SoK: Why Johnny Can't Fix PGP Standardization

by   Harry Halpin, et al.

Pretty Good Privacy (PGP) has long been the primary IETF standard for encrypting email, but suffers from widespread usability and security problems that have limited its adoption. As time has marched on, the underlying cryptographic protocol has fallen out of date insofar as PGP is unauthenticated on a per message basis and compresses before encryption. There have been an increasing number of attacks on the increasingly outdated primitives and complex clients used by the PGP eco-system. However, attempts to update the OpenPGP standard have failed at the IETF except for adding modern cryptographic primitives. Outside of official standardization, Autocrypt is a "bottom-up" community attempt to fix PGP, but still falls victim to attacks on PGP involving authentication. The core reason for the inability to "fix" PGP is the lack of a simple AEAD interface which in turn requires a decentralized public key infrastructure to work with email. Yet even if standards like MLS replace PGP, the deployment of a decentralized PKI remains an open issue.



There are no comments yet.


page 1

page 2

page 3

page 4


Statistical Analysis of ReRAM-PUF based Keyless Encryption Protocol Against Frequency Analysis Attack

There has been a growing interest in fully integrating Physical Unclonab...

Re: What's Up Johnny? -- Covert Content Attacks on Email End-to-End Encryption

We show practical attacks against OpenPGP and S/MIME encryption and digi...

PakeMail: authentication and key management in decentralized secure email and messaging via PAKE

We propose the use of PAKE for achieving and enhancing entity authentica...

IoD-Crypt: A Lightweight Cryptographic Framework for Internet of Drones

Internet of Drones (IoD) is expected to play a central role in many civi...

Authentication and Key Management Automation in Decentralized Secure Email and Messaging via Low-Entropy Secrets

We revisit the problem of entity authentication in decentralized end-to-...

Bionic Optical Physical Unclonable Functions for Authentication and Encryption

Information security is of great importance for modern society with all ...

A Critique of Immunity Passports and W3C Decentralized Identifiers

Due to the widespread COVID-19 pandemic, there has been a push for `immu...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.