Thursday, January 23, 2014

S/MIME and PGP differences

For email security we are faced with two common methods, S/MIME and PGP. Below is a one-on-one comparison of some of the differences between these two.

S/MIME vs. PGP (GnuPG):

  • Trust model: S/MIME uses a chain of trust via a CA (the trusted-body approach); PGP is not centralized on any one CA or root authority.
  • Integration: S/MIME is easier to integrate into most mail systems (Windows, for example); PGP is not as easy to implement in most mail systems.
  • Compromise: with S/MIME, if any part of the CA chain is compromised, the whole chain is compromised; this is not an issue with PGP.
  • Certificate format: S/MIME certificates are based on X.509; PGP keys are not X.509 compliant.
  • Lifetime: with S/MIME the lifetime is based on certificate expiration (you will have to buy and renew certificates); earlier PGP implementations gave keys a lifetime of forever.
  • Key distribution: S/MIME has no such thing as certificate distribution, it uses the hierarchical CA root model; PGP public keys are distributed manually or via keyservers.
  • Cost: S/MIME costs money (MTA server, certificates, etc.); with GnuPG it's 100% free.
  • Security: PGP is more secure due to being decentralized (<-- my opinion).
  • Scope: S/MIME supports MIME attachments only; PGP does mail encryption and much more (e.g. disk encryption).
  • Public-key algorithms: S/MIME uses RSA public keys; PGP supports RSA, DH, Elgamal, etc.
  • Ciphers: the ciphers supported by S/MIME clients are fewer than those of GnuPG; PGP cipher support is slightly more than what S/MIME clients support.

Both methods provide the end user with security and close the gap within the SSL/TLS island, as mentioned in some of my earlier postings.

How secure one is over the other really depends on whether you believe in the CA model or the web of trust. Since the CA model builds reputation and trust via a selected authority, it places all security risk within that authority and its delegation.


  • What if a CA is compromised?
  • What if a CA has issued a forged certificate?
  • What if they are working behind the scenes with the government and selling you and me out ;)

History has already seen problems with central CA root authorities (look at the past incidents involving Google, Comodo and DigiNotar for examples).
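To make the "what if a CA is compromised" point concrete, here is an added simulation (not part of the original post, and not GnuPG or any S/MIME client's code) that models both trust rules on constructed names. Signatures are abstract "signer vouches for subject" edges rather than real cryptography, so it runs offline; the CA rule follows the post's statement that a compromised link poisons the whole chain, and the web-of-trust rule follows GnuPG's classic validity rule of one fully trusted signer or three marginally trusted ones. The names (Root CA, Intermediate CA, alice, dave, m1...) are constructed for the example.

```python
"""Toy simulation of the two trust models compared above: the hierarchical
CA chain behind S/MIME and the web of trust behind PGP/GnuPG.

Signatures are modelled as abstract "signer vouches for subject" edges on
constructed names; no real cryptography is involved. The point is to run the
trust-evaluation rules and watch what one compromised signer takes down.
"""
from collections import defaultdict

FULL, MARGINAL = "full", "marginal"


class CaHierarchy:
    """S/MIME-style trust: each certificate has exactly one issuer, and a
    certificate is valid only if its chain ends at a trusted root and no
    issuer on that chain is known to be compromised."""

    def __init__(self, trusted_roots):
        self.trusted_roots = set(trusted_roots)
        self.issuer_of = {}       # subject -> issuer
        self.compromised = set()  # issuers whose key is known to be compromised

    def issue(self, issuer, subject):
        self.issuer_of[subject] = issuer

    def chain(self, subject):
        """Walk from the subject up to the root (or as far as we know)."""
        path = [subject]
        while path[-1] in self.issuer_of and len(path) < 64:  # length guard against cycles
            path.append(self.issuer_of[path[-1]])
        return path

    def is_valid(self, subject):
        path = self.chain(subject)
        if path[-1] not in self.trusted_roots:
            return False
        # A compromised issuer anywhere on the path poisons every certificate below it.
        return not any(issuer in self.compromised for issuer in path[1:])


class WebOfTrust:
    """PGP-style trust following GnuPG's classic rule: a key is valid if it
    carries a signature from one fully trusted introducer, or from
    `marginals_needed` (default 3) marginally trusted ones."""

    def __init__(self, marginals_needed=3):
        self.signers_of = defaultdict(set)  # subject key -> keys that signed it
        self.owner_trust = {}               # key -> FULL or MARGINAL, as set by the key owner
        self.compromised = set()
        self.marginals_needed = marginals_needed

    def sign(self, signer, subject):
        self.signers_of[subject].add(signer)

    def trust(self, key, level):
        self.owner_trust[key] = level

    def is_valid(self, subject):
        full = marginal = 0
        for signer in self.signers_of[subject]:
            if signer in self.compromised:
                continue  # signatures from a compromised introducer no longer count
            level = self.owner_trust.get(signer)
            if level == FULL:
                full += 1
            elif level == MARGINAL:
                marginal += 1
        return full >= 1 or marginal >= self.marginals_needed


def blast_radius_demo():
    """Compromise one signer in each model and report which user keys survive."""
    users = ("alice", "bob", "carol")

    # S/MIME-like hierarchy (constructed): Root CA -> Intermediate CA -> three users.
    ca = CaHierarchy(trusted_roots={"Root CA"})
    ca.issue("Root CA", "Intermediate CA")
    for user in users:
        ca.issue("Intermediate CA", user)
    ca_before = {u: ca.is_valid(u) for u in users}
    ca.compromised.add("Intermediate CA")   # one intermediate key leaks
    ca_after = {u: ca.is_valid(u) for u in users}

    # PGP-like web (constructed): alice is signed by two full introducers,
    # bob by one, carol by three marginal ones.
    wot = WebOfTrust()
    wot.trust("dave", FULL)
    wot.trust("erin", FULL)
    for m in ("m1", "m2", "m3"):
        wot.trust(m, MARGINAL)
        wot.sign(m, "carol")
    wot.sign("dave", "alice")
    wot.sign("erin", "alice")
    wot.sign("dave", "bob")
    wot_before = {u: wot.is_valid(u) for u in users}
    wot.compromised.add("dave")             # one introducer key leaks
    wot_after = {u: wot.is_valid(u) for u in users}

    return {"ca_before": ca_before, "ca_after": ca_after,
            "wot_before": wot_before, "wot_after": wot_after}


if __name__ == "__main__":
    for name, result in blast_radius_demo().items():
        print(f"{name:10s} {result}")
```

Running it shows the difference in blast radius: losing the intermediate CA invalidates every certificate beneath it, while losing one PGP introducer only affects keys whose validity depended on that introducer alone (bob here; alice and carol still pass). In real deployments the CA side is mitigated by revocation (CRLs/OCSP) and the PGP side by revocation certificates pushed to keyservers; the simulation deliberately leaves both out to isolate the trust rules themselves.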

In conclusion:

Mail security should not be taken lightly. With email still being a main method for delivering information and data, we should always keep security in mind within our daily email practices.

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ^   ^  )=
       /     \
