The OpenPGP Standard Jonathan Callas Senior Security Consultant Kroll-O’Gara ISG.
-
Upload
virgil-gaines -
Category
Documents
-
view
220 -
download
1
Transcript of The OpenPGP Standard Jonathan Callas Senior Security Consultant Kroll-O’Gara ISG.
The OpenPGP Standard
Jonathan Callas
Senior Security Consultant
Kroll-O’Gara ISG
Information Security GroupInformation Security Group
Outline
• PGP History
• The OpenPGP Standard
• OpenPGP’s relationship to other Relevant Standards
• The Future
• Note: “PGP” and “Pretty Good Privacy” are trademarks of Network Associates, Inc.
Information Security GroupInformation Security Group
PGP History
• Early History– PGP 1.0 created in 1991– PGP 2.0 introduced original cipher suite (RSA,
IDEA, MD5)– PGP 2.6 created in 1994
Information Security GroupInformation Security Group
PGP History
• Later History– PGP 3 started in 1994-5– PGP Inc. Formed by PRZ after customs
investigation dropped, 1996– PGP 3 released as PGP 5.0 in May 1997
Information Security GroupInformation Security Group
PGP History
• PGP 5.0– New Algorithms
• DSS signatures
• Elgamal public-key encryption
• SHA-1 hashes
• CAST5 (CAST-128), TripleDES symmetric encryption
Information Security GroupInformation Security Group
PGP History
• PGP 5.0– New signature formats– New certificate structure
• Dual-key structure
• Architecture for N-key structure
Information Security GroupInformation Security Group
PGP History
• OpenPGP– Started in the IETF in September 1997– Starts with PGP 5 as a base– Encourages but does not require compatibility
with PGP 2.6– Unencumbered architecture
Information Security GroupInformation Security Group
PGP History
• OpenPGP– Promoted to Proposed Standard in October
1998– RFC 2440– Implementations include
• Network Associates PGP
• Tom Zerucha reference implementation
• GNU Privacy Guard
Information Security GroupInformation Security Group
OpenPGP Message FormatEncrypted SessionKey (one per“recipient”)
Encrypted Data
Signature(Optional)
CompressedData
LiteralData
Information Security GroupInformation Security Group
OpenPGP Message Format (2)Encrypted SessionKey (one per“recipient”)
Encrypted Data
Signature(Optional)
CompressedData
LiteralData
Information Security GroupInformation Security Group
OpenPGP Message Format (3)Encrypted SessionKey (one per“recipient”)
Encrypted Data
Signature(Optional)
CompressedData
LiteralData
Information Security GroupInformation Security Group
OpenPGP Certificates
key
User ID User ID
Signature
Certification
Signature
Signature
Certificate
Information Security GroupInformation Security Group
OpenPGP Dual Key Cert
Signing Key(Typically DSS)
Encryption Key(Typically Elgamal)
Binding signature
Information Security GroupInformation Security Group
OpenPGP Dual Key Cert (2)
Signing Key(Typically DSS)
Encryption Key(Typically Elgamal)
Binding signature
Information Security GroupInformation Security Group
OpenPGP Dual Key Cert (3)
Signing Key(Typically DSS)
Encryption Key(Typically Elgamal)
Binding signature
Encryption Key(Typically Elgamal)
Binding signature
Information Security GroupInformation Security Group
OpenPGP Dual Key Cert (4)
Signing Key(Typically DSS)
Encryption Key(Elgamal)
Binding signature
Signing Key(RSA)
Binding signature
Encryption Key(EC, lives onSmart card)
Binding signature
Information Security GroupInformation Security Group
OpenPGP Trust Model
• OpenPGP doesn’t have a trust model
• OpenPGP can use any trust model
• OpenPGP can support– Direct Trust– Hierarchical Trust– Cumulative Trust
Information Security GroupInformation Security Group
Trust Models
• Direct Trust– I trust your cert because you gave it to me– Very secure trust model (do you trust yourself)– Scales least well– Used in OpenPGP, S/MIME, IPsec, TLS/SSL,
etc.
Information Security GroupInformation Security Group
Trust Models
• Hierarchical Trust– I trust your cert because its issuer has a cert
issued by someone … whom I trust– Least secure trust model
• Damage spreads through tree
• Recovery is difficult
Information Security GroupInformation Security Group
• Hierarchical Trust (continued)– Best scaling, mimics organizations– Used in OpenPGP, S/MIME, IPsec, TLS/SSL,
etc.
