How secure are PGP-encrypted telephones?

PGP - Pretty Good Privacy (OpenPGP)

PGP is a security standard with an encryption concept that was invented by Phil Zimmermann in 1991. A commercial variant has developed from this, which has changed hands several times and no longer plays a role. The mistrust that back doors and security loopholes have crept in when there is a change of ownership is too great.

OpenPGP (RFC 4880), which is based on PGP version 5, has existed since 1998. When you talk about PGP, you basically mean OpenPGP. In order to avoid confusion between the original PGP and OpenPGP, experts like to use the term GPG, which is the software implementation GNU Privacy Guard (GnuPG) from OpenPGP.

PGP is based on a mutual trust model between people who exchange their public keys and confirm identity and trustworthiness.
PGP or OpenPGP is a standard for encrypting e-mails and authenticating the sender that probably works best. However, it does require a little training and must be actively used by the respective communication partners. Unfortunately, PGP is not widely used.

Software: GNU Privacy Guard, plugins and extensions

Open source software called GNU Privacy Guard, abbreviated GPG or GnuPG, has been available for OpenPGP since 1999 and is available for all common operating systems. GnuPG is based on OpenPGP and is the post-programming (by Werner Koch) of PGP in the form of free software. OpenPGP is an open standard published by the IETF as an RFC.
Because GnuPG can only be operated via the command line, there are graphical user interfaces for the various operating systems that simplify operation.

GnuPG essentially limits itself to importing keys and entering the passphrase. For the integration into the e-mail client, special extensions are required, which have to be installed later. The PGP or GPG extensions for the various e-mail clients require that GnuPG is installed. Sometimes GnuPG brings the extension for the e-mail client with it. But not always.

  • Microsoft Outlook: Plugin GpgOL (Gpg4win) or Outlook Privacy Plugin
  • Apple Mail: GPG for Mail (GPGTools)
  • Thunderbird: integrated

Encrypting emails on mobile devices is difficult. Especially when it comes to security. The problem with a smartphone that you always carry around with you is that the secret key is stored in clear text. A smartphone must therefore be secured in such a way that there is no possibility of access if it is lost. So at least access protection by password or PIN is required.
Then there is the question of how to import the secret key into the device. In any case, not in plain text by email. Not even through cloud applications. Better to import via a PC.

  • iOS: not available
  • Android: Plugin AndroidPG (APG) with the mailer K9 or Kaiten, OpenPGP keychain with K9

Unfortunately, all user interfaces for GnuPG only support a subset of the functions that GnuPG can actually do. The encryption and decryption of e-mails is integrated everywhere. The key management, which is just as important, is usually implemented in a very intransparent manner.

How PGP works

PGP or OpenPGP is an encryption concept in which the participants authenticate each other. There is no central authority that could be compromised. There are only a few keyservers on which the public key is stored.

Two of the main uses of PGP are to sign and encrypt e-mail. A key pair consisting of public and private keys is required for encryption. The private key remains secret. The public key is published and is used to encrypt the emails. The email can then only be decrypted by the owner of the private key.

At the same time, the public key serves as a signature that can be used to confirm the authenticity of an email. Because there is no point in getting an encrypted e-mail if you cannot ensure that it actually originates from the specified sender.

Therefore, the public key must be authenticated by other PGP users. The participants authenticate the public keys of people they know with their private key. At the same time, the trustworthiness of the person-key connection is defined.

Key pair, fingerprint and key ID

Every PGP user has a key pair. The key pair consists of the public key and private key. The public key is given to the participants from whom you want to receive encrypted e-mails. The private key remains secret. This allows you to decrypt the e-mails that were encrypted with your own public key.

Each key pair also has a key ID and a digital fingerprint. The key ID is not necessarily unique. It is only together with the fingerprint. Anyone can use the fingerprint to check the authenticity of a public key. The fingerprint is a checksum of the key data in hexadecimal form.

signature

The public key has a second function: signing. This allows e-mails to be digitally signed to certify their authenticity.
The email client uses the PGP extension to create a checksum (hash value) for the content of the email. Finally, the user signs this hash with his secret key. The recipient can use the associated public key to check the signature (verify signature).
The recipient's e-mail client also generates a hash upon receipt, decrypts the hash created by the sender with the sender's public key and compares both hash values. If they are the same, the content of the mail was not manipulated when it was sent. The sender of the mail is actually the sender.

