Pretty Bad Day With Pretty Good Privacy

A simple client request for PGP encryption turns into a messy affair; multiple keys leave client annoyed

Grrr. . . . users, pah. So far in my career, I've always managed to avoid doing desktop-support work. I know it's absolutely necessary, I know it's hard to do well, but most of all, I know I don't have the patience for it. Unfortunately, this week I had no option. We had an urgent request for some desktop support for a client who is trying to use PGP.

PGP stands for Pretty Good Privacy. It's one of the world's most popular cryptographic programs, designed to encrypt and decrypt e-mail, files and so on. It's a good program with a lot of popular support and a very interesting history.


THIS WEEK'S GLOSSARY

PGP: Pretty Good Privacy software, developed by Philip R. Zimmermann, allows users to encrypt e-mail and other files for distribution to other users. PGP is one of the most widely used cryptographic programs available. Features include message encryption, digital signatures, data compression and e-mail compatibility. It is now owned by Network Associates Inc.

ADK: Additional Decryption Key allows a trusted third party to access data encrypted using public-key technology. The user encrypts the data using the recipient's public key as usual but then encrypts a copy of the data with a separate key known to a trusted third party. If someone other than the original recipient demands access, he can ask the trusted third party to decrypt it. Uses range from allowing management to decrypt files when the recipient loses the key to enabling government agencies to access encrypted files.
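The ADK entry above describes a message that more than one key can decrypt. In an OpenPGP-format message (RFC 4880), each such key appears as its own Public-Key Encrypted Session Key packet carrying that key's ID, so a recipient or auditor can list them without decrypting anything. The code below is an added example, not part of the original column or of the PGP product; the key IDs, the "ADK" label and the message bytes are constructed for illustration.

```python
import io

PKESK = 1  # Public-Key Encrypted Session Key packet tag (RFC 4880, sec. 5.1)

def read_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP message."""
    buf = io.BytesIO(data)
    def take(n):                      # read an n-octet big-endian integer
        return int.from_bytes(buf.read(n), "big")
    while head := buf.read(1):
        first = head[0]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:              # new-format header
            tag, l1 = first & 0x3F, take(1)
            if l1 < 192:
                length = l1
            elif l1 < 224:
                length = ((l1 - 192) << 8) + take(1) + 192
            elif l1 == 255:
                length = take(4)
            else:                     # partial body length: a data packet that
                length = None         # follows the key packets; take the rest
        else:                         # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            length = None if ltype == 3 else take((1, 2, 4)[ltype])
        body = buf.read() if length is None else buf.read(length)
        if length is not None and len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body

def recipient_key_ids(message):
    """Key IDs of every key the session key was encrypted to (v3 packets)."""
    return [body[1:9].hex().upper() for tag, body in read_packets(message)
            if tag == PKESK and len(body) >= 10 and body[0] == 3]

def unexpected_recipients(message, expected):
    """Key IDs in the message that are not on the sender's expected list."""
    return [k for k in recipient_key_ids(message) if k not in expected]

# Constructed sample: one key packet for the recipient, one for a hypothetical
# ADK, then a stub encrypted-data packet. Key IDs are made up.
RECIPIENT, ADK = "0123456789ABCDEF", "FEDCBA9876543210"
def _pkesk(key_id, header):
    body = bytes([3]) + bytes.fromhex(key_id) + b"\x01\x00\x08\xAA"
    return header + bytes([len(body)]) + body
SAMPLE = _pkesk(RECIPIENT, b"\x84") + _pkesk(ADK, b"\xC1") + b"\xD2\x05\x01" + bytes(4)

if __name__ == "__main__":
    print(recipient_key_ids(SAMPLE))
    print(unexpected_recipients(SAMPLE, {RECIPIENT}))
```

A key ID of all zeros in such a packet means the sender hid the recipient, so an empty "unexpected" list only covers recipients that are named.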

LINKS

www.pgp.com: Offers a free downloadable version of PGP software for personal use and a commercial version. PGP.com is now a subsidiary of Network Associates.

www.rsasecurity.com: Includes information on RSA's encryption products plus frequently asked questions about many aspects of encryption.

www.wse.com: Product information on Westinghouse Security Electronics Inc.'s proximity-card systems.


The latest version has been integrated into Windows quite well - right-click on a file to bring up the PGP menu, easy buttons for Microsoft Outlook and simple, clear user interfaces. But like most cryptographic software, there's a lot of complexity hiding under that pretty face.

The client who needs support is a very senior executive and a very important client. He has personally hit on the idea of using PGP to encrypt his communications, and it's up to us to comply. He doesn't mind whether we do or not - if we can't read his e-mail, we can't do business with him, and it's no skin off his nose.

Instant Expert

The PGP expert at the client's company is a guy from the firm's IT help desk who installed the software two weeks ago and has - and I quote - "mucked around with it a bit."

There are two experts on PGP in our company: one in the head office, who configured our version of PGP and rolled it out around the company, and me. My expertise with PGP is based on the fact that I know cryptography theory extremely well, and I once met the author of PGP, Phil Zimmermann, at a cocktail party. I've never actually seen the software before, but that's still enough to make me an expert, especially since our guy in the head office is on holiday this week and we're losing business now.

Once I start exploring PGP, it turns out to be relatively simple. The interface is good, the buttons (usually) intuitive, the commands have obvious names and there are wizards to guide you through anything remotely complicated. In a very short time, I have set it up on three test machines and generated keys for each machine, and am swapping encrypted e-mail with ease.

Unfortunately, however, the original head-office expert who set it up did what I call an "academic" job of designing the system. An academic job is one that meets best practices; conforms to all the basic rules set out in the last article by the latest and greatest expert in the field; is based on sound, logical arguments; and is almost completely unusable in practice.

In this case, instead of just generating a pair of encryption keys per user, then publishing one of the pair for people to use to encrypt things for your eyes only, our default installation generates seven pairs of keys. Yes, seven. One is the unique pair of keys for that particular user, then we have the incoming Additional Decryption Key (ADK), the outgoing ADK, a revocation key, a corporate signing key and two other key pairs whose names mean nothing to anyone. I know what an ADK is only because I used to teach cryptography, and I'm not going to explain it here because you'll get bored and stop reading.

All these keys have a theoretical purpose, but they're all completely inapplicable to our current situation. In fact, the client is distinctly unimpressed at the clutter and promptly deletes them all and demands we go away and do it again better. But just to ensure that no meddlesome end user can circumvent these six additional pairs of keys, only one person has the ability to override the relevant configuration options. Yes, that one person is the head-office expert, who's on holiday.

In the end, PGP is just as prone to stupid users as any other program, and most of the problems turn out to be user error. We put in a bit of a bodge job to get around the clutter of keys by downloading the freeware version from the Web and installing it ourselves to use until we can get our properly licensed version working correctly.

I spend a day and a half firefighting the problems - a day and a half in which I'm constantly biting my tongue to stop myself from suggesting that it would be quicker and cheaper all around just to hire a courier to deliver these oh-so-sensitive e-mails. I now have renewed respect for desktop-support staff and renewed determination never to let it become a regular part of my job.

A Grand Plan

The rest of the week is spent delving a little deeper into my idea of smart/proximity card-based access. I have grandiose ideas about doing away with passwords altogether by using smart cards to control access to the workstations. I have three months to come up with a working prototype, and everything so far is looking positive. A key component of this prototype is that the smart card also works as a proximity card, so that we can also use it to control access to the buildings.

When I looked at this idea four years ago, all the proximity-card manufacturers said, "What's a smart card?" and the smart-card manufacturers said, "What's a proximity card?" so I quickly stopped looking. This time, I seem to be getting a different story. While a few companies still just scratch their heads, I find two companies that claim it's a simple exercise and that they've done it before.

One company is Westinghouse Security Electronics (WSE), which manufactured our physical access control system. One of its standard proximity cards appears to come with a built-in smart card. If I can confirm that WSE uses an industry-standard format for its smart cards, it may all be a very simple exercise. The other firm is RSA Security Inc., one of the best-known companies in the crypto world. An RSA representative dismisses the problem as trivial and says they've worked with Westinghouse plenty of times before.

If things continue to go this well, the prototype might be very easy to cobble together. My next task will be to try to make sure I'm choosing the right type of smart card, as I don't want to buy a solution that can't be used for anything else. As I know relatively little about the smart-card industry, I'm approaching this one like a true consultant - I know a man who is an expert on the subject, so I shall bribe him with an exceptionally nice lunch and pick his brains. That's the sort of work I like!

• This journal is written by a real security manager, "Jude Thaddeus," whose name and employer have been disguised for obvious reasons. It's posted weekly at www.computerworld.com and at www.sans.org to help you and your security manager better solve security problems. Contact him at jude.t@lycos.com or head to the forums. (Note: Registration required to post message; anyone may read messages.)


Copyright © 2000 IDG Communications, Inc.
