PGP Web of trust

How does it work?








by Konstantin Ryabitsev
LinuxCon North America, Chicago, 2014

About me

  • Responsible for the upkeep of the kernel.org web of trust
  • I had no idea how the web of trust worked until recently
  • Very few people do, even those who use PGP every day
  • Let's fix that!

What is Public Key Crypto?

  • Symmetric cryptography
    • Same key encrypts and decrypts
    • Strong
    • Fast
  • Asymmetric cryptography
    • One key encrypts (public key)
    • The other key decrypts (private key)
    • Depends on some curious math
    • Slooooow



Q: Which does PGP use?

  1. symmetric encryption
  2. asymmetric encryption

Public Key Crypto does BOTH

  1. Generates random "session key"
  2. Uses this session key for actual symmetric encryption
  3. Encrypts the session key with asymmetric encryption



This is why strong randomness matters!

Key Management

The proverbial "devil in the details"

Symmetric cryptography

  • Pre-shared keys only
  • Hard

Asymmetric cryptography

  • Public key collections
  • Hard




Because trust


Good messaging crypto does both:


Obfuscation

  • An enemy cannot read your message.


Verification

  • You know for sure* the message came from a friend.
  • You know for sure* enemies did not tamper with it.


* certain conditions apply



obfuscation is easy

verification is hard

Telling friends from foes

  • Meet up and share keys in person
    • Upside: really secure
      • Not really different from pre-shared keys
    • Downside: Can't possibly scale
      • How can computer-challenged Joe Schmoe know he's actually communicating with amazon.com?
      • How does Alice from New York know she's actually talking to Bertha from Melbourne?


We need a way to delegate trust!


Sign all the things!

A fork in the road appears

  1. Centralized
    1. Certification Authorities
    2. TLS and S/MIME
  2. Decentralized
    1. Web of Trust
    2. OpenPGP

Centralized

  • Certification Authorities
    • A small set of entities that our software trusts
  • Single level of trust — all or none
  • Convenient
    • For users
    • For vendors
    • For hackers
    • For governments

Web of trust

  • You and only you pick who you trust
  • Multiple levels of trust
    • full or partial
  • Incredibly inconvenient
    • For users
    • For vendors
    • For hackers
    • For governments



This "web of trust"... how in the blazes does it work?



No magic. Just math.

Alice, Bob and Jean-Luc Picard

When Picard met Riker


Most know the general idea:

  1. Riker tells Picard his key fingerprint
  2. Picard downloads Riker's public key
  3. Picard verifies the fingerprint
  4. Picard signs Riker's public key and uploads it


Let's see that in action!




Wait, trust "unknown"?

Graph all the things


What is "validity"


In PGP, "Validity" is your certainty that
this key belongs to the intended person.



Not the same thing as "Trust"!




So, what the heck is "trust"?

Trust


In PGP, "trust" is our certainty that this person
will do a good job verifying other people's 
identities before signing their keys.


Also called "owner-trust"



Trust is always unknown


Unless you and only you set it


Let's see how that works.

Graph all the things


Data comes on board

  1. Riker signs Data's key
  2. What does Data's trust/validity look like to Picard?
  3. Let's see it in action.


Validity: full

This is web of trust in action!

Graph all the things


Picard delegates


All keys signed by Riker will be valid to Picard


Riker is Picard's CA


It's worth repeating:


When you set owner-trust, that person becomes your certification authority

Marginal trust

  • X.509 only has one level of trust: full
  • OpenPGP has "marginal trust"
    • "I sorta trust this person, but not too much"
  • Let's see how that works

Graph all the things


Wesley comes along

  1. Only has Dr. Crusher's signature
  2. Let's see how that works

Graph all the things


Q: What will happen if both Worf and Data sign Wesley's key?


A: 3 marginals = 1 full

Graph all the things


Marginals are configurable

  • You can configure it to require 2 or 5, or whatever
  • Best to stick to defaults, though

Web of trust is shallow

  • Only goes 5 levels deep
  • You can check with --check-trustdb
    • Let's see how it looks
  • You can change the depth
    • but prepare for it to be slow
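
The marginal and depth rules from the last few slides, worked through as an added Python example (a simplified model of the default trust model, not GnuPG's code and not part of the talk). Who signed whom is a constructed assumption using the talk's characters; the three keyword parameters mirror GnuPG's marginals-needed, completes-needed and max-cert-depth options.

```python
# Simplified model of the default "pgp" trust model; not GnuPG's actual code.
FULL, MARGINAL, UNKNOWN = "full", "marginal", "unknown"

def compute_validity(me, signatures, ownertrust,
                     marginals_needed=3, completes_needed=1, max_depth=5):
    """Return {key: validity} as seen by `me`.

    signatures: set of (signer, signed_key) pairs
    ownertrust: {key: FULL or MARGINAL}, set by hand; missing means unknown
    """
    validity = {me: FULL}
    targets = {signed for _signer, signed in signatures} - {me}
    for _round in range(max_depth):          # each round reaches one level deeper
        # Only keys that are fully valid AND carry owner-trust act as introducers.
        introducers = {k: ownertrust[k] for k, v in validity.items()
                       if v == FULL and k in ownertrust}
        result = {me: FULL}
        for key in targets:
            signers = {s for s, k in signatures if k == key}
            full = sum(introducers.get(s) == FULL for s in signers)
            marginal = sum(introducers.get(s) == MARGINAL for s in signers)
            if me in signers or full >= completes_needed or marginal >= marginals_needed:
                result[key] = FULL           # own signature or enough introducers
            elif full or marginal:
                result[key] = MARGINAL
        if result == validity:
            break
        validity = result
    return validity

def enterprise_demo():
    """Constructed keyring using the talk's characters; who signed whom is assumed."""
    sigs = {("picard", "riker"), ("picard", "crusher"), ("picard", "worf"),
            ("riker", "data"), ("crusher", "wesley")}
    out = {}
    # 1. Picard signed Riker's key but set no owner-trust: Data stays unknown.
    out["data_before"] = compute_validity("picard", sigs, {}).get("data", UNKNOWN)
    # 2. Picard gives Riker full owner-trust: Riker's signature now validates Data.
    trust = {"riker": FULL, "crusher": MARGINAL, "worf": MARGINAL, "data": MARGINAL}
    v = compute_validity("picard", sigs, trust)
    out["data_after"], out["wesley_one_sig"] = v["data"], v["wesley"]
    # 3. Worf and Data also sign Wesley's key: three marginals make one full.
    sigs |= {("worf", "wesley"), ("data", "wesley")}
    out["wesley_three_sigs"] = compute_validity("picard", sigs, trust)["wesley"]
    # 4. With a depth limit of 2, Data's signature is out of reach.
    out["wesley_depth_2"] = compute_validity("picard", sigs, trust, max_depth=2)["wesley"]
    return out

if __name__ == "__main__":
    print(enterprise_demo())
```

In step 4 Wesley drops back to marginal because Data only becomes an introducer one level deeper than the limit allows, which is the practical effect of a shallow web.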

Trust models

  • PGP
    • The default
  • Classic
    • No trust signatures
  • Direct
    • Set validity manually
    • Does not use the web of trust
  • Always
    • Do not use, ever
  • Auto
    • Whatever your trustdb says
    • Most often, PGP


Advanced topics

  • Keyservers
  • Local signatures
  • Signature revocations
  • Trust signatures

Keyservers

  • Sharing public keys is difficult
  • Especially when heavily relying on the web of trust
  • PGP key servers were set up for that reason
    • Worldwide locations
    • Mutually replicating (most of them)
    • Pretty much required for sanity
  • gpg --search-keys konstantin@linuxfoundation.org
  • gpg --recv-keys [keyid]

Local Signatures

  • When you don't want others to know
    • Just being in contact with someone can be incriminating
  • With keyservers, inadvertently sending sigs is easy
    • It's impossible to make a sig disappear
    • You can only revoke it, and that doesn't fix the problem
  • Local sigs not very commonly used
  • gpg --edit-key
    • lsign

Revoking signatures

  • You screwed up and signed the wrong key
  • Or you found out you got tricked
  • Or that particular ID is no longer valid
  • If you haven't sent the public key to the keyserver
    • Just delete the signature and nobody has to know
  • If you did share the signature with the keyserver
    • You have to revoke it using "revsig"
    • And then upload it to the keyserver
  • Let's see how that works

Refresh Prince

  • You should do "gpg --refresh-keys" routinely
    • Picks up all the new subkeys
    • Fetches all the revocations
  • Run it from cron weekly overnight

Trust signatures

  • Poorly understood and rarely used
  • Suitable for hierarchical organizations
    • Like Starfleet
  • Let you add owner-trust to signatures
  • Kind of like designating a "sub-CA" in the X.509 world


Trust sigs:


If you trust me, you can also trust this person to the same degree as me, should you choose to do so.



You'll probably never use them.

So don't worry if it's unclear. :)




Most important takeaways



"Validity" is our certainty that the key belongs to the intended person.


You should only use keys with full validity.



"Trust" or "owner-trust" is used to designate who we think will do a good job verifying other people's keys before signing them.


Must be set manually on each key.




Trust can be full or marginal


Three marginals = one full




And finally...


PGP kinda sucks

  • It's near-universally acknowledged
  • The standard and crypto are old
    • No forward secrecy
    • Crypto has known weaknesses
  • It was written for the email world
    • Unsafe for many other applications
  • Mail client implementations universally suck
    • Unencrypted subject and metadata

Web of trust kinda sucks

  • Completely opaque to non-technical people
    • And even to highly technical people
    • Hello, everyone!
  • Keyrings are universally stale
    • When was the last time you ran "refresh"?
  • Key signatures leak private data
    • Names, emails, social connections
  • Web of trust does not scale beyond small groups
  • Has many subtle ways in which it can be subverted

It is still a useful tool

  • No, it's not a sane replacement for TLS
  • Yes, there are interesting alternatives in the works
    • Off-the-Record messaging (OTR)
    • New end-to-end mail crypto framework
  • Best suited for small, tightly-knit groups
    • that communicate mostly over email
    • which is really why you're here



Thank you!

@mricon