WHITEPAPER, g10code GmbH, 2011-10-17
cryptographic algorithms due to progress in technology or mathematics. A simple replacement of the user's certificate would be flagged by the trust system as a possible attack (see Sect. IV). Thus, a key rollover procedure is required in which the new certificate is signed by the old one before it is distributed. Such certificate renewals should be initiated and managed automatically without user interaction, according to policies that are set by the domain experts and updated together with the software stack.

II. AUTOMATIC KEY DISTRIBUTION

One challenge in the usability of public key cryptosystems is key distribution and retrieval through a public key infrastructure (PKI). Historically, both OpenPGP and S/MIME have come up with impractical answers to the questions of in which database and under which name a certificate should be stored, how changes are propagated in the network, and how trust is assigned to the information stored in those databases [12]. We repeat the simple, pragmatic solutions from [13] to address these intractable theoretical problems. Following the PKI design recommendations in [12], certificates are identified by a mandatory mail address, and may also carry a locally meaningful text such as a personal name. This solves the identity problem. Revocation is avoided: the validity of a certificate is given by its presence in the database (online validation). Lastly, as the database for storing and retrieving certificates we propose DNS, which has many useful properties:

- DNS provides decentralization and high availability worldwide.
- Mail addresses split naturally into a user name and a domain name, which fits the existing structure of DNS records.
- The proposal automatically benefits from security improvements to DNS. In particular, DNSSEC prevents man-in-the-middle attacks on the lookup.
- DNS records can be dynamically managed at a fine enough time granularity to match user expectations for all pseudonyms but those lasting for a very short time. But exactly for those non-persistent pseudonyms, the security provided by this proposal is already considerably weakened by the choice of the trust model (see Sect. IV).
- Because certificates can be very long, it is possible to store a fingerprint of the certificate in DNS, along with a URL to the full certificate.
- Due to caching, DNS updates may be delayed and thus database entries may appear out of date in the network for some time. In particular, new identities and invalidations may not be immediately visible to all peers. We believe that the advantages by far outweigh this imperfection for typical use patterns in mail communication.

The above lookup protocol makes it possible to secure even the initial contact without any user interaction (see Sect. III).

III. OPPORTUNISTIC ENCRYPTION

In [8], Whitten reports that 3 out of 12 test users sent mail accidentally in the clear while exploring the system. This can happen if encryption must be manually enabled by the user. The simple solution is to always encrypt if it is possible, which is easy to do if key generation and distribution are automatic and transparent to the user, as proposed above. Care must be taken to make decryption on the receiving side transparent as well, to overcome social barriers to the use of encryption [14].

Garfinkel [15] describes opportunistic mail encryption which provides security by default and transparently for the user. We accept his proposal, with some differences:

- To increase compatibility and acceptance, we do not specify mechanisms dedicated to securing the message header.
- As explained above, we prefer to store the certificate in DNS rather than including it in the message. This has many advantages, such as secure initial contact, more up-to-date certificates, and being able to piggy-back on DNS security measures to exclude man-in-the-middle attacks, none of which are addressed in [15].
- Instead of using a filter that acts as a transparent SMTP/POP3 proxy, we require each MUA to implement encryption itself. This enables deeper integration for a better user experience: in Garfinkel's proposal, mail is encrypted if it is possible, otherwise the mail is sent in the clear. There is no mechanism to ask the user for feedback in this case. In our proposal, the MUA may implement the same simple policy, or ask the user for feedback interactively for more sophisticated use cases.
- Also, Garfinkel inserts a + character at the beginning of the decoded subject line to indicate an encrypted mail to the MUA. Any reply to such a mail must then also be encrypted, or it will not be sent. In our proposal, the MUA can implement this policy or more sophisticated ones without resorting to such special header tricks.

IV. TUFC/POP

A major usability barrier in public key cryptosystems is the trust model [8], [14]. The goal is to disable spoofing and man-in-the-middle attacks by verifying that a certificate belongs to the entity (person or organization) described by its user ID. While X.509 defers all trust decisions to third-party certificate authorities (CAs), OpenPGP implementations commonly rely on a decentralized reputation system (the web of trust, WoT). Both systems require a significant investment by the user: X.509 asks the user to sink money into the artificial certificate market that provides a dubious return [12], while OpenPGP asks the user harder and harder questions about the trustworthiness of peers away from the center of his personal web of trust [14]. The design space for trust models is constrained not only by technical difficulties, such as scalability to billions of IDs, but must also respect the mental model of the user: only a system that provides a natural mapping from user expectation to the trust model has a chance to find user acceptance. The mental model of the CA system is that of a guiding parent: all trust decisions are deferred to a higher authority. The mental model of the WoT is peer recommendation (friend of a friend). Both systems are context free in the sense that they put a single, final, black or
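The lookup of Sect. II (fingerprint in DNS, full certificate at a URL) and its use by an opportunistically encrypting MUA as in Sect. III, as an added example in Go. This is not code from the whitepaper, from GnuPG or from GPGME. It assumes the TXT record layout `v=pka1;fpr=<fingerprint>;uri=<url>` under `<user>._pka.<domain>` as documented for GnuPG's PKA (the paper only cites PKA as [13]), computes the OpenPGP v4 fingerprint as RFC 4880 defines it, and replaces the DNS and HTTP transports with an in-memory fetch function; the key material and the `example.org` names are constructed for the example and the moduli are not real RSA keys.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// PKARecord is the payload of a "<user>._pka.<domain> IN TXT" record.
// ASSUMPTION: the "v=pka1;fpr=<hex>;uri=<url>" layout is GnuPG's PKA
// format; the whitepaper itself only cites PKA as [13].
type PKARecord struct {
	Fingerprint string // 40 upper-case hex digits
	URI         string // where the full certificate can be fetched
}

// ParsePKA parses one TXT record. Unknown tags are skipped; a wrong
// version tag or a malformed fingerprint is an error, not a fallback.
func ParsePKA(txt string) (PKARecord, error) {
	var rec PKARecord
	tags := map[string]string{}
	for _, field := range strings.Split(txt, ";") {
		if kv := strings.SplitN(strings.TrimSpace(field), "=", 2); len(kv) == 2 {
			tags[kv[0]] = kv[1]
		}
	}
	if tags["v"] != "pka1" {
		return rec, errors.New("pka: missing or unsupported version tag")
	}
	rec.Fingerprint, rec.URI = strings.ToUpper(tags["fpr"]), tags["uri"]
	if _, err := hex.DecodeString(rec.Fingerprint); err != nil || len(rec.Fingerprint) != 40 {
		return rec, errors.New("pka: fingerprint must be 40 hex digits")
	}
	return rec, nil
}

// RSAPublicKeyPacket builds a v4 RSA public-key packet body (RFC 4880
// sect. 5.5.2): version, creation time, algorithm 1 (RSA), MPI n, MPI e.
func RSAPublicKeyPacket(created uint32, n, e *big.Int) []byte {
	body := []byte{4, byte(created >> 24), byte(created >> 16), byte(created >> 8), byte(created), 1}
	for _, x := range []*big.Int{n, e} { // MPI: two-byte bit length, then magnitude
		body = append(body, byte(x.BitLen()>>8), byte(x.BitLen()))
		body = append(body, x.Bytes()...)
	}
	return body
}

// Fingerprint is the v4 fingerprint (RFC 4880 sect. 12.2): SHA-1 over
// 0x99, the two-byte body length and the packet body.
func Fingerprint(body []byte) string {
	h := sha1.New()
	h.Write([]byte{0x99, byte(len(body) >> 8), byte(len(body))})
	h.Write(body)
	return strings.ToUpper(hex.EncodeToString(h.Sum(nil)))
}

// ResolveKey is the client side of the lookup. DNS names the key only by
// fingerprint and says where to fetch it; the fetched blob is accepted
// solely if it hashes to that fingerprint, so a key substituted at the
// URI or on the wire is rejected even though the lookup itself succeeded.
func ResolveKey(txt string, fetch func(uri string) ([]byte, error)) ([]byte, error) {
	rec, err := ParsePKA(txt)
	if err != nil {
		return nil, err
	}
	key, err := fetch(rec.URI)
	if err != nil {
		return nil, err
	}
	if got := Fingerprint(key); got != rec.Fingerprint {
		return nil, fmt.Errorf("key at %s has fingerprint %s, DNS says %s", rec.URI, got, rec.Fingerprint)
	}
	return key, nil
}

// ConstructedKey builds a packet from a made-up modulus (NOT a real RSA
// key); it only yields a distinct fingerprint per owner for the demo.
func ConstructedKey(owner string) []byte {
	n := new(big.Int).SetBytes([]byte(owner + "-constructed-modulus-not-a-real-key"))
	return RSAPublicKeyPacket(1318896000, n, big.NewInt(65537))
}

func main() {
	alice := ConstructedKey("alice")
	// What alice._pka.example.org would carry; the URI is a placeholder.
	txt := "v=pka1;fpr=" + Fingerprint(alice) + ";uri=https://example.org/keys/alice.asc"
	served := map[string][]byte{"https://example.org/keys/alice.asc": ConstructedKey("mallory")}
	fetch := func(uri string) ([]byte, error) { return served[uri], nil } // stand-in for the HTTP/CERT fetch
	_, err := ResolveKey(txt, fetch)
	fmt.Println("Mallory's key served at Alice's URI:", err)
	served["https://example.org/keys/alice.asc"] = alice
	_, err = ResolveKey(txt, fetch)
	fmt.Println("Alice's own key served:", err)
}
```

The security of the scheme rests on the last comparison in ResolveKey: the certificate behind the URL is trusted only because it hashes to the fingerprint that DNS (and, with DNSSEC, the zone signature) vouches for, so the URL itself may be served over plain HTTP. An MUA following Sect. III encrypts when ResolveKey returns a key, and otherwise applies whichever fallback policy it implements, sending in the clear or asking the user.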
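The continuity rule stated at the end of Sect. I (a replaced certificate is flagged as a possible attack unless the new certificate is signed by the old one) together with the first-contact behaviour of the trust model in Sect. IV, as an added example in Go. This is not code from the whitepaper or from GnuPG. It assumes ed25519 in place of the OpenPGP or X.509 signatures of the real system, a store keyed by mail address, and a rollover signature made by the previous key over the raw new public key; the address and the keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verdict is what the MUA would render; the colours follow the
// green/yellow/red scheme the whitepaper uses for message rendering.
type Verdict string

const (
	FirstContact     Verdict = "first contact: key recorded for this address"
	Continuity       Verdict = "green: same key as on first contact"
	RolloverAccepted Verdict = "green: new key is signed by the previous key, pin updated"
	PossibleAttack   Verdict = "red: key changed without a valid rollover signature"
	Malformed        Verdict = "red: malformed certificate"
)

// Certificate is the minimum the check needs: the public key and, for a
// renewal, a signature over that key made with the previous key.
// ASSUMPTION: ed25519 stands in for the OpenPGP/X.509 signatures of the
// real system; the rule itself (new certificate signed by the old one) is
// the one Sect. I requires.
type Certificate struct {
	PublicKey   ed25519.PublicKey
	RolloverSig []byte // nil unless this certificate replaces an earlier one
}

// ContinuityStore remembers the key first seen for each mail address.
type ContinuityStore struct {
	seen map[string]ed25519.PublicKey
}

func NewContinuityStore() *ContinuityStore {
	return &ContinuityStore{seen: map[string]ed25519.PublicKey{}}
}

// Check applies the continuity rule to a certificate presented for addr.
// Only a verified rollover moves the pin; an unsigned change leaves the
// old key pinned, so the next mail under the old key is still green.
func (s *ContinuityStore) Check(addr string, cert Certificate) Verdict {
	if len(cert.PublicKey) != ed25519.PublicKeySize {
		return Malformed // never pin something Verify could not even use
	}
	old, known := s.seen[addr]
	switch {
	case !known:
		s.seen[addr] = cert.PublicKey
		return FirstContact
	case bytes.Equal(old, cert.PublicKey):
		return Continuity
	case cert.RolloverSig != nil && ed25519.Verify(old, cert.PublicKey, cert.RolloverSig):
		s.seen[addr] = cert.PublicKey
		return RolloverAccepted
	default:
		return PossibleAttack
	}
}

// SignRollover is what the renewal policy publishes before the old key is
// retired: the new public key, signed by the key that peers already pin.
func SignRollover(oldPriv ed25519.PrivateKey, newPub ed25519.PublicKey) Certificate {
	return Certificate{PublicKey: newPub, RolloverSig: ed25519.Sign(oldPriv, newPub)}
}

// NewKeyPair is the key generation the MUA runs in the background.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: refuse to continue
	}
	return pub, priv
}

func main() {
	store := NewContinuityStore()
	pub1, priv1 := NewKeyPair()
	pub2, _ := NewKeyPair()
	pub3, _ := NewKeyPair()
	const addr = "alice@example.org" // constructed address
	fmt.Println(store.Check(addr, Certificate{PublicKey: pub1})) // first contact
	fmt.Println(store.Check(addr, Certificate{PublicKey: pub1})) // green
	fmt.Println(store.Check(addr, Certificate{PublicKey: pub2})) // red: bare replacement
	fmt.Println(store.Check(addr, SignRollover(priv1, pub2)))     // green: signed rollover
	fmt.Println(store.Check(addr, SignRollover(priv1, pub3)))     // red: signed by a retired key
}
```

Two details matter in practice. A rollover must be signed by the key currently pinned, not by any earlier key, otherwise a compromised old key could keep re-introducing attacker keys after the user has moved on. And the store is per device: unless it travels with the user, every new device starts at first contact, which is exactly the mobility source of false negatives that Sect. VIII discusses.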
- A new API for GPG to maintain this database; optionally add the same API to GPGSM².
- A new API for GPGME so that applications can make easy use of the database.
- A new value for GPG's trust-model option to enable the TUFC scheme, and a small amount of code to implement this trust model.
- A new GPGME API to create a key in the background if it does not exist.

D. MUA Changes

MUAs need to interact with the mail providers when setting up a new mail account. This is required to automatically create a new key or assign an existing key to the account. Thus changes to the mail account setup dialogs are required. Due to the mostly unattended operation of our system, a sufficient mechanism is a checkbox to disable key generation and a progress bar running during key generation and until the key has been stored by the mail provider's system. The MUA can notify the user (by mail) as soon as the key is publicly available in the DNS.

The function to display a mail needs to tell GPGME the sender's address and render the message in a way that shows the verification status as reported by GPGME. For the best user experience this needs to be done asynchronously, so that fast scrolling through mails does not have to wait for the verification result.

MUAs further need to implement a configuration option to disable the TUFC system and to use the crypto functions as found today. Another option to allow the use of both systems, thereby assigning different trust values to TUFC-verified and PKI-verified messages, is also desirable to gain acceptance by the more traditional members of the crypto community.

In case a full PIM service with integrated backup is not in use, the backup feature of the MUA needs to include the keys. If no backup feature exists, at least a regular backup reminder should be displayed by means of an internally generated mail. A simple backup mechanism may be to allow the user to print out the keys on paper, in the form of a hexdump with checksums for manual or OCR input (as produced by paperkey [20]) and in the form of 2-dimensional barcodes such as DataMatrix or QR codes [21].

VI. EXPERT OPTIONS

Although the goal of this system is simplicity, we will only gain acceptance if a few expert options are available:

A. One Key for all Accounts

Compared to the broad user base of mail, only a few users need several mail accounts. Our proposal supports this already by creating one key per mail account. Some users might prefer to use the same key for several accounts. One possible reason for this use case is the use of a smartcard which shall by policy only be used for one certificate.² Or maybe a separate backend can handle this. The system should allow for this use case, which needs to be supported by all clients by allowing previously created keys to be configured and deployed with an account. The key element to implement this feature is the indirection expressed by PKA: only the fingerprint of the key is associated with the mail address, not a particular key. In addition a hint is given where to find the key (here this hint is required to be able to retrieve the key without external information). Either a URL or a DNS CERT record reference may be used in the PKA record for a primary user ID (aliasing). A primary user ID has the advantage that other mail addresses are more loosely tied together; this has advantages for user ID management.

B. Using a PKI

There are two small communities which are used to their PKI models: OpenPGP users sometimes make heavy use of the WoT, whereas hierarchically organized groups demand the use of the PKIX (X.509) trust model. They should be allowed to keep on using their particular trust model. A way to implement this is a configuration switch to change the rendering of TUFC-protected messages from green to yellow and to use green³ only for trust achieved by the WoT or PKIX.

VII. USER INTERFACE

Designing a UI for this is a bit of a challenge. However, over the last years a lot of experience has been collected in the domain of web browsers. We can build upon this.

VIII. CHALLENGES

For a successful deployment of such a system it is of paramount importance that major webmail providers support their users by providing the infrastructure to store key information in the DNS using an automated or semi-automated system. Finding incentives for the providers to implement and support this infrastructure may be difficult.

Although the trust model can provide positive and negative feedback to the user, such feedback is likely to be ignored in the current computing environment due to adverse user conditioning in the past decades [11]. To improve user perception in the long term, the quality of the feedback must improve significantly. In particular, we have to eliminate false negatives. We already explained how false negatives due to certificate renewal can be eliminated by automatic key rollover procedures. We expect that a major source of false negatives comes from user mobility, i.e. the use of multiple accounts and devices. Mobility of personal information across user devices and service providers will increasingly become an urgent problem for a wide range of applications. Any solution to this problem in general can also be applied to mail certificates and the trust contexts of the user.

³ Of course, these colors need to be supported by other indicators like different frame styles or background textures as well.

REFERENCES

[1] J. Linn, "Privacy enhancement for Internet electronic mail: Part I: Message encipherment and authentication procedures," RFC 989, Internet Engineering Task Force, Feb. 1987, obsoleted by RFCs 1040, 1113. [Online]. Available: http://www.ietf.org/rfc/rfc989.txt
[2] P. Zimmermann, "PGP Marks 10th Anniversary," http://www.philzimmermann.com/EN/news/PGP_10thAnniversary.html (retrieved on 28 July 2011).
[3] S. Crocker, N. Freed, J. Galvin, and S. Murphy, "MIME Object Security Services," RFC 1848 (Historic), Internet Engineering Task Force, Oct. 1995. [Online]. Available: http://www.ietf.org/rfc/rfc1848.txt
[4] J. Galvin, S. Murphy, S. Crocker, and N. Freed, "Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted," RFC 1847 (Proposed Standard), Internet Engineering Task Force, Oct. 1995. [Online]. Available: http://www.ietf.org/rfc/rfc1847.txt
[5] J. Callas, L. Donnerhacke, H. Finney, D. Shaw, and R. Thayer, "OpenPGP Message Format," RFC 4880 (Proposed Standard), Internet Engineering Task Force, Nov. 2007, updated by RFC 5581. [Online]. Available: http://www.ietf.org/rfc/rfc4880.txt
[6] B. Ramsdell, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification," RFC 3851 (Proposed Standard), Internet Engineering Task Force, Jul. 2004, obsoleted by RFC 5751. [Online]. Available: http://www.ietf.org/rfc/rfc3851.txt
[7] D. Florencio and C. Herley, "A large-scale study of web password habits," in Proceedings of the 16th international conference on World Wide Web, ser. WWW '07. New York, NY, USA: ACM, 2007, pp. 657-666. [Online]. Available: http://doi.acm.org/10.1145/1242572.1242661
[8] A. Whitten and J. D. Tygar, "Why Johnny can't encrypt: a usability evaluation of PGP 5.0," in Proceedings of the 8th conference on USENIX Security Symposium - Volume 8. Berkeley, CA, USA: USENIX Association, 1999, pp. 14-14. [Online]. Available: http://portal.acm.org/citation.cfm?id=1251421.1251435
[9] S. Gaw, E. W. Felten, and P. Fernandez-Kelly, "Secrecy, flagging, and paranoia: adoption criteria in encrypted email," in Proceedings of the SIGCHI conference on Human Factors in computing systems, ser. CHI '06. New York, NY, USA: ACM, 2006, pp. 591-600. [Online]. Available: http://doi.acm.org/10.1145/1124772.1124862
[10] "The 2010 U.S. Digital Year in Review," White Paper, comScore, Feb. 2011.
[11] P. Gutmann, "Security usability fundamentals," http://www.cs.auckland.ac.nz/~pgut001/pubs/usability.pdf (retrieved on 23 August 2011).
[12] P. Gutmann, "PKI: It's not dead, just resting," Computer, vol. 35, pp. 41-49, August 2002. [Online]. Available: http://portal.acm.org/citation.cfm?id=619078.622041
[13] W. Koch, "Public key association," in GUUG Frühjahrsfachgespräche 2006: Proceedings. Köln, Germany: GUUG, 2006, pp. 159-167. [Online]. Available: http://g10code.com/docs/pka-intro.de.pdf
[14] S. L. Garfinkel and R. C. Miller, "Johnny 2: a user test of key continuity management with S/MIME and Outlook Express," in Proceedings of the 2005 symposium on Usable privacy and security, ser. SOUPS '05. New York, NY, USA: ACM, 2005, pp. 13-24. [Online]. Available: http://doi.acm.org/10.1145/1073001.1073003
[15] S. L. Garfinkel, "Enabling email confidentiality through the use of opportunistic encryption," in Proceedings of the 2003 annual national conference on Digital government research, ser. dg.o '03. Digital Government Society of North America, 2003, pp. 1-4. [Online]. Available: http://portal.acm.org/citation.cfm?id=1123196.1123245
[16] D. Wendlandt, D. Andersen, and A. Perrig, "Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing," in Proc. USENIX Annual Technical Conference, Boston, MA, Jun. 2008.
[17] O. B. Tel, O. Bergman, and R. Boardman, "Personal information management," in Extended Abstracts of the 2004 ACM Conference on Human Factors and Computing Systems. ACM Press, 2004, pp. 1598-1599.
[18] T. Adam and M. Boehm, "When the bazaar sets out to build cathedrals," in Beautiful Architecture, M. Treseler, Ed. O'Reilly Media, 2009, ch. 12, pp. 279-311.
[19] D. Mahoney, "The complete guide to publishing PGP keys in DNS," http://www.gushi.org/make-dns-cert/HOWTO.html (retrieved on 5 July 2011).
[20] D. Shaw, "Paperkey - an OpenPGP key archiver," http://www.jabberwocky.com/software/paperkey/ (retrieved on 30 August 2011).
[21] T. Jost, "HOWTO Backup your GnuPG secret key on paper," http://schnouki.net/2010/03/22/howto-backup-your-gnupg-secret-key-on-paper/ (retrieved on 30 August 2011).
[22] S. Josefsson, "Storing Certificates in the Domain Name System (DNS)," RFC 4398 (Proposed Standard), Internet Engineering Task Force, Mar. 2006. [Online]. Available: http://www.ietf.org/rfc/rfc4398.txt
[23] T. Ylönen, "SSH: secure login connections over the internet," in Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6. Berkeley, CA, USA: USENIX Association, 1996, pp. 4-4. [Online]. Available: http://portal.acm.org/citation.cfm?id=1267569.1267573
[24] F. Stajano and R. J. Anderson, "The resurrecting duckling: Security issues for ad-hoc wireless networks," in Proceedings of the 7th International Workshop on Security Protocols. London, UK: Springer-Verlag, 2000, pp. 172-194. [Online]. Available: http://portal.acm.org/citation.cfm?id=647217.760118
[25] P. Gutmann, "Why Isn't the Internet Secure Yet, Dammit?" in AusCERT Asia Pacific Information Technology Security Conference 2004; Computer Security: Are we there yet? AusCERT, May 2004. [Online]. Available: http://www.cs.auckland.ac.nz/~pgut001/pubs/dammit.pdf

Werner Koch is the principal author of GnuPG, a Free Software activist, and Business Manager at g10code GmbH. Contact him at wk@g10code.com.

Marcus Brinkmann holds a diploma degree in mathematics from the Ruhr University Bochum and is Software Architect at g10code GmbH. Contact him at mb@g10code.com.