Trust Models
Information Security GroupInformation Security Group
Trust Models
• Cumulative Trust (a.k.a. Web of Trust)– I trust your cert because some collection of
people whom I trust issued certifications– Potentially more secure than direct trust– Scales almost as well as HT for intra-
organization
Information Security GroupInformation Security Group
Trust Models
• Cumulative Trust– Handles inter-organization problems
• Company A issues only to full-time employees
• Company B issues to contractors and temps
• A and B’s management issue edict for cross certification
– Addresses “two id” problem• How do you know John Smith(1) is John Smith(2)?
Information Security GroupInformation Security Group
Other Relevant Standards
• So What?
• Why Bother?
• Myths about OpenPGP
Information Security GroupInformation Security Group
So What?
• X.509 is everywhere– OpenPGP is small (code and data)
• Zerucha imp. is 5000 lines of C (sans crypto)
– Suitable for embedded & end-user applications• Used by banks, etc. transparently
– It’s Flexible and Small!– It actually works
Information Security GroupInformation Security Group
Why Bother?
• S/MIME will take over– PGP has years of deployment
• 90%? Traffic is some PGP.
– PGP is only strong crypto• S/MIME 3 is much better
• Outside the US, there is distrust
• Can you see the source?
– Cisco: Secure email is PGP’s to lose
Information Security GroupInformation Security Group
Myths
• It’s email only– It’s for any “object”
• It requires the web of trust– Can use any trust model– Businesses use PGP with hierarchies today
• It’s proprietary– IETF Standard
Information Security GroupInformation Security Group
Present Into The Future
• Ultimately, data formats are less important than you’d think
• On desktops, size matters less– But small systems will be with us always
• Description of the OpenPGP philosophy– PGP implemented in X.509– Certification Process
Information Security GroupInformation Security Group
OpenPGP Philosophy
• Everyone is potentially a CA– This is going to happen whether you like or not.
• Everyone has different policies– Wait until you do inter-business PKI
• One size will not fit all– Validity is in the eye of the beholder– Trust comes from below
Information Security GroupInformation Security Group
Potential PGP/X.509 merger
• Ideas of PGP
• Syntax of X.509
• Disclaimer– This doesn’t exist– It’s all still experimental
Information Security GroupInformation Security Group
X.509 Certificate
User Information(DN & Stuff)
Public Key
Signature binds Key and Information
Information Security GroupInformation Security Group
PGP in X.509 Drag
Key 1
User 1
Signature 1
Key 1
User 1
Signature 2
Key 1
User 2
Signature 3
Information Security GroupInformation Security Group
PGP Certification Process
User
PGP CertificateServer Pending
Area
PGP CA
PGPCert
Information Security GroupInformation Security Group
PGP Certification Process
User
PGP CertificateServer Pending
Area
PGP CA
PGPCert
Information Security GroupInformation Security Group
PGP Certification Process
User
PGP CertificateServer Pending
Area
PGP CA
PGPCert
Information Security GroupInformation Security Group
PGP Certification Process
User
PGP CertificateServer Pending
Area
PGP CAPGPCert
Information Security GroupInformation Security Group
PGP Certification Process
User
PGP CertificateServer Pending
Area
PGP CA
PGPCert
Information Security GroupInformation Security Group
X.509 Certification Process
User
CAServer
CAPKCS10
Cert Request
Information Security GroupInformation Security Group
X.509 Certification Process
User
CAServer
CA
PKCS10Cert Request
Information Security GroupInformation Security Group
X.509 Certification Process
User
CAServer
CA
PKCS10Cert Request
X.509Certificate
Information Security GroupInformation Security Group
X.509 Certification Process
User
CAServer
CAX.509Certificate
Information Security GroupInformation Security Group
Certifying PGP with X.509 CA
User
CAServer
CA
PKCS10Cert Request
PGPCert
X.509Certificate
Key
Information Security GroupInformation Security Group
Starting a PGP cert from X.509
User
PGPCert
X.509Certificate
Key
Information Security GroupInformation Security Group
Summary
• OpenPGP is an IETF standard– Certificates– “Objects”
• It’s lightweight and flexible
• Interesting work is being done for the future