How PGP works (2024)

Thisintroduction is available on-line at http://www.pgpi.org/doc/pgpintro/

How PGP works

Thefollowing text is taken from chapter 1 of the document Introductionto Cryptographyin the PGP 6.5.1 documentation. Copyright © 1990-1999 NetworkAssociates, Inc. and its Affiliated Companies. All Rights Reserved.Converted from PDF to HTML at http://access.adobe.com/and then manually edited by hand.

• The Basics of Cryptography
  • Encryption and decryption
  • What is cryptography?
    • Strong cryptography
    • How does cryptography work?
  • Conventional cryptography
    • Caesar's Cipher
    • Key management and conventional encryption
  • Public key cryptography
  • How PGP works
  • Keys
  • Digital signatures
    • Hash functions
  • Digital certificates
    • Certificate distribution
    • Certificate formats
  • Validity and trust
    • Checking validity
    • Establishing trust
    • Trust models
  • Certificate Revocation
    • Communicating that a certificate has been revoked
  • What is a passphrase?
  • Key splitting

TheBasics of Cryptography

When Julius Caesarsent messages to his generals, he didn't trust his messengers. So hereplaced every A in his messages with a D, every B with an E, and so onthrough the alphabet. Only someone who knew the "shift by 3" rule coulddecipher his messages.

And so webegin.

Encryptionand decryption

Figure 1-1.Encryption and decryption

Whatis cryptography?

Whilecryptography is the science of securing data, cryptanalysis isthe science of analyzing and breaking secure communication. Classicalcryptanalysis involves an interesting combination of analyticalreasoning, application of mathematical tools, pattern finding,patience, determination, and luck. Cryptanalysts are also called attackers.

Cryptology embracesboth cryptography and cryptanalysis.

Strongcryptography

--BruceSchneier, Applied Cryptography: Protocols, Algorithms, and Source Codein C.

PGP is alsoabout the latter sort of cryptography. Cryptography can be strong or weak, as explained above. Cryptographic strength ismeasured in the time and resources it would require to recover theplaintext. The result of strong cryptography is ciphertextthat is very difficult to decipher without possession of theappropriate decoding tool. How difficult? Given all of today'scomputing power and available time — even a billion computers doing abillion checks a second — it is not possible to decipher the result ofstrong cryptography before the end of the universe.

One wouldthink, then, that strong cryptography would hold up rather well againsteven an extremely determined cryptanalyst. Who's really to say? No onehas proven that the strongest encryption obtainable today will hold upunder tomorrow's computing power. However, the strong cryptographyemployed by PGP is the best available today. Vigilance and conservatismwill protect you better, however, than claims of impenetrability.

Howdoes cryptography work?

A cryptographicalgorithm, plus all possible keys and all the protocols that make itwork comprise a cryptosystem. PGP is a cryptosystem.

Conventionalcryptography

Figure 1-2.Conventional encryption

Caesar'sCipher

For example, ifwe encode the word "SECRET" using Caesar's key value of 3, we offsetthe alphabet so that the 3rd letter down (D) begins the alphabet.

So starting with

ABCDEFGHIJKLMNOPQRSTUVWXYZ

and slidingeverything up by 3, you get

DEFGHIJKLMNOPQRSTUVWXYZABC

where D=A, E=B,F=C, and so on.

Using thisscheme, the plaintext, "SECRET" encrypts as "VHFUHW." To allow someoneelse to read the ciphertext, you tell them that the key is 3.

Obviously, thisis exceedingly weak cryptography by today's standards, but hey, itworked for Caesar, and it illustrates how conventional cryptographyworks.

Keymanagement and conventional encryption

Recall acharacter from your favorite spy movie: the person with a lockedbriefcase handcuffed to his or her wrist. What is in the briefcase,anyway? It's probably not the missile launch code/ biotoxin formula/invasion plan itself. It's the key that will decrypt thesecret data.

