openpgp-notes/book/source/03-cryptography.md

(cyrptography_chapter)=

Cryptographic concepts and terms

:class: warning

- Introduce visualizations for cryptographic primitives
- Show example visualizations for operations? (encrypt/decrypt and signing/verification - only if we're going to reuse the visual primitives later)

(Cryptographic) hash functions

(Cryptographic) hash functions map binary data of arbitrary length to a fixed size "hash" (hashes are also sometimes called "digests").

Hash functions are used in cryptography to produce shorthand "placeholders" for data. Two properties of cryptographic hash functions are particularly important:

• "Pre-image resistance": Given a hash value, it should be hard to find a message that maps to that hash value.
• "Collision resistance": It should be hard to find two messages that map to the same hash value.

Symmetric-key cryptography

Symmetric-key cryptography uses the same cryptographic key for both encryption and decryption. Symmetric-key cryptographic systems support encryption/decryption operations.

Participants in symmetric-key operations need to exchange the shared secret over a secure channel.

:class: warning

- visualization? (maybe a black key icon, following wikipedia's example?)

Benefits and downsides

Symmetric-key cryptography has major benefits: it is much faster than public-key cryptography (see below). Also, most current symmetric cryptographic algorithms are considered quantum-resistant¹.

However, exchanging the required shared secret is a problem that needs to be solved separately.

Hybrid cryptosystems (see below) are one common approach to leverage the benefits of symmetric-key cryptography, while handling the shared secret with a separate mechanism (using public-key cryptography).

Symmetric-key cryptography in OpenPGP

Symmetric-key cryptography is used in OpenPGP in three contexts:

• most prominently, as part of a hybrid cryptosystem to encrypt and decrypt data,
• to encrypt password-protected private key material, and
• for password-protected data encryption (a less commonly used feature of the standard).

Where symmetric keys are used in OpenPGP for data encryption, they are called either "message keys" or "session keys²."

Authenticated encryption with associated data (AEAD)

Authenticated encryption is a class of cryptographic schemes that gives additional guarantees besides confidentiality.

In OpenPGP version 6, AEAD was introduced as a successor to the MDC³ mechanism. AEAD is a common mechanism to solve the problem of "malleability": In past versions of the OpenPGP protocol, some malicious changes to ciphertext were undetectable. AEAD protects against undetected changes of ciphertext.

Protecting against malleability counters a variation of the EFAIL⁴ attack.

Public-key, or asymmetric cryptography

Public-key cryptography systems use asymmetric pairs of related keys. Public-key cryptographic systems support encryption/decryption as well as digital signature operations.

Unlike symmetric cryptography, public-key cryptography doesn't require participants to pre-arrange a shared secret. Instead, with public-key cryptography, the public parts of the key material can be shared openly and then used for cryptographic operations.

(asymmetric_key_pair)=

Asymmetric cryptographic key pairs

In many places, we'll deal with asymmetric cryptographic key pairs:

---
---
An asymmetric cryptographic key pair

An asymmetric cryptographic key pair consists of a public and a private part. In this document, we'll show the public part of a key pair in green, and the private part in red.

Note that in many contexts, only the public part is present (more on that later):

---
---
Only the public part of an asymmetric key pair

Public-key cryptography in OpenPGP

OpenPGP makes heavy use of public-key cryptography, both for encryption and signing operations.

:class: note

For historical reasons, the OpenPGP RFC and other documentation often use the non-standard term "secret key" instead of the more common "private key."

So in OpenPGP, the pair of terms "public/secret key" is sometimes used instead of the more common "public/private key."

Cryptographic digital signatures

Digital signatures are a mechanism that is based on asymmetric cryptography. With this mechanism, one actor can make a signature over a digital message, and another actor can check the validity of that signature.

The signer uses digital signatures to make statements about the message. Third parties can then inspect these statements.

:class: warning

- add visualization showing: message + private key + sign = signature -> message + signature + public key + verify = ok?

In OpenPGP, digital signatures are used in two different contexts:

• Certification statements
• Signatures over data

(hybrid_cryptosystems)=

Hybrid cryptosystems

Hybrid cryptosystems combine two cryptosystems and make use of their respective advantages:

• A public-key cryptosystem is used to safely handle shared secrets over insecure channels (in OpenPGP: so-called "session keys")
• A symmetric-key cryptosystem is used to efficiently encrypt and decrypt long messages (using an OpenPGP "session key" as the shared secret)

---

1. Daniel J. Bernstein (2009). "Introduction to post-quantum cryptography" (PDF) states that: "many important classes of cryptographic systems", including secret-key cryptographic mechanisms like AES "[..] are believed to resist classical computers and quantum computers." (pages 1, 2). ↩︎

2. In OpenPGP version 6, when using the "Version 2 Symmetrically Encrypted Integrity Protected Data Packet Format", a "message key" is derived from a "session key". Previously (up to OpenPGP version 4, and in version 6 when using "Version 1 Symmetrically Encrypted Integrity Protected Data Packet Format"), the "session key" was used directly as a symmetric encryption key. ↩︎

3. In OpenPGP version 4, a mechanism called MDC (Modification Detection Code) was introduced to serve a comparable purpose as AEAD. While MDC is a non-standard mechanism, as of this writing, there are no known attacks against the scheme. ↩︎

4. A variation of the EFAIL attack can be prevented by both the MDC and AEAD mechanisms. Also see "No, PGP is not broken, not even with the Efail vulnerabilities", especially the section "Malleability Gadget Exfiltration Channel Attack". ↩︎