Comment by upofadown

1 year ago

> PGP is 20 years behind cryptographic best practices...

In what sense? If someone signs a package with, say, a RSA key, how is that behind in some way?

> 30 years of unresolved technical debt.

How can a standard for a file/message format have technical debt? PGP is dead simple. Where is this debt hidden?

> In what sense? If someone signs a package with, say, a RSA key, how is that behind in some way?

OpenPGP specifies PKCS#1 v1.5 for RSA padding. Attacks on PKCS#1 v1.5 have been well understood for over 20 years[1]; every few years, someone finds a new one.

RSA itself is well-known for having weird number-theoretic problems that implementations have failed to respect, to catastrophic effects. Best practice for algorithm selection is to pick algorithms where users can't compromise the integrity of the scheme through poor public parameter selection; RSA forces the user to pick a public modulus and exponent, leading to all kinds of silly things that actually happen[2].

Edit: Correcting myself: most attacks on v1.5 padding concern encryption, not signatures. The general fragility argument remains, however.

[1]: https://news.ycombinator.com/item?id=5993959
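To make the two points above concrete (PKCS#1 v1.5 padding for RSA signatures, and the public-parameter checks a verifier should run), here is an added example that is not code from any commenter or from any PGP implementation. It encodes a message with EMSA-PKCS1-v1_5 as specified in RFC 8017, signs and verifies it with a toy RSA key, and verifies by re-encoding and comparing the whole encoded message in constant time rather than parsing the padding. Function names, the 1024-bit demo key size and the sample message are my own constructions; the key size is chosen to keep the example fast and is itself flagged by the check.

```python
import hashlib
import hmac
import math
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 0x01 <0xFF...> 0x00 <DigestInfo||hash>."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division then Miller-Rabin; for the toy key generation only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_rsa_keypair(bits: int = 1024, e: int = 65537):
    """Toy RSA key generation (constructed demo; 1024 bits is below modern minimums)."""
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def check_rsa_public_key(pub) -> list:
    """Sanity checks a verifier can run on (n, e) before trusting any signature."""
    n, e = pub
    warnings = []
    if n % 2 == 0:
        warnings.append("modulus is even")
    if n.bit_length() < 2048:
        warnings.append(f"modulus is only {n.bit_length()} bits (below 2048)")
    if e % 2 == 0:
        warnings.append("public exponent is even")
    elif e < 65537:
        warnings.append(f"public exponent {e} is smaller than 65537")
    if e >= n:
        warnings.append("public exponent is not smaller than the modulus")
    return warnings

def sign_pkcs1_v15(priv, message: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15_encode(message, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def verify_pkcs1_v15(pub, message: bytes, signature: bytes) -> bool:
    """Strict verification: rebuild the expected EM and compare it whole."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    expected = emsa_pkcs1_v15_encode(message, k)
    return hmac.compare_digest(em, expected)

if __name__ == "__main__":
    pub, priv = generate_rsa_keypair()
    msg = b"constructed package contents"
    sig = sign_pkcs1_v15(priv, msg)
    print("valid:", verify_pkcs1_v15(pub, msg, sig))
    print("warnings:", check_rsa_public_key(pub))
```

The design point is in verify_pkcs1_v15: the verifier never walks the 0xFF padding looking for the separator, it recomputes the one encoding the signer could have produced and compares all k bytes, so a signature that decrypts to anything other than that exact byte string is rejected. check_rsa_public_key is the kind of parameter validation the second paragraph above argues for; a real deployment would run it against the key as parsed from the OpenPGP packet, not against a toy key generated in the same process.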

  • Exactly how is PKCS#1 v1.5 vulnerable in PGP usage? You might be confusing PGP usage with encrypted pipe applications like TLS.

    > RSA forces the user to pick a public modulus and exponent, leading to all kinds of silly things that actually happen[2].

    What PGP implementation forces the user to pick the public modulus and exponent?

    • > Exactly how is PKCS#1 v1.5 vulnerable in PGP usage?

      Something that is often misused in a way that compromises security really needs to be proven secure rather than the opposite.

PGP's extremely poor UX would suggest there's code that doesn't exist that should.