Encryption is hard

Thu Nov 30 16:41:00 2017

So, after my previous post about PGP[1] on Windows, I think I should go over some of the reasoning behind PGP, what it's for, and hopefully why it has been coming into the limelight a lot more recently.

So, what's the point?

Well, the basic point of it all is privacy. The acronym stands for 'Pretty Good Privacy'; PGP was originally created by Phil Zimmermann to allow anti-nuclear activists to communicate and store files securely[2]. The original history also includes some interesting bits about getting round odd US laws, and is well worth a read.

Anyway, back to what the point is. There are multiple reasons to use PGP, which boil down to Privacy, Security, Identity and Accountability. So let's go through them, with a few examples.

Privacy

We have a right to Privacy - in fact there are numerous occurrences of it being written or implied in law; for example, it's in the UN's Universal Declaration of Human Rights[3], and the USA has, through the Supreme Court, found that the 1st, 3rd, 4th, and 5th Amendments imply this[4]. This all makes sense; messages we send to our friends or significant others should only be between ourselves. For example, if I am talking to Mark in his office, or even when out walking, then if there is no-one else within earshot I can be sure that the conversation is private. The same should be true for online communication; messages I share with Mark through messaging systems, email, etc. should be private. It's not that Mark or I have anything to hide[5], it's just that if we want to swap from basic 'isn't the weather shit right now' to 'how did the doctor's appointment go' we shouldn't have to worry that people are listening in to what is private information.

Another example is a letter. If you send a letter in a sealed envelope to someone, you can be fairly sure, assuming the envelope is undamaged on the receiving side, that the contents of the letter are private and that no-one has opened it[6]. This should be the same for an email, but at present it is not the case - not all email providers send email between servers over TLS connections, which means that messages can be intercepted on the wire without any difficulty, for example by your ISP. The people who control the mail servers could also read anything that is going through before it arrives at its destination.

PGP enables privacy by making sure that only the intended recipient(s) can decrypt the message. If I send them an email which is encrypted using PGP, they and only they can unlock it and read the contents. There is, or at least has been, real-time messaging and audio/video conferencing software which uses PGP underneath to encrypt the traffic on the wire, allowing for fully private communication.

Security

So, I don't know about you, but I lock my house every time I leave it for work or any other time I'm going to be out for longer than it takes to put the bins out. It's sensible: I want my house secure and don't want anyone stealing my TV or guitar - or anything else for that matter. I also lock my computers when I leave them, so that someone can't come up and do something while I'm not there - definitely important given the access to client data and other things which are on there.

Then there are also all my passwords - some of which are impossible to remember (quite literally, I don't know how to type some of the characters in a few of them!) so I have to record them somewhere. That somewhere should be as secure as possible without being impractical - tying them to a rock and dropping them out at sea is going to be fairly secure, but not really useful when I need to use them again.

However, there is also the meaning of security[7], and how that can be applied to yourself - I also generally lock my door while I am in the house. So the ability to secure something in a physical sense is fairly easy to comprehend; securing something digitally, however, is actually a lot harder, as someone doesn't necessarily require physical access to the device to do something.

With PGP, however, you can also be sure that as long as it is encrypted, it is secure - so if you encrypt a password with it, then only you can decrypt it. If a client needs to send you some sensitive details, such as access to their VPN, then instead of sending them over a form of communication that can be intercepted, they can be encrypted and sent with the knowledge that they are secure, and that what arrives at the other end is readable only by the intended recipient, as you don't want some random person (or three letter agency) getting otherwise unauthorised access.

Identity

Which leads nicely into Identity - being able to prove who you are. In the UK at least, there are a couple of ways of doing this which are backed by the government, such as a Driving Licence, or a Passport. These documents prove who I am, and as an aside prove what I am allowed to do, or where I am able to go. These contain my name, Date of Birth, nationality, Address, and an image of me, which, assuming they are not forgeries, prove that I am who I say I am.

In the digital world, that is much harder to do - what with the ability to hide behind a pseudonym or not declare a name at all in some cases, there is no way to actually prove who you are. This has its advantages and disadvantages: you don't have to admit how much of an Anime fan you are to people who may think less of you because of it (although I don't see why you would actually hang out with people like that...), but it also allows for vicious attacks against people without them knowing who actually said it - just take a look at some of the trolls on Twitter, YouTube, or any other public platform with a comment box.

An odd one for this is Facebook, where your identity is fairly well tied to you, and yet people still say and do stupid things on there... but that's not the point here.

So as a PGP key is unique, and you alone control its usage, it can be used to prove who you are, by signing something with your key to say something like 'I wrote this' or 'I built this' or something similar. You can even certify other people's PGP keys, which is you saying 'I trust that this PGP key belongs to this person, who is who they say they are, and they control its usage'. The check behind this is normally done using a government-issued ID, but can also be just because you trust this person in real life.

Accountability

This brings me to the final part of this, which is accountability. Leading on from Identity, where I mentioned that you can sign items: by signing something, for example a piece of code, you also make yourself accountable for it. This is used in a lot of major codebases, and in fact GitHub itself signs all the commits it makes on behalf of a user in the web UI with its own PGP key.

Where this comes into play a lot more is where there may be legal ramifications to errors introduced into the codebase, and being able to say that 'I have verified that all of these changes are made by me' also implies that you have not just compromised the codebase - willingly at least. (If you did it willingly, well... be it on your own head, as they know your identity!)
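The three properties described above (only the recipient can decrypt, a signature ties content to a key, and a signed file cannot be changed unnoticed) can be seen with the `gpg` command line. This is an added example, not part of the original post; it assumes GnuPG 2.1 or later, and the identity, message and throwaway keyring are constructed for the demo.

```sh
#!/bin/sh
# Added example: constructed message, hypothetical identity, throwaway keyring.
# Assumes GnuPG 2.1 or later is installed as `gpg`.

pgp_demo() {
    GNUPGHOME=$(mktemp -d) || return 1      # isolated keyring, not your real one
    export GNUPGHOME
    work=$(mktemp -d) || return 1
    uid='Demo User <demo@example.invalid>'  # hypothetical identity
    msg="$work/msg.txt"

    # Throwaway key with no passphrase and a one-day expiry (demo only).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default 1d 2>/dev/null || return 1

    printf 'how did the appointment go?\n' > "$msg"   # constructed message

    # Privacy: encrypt to the recipient's public key; only the matching
    # private key can recover the plaintext.
    gpg --batch --quiet --recipient "$uid" --output "$msg.gpg" --encrypt "$msg"
    if [ "$(gpg --batch --quiet --decrypt "$msg.gpg" 2>/dev/null)" = "$(cat "$msg")" ]
    then dec=ok; else dec=fail; fi

    # Identity: a detached signature binds this exact content to the key.
    gpg --batch --quiet --local-user "$uid" --armor \
        --output "$msg.asc" --detach-sign "$msg"
    if gpg --batch --verify "$msg.asc" "$msg" 2>/dev/null
    then sig=ok; else sig=fail; fi

    # Accountability: change the signed file and verification must fail.
    printf 'tampered line\n' >> "$msg"
    if gpg --batch --verify "$msg.asc" "$msg" 2>/dev/null
    then tampered=accepted; else tampered=rejected; fi

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME" "$work"
    echo "decrypt=$dec signature=$sig tampered=$tampered"
}

pgp_demo
```

A real key should be protected with a passphrase and live in your normal keyring; the empty passphrase here only keeps the demo non-interactive.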

In Conclusion

Well, I hope that this has given you a rough outline of a few reasons why people use PGP, and possibly even given you a few reasons to start looking into using it yourself. If I've convinced you to start looking more at it, great! Also, if you have any questions, extra points or other such things, please catch me in the comments, or on Twitter (or anywhere else you know me).

And if you want to find my PGP keys, they are both here:

So catch you next time, where I think I will be going into how to create your own PGP keys, and some of the other background bits that may be useful to know and make using PGP much easier.


  1. Note that throughout this I am using the acronym PGP - this is interchangeable with OpenPGP and GPG (or GnuPG), which are all either implementations, definitions, or software that uses the PGP cryptographic method - and in all my searching these terms all seem to be used interchangeably for the most part.

  2. From Wikipedia: Pretty Good Privacy - Early History

  3. The Right to privacy, Article 12: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." UN.org

  4. Found on a reference round from Wikipedia against an analysis of China of all places: Right to privacy - note 17

  5. Hell, we have a podcast where we talk utter randomness: The Yet as Un-Named Podcast

  6. In the UK at least, it is illegal for a Post(wo)man to open the mail, and at one point (and maybe still!) it carried the penalty of Treason: Postal Services Act 2000 Part V, 83 & 84

  7. "The state of being free from danger or threat": Oxford Living Dictionary