OpenPGP, the standard defining how to encrypt and sign messages using PGP(new window), the most widely used email encryption format, received a major upgrade, introducing various security improvements and more modern cryptographic algorithms.
PGP has been used to secure email messages since the 90s. Over the past 25 years, the standard has been updated multiple times. However, cryptographic advances have continued pushing the boundaries of privacy and security forward. Since 2016, when we started maintaining OpenPGP.js(new window), one of the world’s most widely used open-source email encryption libraries, we’ve worked to modernize PGP while preserving one of its main assets — interoperability. This allows us to bring the best of modern crypto to Proton Mail while ensuring that Proton Mail is not a walled garden.
Standardization ensures future interoperability, and Proton has also been actively involved in the standardization process with the OpenPGP Working Group at the Internet Engineering Task Force (IETF). The result of this is the “crypto refresh(new window)” of the OpenPGP standard, as it has been dubbed, has brought about modern authenticated encryption, more secure curves, memory-hard password hashing, and more.
By standardizing these improvements rather than using proprietary protocols, we’re paving the way for the entire email ecosystem to be more secure and ensuring that encrypted email remains interoperable.
Security improvements
Here’s an overview of the biggest security improvements in the PGP crypto refresh.
Modern authenticated (AEAD) encryption
Modern encryption should be resistant to surreptitious tampering. An attacker without access to your secret key should not be able to modify your message without detection. Encryption with this property is called “authenticated encryption”.
OpenPGP has had authenticated encryption for a long time, using a mechanism called the “Modification Detection Code” (MDC). While this does the job, modern authenticated encryption schemes achieve secrecy and authentication in one integrated algorithm. Such encryption modes, dubbed AEAD algorithms, offer improved performance at the same security level.
The new standard includes GCM, an AEAD algorithm available in the Web Cryptography API, which provides native implementations of cryptographic primitives to web applications and offers improved performance and security. For this reason, we’ll soon start using this mode in all Proton products.
More secure curves
New in the crypto refresh specification is a set of public-key algorithms that use Curve25519 and Curve448 for encryption and decryption (X25519 and X448) and signing and verifying (Ed25519 and Ed448). Members of the Proton community may know that we have used Curve25519 for years. Nevertheless, this will be the first time that it’s formally specified.
We’ve also proposed adding Curve25519 and Curve448 to the Web Cryptography API(new window). Some browsers, such as Chrome and Safari, have started to implement Curve25519. We plan to use this in OpenPGP.js to further improve our web applications’ performance and security once it’s available.
Memory-hard password hashing function
OpenPGP has built-in password hashing functions, which it calls the “string-to-key (S2K) algorithms”. However, until the crypto refresh, all of them were quite weak. The strongest algorithm, “iterated and salted S2K”, salts the password and then hashes the salt and password repeatedly using a cryptographic hash function such as SHA-2 for a configurable number of iterations, but with an upper limit of 62 MiB on the hashed data. Since SHA-2 hashing has become very fast and cheap, this is no longer sufficient to securely hash a password. For this reason, Proton has long used an additional password hashing function, bcrypt, to hash passwords before using them to encrypt OpenPGP messages or keys.
OpenPGP will transition to Argon2(new window), the winner of the Password Hashing Competition. This function is “memory-hard(new window)”, meaning it requires a significant amount of memory to hash a password. This makes it more difficult for an attacker to optimize the password-guessing process using dedicated hardware, such as application-specific integrated circuits(new window), because the hashing speed will remain bound by the speed of the memory. With the updated OpenPGP standard, we will switch to Argon2 at Proton as well.
Deprecating legacy algorithms
The crypto refresh deprecates old cryptographic primitives and algorithms, including the hash algorithms MD5, SHA1, and RipeMD, the symmetric algorithms IDEA, 3DES, and CAST5, and the public-key algorithms ElGamal, DSA, and RSA keys of less than 3072 bits (the security level comparable to Curve25519). These are all considered less secure than their modern alternatives and, as a result, are not fit for use in new data or even the consumption of existing data in some cases. Proton’s default has long been Curve25519, which is more secure.
Preventing key overwriting attacks
One area of the Proton Crypto team’s research has been key overwriting attacks, and in 2022, we published a research paper(new window) on this topic together with Professor Kenneth Paterson from ETH Zurich. This research was also presented at the ACM Conference on Computer and Communications Security in Los Angeles in November 2022. While we added security patches to OpenPGP.js and GopenPGP(new window) as soon as we discovered these issues, the newest OpenPGP specification addresses the vulnerabilities in a more efficient way.
