Add input from Wiktor

This commit is contained in:
Heiko Schaefer 2023-09-28 16:02:30 +02:00
parent 3ef4f265d1
commit eef2a11842
No known key found for this signature in database
GPG key ID: 4A849A1904CCBD7D
4 changed files with 63 additions and 9 deletions

View file

@ -13,6 +13,8 @@
https://en.wikipedia.org/wiki/Cryptographic_hash_function https://en.wikipedia.org/wiki/Cryptographic_hash_function
Note: hashes are sometimes called "digests".
## Symmetric-key cryptography ## Symmetric-key cryptography
[Symmetric-key cryptography](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) uses the same cryptographic key for both encryption and decryption. Symmetric-key cryptographic systems support *encryption/decryption* operations. [Symmetric-key cryptography](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) uses the same cryptographic key for both encryption and decryption. Symmetric-key cryptographic systems support *encryption/decryption* operations.
@ -25,6 +27,10 @@ Participants in symmetric-key operations need to exchange the shared secret over
- visualization? (maybe a black key icon, following wikipedia's example?) - visualization? (maybe a black key icon, following wikipedia's example?)
``` ```
Symmetric-key cryptography is much faster than public-key cryptography. Also, unlike traditional public-key mechanisms, symmetric-key cryptography is quantum-resistant.
So there is a trade-off: Symmetric-key has major benefits, but exchanging the shared secret is a problem that needs to be solved separately. [Hybrid cryptosystems](hybrid_cryptosystems) are one common approach.
### Symmetric-key cryptography in OpenPGP ### Symmetric-key cryptography in OpenPGP
Symmetric cryptography is used in OpenPGP as part of a [hybrid cryptosystem](https://en.wikipedia.org/wiki/Hybrid_cryptosystem). Symmetric cryptography is used in OpenPGP as part of a [hybrid cryptosystem](https://en.wikipedia.org/wiki/Hybrid_cryptosystem).
@ -33,6 +39,11 @@ Where symmetric keys are used in OpenPGP, they are referred to as "session keys.
### Authenticated encryption with associated data (AEAD) ### Authenticated encryption with associated data (AEAD)
```{admonition} TODO
:class: warning
- AEAD solves the problem of malleability.
```
## Public-key, or asymmetric cryptography ## Public-key, or asymmetric cryptography
@ -50,6 +61,13 @@ In many places, we'll deal with asymmetric cryptographic key pairs:
An asymmetric cryptographic key pair An asymmetric cryptographic key pair
``` ```
```{admonition} VISUAL
:class: warning
- Wiktor notes: red-green color-blindness affects 8,5% of the population.
- Heiko: maybe use colors + distinct shapes for the two key halves?
```
An asymmetric cryptographic key pair consists of a public and a private part. In this document, we'll show the public part of key pair in green, and the private part in red. An asymmetric cryptographic key pair consists of a public and a private part. In this document, we'll show the public part of key pair in green, and the private part in red.
We'll usually visualize cryptographic key pairs in this more compact form: We'll usually visualize cryptographic key pairs in this more compact form:
@ -77,6 +95,7 @@ OpenPGP makes heavy use of public-key cryptography.
Note that, for historical reasons, OpenPGP often uses the terms "public/secret" instead of "public/private." The OpenPGP RFC and other documentation often use the non-standard term "secret key" instead of the more common "private key." Note that, for historical reasons, OpenPGP often uses the terms "public/secret" instead of "public/private." The OpenPGP RFC and other documentation often use the non-standard term "secret key" instead of the more common "private key."
(hybrid_cryptosystems)=
## Hybrid cryptosystems ## Hybrid cryptosystems
[Hybrid cryptosystems](https://en.wikipedia.org/wiki/Hybrid_cryptosystem) combine public-key cryptosystems with symmetric-key cryptosystems in a way that makes use of their respective advantages. [Hybrid cryptosystems](https://en.wikipedia.org/wiki/Hybrid_cryptosystem) combine public-key cryptosystems with symmetric-key cryptosystems in a way that makes use of their respective advantages.

