Manifesto - Next Generation PGP
Kai-Chun Ning, Phil Zimmermann, KPN
What is PGP?
Pretty Good Privacy (PGP) is a software suite that provides digital security. With the encryption it provides, PGP can be used to transfer messages confidentially and is often used for email and file encryption. In totalitarian countries where surveillance is prevalent, citizens can make use of PGP to exchange information safely. Journalists often use PGP to communicate with their sources securely in the same manner [1]. In addition to encryption, PGP can also be used to guarantee the authenticity of a message by generating an unforgeable digital signature for it. Similar to a written signature, a digital signature assures the recipient that the message indeed originates from the claimed source and has not been tampered with. Since its introduction in 1991, PGP has become an essential tool for, amongst others, dissidents, activists, journalists and whistleblowers.
Outdated Standard and Poor Usability
Despite the importance and benefits of PGP, some fundamental design choices hinder its universal adoption, and its user base remains relatively small [2]. When PGP was first introduced in 1991, some security concepts had not yet been conceived or were still under active research. Consequently, PGP lacks certain security properties that are considered essential today, e.g. forward secrecy and practical group messaging. In particular, the lack of forward secrecy is considered a major security deficiency and is not acceptable to many. Besides forward secrecy, by default PGP applies compression before encrypting data, which makes the length of the ciphertext (even more) dependent on the content of the data. This dependency in turn leaks extra information, which researchers have exploited in various other settings before, e.g. in TLS, to recover the plaintext [3].
In terms of the choice of cryptographic suite, PGP includes several early cryptographic schemes that are no longer considered secure. The inclusion of those outdated, so-called fossil cryptographic schemes has proven to be a significant burden for software developers and maintainers while providing very little value. Additionally, accidental use of those schemes may lead to a total compromise of confidential information. One such scenario is when one user in a group email replies with the entire email thread (exchanged so far) included, quoted and encrypted with triple DES [4]. This leakage scenario is still possible even with the latest PGP software in 2019 due to the requirement of backward compatibility. To make matters even worse, some of the aforementioned outdated cryptographic schemes (e.g. SHA-1) are chosen by default. It is therefore necessary for users to manually configure PGP before use. Unfortunately, to override the default settings one needs to go through the lengthy PGP manual to learn the format of the configuration file and the available choices, which can be rather daunting for users who are not technically savvy. In short, the improper security practice enforced by the default settings and the lack of a simple user interface make PGP inaccessible to the general public, even to its very own creator, Phil Zimmermann [5].
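The compress-then-encrypt length leak described above, shown with a toy length-preserving cipher (an added example, not code from the manifesto or from any PGP implementation): two mails of identical length produce ciphertexts of different length only when compression is switched on. In GnuPG the corresponding mitigation is `compress-algo none` in gpg.conf.

```python
import hashlib
import zlib


def toy_stream_encrypt(data: bytes, key: bytes) -> bytes:
    """Length-preserving toy cipher (SHA-256 counter keystream XORed in).
    It stands in for OpenPGP's CFB mode, which also preserves the input length;
    it is not a real cipher and exists only so the length behaviour can be observed."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pgp_style_encrypt(plaintext: bytes, key: bytes, compress: bool) -> bytes:
    """The default pipeline the text criticises: compress first, then encrypt."""
    body = zlib.compress(plaintext) if compress else plaintext
    return toy_stream_encrypt(body, key)


def length_depends_on_content(msg_a: bytes, msg_b: bytes, compress: bool) -> bool:
    """True if two equal-length plaintexts yield ciphertexts of different length,
    i.e. an observer learns something about the content from the length alone."""
    assert len(msg_a) == len(msg_b)
    key = b"\x00" * 32  # constant key: only the ciphertext length matters here
    return len(pgp_style_encrypt(msg_a, key, compress)) != len(pgp_style_encrypt(msg_b, key, compress))


# Constructed sample mails of identical length (272 bytes): MAIL_A is highly
# redundant, MAIL_B's body is deterministic but incompressible.
HEADER = b"Subject: plans\n\n"
MAIL_A = HEADER + b"yes " * 64
MAIL_B = HEADER + b"".join(hashlib.sha256(b"mail-b" + bytes([i])).digest() for i in range(8))

if __name__ == "__main__":
    for compress in (False, True):
        la = len(pgp_style_encrypt(MAIL_A, b"\x00" * 32, compress))
        lb = len(pgp_style_encrypt(MAIL_B, b"\x00" * 32, compress))
        print(f"compress={compress}: ciphertext lengths {la} vs {lb}")
```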
Trust Model and Key Management
With regard to the accessibility of PGP for average users, one frequently criticized design choice of PGP is its key management mechanism and trust model. PGP relies on a so-called “Web of Trust” to establish the authenticity of a public key. A Web of Trust removes the need for the public key infrastructure (PKI) and certificate authorities (CAs) that are commonly used to establish the authenticity of a key, as in X.509-based systems. Instead of depending on a centralized CA for the verification of a public key, which is a single point of failure, PGP determines whether or not a key is authentic by the amount of trust demonstrated by “other” PGP users in the Web of Trust. In essence, if more than a certain number of other users who are trusted by one particular PGP user claim that the key is authentic, then the key is considered valid and is accepted by this user.
This idea, however, has one critical drawback. A Web of Trust transforms the problem of establishing the authenticity of a key from a technical issue into a social one, as a Web of Trust can only function if other PGP users are able to make adequate judgments when vouching for the authenticity of keys. PGP tries to assist users in doing so by labeling keys with a trust level based on the amount of trust (untrusted, marginal, complete, and ultimate). Nonetheless, the procedure remains heavily dependent on human factors, as the meaning of those four trust levels can be neither universally established nor scientifically defined. The definition of trust levels even reduces the usability of PGP, since PGP users must now learn the whole complex mechanism behind a Web of Trust in order to assign trust labels properly. The problem of establishing the authenticity of a key is therefore not solved by the introduction of a Web of Trust and is arguably further complicated. In response, many PGP users simply hold key signing parties, where they physically meet at one location to safely sign and vouch for each other's keys.
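A minimal model of the validity rule the text describes, as an added example (not the manifesto's or GnuPG's code): a key becomes valid through certifications from already-valid keys whose owners carry a marginal or complete trust label. The thresholds (one complete or three marginal certifications, chain depth at most 5) are assumed defaults taken from GnuPG's classic trust model, and the names in the web are constructed.

```python
from typing import Dict, List

# Owner-trust labels as PGP assigns them; "unknown" is what a fresh key gets.
TRUST_LEVELS = ("unknown", "untrusted", "marginal", "complete", "ultimate")


def compute_valid_keys(ownertrust: Dict[str, str],
                       certifications: Dict[str, List[str]],
                       marginals_needed: int = 3,
                       completes_needed: int = 1,
                       max_cert_depth: int = 5) -> Dict[str, int]:
    """Return {key: chain depth} for every key the local user should treat as valid.
    ownertrust:     key -> trust label the local user assigned to that key's owner
    certifications: key -> keys whose owners signed (vouched for) it
    Ultimately trusted keys are valid by definition; any other key needs enough
    certifications from keys that are themselves valid AND whose owners are trusted."""
    for label in ownertrust.values():
        if label not in TRUST_LEVELS:
            raise ValueError(f"unknown trust label {label!r}")
    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    changed = True
    while changed:                       # propagate until no new key qualifies
        changed = False
        for key, signers in certifications.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid and valid[s] < max_cert_depth]
            completes = [s for s in usable if ownertrust.get(s) in ("complete", "ultimate")]
            marginals = [s for s in usable if ownertrust.get(s) == "marginal"]
            qualifying = completes if len(completes) >= completes_needed else (
                marginals if len(marginals) >= marginals_needed else [])
            if qualifying:
                valid[key] = 1 + min(valid[s] for s in qualifying)
                changed = True
    return valid


# Constructed example web: "me" is the local user's own (ultimately trusted) key.
OWNERTRUST = {"me": "ultimate", "bob": "complete", "carol": "marginal",
              "dave": "marginal", "erin": "marginal", "mallory": "untrusted"}
CERTIFICATIONS = {
    "bob": ["me"], "carol": ["me"], "dave": ["me"], "erin": ["me"],
    "frank": ["bob"],                    # one fully trusted signer suffices
    "grace": ["carol", "dave", "erin"],  # three marginal signers suffice
    "heidi": ["carol", "dave"],          # two marginals are not enough
    "ivan": ["mallory"],                 # untrusted signers never count
    "mallory": ["me"],                   # a valid key whose owner is not trusted
}
```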
Furthermore, even if a PGP user manages to label keys with the appropriate trust level, the endorsed keys remain local to this specific user, who would still need to distribute the endorsed public keys. PGP tackles this problem by setting up a small number of “trusted key servers”. Users may upload their endorsements of other users’ keys, or their own public keys, to any of the servers. To prevent censorship of any key or of its endorsements, those key servers were designed never to delete a public key or any information about a key (including its endorsements). The key servers synchronize with each other periodically to maintain one single global database of public keys, and together they function as a distribution hub from which other PGP users can download those keys.
Despite the various advantages mentioned above, the addition of the key servers, together with the rather inefficient design of the key serialization format, opens the way to devastating denial-of-service attacks [6] [7]. In short, by maliciously attaching tens of thousands of endorsements (signatures) to a target public key and uploading it to the key servers, an attacker is able to render any PGP program unusable once the victim imports the poisoned public key into their system, which effectively denies the use of the target key.
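A defensive import check for the certificate-flooding problem just described, added here as an example (not the manifesto's or any key server's code): it walks the OpenPGP packet framing, counts signature packets and refuses blobs that carry more than a locally chosen limit. The sample certificates are constructed with dummy packet bodies, and the limit of 1,000 is an assumed policy value.

```python
SIGNATURE_TAG, PUBLIC_KEY_TAG, USER_ID_TAG = 2, 6, 13

def parse_packets(blob: bytes):
    """Yield (tag, body) for each packet in a binary (non-armored) OpenPGP blob.
    Handles old- and new-format headers (RFC 4880 section 4.2); partial-body and
    indeterminate lengths are rejected rather than guessed."""
    i = 0
    while i < len(blob):
        ctb, i = blob[i], i + 1
        if not ctb & 0x80:
            raise ValueError("offset %d is not a packet header" % (i - 1))
        if ctb & 0x40:                       # new format: tag in the low 6 bits
            tag, first, i = ctb & 0x3F, blob[i], i + 1
            if first < 192:
                length = first
            elif first < 224:                # two-octet length encoding
                length, i = ((first - 192) << 8) + blob[i] + 192, i + 1
            elif first == 255:               # five-octet length encoding
                length, i = int.from_bytes(blob[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length not supported")
        else:                                # old format: tag in bits 5..2
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(blob[i:i + size], "big"), i + size
        body = blob[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        i += length
        yield tag, body

def count_signatures(blob: bytes) -> int:
    return sum(1 for tag, _ in parse_packets(blob) if tag == SIGNATURE_TAG)

def safe_to_import(blob: bytes, max_signatures: int = 1000) -> bool:
    """Import policy: refuse a certificate carrying an implausible number of
    signatures (the threshold is an assumed local policy value, not a standard)."""
    return count_signatures(blob) <= max_signatures

def _packet(tag: int, body: bytes) -> bytes:
    """Encode a short new-format packet (only used to build the samples below)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed samples (dummy bodies): one self-signed cert, one with 50,000 signatures.
_KEY = _packet(PUBLIC_KEY_TAG, b"\x04" + b"\x00" * 8) + _packet(USER_ID_TAG, b"alice")
NORMAL_CERT = _KEY + _packet(SIGNATURE_TAG, b"\x04" * 20)
POISONED_CERT = _KEY + _packet(SIGNATURE_TAG, b"\x04" * 20) * 50_000
```

GnuPG 2.2.17 and later address the same problem by importing only self-signatures from key servers (`import-options self-sigs-only`).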
In addition, since a key and its related information can never be deleted from the key servers, the so-called revocation certificate was introduced [8]. By uploading the revocation certificate of a key, the actual owner can render their key invalid, thereby retiring the key. However, since by design anyone in possession of the private key can revoke the corresponding public key, one cannot distinguish a revocation certificate issued by the real owner from one issued by an attacker who has compromised the private key. Consequently, other PGP users may refuse to trust the revocation certificate and continue to make use of the revoked key. The fact that a revocation certificate may not originate from the legitimate key owner further inhibits the adoption of PGP.
Key ID Spoofing
To facilitate downloading keys from the key servers, PGP provides several approaches to searching for a particular key. One of them is the “key ID”, which is simply the lowest 32 or 64 bits of the hash value of a public key. Regrettably though, the introduction of the key ID opened a new avenue for key impersonation attacks. Due to the short length of the key IDs, an attacker can efficiently generate different public keys with an identical key ID. For example, it has been reported that a 32-bit key ID collision for a public key can be found within merely 4 seconds [9].
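How the key IDs are derived, as an added example (not code from the manifesto or from a PGP implementation): the version 4 fingerprint is the SHA-1 of the public-key packet as RFC 4880 specifies, the long and short key IDs are its trailing 64 and 32 bits, and a lookup by short ID can therefore return several keys. The toy RSA key (n = 3233, e = 17) and the two fingerprints sharing a suffix are constructed values; `fingerprint_matches` is the full comparison a client should perform instead.

```python
import hashlib
import hmac


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-octet bit length, then big-endian magnitude."""
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || 2-octet length || packet body."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def long_key_id(fp: str) -> str:
    return fp[-16:]   # low-order 64 bits of the fingerprint


def short_key_id(fp: str) -> str:
    return fp[-8:]    # low-order 32 bits, the familiar "0x12345678" form


def keys_matching_short_id(keyring: dict, short_id: str) -> list:
    """Every key whose short ID matches; more than one result means the lookup
    is ambiguous and the short ID must not be used to pick a key."""
    return [name for name, fp in keyring.items() if short_key_id(fp) == short_id.upper()]


def fingerprint_matches(expected: str, actual: str) -> bool:
    """The check a client should do instead: compare the full fingerprint."""
    norm = lambda s: s.replace(" ", "").upper()
    return hmac.compare_digest(norm(expected), norm(actual))


# Constructed toy key (n = 61 * 53, e = 17): far too small to be a real key,
# but enough to show how the fingerprint and both key IDs are derived from it.
TOY_FP = v4_fingerprint(rsa_public_key_packet_body(3233, 17, 1_565_000_000))

# Constructed keyring: two fingerprints that deliberately share their last 8 hex
# digits (the 32-bit key ID) even though the full fingerprints differ.
KEYRING = {
    "alice (genuine)": "1A2B3C4D5E6F70819203A4B5C6D7E8F9DEADBEEF",
    "alice (look-alike)": "FFEEDDCCBBAA99887766554433221100DEADBEEF",
    "bob": TOY_FP,
}
```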
Quantum Resistance
Finally, with the advent of quantum computing, the public-key cryptographic schemes adopted by PGP (in particular RSA and elliptic curves) would all become fundamentally broken. A complete replacement of the existing asymmetric cryptographic schemes is therefore necessary. To mitigate this imminent threat, several families of so-called post-quantum cryptography (PQC), i.e. asymmetric cryptographic schemes that are resistant to quantum attacks, need to be carefully examined and tailored, after which proper replacements must be selected to meet the various requirements of PGP.
Conclusion
To sum up, the existing standard of PGP presents various challenges that must be addressed:
1. lack of forward secrecy
2. lack of efficient group messaging/email mechanism
3. fossil cryptographic schemes in the standard
4. improper default security settings, e.g. compression before encryption
5. poor usability
6. problematic trust model and key management
7. rather naive design of the key revocation mechanism
8. insecure design of key IDs
9. asymmetric cryptographic schemes that would soon become broken in the face of attackers who have access to quantum computers
In spite of all those issues, PGP is still arguably the best choice in regard to secure digital communication. For example, the famous NSA whistleblower Edward Snowden made use of PGP to contact journalists [10]. At KPN CISO, we believe that those issues, while daunting, can be addressed and solved. Together with the creator of PGP, Phil Zimmermann, KPN CISO has plans set in motion to work on the next generation PGP standard.
In addition to the eradication of all the aforementioned issues, we envision the new PGP standard to be secure, relieved of its historic burden, open-source, completely free, and available to people in need just like the first PGP edition that was released back in 1991.
[1] https://www.theguardian.com/pgp
[2] https://pgp.cs.uu.nl/plot/
[3] https://tools.ietf.org/html/rfc7457#section-2.6
[5] https://www.vice.com/en_us/article/vvbw9a/even-the-inventor-of-pgp-doesnt-use-pgp
[6] https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f