If I send a plaintext e-mail using Gmail to somebody, including my PGP public key block, is that secure?

Question

I've been trying to figure out "practical encryption" (AKA "PGP") for many years. As far as I can tell, this is not fundamentally flawed:

1. I know Joe's e-mail address: cool_joe@gmail.com.
2. I have a Gmail e-mail address: me_78@gmail.com.
3. I have GPG installed on my PC.
4. I send a new e-mail to Joe consisting of the "PGP PUBLIC KEY BLOCK" extracted from GPG.
5. Joe received it and can now encrypt a text using that "PGP PUBLIC KEY BLOCK" of mine, reply to my e-mail, and I can then decrypt it and read his message. Inside this message, Joe has included his own such PGP public key block.
6. I use Joe's PGP public key block to reply to his message, and from this point on, we only send the actual messages (no key) encrypted with each other's keys, which we have stored on our PCs.

Is there anything fundamentally wrong/insecure about this? Some concerns:

1. By simply operating the e-mail service, Google knows my public key (but not Joe's, since that is embedded inside the encrypted blob). This doesn't actually matter, though, does it? They can't do anything with my public key? The only thing it can be used for is to encrypt text one-way which only I can decrypt, because only I have the private key on my computer?
2. If they decide to manipulate my initial e-mail message, changing the key I sent to Joe, then Joe's reply will be unreadable by me, since it's no longer encrypted using my public key, but Google's intercepted key. That means Joe and I won't be having any conversation beyond that initial e-mail from me and the first reply by him (which Google can read), but after that, nothing happens since I can't read/decrypt his reply?

Answer 1

As Steffen already said, the Achilles' heel on your security is making sure you are talking to Joe, and Joe being sure he is talking to you. If the initial key exchange is compromised, the third party will be able to read your messages, reencrypt and send to Joe, and vice versa.

The crypto does not matter unless you solve this issue. That's why on the HTTPS world, there's a special entity named CA (Certificate Authority). The CA is to make sure Google cannot obtain a certificate for Facebook, and so on. So unless a rogue CA issued the certificate, you can navigate to Google, and be sure you are on Google.

The initial key transfer is the critical one, and this can be done in a couple ways:

• in person
• by out-of-band message (tweet, Instagram post, snail-mail)
• referral by a friend in common (you know Bill, have his key saved, and Bill knows both of you, and shares both keys)

After this exchange, your setup is pretty solid.

Answer 2

If they decide to manipulate my initial e-mail message, changing the key I sent to Joe, then Joe's reply will be unreadable by me, since it's no longer encrypted using my public key, but Google's intercepted key. That means Joe and I won't be having any conversation beyond that initial e-mail ...

As long as you can be sure that they can only man-in-the-middle the initial mail then this is true. But if they can man-in-the-middle the following mails too then they could simply decrypt the message from Joe to you because it was actually encrypted to them and can encrypt it again for you since they know your public key.

To setup secure communication for email you would need to have some other secure communication channel already to exchange or at least verify the public key since otherwise a MITM could simply claim these identities and nobody could detect this.

Answer 3

This approach is very secure as soon as you can trust the email provider (namely, Google).

All other answers on MITM attacks are true in general. In this particular case, when operating within the same provider, additional considerations can be made with success.

1. Joe can't be (easily) impersonated

Since a decade ago, anyone can send you a crafted email coming from "a guy named Joe", or even from donaldjaytrump@whitehouse.gov with what looks to be Joe's public key. Smallest providers (very, very, small email servers) might not enforce SPF policy.

Within the same email provider, and that is true for Gmail, additional checks are made to ensure nobody can forge a Gmail sender address. One has to hack Joe's account, which is out of the scope.

In short, assuming that Joe can't be hacked is enough to say that Joe can't be impersonated by malicious third party, and mail coming from Joe comes really from Joe from Joe's email account.

2. You (must) trust your own provider

Since you use the same provider, I have to assume that you trust it. No matter how Google, in this particular case, is trustworthy, from a security standpoint there is one attack vector left. The provider should be rogue enough to change Joe's public key with a forged public key to disrupt secure communication.

What I mean is that the only actor capable of breaking security of your conversation is Google Inc. themselves, because both of point #1 and because emails don't leave their own systems.

Answering your concerns

Google knows my public key (but not Joe's, since that is embedded inside the encrypted blob). This doesn't actually matter, though, does it? They can't do anything with my public key? The only thing it can be used for is to encrypt text one-way which only I can decrypt, because only I have the private key on my computer?

Assuming break of point 2, Google can impersonate you and alter your own public key with a key they know, and re-encrypt and re-sign the message at their will.

They have only one chance of action, and that is your first email "Hello Joe, this is my public key ABCDEF"

If they decide to manipulate my initial e-mail message, changing the key I sent to Joe, then Joe's reply will be unreadable by me, since it's no longer encrypted using my public key, but Google's intercepted key. That means Joe and I won't be having any conversation beyond that initial e-mail from me and the first reply by him (which Google can read), but after that, nothing happens since I can't read/decrypt his reply?

Google will have to eavesdrop and transcode the messages you exchange. If that happens, you won't be able to detect the attack, because both have initially put trust on the wrong key.

---

Email MITM example (with Alice, Bob, Charlie)

Charlie is a rogue email service provider

Alice (via Charlie):

Hello Bob, this is my public key ABC983 (attached key material)

Charlie generates a new keypair and replaces message

Hello Bob, this is my public key ZZZ765 (attached key material)

Bob receives the text, encrypts a new message with key ZZZ765, which is a rogue key, and stores ZZZ765 in his trust store. Then sends the following email to Charlie for delivery

Nice to meet you Alice, please use DEX258 as my key.

