SoK: why Johnny can't fix PGP standardization

Pretty Good Privacy (PGP) has long been the primary IETF standard for encrypting email, but it suffers from widespread usability and security problems that have limited its adoption. Over time, the underlying cryptographic protocol has fallen out of date: PGP is unauthenticated on a per-message basis and compresses before encrypting. Attacks on its increasingly outdated primitives and on its complex clients have grown in number. Yet attempts to update the OpenPGP standard at the IETF have failed, apart from the addition of modern cryptographic primitives. Outside of official standardization, Autocrypt is a "bottom-up" community attempt to fix PGP, but it still falls victim to attacks on PGP that involve authentication. The core reason PGP cannot be "fixed" is the lack of a simple AEAD interface, which in turn requires a decentralized public key infrastructure to work with email. Even if standards like MLS replace PGP, the deployment of a decentralized PKI remains an open issue.
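To make concrete the two protocol-level weaknesses the abstract names (no per-message authentication, and compression before encryption), here is an added illustration in Python that is not from the paper: a toy unauthenticated stream is set beside the encrypt-then-MAC shape of an AEAD, and zlib shows how compression makes ciphertext length depend on content. The keystream construction, keys, nonce and messages are constructed stand-ins, not OpenPGP's actual CFB mode or packet format.

```python
import hashlib
import hmac
import zlib

# Toy keystream (SHA-256 in counter mode), constructed here only to stand in for
# an unauthenticated stream cipher; it is not a real cipher and not OpenPGP's CFB.
def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Unauthenticated encryption: the receiver cannot tell whether the ciphertext was
# modified in transit; decryption simply returns whatever falls out.
def encrypt_unauth(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    return xor(pt, keystream(key, nonce, len(pt)))

def decrypt_unauth(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return xor(ct, keystream(key, nonce, len(ct)))

# Encrypt-then-MAC, the minimal AEAD shape: the tag covers nonce, ciphertext and
# associated data (e.g. headers), so modification is rejected; one key reused for brevity.
def encrypt_aead(key: bytes, nonce: bytes, pt: bytes, ad: bytes = b"") -> bytes:
    ct = encrypt_unauth(key, nonce, pt)
    return ct + hmac.new(key, ad + nonce + ct, hashlib.sha256).digest()

def decrypt_aead(key: bytes, nonce: bytes, blob: bytes, ad: bytes = b""):
    ct, tag = blob[:-32], blob[-32:]
    expect = hmac.new(key, ad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # integrity failure: reject rather than hand back garbage
    return decrypt_unauth(key, nonce, ct)

# Compress-then-encrypt: ciphertext length tracks how compressible the plaintext
# is, so the length alone leaks information about the content.
def compressed_len(pt: bytes) -> int:
    return len(zlib.compress(pt))
def flip(ct: bytes, pos: int, mask: int) -> bytes:  # one byte altered in transit
    return ct[:pos] + bytes([ct[pos] ^ mask]) + ct[pos + 1:]

if __name__ == "__main__":
    key, nonce, msg = b"k" * 32, b"n" * 8, b"pay $100 to Alice"  # constructed
    ct = encrypt_unauth(key, nonce, msg)
    print(decrypt_unauth(key, nonce, flip(ct, 5, 0x08)))  # b'pay $900 to Alice'
    blob = encrypt_aead(key, nonce, msg, ad=b"From: bob")
    print(decrypt_aead(key, nonce, flip(blob, 5, 0x08), ad=b"From: bob"))  # None
    print(compressed_len(b"A" * 64) < 64 < compressed_len(bytes(range(64))))  # True
```

The unauthenticated path silently accepts the altered ciphertext, the AEAD path returns None for both a modified ciphertext and mismatched associated data, and the two equal-length plaintexts compress to very different sizes.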