For a senderand recipient to communicate securely using conventional encryption,they must agree upon a key and keep it secret between themselves. Ifthey are in different physical locations, they must trust a courier,the Bat Phone, or some other secure communication medium to prevent thedisclosure of the secret key during transmission. Anyone who overhearsor intercepts the key in transit can later read, modify, and forge allinformation encrypted or authenticated with that key. From DES toCaptain Midnight's Secret Decoder Ring, the persistent problem withconventional encryption is key distribution: how do you getthe key to the recipient without someone intercepting it?

Publickey cryptography

Public keycryptography is an asymmetric scheme that uses a pair of keysfor encryption: a public key, which encrypts data, and acorresponding private, or secret key for decryption.Youpublishyour public keytotheworldwhile keeping your private keysecret. Anyone with a copy of your public key can then encryptinformation that only you can read. Even people you have never met.

It iscomputationally infeasible to deduce the private key from the publickey. Anyone who has a public key can encrypt information but cannotdecrypt it. Only the person who has the corresponding private key candecrypt the information.

Figure 1-3.Public key encryption

The primarybenefit of public key cryptography is that it allows people who have nopreexisting security arrangement to exchange messages securely. Theneed for sender and receiver to share secret keys via some securechannel is eliminated; all communications involve only public keys, andno private key is ever transmitted or shared. Some examples ofpublic-key cryptosystems are Elgamal (named for its inventor, TaherElgamal), RSA (named for its inventors, Ron Rivest, Adi Shamir, andLeonard Adleman), Diffie-Hellman (named, you guessed it, for itsinventors), and DSA, the Digital Signature Algorithm (invented by DavidKravitz).

Becauseconventional cryptography was once the only available means forrelaying secret information, the expense of secure channels and keydistribution relegated its use only to those who could afford it, suchas governments and large banks (or small children with secret decoderrings). Public key encryption is the technological revolution thatprovides strong cryptography to the adult masses. Remember the courierwith the locked briefcase handcuffed to his wrist? Public-keyencryption puts him out of business (probably to his relief).

HowPGP works

PGP thencreates a session key, which is a one-time-only secret key.This key is a random number generated from the random movements of yourmouse and the keystrokes you type. This session key works with a verysecure, fast conventional encryption algorithm to encrypt theplaintext; the result is ciphertext. Once the data is encrypted, thesession key is then encrypted to the recipient's public key. Thispublic key-encrypted session key is transmitted along with theciphertext to the recipient.

Figure 1-4. HowPGP encryption works

Decryptionworks in the reverse. The recipient's copy of PGP uses his or herprivate key to recover the temporary session key, which PGP then usesto decrypt the conventionally-encrypted ciphertext.

Figure 1-5. HowPGP decryption works

The combinationof the two encryption methods combines the convenience of public keyencryption with the speed of conventional encryption. Conventionalencryption is about 1, 000 times faster than public key encryption.Public key encryption in turn provides a solution to key distributionand data transmission issues. Used together, performance and keydistribution are improved without any sacrifice in security.

Keys

However, publickey size and conventional cryptography's secret key size are totallyunrelated. A conventional 80-bit key has the equivalent strength of a1024-bit public key. A conventional 128-bit key is equivalent to a3000-bit public key. Again, the bigger the key, the more secure, butthe algorithms used for each type of cryptography are very differentand thus comparison is like that of apples to oranges.

While thepublic and private keys are mathematically related, it's very difficultto derive the private key given only the public key; however, derivingthe private key is always possible given enough time and computingpower. This makes it very important to pick keys of the right size;large enough to be secure, but small enough to be applied fairlyquickly. Additionally, you need to consider who might be trying to readyour files, how determined they are, how much time they have, and whattheir resources might be.

Larger keyswill be cryptographically secure for a longer period of time. If whatyou want to encrypt needs to be hidden for many years, you might wantto use a very large key. Of course, who knows how long it will take todetermine your key using tomorrow's faster, more efficient computers?There was a time when a 56-bit symmetric key was considered extremelysafe.

