loading...

How's modern encryption like?

yujiri8 profile image Ryan Westlund Updated on ・2 min read

I got into PGP under the impression it was kind of the gold standard of encryption. But more recently I've been hearing people saying its outdated, about things like saltpack and a Hacker News discussion on someone saying PGP was outmoded.

I've seen a whole bunch of new stuff mentioned (eg. here) that sounds like it's supposed to replace PGP: NaCl/libsodium/saltpack, AGE, OTR, probably a few others that slipped my mind, and there's also the MessagePack vs CBOR thing which I haven't researched.

What I'm trying to find out is what if any alternative to PGP I should be switching to.

I understand there are some differences in use case (eg. OTR proves authentication only to the recipient while PGP messages are either unauthenticated or unrepudiable). But my feeling is that differences like that shouldn't require entirely different formats; I would be surprised if it wasn't possible for the same format to provide both options. I don't know if NaCl/libsodium/saltpack do or not.

My understanding of NaCl vs libsodium is that NaCl was abandoned and libsodium is the surviving fork, but it's difficult to find anything super clear on it. I don't know if the saltpack implementations linked from saltpack.org use old NaCl or libsodium. I do know saltpack is developed by Keybase and saltpack.org doesn't mention any other places it's used (but doc.libsodium.org listed a ton of places libsodium was used). Does anyone use saltpack outside of Keybase?

It's hard to find any clear guide on how to actually use NaCl/libsodium/saltpack or whichever I would be using. Eg. how are keys meant to be generated? Do you just generate 32 random bytes or whatever and they don't have any metadata? The only use guide I found on it was for the C library, and its API is so huge and confusing I would not touch with a ten-foot pole.

I'm also not sure if OTR is meant to be used outside of a hosted app or if that's even practical.

Posted on by:

yujiri8 profile

Ryan Westlund

@yujiri8

I'm a programmer, writer, and philosopher. My Github account is yujiri8; all my content besides code is at yujiri.xyz.

Discussion

pic
Editor guide
 

PGP as a personal key manager has alternatives like KeePass, 1Password, LastPass, etc.

PGP as Web Of Trust has no alternative, but it has competitors in the Public Key Infrastructure (PKI) space. There is the much more widely used X.509, underlying TLS between web browsers and servers and most other systems.

PGP is one level higher than the cryptography primitives like NaCl. The likes of NaCl are AES-GCM, RSA, Elliptic Curve, etc. The encrypting and signing part of PGP have alternatives like age and signify.

NaCl is not abandoned; it is finished. It is thoroughly tested and validated, and published as an academic paper. But it only works on UNIX, and you have to build it from source yourself. libsodium is a community effort to port NaCl to more operating systems and to package it for package managers.

saltpack is a message format using NaCl. Its alternatives are PGP (yeah the message format part) and S/MIME.

For usage of libsodium, you are really supposed to use only five functions:

  • crypto_secretbox_easy for secret key encryption
  • crypto_secretbox_open_easy for secret key decryption
  • crypto_box_keypair for generating a pair of public and private keys
  • crypto_box_easy for public key encryption
  • crypto_box_open_easy for public key decryption