The OpenPGP Standard Jonathan Callas Senior Security Consultant Kroll-O’Gara ISG
Outline PGP History The OpenPGP Standard OpenPGP’s relationship to other Relevant Standards The Future Note: “PGP” and “Pretty Good Privacy” are trademarks of Network Associates, Inc.
PGP History Early History –PGP 1.0 created in 1991 –PGP 2.0 introduced original cipher suite (RSA, IDEA, MD5) –PGP 2.6 created in 1994
PGP History Later History –PGP 3 started in –PGP Inc. Formed by PRZ after customs investigation dropped, 1996 –PGP 3 released as PGP 5.0 in May 1997
PGP History PGP 5.0 –New Algorithms DSS signatures Elgamal public-key encryption SHA-1 hashes CAST5 (CAST-128), TripleDES symmetric encryption
PGP History PGP 5.0 –New signature formats –New certificate structure Dual-key structure Architecture for N-key structure
PGP History OpenPGP –Started in the IETF in September 1997 –Starts with PGP 5 as a base –Encourages but does not require compatibility with PGP 2.6 –Unencumbered architecture
PGP History OpenPGP –Promoted to Proposed Standard in October 1998 –RFC 2440 –Implementations include Network Associates PGP Tom Zerucha reference implementation GNU Privacy Guard
OpenPGP Message Format Encrypted Session Key (one per “recipient”) Encrypted Data Signature (Optional) Compressed Data Literal Data
OpenPGP Message Format (2) Encrypted Session Key (one per “recipient”) Encrypted Data Signature (Optional) Compressed Data Literal Data
OpenPGP Message Format (3) Encrypted Session Key (one per “recipient”) Encrypted Data Signature (Optional) Compressed Data Literal Data
OpenPGP Certificates key User ID Signature Certification Signature Certificate
OpenPGP Dual Key Cert Signing Key (Typically DSS) Encryption Key (Typically Elgamal) Binding signature
OpenPGP Dual Key Cert (2) Signing Key (Typically DSS) Encryption Key (Typically Elgamal) Binding signature
OpenPGP Dual Key Cert (3) Signing Key (Typically DSS) Encryption Key (Typically Elgamal) Binding signature Encryption Key (Typically Elgamal) Binding signature
OpenPGP Dual Key Cert (4) Signing Key (Typically DSS) Encryption Key (Elgamal) Binding signature Signing Key (RSA) Binding signature Encryption Key (EC, lives on Smart card) Binding signature
OpenPGP Trust Model OpenPGP doesn’t have a trust model OpenPGP can use any trust model OpenPGP can support –Direct Trust –Hierarchical Trust –Cumulative Trust
Trust Models Direct Trust –I trust your cert because you gave it to me –Very secure trust model (do you trust yourself) –Scales least well –Used in OpenPGP, S/MIME, IPsec, TLS/SSL, etc.
Trust Models Hierarchical Trust –I trust your cert because its issuer has a cert issued by someone … whom I trust –Least secure trust model Damage spreads through tree Recovery is difficult
Hierarchical Trust (continued) –Best scaling, mimics organizations –Used in OpenPGP, S/MIME, IPsec, TLS/SSL, etc. Trust Models
Cumulative Trust (a.k.a. Web of Trust) –I trust your cert because some collection of people whom I trust issued certifications –Potentially more secure than direct trust –Scales almost as well as HT for intra- organization
Trust Models Cumulative Trust –Handles inter-organization problems Company A issues only to full-time employees Company B issues to contractors and temps A and B’s management issue edict for cross certification –Addresses “two id” problem How do you know John Smith(1) is John Smith(2)?
Other Relevant Standards So What? Why Bother? Myths about OpenPGP
So What? X.509 is everywhere –OpenPGP is small (code and data) Zerucha imp. is 5000 lines of C (sans crypto) –Suitable for embedded & end-user applications Used by banks, etc. transparently –It’s Flexible and Small! –It actually works
Why Bother? S/MIME will take over –PGP has years of deployment 90%? Traffic is some PGP. –PGP is only strong crypto S/MIME 3 is much better Outside the US, there is distrust Can you see the source? –Cisco: Secure is PGP’s to lose
Myths It’s only –It’s for any “object” It requires the web of trust –Can use any trust model –Businesses use PGP with hierarchies today It’s proprietary –IETF Standard
Present Into The Future Ultimately, data formats are less important than you’d think On desktops, size matters less –But small systems will be with us always Description of the OpenPGP philosophy –PGP implemented in X.509 –Certification Process
OpenPGP Philosophy Everyone is potentially a CA –This is going to happen whether you like or not. Everyone has different policies –Wait until you do inter-business PKI One size will not fit all –Validity is in the eye of the beholder –Trust comes from below
Potential PGP/X.509 merger Ideas of PGP Syntax of X.509 Disclaimer –This doesn’t exist –It’s all still experimental
X.509 Certificate User Information (DN & Stuff) Public Key Signature binds Key and Information
PGP in X.509 Drag Key 1 User 1 Signature 1 Key 1 User 1 Signature 2 Key 1 User 2 Signature 3
PGP Certification Process User PGP Certificate Server Pending Area PGP CA PGP Cert
PGP Certification Process User PGP Certificate Server Pending Area PGP CA PGP Cert
PGP Certification Process User PGP Certificate Server Pending Area PGP CA PGP Cert
PGP Certification Process User PGP Certificate Server Pending Area PGP CA PGP Cert
PGP Certification Process User PGP Certificate Server Pending Area PGP CA PGP Cert
X.509 Certification Process User CA Server CA PKCS10 Cert Request
X.509 Certification Process User CA Server CA PKCS10 Cert Request
X.509 Certification Process User CA Server CA PKCS10 Cert Request X.509 Certificate
X.509 Certification Process User CA Server CA X.509 Certificate
Certifying PGP with X.509 CA User CA Server CA PKCS10 Cert Request PGP Cert X.509 Certificate Key
Starting a PGP cert from X.509 User PGP Cert X.509 Certificate Key
Summary OpenPGP is an IETF standard –Certificates –“Objects” It’s lightweight and flexible Interesting work is being done for the future