Keys are storedin encrypted form. PGP stores the keys in two files on your hard disk;one for public keys and one for private keys. These files are called keyrings. As you use PGP, you will typically add the public keys ofyour recipients to your public keyring. Your private keys are stored onyour private keyring. If you lose your private keyring, you will beunable to decrypt any information encrypted to keys on that ring.

Digitalsignatures

A digitalsignature serves the same purpose as a handwritten signature. However,a handwritten signature is easy to counterfeit. A digital signature issuperior to a handwritten signature in that it is nearly impossible tocounterfeit, plus it attests to the contents of the information as wellas to the identity of the signer.

Some peopletend to use signatures more than they use encryption. For example, youmay not care if anyone knows that you just deposited $1000 in youraccount, but you do want to be darn sure it was the bank teller youwere dealing with.

The basicmanner in which digital signatures are created is illustrated in Figure1-6.Instead of encrypting information using someone else's public key, youencrypt it with your private key. If the information can be decryptedwith your public key, then it must have originated with you.

Figure 1-6.Simple digital signatures

Hashfunctions

PGP uses acryptographically strong hash function on the plaintext the user issigning. This generates a fixed-length data item known as a messagedigest. (Again, any change to the information results in a totallydifferent digest.)

Then PGP usesthe digest and the private key to create the "signature." PGP transmitsthe signature and the plaintext together. Upon receipt of the message,the recipient uses PGP to recompute the digest, thus verifying thesignature. PGP can encrypt the plaintext or not; signing plaintext isuseful if some of the recipients are not interested in or capable ofverifying the signature.

As long as asecure hash function is used, there is no way to take someone'ssignature from one document and attach it to another, or to alter asigned message in any way. The slightest change in a signed documentwill cause the digital signature verification process to fail.

Figure 1-7.Secure digital signatures

Digitalsignatures play a major role in authenticating and validating otherPGP users' keys.

Digitalcertificates

In a public keyenvironment, it is vital that you are assured that the public key towhich you are encrypting data is in fact the public key of the intendedrecipient and not a forgery. You could simply encrypt only to thosekeys which have been physically handed to you. But suppose you need toexchange information with people you have never met; how can you tellthat you have the correct key?

Digitalcertificates, or certs, simplify the task of establishingwhether a public key truly belongs to the purported owner.

A certificateis a form of credential. Examples might be your driver's license, yoursocial security card, or your birth certificate. Each of these has someinformation on it identifying you and some authorization stating thatsomeone else has confirmed your identity. Some certificates, such asyour passport, are important enough confirmation of your identity thatyou would not want to lose them, lest someone use them to impersonateyou.

A digitalcertificate is data that functions much like a physical certificate. Adigital certificate is information included with a person's public keythat helps others verify that a key is genuine or valid. Digitalcertificates are used to thwart attempts to substitute one person's keyfor another.

A digitalcertificate consists of three things:

• A publickey.
• Certificate information. ("Identity" information about theuser, such as name, user ID, and so on.)
• One or more digital signatures.

Thus, acertificate is basically a public key with one or two forms of IDattached, plus a hearty stamp of approval from some other trustedindividual.

Figure 1-8.Anatomy of a PGP certificate

Certificatedistribution

Certificateservers
A certificate server, also calledacert server or a keyserver, is a database that allows users to submit and retrievedigital certificates. A cert server usually provides someadministrative features that enable a company to maintain its securitypolicies — for example, allowing only those keys that meet certainrequirements to be stored.

PublicKey Infrastructures
A PKI contains the certificate storage facilities of a certificateserver, but also provides certificate management facilities (theability to issue, revoke, store, retrieve, and trust certificates). Themain feature of a PKI is the introduction of what is known as a CertificationAuthority, orCA, whichisahumanentity — a person, group,department, company, or other association — that an organization hasauthorized to issue certificates to its computer users. (A CA's role isanalogous to a country's government's Passport Office.) A CA createscertificates and digitally signs them using the CA's private key.Because of its role in creating certificates, the CA is the centralcomponent of a PKI. Using the CA's public key, anyone wanting to verifya certificate's authenticity verifies the issuing CA's digitalsignature, and hence, the integrity of the contents of the certificate(most importantly, the public key and the identity of the certificateholder).

