(Summary: Cryptographically signing messages with my long-term PGP keys is too important to give up. Doing this on my Android telephone is easier than I thought. You should strengthen your secret key encryption if you’re also going to do this.)
Recently, Filippo Valsorda, cryptography expert and TLS guy at Cloudflare, wrote that he was giving up on PGP, or at least on long term PGP keys.
I agree with many of his points, especially the complexity of managing those keys, lack of forward secrecy (if someone were to steal my keys, they could decrypt all past conversations, unlike for example Signal) and accessibility (how do you verify a message with a baby on your left arm and your telephone in your right?). More generally, it makes a great deal of sense to make your security a moving target, as one of the Ars Technica commenters astutely summarised Filippo’s ideas.
However, in spite of these factors, I am not yet ready to give up my PGP long-term keys.
Why is that?
Well, one of the most important uses of my long-term PGP keys is to cryptographically sign messages that can be verified by people in my network as having come from my hands.
For example, when I change my phone or re-flash its firmware (this has happened 3 or 4 times over the past two months because Android), I send PGP-signed messages to my main Signal correspondents with our new safety numbers.
With all of these correspondents I have in the past either done some sort of in-person formal PGP signing procedure, or I make use of the web of trust, or I rely on keybase. My business cards even have my key fingerprint on them (yes, I’m one of those nerds).
At their ends, the recipients of my messages are able to determine with an extremely high degree of confidence that I wrote the exact message they opened.
In terms of accessibility, the post did make me curious enough to experiment with a mobile PGP solution, as I also did have to agree that I’ve in the past often had to wait until I was behind one of my own laptops or workstations to PGP-verify a message.
As my one friend explained on Signal:
It’s tricky to verify a message with a baby in your left hand and a telephone in your right!
OpenKeychain to the rescue!
Seeing that I was planning on carrying my long-term private keys around on my telephone (BlackBerry PRIV, FDE encryption active FWIW), I had to double-check the security of the secret key encryption.
It turns out that PGP encrypts each of your secret keys with a hash of the passphrase you supply. My passphrase is significantly longer than the average, and consists of random characters (uppercase, lowercase, numbers, symbols). Passphrase length and complexity is by far the most important factor determining the safety of your encrypted secret key.
However, I had the default SHA-1 hash (ouch) with only 64k iterations. Iterating the hash is called key stretching: the passphrase is hashed, that result is hashed, and so on, for very many times, so that the testing of each passphrase takes more time, complicating brute-force cracking approaches.
Inspired by the writings of Chris Wellons who keeps his encrypted secret keys on a public website (!!!), I reconfigured my private key encryption to use 1 million iterations of the SHA-512 hash, and to use AES-256 for the encryption itself:
gpg --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 1000000 --edit-key 384435C7E77A4564
After typing that command, enter
passwd at the prompt, then follow the prompts. You will have to enter your passphrase, and then enter your new passphrase twice.
You can then check that this operation is successful by using the command
gpg --list-packets secring.gpg. My output looks as follows. Most important is that algo is 9 (AES-256), hash is 10 (SHA-512) and protect count in my case is just over 1 million.
:secret key packet: version 4, algo 1, created 1376407300, expires 0 skey: [4096 bits] skey: [17 bits] iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: blabla protect count: 1015808 (159) protect IV: encrypted stuff follows keyid: 384435C7E77A4564
SHA-512 is the slowest hash which PGP offers (see these oclHashcat benchmarks for example), which means that each iteration of a brute-force password cracking attempt will take a bit longer / eat more GPU watts, which is exactly what we want. You can increase the protect count for as long as the delay on your smartphone is still tolerable.
However, remember that a stronger and longer passphrase is much better! (so we do both)
Other than that, remember that Android security is far from good, so do as much as you can to keep your phone safe (keep up with OS updates, stay away from unofficial app markets, and so on).
I was pleasantly surprised to learn that I could directly import both my
pubring.gpg files from my
~/.gnupg directory. Right after selecting secring.pgp for import, the UI looked like this:
You can see the old 1024 bit key I made in 2000 to use for my Debian activities, and the 4096 bit key I currently use.
After importing your secret and public keyring, you are able to encrypt, decrypt, sign and verify any files or clipboard contents on your Android phone:
So if I receive something like this via Signal:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Never gonna give you up, never gonna let you down Never gonna run around and desert you Never gonna make you cry, never gonna say goodbye Never gonna tell a lie and hurt you -----BEGIN PGP SIGNATURE----- iQFEBAEBCgAuJxxTdGVmYW4gdmFuIGRlciBXYWx0IDxzdGVmYW5Ac3VuLmFjLnph PgUCWE2aUQAKCRDl/rykoDTdZZgvB/9Yi76C9o7xIgQ/d85WbnKDjNosp5uXzgHm A2y+cxZDLVNLTMrlCTXOMRulaJMvb3Ocsvi+/gQVUF49fT74EXlZpZvvdTzhQfa2 VvQPjZmf/9PNzB3pgUtEDBwyLC21C6dqU+y7mPk91Aw1m8cKBQUSHmQxa7F/dCFc DCuWOcXjNt5vLQ2Q8mQBMpHaG9J5+4/0k/GEHAVcm55fzb7o2hJyEVb3EoYy8Pls khIwJpZVdwyY4FPoLXW3iJYanC5qoOoS81YLCyLEyin0jH56ve05uHbF0XcaNY4h NupkN2D+Dt4X2m2FXieM27eG/Ty9hVx7n7B3pT4P9KqeFDX8hQ/q =c7j9 -----END PGP SIGNATURE-----
I long-press, copy the message and then select “read from clipboard” from OpenKeychain’s Encrypt/Decrypt screen, which, if everything checks out, shows me the following message:
I can now rest assured that this specific buddy of mine is never gonna give me up and is never gonna let me down.
Cryptographically signing a message is equally easy, except that you’ll have to enter that long passphrase of yours. OpenKeychain will then make the signed and optionally encrypted text text available for sharing to any app, or for copying and pasting:
Easy peasy, and tested under all sorts of usually-PGP-unfriendly conditions!
Maintaining PGP long-term keys certainly has its issues, but the possibility of cryptographically signing any message so that recipients can establish with high confidence that it originated from you is too important to give up.
With an app like OpenKeychain and sufficiently strong passphrase hashing and secret key encryption, you are able to use your keys with ease from your telephone.
Granted, you are trading in some security for this convenience. However, given the choice between discarding my PGP keys completely, vs. taking these steps, I’ll hold on to my keys for a little while longer.
In order to mitigate the potential damage of one of my long-term keys being compromised, I have resolved to generate and start using a new private key as soon as I run through my current batch of business cards, and to continue rotating like this in the future.
Let me know in the comments what you think. Do you know of a better alternative for remotely verifying the identity and messages of your correspondents?