In his online magazine Cryptogram, Schneier referred to them as a failure. You
can find more details in [Schmeh].
Potential for Fraud
The server hierarchy guarantees by construction that a third party's public key
can always be checked: every certificate is signed by a server whose own
certificate is in turn signed by the next server up, all the way to the root.
This is a clear advantage over the Web of Trust of PGP. The check is easy to
implement, and certificates can be stored in easily accessible databases.
Mallory cannot mount a man-in-the-middle attack as long as he can neither forge
digital signatures nor compromise servers.
Another advantage over PGP is that it supports key revocation. This is not as
simple as it sounds, though: the validity of every newly received certificate
has to be checked. To this end, a remote or local database of revoked
certificates (a certificate revocation list) is queried. This database could
itself be compromised, and a client that cannot reach it has to decide whether
to accept the certificate unchecked or to reject it. Even so, key revocation in
the PEM protocol is more secure than within the Web of Trust.
A theoretical weakness of the server hierarchy is that it can itself be
compromised. For example, Kurt could be working for a national intelligence
agency and have sold it his private key. The agency intercepts Bob's
certificate and sends, in its place, a certificate for a different key, signed
by EgonII, who in reality is a computer inside the agency. EgonII and Kurt
appear to certify each other. Since the agency knows Kurt's private key, it can
do this even without Kurt knowing about it. The agency can then intercept mail
exchanged between Alice and Bob, decrypt it, and re-encrypt it before
forwarding it to whomever it likes.
Helmut's signature cannot prevent this fraud either, since to the outside
nothing about Kurt has changed: his public key remains the same; only his
signatures are 'reconstructed' by the agency.
To put it in black and white: PEM is meant to protect its users from private
attackers, while PGP is meant to protect them from governments and national
intelligence agencies. More specifically:
PEM relies entirely on the integrity of the server hierarchy, and given that
integrity it reliably excludes the usual man-in-the-middle attack. On the other
hand, fraud becomes possible once a server is compromised. Furthermore, PEM
requires continual access to the network.
PGP cannot reliably exclude a man-in-the-middle attack, but it can do so with
rather high probability, because compromising one computer within the