Sunday, March 1, 2015

Why Perfect Forward Secrecy won't work over PGP?

Repeat the title here: Why Perfect Forward Secrecy won't work over PGP?

tl;dr because it's a logistic nightmare.

Perfect forward secrecy uses a one-time session key to secure a cryptographic communication channel using a long term key. The session key is negotiated in such a way that gaining access to the long term key will not recover the session key, so if the long term key is compromised, it cannot be used to decrypt a previously eavesdropped communication.

Of course, the compromised long term key could be used by a malicious third-party to impersonate as the victim in negotiating the cryptographic communication channel in the future.

An example of perfect forward secrecy is Diffie-Hellman key exchange. Such key exchanges are typically implemented over TLS where two computers automatically negotiate the cryptographic channel transparently to the users.

PGP, on the other hand, involves the user heavily as part of the negotiation. First you need to decide whom you include in your Web of Trust, by verifying in person their public key fingerprint. Without this step, you could be encrypting an important message for the wrong party. Then when you encrypt, you need to pick a cipher algorithm that your recipient's software knows how to decrypt. Back then it was a confusing boatload of 3DES, IDEA, TwoFish, BlowFish which sound like something from Dr. Suess. Nowadays you could count on AES. PGP then creates a random symmetric key, encrypts it with the recipient's public key, and produces the cipher text for you to deliver. This process is already onerous in itself. Only the most determined individual would put up with this effort.

For Perfect Forward Secrecy to work, both the sender and the recipient have to contribute to the creation of the one-time session key. You need to first complete the key negotiation, send the negotiation to the recipient and hear back, before you can encrypt the actual message. You can't have Perfect Forward Secrecy without participation from the recipient. This is a logistic nightmare.

This is not to say that even more determined pair of individuals could pull this off.

No comments: