. Browsers automatically trust certificates which are issued by around 650 authorities or delegated authorities, several of which are government bodies (or closely linked to them). This story from last month is a great example.
There have been loads of examples of certificate authorities being hacked, with certificates being stolen and misused or "bad" certificates being issued by "good" authorities. At this point it's difficult to see how there's any trust left in a system which is built (and utterly reliant) on trust in order to provide any value.
posted by dvrmmr at 10:51 PM on August 25, 2014 [2 favorites]
The article implies that PGP is widespread use. This certainly isn't true; not for the general public; not for the vast majority of 'IT professionals', nor is it even true in the security industry.
I would be shocked if PGP had 10% of the usage that S/MIME has (which is also very low, but some large organizations and governments mandate its use).
That's not to say that the points made are poor ones, but it certainly could explain why PGP clients, nor PGP management software evolved to a level of usability that we've come to expect in modern products.
I respect Mathew Greens work and research enough to complain that I'd rather have him espousing more on what needs to be done (and endorsing/participating in relevant projects) than complain about PGP, which seems like shooting fish in the barrel.
posted by el io at 12:06 AM on August 26, 2014
I would be shocked if PGP had 10% of the usage that S/MIME has (which is also very low, but some large organizations and governments mandate its use).
That's not to say that the points made are poor ones, but it certainly could explain why PGP clients, nor PGP management software evolved to a level of usability that we've come to expect in modern products.
I respect Mathew Greens work and research enough to complain that I'd rather have him espousing more on what needs to be done (and endorsing/participating in relevant projects) than complain about PGP, which seems like shooting fish in the barrel.
posted by el io at 12:06 AM on August 26, 2014
A critique of Green's article, from the second comment in Schneier's post: What's The Matter With PGP?
posted by Bangaioh at 4:05 AM on August 26, 2014 [2 favorites]
posted by Bangaioh at 4:05 AM on August 26, 2014 [2 favorites]
I'm really glad to see a lot of talking about making everyday cryptography a lot easier to use for the average human.
I sometimes wish the non-average humans talking about it would be less emotionally invested in being right at all costs because that's an easily exploitable trait for a bad actor.
posted by Revvy at 12:02 PM on August 26, 2014
I sometimes wish the non-average humans talking about it would be less emotionally invested in being right at all costs because that's an easily exploitable trait for a bad actor.
posted by Revvy at 12:02 PM on August 26, 2014
I'd really like to see the cryptography community in general try to make tools and explanations of how to use crypto more accessible to the general public.
Public key cryptography, like PGP, is kind of hard to wrap your head around, but at the same time, it's proving increasingly important to keep information private. People are saving their documents not just on their network-connected computers, but also cloud services with their own vulnerabilities. And it's distressingly common to see people save their sensitive information in plaintext. Add in that even files people are storing locally could be accessed through malware installed on either their computers or even a router, and I don't think we're in an era where cryptography is just for people who are afraid of government surveillance or corporate espionage (not that it ever was, but that seems to be the perception).
posted by mccarty.tim at 12:59 PM on August 26, 2014
Public key cryptography, like PGP, is kind of hard to wrap your head around, but at the same time, it's proving increasingly important to keep information private. People are saving their documents not just on their network-connected computers, but also cloud services with their own vulnerabilities. And it's distressingly common to see people save their sensitive information in plaintext. Add in that even files people are storing locally could be accessed through malware installed on either their computers or even a router, and I don't think we're in an era where cryptography is just for people who are afraid of government surveillance or corporate espionage (not that it ever was, but that seems to be the perception).
posted by mccarty.tim at 12:59 PM on August 26, 2014
A critique of Green's article, from the second comment in Schneier's post: What's The Matter With PGP?
That's a very strong retort and I wish I'd included it in this post. I enjoyed Green's rant but it really is just that, it has a confusion of concerns and -- with this discussion as evidence -- it is not at all clear what he considers bathwater vs baby.
posted by George_Spiggott at 2:03 PM on August 26, 2014
That's a very strong retort and I wish I'd included it in this post. I enjoyed Green's rant but it really is just that, it has a confusion of concerns and -- with this discussion as evidence -- it is not at all clear what he considers bathwater vs baby.
posted by George_Spiggott at 2:03 PM on August 26, 2014
Yeah, centralized trust is a problem because it's got such value as a target. Go ask the bitcoin nerds about this. They've essentially got a distributed trust network, and many folks are looking into ways of solving the centralized trust issue with proof of work and a blockchain.
posted by butterstick at 4:30 PM on August 26, 2014
posted by butterstick at 4:30 PM on August 26, 2014
This article is the first I'd heard of end-to-end, the Chrome extension that allows true end-to-end email encryption by doing OpenPGP in Javascript. Clever, if horribly kludgy. Is it worth paying attention to or, like PGP, will it be irrelevant to 99% of Internet users?
I'm no crypto expert, but always I've found this article on the pitfalls of doing crypto in-browser with javascript to be pretty convincing. Some of its arguments wouldn't necessarily apply to an extension, though, assuming you trust whoever uploaded it, the Chrome app store, and the Chrome extension security model.
posted by whir at 6:10 AM on August 27, 2014
I'm no crypto expert, but always I've found this article on the pitfalls of doing crypto in-browser with javascript to be pretty convincing. Some of its arguments wouldn't necessarily apply to an extension, though, assuming you trust whoever uploaded it, the Chrome app store, and the Chrome extension security model.
posted by whir at 6:10 AM on August 27, 2014
Those critiques about Javascript are outdated. The primary complaints are " You have to send all the page content over SSL/TLS.", which of course we do all the time now. And "Browser Javascript is hostile to cryptography.", which is true, but is the problem that end-to-end is explicitly solving. I trust the folks who wrote it are fully aware of the challenges outlined in the pitfalls essay.
posted by Nelson at 9:03 AM on August 27, 2014
posted by Nelson at 9:03 AM on August 27, 2014
Just use Pond for your asynchronous messaging needs, well that's what all the cool kids in Berlin use these days. And obviously OtR gets the synchronous messaging job done, albeit quite vulnerable to traffic analysis.
posted by jeffburdges at 11:31 PM on September 3, 2014
posted by jeffburdges at 11:31 PM on September 3, 2014
« Older "Bake 'em away, toys!" | The Construction of Whiteness Newer »
This thread has been archived and is closed to new comments
posted by George_Spiggott at 1:26 PM on August 25, 2014 [1 favorite]