mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-27 01:52:06 +01:00
ch5: use new diagrams
This commit is contained in:
parent
4a568be351
commit
d44226d288
1 changed files with 7 additions and 9 deletions
|
@ -18,10 +18,10 @@ This chapter is about the counterpart to the public material in certificates: He
|
|||
|
||||
In this text, we treat the private key material as logically separate from the OpenPGP certificate. Operations that use the private key material are typically handled by a separate subsystem. It is useful to think about OpenPGP certificates on one hand, and the associated private key material, on the other, as two related elements, which are usually handled separately[^pkcs11]:
|
||||
|
||||
```{admonition} VISUAL
|
||||
:class: warning
|
||||
|
||||
- OpenPGP certificate side-by-side with the associated, loose private key material
|
||||
```{figure} diag/OpenPGPCert_with_privatekeystore.png
|
||||
|
||||
An OpenPGP certificate, with the associated private key material handled by a key store subsystem.
|
||||
```
|
||||
|
||||
[^pkcs11]: This kind of distinction between certificates (which combine public key material and identity information) on the one hand, and private key material on the other, is also applied in the data model of [PKCS #11](https://en.wikipedia.org/wiki/PKCS_11) cryptographic systems.
|
||||
|
@ -38,10 +38,9 @@ Transferable secret keys are sometimes colloquially referred to as "OpenPGP priv
|
|||
|
||||
Sometimes users handle OpenPGP certificates combined with private key material in the form of *transferable secret keys* (TSK). Transferable secret keys are a serialized format that combines the OpenPGP certificate data with the connected private key material, stored in a single file.
|
||||
|
||||
```{admonition} VISUAL
|
||||
:class: warning
|
||||
```{figure} diag/TSK.png
|
||||
|
||||
- OpenPGP certificate with integrated private key material, as TSK
|
||||
OpenPGP certificate with integrated private key material, as a TSK
|
||||
```
|
||||
|
||||
The TSK format can be useful for backups of OpenPGP key material, or to move a key to a different computer[^gpg-tsk].
|
||||
|
@ -61,10 +60,9 @@ Using a passphrase can be useful when a third party can obtain a copy of the Ope
|
|||
|
||||
OpenPGP defines a mechanism called [string-to-key (S2K)](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-string-to-key-s2k-specifier) that is used to derive (high-entropy) symmetric encryption keys from (lower-entropy) passphrases, using a [key derivation function (KDF)](https://en.wikipedia.org/wiki/Key_derivation_function).
|
||||
|
||||
```{admonition} VISUAL
|
||||
:class: warning
|
||||
```{figure} diag/passphrase_using_S2K.png
|
||||
|
||||
- passphrase --(S2k mechanism)--> symmetric encryption key
|
||||
Transforming a passphrase to a symmetric key
|
||||
```
|
||||
|
||||
The private key material for individual component keys of one certificate can be encrypted with different mechanisms, and/or using different passphrases.
|
||||
|
|
Loading…
Reference in a new issue