Encryption Mechanism of PGP program
The study is an assessment of the Pretty Good Privacy (PGP) program where it explores the encryption mechanism in great detail. The assessment involves identifying the various services offered by the PGP encryption program and describes the mechanism in the order they occur along with illustrating the PGP message format in tabular format and briefly describing the strengths to weaknesses of PGP certificates. After that the report identifies Internet of Things (IoT) as the field for the case study which is chosen to be the infamous EFAIL vulnerability of 2018. With a comprehensive analysis on the case study performed, the study provides concluding notes.
Literature Review
The encryption program Pretty Good Privacy (PGP) is used to provide cryptographic authentication and privacy for data communication (Ruoti et al. 2015). PGP signs encrypts and decrypts files, directories, texts and emails. The open standard platform OpenPGP (RFC 4880) is followed by PGP (Wouters 2016). Here a serial combination of symmetric-key cryptography, data compression, hashing and public-key cryptography is employed. Every public key must correlate to an email or username. As a result this encryption scheme has become the industry standard in securing services for e-mail communication.
The security services obtained through PGP are:
- Privacy
- Sender Authentication
- Message Integrity
- Non-repudiation
Apart from the above mentioned security services, support for key management and data compression are also obtainable (Kumar 2015). PGP relies on existing cryptographic algorithms like IDEA, RSA, MD5 instead of inventing newer ones. This makes PGP easy to implement and compatible with conventional security set ups. The working of PGP is explored in the following steps:
- The hash of the message is calculated using the MD5 algorithm (Gupta and Kumar 2014).
- The 128-bit resultant hash is signed by the sender’s private key using the RSA algorithm (Jamgekar and Joshi 2013).
- The digital signature is added to the message and compression of the resultant message is performed.
- The symmetric key is a 128-bit key that is generated for encrypting the compressed message using the IDEA algorithm (Ebrahim, Khan and Khalid 2014).
- Encryption of this symmetric key is done with the recipient’s public key using the RSA algorithm and appended with the encrypted message.
The PGP message format is illustrated in the table below:
|
Public Key ID |
Symmetric Key |
Sign |
Time |
Private Key ID |
Algorithm Used |
MD5 Hash |
Message Text |
|
Keys |
Signature |
||||||
|
Encrypted and compressed part |
|||||||
|
Base 64 format |
Here the IDs denote what key is encrypting the symmetric key and what key is verifying the hash signature (Fatima, Ahmad and Siddiqui 2015).
PGP key certificates are established after a consistent trust chain. The sender’s public key is signed by the recipient with his own public key and this public key is signed by the next recipient with his public key (Ryan 2014). The continuation of this process creates a trust chain. Here any user can act as a certifying authority and any user can certify another user’s public key. This certificate is valid as long as the user certifying the public key is considered trustworthy by the other user. However, this certification method has certain issues. It is difficult to find chains that lead from a trusted and known public key to the desired key as also there can exist multiple chains leading to different keys of the desired user. But the PKI infrastructure can also be used by PGP to certify public keys from the certification authority CA (X.509 certificate).
Critical review of Business Case
PGP message format
The field chosen for the following business case study is Internet of Things (IOT) where the recently discovered vulnerability of PGP termed EFAIL is the selected business case study (Burt and Geer 2018). Professor Sabastian Schinzel, of Munster University, Germany alleged that he and his team were about to publish a paper that exposes the vulnerability in PGP/GPG and S/MIME email encryption schemes (Poddebniak et al. 2018). The warnings issued by the group of researchers have caused alarming concerns among privacy advocates. The concerns are rising as PGP is a very popular end to end and open source encryption standard which is broadly used at the political level, among reporters of repute and established businesses who seek to secure their messaging and communication processes. The Digital Civil Liberties group, EFF or Electronic Frontier Foundation issued advisory stating that the vulnerabilities pose immediate risks for users who use the concerned encryption schemes for their email communication and that the risks include the potential of exposing past messages. They suggest users should disable or uninstall tools and services used for automatically decrypting PGP encrypted email and further went on to name a few of these widely used tools namely – Apple Mail, Gpg4Win for Outlook, Enigmail and Thunderbird (Melšová 2017). With the full report getting leaked early by the German newspaper Suddeutsche Zeitung, the lead researcher took to twitter and a row ensued between the backers of the report and those not so impressed by it.
With the events unfolding political dissidents, businesses and journalists chose to rely on PGP in maintaining online privacy. Despite the massive hue and cry, many among the privacy community were left unimpressed by the way the disclosure was handled as pointed out that the report ultimately ended up detailing vulnerabilities in the email clients instead of the PGP method itself.
In response to the outbreak, developers of the email encryption program, including creator of PGP Phil Zimmermann came to the front and targeted EFF for blowing the issue out of proportion terming the advice as dangerously misleading and assuring EFAIL vulnerabilities not being flaws of the OpenPGP protocol but errors created while implementation which can be performed by anyone since PGP is open standard.
Werner Koch of GnuPG said that the issue was overblown by EEF and stated how the topic of the paper mentioned the use of HTML as back channel to serve as medium for modified encrypted emails (Walfield 2017).