---Encrypted using ZZZ765, signed using DEX258---

Charlie intercepts the email, decrypts using ZZZ765 to get the plaintext, then generates yet a new keypair.

Charlie delivers the following email to Alice

Nice to meet you Alice, please use FGN754 as my key

---Encrypted using ABC983, signed with FGN754---

Alice will trust the rogue key FGN754 in their trust store.

Both parties will swear that they have genuinely talked each other securely until the day they meet at a bar, in person.

To their surprise, they will discover that they used the wrong keys and that the original emails differ from their "Sent mail" folder. End of the story

Answer 4

In your scenario, the PGP key that you send to Joe can be manipulated in-transit, and Joe won't be able to notice it unless you make use of one out the following solution approaches built into PGP:

The initial public key exchange is crucial, but there are solutions to it. For X.509 certificates (as used for S/MIME), that same problem is solved using hierarchically organized certificate authorities. In that system, a certificate can be trusted if it is signed by a trusted CA. The PGP approach to it is the web of trust which more or less means that anyone can sign a key, and whether or not that signature can be trusted depends on your personal trust in the signer.

So to apply this mechanism to your problem, if your key is signed by a third party who is trusted by Joe, then it is impossible to manipulate the key in-transit in a way that would go unnoticed because the manipulator would not be able to sign the manipulated key in the name of the third party. Note that if the key is signed by a trusted third party, the key can be obtained from any source, and that is how PGP key servers are supposed to work.

If there is no third party that is trusted by you or Joe, then you can still send your public key to Joe, but you would have to verify that the key received by Joe has not been modified en route in another way. To do so, you can tell him your key's fingerprint, but you would need to do that on an independent channel. For example, it is not unusual to publish the fingerprint on a web site. Unless that web site is hosted by Google, it is very improbable that it could be manipulated to fit the manipulated key.

Answer 5

It creates a one time opportunity for an attacker to MITM (man in the middle) your certificate exchange and offer a different one instead. Hypothetically they could intercept and forward every message you send re-encrypted with the new attacker key. There are several mitigating factors though.

If both of you use the webmail client for gmail, there is minimal opportunity for an attacker to mess with your email, even though SMTP is not actually super secure.

After the key exchange you will know you are mailing the same person, whether attacker or legitimate. It is essentially a trust on first use thing, there are no further opportunities for an attack to happen.

The attacker would need to essentially MITM all if your emails, if they constantly got lost it would be a red flag.

There are suggestions that they entire key needs to be exchanged in a secure channel, this is false. You can email the public key block and then call or meet in person to exchange the certificate thumbprint--a secure hash of the key--to verify that it is valid.

Answer 6

As others have pointed out, in your scenario, Google is in the position to be a man-in-the-middle for your initial message sending your public key to Joe. One thing that can be helpful is to publish your public key in multiple locations. So, you publish your public key on your website (not hosted by google), on github and facebook and hacker news and reddit and stackexchange and on multiple public key servers, or on a billboard or an ad in the New York Times or a post in an anonymous newsgroup or a random forum or whatever (and in fact, services like keybase.io allow you to link a lot of those things to your pgp public key with a verifiable signature). Then, you can list all the places you put your public key, and sign the whole message with the same key. Google, or anyone else, is unlikely to be able to modify all those places.

However, since Google also owns a trusted CA, and Google's Chrome browser is also widely used, if Google wanted to target you, it seems possible that they could make their browser trust the altered version of any public site. To do this, they'd have to either issue another certificate to all the third party sites that listed your key (and Certificate Transparency is designed to mitigate this kind of attack), or they'd have to do a bit of post-download manipulation in Chrome, and even that would be easy to detect by comparing output in Firefox and Chrome.

Answer 7

That is correct. The public key is freely distributable. Anybody who has your public key can encrypt messages and send them to you. Only the private key (which you should never distribute) can decrypt the messages.

• Public Key = Encrypt
• Private Key = Decrypt

However, the limitation is if you send someone your public key they can only encrypt messages sent to you. This is a one-way encryption scheme and not totally secure since anyone can intercept and read the unencrypted messages you send to someone else. You would also need to obtain their public key to be able to encrypt messages you send to them.

A user may intercept an encrypted message but there is no ability to read encrypted messages using the public key as far as I know. I think what others are referring to is if you're communicating with Joe and a third user, Sam, is introduced. If Sam has your public key he could potentially send an encrypted message to you pretending to be Joe. You likely would still know that Sam isn't Joe because their public keys aren't the same and/or you don't have Sam's public key. If you tried to send an encrypted message back to Sam it wouldn't work.

Most casual users of email don't have a private/public key pair to send encrypted email. I'm sure even if they did it would promptly be blocked by their email provider and the NSA since there's no ability to intercept the message, read what's in there and gain the financial upper hand over them.

Answer 8

Like many things in life, the answer is yes and no. Per your questions:

1. You're right, there's no problem about the world knowing your public key - that's why it is called Public Key
2. No, you're wrong on that. Since your service provider controls your service, it can act as a perfect Man In The Middle and intercept all your corresponding with Joe. Now, if your service provider intercepts those emails and stops them from reaching your inbox while Joe believes he's in a relationship with you and that the emails between you and him are private, and you think that there's nothing going on between Joe and you, well....now Joe is sharing his private thoughts with someone which is not you :(

Conclusion: You better send your Public Key via a different channel, a channel which can't intercept your conversations.