OpenSSL instead of PGP for message signing and encryption? Really?

Over the last several years, I've seen more developers use OpenSSL for file and message signing and encryption, where in the past we would have used PGP/gnupg/OpenPGP. Is this wise, is it essentially throwing away the work that went into the PGP web of trust, and should we worry about it, or just go with the flow? I'm guessing one reason for OpenSSL's inroads into signing is that the APIs for PGP have been pretty slim (I was one of the earlier authors of Python's 'gnupg.py' workaround; desperation leads to desperate code...). Anyone have any strong opinions about this? Does the value of PGP's web of trust outweigh the implementation headaches, or is it time to move on? OpenSSL is certainly a crypto Swiss army knife, can do signing and file encryption just fine, and has better APIs, but frankly, the top-down SSL certificate infrastructure makes my skin crawl.

Now I'm at the point where I need to pick a crypto suite for a new open source peer-to-peer application. The application is message-based rather than stream-based, will use websockets between peers for message framing at the network layer, and needs both wire and on-disk encryption and signing. Because SSL and websockets go so great together, I'm finding myself wanting to use OpenSSL for the on-disk crypto as well, rather than shoehorn PGP in there and have to manage two cryptosystems. I could use PGP for both wire and disk, but I'm concerned about message rates -- perhaps hundreds or thousands of messages per second, with most messages being generated and parsed by machine. This is not exactly in the sweet spot of PGP's intended use case. If I pretend that PGP never existed in the first place, I'm finding that using OpenSSL is a great way to do wire encryption, counterparty authentication, and message and file signing and encryption.

I'm even thinking I could, just maybe, build an entire web-of-trust-like SSL certificate infrastructure right into my shiny new application, encourage signing parties among users to populate it, and bypass the SSL certificate racket. But that feels so... redundant. Sean Lynch's answer below points out the NaCl library as another alternative; he has a Python library for it: https://github.com/seanlynch/pynacl. What am I otherwise missing, either pro or con?

Answer:

OpenSSL is a perfectly acceptable solution to this problem. PGP is designed for encrypting and signing messages between people. The relative lack of APIs and the Web of Trust model both reflect that. It's adaptable for other, more automated tasks as well -- the Debian package repository comes to mind -- but it has far fewer options and isn't as automated as OpenSSL.

OpenSSL is, as you said, a Swiss army knife. You need to be more careful with it, as the many options give you many ways to screw up. But the flexibility is also very powerful. Unlike PGP, it's primarily designed to be used programmatically, though it can be used from the command line as well. It is definitely a better choice for the wire than PGP, and it's not worse for on-disk encryption, just slightly easier to get wrong. PGP's web of trust model is sometimes what you want -- perhaps for peer-to-peer? -- but the OpenSSL PKI is more useful most of the time.

You might also consider a special-purpose library like NaCl. NaCl is blazing fast, but isn't very flexible, it's a pain to build, and it can be kind of tricky to get the design right sometimes. Some mistakes are harder to make with NaCl, but some are also easier. I'd probably stick with OpenSSL.

Michael Hamburg at Quora

Other answers

Just a short answer (answering my own question) to maybe think in terms of some sort of hybrid, sharing keys between cryptosystems. Might be more work than it's worth, but since this is a new app and I'm willing to build some key management infrastructure, it's worth at least considering. Here's one howto: http://www.sysmic.org/dotclear/index.php?post%2F2010%2F03%2F24%2FConvert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL. Monkeysphere (http://web.monkeysphere.info/) wants to re-use the PGP web of trust for both SSL and SSH as well.

Steve Traugott

There are a bajillion different forks of pynacl, not to mention independent implementations and wrappers for Sodium (http://labs.umbrella.com/2013/03/06/announcing-sodium-a-new-cryptographic-library/), so I wouldn't necessarily recommend using mine. I have been accepting pull requests (slowly, since for some reason I keep missing notifications from GitHub), but I haven't been doing any work on it myself because I don't have any current projects using NaCl. Sodium seems a lot easier to build and more portable, so I'd recommend using something that wraps that.

I really like the different cryptosystems used by NaCl. 255 bit keys? Resistance against timing and cache attacks? Sign me up! The biggest problem I've run into is that the primitives it supplies are fairly high level and don't necessarily do the things I want. Want to encrypt to more than one person? Sorry! Gotta roll your own function on top of the lower level ones. Want perfect forward security? Sorry! Anyone who gets a hold of your private key can decrypt everything you've ever received unless you roll your own DH key exchange and Ed25519 authentication. Still, this is the same problem you face with any other crypto libraries, and at least NaCl gives you SOME higher level primitives. It's just not a complete set, though that kind of blows Bernstein's entire approach out of the water, because most people using NaCl will want to stray outside the primitives he's provided, and as soon as they do, they're off in the same crypto minefield Bernstein wanted to rescue them from.

GnuPG's web of trust is nice, but that's about the only thing it has going for it. It's a monolithic CLI, not a library, and GPGME (http://www.gnupg.org/related_software/gpgme/) just makes it easier to call the CLI from a program. This has limited its use in other software; people tend to go with OpenSSL since it's a library. Netpgp might be better, but I haven't really looked at it. It seems like the entire PGP line has been stagnant for quite a while now; your choices are about the same now as five years ago.

The big problem with crypto (in fact all security) apps, though, is their crappy UIs. They're especially hard to get right, because security is hard. A new app with the "right" UI could eclipse GPG's web of trust in a few weeks just by getting non-crypto-geeks to use it. But you're not going to get people to go to signing parties. Remember, non-geeks. The approach at http://wiki.cacert.org/PgpSigning is less secure than having someone verify your identity and key fingerprint in person, but it's a lot closer to the "right" thing because it's far more convenient to use. After all, crypto you don't use is worthless. Besides, the PGP keysigning party guidelines suggest you do things like verifying government-issued ID, because the statement you're making by signing the key is that the key belongs to the real-world entity who legally goes by such and such a name, etc. We don't actually need such strong statements the vast majority of the time. What we really care about is that the person we're communicating with today is the same as the person we were communicating with yesterday. Hearing from a bunch of other people that they've also communicated with that person using that key, à la the Perspectives project (http://perspectives-project.org/), should be sufficient to that task.

Sean Lynch