Strengths and weaknesses of PGP certificates
It is a known fact that HTML mails and specifically external links such as <img href=”tla.org/TAG”/> are harmful if targeted by MUAs (Mail User Agent). Broken MIME parsers allow multiple MUAs to concatenate to decrypted HTML mime parts making malicious html snippets easily plantable (Poddebniak et al. 2018). As a result it is suggested not to use HTML mails but if so then a proper MIME parser must be used disallowing all access to any external links. Another way around can be the use of authenticated encryption. This is easy for PGP since authenticated encryption (AE) was adopted in 2000 or 2001 when Modification Detection Code (MDC) was introduced for a similar threat (Recacha 2013). But for some PGP implementations that have been very late in introducing MDC, the threat looms large.
Thunderbird responded saying that a patch addressing the last known exploit vector was undergoing testing and would be made available shortly (Poddebniak et al. 2018).
ProtonMail however was most blunt in hitting back at the disclosure. The private email servicer based in Switzerland added that the real vulnerabilities laid with the different individual clients of PGP and that there is no issues with the PGP and OpenPGP programs. It further mentioned that services using openpgp.js library are also safe until changes are made to the default settings (Corrigan-Gibbs and Ford 2013). In its most scathing attack at the researchers ProtonMail termed as Efail as being a prime example of irresponsible disclosure and accused the story of being hyped to the EFF and mainstream media only to get the recommendation published irresponsibly.
A cryptographer from Google though responded back at the negative feedback from the community and termed publishing as a perfect case study for safe APIs and why users implementing the program should not be blamed for vulnerabilities in today’s day and age.
An irresponsible disclosure or not, the paper the shaken up the infrastructure across the board in the space of Internet of Things (IoT) (Burt and Geer 2018). Several mailing clients scrambling for patches for EFAIL testifies it. Messages and communications play critical role in the massive interconnection of devices, tools and platforms of businesses, organizations as well as in personalization the various digital assets of individual end users and any vulnerability in PGP encryption program if not addressed can have catastrophic impact.
Conclusion
To conclude the study explores thoroughly the PGP encryption program by listing the services obtainable, a stepwise elaboration of the encryption mechanism, visual representation of PGP message format and evaluating the advantages and disadvantages of PGP certificates. The report then identifies EFAIL as the case study for the IoT landscape and conducts a comprehensive analysis of the said vulnerability mentioning how it is affecting the environment and platforms pertaining to PGP and how it may affect the IoT landscape. From the analysis it is easily understandable that the encryption mechanism of PGP remains fool proof, although the environment and platforms implementing the PGP program has to be fully secured. For otherwise, vulnerabilities like EFAIL can cause wide ranging damages, mostly unrecoverable for in the IoT landscape the spreading of vulnerabilities is difficult to manage.
References
Burt and Geer (2018). DATA PROTECTION FOR THE DISORIENTED, FROM POLICY TO PRACTICE. [online] Hoover.org. Available at: https://www.hoover.org/sites/default/files/research/docs/burtgeer_flatlight_revisednov20_webreadypdf_final.pdf [Accessed 8 Feb. 2019].
Corrigan-Gibbs, H. and Ford, B., 2013, November. Conscript your friends into larger anonymity sets with JavaScript. In Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society (pp. 243-248). ACM.
Ebrahim, M., Khan, S. and Khalid, U.B., 2014. Symmetric algorithm survey: a comparative analysis. arXiv preprint arXiv:1405.0398.
Fatima, S., Ahmad, S. and Siddiqui, S., 2015. X. 509 and PGP Public Key Infrastructure methods: A critical review. International Journal of Computer Science and Network Security (IJCSNS), 15(5), p.55.
Gupta, P. and Kumar, S., 2014. A comparative analysis of sha and md5 algorithm. architecture, 1, p.5.
Jamgekar, R.S. and Joshi, G.S., 2013. File encryption and decryption using secure RSA. International Journal of Emerging Science and Engineering (IJESE), 1(4), pp.11-14.
Kumar, S.N., 2015. Review on network security and cryptography. International Transaction of Electrical and Computer Engineers System, 3(1), pp.1-11.
Melšová (2017). PGP (GPG) encryption for small and medium enterprises. [online] Is.muni.cz. Available at: https://is.muni.cz/th/uticm/thesis.pdf [Accessed 8 Feb. 2019]
Poddebniak, D., Dresen, C., Müller, J., Ising, F., Schinzel, S., Friedberger, S., Somorovsky, J. and Schwenk, J., 2018, August. Efail: Breaking S/MIME and OpenPGP email encryption using exfiltration channels (draft 0.9. 1). In Proceedings of the 27th USENIX Security Symposium.
Recacha, F., 2013. IOC: The most lightweight authenticated encryption mode. Submission to National Institute of Standards and Technology.
Ruoti, S., Andersen, J., Zappala, D. and Seamons, K., 2015. Why Johnny still, still can’t encrypt: Evaluating the usability of a modern PGP client. arXiv preprint arXiv:1510.08555.
Ryan, M.D., 2014, February. Enhanced Certificate Transparency and End-to-End Encrypted Mail. In NDSS.
Walfield, N.H., 2017. An Advanced Introduction to GnuPG.
Wouters, P., 2016. Dns-based authentication of named entities (dane) bindings for openpgp (No. RFC 7929).
Order an Essay Now & Get These Features For Free:
Turnitin Report
Formatting
Title Page
Citation
Outline
