WHITEPAPER, g10code GmbH, 2011-10-17
cryptographic algorithms due to progress in technology or mathematics. A simple replacement of the user's certificate would be flagged by the trust system as a possible attack (see Sect. IV). Thus, a key rollover procedure is required in which the new certificate is signed by the old one before it is distributed. Such certificate renewals should be initiated and managed automatically without user interaction, according to policies that are set by the domain experts and updated together with the software stack.

II. AUTOMATIC KEY DISTRIBUTION

One challenge in usability of public key cryptosystems is key distribution and retrieval through a public key infrastructure (PKI). Historically, both OpenPGP and S/MIME have come up with impractical answers to the question in which database and under which name a certificate should be stored, how changes are propagated in the network, and how trust is assigned to the information stored in those databases [12]. We repeat the simple, pragmatic solutions from [13] to address these intractable theoretical problems.

Following the PKI design recommendations in [12], certificates are identified by a mandatory mail address, and may also carry a locally meaningful text such as a personal name. This solves the identity problem. Revocation is avoided: the validity of a certificate is given by its presence in the database (online validation). Lastly, as the database for storing and retrieving certificates we propose DNS, which has many useful properties:

- DNS provides decentralization and high availability world-wide.
- Mail addresses split naturally into a user name and a domain name, which fits the existing structure of DNS records.
- The proposal automatically benefits from security improvements to DNS. In particular, DNSSEC disables man-in-the-middle attacks.
- DNS records can be dynamically managed at a fine enough time granularity to match user expectations for all pseudonyms but those lasting for a very short time. But exactly for those non-persistent pseudonyms, the security provided by this proposal is already considerably weakened by the choice of the trust model (see Sect. IV).
- Because certificates can be very long, it is possible to store a fingerprint of the certificate in DNS, along with a URL to the full certificate.

Due to caching, DNS updates may be delayed and thus database entries may appear out of date in the network for some time. In particular, new identities and invalidations may not be immediately visible to all peers. We believe that the advantages by far outweigh this imperfection for typical use patterns in mail communication.

The above lookup protocol makes it possible to secure even the initial contact without any user interaction (see Sect. III).

III. OPPORTUNISTIC ENCRYPTION

In [8], Whitten reports that 3 out of 12 test users sent mail accidentally in the clear while exploring the system. This can happen if encryption must be manually enabled by the user. The simple solution is to always encrypt if it is possible, which is easy to do if key generation and distribution is automatic and transparent to the user, as proposed above. Care must be taken to make decryption on the receiving side transparent as well, to overcome social barriers to the use of encryption [14].

Garfinkel [15] describes opportunistic mail encryption which provides security by default and transparently for the user. We accept his proposal, with some differences: To increase compatibility and acceptance, we do not specify mechanisms dedicated to securing the message header. As explained above, we prefer to store the certificate in DNS rather than including it in the message. This has many advantages, such as secure initial contact, more up-to-date certificates, and being able to piggy-back on DNS security measures to exclude man-in-the-middle attacks, none of which are addressed in [15]. Instead of using a filter that acts as a transparent SMTP/POP3 proxy, we require each MUA to implement encryption itself. This enables deeper integration for a better user experience: In Garfinkel's proposal, mail is encrypted if it is possible, otherwise the mail is sent in the clear. There is no mechanism to ask the user for feedback in this case. In our proposal, the MUA may implement the same simple policy, or ask the user for feedback interactively for more sophisticated use cases. Also, Garfinkel inserts a + character at the beginning of the decoded subject line to indicate an encrypted mail to the MUA. Any reply to such a mail must then also be encrypted, or it will not be sent. In our proposal, the MUA can implement this policy or more sophisticated ones without resorting to such special header tricks.

IV. TUFC/POP

A major usability barrier in public key cryptosystems is the trust model [8], [14]. The goal is to disable spoofing and man-in-the-middle attacks by verifying that a certificate belongs to the entity (person or organization) described by its user ID. While X.509 defers all trust decisions to third party certificate authorities (CA), OpenPGP implementations commonly rely on a decentralized reputation system (web of trust, WoT). Both systems require a significant investment by the user: X.509 asks the user to sink money into the artificial certificate market that provides a dubious return [12], while OpenPGP asks the user harder and harder questions about the trustworthiness of peers away from the center of his personal web of trust [14].

The design space for trust models is constrained not only by technical difficulties, such as scalability to billions of IDs, but must also respect the mental model of the user: only a system that provides a natural mapping from user expectation to the trust model has a chance to find user acceptance. The mental model of the CA system is that of a guiding parent: all trust decisions are deferred to a higher authority. The mental model of the WoT is peer recommendation (friend of a friend). Both systems are context free in the sense that they put a single, final, black or
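As an added example (not code from the paper or from GnuPG), the following Python sketches how the two mechanisms described above fit together: the PKA-style lookup of Sect. II and VI.A, which maps a mail address to a DNS owner name and expects a TXT record carrying the key's fingerprint plus a hint where to fetch the key (the v=pka1 syntax of GnuPG's PKA records), and the TUFC continuity check of Sect. I and IV, in which a changed fingerprint is accepted only if the new certificate is certified by the old key and is flagged otherwise. The zone data, the fingerprints and the `Cert` model are constructed; certification is modelled as the set of signing fingerprints rather than verified cryptographically.

```python
# Added example, not from the paper: PKA-style DNS lookup (Sect. II, VI.A) feeding a
# TUFC key-continuity check with the key-rollover rule of Sect. I; DNS is a constructed dict.
import re
from dataclasses import dataclass
OLD_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed sample fingerprints,
NEW_FPR = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"  # not real keys

def pka_record(fpr, uri):
    """Build a TXT record in the v=pka1 syntax used by GnuPG's PKA lookup."""
    return f"v=pka1;fpr={fpr};uri={uri}"

# Constructed stand-in for the mail provider's DNS zone: owner name -> TXT data.
ZONE = {"alice._pka.example.org": pka_record(OLD_FPR, "https://example.org/keys/alice.asc")}

def pka_name(address):
    """user@domain -> <user>._pka.<domain>: the user/domain split the paper relies on."""
    user, domain = address.strip().lower().rsplit("@", 1)
    return f"{user}._pka.{domain}"

def parse_pka(txt):
    """Return (fingerprint, uri); raise ValueError for anything but a valid pka1 record."""
    fields = dict(kv.split("=", 1) for kv in txt.split(";") if "=" in kv)
    fpr = fields.get("fpr", "").upper()
    if fields.get("v") != "pka1" or not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("malformed PKA record")
    return fpr, fields.get("uri")

@dataclass(frozen=True)
class Cert:
    fpr: str
    certified_by: frozenset  # fingerprints of the keys that signed this certificate

def tufc_check(db, address, cert, zone=ZONE):
    """Classify the certificate presented for `address`; `db` maps a mail address to
    the fingerprint recorded on first contact and is updated in place."""
    txt = zone.get(pka_name(address))
    if txt is None:
        return "no-record"             # nothing published: online validation impossible
    dns_fpr, _uri = parse_pka(txt)
    if dns_fpr != cert.fpr:
        return "conflict"              # presented key is not the one published in DNS
    seen = db.get(address)
    if seen is None:
        db[address] = cert.fpr
        return "first-contact"         # TUFC: remember the key and accept it
    if seen == cert.fpr:
        return "ok"
    if seen in cert.certified_by:      # rollover: new certificate signed by the old key
        db[address] = cert.fpr
        return "rollover"
    return "conflict"                  # silent replacement: flag as a possible attack
```

A real client would resolve the TXT record through a DNSSEC-validating resolver and verify the old key's signature on the new certificate with GnuPG before treating the change as a rollover.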
- A new API for GPG to maintain this database; optionally add the same API to GPGSM.^2
- A new API for GPGME so that applications can make easy use of the database.
- A new value for GPG's --trust-model option to enable the TUFC scheme and a small amount of code to implement this trust model.
- A new GPGME API to create a key in the background if it does not exist.

^2 Or maybe a separate backend can handle this.

D. MUA Changes

MUAs need to interact with the mail providers when setting up a new mail account. This is required to automatically create a new key or assign an existing key to the account. Thus changes to the mail account setup dialogs are required. Due to the mostly unattended operation of our system, a sufficient mechanism is a checkbox to disable key generation and a progress bar running during key generation and until the key has been stored by the mail provider's system. The MUA can notify (by mail) the user as soon as the key is available to the public in the DNS.

The function to display a mail needs to tell GPGME the sender's address and render the message in a way that shows the verification status as told by GPGME. For best user experience this needs to be done asynchronously so that fast scrolling through mails will not need to wait for the verification result.

MUAs further need to implement a configuration option to disable the TUFC system and to use the crypto functions as found today. Another option to allow the use of both systems, thereby assigning different trust values to TUFC and PKI verified messages, is also desirable to get acceptance by the more traditional members of the crypto community.

In case a full PIM service with integrated backup is not in use, the backup feature of the MUA needs to include the keys. If no backup feature exists, at least a regular backup reminder should be displayed by means of an internally generated mail. A simple backup mechanism may be to allow the user to print out the keys on paper, in the form of a hex dump with checksums for manual or OCR input (as produced by paperkey [20]) and in the form of 2-dimensional barcodes such as DataMatrix or QR codes [21].

VI. EXPERT OPTIONS

Although the goal of this system is simplicity, we will only gain acceptance if a few expert options are available:

A. One Key for all Accounts

Compared to the broad user base of mail, only a few users need several mail accounts. Our proposal supports this already by creating one key per mail account. Some users might prefer to use the same key for several accounts. One possible reason for this use case is the use of a smartcard which shall by policy only be used for one certificate. The system should allow for this use case, which needs to be supported by all clients by allowing previously created keys to be configured and deployed with an account. The key element to implement this feature is the indirection expressed by PKA: only the fingerprint of the key is associated with the mail address and not a particular key. In addition a hint is given where to find the key (here this hint is required to be able to retrieve the key without external information). Either a URL or a DNS cert record reference may be used in the PKA record for a primary user ID (aliasing). A primary user ID has the advantage that other mail addresses are more loosely tied together; this has advantages for user ID management.

B. Using a PKI

There are two small communities which are used to their PKI models: OpenPGP users sometimes make heavy use of the WoT whereas hierarchically organized groups demand the use of the PKIX (X.509) trust model. They should be allowed to keep on using their particular trust model. A way to implement this is a configuration switch to change the rendering of TUFC protected messages from green to yellow and use green^3 only for trust achieved by the WoT or PKIX.

^3 Of course, these colors need to be supported by other indicators like different frame styles or background textures as well.

VII. USER INTERFACE

Designing a UI for this is a bit of a challenge. However, over the last years a lot of experience has been collected in the domain of web browsers. We can build upon this.

VIII. CHALLENGES

For a successful deployment of such a system it is of paramount importance that major webmail providers support their users by providing the infrastructure to store key information in the DNS using an automated or semi-automated system. Finding incentives for the providers to implement and support this infrastructure may be difficult.

Although the trust model can provide positive and negative feedback to the user, such feedback is likely to be ignored in the current computing environment due to adverse user conditioning in the past decades [11]. To improve user perception in the long term, the quality of the feedback must improve significantly. In particular, we have to eliminate false negatives. We already explained how false negatives due to certificate renewal can be eliminated by automatic key rollover procedures. We expect that a major source of false negatives comes from user mobility, i.e. the use of multiple accounts and devices. Mobility of personal information across user devices and service providers will increasingly become an urgent problem for a wide range of applications. Any solution to this problem in general can also be applied to mail certificates and the trust contexts of the user.

REFERENCES

[1] J. Linn, "Privacy enhancement for Internet electronic mail: Part I: Message encipherment and authentication procedures," RFC 989, Internet Engineering Task Force, Feb. 1987, obsoleted by RFCs 1040, 1113. [Online]. Available: http://www.ietf.org/rfc/rfc989.txt
[2] P. Zimmermann, "PGP Marks 10th Anniversary," http://www.philzimmermann.com/EN/news/PGP_10thAnniversary.html (retrieved on 28. July 2011).
[3] S. Crocker, N. Freed, J. Galvin, and S. Murphy, "MIME Object Security Services," RFC 1848 (Historic), Internet Engineering Task Force, Oct. 1995. [Online]. Available: http://www.ietf.org/rfc/rfc1848.txt
[4] J. Galvin, S. Murphy, S. Crocker, and N. Freed, "Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted," RFC 1847 (Proposed Standard), Internet Engineering Task Force, Oct. 1995. [Online]. Available: http://www.ietf.org/rfc/rfc1847.txt
[5] J. Callas, L. Donnerhacke, H. Finney, D. Shaw, and R. Thayer, "OpenPGP Message Format," RFC 4880 (Proposed Standard), Internet Engineering Task Force, Nov. 2007, updated by RFC 5581. [Online]. Available: http://www.ietf.org/rfc/rfc4880.txt
[6] B. Ramsdell, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification," RFC 3851 (Proposed Standard), Internet Engineering Task Force, Jul. 2004, obsoleted by RFC 5751. [Online]. Available: http://www.ietf.org/rfc/rfc3851.txt
[7] D. Florencio and C. Herley, "A large-scale study of web password habits," in Proceedings of the 16th International Conference on World Wide Web, ser. WWW '07. New York, NY, USA: ACM, 2007, pp. 657–666. [Online]. Available: http://doi.acm.org/10.1145/1242572.1242661
[8] A. Whitten and J. D. Tygar, "Why Johnny can't encrypt: a usability evaluation of PGP 5.0," in Proceedings of the 8th Conference on USENIX Security Symposium - Volume 8. Berkeley, CA, USA: USENIX Association, 1999, pp. 14–14. [Online]. Available: http://portal.acm.org/citation.cfm?id=1251421.1251435
[9] S. Gaw, E. W. Felten, and P. Fernandez-Kelly, "Secrecy, flagging, and paranoia: adoption criteria in encrypted email," in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ser. CHI '06. New York, NY, USA: ACM, 2006, pp. 591–600. [Online]. Available: http://doi.acm.org/10.1145/1124772.1124862
[10] "The 2010 U.S. Digital Year in Review," White Paper, comScore, Feb. 2011.
[11] P. Gutmann, "Security usability fundamentals," http://www.cs.auckland.ac.nz/pgut001/pubs/usability.pdf (retrieved on 23. August 2011).
[12] P. Gutmann, "PKI: It's not dead, just resting," Computer, vol. 35, pp. 41–49, August 2002. [Online]. Available: http://portal.acm.org/citation.cfm?id=619078.622041
[13] W. Koch, "Public key association," in GUUG Frühjahrsfachgespräche 2006: Proceedings. Köln, Germany: GUUG, 2006, pp. 159–167. [Online]. Available: http://g10code.com/docs/pka-intro.de.pdf
[14] S. L. Garfinkel and R. C. Miller, "Johnny 2: a user test of key continuity management with S/MIME and Outlook Express," in Proceedings of the 2005 Symposium on Usable Privacy and Security, ser. SOUPS '05. New York, NY, USA: ACM, 2005, pp. 13–24. [Online]. Available: http://doi.acm.org/10.1145/1073001.1073003
[15] S. L. Garfinkel, "Enabling email confidentiality through the use of opportunistic encryption," in Proceedings of the 2003 Annual National Conference on Digital Government Research, ser. dg.o '03. Digital Government Society of North America, 2003, pp. 1–4. [Online]. Available: http://portal.acm.org/citation.cfm?id=1123196.1123245
[16] D. Wendlandt, D. Andersen, and A. Perrig, "Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing," in Proc. USENIX Annual Technical Conference, Boston, MA, Jun. 2008.
[17] O. B. Tel, O. Bergman, and R. Boardman, "Personal information management," in Extended Abstracts of the 2004 ACM Conference on Human Factors and Computing Systems. ACM Press, 2004, pp. 1598–1599.
[18] T. Adam and M. Boehm, "When the bazaar sets out to build cathedrals," in Beautiful Architecture, M. Treseler, Ed. O'Reilly Media, 2009, ch. 12, pp. 279–311.
[19] D. Mahoney, "The complete guide to publishing PGP keys in DNS," http://www.gushi.org/make-dns-cert/HOWTO.html (retrieved on 5. July 2011).
[20] D. Shaw, "Paperkey - an OpenPGP key archiver," http://www.jabberwocky.com/software/paperkey/ (retrieved on 30. August 2011).
[21] T. Jost, "HOWTO Backup your GnuPG secret key on paper," http://schnouki.net/2010/03/22/howto-backup-your-gnupg-secret-key-on-paper/ (retrieved on 30. August 2011).
[22] S. Josefsson, "Storing Certificates in the Domain Name System (DNS)," RFC 4398 (Proposed Standard), Internet Engineering Task Force, Mar. 2006. [Online]. Available: http://www.ietf.org/rfc/rfc4398.txt
[23] T. Ylönen, "SSH: secure login connections over the Internet," in Proceedings of the 6th Conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6. Berkeley, CA, USA: USENIX Association, 1996, pp. 4–4. [Online]. Available: http://portal.acm.org/citation.cfm?id=1267569.1267573
[24] F. Stajano and R. J. Anderson, "The resurrecting duckling: Security issues for ad-hoc wireless networks," in Proceedings of the 7th International Workshop on Security Protocols. London, UK: Springer-Verlag, 2000, pp. 172–194. [Online]. Available: http://portal.acm.org/citation.cfm?id=647217.760118
[25] P. Gutmann, "Why Isn't the Internet Secure Yet, Dammit?" in AusCERT Asia Pacific Information Technology Security Conference 2004; Computer Security: Are we there yet? AusCERT, May 2004. [Online]. Available: http://www.cs.auckland.ac.nz/pgut001/pubs/dammit.pdf

Werner Koch is the principal author of GnuPG, Free Software activist, and Business Manager at g10code GmbH. Contact him at wk@g10code.com.

Marcus Brinkmann holds a diploma degree in mathematics from the Ruhr University Bochum and is Software Architect at g10code GmbH. Contact him at mb@g10code.com.