Add input from Wiktor

2024-11-23 08:02:05 +01:00 · 2023-09-28 16:02:30 +02:00 · 2023-09-28 16:02:30 +02:00 · eef2a11842
commit eef2a11842
parent 3ef4f265d1
4 changed files with 63 additions and 9 deletions
--- a/book/source/03-cryptography.md
+++ b/book/source/03-cryptography.md
@ -13,6 +13,8 @@

 https://en.wikipedia.org/wiki/Cryptographic_hash_function

+Note: hashes are sometimes called "digests".
+
 ## Symmetric-key cryptography

 [Symmetric-key cryptography](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) uses the same cryptographic key for both encryption and decryption. Symmetric-key cryptographic systems support *encryption/decryption* operations.
@ -25,6 +27,10 @@ Participants in symmetric-key operations need to exchange the shared secret over
 - visualization? (maybe a black key icon, following wikipedia's example?)
 ```

+Symmetric-key cryptography is much faster than public-key cryptography. Also, unlike traditional public-key mechanisms, symmetric-key cryptography is quantum-resistant.
+
+So there is a trade-off: Symmetric-key has major benefits, but exchanging the shared secret is a problem that needs to be solved separately. [Hybrid cryptosystems](hybrid_cryptosystems) are one common approach.
+
 ### Symmetric-key cryptography in OpenPGP

 Symmetric cryptography is used in OpenPGP as part of a [hybrid cryptosystem](https://en.wikipedia.org/wiki/Hybrid_cryptosystem).
@ -33,6 +39,11 @@ Where symmetric keys are used in OpenPGP, they are referred to as "session keys.

 ### Authenticated encryption with associated data (AEAD)

+```{admonition} TODO
+:class: warning
+
+- AEAD solves the problem of malleability.
+```

 ## Public-key, or asymmetric cryptography

@ -50,6 +61,13 @@ In many places, we'll deal with asymmetric cryptographic key pairs:
 An asymmetric cryptographic key pair
 ```

+```{admonition} VISUAL
+:class: warning
+
+- Wiktor notes: red-green color-blindness affects 8,5% of the population.
+- Heiko: maybe use colors + distinct shapes for the two key halves?
+```
+
 An asymmetric cryptographic key pair consists of a public and a private part. In this document, we'll show the public part of key pair in green, and the private part in red.

 We'll usually visualize cryptographic key pairs in this more compact form:
@ -77,6 +95,7 @@ OpenPGP makes heavy use of public-key cryptography.

 Note that, for historical reasons, OpenPGP often uses the terms "public/secret" instead of "public/private." The OpenPGP RFC and other documentation often use the non-standard term "secret key" instead of the more common "private key."

+(hybrid_cryptosystems)=
 ## Hybrid cryptosystems

 [Hybrid cryptosystems](https://en.wikipedia.org/wiki/Hybrid_cryptosystem) combine public-key cryptosystems with symmetric-key cryptosystems in a way that makes use of their respective advantages.
--- a/book/source/04-certificates.md
+++ b/book/source/04-certificates.md
@ -13,11 +13,11 @@ First, without additional context, the word "key" can refer either to public, or

 Independent of the distinction between private and public keys, in OpenPGP, the term "key" is used to refer to three different layers, all related but distinct:

- A (bare) "cryptographic key" (without additional metadata). Those might be the private and/or public parameters that form a key, e.g., in case of an RSA private key, the exponent `d` along with the prime numbers `p` and `q`.
- An OpenPGP *component key*: Either an "OpenPGP primary key", or an "OpenPGP subkey". A component key is one building block of an OpenPGP certificate. It consist of a (bare) cryptographic keypair combined some invariant metadata (e.g. key creation time).
- An "OpenPGP key", or "OpenPGP certificate": Consists of a number of component keys plus additional elements, such as identity information. (OpenPGP "key servers" serve this type of object).
+1. A (bare) "cryptographic key" (without additional metadata). Those might be the private and/or public parameters that form a key, e.g., in case of an RSA private key, the exponent `d` along with the prime numbers `p` and `q`.
+2. An OpenPGP *component key*: Either an "OpenPGP primary key", or an "OpenPGP subkey". A component key is one building block of an OpenPGP certificate. It consist of a (bare) cryptographic keypair combined some invariant metadata (e.g. key creation time).
+3. An "OpenPGP certificate" (or "OpenPGP key"): Consists of a number of component keys plus additional elements, such as identity information. (e.g. OpenPGP "key servers" serve this type of object).

-In the following section, we'll look at these different layers.
+In the following section, we'll look at two OpenPGP-specific layers (2 and 3).


