Is PGP still perfect encryption? And is it still used?


I just finished reading Simon Singh’s The Code Book, and I got the impression that PGP was basically uncrackable, and more or less always will be. However, the book was written 20 years ago, so, is this still true?


When we design crypto systems like PGP and SSL we do so assuming that computers will get faster and vulnerabilities will get found. So we make them modular so that we can upgrade the modules one by one and still retain backwards compatibility. So the PGP version used 20 years ago is no longer considered uncrackable, although it does hold up very well. However the modern versions are using encryption algorithms that were not even invented back then and typically use key sizes that were unheard of back then. They still use the same principles and message formats but that is where the comparison ends.

PGP was based on several ideas like public key encryption being used to encrypt a session key for a symmetric key which was used to encrypt the data. It’s like using a lock within a lock but the session key is meant to be as hard to crack as the original public key.
It also uses things like hashing to electronically sign documents as a form for you to confirm the original.

The principles are still used but specific algorithms or key lengths will have changed from 20 years ago. With the increase of computing power the Data Encryption Standard (DES) protocol became much easier to crack as it only has a 56 bit key. A stop gap of encrypting data three times (tripleDES) was used before a replacement algorithm, AES (Advanced Encryption Standard).

PGP has evolved into a web standard which is implemented by the GNU Privacy Guard as free software. See https://gnupg.org/

The only perfect encryption I know is with a one time pad, which requires overheads like getting a key to you securely, but if I can get a key to you securely why can’t I send the message to you securely? And public key encryption gave ways for someone to encrypt data with your public key that only you could decrypt with your private key.

I don’t think there are any known serious attacks on PGP itself, but PGP is more “a practical way of using asymmetric encryption”. It has to use some form of asymmetric encryption (e.g. RSA) to share secret keys – and the security of PGP can therefore never be stronger than the encryption used here.

Usually when someone says “perfect security” it means that even with infinite computing power, you could never decrypt the message. Which is not the case for something like RSA – but we still believe it to be infeasible to break in practice for now.

The encryption itself is solid. But PGP is so hard to use correctly that almost nobody uses it nowadays (at least not for e-mail), and if they do, there’s a good chance that they’re making mistakes that mean they’re not really as protected as they think they are.

Nowadays, people tend to use e.g. Signal, which is secure *and* easy to use (and easy to use *correctly*).

PGP (or rather the open source version, GPG) is still used in some places, especially for signatures, but the original use case (e-mail) is almost dead.

PGP was never perfect encryption; it was never meant to be. PGP even stands for “Pretty Good Privacy” and is wayyyy better than unencrypted emails, but nothing except a properly used One Time Pad is “uncrackable”.

PGP relies on the same stuff as HTTPS/SSL by using public/private key pairs. These key pairs are longggg so they’re hard to crack, hard enough to ensure no casual script kiddie can do it. Modern systems are using 2048 bit or 4096 bit long keys which would take years even with the NSA or similar working on it, but 1024 bit and below keys are definitely crackable by any nation state, and 512 bit keys could be done on AWS in an afternoon, which is why we use extra long keys now.

If you want “perfect” encryption you best get to making yourself some One-Time Pads. These are the only known method that is unbreakable regardless of the resources you could throw at cracking an encrypted message.

But there are some major practical issues with using them for most applications we use encryption for.

Something like PGP is, as far as is currently known, effective at encrypting to a level of security that is not known to be hackable using current, or reasonably anticipated future, technology. If anyone has found a way to break it they’re not sharing their discovery.
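The one-time pad property that several answers above call "perfect", and the "properly used" caveat, shown as an added example that is not part of the original posts. The messages are constructed samples and all function names are made up for this illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; a pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("lengths differ: a one-time pad cannot be stretched")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes) -> tuple[bytes, bytes]:
    """Encrypt under a fresh random pad. Returns (key, ciphertext)."""
    key = secrets.token_bytes(len(plaintext))
    return key, xor_bytes(plaintext, key)


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, key)


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the key under which `ciphertext` decrypts to `candidate`.

    Such a key exists for EVERY candidate of the same length, and all keys
    are equally likely, so the ciphertext reveals nothing except its length.
    Unlimited computing power does not help: there is nothing to search for.
    """
    return xor_bytes(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Failure mode: if one pad encrypted both messages, the pad cancels out
    and the result equals plaintext1 XOR plaintext2."""
    return xor_bytes(c1, c2)


# Constructed sample messages of equal length.
MSG_A = b"MEET AT NOON"
MSG_B = b"MEET AT DAWN"

if __name__ == "__main__":
    key, ct = otp_encrypt(MSG_A)
    print("real decryption:     ", otp_decrypt(key, ct))
    # The same ciphertext is just as consistent with a different message.
    print("alternative plaintext:", otp_decrypt(key_explaining(ct, MSG_B), ct))
    # Pad reused for a second message: zero bytes mark where the texts agree.
    ct_b = xor_bytes(MSG_B, key)
    print("reuse leak (hex):     ", reuse_leak(ct, ct_b).hex())
```

RSA and the symmetric ciphers PGP uses do not have this property: for them only one key gives a sensible plaintext, so their security rests on that key being infeasible to find.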