Essay on PGP as it is used today

Ángel angel at pgp.16bits.net
Sat Jul 20 00:06:24 CEST 2019


On 2019-07-18 at 12:13 +1000, raf wrote:
> At work, when a client insists on email, and I (or the law)
> insist on encryption, I provide them with instructions for
> installing 7-zip and send them an AES-256 encrypted zip or 7z
> file as an attachment. It's the simplest thing I could think
> of that I thought most people could cope with.

Encrypted zip files have several factors that make them a beautiful
solution for sending encrypted messages to occasional users that don't
care much about it:

a) zip is a file format supported out-of-the-box by pretty much every
system, and that users are comfortable with. Whereas you would be seen
as a weirdo if you sent them a .gpg or other new file that needed a
special program, you would likely be asked to just send it
"normally" (i.e. unencrypted).

b) The format itself supports secure encryption (aes128/256).

c) If their client doesn't support AES-Encryption, their client will
show that *their program* can't cope with it. This places the onus on
the receiver (their zip decompressor isn't "new enough"), rather than
the sender (see a).


Nevertheless, it has a number of potential problems:

* As pointed out by Stefan Claas, you need to exchange the encryption
keys. The zip file is just an encryption primitive, so key distribution
may become a problem.

(raf, may I ask how you are dealing with it? As they are clients, are
you providing a set of keys in advance when personally visiting them?
Are you providing the key for the new message?)

* 7-Zip before 19.00 uses a bad PRNG to fill a half-size IV
https://threadreaderapp.com/thread/1087848040583626753.html

* A naive user trying to reply would easily end up using PKWARE
encryption (and reusing the password)


Kind regards
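
Relating to the last point in the message above (a reply falling back to PKWARE encryption), the following is an added example and not part of the original message: a Python check that reads a zip's central directory and reports, per entry, whether it is unencrypted, uses legacy PKWARE encryption (ZipCrypto), or uses WinZip-style AES (method 99 with the 0x9901 extra field). The function names and the sample archive are constructed for illustration.

```python
import struct

EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}

def scheme(flags: int, method: int, extra: bytes) -> str:
    """Name the encryption scheme implied by one central-directory entry."""
    if not flags & 0x1:                 # general-purpose bit 0: entry is encrypted
        return "none"
    if flags & 0x40:                    # bit 6: PKWARE "strong encryption"
        return "PKWARE-strong"
    if method != 99:                    # encrypted, but no AE-x marker method
        return "ZipCrypto"
    i = 0
    while i + 4 <= len(extra):          # walk extra fields looking for tag 0x9901
        tag, size = struct.unpack_from("<HH", extra, i)
        if tag == 0x9901 and size >= 7 and i + 11 <= len(extra):
            return AES_STRENGTH.get(extra[i + 8], "AES-unknown")
        i += 4 + size
    return "AES-unknown"

def classify_entries(data: bytes) -> dict:
    """Map each entry name in a zip archive to its encryption scheme."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    result = {}
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        result[name] = scheme(flags, method, data[pos + 46 + nlen:pos + 46 + nlen + xlen])
        pos += 46 + nlen + xlen + clen
    return result

def _entry(name: str, flags: int, method: int, extra: bytes = b"") -> bytes:
    n = name.encode()
    return struct.pack("<4s6H3I5H2I", CDH_SIG, 51, 51, flags, method, 0, 0, 0, 0, 0,
                       len(n), len(extra), 0, 0, 0, 0, 0) + n + extra

def sample_archive() -> bytes:
    """Constructed sample: central directory only (metadata, no file data)."""
    aes256 = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)
    cd = (_entry("report.pdf", 0x1, 99, aes256) + _entry("reply.txt", 0x1, 8)
          + _entry("readme.txt", 0x0, 8))
    return cd + struct.pack("<4s4H2IH", EOCD_SIG, 0, 0, 3, 3, len(cd), 0, 0)
```

For a real attachment, pass the file's bytes to `classify_entries`; any entry reported as `ZipCrypto` or `none` was not protected with AES.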




