The OpenPGP Standard Jonathan Callas Senior Security Consultant Kroll-O’Gara ISG.

The OpenPGP Standard

Jonathan Callas

Senior Security Consultant

Kroll-O’Gara ISG

Information Security GroupInformation Security Group

Outline

• PGP History

• The OpenPGP Standard

• OpenPGP’s relationship to other Relevant Standards

• The Future

• Note: “PGP” and “Pretty Good Privacy” are trademarks of Network Associates, Inc.


PGP History

• Early History– PGP 1.0 created in 1991– PGP 2.0 introduced original cipher suite (RSA,

IDEA, MD5)– PGP 2.6 created in 1994


PGP History

• Later History– PGP 3 started in 1994-5– PGP Inc. Formed by PRZ after customs

investigation dropped, 1996– PGP 3 released as PGP 5.0 in May 1997


PGP History

• PGP 5.0– New Algorithms

• DSS signatures

• Elgamal public-key encryption

• SHA-1 hashes

• CAST5 (CAST-128), TripleDES symmetric encryption


PGP History

• PGP 5.0– New signature formats– New certificate structure

• Dual-key structure

• Architecture for N-key structure


PGP History

• OpenPGP– Started in the IETF in September 1997– Starts with PGP 5 as a base– Encourages but does not require compatibility

with PGP 2.6– Unencumbered architecture


PGP History

• OpenPGP– Promoted to Proposed Standard in October

1998– RFC 2440– Implementations include

• Network Associates PGP

• Tom Zerucha reference implementation

• GNU Privacy Guard


OpenPGP Message FormatEncrypted SessionKey (one per“recipient”)

Encrypted Data

Signature(Optional)

CompressedData

LiteralData


OpenPGP Message Format (2)Encrypted SessionKey (one per“recipient”)

Encrypted Data

Signature(Optional)

CompressedData

LiteralData


OpenPGP Message Format (3)Encrypted SessionKey (one per“recipient”)

Encrypted Data

Signature(Optional)

CompressedData

LiteralData


OpenPGP Certificates

key

User ID User ID

Signature

Certification

Signature

Signature

Certificate


OpenPGP Dual Key Cert

Signing Key(Typically DSS)

Encryption Key(Typically Elgamal)

Binding signature


OpenPGP Dual Key Cert (2)



Binding signature





Binding signature


Binding signature




Encryption Key(Elgamal)

Binding signature

Signing Key(RSA)

Binding signature

Encryption Key(EC, lives onSmart card)

Binding signature


OpenPGP Trust Model

• OpenPGP doesn’t have a trust model

• OpenPGP can use any trust model

• OpenPGP can support– Direct Trust– Hierarchical Trust– Cumulative Trust


Trust Models

• Direct Trust– I trust your cert because you gave it to me– Very secure trust model (do you trust yourself)– Scales least well– Used in OpenPGP, S/MIME, IPsec, TLS/SSL,

etc.


Trust Models

• Hierarchical Trust– I trust your cert because its issuer has a cert

issued by someone … whom I trust– Least secure trust model

• Damage spreads through tree

• Recovery is difficult


• Hierarchical Trust (continued)– Best scaling, mimics organizations– Used in OpenPGP, S/MIME, IPsec, TLS/SSL,

etc.

Trust Models


Trust Models

• Cumulative Trust (a.k.a. Web of Trust)– I trust your cert because some collection of

people whom I trust issued certifications– Potentially more secure than direct trust– Scales almost as well as HT for intra-

organization


Trust Models

• Cumulative Trust– Handles inter-organization problems

• Company A issues only to full-time employees

• Company B issues to contractors and temps

• A and B’s management issue edict for cross certification

– Addresses “two id” problem• How do you know John Smith(1) is John Smith(2)?


Other Relevant Standards

• So What?

• Why Bother?

• Myths about OpenPGP


So What?

• X.509 is everywhere– OpenPGP is small (code and data)

• Zerucha imp. is 5000 lines of C (sans crypto)

– Suitable for embedded & end-user applications• Used by banks, etc. transparently

– It’s Flexible and Small!– It actually works


Why Bother?

• S/MIME will take over– PGP has years of deployment

• 90%? Traffic is some PGP.

– PGP is only strong crypto• S/MIME 3 is much better

• Outside the US, there is distrust

• Can you see the source?

– Cisco: Secure email is PGP’s to lose


Myths

• It’s email only– It’s for any “object”

• It requires the web of trust– Can use any trust model– Businesses use PGP with hierarchies today

• It’s proprietary– IETF Standard


Present Into The Future

• Ultimately, data formats are less important than you’d think

• On desktops, size matters less– But small systems will be with us always

• Description of the OpenPGP philosophy– PGP implemented in X.509– Certification Process


OpenPGP Philosophy

• Everyone is potentially a CA– This is going to happen whether you like or not.

• Everyone has different policies– Wait until you do inter-business PKI

• One size will not fit all– Validity is in the eye of the beholder– Trust comes from below


Potential PGP/X.509 merger

• Ideas of PGP

• Syntax of X.509

• Disclaimer– This doesn’t exist– It’s all still experimental


X.509 Certificate

User Information(DN & Stuff)

Public Key

Signature binds Key and Information


PGP in X.509 Drag

Key 1

User 1

Signature 1

Key 1

User 1

Signature 2

Key 1

User 2

Signature 3


PGP Certification Process

User

PGP CertificateServer Pending

Area

PGP CA

PGPCert



User


Area

PGP CAPGPCert



User


Area

PGP CA

PGPCert


X.509 Certification Process

User

CAServer

CAPKCS10

Cert Request



User

CAServer

CA

PKCS10Cert Request



User

CAServer

CA

PKCS10Cert Request

X.509Certificate



User

CAServer

CAX.509Certificate


Certifying PGP with X.509 CA

User

CAServer

CA

PKCS10Cert Request

PGPCert

X.509Certificate

Key


Starting a PGP cert from X.509

User

PGPCert

X.509Certificate

Key


Summary

• OpenPGP is an IETF standard– Certificates– “Objects”

• It’s lightweight and flexible

• Interesting work is being done for the future

The OpenPGP Standard Jonathan Callas Senior Security Consultant Kroll-O’Gara ISG.

Documents

Transcript of The OpenPGP Standard Jonathan Callas Senior Security Consultant Kroll-O’Gara ISG.