Cryptography Reference
In-Depth Information
ElGamal, and
1536R
means a 1536-bit key for RSA. The date of creation as well as
the name (e-mail address) of the owner is provided.
PGP makes extensive usage of checksums and cryptographic digests so that bad
pass phrases or modified files are easily detected.
12.4.2 Public-Key Management
A user can create his asymmetric keys. He just needs to select the algorithm and key
size, and to provide enough randomness for PGP to generate it in a random way. For this,
PGP analyzes key strokes on the keyboard (people calls this an “entropy collector”) and
makes random bits from time intervals between key strokes by using a pseudorandom
generator. Once an asymmetric key pair is created, the secret part is encrypted with
a symmetric key which is derived from a pass phrase. Both the public key and the
encrypted secret key are stored in the corresponding key ring.
PGP provides commands in order to manage key rings: extracting, adding, chang-
ing keys, etc. Those commands are as secure and user friendly as possible.
When a user is given a public key from another one, he can insert it in his key
ring. At the same time, he determines the level of trust he can attribute to the validity
of that key. For instance, if the key was given hand to hand, he can fairly trust that the
key is valid. If the key was taken from a Web site through insecure connection, he may
give a low confidence to the validity. Additionally, the public key can be certified by
a third party that the user trusts, or partially trusts. The
trust path
can of course have
more than one intermediate parties. There can be several trust paths to the public key.
The public key can be inserted in the key ring with this extra kind of certificate. The
user must therefore permanently manage keys with different trust levels and be aware
of potential weak trusts.
PGP users have defined the notion of web of trust in which keys are vertices and
oriented edges means that one key certified the other one. Trust paths are simply paths
in this graph. The shorter the paths the higher the trust confidence.
12.4.3
Security Weaknesses
Since PGP was made in order to be fully controlled by the user, security issues occur
when it is not well used. For this a minimal education on cryptography is required in
order to securely use it. People must be educated on how to choose and use a pass
phrase, on what a key size means, on how the public-key management works, and on
how sensitive a key ring can be.
Among one of the weakest point, the key infrastructure heavily relies on trust. The
authentication of public keys is not controlled by any central authority (PGP was made
Search WWH ::
Custom Search