Certificateformats

PGP recognizestwo different certificate formats:

• PGPcertificates
• X.509 certificates

PGP certificateformat
A PGP certificate includes (but is not limited to) the followinginformation:

• The PGPversion number — this identifies which version of PGP was used tocreate the key associated with the certificate.
• The certificate holder's public key — the publicportion of your key pair, together with the algorithm of the key: RSA,DH (Diffie-Hellman), or DSA (Digital Signature Algorithm).
• The certificate holder's information — thisconsists of "identity" information about the user, such as his or hername, user ID, photograph, and so on.
• The digital signature of the certificate owner — alsocalled a self-signature, this is the signature using thecorresponding private key of the public key associated with thecertificate.
• The certificate's validity period — thecertificate's start date/ time and expiration date/ time; indicateswhen the certificate will expire.
• The preferred symmetric encryption algorithmfor the key— indicates the encryption algorithm to which the certificateowner prefers to have information encrypted. The supported algorithmsare CAST, IDEA or Triple-DES.

One uniqueaspect of the PGP certificate format is that a single certificate cancontain multiple signatures. Several or many people may sign the key/identification pair to attest to their own assurance that the publickey definitely belongs to the specified owner. If you look on a publiccertificate server, you may notice that certain certificates, such asthat of PGP's creator, Phil Zimmermann, contain many signatures.

Some PGPcertificates consist of a public key with several labels, each of whichcontains a different means of identifying the key's owner (for example,the owner's name and corporate email account, the owner's nickname andhome email account, a photograph of the owner — all in onecertificate). The list of signatures of each of those identities maydiffer; signatures attest to the authenticity that one of the labelsbelongs to the public key, not that all the labels on the key areauthentic. (Note that 'authentic' is in the eye of its beholder —signatures are opinions, and different people devote different levelsof due diligence in checking authenticity before signing a key.)

Figure 1-9. APGP certificate

X.509certificate format
X.509 is another very common certificate format. All X.509certificates comply with the ITU-T X.509 international standard; thus(theoretically) X.509 certificates created for one application can beused by any application complying with X.509. In practice, however,different companies have created their own extensions to X.509certificates, not all of which work together.

Acertificaterequires someone to validate that a public key and the name of thekey's owner go together. With PGP certificates, anyone can play therole of validator. With X.509 certificates, the validator is always aCertification Authority or someone designated by a CA. (Bear in mindthat PGP certificates also fully support a hierarchical structure usinga CA to validate certificates.)

An X.509certificate is a collection of a standard set of fields containinginformation about a user or device and their corresponding public key.The X.509 standard defines what information goes into the certificate,and describes how to encode it (the data format). All X.509certificates have the following data:

• TheX.509 version number — this identifies which version of the X.509standardapplies to this certificate, whichaffects what informationcanbespecified in it. The most current is version 3.
• The certificate holder's public key — the publickey of the certificate holder, together with an algorithm identifierwhich specifies which cryptosystem the key belongs to and anyassociated key parameters.
• The serial number of the certificate — the entity(application or person) that created the certificate is responsible forassigning it a unique serial number to distinguish it from othercertificates it issues. This information is used in numerous ways; forexample when a certificate is revoked, its serial number is placed in a Certificate Revocation List or CRL.
• The certificate holder's unique identifier — (or DN — distinguished name). This name is intended to beunique across the Internet. This name is intended to be unique acrossthe Internet. A DN consists of multiple subsections and may looksomething like this:

  CN=Bob Allen, OU=Total Network Security Division,O=Network Associates, Inc., C=US

  (These refer to the subject's Common Name,Organizational Unit, Organization, and Country.)

