PGP Web of trust
How does it work?
by Konstantin Ryabitsev
LinuxCon North America, Chicago, 2014
About me
-
Responsible for the upkeep of the kernel.org web of trust
- I had no idea how the web of trust worked until recently
- Very few people do, even those who use PGP every day
- Let's fix that!
What is Public Key Crypto?
- Symmetric cryptography
- Same key encrypts and decrypts
- Strong
- Fast
- Asymmetric cryptography
- One key encrypts (public key)
- The other key decrypts (private key)
- Depends on some curious math
- Slooooow
Q: Which does PGP use?
- symmetric encryption
- asymmetric encryption
Public Key Crypto does BOTH
- Generates random "session key"
- Uses this session key for actual symmetric encryption
- Encrypts the session key with asymmetric encryption
This is why strong randomness matters!
Key Management
The proverbial "devil in the details"
Symmetric cryptography
-
Pre-shared keys only
- Hard
Asymmetric cryptography
-
Public key collections
- Hard
Because trust
Good messaging crypto does both:
Obfuscation
-
An enemy cannot read your message.
Verification
-
You know for sure* the message came from a friend.
- You know for sure* enemies did not tamper with it.
* certain conditions apply
obfuscation is easy
verification is hard
Telling friends from foes
- Meet up and share keys in person
- Upside: really secure
- Not really different from pre-shared keys
- Downside: Can't possibly scale
- How can computer-challenged Joe Schmoe know he's actually communicating with amazon.com?
- How does Alice from New York know she's actually talking to Bertha from Melbourne?
We need a way to delegate trust!
Sign all
the things!
A fork in the road appears
- Centralized
- Certification Authorities
- TLS and S/MIME
- Decentralized
- Web of Trust
- OpenPGP
Centralized
- Certification Authorities
- A small set of entities that our software trusts
- Single level of trust — all or none
- Convenient
- For users
- For vendors
- For hackers
- For governments
Web of trust
- You and only you pick who you trust
- Multiple levels of trust
- full or partial
- Incredibly inconvenient
- For users
- For vendors
- For hackers
- For governments
This "web of trust"...
how in the blazes does it work?
No magic. Just math.
Alice, bob
and
jean-luc picard
When Picard met Riker
Most know the general idea:
- Riker tells Picard his key fingerprint
- Picard downloads Riker's public key
- Picard verifies the fingerprint
- Picard signs Riker's public key and uploads it
Let's see that in action!
Wait, trust "unknown"?
Graph all the things
What is "validity"
In PGP, "Validity" is your certainty that
this key belongs to the intended person.
Not the same thing as "Trust"!
So, what the heck is "trust"?
Trust
In PGP, "trust" is our certainty that this person
will do a good job verifying other people's
identities before signing their keys.
Also called "owner-trust"
Trust is always unknown
Unless you and only you set it
Let's see how that works.
Graph all the things
Data comes on board
- Riker signs Data's key
- How does Data's trust/validity look like to Picard?
- Let's see it in action.
Validity: full
This is web of trust in action!
Graph all the things
Picard delegates
All keys signed by Riker will be valid to Picard
Riker is Picard's CA
it's worth repeating:
When you set owner-trust
that person becomes your
certification authority
marginal trust
-
X.509 only has one level of trust: full
- OpenPGP has "marginal trust"
- "I sorta trust this person, but not too much"
- Let's see how that works
GRAPH ALL THE THINGS
Wesley comes along
- Only has Dr. Crusher's signature
- Let's see how that works
Graph all the things
Q: What will happen if both
worf and data sign
wesley's key?
A: 3 marginals = 1 full
GRAPH ALL THE THINGS
Marginals are configurable
-
You can configure to require 2 or 5, or whatever
- Best to stick to defaults, though
Web of trust is shallow
- Only goes 5 levels deep
- You can check with --check-trustdb
- Let's see how it looks
- You can change the depth
- but prepare for it to be slow
Trust models
- PGP
- The default
- Classic
- No trust signatures
- Direct
- Set validity manually
- Does not use the web of trust
- Always
- Do not use, ever
- Auto
- Whatever your trustdb says
- Most often, PGP
Advanced topics
- Keyservers
- Local signatures
- Signature revocations
- Trust signatures
keyservers
- Sharing public keys is difficult
- Especially when heavily relying on the web of trust
- PGP key servers were set up for that reason
- Worldwide locations
- Mutually replicating (most of them)
- Pretty much required for sanity
- gpg --search konstantin@linuxfoundation.org
- gpg --recv-key [keyid]
Local Signatures
- When you don't want others to know
- Just being in contact with someone can be incriminating
- With keyservers, inadvertently sending sigs is easy
- It's impossible to make a sig disappear
- You can only revoke it, and that doesn't fix the problem
- Local sigs not very commonly used
- gpg --edit-key
- lsign
Revoking signatures
- You screwed up and signed the wrong key
- Or you found out you got tricked
- Or that particular ID is no longer valid
- If you haven't sent the public key to the keyserver
- Just delete the signature and nobody has to know
- If you did share the signature with the keyserver
- You have to revoke it using "revsig"
- And then upload it to the keyserver
- Let's see how that works
refresh prince
- You should do "gpg --refresh" routinely
- Picks up all the new subkeys
- Fetches all the revocations
- Run it from cron weekly overnight
Trust signatures
- Poorly understood and rarely used
- Suitable for hierarchical organizations
- Like starfleet
- Allows to add owner-trust to signatures
- Kind of like designating a "sub-CA" in the x.509 world
Trust sigs:
If you trust me, you can also trust this person to the same degree as me, should you choose to do so.
You'll probably never use them.
So don't worry if it's unclear. :)
Most important takeaways
"Validity" is our certainty that the key belongs to the intended person.
You should only use keys with full validity.
"Trust" or "owner-trust" is used to designate who we think will do a good job verifying other people's keys before signing them.
Must be set manually on each key.
Trust can be full or marginal
Three marginals = one full
And finally...
PGP kinda sucks
- It's near-universally acknowledged
- The standard and crypto are old
- No forward secrecy
- Crypto has known weaknesses
- It was written for the email world
- Unsafe for many other applications
- Mail client implementations universally suck
- Unencrypted subject and metadata
Web of trust kinda sucks
- Completely opaque to non-technical people
- And even to highly technical people
- Hello, everyone!
- Keyrings are universally stale
- When was the last time you ran "refresh"?
- Key signatures leak private data
- Names, emails, social connections
- Web of trust does not scale beyond small groups
- Has many subtle ways in which it can be subverted
It is still a useful tool
- No, it's not a sane replacement for TLS
- Yes, there are interesting alternatives in the works
- Off-the-Record messaging (OTR)
- New end-to-end mail crypto framework
- Best suited for small, tightly-knit groups
- that communicate mostly over email
- which is really why you're here
Thank you!
@mricon
PGP Web of trust
By Konstantin Ryabitsev
