[8154] in cryptography@c2.net mail archive
Re: Is PGP broken?
daemon@ATHENA.MIT.EDU (L. Sassaman)
Sat Dec 2 19:00:05 2000
Date: Wed, 29 Nov 2000 17:17:28 -0800 (PST)
From: "L. Sassaman" <rabbi@quickie.net>
To: Adam Back <adam@cypherspace.org>
Cc: <nelson@crynwr.com>, <cryptography@c2.net>
In-Reply-To: <200011290359.WAA01120@cypherspace.org>
Message-ID: <Pine.LNX.4.30.QNWS.0011291526510.6540-100000@thetis.deor.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
PGP is less broken than PEM or S/MIME... ;)
I think one could write an entire book on the flaws in PGP, and how they
could be repaired. However, I don't see anything really unique to PGP in
this regard.
Comments on a few of the issues:
It's understandable that RSA was removed during the period of legal
trouble PGP faced because of it. And it's understandable that Phil
Zimmermann and PGP encouraged the use of the new key format, since there
had been new features and improvements made to it over the older RSA
("version 3") key format. It also didn't help PGP overall to have
incompatible versions.
PGP had been through compatibility changes twice before, with no ill
effect. PGP 2.0 was not compatible with 1.0, and 2.5's compatibility was
artificially limited with previous versions (because of PKP issues, I
believe).
PGP gained a large following with 2.6.x, however, so many more people were
affected by the switch to the new key format in 5.x than they had been in
the previous format changes.
Of course, now PGP has added RSA v4 keys and introduced yet another key
type earlier versions can't handle.
GnuPG's lack of support for IDEA is a big problem. There is an IDEA module
that users can "drop in" to add support, but the GnuPG folks have done a
good job of hiding it from the public eye.
Likewise, PGP's lack of support for (or Werner's decision to incorporate
into GnuPG) Blowfish causes problems, since it was the default cipher for
GnuPG for a while. (The problems are not as serious as the IDEA issues,
however.)
GnuPG is still not able to properly use keys made with PGP 2.6.x.
(Messages encrypted and signed with a v3 RSA key cannot be decrypted by
PGP).
I have to disagree with Will Price on two issues he brings up about PGP.
PGP 2.6.2 was a program designed for DOS. The fact that the Unix versions
of PGP 7.0 have an interface that was designed for a different operating
system and that has not been improved since 1993 does not strike me as
something beneficial.
PGP will also never have the platform coverage that open source software
can have. In addition to all the platforms (except Macintosh) that PGP
supports, GnuPG runs on Irix, Tru64, FreeBSD, NetBSD, OpenBSD, BSD/OS,
SCO, SunOS, and others. That's not PGP's fault; it's just the nature of
commercial vs. open source software. But to say that PGP runs on "nearly
all platforms" is misleading.
Neither GnuPG nor PGP are very easy to use, on any platform. PGP's lack of
useful error messages is terrible, and the overwhelming number of bells
and whistles that users see in configuration and operation of the program
detracts from usability. (Yet there are many options that "power-users"
might find beneficial that are missing from PGP.) GnuPG's ad hoc
command-line option design has produced a less-than-intuitive interface.
And integration into mailers has to come a long way before it will be
considered sufficient.
The lack of a central certificate authority[1] in PGP is one of its
biggest benefits and worst flaws. It permits users to get up and running
with a system for encryption and signing without additional expense or
hassle involved with dealing with a CA. It allows for pseudonymous secure
communication. It allows users to build trust relationships that are
meaningful to *them*, not to some large inept corporate body only
interested in making a few dollars [and by the way, would you buy a domain
name?]
However, explaining "fingerprint verification" to new users of PGP is
quite difficult. There are people who have signed my key whom I have never
met. There is a key on the key servers that bears my name and email
address, but was not created by me. People who should know better than to
trust the key servers have used that key in communication with me. If a CA
existed that provided OpenPGP key signing and managed key server services,
a lot of these issues could be addressed. (There is no technical reason
why such a CA couldn't exist. But I wish you luck getting funding for it.)
There have been secure email companies popping up with proprietary key
formats. (Hushmail and Zixit[2] are the two big ones that I can think of
immediately). If RFC 2440 functionality were available in a crypto library
without a restrictive license, perhaps we'd see companies such as those
adopting OpenPGP as the format of choice. Perhaps we would see OpenPGP
features shipping with email clients, so that users would not need to rely
on plugins and wrappers for their email.
OpenPGP needs to become more widely used, and PGP needs more competition.
As it is right now, it benefits PGP when users are forced to upgrade to
the "next version" for any reason. It's more money in their pockets.
If PGP were only one of many programs implementing OpenPGP, any changes to
the program that affected compatibility would be taken much more seriously
by everyone involved, I believe. PGP would risk losing customers by
breaking compatibility, if only the customers had someplace else to go.
Shameless plug: Ben Laurie and I were discussing this exact topic earlier
this month. I'm going to England next month to sit down and hash out
exactly what we want to do, but we would like to add OpenPGP features to
OpenSSL. I plan to put out a call for developers in January but if you are
interested please let me know. I think the benefits of having an
Apache-style licensed OpenPGP toolkit are obvious. (No, this isn't going
to fix compatibility problems between versions of PGP. No, it's not going
to solve the CA vs. ad hoc fingerprint verification issues. But what it
will do is make OpenPGP more desirable to developers wishing to add secure
email services to their products. It will eliminate the need for people to
purchase the PGP SDK or to comply with the GPL if they want to put
seamlessly integrated OpenPGP functionality in their products.)
The upside to all of this is that I believe everyone involved in
developing OpenPGP products wish to correct all the problems associated
with them. Here's to hoping they do.
- --Len.
[1] -- Not exactly true. TrustCenter (www.trustcenter.de) offers PGP key
signing / verification.
[2] -- Sadly, a standard format would only be a small improvement on
Zixit, which has a system that I would never recommend anyone trust for
securing anything of importance.
On Tue, 28 Nov 2000, Adam Back wrote:
>
> No, it's not just you, it is indeed broken. So there are a number of
> culprits:
>
> - Probably mainly RSA for being difficult to deal with, and in general
> letting loose a bunch of rabid lawyers on the crypto community.
> Fortunately the patent has now expired.
>
> - PGP/NAI for shipping versions without RSA support, and for some of
> that time shipping add-ons which added RSA support.
>
> - GPG/FSF for shipping versions without RSA support for patent
> reasons. (And also without IDEA support for patent reasons even now
> that the RSA patent has expired.)
>
> I hate patents.
>
> It seems also there was a fair bit of stupidity on the part of PGP. I
> think they were trying to deal with the problems RSA were causing
> them, when they tried to renege on the license to use RSA that PGP
> acquired through ViaCrypt or whatever the story was. But then they
> apparently decided to consciously try to stamp out use of RSA, and
> release versions without RSA support during times when they in fact
> could use RSA. PRZ was I'm pretty sure I recall trying to persuade
> people to stop using it.
>
> As good cause as it was to stop people using RSA before the RSA patent
> expired -- the approach taken had precisely the opposite effect of
> that desired. Loads of people stuck to 2.x because it was the only
> version that worked. If they had instead made the upgrade smooth with
> no incompatibility issues, I reckon a lot more people would've moved
> over to pgp5.x/6.x. I know I tried it several times and gave up in
> disgust.
>
> And lastly even if they had done it right, GPG went in and fucked it
> up some more by sticking religiously to the "don't use patented
> algorithms" free software mantra to the huge detriment of PGP
> interoperability. The only remaining patent problem is IDEA, and they
> are incredibly reasonable about licensing compared to RSA
> (non-commercial use free, fixed published licensing terms, etc)
>
> I'm sure Vin'll give us the RSA labs spin... over to you Vin :-)
> Perhaps even some PGP folks would like to defend their decisions to
> release PGP versions without RSA support.
>
> Adam
>
> > Is it just me, or is PGP broken? I don't mean any particular version
> > of PGP -- I mean the fact that there are multiple versions of PGP
> > which generate incompatible cryptography. Half the time when someone
> > sends me a PGP-encrypted message, I can't decrypt it. Presuming that
> > I'm right, is anyone attempting to fix PGP?
> >
> > Not to mention anything about PGP keyservers, or the utter and
> > complete absence of anybody doing point-source PGP signing.
>
--
L. Sassaman
Security Architect       | "The world's gone crazy,
Technology Consultant    | and it makes no sense..."
                         |
http://sion.quickie.net  | --Sting
-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.
iD8DBQE6JaqwPYrxsgmsCmoRAkbLAJ0QmEPs7Nb6ioLueJxTlVHZOmZxqQCgjyCD
GLdjeyXYe6/5ehCImeZc4o8=
=0Yvv
-----END PGP SIGNATURE-----
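Added example, not part of this thread: the two fingerprint constructions from RFC 2440 that "fingerprint verification" rests on, for the v3 RSA keys and v4 keys the message discusses. It shows why a v3 key ID depends only on the low bits of the modulus while a v4 key ID is taken from a SHA-1 fingerprint over the whole key packet, and ends with the out-of-band comparison a user should do before trusting a key fetched from a key server. The key values and timestamp are constructed toy data, far too small for real use.

```python
import hashlib
import struct

# Constructed toy RSA public key (assumption: not a real key, only to exercise the encoding).
N = 0xC9F1F7A8ED3B5C2F4D6E8A9B0C1D2E3F4A5B6C7D8E9FA0B1C2D3E4F5A6B7C8D9
E = 65537
CREATED = 975545848  # constructed key creation time, seconds since the Unix epoch


def mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-octet big-endian bit count, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v3_fingerprint(n: int, e: int) -> bytes:
    """RFC 2440 11.2: MD5 over the MPI bodies of n then e, with the length octets omitted."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes((e.bit_length() + 7) // 8, "big")
    return hashlib.md5(body).digest()


def v3_key_id(n: int) -> bytes:
    """A v3 key ID is simply the low 64 bits of the modulus, unrelated to the fingerprint."""
    return (n & ((1 << 64) - 1)).to_bytes(8, "big")


def v4_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """v4 RSA public key packet body: version 4, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(n: int, e: int, created: int) -> bytes:
    """RFC 2440 11.2: SHA-1 over 0x99, the 2-octet body length, and the whole packet body."""
    body = v4_public_key_packet_body(n, e, created)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def v4_key_id(n: int, e: int, created: int) -> bytes:
    """A v4 key ID is the low 64 bits (last 8 octets) of the v4 fingerprint."""
    return v4_fingerprint(n, e, created)[-8:]


def format_fingerprint(fp: bytes) -> str:
    """Render as the spaced hex groups PGP prints: 4-char groups for v4, 2-char pairs for v3."""
    hexed = fp.hex().upper()
    width = 4 if len(fp) == 20 else 2
    return " ".join(hexed[i:i + width] for i in range(0, len(hexed), width))


def matches_trusted(fp: bytes, owner_supplied: str) -> bool:
    """Out-of-band check: the fetched key's fingerprint must equal the one the owner gave you."""
    return fp.hex().upper() == "".join(owner_supplied.split()).upper()
```

A key on a key server that carries the right name and address but fails `matches_trusted` against a fingerprint obtained directly from its owner is exactly the impostor-key case described in the message.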