• The certificate's validity period — thecertificate's start date/ time and expiration date/ time; indicateswhen the certificate will expire.
• The unique name of the certificate issuer — theunique name of the entity that signed the certificate. This is normallya CA. Using the certificate implies trusting the entity that signedthis certificate. (Note that in some cases, such as root or top-level CA certificates, the issuer signs its own certificate.)
• The digital signature of the issuer — the signatureusing the private key of the entity that issued the certificate.
• The signature algorithm identifier — identifies thealgorithm used by the CA to sign the certificate.

• you cancreate your own PGP certificate; you must request and be issued anX.509 certificate from a Certification Authority
• X.509 certificates natively support only a single name forthe key's owner
• X.509 certificates support only a single digital signatureto attest to the key's validity

You might thinkof an X.509 certificate as looking like a standard paper certificate(similar to one you might have received for completing a class in basicFirst Aid) with a public key taped to it. It has your name and someinformation about you on it, plus the signature of the person whoissued it to you.

Figure 1-10. AnX.509 certificate

Probably themost widely visible use of X.509 certificates today is in web browsers.

Validityand trust

When you'veassured yourself that a certificate belonging to someone else is valid,you can sign the copy on your keyring to attest to the fact that you'vechecked the certificate and that it's an authentic one. If you wantothers to know that you gave the certificate your stamp of approval,you can export the signatureto a certificateserver so that otherscanseeit.

As described inthe section Public Key Infrastructures,some companies designate one or more Certification Authorities (CAs) toindicate certificate validity. In an organization using a PKI withX.509 certificates, it is the job of the CA to issue certificatesto users — a process which generally entails responding to a user'srequest for a certificate. In an organization using PGP certificateswithout a PKI, it is the job of the CA to check the authenticity of allPGP certificates and then sign the good ones. Basically, the mainpurpose of a CA is to bind a public key to the identificationinformation contained in the certificate and thus assure third partiesthat some measure of care was taken to ensure that this binding of theidentification information and key is valid.

The CA is theGrand Pooh-bah of validation in an organization; someone whom everyonetrusts, and in some organizations, like those using a PKI, nocertificate is considered valid unless it has been signed by a trustedCA.

Checkingvalidity

Another way isto manually check the certificate's fingerprint. Just as everyhuman's fingerprints are unique, every PGP certificate's fingerprint isunique. The fingerprint is a hash of the user's certificate and appearsas one of the certificate's properties. In PGP, the fingerprint canappear as a hexadecimal number or a series of so-called biometricwords, which are phonetically distinct and are used to make thefingerprint identification process a little easier.

You can checkthat a certificate is valid by calling the key's owner (so that youoriginate the transaction) and asking the owner to read his or herkey's fingerprint to you and verifying that fingerprint against the oneyou believe to be the real one. This works if you know the owner'svoice, but, how do you manually verify the identity of someone youdon't know? Some people put the fingerprint of their key on theirbusiness cards for this very reason.

Another way toestablish validity of someone's certificate is to trust that athird individual has gone through the process of validating it.

A CA, forexample, is responsible for ensuring that prior to issuing to acertificate, he or she carefully checks it to be sure the public keyportion really belongs to the purported owner. Anyone who trusts the CAwill automatically consider any certificates signed by the CA to bevalid.

Another aspectof checking validity is to ensure that the certificate has not beenrevoked. For more information, see the section CertificateRevocation.

Establishingtrust

Meta andtrusted introducers
In most situations, people completely trust the CA to establishcertificates' validity. This means that everyone else relies upon theCA to go through the whole manual validation process for them. This isfine up to a certain number of users or number of work sites, and thenit is not possible for the CA to maintain the same level of qualityvalidation. In that case, adding other validators to the system isnecessary.

A CA can alsobe a meta-introducer. A meta-introducer bestows not onlyvalidity on keys, but bestows the ability to trust keys uponothers. Similar to the king who hands his seal to his trusted advisorsso they can act on his authority, the meta-introducer enables others toact as trusted introducers. These trusted introducers canvalidate keys to the same effect as that of the meta-introducer. Theycannot, however, create new trusted introducers.