View file

@ -13,11 +13,11 @@ First, without additional context, the word "key" can refer either to public, or
Independent of the distinction between private and public keys, in OpenPGP, the term "key" is used to refer to three different layers, all related but distinct: Independent of the distinction between private and public keys, in OpenPGP, the term "key" is used to refer to three different layers, all related but distinct:
- A (bare) "cryptographic key" (without additional metadata). Those might be the private and/or public parameters that form a key, e.g., in case of an RSA private key, the exponent `d` along with the prime numbers `p` and `q`. 1. A (bare) "cryptographic key" (without additional metadata). Those might be the private and/or public parameters that form a key, e.g., in case of an RSA private key, the exponent `d` along with the prime numbers `p` and `q`.
- An OpenPGP *component key*: Either an "OpenPGP primary key", or an "OpenPGP subkey". A component key is one building block of an OpenPGP certificate. It consist of a (bare) cryptographic keypair combined some invariant metadata (e.g. key creation time). 2. An OpenPGP *component key*: Either an "OpenPGP primary key", or an "OpenPGP subkey". A component key is one building block of an OpenPGP certificate. It consist of a (bare) cryptographic keypair combined some invariant metadata (e.g. key creation time).
- An "OpenPGP key", or "OpenPGP certificate": Consists of a number of component keys plus additional elements, such as identity information. (OpenPGP "key servers" serve this type of object). 3. An "OpenPGP certificate" (or "OpenPGP key"): Consists of a number of component keys plus additional elements, such as identity information. (e.g. OpenPGP "key servers" serve this type of object).
In the following section, we'll look at these different layers. In the following section, we'll look at two OpenPGP-specific layers (2 and 3).
## Structure of OpenPGP certificates ## Structure of OpenPGP certificates
@ -30,7 +30,7 @@ An OpenPGP certificate (or "OpenPGP key") is a collection of an arbitrary number
All elements of an OpenPGP certificate are structured around one central element: the *OpenPGP primary key*. The primary key acts as a personal CA for the key's owner: It can make cryptographic statements about subkeys, identities, expiration times, revocation, ... All elements of an OpenPGP certificate are structured around one central element: the *OpenPGP primary key*. The primary key acts as a personal CA for the key's owner: It can make cryptographic statements about subkeys, identities, expiration times, revocation, ...
Note that OpenPGP certificates are typically long-lived and may be changed (typically by their owner), over time. Components can be added and invalidatedm, over the lifetime of a certificate Note that OpenPGP certificates are typically long-lived and may be changed (typically by their owner), over time. Components can be added and invalidated, over the lifetime of a certificate
### OpenPGP component keys ### OpenPGP component keys
@ -58,7 +58,7 @@ Besides a cryptographic keypair, an OpenPGP component key contains additional me
An OpenPGP component key An OpenPGP component key
``` ```
For each OpenPGP component key, an *OpenPGP fingerprint* can be derived from the combination of the public key material and metadata: For each OpenPGP component key, an *OpenPGP fingerprint* can be derived from the combination of the public key material and creation timestamp (plus additional algorithm parameters, for [ECDH Keys](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ecd)):
```{figure} diag/fingerprint.png ```{figure} diag/fingerprint.png
--- ---
@ -77,12 +77,13 @@ The "OpenPGP primary key" has the same structure as all other component keys. Bu
- Its fingerprint is used as the unique identifier for the full OpenPGP certificate. - Its fingerprint is used as the unique identifier for the full OpenPGP certificate.
- In addition, it is used for lifecycle operations (e.g. adding or invalidating subkeys or identities in a certificate) - In addition, it is used for lifecycle operations (e.g. adding or invalidating subkeys or identities in a certificate)
(The OpenPGP primary key has historically also sometimes informally been referred to as "master key".)
#### Subkeys #### Subkeys
In addition to the primary key, modern OpenPGP certificates can contain "subkeys" in addition to the primary key. In addition to the primary key, modern OpenPGP certificates can contain "subkeys" in addition to the primary key.
Subkeys have the same structure as the primary key, but play a subtly different role in the certificate. Subkeys have the same structure as the primary key, but play a subtly different role in the certificate. Subkeys are cryptographically linked with the primary key (more on this below).
```{figure} diag/with_subkeys.png ```{figure} diag/with_subkeys.png
--- ---
@ -109,6 +110,8 @@ Only the primary key can perform "certification" operations. All other operation
It is considered good practice to have separate component keys for each type of operation (specifically: to allow only *Certification* operations for the primary key, and to have separate *Signing*, *Encryption* and *Authentication* subkeys). It is considered good practice to have separate component keys for each type of operation (specifically: to allow only *Certification* operations for the primary key, and to have separate *Signing*, *Encryption* and *Authentication* subkeys).
(Aside: with ECC algorithms, it's actually not possible to share encryption functionality with the signing-based functionalities, e.g.: ed25519 used for signing; cv25519 used for encryption.)
### Identity components ### Identity components
#### User IDs #### User IDs
@ -187,6 +190,8 @@ Linking a User ID to an OpenPGP certificate
## Revocations ## Revocations
Note: certification signatures [can be made irrevocable](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-revocable).
### Hard vs. soft revocations ### Hard vs. soft revocations
@ -216,6 +221,10 @@ Minimized versions, merging, effective "append only" semantics, ...
### Metadata Leak of Social Graph ### Metadata Leak of Social Graph
### Adding unbound User IDs to a certificate
Some OpenPGP subsystems may add User IDs to a certificate, which are not bound to the primary key by the certificate's owner. This can be useful to store local identity information (e.g. sequoia's public store).
## Zooming in: Package structure ## Zooming in: Package structure
To use OpenPGP, we need "(OpenPGP) keys." To use OpenPGP, we need "(OpenPGP) keys."
@ -364,6 +373,13 @@ A minimal OpenPGP key, visualized
Let's compare this with the same certificate seen as an armored "public" certificate (that is, a variant of the key above, but without the private key material. An OpenPGP user might give such a certificate to a communication partner, so that the remote party could send encrypted messages to the user): Let's compare this with the same certificate seen as an armored "public" certificate (that is, a variant of the key above, but without the private key material. An OpenPGP user might give such a certificate to a communication partner, so that the remote party could send encrypted messages to the user):
```{admonition} TODO
:class: warning
Show packet dump invocations.
```
``` ```
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: 6D10 0EB0 444D 1648 DAD9 A0EE DE83 CCF4 A204 F957 Comment: 6D10 0EB0 444D 1648 DAD9 A0EE DE83 CCF4 A204 F957

View file

@ -8,4 +8,19 @@
- using revoked certificate? - using revoked certificate?
- using expired subkey? - using expired subkey?
- using revoked subkey? - using revoked subkey?
``` ```
## Advanced topics
### Selecting decryption key
- Trying PKESKs until one works out
- consider "smart" strategies
additional wrinkle: hidden intended decryption key (`gnupg --throw-keyid`)
also see:
https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#pkesk-notes
> An implementation MAY accept or use a Key ID of all zeros, or an omitted key fingerprint, to hide the intended decryption key

View file

@ -1 +1,5 @@
# Compression # Compression
## Zooming in: Package structure and internals
### Decompression yields a 'wrapped' openpgp packet stream