Together with the e-mail address, the recipient of e-mails can check whether an e-mail actually came from the person who sent it. The encryption would be worthless if it is not ensured that it is communicating with the right person. If the identity is not guaranteed, then you can save yourself the encryption.

Web of Trust

While with SSL / TLS or S / MIME a central authority, a certification authority (CA) confirms the trustworthiness of a key, PGP is based on the mutual trust of the users among each other. To do this, every PGP user has to authenticate the public keys of the people he trusts with his private key. This means that the PGP user confirms that the public key is guaranteed to belong to the person who published the key.
The check can be carried out by asking for a fingerprint over the phone or by checking ID. A self-checked key is, for example, a "direct trust". In addition, the trustworthiness of a person can be determined.

The process of authenticating other people's public keys seems cumbersome at first glance. But mutual authentication creates a network of mutual trust. This is known as the "Web of Trust (WoT)". As one becomes more and more trustworthy in this way, others also become more trustworthy. Until the trust is withdrawn.
This network helps evaluate an unknown person with an unknown key. You can manage without a central authority. The assessment takes place automatically in the background. The software determines a so-called "key legitimacy" from the data of people who are connected to this person-key combination.
In order for the trust network to work, users have to control, maintain and continuously expand their trust network.

Building your own network of trust is about as time-consuming as building a network of contacts in Xing or Facebook. As a rule, however, there are nowhere near as many people who have their own PGP key. That is why there are crypto parties in larger cities where beginners can get help from professionals with e-mail encryption and at the same time authenticate each other's public key. In this way you can build your own web of trust relatively quickly and at the same time become part of other trust networks.

Keyserver

Keyservers store and publish public keys and their attestations. The keyservers are networked with each other and exchange their data. Most keyservers are based on the software "Synchronizing Key Server (SKS)".
Uploading your own public key to a keyserver is the typical procedure for publishing it. In addition to your own key, you also upload the authentications of third-party keys and download the authentications and revocations of third-party keys from people with whom you maintain encrypted communication. One calls one's own collection of public keys "public keyring", which the user should regularly synchronize or update with a keyserver.
It can take a day for all keyservers to apply the changes. It can take several days for all friendly communication partners to apply their own changes.

How secure is PGP / OpenPGP / GnuPG?

PGP or OpenPGP / GnuPG encrypt the content of an email effectively. But not the metadata such as sender, recipient, subject, date, time, size or IP address. It would be desirable that the transmission of e-mails is generally encrypted. Then an attacker has no choice but to put a Trojan on the computer. And the moment the email is opened, it would be readable. However, this is a difficult scenario to execute.

With PGP, the difficulty is more on the user side. It starts with the user having to take care of key management and building a web of trust. Anyone who uses social networks such as Facebook and Xing will have no difficulty understanding and living the trust model. It looks completely different for normal users. It's not that easy for him to understand.

Uploading your own public key to a keyserver makes your social network publicly accessible. PGP reveals the contacts who have classified each other as trustworthy. Anyone who uses Facebook and Xing basically does the same thing.

In principle, PGP is only as secure as the individual users are able to keep their private key and the associated password secret. The encryption can only be considered secure if the owner of the private key can ensure at all times that no one else has got hold of the private key and the associated password.
All security experts agree that PGP is secure enough as long as the key used is long enough. Then cracking encrypted messages is still too time-consuming in practice. Even Edward Snowden trusts his communications with journalists to PGP encryption.

Other related topics:

share

Product recommendations

Everything you need to know about networks.

Network technology primer

The network technology primer is a book about the basics of network technology, transmission technology, TCP / IP, services, applications and network security.

I want that!

Everything you need to know about networks.

Network technology primer

The network technology primer is a book about the basics of network technology, transmission technology, TCP / IP, services, applications and network security.

I want that!