Meta-introducerand trusted introducer are PGP terms. In an X.509 environment, themeta-introducer is called the root Certification Authority (root CA) and trusted introducers subordinate CertificationAuthorities.

The root CAuses the private key associated with a special certificate type calleda root CA certificate to sign certificates. Any certificatesigned by the root CA certificate is viewed as valid by any othercertificate signed by the root. This validation process works even forcertificates signed by other CAs in the system — as long as the root CAcertificate signed the subordinate CA's certificate, any certificatesigned by the CAis considered valid to others within the hierarchy.This process of checking back up through the systemto see who signedwhose certificate is called tracing a certification path or certificationchain.

Trustmodels

Companiesfollowone or another trust model, which dictates how userswill go about establishing certificate validity. There are threedifferent models:

• DirectTrust
• Hierarchical Trust
• A Web of Trust

In PGP, a userwho validates keys herself and never sets another certificate to be atrusted introducer is using direct trust.

Figure 1-11.Direct trust

HierarchicalTrust
In a hierarchical system, there are a number of "root" certificatesfrom which trust extends. These certificates may certify certificatesthemselves, or they may certify certificates that certify still othercertificates down some chain. Consider it as a big trust "tree." The"leaf" certificate's validity is verified by tracing backward from itscertifier, to other certifiers, until a directly trusted rootcertificate is found.

Figure 1-12.Hierarchical trust

Web of Trust
A web of trust encompasses both of the other models, but also adds thenotion that trust is in the eye of the beholder (which is thereal-world view) and the idea that more information is better. It isthus a cumulative trust model. A certificate might be trusted directly,or trusted in some chain going back to a directly trusted rootcertificate (the meta-introducer), or by some group of introducers.

Perhaps you'veheard of the term six degrees of separation, which suggeststhat any person in the world can determine some link to any otherperson in the world using six or fewer other people as intermediaries.This is a web of introducers.

It is also thePGP view of trust. PGP uses digital signatures as its form ofintroduction. When any user signs another's key, he or she becomes anintroducer of that key. As this process goes on, it establishes a webof trust.

In a PGPenvironment, any user can act as a certifying authority. AnyPGP user can validate another PGP user's public key certificate.However, such a certificate is only valid to another user if therelying party recognizes the validator as a trusted introducer. (Thatis, you trust my opinion that others' keys are valid only if youconsider me to be a trusted introducer. Otherwise, my opinion on otherkeys' validity is moot.)

Stored on eachuser's public keyring are indicators of

• whether ornot the user considers a particular key to be valid
• the level of trust the user places on the key that thekey's owner can serve as certifier of others' keys

Levels oftrust in PGP
The highest level of trust in a key, implicit trust, is trustin your own key pair. PGP assumes that if you own the private key, youmust trust the actions of its related public key. Any keys signed byyour implicitly trusted key are valid.

There are threelevels of trust you can assign to someone else's public key:

• Complete trust
• Marginal trust
• Notrust (or Untrusted)

• Valid
• Marginally valid
• Invalid

1. Start witha valid key, one that is either
   • signed by you or
   • signed by another trusted introducer
   and then
2. Set the level of trust you feel the key's owner isentitled.

For example,suppose your key ring contains Alice's key. You have validated Alice'skey and you indicate this by signing it. You know that Alice is a realstickler for validating others' keys. You therefore assign her key withComplete trust. This makes Alice a Certification Authority. If Alicesigns another's key, it appears as Valid on your keyring.

PGP requiresone Completely trusted signature or two Marginally trusted signaturesto establish a key as valid. PGP's method of considering two Marginalsequal to one Complete is similar to a merchant asking for two forms ofID. You might consider Alice fairly trustworthy and also consider Bobfairly trustworthy. Either one alone runs the risk of accidentallysigning a counterfeit key, so you might not place complete trust ineither one. However, the odds that both individuals signed the samephony key are probably small.

