
How PGP works

The following text is taken from chapter 1 of the document Introduction to Cryptography in the PGP 6.5.1 documentation. Copyright 1990-1999 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved. Converted from PDF to HTML at http://access.adobe.com/ and then manually edited by hand.
The Basics of Cryptography
Encryption and decryption
What is cryptography?
Strong cryptography
How does cryptography work?
Conventional cryptography
Caesar's Cipher
Key management and conventional encryption
Public key cryptography
How PGP works
Keys
Digital signatures
Hash functions
Digital certificates
Certificate distribution
Certificate formats
Validity and trust
Checking validity
Establishing trust
Trust models
Certificate Revocation
Communicating that a certificate has been revoked
What is a passphrase?
Key splitting

The Basics of Cryptography
When Julius Caesar sent messages to his generals, he didn't trust his messengers. So he replaced every A in his messages with a D, every B with an E, and so on through the alphabet. Only someone who knew the "shift by 3" rule could decipher his messages.
And so we begin.

Encryption and decryption
Data that can be read and understood without any special measures is called plaintext or cleartext. The method of disguising plaintext in such a way as to hide its substance is called encryption. Encrypting plaintext results in unreadable gibberish called ciphertext. You use encryption to ensure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data. The process of reverting ciphertext to its original plaintext is called decryption. Figure 1-1 illustrates this process.

Figure 1-1. Encryption and decryption

What is cryptography?
Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient.
While cryptography is the science of securing data, cryptanalysis is the science of analyzing and breaking secure communication. Classical cryptanalysis involves an interesting combination of analytical reasoning, application of mathematical tools, pattern finding, patience, determination, and luck. Cryptanalysts are also called attackers.
Cryptology embraces both cryptography and cryptanalysis.

Strong cryptography
"There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter."
Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C.
PGP is also about the latter sort of cryptography. Cryptography can be strong or weak, as explained above. Cryptographic strength is measured in the time and resources it would require to recover the plaintext. The result of strong cryptography is ciphertext that is very difficult to decipher without possession of the appropriate decoding tool. How difficult? Given all of today's computing power and available time (even a billion computers doing a billion checks a second) it is not possible to decipher the result of strong cryptography before the end of the universe.
One would think, then, that strong cryptography would hold up rather well against even an extremely determined cryptanalyst. Who's really to say? No one has proven that the strongest encryption obtainable today will hold up under tomorrow's computing power. However, the strong cryptography employed by PGP is the best available today. Vigilance and conservatism will protect you better, however, than claims of impenetrability.

How does cryptography work?
A cryptographic algorithm, or cipher, is a mathematical function used in the encryption and decryption process. A cryptographic algorithm works in combination with a key (a word, number, or phrase) to encrypt the plaintext. The same plaintext encrypts to different ciphertext with different keys. The security of encrypted data is entirely dependent on two things: the strength of the cryptographic algorithm and the secrecy of the key.
A cryptographic algorithm, plus all possible keys and all the protocols that make it work comprise a cryptosystem. PGP is a cryptosystem.

Conventional cryptography
In conventional cryptography, also called secret-key or symmetric-key encryption, one key is used both for encryption and decryption. The Data Encryption Standard (DES) is an example of a conventional cryptosystem that is widely employed by the Federal Government. Figure 1-2 is an illustration of the conventional encryption process.

Figure 1-2. Conventional encryption

Caesar's Cipher
An extremely simple example of conventional cryptography is a substitution cipher. A substitution cipher substitutes one piece of information for another. This is most frequently done by offsetting letters of the alphabet. Two examples are Captain Midnight's Secret Decoder Ring, which you may have owned when you were a kid, and Julius Caesar's cipher. In both cases, the algorithm is to offset the alphabet and the key is the number of characters to offset it.
For example, if we encode the word "SECRET" using Caesar's key value of 3, we offset the alphabet so that the 3rd letter down (D) begins the alphabet.
So starting with
ABCDEFGHIJKLMNOPQRSTUVWXYZ
and sliding everything up by 3, you get
DEFGHIJKLMNOPQRSTUVWXYZABC
where D=A, E=B, F=C, and so on.
Using this scheme, the plaintext "SECRET" encrypts as "VHFUHW." To allow someone else to read the ciphertext, you tell them that the key is 3.
Obviously, this is exceedingly weak cryptography by today's standards, but hey, it worked for Caesar, and it illustrates how conventional cryptography works.
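As an added example (not from the PGP documentation), the shift cipher above as a short Python program: one routine both encrypts and decrypts, since decryption is the same algorithm with the opposite shift, and a third routine tries every possible key, which shows concretely why the text calls a 26-value key space exceedingly weak.

```python
# Added example: Caesar's shift cipher as described in the text, not PGP's own code.
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter `key` places along the alphabet (wrapping around).
    Non-letters pass through unchanged; input is upper-cased first."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Same algorithm, same key, opposite direction: conventional (symmetric) encryption."""
    return caesar_encrypt(ciphertext, -key)


def key_space_search(ciphertext: str) -> dict:
    """The key is one of only 26 values, so someone without the key can simply
    decrypt under every candidate and pick the one that reads as text. Returns
    every candidate plaintext keyed by the shift that produced it."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    ct = caesar_encrypt("SECRET", 3)
    print(ct)                      # VHFUHW
    print(caesar_decrypt(ct, 3))   # SECRET
    for k, candidate in key_space_search(ct).items():
        print(f"key {k:2d}: {candidate}")
```

The security of the scheme rests entirely on the key, as the text says, and here the key carries fewer than five bits; that is the whole weakness.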

Key management and conventional encryption
Conventional encryption has benefits. It is very fast. It is especially useful for encrypting data that is not going anywhere. However, conventional encryption alone as a means for transmitting secure data can be quite expensive simply due to the difficulty of secure key distribution.
Recall a character from your favorite spy movie: the person with a locked briefcase handcuffed to his or her wrist. What is in the briefcase, anyway? It's probably not the missile launch code/biotoxin formula/invasion plan itself. It's the key that will decrypt the secret data.
For a sender and recipient to communicate securely using conventional encryption, they must agree upon a key and keep it secret between themselves. If they are in different physical locations, they must trust a courier, the Bat Phone, or some other secure communication medium to prevent the disclosure of the secret key during transmission. Anyone who overhears or intercepts the key in transit can later read, modify, and forge all information encrypted or authenticated with that key. From DES to Captain Midnight's Secret Decoder Ring, the persistent problem with conventional encryption is key distribution: how do you get the key to the recipient without someone intercepting it?

Public key cryptography
The problems of key distribution are solved by public key cryptography, the concept of which was introduced by Whitfield Diffie and Martin Hellman in 1975. (There is now evidence that the British Secret Service invented it a few years before Diffie and Hellman, but kept it a military secret and did nothing with it. [J H Ellis: The Possibility of Secure Non-Secret Digital Encryption, CESG Report, January 1970])
Public key cryptography is an asymmetric scheme that uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private, or secret key for decryption. You publish your public key to the world while keeping your private key secret. Anyone with a copy of your public key can then encrypt information that only you can read. Even people you have never met.
It is computationally infeasible to deduce the private key from the public key. Anyone who has a public key can encrypt information but cannot decrypt it. Only the person who has the corresponding private key can decrypt the information.

Figure 1-3. Public key encryption
The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. Some examples of public-key cryptosystems are Elgamal (named for its inventor, Taher Elgamal), RSA (named for its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman), Diffie-Hellman (named, you guessed it, for its inventors), and DSA, the Digital Signature Algorithm (invented by David Kravitz).
Because conventional cryptography was once the only available means for relaying secret information, the expense of secure channels and key distribution relegated its use only to those who could afford it, such as governments and large banks (or small children with secret decoder rings). Public key encryption is the technological revolution that provides strong cryptography to the adult masses. Remember the courier with the locked briefcase handcuffed to his wrist? Public-key encryption puts him out of business (probably to his relief).

How PGP works
PGP combines some of the best features of both conventional and public key cryptography. PGP is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. Most cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. Compression reduces these patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis. (Files that are too short to compress or which don't compress well aren't compressed.)
PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.

Figure 1-4. How PGP encryption works
Decryption works in the reverse. The recipient's copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext.

Figure 1-5. How PGP decryption works
The combination of the two encryption methods combines the convenience of public key encryption with the speed of conventional encryption. Conventional encryption is about 1,000 times faster than public key encryption. Public key encryption in turn provides a solution to key distribution and data transmission issues. Used together, performance and key distribution are improved without any sacrifice in security.
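As an added example (not PGP's code), the four steps of Figure 1-4 and their reversal in Figure 1-5, in miniature Python. Compression is skipped when it would not shrink the data, as the text notes. Two stand-ins are assumed: the "fast conventional algorithm" is a keystream of HMAC-SHA256 blocks in counter mode rather than CAST, IDEA or Triple-DES, and the public-key operation is textbook RSA on two fixed Mersenne primes rather than a generated RSA or DH key; the resulting modulus is far too small to be secure and exists only to show the mechanics.

```python
# Added example of the hybrid (session-key) flow described in the text; not PGP's code.
import hashlib
import hmac
import os
import struct
import zlib

# Toy RSA key pair built from two fixed Mersenne primes (assumed values, far too small
# to be secure; PGP would use a freshly generated RSA or DH key of 1024 bits or more).
_P, _Q = 2**89 - 1, 2**107 - 1
PUBLIC_KEY = (65537, _P * _Q)                                   # (e, n)
PRIVATE_KEY = (pow(65537, -1, (_P - 1) * (_Q - 1)), _P * _Q)   # (d, n)
SESSION_KEY_BYTES = 16                                         # 128-bit one-time key
WRAPPED_KEY_BYTES = (PUBLIC_KEY[1].bit_length() + 7) // 8      # 25 bytes for this n


def symmetric_crypt(session_key: bytes, data: bytes) -> bytes:
    """Fast conventional-cipher stand-in: XOR the data with a keystream made of
    HMAC-SHA256(session_key, counter) blocks. XOR is its own inverse, so the same
    call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = struct.pack(">Q", offset // 32)
        stream = hmac.new(session_key, counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


def pgp_style_encrypt(plaintext: bytes, recipient_public_key) -> bytes:
    e, n = recipient_public_key
    # 1. Compress, but only when that actually helps; input that is too short or
    #    incompressible is kept as-is. One flag byte records the choice.
    packed = zlib.compress(plaintext)
    if len(packed) < len(plaintext):
        flag, body = b"\x01", packed
    else:
        flag, body = b"\x00", plaintext
    # 2. Fresh one-time session key. PGP gathers entropy from mouse movement and
    #    keystrokes; the operating system's random source stands in here.
    session_key = os.urandom(SESSION_KEY_BYTES)
    # 3. Conventional encryption of the (possibly compressed) data under that key.
    ciphertext = symmetric_crypt(session_key, flag + body)
    # 4. Encrypt the session key to the recipient's public key; ship both together.
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped.to_bytes(WRAPPED_KEY_BYTES, "big") + ciphertext


def pgp_style_decrypt(message: bytes, recipient_private_key) -> bytes:
    d, n = recipient_private_key
    wrapped, ciphertext = message[:WRAPPED_KEY_BYTES], message[WRAPPED_KEY_BYTES:]
    # Reverse order: the private key recovers the session key, the session key
    # recovers the data, and the flag byte says whether to decompress.
    session_key = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(SESSION_KEY_BYTES, "big")
    plain = symmetric_crypt(session_key, ciphertext)
    flag, body = plain[:1], plain[1:]
    return zlib.decompress(body) if flag == b"\x01" else body


if __name__ == "__main__":
    msg = b"The same plaintext encrypts to different ciphertext with different keys. " * 4
    packet = pgp_style_encrypt(msg, PUBLIC_KEY)
    print(len(msg), "plaintext bytes ->", len(packet), "bytes on the wire")
    print(pgp_style_decrypt(packet, PRIVATE_KEY) == msg)
```

Because a new session key is drawn for every message, encrypting the same plaintext twice yields two unrelated packets, and only the 25-byte wrapped key ever touches the slow public-key operation; the bulk of the data goes through the fast symmetric step, which is the speed argument the text makes.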

Keys
A key is a value that works with a cryptographic algorithm to produce a specific ciphertext. Keys are basically really, really, really big numbers. Key size is measured in bits; the number representing a 1024-bit key is darn huge. In public key cryptography, the bigger the key, the more secure the ciphertext.
However, public key size and conventional cryptography's secret key size are totally unrelated. A conventional 80-bit key has the equivalent strength of a 1024-bit public key. A conventional 128-bit key is equivalent to a 3000-bit public key. Again, the bigger the key, the more secure, but the algorithms used for each type of cryptography are very different and thus comparison is like that of apples to oranges.
While the public and private keys are mathematically related, it's very difficult to derive the private key given only the public key; however, deriving the private key is always possible given enough time and computing power. This makes it very important to pick keys of the right size: large enough to be secure, but small enough to be applied fairly quickly. Additionally, you need to consider who might be trying to read your files, how determined they are, how much time they have, and what their resources might be.
Larger keys will be cryptographically secure for a longer period of time. If what you want to encrypt needs to be hidden for many years, you might want to use a very large key. Of course, who knows how long it will take to determine your key using tomorrow's faster, more efficient computers? There was a time when a 56-bit symmetric key was considered extremely safe.
Keys are stored in encrypted form. PGP stores the keys in two files on your hard disk; one for public keys and one for private keys. These files are called keyrings. As you use PGP, you will typically add the public keys of your recipients to your public keyring. Your private keys are stored on your private keyring. If you lose your private keyring, you will be unable to decrypt any information encrypted to keys on that ring.

Digital signatures
A major benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact. Thus, public key digital signatures provide authentication and data integrity. A digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information. These features are every bit as fundamental to cryptography as privacy, if not more.
A digital signature serves the same purpose as a handwritten signature. However, a handwritten signature is easy to counterfeit. A digital signature is superior to a handwritten signature in that it is nearly impossible to counterfeit, plus it attests to the contents of the information as well as to the identity of the signer.
Some people tend to use signatures more than they use encryption. For example, you may not care if anyone knows that you just deposited $1000 in your account, but you do want to be darn sure it was the bank teller you were dealing with.
The basic manner in which digital signatures are created is illustrated in Figure 1-6. Instead of encrypting information using someone else's public key, you encrypt it with your private key. If the information can be decrypted with your public key, then it must have originated with you.

Figure 1-6. Simple digital signatures

Hash functions
The system described above has some problems. It is slow, and it produces an enormous volume of data; at least double the size of the original information. An improvement on the above scheme is the addition of a one-way hash function in the process. A one-way hash function takes variable-length input (in this case, a message of any length, even thousands or millions of bits) and produces a fixed-length output; say, 160 bits. The hash function ensures that, if the information is changed in any way (even by just one bit) an entirely different output value is produced.
PGP uses a cryptographically strong hash function on the plaintext the user is signing. This generates a fixed-length data item known as a message digest. (Again, any change to the information results in a totally different digest.)
Then PGP uses the digest and the private key to create the "signature." PGP transmits the signature and the plaintext together. Upon receipt of the message, the recipient uses PGP to recompute the digest, thus verifying the signature. PGP can encrypt the plaintext or not; signing plaintext is useful if some of the recipients are not interested in or capable of verifying the signature.
As long as a secure hash function is used, there is no way to take someone's signature from one document and attach it to another, or to alter a signed message in any way. The slightest change in a signed document will cause the digital signature verification process to fail.

Figure 1-7. Secure digital signatures
Digital signatures play a major role in authenticating and validating other PGP users' keys.
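As an added example (not PGP's code), the two signature schemes of Figures 1-6 and 1-7 side by side in Python: the naive scheme applies the private-key operation to every block of the message and produces output larger than the message itself, while the hash-based scheme signs only a fixed-length digest, and a one-bit change to the message (or a signature moved to another document) fails verification. The key pair is textbook RSA on two fixed Mersenne primes, an assumed toy value that is not secure and not how PGP generates keys; the hash is SHA-256 from hashlib, whose 256-bit output differs from the 160-bit figure in the text.

```python
# Added example: naive "encrypt with the private key" signature versus hash-then-sign.
# Not PGP's code; the RSA key below is a fixed toy value, not a secure one.
import hashlib

# Toy RSA key from two fixed Mersenne primes (assumed values). The modulus is chosen
# large enough that a 64-byte message block and a 32-byte digest both fit under n.
_P, _Q = 2**127 - 1, 2**521 - 1
N = _P * _Q
PUBLIC_KEY = (65537, N)
PRIVATE_KEY = (pow(65537, -1, (_P - 1) * (_Q - 1)), N)
BLOCK = 64                                 # message bytes per private-key operation
SIG_BLOCK = (N.bit_length() + 7) // 8      # signature bytes per operation (81 here)


def naive_sign(message: bytes, private_key) -> bytes:
    """Figure 1-6: run the private-key operation over every block of the message.
    The output is larger than the message, and the message itself must still be
    sent alongside it, so the total is more than double the original size."""
    d, n = private_key
    sig = b""
    for i in range(0, len(message), BLOCK):
        chunk = int.from_bytes(message[i:i + BLOCK], "big")
        sig += pow(chunk, d, n).to_bytes(SIG_BLOCK, "big")
    return sig


def naive_verify(message: bytes, sig: bytes, public_key) -> bool:
    """Undo each signature block with the public key and compare it to the
    corresponding message block."""
    e, n = public_key
    chunks = [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]
    blocks = [sig[i:i + SIG_BLOCK] for i in range(0, len(sig), SIG_BLOCK)]
    if len(chunks) != len(blocks):
        return False
    return all(pow(int.from_bytes(b, "big"), e, n) == int.from_bytes(c, "big")
               for c, b in zip(chunks, blocks))


def digest(message: bytes) -> bytes:
    """One-way hash: any length in, 256 bits out. (The text's 160-bit figure
    corresponds to SHA-1, which is no longer considered collision-resistant.)"""
    return hashlib.sha256(message).digest()


def hash_sign(message: bytes, private_key) -> bytes:
    """Figure 1-7: hash first, then apply the private key to the fixed-length digest.
    One operation and one 81-byte signature regardless of message length."""
    d, n = private_key
    return pow(int.from_bytes(digest(message), "big"), d, n).to_bytes(SIG_BLOCK, "big")


def hash_verify(message: bytes, sig: bytes, public_key) -> bool:
    """Recompute the digest of the received message and compare it with the value
    the public key recovers from the signature. Any change to the message, or a
    signature lifted from a different document, fails this comparison."""
    e, n = public_key
    return pow(int.from_bytes(sig, "big"), e, n) == int.from_bytes(digest(message), "big")


if __name__ == "__main__":
    msg = b"Deposit $1000 to the account ending in 42"
    sig = hash_sign(msg, PRIVATE_KEY)
    print("hash-based signature:", len(sig), "bytes, verifies:", hash_verify(msg, sig, PUBLIC_KEY))
    print("naive signature:", len(naive_sign(msg, PRIVATE_KEY)), "bytes for a", len(msg), "byte message")
```

The verifier never needs the private key: it recomputes the digest from the received plaintext and checks it against what the public key unlocks, which is exactly the flow of Figure 1-7.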

Digital certificates
One issue with public key cryptosystems is that users must be constantly vigilant to ensure that they are encrypting to the correct person's key. In an environment where it is safe to freely exchange keys via public servers, man-in-the-middle attacks are a potential threat. In this type of attack, someone posts a phony key with the name and user ID of the user's intended recipient. Data encrypted to (and intercepted by) the true owner of this bogus key is now in the wrong hands.
In a public key environment, it is vital that you are assured that the public key to which you are encrypting data is in fact the public key of the intended recipient and not a forgery. You could simply encrypt only to those keys which have been physically handed to you. But suppose you need to exchange information with people you have never met; how can you tell that you have the correct key?
Digital certificates, or certs, simplify the task of establishing whether a public key truly belongs to the purported owner.
A certificate is a form of credential. Examples might be your driver's license, your social security card, or your birth certificate. Each of these has some information on it identifying you and some authorization stating that someone else has confirmed your identity. Some certificates, such as your passport, are important enough confirmation of your identity that you would not want to lose them, lest someone use them to impersonate you.
A digital certificate is data that functions much like a physical certificate. A digital certificate is information included with a person's public key that helps others verify that a key is genuine or valid. Digital certificates are used to thwart attempts to substitute one person's key for another.
A digital certificate consists of three things:
- A public key.
- Certificate information. ("Identity" information about the user, such as name, user ID, and so on.)
- One or more digital signatures.
The purpose of the digital signature on a certificate is to state that the certificate information has been attested to by some other person or entity. The digital signature does not attest to the authenticity of the certificate as a whole; it vouches only that the signed identity information goes along with, or is bound to, the public key.
Thus, a certificate is basically a public key with one or two forms of ID attached, plus a hearty stamp of approval from some other trusted individual.

Figure 1-8. Anatomy of a PGP certificate

Certificate distribution
Certificates are utilized when it's necessary to exchange public keys with someone else. For small groups of people who wish to communicate securely, it is easy to manually exchange diskettes or emails containing each owner's public key. This is manual public key distribution, and it is practical only to a certain point. Beyond that point, it is necessary to put systems into place that can provide the necessary security, storage, and exchange mechanisms so coworkers, business partners, or strangers could communicate if need be. These can come in the form of storage-only repositories called Certificate Servers, or more structured systems that provide additional key management features and are called Public Key Infrastructures (PKIs).
Certificate servers
A certificate server, also called a cert server or a key server, is a database that allows users to submit and retrieve digital certificates. A cert server usually provides some administrative features that enable a company to maintain its security policies; for example, allowing only those keys that meet certain requirements to be stored.
Public Key Infrastructures
A PKI contains the certificate storage facilities of a certificate server, but also provides certificate management facilities (the ability to issue, revoke, store, retrieve, and trust certificates). The main feature of a PKI is the introduction of what is known as a Certification Authority, or CA, which is a human entity (a person, group, department, company, or other association) that an organization has authorized to issue certificates to its computer users. (A CA's role is analogous to a country's government's Passport Office.) A CA creates certificates and digitally signs them using the CA's private key. Because of its role in creating certificates, the CA is the central component of a PKI. Using the CA's public key, anyone wanting to verify a certificate's authenticity verifies the issuing CA's digital signature, and hence, the integrity of the contents of the certificate (most importantly, the public key and the identity of the certificate holder).

Certificate formats
A digital certificate is basically a collection of identifying information bound together with a public key and signed by a trusted third party to prove its authenticity. A digital certificate can be one of a number of different formats.
PGP recognizes two different certificate formats:
- PGP certificates
- X.509 certificates
PGP certificate format
A PGP certificate includes (but is not limited to) the following information:
- The PGP version number: this identifies which version of PGP was used to create the key associated with the certificate.
- The certificate holder's public key: the public portion of your key pair, together with the algorithm of the key: RSA, DH (Diffie-Hellman), or DSA (Digital Signature Algorithm).
- The certificate holder's information: this consists of "identity" information about the user, such as his or her name, user ID, photograph, and so on.
- The digital signature of the certificate owner: also called a self-signature, this is the signature using the corresponding private key of the public key associated with the certificate.
- The certificate's validity period: the certificate's start date/time and expiration date/time; indicates when the certificate will expire.
- The preferred symmetric encryption algorithm for the key: indicates the encryption algorithm to which the certificate owner prefers to have information encrypted. The supported algorithms are CAST, IDEA or Triple-DES.
You might think of a PGP certificate as a public key with one or more labels tied to it (see Figure 1-9). On these 'labels' you'll find information identifying the owner of the key and a signature of the key's owner, which states that the key and the identification go together. (This particular signature is called a self-signature; every PGP certificate contains a self-signature.)
One unique aspect of the PGP certificate format is that a single certificate can contain multiple signatures. Several or many people may sign the key/identification pair to attest to their own assurance that the public key definitely belongs to the specified owner. If you look on a public certificate server, you may notice that certain certificates, such as that of PGP's creator, Phil Zimmermann, contain many signatures.
Some PGP certificates consist of a public key with several labels, each of which contains a different means of identifying the key's owner (for example, the owner's name and corporate email account, the owner's nickname and home email account, a photograph of the owner; all in one certificate). The list of signatures of each of those identities may differ; signatures attest to the authenticity that one of the labels belongs to the public key, not that all the labels on the key are authentic. (Note that 'authentic' is in the eye of its beholder; signatures are opinions, and different people devote different levels of due diligence in checking authenticity before signing a key.)

Figure 1-9. A PGP certificate
X.509 certificate format
X.509 is another very common certificate format. All X.509 certificates comply with the ITU-T X.509 international standard; thus (theoretically) X.509 certificates created for one application can be used by any application complying with X.509. In practice, however, different companies have created their own extensions to X.509 certificates, not all of which work together.
A certificate requires someone to validate that a public key and the name of the key's owner go together. With PGP certificates, anyone can play the role of validator. With X.509 certificates, the validator is always a Certification Authority or someone designated by a CA. (Bear in mind that PGP certificates also fully support a hierarchical structure using a CA to validate certificates.)
An X.509 certificate is a collection of a standard set of fields containing information about a user or device and their corresponding public key. The X.509 standard defines what information goes into the certificate, and describes how to encode it (the data format). All X.509 certificates have the following data:
- The X.509 version number: this identifies which version of the X.509 standard applies to this certificate, which affects what information can be specified in it. The most current is version 3.
- The certificate holder's public key: the public key of the certificate holder, together with an algorithm identifier which specifies which cryptosystem the key belongs to and any associated key parameters.
- The serial number of the certificate: the entity (application or person) that created the certificate is responsible for assigning it a unique serial number to distinguish it from other certificates it issues. This information is used in numerous ways; for example, when a certificate is revoked, its serial number is placed in a Certificate Revocation List or CRL.
- The certificate holder's unique identifier (or DN, distinguished name). This name is intended to be unique across the Internet. A DN consists of multiple subsections and may look something like this:
  CN=Bob Allen, OU=Total Network Security Division, O=Network Associates, Inc., C=US
  (These refer to the subject's Common Name, Organizational Unit, Organization, and Country.)
- The certificate's validity period: the certificate's start date/time and expiration date/time; indicates when the certificate will expire.
- The unique name of the certificate issuer: the unique name of the entity that signed the certificate. This is normally a CA. Using the certificate implies trusting the entity that signed this certificate. (Note that in some cases, such as root or top-level CA certificates, the issuer signs its own certificate.)
- The digital signature of the issuer: the signature using the private key of the entity that issued the certificate.
- The signature algorithm identifier: identifies the algorithm used by the CA to sign the certificate.
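As an added example (not from the PGP documentation), a small Python parser for the string form of the distinguished name shown above. A DN is an ordered list of attribute=value pairs separated by commas, but the sample value "Network Associates, Inc." itself contains a comma, so the obvious split on every comma yields five fragments and a corrupted Organization; the parser below splits only at a comma that is followed by a new attribute type. Real certificates carry the DN in ASN.1/DER rather than as this display string, and the string form defined in RFC 2253 (now RFC 4514) escapes such commas with a backslash; the sample DN here is unescaped, so this parser is written for it as printed.

```python
# Added example: parsing the X.509 DN string from the text. Not PGP's code.
import re

# The sample DN from the text, unescaped exactly as printed.
SAMPLE_DN = "CN=Bob Allen, OU=Total Network Security Division, O=Network Associates, Inc., C=US"

# Split on a comma only when what follows looks like the start of a new "ATTR=" pair,
# so a comma inside a value (as in "Network Associates, Inc.") is left alone.
_RDN_BOUNDARY = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_dn(dn: str) -> list:
    """Return the DN as an ordered list of (attribute, value) pairs, most specific
    component (CN) first, as written in the string."""
    pairs = []
    for rdn in _RDN_BOUNDARY.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {rdn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def naive_parse_dn(dn: str) -> list:
    """The obvious split-on-every-comma approach, kept only to show its failure
    on the sample: it produces five fragments, one of them just 'Inc.'."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]


if __name__ == "__main__":
    for attr, value in parse_dn(SAMPLE_DN):
        print(f"{attr:3s} = {value}")
    print("naive split gives", len(naive_parse_dn(SAMPLE_DN)), "fragments")
```

The practical point for anyone comparing subject or issuer names: the boundary between components is not simply a comma, so name matching must be done on the parsed components (or on the DER encoding), never on the raw string.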
There are many differences between an X.509 certificate and a PGP certificate, but the most salient are as follows:
- you can create your own PGP certificate; you must request and be issued an X.509 certificate from a Certification Authority
- X.509 certificates natively support only a single name for the key's owner
- X.509 certificates support only a single digital signature to attest to the key's validity
To obtain an X.509 certificate, you must ask a CA to issue you a certificate. You provide your public key, proof that you possess the corresponding private key, and some specific information about yourself. You then digitally sign the information and send the whole package (the certificate request) to the CA. The CA then performs some due diligence in verifying that the information you provided is correct, and if so, generates the certificate and returns it.
You might think of an X.509 certificate as looking like a standard paper certificate (similar to one you might have received for completing a class in basic First Aid) with a public key taped to it. It has your name and some information about you on it, plus the signature of the person who issued it to you.

Figure 1-10. An X.509 certificate
Probably the most widely visible use of X.509 certificates today is in web browsers.

Validity and trust
Every user in a public key system is vulnerable to mistaking a phony key (certificate) for a real one. Validity is confidence that a public key certificate belongs to its purported owner. Validity is essential in a public key environment where you must constantly establish whether or not a particular certificate is authentic.
When you've assured yourself that a certificate belonging to someone else is valid, you can sign the copy on your keyring to attest to the fact that you've checked the certificate and that it's an authentic one. If you want others to know that you gave the certificate your stamp of approval, you can export the signature to a certificate server so that others can see it.

As described in the section Public Key Infrastructures, some companies designate one or more Certification Authorities (CAs) to indicate certificate validity. In an organization using a PKI with X.509 certificates, it is the job of the CA to issue certificates to users; a process which generally entails responding to a user's request for a certificate. In an organization using PGP certificates without a PKI, it is the job of the CA to check the authenticity of all PGP certificates and then sign the good ones. Basically, the main purpose of a CA is to bind a public key to the identification information contained in the certificate and thus assure third parties that some measure of care was taken to ensure that this binding of the identification information and key is valid.
The CA is the Grand Pooh-bah of validation in an organization; someone whom everyone trusts, and in some organizations, like those using a PKI, no certificate is considered valid unless it has been signed by a trusted CA.

Checking validity
One way to establish validity is to go through some manual process. There are several ways to accomplish this. You could require your intended recipient to physically hand you a copy of his or her public key. But this is often inconvenient and inefficient.
Another way is to manually check the certificate's fingerprint. Just as every human's fingerprints are unique, every PGP certificate's fingerprint is unique. The fingerprint is a hash of the user's certificate and appears as one of the certificate's properties. In PGP, the fingerprint can appear as a hexadecimal number or a series of so-called biometric words, which are phonetically distinct and are used to make the fingerprint identification process a little easier.
You can check that a certificate is valid by calling the key's owner (so that you originate the transaction) and asking the owner to read his or her key's fingerprint to you and verifying that fingerprint against the one you believe to be the real one. This works if you know the owner's voice, but how do you manually verify the identity of someone you don't know? Some people put the fingerprint of their key on their business cards for this very reason.
Another way to establish validity of someone's certificate is to trust that a third individual has gone through the process of validating it.
A CA, for example, is responsible for ensuring that prior to issuing a certificate, he or she carefully checks it to be sure the public key portion really belongs to the purported owner. Anyone who trusts the CA will automatically consider any certificates signed by the CA to be valid.
Another aspect of checking validity is to ensure that the certificate has not been revoked. For more information, see the section Certificate Revocation.

Establishing trust
You validate certificates. You trust people. More specifically, you trust people to validate other people's certificates. Typically, unless the owner hands you the certificate, you have to go by someone else's word that it is valid.
Meta and trusted introducers
In most situations, people completely trust the CA to establish certificates' validity. This means that everyone else relies upon the CA to go through the whole manual validation process for them. This is fine up to a certain number of users or number of work sites, and then it is not possible for the CA to maintain the same level of quality validation. In that case, adding other validators to the system is necessary.
A CA can also be a meta-introducer. A meta-introducer bestows not only validity on keys, but bestows the ability to trust keys upon others. Similar to the king who hands his seal to his trusted advisors so they can act on his authority, the meta-introducer enables others to act as trusted introducers. These trusted introducers can validate keys to the same effect as that of the meta-introducer. They cannot, however, create new trusted introducers.
Meta-introducer and trusted introducer are PGP terms. In an X.509 environment, the meta-introducer is called the root Certification Authority (root CA) and trusted introducers subordinate Certification Authorities.
The root CA uses the private key associated with a special certificate type called a root CA certificate to sign certificates. Any certificate signed by the root CA certificate is viewed as valid by any other certificate signed by the root. This validation process works even for certificates signed by other CAs in the system; as long as the root CA certificate signed the subordinate CA's certificate, any certificate signed by the CA is considered valid to others within the hierarchy. This process of checking back up through the system to see who signed whose certificate is called tracing a certification path or certification chain.

Trust models
In relatively closed systems, such as within a small company, it is easy to trace a certification path back to the root CA. However, users must often communicate with people outside of their corporate environment, including some whom they have never met, such as vendors, customers, clients, associates, and so on. Establishing a line of trust to those who have not been explicitly trusted by your CA is difficult.
Companies follow one or another trust model, which dictates how users will go about establishing certificate validity. There are three different models:
- Direct Trust
- Hierarchical Trust
- A Web of Trust
Direct Trust
Direct trust is the simplest trust model. In this model, a user trusts that a key is valid because he or she knows where it came from. All cryptosystems use this form of trust in some way. For example, in web browsers, the root Certification Authority keys are directly trusted because they were shipped by the manufacturer. If there is any form of hierarchy, it extends from these directly trusted certificates.
In PGP, a user who validates keys herself and never sets another certificate to be a trusted introducer is using direct trust.

Figure 1-11. Direct trust
Hierarchical Trust
In a hierarchical system, there are a number of "root" certificates from which trust extends. These certificates may certify certificates themselves, or they may certify certificates that certify still other certificates down some chain. Consider it as a big trust "tree." The "leaf" certificate's validity is verified by tracing backward from its certifier, to other certifiers, until a directly trusted root certificate is found.

Figure 1-12. Hierarchical trust
Web of Trust
A web of trust encompasses both of the other models, but also adds the notion that trust is in the eye of the beholder (which is the real-world view) and the idea that more information is better. It is thus a cumulative trust model. A certificate might be trusted directly, or trusted in some chain going back to a directly trusted root certificate (the meta-introducer), or by some group of introducers.
Perhaps you've heard of the term six degrees of separation, which suggests that any person in the world can determine some link to any other person in the world using six or fewer other people as intermediaries. This is a web of introducers.
It is also the PGP view of trust. PGP uses digital signatures as its form of introduction. When any user signs another's key, he or she becomes an introducer of that key. As this process goes on, it establishes a web of trust.
In a PGP environment, any user can act as a certifying authority. Any PGP user can validate another PGP user's public key certificate. However, such a certificate is only valid to another user if the relying party recognizes the validator as a trusted introducer. (That is, you trust my opinion that others' keys are valid only if you consider me to be a trusted introducer. Otherwise, my opinion on other keys' validity is moot.)
Stored on each user's public keyring are indicators of
- whether or not the user considers a particular key to be valid
- the level of trust the user places on the key that the key's owner can serve as certifier of others' keys
You indicate, on your copy of my key, whether you think my judgement counts. It's really a reputation system: certain people are reputed to give good signatures, and people trust them to attest to other keys' validity.
Levels of trust in PGP
The highest level of trust in a key, implicit trust, is trust in your own key pair. PGP assumes that if you own the private key, you must trust the actions of its related public key. Any keys signed by your implicitly trusted key are valid.
There are three levels of trust you can assign to someone else's public key:
Complete trust
Marginal trust
No trust (or Untrusted)
To make things confusing, there are also three levels of validity:
Valid
Marginally valid
Invalid

To define another's key as a trusted introducer, you
1. Start with a valid key, one that is either
signed by you or
signed by another trusted introducer
and then
2. Set the level of trust you feel the key's owner is entitled to.
For example, suppose your keyring contains Alice's key. You have validated Alice's key and you indicate this by signing it. You know that Alice is a real stickler for validating others' keys. You therefore assign her key with Complete trust. This makes Alice a Certification Authority. If Alice signs another's key, it appears as Valid on your keyring.
PGP requires one Completely trusted signature or two Marginally trusted signatures to establish a key as valid. PGP's method of considering two Marginals equal to one Complete is similar to a merchant asking for two forms of ID. You might consider Alice fairly trustworthy and also consider Bob fairly trustworthy. Either one alone runs the risk of accidentally signing a counterfeit key, so you might not place complete trust in either one. However, the odds that both individuals signed the same phony key are probably small.
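The validity rules above (one Complete or two Marginal signatures, and a signer counting only if the signer's own key is valid and trusted as an introducer) can be worked through on a small keyring. The following is an added example, not code from the PGP documentation or the PGP program; the keyring, the people on it and the assumption that a signature counts only when the signing key is itself fully Valid are this example's own modelling choices.

```python
# Added example, not code from the PGP documentation: a small model of how a
# PGP-style keyring derives a key's validity from the signatures on it and the
# trust the keyring owner assigned to each signer. Names and data are constructed.
from dataclasses import dataclass, field

# Trust levels the keyring owner assigns to a key as an introducer.
IMPLICIT, COMPLETE, MARGINAL, UNTRUSTED = "implicit", "complete", "marginal", "untrusted"
# Validity levels PGP reports for a key.
VALID, MARGINALLY_VALID, INVALID = "valid", "marginally valid", "invalid"

# Thresholds from the text: one Completely trusted signature or two Marginally
# trusted signatures establish a key as Valid.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 2


@dataclass
class Key:
    owner: str
    trust: str = UNTRUSTED
    signatures: set = field(default_factory=set)  # owners of keys that signed this key


class Keyring:
    def __init__(self, me):
        self.me = me
        self.keys = {me: Key(me, trust=IMPLICIT)}

    def add(self, owner, trust=UNTRUSTED, signed_by=()):
        self.keys[owner] = Key(owner, trust, set(signed_by))

    def validity(self, owner, _chain=frozenset()):
        key = self.keys[owner]
        if key.trust == IMPLICIT:
            return VALID            # my own key pair is always valid
        if owner in _chain:
            return INVALID          # cycle guard: a key cannot vouch for itself
        completes = marginals = 0
        for signer in key.signatures:
            signer_key = self.keys.get(signer)
            if signer_key is None:
                continue            # signature from a key not on the keyring
            # Modelling assumption (following the text's definition of a trusted
            # introducer): a signature counts only if the signer's key is itself
            # Valid and the keyring owner trusts the signer as an introducer.
            if self.validity(signer, _chain | {owner}) != VALID:
                continue
            if signer_key.trust in (IMPLICIT, COMPLETE):
                completes += 1
            elif signer_key.trust == MARGINAL:
                marginals += 1
        if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
            return VALID
        if marginals > 0:
            return MARGINALLY_VALID
        return INVALID


def build_example_keyring():
    """Constructed keyring: 'me' signed Alice, Bob and Carol directly."""
    ring = Keyring("me")
    ring.add("alice", trust=COMPLETE, signed_by={"me"})   # a stickler: a one-person CA
    ring.add("bob", trust=MARGINAL, signed_by={"me"})
    ring.add("carol", trust=MARGINAL, signed_by={"me"})
    ring.add("dave", signed_by={"alice"})                 # one Complete signature
    ring.add("eve", trust=COMPLETE, signed_by={"bob"})    # one Marginal signature only
    ring.add("frank", signed_by={"bob", "carol"})         # two Marginal signatures
    ring.add("grace", signed_by={"frank"})                # Frank is Valid but untrusted
    ring.add("heidi", signed_by={"eve"})                  # Eve is trusted, but her key is not Valid
    return ring


def report(ring):
    """Validity of every key on the ring, keyed by owner."""
    return {owner: ring.validity(owner) for owner in ring.keys}


if __name__ == "__main__":
    for owner, status in report(build_example_keyring()).items():
        print(f"{owner:6} {status}")
```

The two cases worth noticing are Heidi and Grace: Eve carries Complete trust, yet her signature on Heidi's key counts for nothing because Eve's own key is only Marginally valid, and Frank's key is fully Valid but he has no trust assigned, so his signature on Grace's key is ignored. The cycle guard matters in a real web of trust, where two keys routinely sign each other.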

Certificate Revocation
Certificates are only useful while they are valid. It is unsafe to simply assume that a certificate is valid forever. In most organizations and in all PKIs, certificates have a restricted lifetime. This constrains the period in which a system is vulnerable should a certificate compromise occur.
Certificates are thus created with a scheduled validity period: a start date/time and an expiration date/time. The certificate is expected to be usable for its entire validity period (its lifetime). When the certificate expires, it will no longer be valid, as the authenticity of its key/identification pair is no longer assured. (The certificate can still be safely used to reconfirm information that was encrypted or signed within the validity period; it should not be trusted for cryptographic tasks moving forward, however.)
There are also situations where it is necessary to invalidate a certificate prior to its expiration date, such as when the certificate holder terminates employment with the company or suspects that the certificate's corresponding private key has been compromised. This is called revocation. A revoked certificate is much more suspect than an expired certificate. Expired certificates are unusable, but do not carry the same threat of compromise as a revoked certificate.
Anyone who has signed a certificate can revoke his or her signature on the certificate (provided he or she uses the same private key that created the signature). A revoked signature indicates that the signer no longer believes the public key and identification information belong together, or that the certificate's public key (or corresponding private key) has been compromised. A revoked signature should carry nearly as much weight as a revoked certificate.
With X.509 certificates, a revoked signature is practically the same as a revoked certificate, given that the only signature on the certificate is the one that made it valid in the first place: the signature of the CA. PGP certificates provide the added feature that you can revoke your entire certificate (not just the signatures on it) if you yourself feel that the certificate has been compromised.
Only the certificate's owner (the holder of its corresponding private key) or someone whom the certificate's owner has designated as a revoker can revoke a PGP certificate. (Designating a revoker is a useful practice, as it's often the loss of the passphrase for the certificate's corresponding private key that leads a PGP user to revoke his or her certificate, a task that is only possible if one has access to the private key.) Only the certificate's issuer can revoke an X.509 certificate.

Communicating that a certificate has been revoked
When a certificate is revoked, it is important to make potential users of the certificate aware that it is no longer valid. With PGP certificates, the most common way to communicate that a certificate has been revoked is to post it on a certificate server so others who may wish to communicate with you are warned not to use that public key.
In a PKI environment, communication of revoked certificates is most commonly achieved via a data structure called a Certificate Revocation List, or CRL, which is published by the CA. The CRL contains a time-stamped, validated list of all revoked, unexpired certificates in the system. Revoked certificates remain on the list only until they expire, then they are removed from the list; this keeps the list from getting too long.
The CA distributes the CRL to users at some regularly scheduled interval (and potentially off-cycle, whenever a certificate is revoked). Theoretically, this will prevent users from unwittingly using a compromised certificate. It is possible, though, that there may be a time period between CRLs in which a newly compromised certificate is used.
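The lifecycle described in this section (validity window, revocation before expiry, pruning of expired entries from the CRL, the gap between CRL issues, and the continued usefulness of an old certificate for checking signatures made while it was good) can be put together in one relying-party check. This is an added example, not code from the PGP documentation or any real PKI library; the certificates, serial numbers, dates and CRL field names are constructed for illustration and the CRL is modelled as a plain data structure rather than a signed X.509 CRL.

```python
# Added example, not code from the PGP documentation: checking a certificate
# against its validity period and a CA-published Certificate Revocation List
# (CRL), including the gap between CRL issues that the text warns about.
# Certificates, serial numbers and times below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Certificate:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    this_update: datetime          # when the CA issued this list
    next_update: datetime          # when the CA promises the next one
    revoked: dict = field(default_factory=dict)   # serial -> revocation time


GOOD, NOT_YET_VALID, EXPIRED, REVOKED, UNKNOWN = (
    "good", "not yet valid", "expired", "revoked", "unknown")


def certificate_status(cert, crl, now):
    """Status of `cert` at time `now`, as a relying party holding `crl` sees it."""
    if now < cert.not_before:
        return NOT_YET_VALID
    if now > cert.not_after:
        return EXPIRED
    # A stale CRL (past its next_update) is no evidence of anything: do not
    # silently treat the certificate as good.
    if crl is None or now > crl.next_update:
        return UNKNOWN
    if cert.serial in crl.revoked:
        return REVOKED
    return GOOD


def confirms_past_signature(cert, crl, signing_time):
    """An expired or revoked certificate may still confirm a signature made while
    it was good: inside its validity period and before any revocation time."""
    if not (cert.not_before <= signing_time <= cert.not_after):
        return False
    revoked_at = crl.revoked.get(cert.serial) if crl else None
    return revoked_at is None or signing_time < revoked_at


def prune_expired(crl, certs_by_serial, now):
    """Revoked certificates stay on the CRL only until they expire."""
    still_live = {s: t for s, t in crl.revoked.items()
                  if now <= certs_by_serial[s].not_after}
    return CRL(this_update=now, next_update=now + timedelta(days=7), revoked=still_live)


def day(n):
    """Day n of the constructed timeline."""
    return datetime(2024, 1, 1) + timedelta(days=n)


def demo():
    alice = Certificate(1001, "alice", day(0), day(365))
    bob = Certificate(1002, "bob", day(0), day(30))
    certs = {c.serial: c for c in (alice, bob)}

    # CRL issued on day 10, good for a week; Bob's key was reported compromised on day 5.
    crl_day10 = CRL(day(10), day(17), revoked={1002: day(5)})
    # Alice's private key is compromised on day 12. Until the CA publishes the
    # next CRL on day 17, a relying party holding crl_day10 still sees her cert as good.
    alice_compromised = day(12)
    crl_day17 = CRL(day(17), day(24), revoked={1001: alice_compromised, 1002: day(5)})

    return {
        "bob on day 11": certificate_status(bob, crl_day10, day(11)),
        "alice on day 14 (old CRL)": certificate_status(alice, crl_day10, day(14)),
        "alice on day 18 (new CRL)": certificate_status(alice, crl_day17, day(18)),
        "alice on day 26 (stale CRL)": certificate_status(alice, crl_day17, day(26)),
        "bob on day 40": certificate_status(bob, crl_day17, day(40)),
        "alice sig from day 8": confirms_past_signature(alice, crl_day17, day(8)),
        "alice sig from day 13": confirms_past_signature(alice, crl_day17, day(13)),
        "crl after pruning on day 31": sorted(prune_expired(crl_day17, certs, day(31)).revoked),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:30} {result}")
```

The "alice on day 14" line is the window the text describes: the compromise has already happened, but a relying party that only has the day-10 CRL cannot know it. Treating a CRL past its next_update as unknown rather than good is the defensive choice; accepting it would turn a CA outage into a silent acceptance of revoked keys.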

What is a passphrase?
Most people are familiar with restricting access to computer systems via a password, which is a unique string of characters that a user types in as an identification code.
A passphrase is a longer version of a password, and in theory, a more secure one. Typically composed of multiple words, a passphrase is more secure against standard dictionary attacks, wherein the attacker tries all the words in the dictionary in an attempt to determine your password. The best passphrases are relatively long and complex and contain a combination of upper and lowercase letters, numeric and punctuation characters.
PGP uses a passphrase to encrypt your private key on your machine. Your private key is encrypted on your disk using a hash of your passphrase as the secret key. You use the passphrase to decrypt and use your private key. A passphrase should be hard for you to forget and difficult for others to guess. It should be something already firmly embedded in your long-term memory, rather than something you make up from scratch. Why? Because if you forget your passphrase, you are out of luck. Your private key is totally and absolutely useless without your passphrase and nothing can be done about it. Remember the quote earlier in this chapter? PGP is cryptography that will keep major governments out of your files. It will certainly keep you out of your files, too. Keep that in mind when you decide to change your passphrase to the punchline of that joke you can never quite remember.

Key splitting
They say that a secret is not a secret if it is known to more than one person. Sharing a private key pair poses such a problem. While it is not a recommended practice, sharing a private key pair is necessary at times. Corporate Signing Keys, for example, are private keys used by a company to sign, for example, legal documents, sensitive personnel information, or press releases to authenticate their origin. In such a case, it is worthwhile for multiple members of the company to have access to the private key. However, this means that any single individual can act fully on behalf of the company.
In such a case it is wise to split the key among multiple people in such a way that more than one or two people must present a piece of the key in order to reconstitute it to a usable condition. If too few pieces of the key are available, then the key is unusable.
Some examples are to split a key into three pieces and require two of them to reconstitute the key, or split it into two pieces and require both pieces. If a secure network connection is used during the reconstitution process, the key's shareholders need not be physically present in order to rejoin the key.
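The "three pieces, any two reconstitute" and "two pieces, both required" schemes above are threshold schemes, and the standard way to build one is Shamir's secret sharing: the key becomes the constant term of a random polynomial over a prime field, each shareholder receives one point on it, and any threshold-many points determine the polynomial while fewer reveal nothing. This is an added example, not code from the PGP documentation, and it does not reproduce PGP's own share format; the prime, the 32-byte "signing key" and the share layout are this example's own choices.

```python
# Added example, not code from the PGP documentation: splitting a key into n
# pieces so that any k of them reconstitute it (Shamir's secret sharing over a
# prime field). PGP's own share format is not shown; the key below is constructed.
import secrets

# 2**521 - 1 is a Mersenne prime, so secrets of up to 65 bytes fit below it.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % PRIME
    return y


def split_secret(secret, threshold, num_shares):
    """Return num_shares points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the secret. Any `threshold` points recover it."""
    if not 0 < threshold <= num_shares:
        raise ValueError("need 0 < threshold <= num_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer below PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. With fewer than `threshold` shares the
    result is a uniformly random wrong value, not a partial secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def split_key(key_bytes, threshold, num_shares):
    """Byte-oriented wrapper: each share also carries the key length so that
    leading zero bytes survive the round trip."""
    if len(key_bytes) > 65:
        raise ValueError("split longer keys in 65-byte chunks")
    secret = int.from_bytes(key_bytes, "big")
    return [(x, y, len(key_bytes)) for x, y in split_secret(secret, threshold, num_shares)]


def recover_key(shares):
    """Rejoin shares; returns None when the result cannot be a key of the stated
    length, which is what happens (with overwhelming probability) below threshold."""
    length = shares[0][2]
    value = recover_secret([(x, y) for x, y, _ in shares])
    if value >= 256 ** length:
        return None
    return value.to_bytes(length, "big")


def demo():
    # Constructed 32-byte "corporate signing key" (not a real key).
    key = bytes(range(32))
    two_of_three = split_key(key, 2, 3)
    return {
        "shares 1+2": recover_key(two_of_three[:2]) == key,
        "shares 1+3": recover_key([two_of_three[0], two_of_three[2]]) == key,
        "shares 2+3": recover_key(two_of_three[1:]) == key,
        "share 1 alone": recover_key(two_of_three[:1]) == key,   # below threshold
        "two of two": recover_key(split_key(key, 2, 2)) == key,
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:14} {'recovered' if ok else 'not recovered'}")
```

Because every share is a point on a random polynomial, a single share from the 2-of-3 split is statistically independent of the key: an attacker holding one piece has learned nothing, which is the property the text asks for ("if too few pieces of the key are available, then the key is unusable"). Shares should still be distributed and rejoined over an authenticated channel, since a tampered share silently produces a wrong key rather than an error.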
