vanitasvitae/openpgp-notes
1
0
Fork 0
mirror of https://codeberg.org/openpgp/notes.git synced 2024-11-23 08:02:05 +01:00
Code Issues Projects Releases Packages Wiki Activity

ch5: use new diagrams

Browse source
This commit is contained in:
Heiko Schaefer 2023-10-29 23:07:00 +01:00
parent 4a568be351
commit d44226d288
No known key found for this signature in database
GPG key ID: 4A849A1904CCBD7D
1 changed files with 7 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
book/source/05-private.md
View file

@ -18,10 +18,10 @@ This chapter is about the counterpart to the public material in certificates: He
In this text, we treat the private key material as logically separate from the OpenPGP certificate. Operations that use the private key material are typically handled by a separate subsystem. It is useful to think about OpenPGP certificates on one hand, and the associated private key material, on the other, as two related elements, which are usually handled separately[^pkcs11]:
```{admonition} VISUAL
:class: warning
- OpenPGP certificate side-by-side with the associated, loose private key material
```{figure} diag/OpenPGPCert_with_privatekeystore.png
An OpenPGP certificate, with the associated private key material handled by a key store subsystem.
```
[^pkcs11]: This kind of distinction between certificates (which combine public key material and identity information) on the one hand, and private key material on the other, is also applied in the data model of [PKCS #11](https://en.wikipedia.org/wiki/PKCS_11) cryptographic systems.
@ -38,10 +38,9 @@ Transferable secret keys are sometimes colloquially referred to as "OpenPGP priv
Sometimes users handle OpenPGP certificates combined with private key material in the form of *transferable secret keys* (TSK). Transferable secret keys are a serialized format that combines the OpenPGP certificate data with the connected private key material, stored in a single file.
```{admonition} VISUAL
:class: warning
```{figure} diag/TSK.png
- OpenPGP certificate with integrated private key material, as TSK
OpenPGP certificate with integrated private key material, as a TSK
```
The TSK format can be useful for backups of OpenPGP key material, or to move a key to a different computer[^gpg-tsk].
@ -61,10 +60,9 @@ Using a passphrase can be useful when a third party can obtain a copy of the Ope
OpenPGP defines a mechanism called [string-to-key (S2K)](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-string-to-key-s2k-specifier) that is used to derive (high-entropy) symmetric encryption keys from (lower-entropy) passphrases, using a [key derivation function (KDF)](https://en.wikipedia.org/wiki/Key_derivation_function).
```{admonition} VISUAL
:class: warning
```{figure} diag/passphrase_using_S2K.png
- passphrase --(S2k mechanism)--> symmetric encryption key
Transforming a passphrase to a symmetric key
```
The private key material for individual component keys of one certificate can be encrypted with different mechanisms, and/or using different passphrases.