Robustness against future vulnerabilities
While most of the changes in the crypto refresh aim to fix known vulnerabilities or modernize the cryptographic primitives used, some are intended to prevent potential vulnerabilities in cryptographic primitives that might be discovered in the future from affecting OpenPGP.
In particular, signatures are now salted — in other words, a random value is hashed before the message or document that’s signed. This makes it more difficult to carry out a collision attack, where an attacker swaps out a signature of a given document with a signature of a different document that shares the same prefix as that signature may have been hashed with a different salt, meaning that the prefix wouldn’t match.
This means that if an attack such as SHAttered(new window) (which demonstrated a collision in SHA1) was ever found against current hashing algorithms (such as SHA2), OpenPGP would not be impacted as much.
Upcoming improvements
After the crypto refresh of the OpenPGP standard is released, we plan to continue to work with the OpenPGP Working Group to bring even more advanced cryptography and additional features to PGP, such as:
Security improvements
- Post-quantum cryptography (a topic that we’ve already been working on. We’ll publish a separate blog post about it shortly.)
- Forward secrecy (protecting messages sent today even if a key is compromised tomorrow)
- Domain separation for signing and/or encryption
Facilitating new functionality
- Automatic forwarding using proxy re-encryption
- Persistent symmetric keys for long-term storage of symmetric key material, symmetrically encrypted messages, and symmetric attestations
- Designated Revoker to replace the deprecated Revocation Key mechanism
- Attestation Signatures to facilitate first-party-attested third-party certifications (1PA3PC).
- Superseded keys to facilitate the transition to new keys
- Stateless OpenPGP Interface (SOP)
- Extensions to RFC 3156(new window) (PGP/MIME)
Specifications of and improvements to network-based key discovery mechanisms
- HTTP Keyserver Protocol (HKP)
- Web Key Directory (WKD)
You can find additional details on the proposed topics here(new window).
Specification and implementations
The “crypto refresh” update to the OpenPGP standard is currently under review by the Security Area Director of the IETF. Once the document passes this review, it will be published as a new standard.
The specification was co-authored by Daniel Huigens from Proton, Justus Winter from Sequoia-PGP, and Niibe Yutaka from the Free Software Initiative of Japan (FSIJ). It was edited by Paul Wouters from Aiven. The Working Group chairs, Daniel Kahn Gillmor from the American Civil Liberties Union (ACLU) and Stephen Farell from Trinity College Dublin, led the process. We would like to thank them and everyone else who contributed to the crypto refresh for helping make the internet more secure!
We’ve already implemented the crypto refresh in OpenPGP.js and GopenPGP, the two open-source OpenPGP libraries that Proton maintains. We’ll soon release new versions with these improvements so that any application using these libraries, including Proton Mail, Proton Drive, Proton Pass, and many others, can benefit from the security and performance improvements in the crypto refresh.
We would also like to thank the Sovereign Tech Fund(new window), an initiative funded by the German Federal Ministry for Economic Affairs and Climate Action that supports open-source projects contributing to digital infrastructure that serves the public interest, for funding the implementation of the crypto refresh in OpenPGP.js and GopenPGP(new window).
You can check the implementation progress of various OpenPGP libraries, including OpenPGP.js and GopenPGP, at the OpenPGP Interoperability Test Suite results for the crypto refresh(new window). Sequoia-PGP developed this test suite, which tests OpenPGP implementations for interoperability to ensure that email messages can be sent between any two users, regardless of which application or OpenPGP implementation they use.
Impact
PGP is used to secure multiple Proton services like Proton Mail, Proton Drive, and Proton Pass, but they’re far from the only ones. Thunderbird, the popular desktop email client, has built-in support for OpenPGP. Mailvelope and Flowcrypt, both browser extensions using OpenPGP.js, enable anyone to end-to-end encrypt their emails using OpenPGP even if their email provider doesn’t support end-to-end encryption. The latter also offers mobile apps for Android and iOS. All of these applications, and many more, form part of the OpenPGP ecosystem, allowing users to send encrypted messages interoperably without being bound to a single provider or application. The open standard fosters innovation and prevents lock-in, ultimately benefiting the end users.
Thanks to the crypto refresh, the millions of people who use these applications will benefit from all the security and performance improvements mentioned above. Your messages will be more securely encrypted, whether you’re communicating with another Proton user or a user of any of the other applications with OpenPGP support.
With your support, we look forward to continuing to develop interoperable, open-source, and open standards cryptography to further the mission of Proton and the entire open-source privacy ecosystem.
This work was conducted by Daniel Huigens, Lara Bruseghini, and Lukas Burkhalter from the Proton Cryptography team.
