Pssst, Your PGP Is Leaking

Metadata can be scraped from your messages even when you use PGP encryption.

Ever since the Snowden revelations, more and more people have been educating themselves on how to use encryption. One of the first programs people might turn to is Pretty Good Privacy, or PGP, a version of which was thrust further into the public consciousness when it was explicitly credited in Citizenfour, Laura Poitras' documentary on the National Security Agency and her meeting with Snowden.

But what users might not know is that messages encrypted using PGP leak a wealth of data about their senders and recipients, possibly allowing a well-resourced attacker to map out who a target is sending secret messages to. In a talk at Usenix Enigma, a new security conference, Nicholas Weaver from the International Computer Science Institute explained the general technical details behind the NSA's mass surveillance systems, and touched upon a number of problems with PGP.

"To be honest, the spooks love PGP," he said. "It's very chatty, gives you a lot of metadata, gives you the entire communication record."

This is due, in part, to the fact that users' PGP KeyIDs can be scraped from a message after it has been encrypted. For example, any message—perhaps one intercepted by a mass surveillance system, or that a nosy lover has found in your email account—can be entered into a PGP client. This program will typically provide the KeyID, the numerical code that identifies the key the message was encrypted to. Armed with this info, an attacker could then attempt to find more information about who the message was addressed to, such as a corresponding email address or name.

To test this out, I asked Motherboard Staff Writer Lorenzo Franceschi-Bicchierai to provide me with a block of PGP text that he had sent to someone in the past. I dumped the message into a PGP client and attempted to decrypt its contents. Although that didn't work because the message wasn't intended for me, the program did spit out a KeyID it was encrypted for, which could act as digital breadcrumbs for identifying the intended recipient.

The program provides the KeyID for the people the message is encrypted to, which will often include the sender as well as the recipient, as many PGP clients encrypt for the sender by default. Depending on the PGP software being used, it's also sometimes possible to obtain the users' email address and name if they have attached this information to the key.

Weaver, in a previous blog post, showed that a deeper analysis is possible with the tool "pgpdump." And in the context of mass surveillance, where a government has, say, access to the world's communications, those snippets of information could be just the start of unraveling a whole lot more about a target, Weaver adds.

"Let's say the starting thread is 'Nicholas Weaver.' Well, a little bit of searching finds my PGP key, with KeyID 0x6D81D70F920E2FEE. Now a simple query of 'All PGP encrypted messages which include KeyID 0x6D81D70F920E2FEE' will pick up every encrypted message that I wrote or which was sent to me, and also give the content of the message if it hasn't aged off," he notes.

At this point, a sufficiently resourced analyst could then map out all of the other keys that are implicated in Weaver's communications. The snooper might not see the content of the messages, but that's not the point—PGP is a great tool for investigators to map out a target's social network. Naturally, if you're trying to organize a secret operation of some sort or just hold a private conversation, having details of all the people you're talking to inadvertently leak is not a great start.

On top of this, anyone using PGP likely also needs to think about email metadata. It's no good if two people are encrypting their messages with pseudonymous PGP keys, if their emails are then sent from addresses linked to their real identities, for example. Instead, fresh keys, obfuscated internet connections via Tor, and new email accounts are necessities for anyone trying to use PGP anonymously.

There are a couple of other techniques too for plugging the PGP metadata holes. The option "--throw-keyids" can be used to strip any mention of your key when you are encrypting a message. This means that, upon being presented with the message, your recipient's PGP client will have to cycle through all of their private keys and try them one by one, rather than jumping to whichever key the message was encrypted for. This might slow down the decryption process somewhat, but it provides reassurance that your message isn't providing identifiable data.

Another is to only encrypt the message to those who really need to see it—if you don't need to read the contents again, simply don't encrypt the email to yourself, as is the default with some clients. This would stop your own KeyID leaking, but not that of your recipient.
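To check your own outgoing messages before they leave your machine, the sketch below (an added example, not code from the article or from any PGP project) reads the unencrypted packet headers the way a tool like pgpdump does and reports which recipient KeyIDs are visible. It assumes version 3 session-key packets as laid out in RFC 4880; the function names and sample KeyIDs are constructed for illustration, and an all-zero KeyID is what GnuPG writes when "--throw-keyids" is used.

```python
import base64

def dearmor(text):
    """Decode an ASCII-armored block: base64 lines after the blank header separator."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith(("=", "-----"))))

def packets(data):
    """Yield (tag, body) for each packet up to the encrypted data (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                return                          # partial-length data packet: stop
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = (1, 2, 4, 0)[ltype]             # 0 = indeterminate, runs to end
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        yield tag, data[i:i + length]
        i += length

def audit(data):
    """Report which recipient key IDs a message exposes in its tag 1 (PKESK) packets."""
    ids = [body[1:9].hex().upper() for tag, body in packets(data)
           if tag == 1 and len(body) >= 10 and body[0] == 3]
    hidden = "0" * 16                           # all-zero ID, as written by --throw-keyids
    return {"exposed": [k for k in ids if k != hidden], "hidden": ids.count(hidden)}

def pkesk(key_id):
    """Constructed sample packet: v3 PKESK, RSA, dummy 8-bit session-key MPI."""
    body = b"\x03" + bytes.fromhex(key_id) + b"\x01\x00\x08\xff"
    return bytes([0xC1, len(body)]) + body

DATA = bytes([0xD2, 3]) + b"\x01xx"             # constructed stand-in for the ciphertext packet
NORMAL = pkesk("1122334455667788") + pkesk("AABBCCDDEEFF0011") + DATA
THROWN = pkesk("0000000000000000") * 2 + DATA

if __name__ == "__main__":
    print(audit(NORMAL))
    print(audit(THROWN))
```

Two entries under "exposed" for a message sent to one person usually means the client also encrypted to the sender's own key, the default the article describes.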

These points don't often come up in introductory conversations about encryption, but acknowledging them is crucial for anyone who is using PGP in any serious capacity.

"PGP is the NSA's friend," Weaver added.