 ## Structure of OpenPGP certificates
@ -30,7 +30,7 @@ An OpenPGP certificate (or "OpenPGP key") is a collection of an arbitrary number

 All elements of an OpenPGP certificate are structured around one central element: the *OpenPGP primary key*. The primary key acts as a personal CA for the key's owner: It can make cryptographic statements about subkeys, identities, expiration times, revocation, ...

-Note that OpenPGP certificates are typically long-lived and may be changed (typically by their owner), over time. Components can be added and invalidatedm, over the lifetime of a certificate
+Note that OpenPGP certificates are typically long-lived and may be changed (typically by their owner), over time. Components can be added and invalidated, over the lifetime of a certificate

 ### OpenPGP component keys

@ -58,7 +58,7 @@ Besides a cryptographic keypair, an OpenPGP component key contains additional me
 An OpenPGP component key
 ```

-For each OpenPGP component key, an *OpenPGP fingerprint* can be derived from the combination of the public key material and metadata:
+For each OpenPGP component key, an *OpenPGP fingerprint* can be derived from the combination of the public key material and creation timestamp (plus additional algorithm parameters, for [ECDH Keys](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ecd)):

 ```{figure} diag/fingerprint.png
 ---
@ -77,12 +77,13 @@ The "OpenPGP primary key" has the same structure as all other component keys. Bu
 - Its fingerprint is used as the unique identifier for the full OpenPGP certificate.
 - In addition, it is used for lifecycle operations (e.g. adding or invalidating subkeys or identities in a certificate)

+(The OpenPGP primary key has historically also sometimes informally been referred to as "master key".)

 #### Subkeys

 In addition to the primary key, modern OpenPGP certificates can contain "subkeys" in addition to the primary key.

-Subkeys have the same structure as the primary key, but play a subtly different role in the certificate.
+Subkeys have the same structure as the primary key, but play a subtly different role in the certificate. Subkeys are cryptographically linked with the primary key (more on this below).

 ```{figure} diag/with_subkeys.png
 ---
@ -109,6 +110,8 @@ Only the primary key can perform "certification" operations. All other operation

 It is considered good practice to have separate component keys for each type of operation (specifically: to allow only *Certification* operations for the primary key, and to have separate *Signing*, *Encryption* and *Authentication* subkeys).

+(Aside: with ECC algorithms, it's actually not possible to share encryption functionality with the signing-based functionalities, e.g.: ed25519 used for signing; cv25519 used for encryption.)
+
 ### Identity components

 #### User IDs
@ -187,6 +190,8 @@ Linking a User ID to an OpenPGP certificate

 ## Revocations

+Note: certification signatures [can be made irrevocable](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-revocable). 
+
 ### Hard vs. soft revocations


@ -216,6 +221,10 @@ Minimized versions, merging, effective "append only" semantics, ...

 ### Metadata Leak of Social Graph

+### Adding unbound User IDs to a certificate
+
+Some OpenPGP subsystems may add User IDs to a certificate, which are not bound to the primary key by the certificate's owner. This can be useful to store local identity information (e.g. sequoia's public store).
+
 ## Zooming in: Package structure

 To use OpenPGP, we need "(OpenPGP) keys."
@ -364,6 +373,13 @@ A minimal OpenPGP key, visualized

 Let's compare this with the same certificate seen as an armored "public" certificate (that is, a variant of the key above, but without the private key material. An OpenPGP user might give such a certificate to a communication partner, so that the remote party could send encrypted messages to the user):

+
+```{admonition} TODO
+:class: warning
+
+Show packet dump invocations.
+```
+
 ```
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Comment: 6D10 0EB0 444D 1648 DAD9  A0EE DE83 CCF4 A204 F957
--- a/book/source/11-decryption.md
+++ b/book/source/11-decryption.md
@ -8,4 +8,19 @@
  - using revoked certificate?
  - using expired subkey?
  - using revoked subkey?
-```
+```
+
+## Advanced topics
+
+### Selecting decryption key
+
+- Trying PKESKs until one works out
+- consider "smart" strategies
+
+additional wrinkle: hidden intended decryption key (`gnupg --throw-keyid`)
+ 
+also see:
+
+https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#pkesk-notes
+
+> An implementation MAY accept or use a Key ID of all zeros, or an omitted key fingerprint, to hide the intended decryption key
--- a/book/source/12-compression.md
+++ b/book/source/12-compression.md
@ -1 +1,5 @@
-# Compression
+# Compression
+
+## Zooming in: Package structure and internals
+
+### Decompression yields a 'wrapped' openpgp packet stream