DAVEY WINDER
Davey delves deep into the world of encryption. First, remembering how PGP began, and then through a service that promises to secure your email.
Way back at the start of the 1990s, Phil Zimmermann wrote an essay displaying remarkable perception of what was to come as the internet matured. “Email messages are just too easy to intercept and scan for interesting keywords,” Zimmermann wrote. “This can be done easily, routinely, automatically and undetectably on a grand scale.”
Remember that this was almost 20 years before Edward Snowden blew his snooping whistle loudly – and with such reverberations within the world of cryptology. Zimmermann then stated: “The government will protect our email with government-designed encryption protocols. Probably most people will acquiesce to that. But perhaps some people will prefer their own protective measures.” Phil Zimmermann was, in case you need reminding, the creator of Pretty Good Privacy (PGP).
His journey towards fame – or infamy, dependent upon your views of government and privacy – began in 1991, when the US Senate had added a resolution to a bill that would “encourage” the industry to add backdoors to networking (including the emerging internet) equipment. The wording of that resolution resonates with more recent – and, sadly, more successful – attempts to blow the doors off the privacy of communications. “… providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain-text contents of voice, data, and other communications when appropriately authorised by law.”
Criminal investigations
Scary stuff, huh? And it’s worth repeating that this was 26 years ago. That US bill didn’t succeed, but it sure caught the attention of computer science graduate and software engineer Mr Zimmermann, who realised how close the US government had just come to making it illegal to use secure communications online. He wasn’t wrong, either: soon afterwards, public key cryptography had become a protected weapon (“munitions” was the term used in law) with strict export controls.
Zimmermann had the foresight to get his PGP software, based around the RSA public key crypto algorithm, released as freeware. Along with the source code and documentation, he sent a copy of it to his friend Kelly Goen, who in turn uploaded the source to Usenet and a whole bunch of bulletin-board systems. The code, like the truth, will out – and out it was.
Within a couple of years the government came calling; not the FBI, but US Customs. Zimmermann and Goen were charged with exporting protected munitions without the appropriate licence, and a federal grand jury indictment followed. In fact, it followed them for three years until the powers that be realised that the duck they had been chasing had died a long time ago. Not that this stopped the US government from starting a criminal investigation, which also failed to produce charges that stuck.
Things went a little downhill from there with regards to the romance of the privacy defender story (if you see it through nerd-tinted spectacles like me). Zimmermann founded a company called PGP, which was acquired by Network Associates, which was acquired by McAfee, and which sold a commercial application of PGP. It gets even messier if you delve into licensing agreements and legal agreements between RSA (which owned the algorithm that PGP was based upon) and Zimmermann. The story kind of ends with Zimmermann agreeing not to distribute PGP any longer and RSA agreeing not to sue him as a result.
As one story ends, another begins. That code, the PGP version 1.0 software that was pushed out into the public domain, had developed an organic momentum all of its own. Helped by MIT, PGP 2.5 eventually emerged from the ether and RSA became annoyed, but legal complications over interests in the algorithm patent meant that legal actions weren’t taken. It also meant that PGP could take on a new life, and Zimmermann was once again at the forefront of it.
He published a book with the source code of the new PGP version programmed in C and printed it in a font designed to be scanner friendly. The US had made it quite clear, all the way to the Supreme Court and on many an occasion, that “written expression” couldn’t be against the law. Zimmermann had got another one-up on the man, as it were. Apart from the fact that it was actually still illegal to export PGP 2.5, thanks to that munitions classification.
Thankfully, a European privacy-friendly programmer, Ståle Schumacher, adapted the code enough to make version 2.6xi legal anywhere in the world.
Which is where we find ourselves today. Now there’s something called the OpenPGP standard via the Free Software Foundation, as the original source code is currently owned by Symantec, and most folk will use the GNU Privacy Guard (GnuPG) along with an email client such as Mozilla Thunderbird. Or they would if it were easier to install and configure. It involves getting on very friendly terms with the command line interface, or investing time to learn how a PGP client with a graphical UI works under the bonnet, or flashing the cash to subscribe to a service that does most of the dirty work for you.
A nerdy nicety?
And now we stumble upon the real problem with PGP, or rather the real problem with encrypted emails and encrypted messaging in general. If it’s too complicated, only geeks will use it to talk to other geeks. I want to talk to my family, friends and assorted non-geek contacts. If it’s too expensive, only those who really want it and can afford it will use it. End-to-end email encryption is great in theory, but in practice it only works if both sender and recipient are using the same secure application. That’s where it’s always been a busted flush for becoming anything other than a nerdy nicety.
If Bob wants to send Alice an encrypted message, he first has to send one saying: “I want to send you an encrypted message, to do so you need to download and use this app.” If Alice discovers that the app is too complicated or not to her liking, she won’t bother; ditto if that app costs a few quid a month to use or demands she opens up a new email account with some weird address. It has to be simple to set up, easy and functional enough to accompany, if not entirely replace, her email client of choice – and it needs to be free, or as good as. SecureMyEmail (SME) is the closest I’ve come across so far to meeting these requirements.
SME comes in a number of OS flavours, including both Windows and Mac via a version of Mozilla Thunderbird with the SME plugin already installed. However, I’ve been testing the Android app, so for the purposes of this review that should be borne in mind. iOS users will have to wait, I’m afraid, although I’m assured that there is a version in the pipeline. The same goes for email clients other than Thunderbird, with Apple Mail already underway and Outlook in the planning stage.
Back to Android, where the app is a doddle to install and configure. And if you’re an old hand at this PGP thing then you can use it with your existing keys easily enough. Again, I’m writing this overview from the perspective of a user that’s new to the encryption world, and for them there really is nothing to be afraid of. I’d happily invite my mum or eldest grandchild to use SME, safe in the knowledge that they could follow the instructions without fear of failure.
I like the fact that it doesn’t require you to register a new email address at securemyemail.com; you simply use your existing email address, be that with a mail provider or your own mail server. I also like the fact that, while not free, it’s close at 99 cents per email address per year. There are lifetime subscription plans for the more adventurous, but for most why worry when you’re “risking” only 7p per month?
I also like the fact that it allows the more advanced user to exploit the full functionality of PGP crypto. So, the SME client app is fully PGP compatible in that it creates real PGP keys that you can use wherever other software or services require them. Hit the Advanced Settings option and you’ll find all the key management, on-demand key regeneration, importing and exporting tools that the crypto-savvy user could want.
Those among you who are privacy savvy can also rest assured that the SME creators have given proper thought to data sovereignty issues. The company behind SME has a Swiss incorporated management company and data is housed in Swiss data centres. The encryption happens on your device, before any data – including attachments (which are also encrypted) – are sent. This means your data will remain encrypted in transit and at rest on your, or your email service provider’s, servers. By using native software – rather than a webmail client, for example – your private key isn’t only generated on your device, but it remains there. Decryption, likewise, is done on the recipient’s device.
“SME is easy to use, but also allows the more advanced user to exploit the full functionality of PGP crypto”
Security concerns
Without getting too deep into the math, during the initial setup of SecureMyEmail, a unique 4,096-bit key pair and passphrase will be generated. How secure is all that? Good question, and the answer – if we accept that there are no known backdoors, side-channel attacks or quantum computers to take into consideration – is that the key is long enough to remain secure for the foreseeable future.
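To put a rough number on that answer, here is an added example (not from the original article or from SecureMyEmail) that estimates the classical cost of factoring an RSA modulus with the general number field sieve. It assumes the 4,096-bit key pair is RSA, as in the PGP history above, and, like the article, leaves backdoors, side channels and quantum computers out of scope.

```python
import math

LN2 = math.log(2)
# Constant of the general number field sieve (GNFS) running-time estimate.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_security_bits(modulus_bits: int) -> float:
    """Rough classical work factor, in bits, to factor an RSA modulus.

    Uses the heuristic GNFS cost exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
    with the o(1) term dropped, so treat the result as an order-of-magnitude
    guide rather than an exact figure.
    """
    ln_n = modulus_bits * LN2
    work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / LN2  # natural-log exponent converted to a power of two


def modulus_bits_for(target_bits: float) -> int:
    """Smallest modulus size whose estimate reaches target_bits (binary search)."""
    lo, hi = 512, 65536
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_security_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def report(sizes=(1024, 2048, 3072, 4096)):
    """Return (modulus_bits, estimated_bits, gain over a 2,048-bit key) rows."""
    base = gnfs_security_bits(2048)
    return [(s, round(gnfs_security_bits(s), 1),
             round(gnfs_security_bits(s) - base, 1)) for s in sizes]


if __name__ == "__main__":
    for size, bits, gain in report():
        print(f"RSA-{size}: ~2^{bits} operations ({gain:+} bits vs RSA-2048)")
    print("Modulus needed for a 128-bit estimate:", modulus_bits_for(128))
```

By this estimate a 4,096-bit modulus costs roughly 2^156 operations to factor, around 2^40 times the work of a 2,048-bit one.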
The connections between my Android device and the SME servers in Geneva haven’t been forgotten either, which comes as no great surprise to me, since the people behind SME also run a VPN business. This translates into multiple layers of this particular security onion: the APIs are set to opt for Transport Layer Security 1.2 in preference; ephemeral key support is deployed to enable perfect forward secrecy (compromise of long-term keys doesn’t compromise past session keys in effect); and HTTP Strict