Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.

Death to OpenPGP and GPG

Another set of death blows for OpenPGP came out this week. The first being a vulnerability in GPG which caused a weakening of 4096 bit keys. The second being researchers that have been able to attribute the source of RSA keys used by OpenPGP and others. I’ve talked about my opinion (shared by many others) that we should let PGP die. This additional cannon fodder.

The take away is that in the first case, I’m going to make the case that we should all move away from using GPG and in the second case I describe how doing so becomes an attack vector. Damned on both sides.

Weak in the keys

A recent vulnerability in GPG showed that if you chose the non-standard 4096 bit key size when generating your GPG keys, you are actually less secure than if you used 2048. This is caused by a vulnerability in the RNG that libgcrypt uses so that in some cases, 160bytes are predictable if the first 4640 bytes are known. In practice, the attack would mean that an attacker has access to your RNG, you generate a 4096bit key, and the attack is lucky enough to snag a portion of the 512 random bytes that are used to help generate the 4096 bit keys – a task that is not performed for the default 2048 key size.

You should read the original white paper and make your own conclusions. The researchers specifically state that they are not making any conclusions about weaknesses of RSA keys in GPG, but then on the other hand, people are talking about the comments in the patch that discuss the impact on 4096 bit keys.

This may seem theoretical and something easy to patch but when you lump this information and the dire future that GPG has in front of it, one may conclude that it’s time to give up on GPG software completely. Ask yourself, what is an alternative OpenPGP implementation that you could use that isn’t GPG? The answer should scare you when you consider the impact of a nation state targetting this software.

Key Attribution

Besides my normal gripes with OpenPGP, we have a new attack that is able to hurt those people that are trying to remain anonymous while using OpenPGP. Imagine if you will that you are off the grid, generating your GPG keys from a secure location, and completely compartmentalizing your OPSEC efforts. But you publish your keys so that others can communicate with you. And then you wake up and find an attack that is able to deduce the source of your keys.

The reasearch from Petr Svenda called The Million Key Question … Origins of RSA Public Keys the premise was that there are dozens of libraries that let you generate RSA keys and each of these libraries have subtle differences in how they generate these keys. These differences can be identified based on the properties of your public key.

This results in being able to take anyone’s public OpenPGP key, analyze it, and potentially determining the operating system and software used to generate that key pair. With this information attackers may be able to launch targeted attacks on your system or at least know what kind of software you’re running. In the past, when there are fingerprinting attacks like this (e.g. Tor Browser), the best you can do is to try and get everyone to use the same software. There is obscurity in numbers. So should we recommend everyone just use GPG for all of their keys? This is in contrast to my suggestion above and may put you at an even greater risk because the alternatives will be relatively untested compared to GnuPG.

If you want to try the analysis tool out yourself, you can use the online tool to classify someone’s keys here:


For example, watch what happens what you use Jacob Applebaum’s key in the above tool.

What’s Left

So should we get rid of GPG and make yourself fingerprintable? Keep using GPG but let attackers know which version you’re running? Give up on OpenPGP completely? It’s your accepted risk in the end. I will admit that these are difficult attacks to pull of that isn’t going to happen from any skiddy, but it depends on your threat model. I’m less concerned about these specific issues than I am with using crappy software for security purposes. If you’re interested in drama, there are many people that believe that GPG’s developer is a shill for NSA interests. Do your own research and check out a few of the examples.