How PGP works (2024)

This introduction is available on-line at http://www.pgpi.org/doc/pgpintro/

How PGP works

How PGP works (1)

The following text is taken from chapter 1 of the document Introduction to Cryptography in the PGP 6.5.1 documentation. Copyright © 1990-1999 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved. Converted from PDF to HTML at http://access.adobe.com/ and then manually edited by hand.

  • The Basics of Cryptography
    • Encryption and decryption
    • What is cryptography?
      • Strong cryptography
      • How does cryptography work?
    • Conventional cryptography
      • Caesar's Cipher
      • Key management and conventional encryption
    • Public key cryptography
    • How PGP works
    • Keys
    • Digital signatures
      • Hash functions
    • Digital certificates
      • Certificate distribution
      • Certificate formats
    • Validity and trust
      • Checking validity
      • Establishing trust
      • Trust models
    • Certificate Revocation
      • Communicating that a certificate has been revoked
    • What is a passphrase?
    • Key splitting

The Basics of Cryptography

When Julius Caesar sent messages to his generals, he didn't trust his messengers. So he replaced every A in his messages with a D, every B with an E, and so on through the alphabet. Only someone who knew the "shift by 3" rule could decipher his messages.

And so we begin.

Encryption and decryption

Data that can be read and understood without any special measures is called plaintext or cleartext. The method of disguising plaintext in such a way as to hide its substance is called encryption. Encrypting plaintext results in unreadable gibberish called ciphertext. You use encryption to ensure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data. The process of reverting ciphertext to its original plaintext is called decryption. Figure 1-1 illustrates this process.

Figure 1-1. Encryption and decryption

What is cryptography?

Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient.

While cryptography is the science of securing data, cryptanalysis is the science of analyzing and breaking secure communication. Classical cryptanalysis involves an interesting combination of analytical reasoning, application of mathematical tools, pattern finding, patience, determination, and luck. Cryptanalysts are also called attackers.

Cryptology embraces both cryptography and cryptanalysis.

Strong cryptography

"There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter."

-- Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C.

PGP is also about the latter sort of cryptography. Cryptography can be strong or weak, as explained above. Cryptographic strength is measured in the time and resources it would require to recover the plaintext. The result of strong cryptography is ciphertext that is very difficult to decipher without possession of the appropriate decoding tool. How difficult? Given all of today's computing power and available time — even a billion computers doing a billion checks a second — it is not possible to decipher the result of strong cryptography before the end of the universe.

One would think, then, that strong cryptography would hold up rather well against even an extremely determined cryptanalyst. Who's really to say? No one has proven that the strongest encryption obtainable today will hold up under tomorrow's computing power. However, the strong cryptography employed by PGP is the best available today. Vigilance and conservatism will protect you better, however, than claims of impenetrability.

How does cryptography work?

A cryptographic algorithm, or cipher, is a mathematical function used in the encryption and decryption process. A cryptographic algorithm works in combination with a key — a word, number, or phrase — to encrypt the plaintext. The same plaintext encrypts to different ciphertext with different keys. The security of encrypted data is entirely dependent on two things: the strength of the cryptographic algorithm and the secrecy of the key.

A cryptographic algorithm, plus all possible keys and all the protocols that make it work comprise a cryptosystem. PGP is a cryptosystem.

Conventional cryptography

In conventional cryptography, also called secret-key or symmetric-key encryption, one key is used both for encryption and decryption. The Data Encryption Standard (DES) is an example of a conventional cryptosystem; it was widely employed by the US Federal Government when this text was written, and has since been withdrawn in favour of AES because its 56-bit key is too short. Figure 1-2 is an illustration of the conventional encryption process.

Figure 1-2. Conventional encryption

Caesar's Cipher

An extremely simple example of conventional cryptography is a substitution cipher. A substitution cipher substitutes one piece of information for another. This is most frequently done by offsetting letters of the alphabet. Two examples are Captain Midnight's Secret Decoder Ring, which you may have owned when you were a kid, and Julius Caesar's cipher. In both cases, the algorithm is to offset the alphabet and the key is the number of characters to offset it.

For example, if we encode the word "SECRET" using Caesar's key value of 3, we offset the alphabet so that the 3rd letter down (D) begins the alphabet.

So starting with

ABCDEFGHIJKLMNOPQRSTUVWXYZ

and sliding everything up by 3, you get

DEFGHIJKLMNOPQRSTUVWXYZABC

where D=A, E=B, F=C, and so on.

Using this scheme, the plaintext, "SECRET" encrypts as "VHFUHW." To allow someone else to read the ciphertext, you tell them that the key is 3.

Obviously, this is exceedingly weak cryptography by today's standards, but hey, it worked for Caesar, and it illustrates how conventional cryptography works.
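The shift cipher above, as an added example that is not part of the original PGP documentation: Python code that implements the "slide the alphabet" algorithm with the shift as the key, and then shows why it is weak by recovering the key with nothing but a word list. The sample message and the tiny word list standing in for an English dictionary are constructed for this demonstration.

```python
from __future__ import annotations

import string

ALPHABET = string.ascii_uppercase  # the algorithm works on the 26 upper-case letters


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every upper-case letter forward by `key` places (mod 26).
    Characters outside A-Z (spaces, digits, lower case) pass through unchanged,
    so a negative or oversized key is also accepted."""
    key %= 26
    shifted = ALPHABET[key:] + ALPHABET[:key]   # the "slid" alphabet: D E F ... Z A B C for key 3
    return plaintext.translate(str.maketrans(ALPHABET, shifted))


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the opposite shift."""
    return caesar_encrypt(ciphertext, -key)


def brute_force(ciphertext: str, dictionary: set[str]) -> list[tuple[int, str]]:
    """Try all 25 non-trivial keys and keep those whose output consists of dictionary
    words only. The key space is so small that the attacker never needs to be told
    the key; that is what makes a substitution cipher weak, not the secrecy of the rule."""
    hits = []
    for key in range(1, 26):
        candidate = caesar_decrypt(ciphertext, key)
        words = candidate.split()
        if words and all(word in dictionary for word in words):
            hits.append((key, candidate))
    return hits


# Constructed sample: a toy word list standing in for an English dictionary.
SAMPLE_WORDS = {"ATTACK", "AT", "DAWN", "SECRET", "MEETING", "IS", "THE"}

if __name__ == "__main__":
    ct = caesar_encrypt("ATTACK AT DAWN", 3)
    print(ct)                              # DWWDFN DW GDZQ
    print(brute_force(ct, SAMPLE_WORDS))   # [(3, 'ATTACK AT DAWN')]
```

With a real dictionary the same loop recovers the key for any Caesar ciphertext of a few words; the only thing the attacker needs is a way to recognise plaintext, which is the pattern finding the cryptanalysis paragraph above refers to.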

Key management and conventional encryption

Conventional encryption has benefits. It is very fast. It is especially useful for encrypting data that is not going anywhere. However, conventional encryption alone as a means for transmitting secure data can be quite expensive simply due to the difficulty of secure key distribution.

Recall a character from your favorite spy movie: the person with a locked briefcase handcuffed to his or her wrist. What is in the briefcase, anyway? It's probably not the missile launch code/biotoxin formula/invasion plan itself. It's the key that will decrypt the secret data.

For a sender and recipient to communicate securely using conventional encryption, they must agree upon a key and keep it secret between themselves. If they are in different physical locations, they must trust a courier, the Bat Phone, or some other secure communication medium to prevent the disclosure of the secret key during transmission. Anyone who overhears or intercepts the key in transit can later read, modify, and forge all information encrypted or authenticated with that key. From DES to Captain Midnight's Secret Decoder Ring, the persistent problem with conventional encryption is key distribution: how do you get the key to the recipient without someone intercepting it?

Public key cryptography

The problems of key distribution are solved by public key cryptography, the concept of which was introduced by Whitfield Diffie and Martin Hellman in 1975. (There is now evidence that cryptographers at the British government's GCHQ invented it a few years before Diffie and Hellman, but kept it a military secret — and did nothing with it. [J H Ellis: The Possibility of Secure Non-Secret Digital Encryption, CESG Report, January 1970])

Public key cryptography is an asymmetric scheme that uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private, or secret key for decryption. You publish your public key to the world while keeping your private key secret. Anyone with a copy of your public key can then encrypt information that only you can read. Even people you have never met.

It is computationally infeasible to deduce the private key from the public key. Anyone who has a public key can encrypt information but cannot decrypt it. Only the person who has the corresponding private key can decrypt the information.


Figure 1-3. Public key encryption

The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. Some examples of public-key cryptosystems are Elgamal (named for its inventor, Taher Elgamal), RSA (named for its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman), Diffie-Hellman (named, you guessed it, for its inventors), and DSA, the Digital Signature Algorithm (invented by David Kravitz).

Because conventional cryptography was once the only available means for relaying secret information, the expense of secure channels and key distribution relegated its use only to those who could afford it, such as governments and large banks (or small children with secret decoder rings). Public key encryption is the technological revolution that provides strong cryptography to the adult masses. Remember the courier with the locked briefcase handcuffed to his wrist? Public-key encryption puts him out of business (probably to his relief).

How PGP works

PGP combines some of the best features of both conventional and public key cryptography. PGP is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. Most cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. Compression reduces these patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis. (Files that are too short to compress or which don't compress well aren't compressed.) Compression is not a substitute for a strong cipher, and it has a cost worth knowing: the compressed length depends on the content, so the length of the ciphertext can reveal something about the plaintext when an attacker can choose part of what gets encrypted.

PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.


Figure 1-4. How PGP encryption works

Decryption works in the reverse. The recipient's copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext.


Figure 1-5. How PGP decryption works

The combination of the two encryption methods combines the convenience of public key encryption with the speed of conventional encryption. Conventional encryption is roughly 1,000 times faster than public key encryption. Public key encryption in turn provides a solution to key distribution and data transmission issues. Used together, performance and key distribution are improved without any sacrifice in security.

Keys

A key is a value that works with a cryptographic algorithm to produce a specific ciphertext. Keys are basically really, really, really big numbers. Key size is measured in bits; the number representing a 1024-bit key is darn huge. In public key cryptography, the bigger the key, the more secure the ciphertext.

However, public key size and conventional cryptography's secret key size are totally unrelated. A conventional 80-bit key has the equivalent strength of a 1024-bit public key (of the RSA or Diffie-Hellman kind). A conventional 128-bit key is equivalent to a 3000-bit public key. Again, the bigger the key, the more secure, but the algorithms used for each type of cryptography are very different and thus comparison is like that of apples to oranges.

While the public and private keys are mathematically related, it's very difficult to derive the private key given only the public key; however, deriving the private key is always possible given enough time and computing power. This makes it very important to pick keys of the right size; large enough to be secure, but small enough to be applied fairly quickly. Additionally, you need to consider who might be trying to read your files, how determined they are, how much time they have, and what their resources might be.

Larger keys will be cryptographically secure for a longer period of time. If what you want to encrypt needs to be hidden for many years, you might want to use a very large key. Of course, who knows how long it will take to determine your key using tomorrow's faster, more efficient computers? There was a time when a 56-bit symmetric key was considered extremely safe.

Private keys are stored in encrypted form, protected by your passphrase. PGP stores the keys in two files on your hard disk; one for public keys and one for private keys. These files are called keyrings. As you use PGP, you will typically add the public keys of your recipients to your public keyring. Your private keys are stored on your private keyring. If you lose your private keyring, you will be unable to decrypt any information encrypted to keys on that ring.

Digital signatures

A major benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact. Thus, public key digital signatures provide authentication and data integrity. A digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information. These features are every bit as fundamental to cryptography as privacy, if not more.

A digital signature serves the same purpose as a handwritten signature. However, a handwritten signature is easy to counterfeit. A digital signature is superior to a handwritten signature in that it is nearly impossible to counterfeit, plus it attests to the contents of the information as well as to the identity of the signer.

Some people tend to use signatures more than they use encryption. For example, you may not care if anyone knows that you just deposited $1000 in your account, but you do want to be darn sure it was the bank teller you were dealing with.

The basic manner in which digital signatures are created is illustrated in Figure 1-6. Instead of encrypting information using someone else's public key, you encrypt it with your private key. If the information can be decrypted with your public key, then it must have originated with you. (This "encrypt with the private key" picture is a simplification that fits textbook RSA; signature algorithms such as DSA are not decryption run in reverse. The principle is the same in every case: only the holder of the private key can produce a value that the public key will accept.)


Figure 1-6. Simple digital signatures

Hash functions

The system described above has some problems. It is slow, and it produces an enormous volume of data — at least double the size of the original information. An improvement on the above scheme is the addition of a one-way hash function in the process. A one-way hash function takes variable-length input — in this case, a message of any length, even thousands or millions of bits — and produces a fixed-length output; say, 160 bits. The hash function ensures that, if the information is changed in any way — even by just one bit — an entirely different output value is produced. (The 160-bit figure is that of SHA-1, which PGP used with DSA keys when this was written; SHA-1 is no longer considered collision-resistant, and current OpenPGP implementations sign with SHA-2 digests of 256 bits or more.)

PGP uses a cryptographically strong hash function on the plaintext the user is signing. This generates a fixed-length data item known as a message digest. (Again, any change to the information results in a totally different digest.)

Then PGP uses the digest and the private key to create the "signature." PGP transmits the signature and the plaintext together. Upon receipt of the message, the recipient uses PGP to recompute the digest and check it against the signature with the signer's public key, thus verifying the signature. PGP can encrypt the plaintext or not; signing plaintext is useful if some of the recipients are not interested in or capable of verifying the signature.

As long as a secure hash function is used, there is no way to take someone's signature from one document and attach it to another, or to alter a signed message in any way. The slightest change in a signed document will cause the digital signature verification process to fail.


Figure 1-7. Secure digital signatures

Digital signatures play a major role in authenticating and validating other PGP users' keys.

Digital certificates

One issue with public key cryptosystems is that users must be constantly vigilant to ensure that they are encrypting to the correct person's key. In an environment where keys are freely exchanged via public servers, man-in-the-middle attacks are a potential threat. In this type of attack, someone posts a phony key with the name and user ID of the user's intended recipient. Data encrypted to — and intercepted by — the true owner of this bogus key is now in the wrong hands.

In a public key environment, it is vital that you are assured that the public key to which you are encrypting data is in fact the public key of the intended recipient and not a forgery. You could simply encrypt only to those keys which have been physically handed to you. But suppose you need to exchange information with people you have never met; how can you tell that you have the correct key?

Digital certificates, or certs, simplify the task of establishing whether a public key truly belongs to the purported owner.

A certificate is a form of credential. Examples might be your driver's license, your social security card, or your birth certificate. Each of these has some information on it identifying you and some authorization stating that someone else has confirmed your identity. Some certificates, such as your passport, are important enough confirmation of your identity that you would not want to lose them, lest someone use them to impersonate you.

A digital certificate is data that functions much like a physical certificate. A digital certificate is information included with a person's public key that helps others verify that a key is genuine or valid. Digital certificates are used to thwart attempts to substitute one person's key for another.

A digital certificate consists of three things:

  • A public key.
  • Certificate information. ("Identity" information about the user, such as name, user ID, and so on.)
  • One or more digital signatures.
The purpose of the digital signature on a certificate is to state that the certificate information has been attested to by some other person or entity. The digital signature does not attest to the authenticity of the certificate as a whole; it vouches only that the signed identity information goes along with, or is bound to, the public key.

Thus, a certificate is basically a public key with one or two forms of ID attached, plus a hearty stamp of approval from some other trusted individual.


Figure 1-8. Anatomy of a PGP certificate

Certificate distribution

Certificates are utilized when it's necessary to exchange public keys with someone else. For small groups of people who wish to communicate securely, it is easy to manually exchange diskettes or emails containing each owner's public key. This is manual public key distribution, and it is practical only to a certain point. Beyond that point, it is necessary to put systems into place that can provide the necessary security, storage, and exchange mechanisms so coworkers, business partners, or strangers could communicate if need be. These can come in the form of storage-only repositories called Certificate Servers, or more structured systems that provide additional key management features and are called Public Key Infrastructures (PKIs).

Certificate servers
A certificate server, also called a cert server or a key server, is a database that allows users to submit and retrieve digital certificates. A cert server usually provides some administrative features that enable a company to maintain its security policies — for example, allowing only those keys that meet certain requirements to be stored.

Public Key Infrastructures
A PKI contains the certificate storage facilities of a certificate server, but also provides certificate management facilities (the ability to issue, revoke, store, retrieve, and trust certificates). The main feature of a PKI is the introduction of what is known as a Certification Authority, or CA, which is a human entity — a person, group, department, company, or other association — that an organization has authorized to issue certificates to its computer users. (A CA's role is analogous to a country's government's Passport Office.) A CA creates certificates and digitally signs them using the CA's private key. Because of its role in creating certificates, the CA is the central component of a PKI. Using the CA's public key, anyone wanting to verify a certificate's authenticity verifies the issuing CA's digital signature, and hence, the integrity of the contents of the certificate (most importantly, the public key and the identity of the certificate holder).

Certificate formats

A digital certificate is basically a collection of identifying information bound together with a public key and signed by a trusted third party to prove its authenticity. A digital certificate can be one of a number of different formats.

PGP recognizes two different certificate formats:

  • PGP certificates
  • X.509 certificates

PGP certificate format
A PGP certificate includes (but is not limited to) the following information:

  • The PGP version number — this identifies which version of PGP was used to create the key associated with the certificate.
  • The certificate holder's public key — the public portion of your key pair, together with the algorithm of the key: RSA, DH (Diffie-Hellman), or DSA (Digital Signature Algorithm).
  • The certificate holder's information — this consists of "identity" information about the user, such as his or her name, user ID, photograph, and so on.
  • The digital signature of the certificate owner — also called a self-signature, this is the signature using the corresponding private key of the public key associated with the certificate.
  • The certificate's validity period — the certificate's start date/time and expiration date/time; indicates when the certificate will expire.
  • The preferred symmetric encryption algorithm for the key — indicates the encryption algorithm to which the certificate owner prefers to have information encrypted. The supported algorithms are CAST, IDEA or Triple-DES.
You might think of a PGP certificate as a public key with one or more labels tied to it (see Figure 1-9). On these 'labels' you'll find information identifying the owner of the key and a signature of the key's owner, which states that the key and the identification go together. (This particular signature is called a self-signature; every PGP certificate contains a self-signature.)

One unique aspect of the PGP certificate format is that a single certificate can contain multiple signatures. Several or many people may sign the key/identification pair to attest to their own assurance that the public key definitely belongs to the specified owner. If you look on a public certificate server, you may notice that certain certificates, such as that of PGP's creator, Phil Zimmermann, contain many signatures.

Some PGP certificates consist of a public key with several labels, each of which contains a different means of identifying the key's owner (for example, the owner's name and corporate email account, the owner's nickname and home email account, a photograph of the owner — all in one certificate). The list of signatures of each of those identities may differ; signatures attest to the authenticity that one of the labels belongs to the public key, not that all the labels on the key are authentic. (Note that 'authentic' is in the eye of its beholder — signatures are opinions, and different people devote different levels of due diligence in checking authenticity before signing a key.)


Figure 1-9. A PGP certificate

X.509 certificate format
X.509 is another very common certificate format. All X.509 certificates comply with the ITU-T X.509 international standard; thus (theoretically) X.509 certificates created for one application can be used by any application complying with X.509. In practice, however, different companies have created their own extensions to X.509 certificates, not all of which work together.

A certificate requires someone to validate that a public key and the name of the key's owner go together. With PGP certificates, anyone can play the role of validator. With X.509 certificates, the validator is always a Certification Authority or someone designated by a CA. (Bear in mind that PGP certificates also fully support a hierarchical structure using a CA to validate certificates.)

An X.509 certificate is a collection of a standard set of fields containing information about a user or device and their corresponding public key. The X.509 standard defines what information goes into the certificate, and describes how to encode it (the data format). All X.509 certificates have the following data:

  • The X.509 version number — this identifies which version of the X.509 standard applies to this certificate, which affects what information can be specified in it. The most current is version 3.
  • The certificate holder's public key — the public key of the certificate holder, together with an algorithm identifier which specifies which cryptosystem the key belongs to and any associated key parameters.
  • The serial number of the certificate — the entity (application or person) that created the certificate is responsible for assigning it a unique serial number to distinguish it from other certificates it issues. This information is used in numerous ways; for example when a certificate is revoked, its serial number is placed in a Certificate Revocation List or CRL.
  • The certificate holder's unique identifier (or DN, distinguished name) — this name is intended to be unique across the Internet. A DN consists of multiple subsections and may look something like this:

    CN=Bob Allen, OU=Total Network Security Division,O=Network Associates, Inc., C=US

    (These refer to the subject's Common Name, Organizational Unit, Organization, and Country. Note that in the string form of a DN the comma is the field separator, so the comma inside "Network Associates, Inc." has to be escaped when the DN is written out, or the name is split into the wrong fields.)

  • The certificate's validity period — the certificate's start date/time and expiration date/time; indicates when the certificate will expire.
  • The unique name of the certificate issuer — the unique name of the entity that signed the certificate. This is normally a CA. Using the certificate implies trusting the entity that signed this certificate. (Note that in some cases, such as root or top-level CA certificates, the issuer signs its own certificate.)
  • The digital signature of the issuer — the signature using the private key of the entity that issued the certificate.
  • The signature algorithm identifier — identifies the algorithm used by the CA to sign the certificate.
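A parser for the string form of the distinguished name shown in the list above, added here as an example; it is not code from the PGP documentation or from Network Associates. The string syntax of RFC 4514 is assumed: commas separate components, a backslash escapes the next character. The parser handles those escapes and rejects a component that has no attribute type, but does not implement the "+" multi-valued RDN syntax or hex escapes. Both sample DNs are constructed: the first is the page's example with the comma in the organization name escaped, the second is the example exactly as the page prints it, which a naive split on commas turns into a bogus fifth field.

```python
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a string-form DN into (attribute, value) pairs in the order written.
    A backslash escapes the following character, so a comma inside a value is
    written as backslash-comma. A component without "=" raises ValueError rather
    than being silently dropped or glued onto its neighbour."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma: end of component
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed DN component: {part.strip()!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_is_well_formed(dn: str) -> bool:
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs structurally rather than as raw strings: same components in
    the same order, attribute types and values compared case-insensitively with
    runs of whitespace collapsed. Matching names by plain string equality is how
    an issuer or subject check ends up accepting or rejecting the wrong name."""
    def norm(pairs: list[tuple[str, str]]) -> list[tuple[str, str]]:
        return [(t, " ".join(v.split()).casefold()) for t, v in pairs]
    return norm(parse_dn(a)) == norm(parse_dn(b))


# Constructed sample DNs (see the lead-in).
ESCAPED = "CN=Bob Allen, OU=Total Network Security Division, O=Network Associates\\, Inc., C=US"
UNESCAPED = "CN=Bob Allen, OU=Total Network Security Division, O=Network Associates, Inc., C=US"

if __name__ == "__main__":
    print(parse_dn(ESCAPED))
    print(dn_is_well_formed(UNESCAPED))   # False: "Inc." is left without an attribute type
    print(dn_equal(ESCAPED, "cn=bob allen,ou=total network security division,o=network associates\\, inc.,c=us"))
```

The practical point is the second sample: the DN as printed on the page is ambiguous as a string, and software that splits it on commas will see five fields, one of them nameless. Certificate fields are compared structurally from the ASN.1 encoding, not from strings like these, and any tooling that reconstructs a DN from text must escape as the parser above expects.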
There are many differences between an X.509 certificate and a PGP certificate, but the most salient are as follows:
  • you can create your own PGP certificate; you must request and be issued an X.509 certificate from a Certification Authority
  • X.509 certificates natively support only a single name for the key's owner
  • X.509 certificates support only a single digital signature to attest to the key's validity
To obtain an X.509 certificate, you must ask a CA to issue you a certificate. You provide your public key, proof that you possess the corresponding private key, and some specific information about yourself. You then digitally sign the information and send the whole package — the certificate request — to the CA. The CA then performs some due diligence in verifying that the information you provided is correct, and if so, generates the certificate and returns it.

You might think of an X.509 certificate as looking like a standard paper certificate (similar to one you might have received for completing a class in basic First Aid) with a public key taped to it. It has your name and some information about you on it, plus the signature of the person who issued it to you.


Figure 1-10. An X.509 certificate

Probably the most widely visible use of X.509 certificates today is in web browsers.

Validity and trust

Every user in a public key system is vulnerable to mistaking a phony key (certificate) for a real one. Validity is confidence that a public key certificate belongs to its purported owner. Validity is essential in a public key environment where you must constantly establish whether or not a particular certificate is authentic.

When you've assured yourself that a certificate belonging to someone else is valid, you can sign the copy on your keyring to attest to the fact that you've checked the certificate and that it's an authentic one. If you want others to know that you gave the certificate your stamp of approval, you can export the signature to a certificate server so that others can see it.

As described in the section Public Key Infrastructures, some companies designate one or more Certification Authorities (CAs) to indicate certificate validity. In an organization using a PKI with X.509 certificates, it is the job of the CA to issue certificates to users — a process which generally entails responding to a user's request for a certificate. In an organization using PGP certificates without a PKI, it is the job of the CA to check the authenticity of all PGP certificates and then sign the good ones. Basically, the main purpose of a CA is to bind a public key to the identification information contained in the certificate and thus assure third parties that some measure of care was taken to ensure that this binding of the identification information and key is valid.

The CA is the Grand Pooh-bah of validation in an organization; someone whom everyone trusts, and in some organizations, like those using a PKI, no certificate is considered valid unless it has been signed by a trusted CA.

Checking validity

One way to establish validity is to go through some manual process. There are several ways to accomplish this. You could require your intended recipient to physically hand you a copy of his or her public key. But this is often inconvenient and inefficient.

Another way is to manually check the certificate's fingerprint. Just as every human's fingerprints are unique, every PGP certificate's fingerprint is unique. The fingerprint is a hash of the certificate's public key material and appears as one of the certificate's properties. In PGP, the fingerprint can appear as a hexadecimal number or a series of so-called biometric words, which are phonetically distinct and are used to make the fingerprint identification process a little easier.

You can check that a certificate is valid by calling the key's owner (so that you originate the transaction) and asking the owner to read his or her key's fingerprint to you and verifying that fingerprint against the one you believe to be the real one. Compare the whole fingerprint, not just the short key ID: a key ID is only the last few bytes of the fingerprint, and an attacker can generate a key whose ID matches someone else's. This works if you know the owner's voice, but, how do you manually verify the identity of someone you don't know? Some people put the fingerprint of their key on their business cards for this very reason.
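As an added example (not code from the original page), the fingerprint computation for a version 4 OpenPGP public key as RFC 4880 defines it: SHA-1 over a 0x99 byte, the two-byte length of the key packet body, and the body itself, with the 64-bit key ID being the low-order eight bytes. Alongside it are the display form in groups of four hex digits that PGP shows and people read over the phone, and a comparison routine for checking what you were told against what your keyring shows. The key parameters are constructed values, not a real key.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then the big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def v4_public_key_body(created: int, algorithm: int, *numbers: int) -> bytes:
    """Body of a version 4 public-key packet: version byte, creation time, algorithm id,
    then the key's MPIs (for RSA: n and e)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algorithm]) + b"".join(mpi(x) for x in numbers)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes (16 hex digits) of the fingerprint."""
    return fingerprint[-16:]


def display(fingerprint: str) -> str:
    """The groups of four hex digits that PGP shows and that get read aloud or printed on cards."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def fingerprints_match(expected: str, observed: str) -> bool:
    """Compare the fingerprint the owner gave you with the one on your keyring.
    Spacing and case are ignored; the comparison itself is constant-time."""
    def canon(s: str) -> bytes:
        return "".join(s.split()).upper().encode()
    return hmac.compare_digest(canon(expected), canon(observed))


# Constructed sample: an RSA key (algorithm id 1) with made-up parameters, created 2000-01-01.
SAMPLE_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
SAMPLE_E = 65537
SAMPLE_KEY = v4_public_key_body(946684800, 1, SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    fp = v4_fingerprint(SAMPLE_KEY)
    print(display(fp))
    print("key ID:", key_id(fp))
    print(fingerprints_match(fp, display(fp).lower()))   # True: same digits, different layout
```

Because the creation time and the algorithm are hashed along with the key material, two keys with identical numbers but different creation times have different fingerprints, which the test below checks. The SHA-1 here is what the version 4 format specifies; newer key formats use SHA-256, and that is a separate matter from whether SHA-1 is still safe for signing.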

Another way to establish validity of someone's certificate is to trust that a third individual has gone through the process of validating it.

A CA, for example, is responsible for ensuring that, prior to issuing a certificate, it carefully checks that the public key portion really belongs to the purported owner. Anyone who trusts the CA will automatically consider any certificates signed by the CA to be valid.

Another aspect of checking validity is to ensure that the certificate has not been revoked. For more information, see the section Certificate Revocation.

Establishing trust

You validate certificates. You trust people. More specifically, you trust people to validate other people's certificates. Typically, unless the owner hands you the certificate, you have to go by someone else's word that it is valid.

Meta and trusted introducers
In most situations, people completely trust the CA to establish certificates' validity. This means that everyone else relies upon the CA to go through the whole manual validation process for them. This is fine up to a certain number of users or number of work sites, and then it is not possible for the CA to maintain the same level of quality validation. In that case, adding other validators to the system is necessary.

A CA can also be a meta-introducer. A meta-introducer bestows not only validity on keys, but bestows the ability to trust keys upon others. Similar to the king who hands his seal to his trusted advisors so they can act on his authority, the meta-introducer enables others to act as trusted introducers. These trusted introducers can validate keys to the same effect as that of the meta-introducer. They cannot, however, create new trusted introducers.

Meta-introducer and trusted introducer are PGP terms. In an X.509 environment, the meta-introducer is called the root Certification Authority (root CA) and trusted introducers subordinate Certification Authorities.

The root CA uses the private key associated with a special certificate type called a root CA certificate to sign certificates. Any certificate signed by the root CA is viewed as valid by anyone who trusts the root CA certificate. This validation process works even for certificates signed by other CAs in the system — as long as the root CA certificate signed the subordinate CA's certificate, any certificate signed by that subordinate CA is considered valid to others within the hierarchy. This process of checking back up through the system to see who signed whose certificate is called tracing a certification path or certification chain.

Trust models

In relatively closed systems, such as within a small company, it is easy to trace a certification path back to the root CA. However, users must often communicate with people outside of their corporate environment, including some whom they have never met, such as vendors, customers, clients, associates, and so on. Establishing a line of trust to those who have not been explicitly trusted by your CA is difficult.

Companies follow one or another trust model, which dictates how users will go about establishing certificate validity. There are three different models:

  • Direct Trust
  • Hierarchical Trust
  • A Web of Trust
Direct Trust
Direct trust is the simplest trust model. In this model, a user trusts that a key is valid because he or she knows where it came from. All cryptosystems use this form of trust in some way. For example, in web browsers, the root Certification Authority keys are directly trusted because they were shipped by the manufacturer. If there is any form of hierarchy, it extends from these directly trusted certificates.

In PGP, a user who validates keys herself and never sets another certificate to be a trusted introducer is using direct trust.


Figure 1-11. Direct trust

Hierarchical Trust
In a hierarchical system, there are a number of "root" certificates from which trust extends. These certificates may certify certificates themselves, or they may certify certificates that certify still other certificates down some chain. Consider it as a big trust "tree." The "leaf" certificate's validity is verified by tracing backward from its certifier, to other certifiers, until a directly trusted root certificate is found.


Figure 1-12. Hierarchical trust

Web of Trust
A web of trust encompasses both of the other models, but also adds the notion that trust is in the eye of the beholder (which is the real-world view) and the idea that more information is better. It is thus a cumulative trust model. A certificate might be trusted directly, or trusted in some chain going back to a directly trusted root certificate (the meta-introducer), or by some group of introducers.

Perhaps you've heard of the term six degrees of separation, which suggests that any person in the world can determine some link to any other person in the world using six or fewer other people as intermediaries. This is a web of introducers.

It is also the PGP view of trust. PGP uses digital signatures as its form of introduction. When any user signs another's key, he or she becomes an introducer of that key. As this process goes on, it establishes a web of trust.

In a PGP environment, any user can act as a certifying authority. Any PGP user can validate another PGP user's public key certificate. However, such a certificate is only valid to another user if the relying party recognizes the validator as a trusted introducer. (That is, you trust my opinion that others' keys are valid only if you consider me to be a trusted introducer. Otherwise, my opinion on other keys' validity is moot.)

Stored on each user's public keyring are indicators of

  • whether or not the user considers a particular key to be valid
  • the level of trust the user places in the key's owner as a certifier of others' keys
You indicate, on your copy of my key, whether you think my judgement counts. It's really a reputation system: certain people are reputed to give good signatures, and people trust them to attest to other keys' validity.

Levels of trust in PGP
The highest level of trust in a key, implicit trust, is trust in your own key pair. PGP assumes that if you own the private key, you must trust the actions of its related public key. Any keys signed by your implicitly trusted key are valid.

There are three levels of trust you can assign to someone else's public key:

  • Complete trust
  • Marginal trust
  • No trust (or Untrusted)
To make things confusing, there are also three levels of validity:
  • Valid
  • Marginally valid
  • Invalid
To define another's key as a trusted introducer, you
  1. Start with a valid key, one that is either
    • signed by you or
    • signed by another trusted introducer
    and then
  2. Set the level of trust you feel the key's owner is entitled to.

For example, suppose your key ring contains Alice's key. You have validated Alice's key and you indicate this by signing it. You know that Alice is a real stickler for validating others' keys. You therefore assign her key Complete trust. This makes Alice a Certification Authority. If Alice signs another's key, it appears as Valid on your keyring.

PGP requires one Completely trusted signature or two Marginally trusted signatures to establish a key as valid. PGP's method of considering two Marginals equal to one Complete is similar to a merchant asking for two forms of ID. You might consider Alice fairly trustworthy and also consider Bob fairly trustworthy. Either one alone runs the risk of accidentally signing a counterfeit key, so you might not place complete trust in either one. However, the odds that both individuals signed the same phony key are probably small.
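The validity rules above (one Complete or two Marginal signatures, counting only signatures from introducers whose own key is already Valid) as an added worked example; this is illustrative code written for this page, not PGP's implementation, and the keyring contents, key names and trust assignments are constructed.

```python
from enum import IntEnum

class Trust(IntEnum):
    NONE = 0       # Untrusted
    MARGINAL = 1
    COMPLETE = 2
    IMPLICIT = 3   # your own key pair

class Validity(IntEnum):
    INVALID = 0
    MARGINAL = 1
    VALID = 2

def compute_validity(trust, signatures, marginals_needed=2):
    """trust: {key_id: Trust} recorded on your keyring (unlisted keys are
    Untrusted). signatures: {key_id: set of signer key_ids}. Returns
    {key_id: Validity}. A signature counts only if the signer's own key is
    Valid, since a trusted introducer must start from a valid key."""
    keys = set(trust) | set(signatures) | {s for v in signatures.values() for s in v}
    validity = {k: Validity.VALID if trust.get(k) == Trust.IMPLICIT
                else Validity.INVALID for k in keys}
    changed = True
    while changed:                      # iterate until no key changes state
        changed = False
        for key in keys:
            if validity[key] == Validity.VALID:
                continue
            levels = [trust.get(s, Trust.NONE) for s in signatures.get(key, ())
                      if validity[s] == Validity.VALID]   # valid introducers only
            complete = sum(1 for lv in levels if lv >= Trust.COMPLETE)
            marginal = sum(1 for lv in levels if lv == Trust.MARGINAL)
            new = (Validity.VALID if complete >= 1 or marginal >= marginals_needed
                   else Validity.MARGINAL if marginal >= 1 else Validity.INVALID)
            if new != validity[key]:
                validity[key], changed = new, True
    return validity

def example_keyring():
    """Constructed sample keyring (not from the PGP documentation)."""
    trust = {"me": Trust.IMPLICIT, "alice": Trust.COMPLETE,
             "bob": Trust.MARGINAL, "carol": Trust.MARGINAL,
             "frank": Trust.COMPLETE}          # frank: trusted but not yet Valid
    signatures = {"alice": {"me"}, "bob": {"me"}, "carol": {"me"},
                  "dave": {"alice"}, "eve": {"bob", "carol"},
                  "frank": {"bob"}, "grace": {"dave"}, "heidi": {"frank"}}
    return trust, signatures
```

Note that heidi ends up Invalid even though frank's key carries Complete trust: frank is only marginally valid (one Marginal signature), so his signature does not count until his key itself becomes Valid.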

Certificate Revocation

Certificates are only useful while they are valid. It is unsafe to simply assume that a certificate is valid forever. In most organizations and in all PKIs, certificates have a restricted lifetime. This constrains the period in which a system is vulnerable should a certificate compromise occur.

Certificates are thus created with a scheduled validity period: a start date/time and an expiration date/time. The certificate is expected to be usable for its entire validity period (its lifetime). When the certificate expires, it will no longer be valid, as the authenticity of its key/identification pair is no longer assured. (The certificate can still be safely used to reconfirm information that was encrypted or signed within the validity period — it should not be trusted for cryptographic tasks moving forward, however.)

There are also situations where it is necessary to invalidate a certificate prior to its expiration date, such as when the certificate holder terminates employment with the company or suspects that the certificate's corresponding private key has been compromised. This is called revocation. A revoked certificate is much more suspect than an expired certificate. Expired certificates are unusable, but do not carry the same threat of compromise as a revoked certificate.

Anyone who has signed a certificate can revoke his or her signature on the certificate (provided he or she uses the same private key that created the signature). A revoked signature indicates that the signer no longer believes the public key and identification information belong together, or that the certificate's public key (or corresponding private key) has been compromised. A revoked signature should carry nearly as much weight as a revoked certificate.

With X.509 certificates, a revoked signature is practically the same as a revoked certificate, given that the only signature on the certificate is the one that made it valid in the first place — the signature of the CA. PGP certificates provide the added feature that you can revoke your entire certificate (not just the signatures on it) if you yourself feel that the certificate has been compromised.

Only the certificate's owner (the holder of its corresponding private key) or someone whom the certificate's owner has designated as a revoker can revoke a PGP certificate. (Designating a revoker is a useful practice, as it's often the loss of the passphrase for the certificate's corresponding private key that leads a PGP user to revoke his or her certificate — a task that is only possible if one has access to the private key.) Only the certificate's issuer can revoke an X.509 certificate.

Communicating that a certificate has been revoked

When a certificate is revoked, it is important to make potential users of the certificate aware that it is no longer valid. With PGP certificates, the most common way to communicate that a certificate has been revoked is to post it on a certificate server so others who may wish to communicate with you are warned not to use that public key.

In a PKI environment, communication of revoked certificates is most commonly achieved via a data structure called a Certificate Revocation List, or CRL, which is published by the CA. The CRL contains a time-stamped, validated list of all revoked, unexpired certificates in the system. Revoked certificates remain on the list only until they expire, then they are removed from the list — this keeps the list from getting too long.

The CA distributes the CRL to users at some regularly scheduled interval (and potentially off-cycle, whenever a certificate is revoked). Theoretically, this will prevent users from unwittingly using a compromised certificate. It is possible, though, that there may be a time period between CRLs in which a newly compromised certificate is used.

What is a passphrase?

Most people are familiar with restricting access to computer systems via a password, which is a unique string of characters that a user types in as an identification code.

A passphrase is a longer version of a password, and in theory, a more secure one. Typically composed of multiple words, a passphrase is more secure against standard dictionary attacks, wherein the attacker tries all the words in the dictionary in an attempt to determine your password. The best passphrases are relatively long and complex and contain a combination of upper and lowercase letters, numeric and punctuation characters.

PGP uses a passphrase to encrypt your private key on your machine. Your private key is encrypted on your disk using a hash of your passphrase as the secret key. You use the passphrase to decrypt and use your private key. A passphrase should be hard for you to forget and difficult for others to guess. It should be something already firmly embedded in your long-term memory, rather than something you make up from scratch. Why? Because if you forget your passphrase, you are out of luck. Your private key is totally and absolutely useless without your passphrase and nothing can be done about it. Remember the quote earlier in this chapter? PGP is cryptography that will keep major governments out of your files. It will certainly keep you out of your files, too. Keep that in mind when you decide to change your passphrase to the punchline of that joke you can never quite remember.

Key splitting

They say that a secret is not a secret if it is known to more than one person. Sharing a private key pair poses such a problem. While it is not a recommended practice, sharing a private key pair is necessary at times. Corporate Signing Keys, for example, are private keys used by a company to sign — for example — legal documents, sensitive personnel information, or press releases to authenticate their origin. In such a case, it is worthwhile for multiple members of the company to have access to the private key. However, this means that any single individual can act fully on behalf of the company.

In such a case it is wise to split the key among multiple people in such a way that more than one or two people must present a piece of the key in order to reconstitute it to a usable condition. If too few pieces of the key are available, then the key is unusable.

Some examples are to split a key into three pieces and require two of them to reconstitute the key, or split it into two pieces and require both pieces. If a secure network connection is used during the reconstitution process, the key's shareholders need not be physically present in order to rejoin the key.
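The threshold splitting described above (three pieces, any two of which reconstitute the key) as an added example using Shamir's secret sharing over a prime field; this is illustrative code written for this page, not PGP's own key-splitting implementation, and the "private key" bytes are a constructed sample.

```python
import secrets

PRIME = 2**127 - 1   # all share arithmetic is done modulo this prime

def split_key(secret: int, threshold: int, shares: int) -> list:
    """Split `secret` into `shares` pieces (x, y); any `threshold` of them
    reconstitute it. The secret is the constant term of a random polynomial
    of degree threshold-1, and each piece is one point on that polynomial."""
    if not (0 <= secret < PRIME and 1 <= threshold <= shares):
        raise ValueError("secret must be < PRIME and 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    def poly(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME
    return [(x, poly(x)) for x in range(1, shares + 1)]

def reconstitute(pieces: list) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given pieces.
    With fewer than `threshold` pieces the result is just a random field
    element, so too few shareholders learn nothing about the key."""
    total = 0
    for i, (xi, yi) in enumerate(pieces):
        num = den = 1
        for j, (xj, _) in enumerate(pieces):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def demo_two_of_three(key_bytes: bytes = b"constructed-key") -> bool:
    """Split a constructed 15-byte 'private key' 2-of-3 and check that every
    pair of shareholders, but no single one, can rejoin it."""
    secret = int.from_bytes(key_bytes, "big")
    s = split_key(secret, threshold=2, shares=3)
    pairs = [(s[0], s[1]), (s[0], s[2]), (s[1], s[2])]
    every_pair_works = all(reconstitute(list(p)) == secret for p in pairs)
    single_fails = all(reconstitute([p]) != secret for p in s)
    return every_pair_works and single_fails
```

A real key would first be encoded as an integer (or split chunk by chunk) below PRIME; the field size here fits a 15-byte sample only.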