CertificateRevocation

Certificatesare thus created with a scheduled validity period: a startdate/time and an expiration date/ time. The certificate is expected tobe usable for its entire validity period (its lifetime). Whenthe certificate expires, it will no longer be valid, as theauthenticity of its key/ identification pair are no longer assured.(The certificate can still be safely used to reconfirm information thatwas encrypted or signed within the validity period — it should not betrusted for cryptographic tasks moving forward, however.)

There are alsosituations where it is necessary to invalidate a certificate prior toits expiration date, such as when an the certificate holder terminatesemployment with the company or suspects that the certificate'scorresponding private key has been compromised. This is called revocation. Arevoked certificate is much more suspect than anexpired certificate. Expired certificates are unusable, but do notcarry the same threat of compromise as a revoked certificate.

Anyone who hassigned a certificate can revoke his or her signature on the certificate(provided he or she uses the same private key that created thesignature). Arevoked signature indicates that the signer no longerbelieves the public key and identification information belong together,or that the certificate's public key (or corresponding private key) hasbeen compromised. A revoked signature should carry nearly as muchweight as a revoked certificate.

With X.509certificates, a revoked signature is practically the same as a revokedcertificate given that the only signature on the certificate is the onethat made it valid in the first place — the signature of the CA. PGPcertificates provide the added feature that you can revoke your entirecertificate (not just the signatures on it) if you yourself feel thatthe certificate has been compromised.

Only thecertificate's owner (the holder of its corresponding private key) orsomeone whom the certificate's owner has designated as arevoker can revoke a PGP certificate. (Designating a revoker is auseful practice, as it's often the loss of the passphrase for thecertificate's corresponding private key that leads a PGP user to revokehis or her certificate — a task that is only possible if one has accessto the private key.) Only the certificate's issuer can revoke an X.509certificate.

Communicatingthat a certificate has been revoked

In a PKIenvironment, communication of revoked certificates is most commonlyachieved via a data structure called a Certificate Revocation List, or CRL, which is published by the CA. The CRLcontains a time-stamped, validated list of all revoked, unexpiredcertificates in the system. Revoked certificates remain on the listonly until they expire, then they are removed from the list — thiskeeps the list from getting too long.

The CAdistributes the CRL to users at some regularly scheduled interval (andpotentially off-cycle, whenever a certificate is revoked).Theoretically, this will prevent users from unwittingly using acompromised certificate. It is possible, though, that there may be atime period between CRLs in which a newly compromised certificate isused.

Whatis a passphrase?

A passphrase is a longer version of a password, and in theory, a moresecure one. Typically composed of multiple words, a passphrase is moresecure against standard dictionary attacks, wherein theattacker tries all the words in the dictionary in an attempt todetermine your password. The best passphrases are relatively long andcomplex and contain a combination of upper and lowercase letters,numeric and punctuation characters.

PGP uses apassphrase to encrypt your private key on your machine. Your privatekey is encrypted on your disk using a hash of your passphrase as thesecret key. You use the passphrase to decrypt and use your private key.A passphrase should be hard for you to forget and difficult for othersto guess. It should be something already firmly embedded in yourlong-term memory, rather than something you make up from scratch. Why?Because if you forget your passphrase, you are out of luck.Your private key is totally and absolutely useless without yourpassphrase and nothing can be done about it. Remember the quote earlierin this chapter? PGP is cryptography that will keep major governmentsout of your files. It will certainly keep you out of your files, too.Keep that in mind when you decide to change your passphrase to thepunchline of that joke you can never quite remember.

Keysplitting

Insucha caseitis wisetosplit the key among multiple people in such a way that morethan one or two people must present a piece of the key in order toreconstitute it to a usable condition. If too few pieces of the key areavailable, then the key is unusable.

Some examplesare to split a key into three pieces and require two of them toreconstitute the key, or split it into two pieces and require bothpieces. If a secure network connection is used during thereconstitution process, the key's shareholders need not be physicallypresent in order to rejoin the key.