Feature, USENIX

 

torn money and the PGP web of trust

by Jeanette McLeod
<jmcleod@qualcomm.com>
and Greg Rose
<ggr@qualcomm.com>
Jeanette McLeod received a BS from the Northern Territory University (Australia) last year, majoring in mathematics and computer science. She works for QUALCOMM International in Sydney. Greg Rose is vice president of USENIX. He runs the Australian development office for QUALCOMM, where his major focus is on cryptography for security and authentication in mobile phones.

Legitimacy and trust are perhaps the most complicated aspects of PGP (Pretty Good Privacy). The trust model used by PGP assumes that trust starts with bilateral arrangements (key signing) and grows organically to produce a decentralized "web" known as the "Web of Trust." Decentralization is advantageous in that it forgoes the need for any central authority, yet the model as it stands does not scale well in a large, open community. Torn Money has been designed as an authentication service primarily to facilitate the introduction of new users to the Web of Trust and also as a means of enhancing connectivity within the existing web.

Torn Money is a follow-up to the AUUG's PGP Key Signing Service, which, in essence, seeks to maintain and support PGP's decentralized trust model.

Background

PGP is a publicly, and internationally, available privacy program. Essentially, it uses public key cryptographic techniques to allow messages to be exchanged between people across public networks while protecting the privacy of the contents and guaranteeing authenticity of the sender.

Traditionally, one of the problems with cryptographic systems was "key management." The key is the secret value that allows information to be encoded and/or decoded. Prior to the development of public key cryptography, the key had to be securely exchanged between parties before they could communicate. Public key systems are designed such that two separate keys are used, one of which can be made public (like a telephone number) while the other is kept secure by the owner (like the telephone itself). In light of this development, it would appear that the problem of key management has been solved.

Unfortunately, this is not the case. Key management is undeniably easier using public key systems, but the question now becomes one of authentication. How do you know, for sure, that the person you are sending a secret message to is really the person he or she claims to be? I could easily get a telephone connected in another name and sit back, waiting for phone calls intended for another person of that name.

One solution to the problem is to introduce the notion of "trusted parties," that is, people whom you trust to introduce (and therefore authenticate) other parties to you. Using the telephone analogy, you would say secret things on the phone only if someone you trust had given you the telephone number, not if you had just looked it up in the phone book. This is what the PGP documentation refers to as the Web of Trust. Its structure is likened to that of a web because each party involved, trusted by you, can introduce other parties whom you may or may not already know.

Another possible solution is the use of Certification Authorities, thereby enforcing a hierarchical structure on the Web of Trust. What this means is that any public key you acquire must now come with a list of certificates. For example, J. Smith's public key might come with a certificate from Widgets, Inc., stating that he works for them. In order to establish their authenticity, Widgets, Inc. would also require a certificate from someone asserting that it is a Delaware corporation. To authenticate this, the state of Delaware would need a certificate to verify it was really what it claimed to be, and so on. Eventually, the regression must stop, with a certificate being issued by some omnipresent authority (which, at the moment, is RSA Data Security, Inc.).

Both schemes have flaws. The major problem with the Web of Trust is that it has to be big and well connected before it becomes useful, but the Certification Authority approach assumes the sort of control that is often the reason the parties wanted to communicate privately in the first place.

(The above is intended to be an absolutely minimal explanation of the concepts of public key cryptography and key management. If the concepts are not yet clear, the PGP documentation, which you should eventually read, explains it in more detail.)

Torn Money and the PGP Key Signing Service

In an attempt to expand the Web of Trust, AUUG set up a PGP Key Signing Service in which it acted as an introducer for PGP keys. By virtue of the conferences it held, AUUG was in a position to physically meet with people, verify their identity, and then issue key signatures attesting to their identity. The high public profile of the organization meant that key verification wasn't difficult, and as the procedures for the key-signing were made public, it was easy to decide what level of trust to place in the authenticity of a key signed by AUUG. However, the service was beginning to introduce a hierarchy into the Web of Trust, with AUUG inadvertently taking on the role of a Certification Authority. The implications of this brought the service to an end, because it was no longer conforming to the PGP trust model. However, the service had one very innovative feature: it did not require people to have their key ready in advance.

"Torn Money" has been designed in the same vein as the Key Signing Service, with its main aim to facilitate PGP key signing. This new service avoids the problems that the Key Signing Service was beginning to encounter while managing to preserve the favorable features -- namely, it still allows the verification of those who have not prepared their keys in advance. The inspiration behind Torn Money comes from old spy films, where the possession of a significant half of a torn banknote established a person's identity. The beauty of such a concept is that it no longer requires an "authority" such as AUUG to oversee the key-signing; the notion of the "torn" banknote means that any two parties can be involved and still effectively identify each other at a later date.

Introduction to Torn Money

PGP signing can occur whenever one interested party meets with another (conferences such as those hosted by AUUG or USENIX are a common forum for such an activity). People wishing to have their keys signed provide acceptable proof of identity together with their PGP fingerprint to the person or persons they wish to have sign their key. Their public key can then later be retrieved for signing from a key server or sent via email, with the supplied fingerprint providing verification of the key's authenticity. However, this kind of key signing is meaningful only if the interested parties already have PGP keys generated and their fingerprints with them. This is not always the case.

Torn Money sidesteps this issue by providing a way in which interested parties can successfully identify each other at a later date. Conceptually, this means that, upon meeting, interested parties will establish their identities as before and then obtain a "secret." The possession of this secret is what enables secure future communication. With this in place, those who are unprepared now have the opportunity to create a PGP key at some later time and then communicate the required details to those parties from which they obtained their secret. By revealing the secret they were given, they are able to prove their identity, thus validating their key for signing.

Although this scheme makes it conceptually viable for two unprepared parties to trade details, Torn Money's primary function is to introduce newcomers to the Web of Trust and enhance connectivity. It is therefore essential that one of the parties involved already belong to the Web of Trust so that his or her signature will act to initiate a newcomer. This person (call him or her an "expert user") will effectively become the "owner" of the Torn Money. It is this person's responsibility to generate and distribute the Torn Money, but he or she is in no way to be considered an "authority." To such effect, the newcomer is well advised to participate in the Torn Money scheme with as many expert users as possible.

Definition of Torn Money

Torn Money borrows its form from that of a banknote. It is simply a piece of paper containing pairs of related secrets (which function something like a banknote's serial number). Upon generating a piece of Torn Money, the expert user will be required to enter name, email address, PGP Key ID and fingerprint, and the number of newcomers he or she wishes to sign keys for. This information is required to facilitate future communication between the owner of the Torn Money and the recipients.

The generated piece of Torn Money will contain the owner's name and PGP fingerprint at the top, as well as a sentence comprising eight four-letter words -- the secret. Next, there is a blank table of n rows, where n is the number of newcomer keys the owner elected to sign. This is left blank so that the expert user can note down the name, email address, and identification information (optional) of anyone wishing to participate. Lastly, the remainder of the document is divided into n sections, designed to be "torn" off by the owner and distributed among the participants. Each section contains the name of the expert user, his email address, PGP key ID and fingerprint, the Web address of the Torn Money Web site, and eight four-letter words -- the participant's secret. (See Appendix for a sample of Torn Money).

After verifying a newcomer's identity, the expert user notes the newcomer's details in a row in the table and gives him the tear-off section corresponding to his row number. This piece of Torn Money should be kept safe; it is now the only existing link between the expert user's identification information and the new user. For security reasons, it is also vital that no one else has access to the Torn Money, as it contains the new user's secret.

Once the newcomer has generated his own PGP key, he should send email to the expert user(s) for whom he has Torn Money. To be secure, the email should be encrypted using the expert user's PGP key (obtained either from the expert user or a key server and verified with the fingerprint on the newcomer's half of the Torn Money), and signed using the newcomer's PGP key in order to prove ownership. The content of this mail should comprise the new user's PGP public key itself and the secret eight four-letter words from the Torn Money.

Upon receiving this message, the expert user must verify the secret received before signing the new key. The new user's secret is derived from a combination of the expert user's secret, the new user's row number in the table on the expert's half of the Torn Money, and the expert user's name. Thus, the expert user must provide these details exactly to the Torn Money verification program to authenticate the contents of the email message. Once this has been achieved, the expert user can sign the new user's key and return it.
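
The verification step described above, sketched as an added example (it is not the Torn Money program's code). The article does not give the derivation algorithm or the word list, so HMAC-SHA256 and the constructed 16-word list are assumptions, and the output will not reproduce the secrets shown in the Appendix.

```python
import hashlib
import hmac

# Constructed 16-word list (4 bits per word) to keep the example short;
# a usable list would be far larger so eight words carry more entropy.
WORDS = ("able bake calm dusk echo fern glow hush "
         "iris jade kelp lamp mint nook opal pine").split()

def canon(words: str) -> str:
    """Normalize a typed-in word secret: case and spacing only."""
    return " ".join(words.lower().split())

def derive_row_secret(owner_secret: str, owner_name: str, row: int) -> str:
    """Assumed derivation: HMAC-SHA256 keyed with the owner's secret over
    the row number and the owner's name, encoded as eight list words."""
    msg = f"{row}\x00{owner_name}".encode("utf-8")
    key = canon(owner_secret).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    nibbles = []
    for byte in digest[:4]:          # 4 bytes -> 8 four-bit indices
        nibbles += [byte >> 4, byte & 0x0F]
    return " ".join(WORDS[i] for i in nibbles)

def verify_claim(owner_secret: str, owner_name: str, row: int, claimed: str) -> bool:
    """Recompute the row's secret and compare in constant time."""
    expected = derive_row_secret(owner_secret, owner_name, row)
    return hmac.compare_digest(expected.encode(), canon(claimed).encode())

def matching_rows(owner_secret: str, owner_name: str, n_rows: int, claimed: str) -> list:
    """Rows of the owner's table whose tear-off secret equals the claim."""
    return [r for r in range(n_rows)
            if verify_claim(owner_secret, owner_name, r, claimed)]

if __name__ == "__main__":
    # Owner name and secret are the sample values from the Appendix.
    owner, secret = "Jeanette McLeod", "real yawn ntis warm winy peel date rate"
    for r in range(5):
        print(r, derive_row_secret(secret, owner, r))
    mailed = derive_row_secret(secret, owner, 2).upper()   # as typed in an email
    print("matches rows:", matching_rows(secret, owner, 5, mailed))
```

In this sketch the owner's name is hashed byte for byte, so a different spelling or capitalization changes the HMAC input; only the word secrets are normalized for case and spacing.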

Note: The use of Torn Money is in no way restricted to newcomer/expert user pairs. As our overall objective is to increase connectivity within the Web of Trust, established users of PGP who may arrive at a gathering ill-equipped for key signing are also encouraged to use Torn Money.

Torn Money Generation and Verification

Torn Money can be generated in two ways: either by using the Web interface at the USENIX Web site, or by downloading the source for it and generating it on your own computer. The same option applies to the verification of the procedure -- a Web interface is available, and the source for it comes as part of the download for the Torn Money program.

User Support

Once the Torn Money project is complete, full documentation and procedures for use will be made available from the USENIX Web site. At this point in time we envision the users of Torn Money to comprise three distinct groups: new users of PGP seeking connection to the Web of Trust, expert users willing to certify new users, and people wishing to advertise gatherings (e.g., conferences, seminars, etc.) where PGP key-signing or exchange of Torn Money can occur. As such, a series of pages will be dedicated to each group.

Newcomers Instruction Page

In support of new users of PGP and Torn Money, a series of help pages will be made available and the Web addresses included on their piece of Torn Money. These pages will include information on PGP and trust, the function of Torn Money and its usage, links to key servers, and the details of any gatherings at which the exchange of Torn Money can occur.

Expert Users Instruction and Generation Page

A set of pages will also be aimed at established users of PGP who wish to generate their own pieces of Torn Money. These pages will include information on the function of Torn Money and its usage as applicable to an expert user, as well as details on how to generate Torn Money and how to verify responses from recipients. The date and location of any gatherings at which the exchange of Torn Money can occur will be made available, and expert users intending to engage in key-signing (and specifically the distribution of Torn Money) will be given the option to register their attendance at specific functions.

Organizer's Page

As part of the Torn Money key-signing service, support will be given to functions and gatherings at which key signing can occur. This support will be provided through a series of pages on the USENIX Web site that will allow organizers to register their functions as forums for PGP key-signing and the distribution of Torn Money. The time, date, and location of the function will be made publicly available so that expert users may indicate their attendance, and hence their willingness to certify new users, and so that newcomers seeking an introduction to the Web of Trust may see when they next have the opportunity to be certified.

All feedback, questions and concerns regarding Torn Money can be directed to Greg Rose and/or Jeanette McLeod. Over time appropriate FAQs will be compiled and posted to the Web site and Torn Money will be revised to better meet user needs.

Concluding Remarks

Successful worldwide use of PGP depends on a widespread, well-connected Web of Trust. Torn Money has been designed with this goal in mind. The project is due for completion sometime this fall, and the Web pages discussed in this article will be made available from the USENIX Web site <http://www.usenix.org>. Meanwhile, any feedback on the project is welcome, and Torn Money is available for trial usage on request.

Appendix

TORN MONEY FOR Jeanette McLeod

Key Fingerprint:  1B DE 98 8F C8 49 05 4B 82 56 DD DA 67 4E FD B0

Verification:  real yawn ntis warm winy peel date rate

No.  Name  Email Address  Id Information (optional)
0
1
2
3
4

0. Name: Jeanette McLeod
Email: <jmcleod@qualcomm.com>
Key ID: 2C500945
Public Key Fingerprint: 1B DE 98 8F C8 49 05 4B 82 56 DD DA 67 4E FD B0
Verification: quit list burg mesh dare jane afro grad
Help: <http://www.USENIX.org/tornmoney/newcomer.html>

1. Name: Jeanette McLeod
Email: <jmcleod@qualcomm.com>
Key ID: 2C500945
Public Key Fingerprint: 1B DE 98 8F C8 49 05 4B 82 56 DD DA 67 4E FD B0
Verification: marc oral tick voss mimi cosh toby pure
Help: <http://www.USENIX.org/tornmoney/newcomer.html>

2. Name: Jeanette McLeod
Email: <jmcleod@qualcomm.com>
Key ID: 2C500945
Public Key Fingerprint: 1B DE 98 8F C8 49 05 4B 82 56 DD DA 67 4E FD B0
Verification: boat pike amok fast abbe told held coon
Help: <http://www.USENIX.org/tornmoney/newcomer.html>

3. Name: Jeanette McLeod
Email: <jmcleod@qualcomm.com>
Key ID: 2C500945
Public Key Fingerprint: 1B DE 98 8F C8 49 05 4B 82 56 DD DA 67 4E FD B0
Verification: scot cord iris lure doff fuel lazy quad
Help: <http://www.USENIX.org/tornmoney/newcomer.html>

4. Name: Jeanette McLeod
Email: <jmcleod@qualcomm.com>
Key ID: 2C500945
Public Key Fingerprint: 1B DE 98 8F C8 49 05 4B 82 56 DD DA 67 4E FD B0
Verification: anne duke lamp mock blat lark gawk lair
Help: <http://www.USENIX.org/tornmoney/newcomer.html>

 

First posted: 1st February 1999 jr
Last changed: 2 Feb 1999 jr