[7781] in cryptography@c2.net mail archive
Re: reflecting on PGP, keyservers, and the Web of Trust
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Wed Sep 6 21:57:56 2000
Message-Id: <v04210102b5dc5aaae8dd@[24.218.56.92]>
In-Reply-To: <3.0.6.32.20000905163858.008c3a80@pop.sprynet.com>
Date: Wed, 6 Sep 2000 17:03:24 -0400
To: David Honig <honig@sprynet.com>, Dan Geer <geer@WORLD.STD.COM>
From: "Arnold G. Reinhold" <reinhold@WORLD.STD.COM>
Cc: cryptography@c2.net
At 4:38 PM -0700 9/5/2000, David Honig wrote:
>At 05:33 PM 9/3/00 -0400, Dan Geer wrote:
>>
>>> How do they exchange public keys? Via email I'll bet.
>>
>
>>Note that it is trivial(*) to construct a self-decrypting
>>archive and mail it in the form of an attachment. The
>>recipient will merely have to know the passphrase. If
>
>If you have a secure channel to exchange a passphrase in,
>you have no need for PK.
>
I don't see any need for self-decrypting archives or passphrases.
The public key can be sent un-encrypted. All you need is a trusted,
not secure, channel to send the key fingerprint. This channel can
have very low bandwidth and need not be electronic.

Without key fingerprint verification, the primary attack against an
open exchange of public keys is the Man in the Middle. Remember the
burden on the Man in the Middle attacker against Bob:

1. The MITM must intercept every key exchange message that Bob sends
or receives and then every message of any sort that Bob sends or
receives thereafter.

2. The MITM must be prepared to detect attempts to verify key
fingerprints in any message Bob sends or receives. These can involve
foreign languages, anagrams, subtle phrasing, steganography, etc. In
general this means that all messages must be screened by a well
trained human, not automatically.

3. If Bob ever discovers he is being attacked, he can use the MITM to
feed false information to his adversary.

4. If the attacker ever decides to stop, Bob will immediately be
alerted that something was wrong.

I think it is much cheaper and less risky to get one of the parties'
private keys by planting a worm program or bugging their keyboard.

At 7:22 PM -0700 9/5/2000, Ed Gerck wrote:
>
>PGP is based on an “introducer-model” which depends on
>the integrity of a chain of authenticators, the users
>themselves. The users and their keys are referred from one
>user to the other, as in a friendship circle, forming an
>authentication ring, modeled as a list or “web-of-trust”.
>The web-of-trust model has some problems, to wit:

I would add one more problem with the web-of-trust model: the classic
p**n reliability equation. If there is a 90% chance that any given
introducer is reliable, then there is only a 34% chance that a chain
of 10 introducers is reliable. Would you give even a 90% trust
rating to a bunch of strangers? To really work, the web-of-trust
requires multiple, independent paths between any two individuals so
you can take the "or" of several chains. That level of density is not
likely to happen with individuals.

On the other hand, PGP does not depend on the web-of-trust model
and I doubt very many people try to use it. I suspect most users
find other ways to exchange keys with their friends. As Paul Crowley
points out, what exactly does it mean to have trust in a stranger's
public key?

Arnold Reinhold
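
The fingerprint check described in the message above, as an added example that is not part of the original post: a public key arrives over an open channel and is accepted only if its fingerprint matches one received over a separate trusted channel. It assumes the OpenPGP v4 fingerprint format (RFC 4880); the function names and the key material are constructed for illustration and are not real RSA keys.

```python
import hashlib
import hmac
import struct

def mpi(x: int) -> bytes:
    # OpenPGP multiprecision integer: 2-byte bit count, then big-endian magnitude
    nbytes = (x.bit_length() + 7) // 8
    return struct.pack(">H", x.bit_length()) + x.to_bytes(nbytes, "big")

def v4_key_packet_body(created: int, n: int, e: int) -> bytes:
    # version 4, creation time, algorithm 1 (RSA), then the two public MPIs
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    # RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, packet body
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def grouped(fp: str) -> str:
    # Four-digit groups, the form a person reads aloud or prints on a card
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))

def key_matches(body: bytes, out_of_band_fp: str) -> bool:
    # Tolerate spacing and case from human transcription, nothing else
    expected = "".join(out_of_band_fp.split()).upper()
    if len(expected) != 40 or any(c not in "0123456789ABCDEF" for c in expected):
        return False  # truncated or mistyped: refuse, never compare a prefix
    return hmac.compare_digest(v4_fingerprint(body), expected)

# Constructed sample data: Alice's key, and a key substituted in transit.
ALICE_KEY = v4_key_packet_body(968274204, (1 << 1023) | 0xA11CE, 65537)
MALLORY_KEY = v4_key_packet_body(968274204, (1 << 1023) | 0xBAD, 65537)

if __name__ == "__main__":
    card = grouped(v4_fingerprint(ALICE_KEY))   # what Alice hands Bob in person
    print("fingerprint on card:", card)
    print("genuine key accepted:", key_matches(ALICE_KEY, card))
    print("substituted key accepted:", key_matches(MALLORY_KEY, card))
```
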