<!--
SPDX-FileCopyrightText: 2023 The "Notes on OpenPGP" project
SPDX-License-Identifier: CC-BY-SA-4.0
-->
(cryptography_chapter)=
# Cryptographic concepts and terms

## Cryptographic hash functions

[Cryptographic hash functions](https://en.wikipedia.org/wiki/Cryptographic_hash_function) take data strings of any length (like a text message or file) and output a fixed-size code, a "hash digest," which is often abbreviated as either "digest" or "hash." A hash digest is also sometimes called a "(cryptographic) checksum." A hash digest acts like a unique identifier for the original data.

Cryptographic hash functions have two important properties:

- [**Pre-image resistance**](https://en.wikipedia.org/wiki/Preimage_attack): Given a hash digest, it should be very difficult to determine any data that matches this hash digest (including, but not limited to, the original data the hash represents). This property embodies the concept of a [one-way function](https://en.wikipedia.org/wiki/One-way_function), a calculation that is easy to perform, but very hard to reverse.
- [**Collision resistance**](https://en.wikipedia.org/wiki/Collision_resistance): It should be very difficult to find two distinct pieces of data that map to the same hash digest.

## Message authentication codes

A [message authentication code](https://en.wikipedia.org/wiki/Message_authentication_code) (MAC), also known as an authentication tag, is a small piece of information used to verify the integrity and authenticity of a message.

It is derived from the original message using a (symmetric) secret key. The recipient of a message containing a MAC, who is also in possession of the secret key, can verify that the message has not been altered.
[HMAC](https://en.wikipedia.org/wiki/HMAC) is a type of MAC that relies on a hash function. It is used in the OpenPGP protocol.

### Key derivation functions

A hash function can also be used to create a [key derivation function](https://en.wikipedia.org/wiki/Key_derivation_function) (KDF).
One application of KDFs is to generate symmetric key material from a password by iteratively passing it through a hash function.

A notable KDF for the OpenPGP specification is [HKDF](https://en.wikipedia.org/wiki/HKDF), a key derivation function based on HMAC.

For detailed information on KDFs and their role in the OpenPGP protocol, see the [encrypted secrets](encrypted_secrets) chapter and the [SEIPDv2](SEIPDv2) section of the encryption chapter.

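
HKDF as defined in RFC 5869, built from HMAC with Python's standard library, as an added example that is not part of the original text. It is checked against test case 1 of that RFC; the session key, salt and `info` labels in `derive_sample_keys` are constructed and are not the inputs OpenPGP uses.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract: condense input key material into a fixed-size PRK."""
    if not salt:
        # RFC 5869: a missing salt is replaced by HashLen zero bytes.
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand: stretch the PRK into `length` bytes bound to `info`."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF output is limited to 255 * HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(n) = HMAC(PRK, T(n-1) || info || n), with T(0) empty
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm, salt, info, length, hash_name="sha256"):
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def rfc5869_case1() -> bytes:
    """Test case 1 from RFC 5869, Appendix A.1 (SHA-256, 42 bytes of output)."""
    return hkdf(
        ikm=bytes.fromhex("0b" * 22),
        salt=bytes.fromhex("000102030405060708090a0b0c"),
        info=bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
        length=42,
    )


def derive_sample_keys():
    # Constructed values, not OpenPGP's real HKDF inputs: one secret, two labels.
    session_key, salt = bytes(range(32)), bytes(32)
    return (hkdf(session_key, salt, b"example context A", 32),
            hkdf(session_key, salt, b"example context B", 32))


if __name__ == "__main__":
    print("RFC 5869 case 1:", rfc5869_case1().hex())
```

Changing only the `info` label yields an unrelated key from the same secret, which is how one session key can safely feed a separately derived message key.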
## Symmetric-key cryptography

[Symmetric-key cryptography](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) uses the same cryptographic key for both encryption and decryption, unlike asymmetric cryptography where a pair of keys is used: a public key for encryption and a corresponding private key for decryption. Symmetric-key cryptographic systems support *encryption/decryption* operations.

Participants in symmetric-key operations need to exchange the shared secret over a secure channel.

```{figure} diag/symmetric_key.png
---
---
A symmetric cryptographic key (which acts as a shared secret)
```

### Benefits and downsides

Symmetric-key cryptography has major benefits: It is much faster than public-key cryptography (see below). Also, most current symmetric-key cryptographic mechanisms are believed to be resilient against possible advances in quantum computing[^postquantum].

[^postquantum]: Daniel J. Bernstein (2009). ["Introduction to post-quantum cryptography" (PDF)](http://www.pqcrypto.org/www.springer.com/cda/content/document/cda_downloaddocument/9783540887010-c1.pdf) states that: "many important classes of cryptographic systems", including secret-key cryptographic mechanisms like AES "[..] are believed to resist classical computers and quantum computers." (pages 1, 2).

However, exchanging the required shared secret is a problem that needs to be solved separately.
[Hybrid cryptosystems](hybrid_cryptosystems) combine the advantages of symmetric-key cryptography with a separate mechanism for managing the shared secret, using public-key cryptography.

### Symmetric-key cryptography in OpenPGP

Symmetric-key cryptography is used in OpenPGP in three contexts:

- most prominently, as part of a hybrid cryptosystem to encrypt and decrypt data,
- to encrypt [password-protected private key material](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption), and
- for [password-protected data encryption](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-symmetric-key-encrypted-ses), a less commonly used feature of the standard.

Where symmetric keys are used in OpenPGP for data encryption, they are called either "message keys" or "session keys[^sessionkey]."

[^sessionkey]: In OpenPGP version 6, the ["Version 2 Symmetrically Encrypted Integrity Protected Data Packet Format"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-version-2-symmetrically-enc) requires that a "message key" is derived from a "session key." In contrast, up to OpenPGP version 4, and in version 6 when using ["Version 1 Symmetrically Encrypted Integrity Protected Data Packet Format"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-version-1-symmetrically-enc), the "session key" was used directly as a symmetric encryption key.

### Authenticated encryption with associated data (AEAD)

[Authenticated encryption](https://en.wikipedia.org/wiki/Authenticated_encryption) offers more than just confidentiality; it ensures data integrity too.

In OpenPGP version 6, AEAD replaced the MDC[^MDC] mechanism to address malleability. In earlier OpenPGP versions, malicious alterations to ciphertext might go unnoticed. AEAD guards against such undetected changes.

[^MDC]: OpenPGP version 4 introduced a mechanism called MDC (Modification Detection Code), which serves a purpose comparable to AEAD in safeguarding message integrity. MDC is a non-standard mechanism, but no known attacks have compromised this scheme as of this document's last update.

By addressing the malleability problem, AEAD also counters a variation of the EFAIL[^efail] attack.

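
What an authentication tag adds, both here and in the message authentication codes section above, shown as an added example that is not part of the original text: a toy keystream cipher (SHA-256 in counter mode, an assumption standing in for a real cipher) decrypts a modified ciphertext without complaint, while an encrypt-then-HMAC wrapper rejects it. This illustrates authenticated encryption in general, not OpenPGP's AEAD modes or its MDC; all names and sample values are constructed.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode, standing in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def make_tag(mac_key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    # The length prefix keeps associated data and ciphertext from blending.
    msg = nonce + len(ad).to_bytes(8, "big") + ad + ct
    return hmac.new(mac_key, msg, "sha256").digest()


def seal(enc_key, mac_key, nonce, plaintext, ad=b""):
    """Encrypt, then compute an HMAC over nonce, associated data and ciphertext."""
    ct = xor_crypt(enc_key, nonce, plaintext)
    return ct, make_tag(mac_key, nonce, ad, ct)


def open_sealed(enc_key, mac_key, nonce, ct, tag, ad=b""):
    """Check the tag in constant time before releasing any plaintext."""
    if not hmac.compare_digest(tag, make_tag(mac_key, nonce, ad, ct)):
        raise ValueError("authentication failed: message was modified")
    return xor_crypt(enc_key, nonce, ct)


def demo():
    # Constructed keys, nonce and message; real keys must be random and secret.
    enc_key, mac_key, nonce = b"\x11" * 32, b"\x22" * 32, b"\x00" * 12
    msg, ad = b"constructed sample message", b"header v1"
    ct, tag = seal(enc_key, mac_key, nonce, msg, ad)
    changed = bytes([ct[0] ^ 0x01]) + ct[1:]  # one bit altered in transit
    silent = xor_crypt(enc_key, nonce, changed)  # decrypts without any error
    try:
        open_sealed(enc_key, mac_key, nonce, changed, tag, ad)
        detected = False
    except ValueError:
        detected = True
    return silent != msg, detected
```

`demo()` returns `(True, True)`: the unauthenticated path hands back altered plaintext silently, and the tagged path refuses to decrypt.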
[^efail]: A variation of the [EFAIL](https://en.wikipedia.org/wiki/EFAIL) attack can be prevented by both the MDC and AEAD mechanisms. Also see ["No, PGP is not broken, not even with the Efail vulnerabilities,"](https://proton.me/blog/pgp-vulnerability-efail) especially the section "Malleability Gadget Exfiltration Channel Attack."

## Public-key (asymmetric) cryptography

[Public-key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) uses asymmetric pairs of related keys. Each pair consists of a public key and a private key. These systems support encryption, decryption, and digital signature operations.

Unlike symmetric cryptography, participants are not required to pre-arrange a shared secret. In public-key cryptography, the public key material is shared openly for certain cryptographic operations, such as encryption and signature verification, while the private key, kept confidential, is used for operations like decryption and signature creation.

(asymmetric_key_pair)=
### Asymmetric cryptographic key pairs

Throughout this document, we will frequently reference asymmetric cryptographic key pairs:

```{figure} diag/asymmetric_keypair.png
---
---
An asymmetric cryptographic key pair
```

Each key pair comprises two parts: the public key and the private key. For ease of identification in this documentation, the public key will be shown in green and the private key in red. Additionally, public keys are depicted with a solid border and pointing to the right, while private keys are shown with a dotted border and pointing to the left.

It's important to note that in many scenarios, only the public key is exposed or used. These situations will be elaborated upon in subsequent sections of this document.

```{figure} diag/public_key.png
---
---
The public part of an asymmetric key pair
```

### Usage and terminology in OpenPGP

OpenPGP extensively uses public-key cryptography for encryption and digital signing operations.

```{admonition} Terminology
:class: note

OpenPGP documentation, including the foundational RFC, opts for the term "secret key" over the more widely accepted "private key." As a result, in the RFC, you'll encounter the "public/secret key" pairing more frequently than "public/private key." This terminology reflects historical developments in the OpenPGP community, not a difference in technology.

While "secret key" (as used in the OpenPGP RFC) and "private key" serve the same purpose in cryptographic operations, this document will use the more common "public/private" terminology for clarity and consistency with broader cryptographic discussions.
```

### Cryptographic digital signatures

[Digital signatures](https://en.wikipedia.org/wiki/Digital_signature) are a fundamental mechanism of asymmetric cryptography, providing secure, mathematical means to validate the authenticity, integrity, and origin of digital messages and documents.

In OpenPGP, digital signatures have diverse applications, extending beyond mere validation of a message's origin. They can signify various intents, including certification, consent, acknowledgment, or even revocation by the signer. The multifaceted nature of "statements" conveyed through digital signatures in cryptographic protocols is wide-ranging but crucial, allowing third parties to inspect/evaluate these statements for authenticity and intended purpose.

Digital signatures in OpenPGP are used in two primary contexts:

- [Data signatures](signing_data)
- [Signatures on components](component_signatures_chapter)

(hybrid_cryptosystems)=
## Hybrid cryptosystems in OpenPGP

[Hybrid cryptosystems](https://en.wikipedia.org/wiki/Hybrid_cryptosystem) combine the use of symmetric and asymmetric (public-key) cryptography to capitalize on the strengths of each, namely symmetric cryptography's speed and efficiency and public-key cryptography's mechanism for secure key exchange.

OpenPGP uses a hybrid cryptosystem for encryption. This approach involves generating unique shared secrets, known as "session keys," for each session. For detailed information on this topic, please refer to the chapters {ref}`encryption_chapter` and {ref}`decryption_chapter`.