Essay on PGP as it is used today
angel at pgp.16bits.net
Sat Jul 20 00:06:24 CEST 2019
On 2019-07-18 at 12:13 +1000, raf wrote:
> At work, when a client insists on email, and I (or the law)
> insist on encryption, I provide them with instructions for
> installing 7-zip and send them an AES-256 encrypted zip or 7z
> file as an attachment. It's the simplest thing I could think
> of that I thought most people could cope with.
Encrypted zip files have several factors that make it a beautiful
solution for sending encrypted messages to occasional users that don't
care much about it:
a) zip is a file format supported out-of-the-box by pretty much every
system, and that users are comfortable with. Whereas you would be seen
as a weirdo if you sent them a .gpg or other new file that needed a
special program, you would likely be asked to just sent it
"normally" (ie. unencrypted).
b) The format itself supports secure encryption (aes128/256).
c) If their client doesn't support AES-Encryption, their client will
show that *their program* can't cope with it. This places the onus on
the receiver (their zip decompresser isn't "new enough"), rather than
the sender (see a).
Nevertheless, it has a number of potential problems:
* As pointed out by Stefan Claas, you need to exchange the encryption
keys. The zip file is just an encryption primitive, so key distribution
may become a problem.
(raf, may I ask how you are dealing with it? As they are clients, are
you providing a set of keys in advance when personally visiting them?
Are you providing the key for the new message?)
* 7-Zip before 19.00 use a bad PRNG to fill a half-size IV
* A naive user trying to reply would easily end up using PKWARE
encryption (and reusing the password)
More information about the Gnupg-users