Johns Hopkins University professor Matthew Green says the PGP encryption protocol is badly out of date and fails to meet modern public key cryptography needs.
Green notes the advances made since PGP was first introduced in 1991 and recognizes that the protocol was revolutionary at the time, but he says it still too strongly resembles the 1991 version, whose usability was poor. Green argues PGP persists largely because of the need to continue supporting legacy systems and the lack of a clearly superior alternative.
His main complaints are that PGP's public keys are too long and difficult to compare manually, yet an awkward interface makes handling keys by hand almost mandatory. The key servers used to deliver the public keys are also not always secure and trustworthy themselves. Green says OpenPGP is especially lacking, with popular formats that have been thoroughly exploited and default settings that leave much to be desired.
He says improving PGP would involve improving its key management, implementing forward secrecy and newer and better cryptography, and allowing support for some legacy systems to lapse in the name of better features going forward.
From Help Net Security
Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA