LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Front page

Recent Features

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

A perf ABI fix

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

On keys and users

By Jake Edge
June 22, 2011

Secure communication requires encryption keys, but key management and distribution are difficult problems to solve. They are also important problems to solve; solutions that can be easily used by those who are not technically inclined are especially needed. Turning encrypted communications into the default, rather than an option used mostly by the technically savvy, will go a long way toward protecting users from criminals or repressive regimes. Even if these secure communications methods are only used by a subset of internet users, that subset truly needs these tools.

HTTPS

For most users, the only encrypted communication they use is SSL/TLS for accessing web pages served over HTTPS. The keys used for HTTPS are normally stored on the server side in the form of certificates that are presented to the browser when the connection is made. In order to establish the identity of the remote server, to avoid phishing-style attacks, those certificates are signed by certificate authorities (CAs) such that the browser can verify the key that it receives.

This scheme suffers from a number of problems, but it works well enough in practice so that, by and large, users can safely enter credit card and other personal information into the sites. It relies on centralized authorities in the form of the CAs, however, which can be a barrier to web site owners or users who might otherwise be inclined to serve content over HTTPS. In addition, trusting CAs has its own set of dangers. But, contrary to some of the big web players' beliefs, the web is not the only form of communication.

Other protocols

For the most part, things like instant messages, email, peer-to-peer data transfers, and voice over IP (VoIP) are all transmitted over the internet in the clear. Solutions exist to encrypt those communications, but they are not widely used, at least partly because of the key problem. Each protocol generally has its own idea of key formats and storage, as well as how to exchange those keys.

For efforts like the Freedom Box, it will be extremely important to find a solution to this key problem, so that users can more-or-less effortlessly communicate in private. If multiple applications that used keys could agree on common key types and formats, it would reduce the complexity. That may be difficult for a number of reasons, some technical, others social, so perhaps finding a way to collect up all of a user's keys into a single "key bundle" makes sense.

Generally, encryption these days uses public key cryptography, which means that there are actually two keys being used. One is the public key that can be widely disseminated (thus its name), while the other is a private key that must be kept secure. A key bundle would thus have two (or more) parts, the bundle that's shown to the rest of the world for communication and authentication, and the other that's kept secret. This private bundle would require the strongest protections against loss or theft.

Generating the keys, and agreeing upon some kind of bundle format, are fairly straightforward technical problems. Those can be solved rather easily. But the real problems will lie in educating users about keys, the difference between public and private keys, and how to properly protect their private keys. User interfaces that hide most of that complexity will be very important, but there will be things that users need to understand (chief among them will be the importance of private bundle safety).

Storing the keys

It would be a simpler problem to solve if the private bundle could be kept, securely, in one location, but that's not really a workable scenario. Users will want (or need) to communicate from a wide variety of devices, desktops, laptops, tablets, mobile phones, etc., and will want to maintain their identities (i.e. keys) when using any or all of them.

Storing the bundles at some "trusted" location on the internet ("in the cloud" in the parlance of our times) might be possible but it would also centralize their location. If some entity can cut off access to your key bundle, it leaves you without a way to communicate securely. Spreading the bundles out to various locations, and caching them locally, would reduce those problems somewhat. Obviously, storing the bundles anywhere (including locally) would require that the bundles themselves be encrypted—using a strong password—which leads to another set of potential problems, of course.

Since these private key bundles will be so important, there will need to be some way to back them up, which would be an advantage of the cloud scenario. Losing one's well-established identity could be a very serious problem. A worse problem would be if someone of malicious intent were to gain control over the keys. For either of those problems, some kind of revocation mechanism for the corresponding public keys would need to be worked out.

There are already some solutions to these problems, but, like much of the rest of the key management landscape, they tend to be very key and application-specific. For example, GNU Privacy Guard (GPG) public keys are often registered at a key server so that encrypted email can be decrypted and verified. Those keys can also be revoked by registering a revocation certificate with the key server. But, once again, key servers centralize things to some extent. Likewise, SSL/TLS certificates can be revoked by way of a certificate revocation list that is issued by a CA.

Public keys

Most of the above is concerned with the difficulties in maintaining the private bundle, but there are problems to be solved on the public key side as well. Gathering a database of the public keys of friends, family, colleagues, and even enemies will be important in order to communicate securely with them. But, depending on how that public key is obtained, it may not necessarily correspond to the individual in question.

It is not difficult to generate a key that purports to be associated with any arbitrary person you choose. The SSL/TLS certificate signing process is set up to explicitly deal with that problem by having the CAs vouch that a given certificate corresponds to a particular site. That kind of centralized authority is not a desirable trait for user-centric systems, however, so something like GPG's (and others') "web of trust" is a better model. Essentially, the web of trust allows the user to determine how much trust to place in a particular key, but it requires a fair amount of user knowledge and diligence that may make it too complex for non-technical users.

Free software can make a difference

As can be seen, there are a large number of hurdles that need to be cleared in order to make secure communication both ubiquitous and (relatively) simple to use. Key management has always been the achilles heel of public key cryptography, and obvious solutions are not ready to hand. But they are important problems to solve, even though they may only be used by a minority of internet users. For many, the additional hassles required to securely communicate may not be overcome by the concern that their communications may be intercepted. For others, who are working to undermine repressive regimes for example, making it all Just Work will be very important.

This is clearly an area where free software solutions make sense. Proprietary software companies may be able to solve some of these problems, but the closed-source nature of their code will make it very worrisome to use for anyone with a life-and-death need for it. There have just been far too many indications that governments can apply pressure to have "backdoors" inserted into communications channels. With open standards and freely available code, though, activists and others can have a reasonable assurance of privacy.

These problems won't be solved overnight, nor will they all be solved at once. Public key cryptography has been with us for a long time without anyone successfully addressing the key management problem. Recent events in the Middle East and elsewhere have shown that internet communication can play a key role in thwarting repressive regimes. Making those communications more secure will further those aims.

(Log in to post comments)

On keys and users

Posted Jun 23, 2011 9:29 UTC (Thu) by ortalo (subscriber, #4654) [Link]

Two thoughts I'd like to share for further discussion if anyone is interested:
- occasionnally and probably provocatively, I come to say that cryptography cannot be used to solve any security problem, but that it can be used to *move* it (from the protection of the data to the protection of the key(s)). These are still impressive achievements by the way; but using cryptography does not mean we do not have to address all other security issues correctly (integrity checks, access checks, authentication, authorization, revocation, monitoring, etc.).
- "For many, the additional hassles required to securely communicate may not be overcome by the concern that their communications may be intercepted." Computers offer us astounding new opportunities with respect to information security, not limited to ciphering. In the civil domain, these opportunities are probably even more astounding for integrity (signature, authentication, etc.) than for confidentiality issues. Why not try to go after original features to motivate most users to overcome the hassles? (For example, the Internet explosion of the 2000s boom was targeted at e-commerce; what about offering novel features surrounding money issues like peer-to-peer contracting? $$ tend to motivate many...)

DNSSEC and PKI

Posted Jun 23, 2011 10:32 UTC (Thu) by copsewood (subscriber, #199) [Link]

I suspect that DNSSEC combined with tamper resistant private key storage (e.g. within mobile phones) once these technologies becomes more widely available, will help lessen a couple of hard key management problems to a useful extent. (NB these 2 problems don't have and probably never will have complete solutions).

1. Having a generally known and agreed place to obtain public keys from where the domain name represents the identity of the user and some kind of a chain of trust needs to be established to say that the public key for alice.smith.coventry.uk really belongs to the Alice known to have this globally unique identity. (If you don't like AINA as the identity trust root, DNSSEC enables you or your community to establish alternate and even multiple trust anchors). The advantage is that DNS identities are the ones we use anyway, the difference between alice@smith.coventry.uk and alice.smith.coventry.uk being syntactic and not semantic.

2. Having arbitrarily short time to live values enables users to manage risk of key compromise and signature repudiation by leaving invalid signatures possible based upon user knowledge of key compromise for a known and more limited time extent. E.G if your bank requires you to inform them within 24 hours of your losing a signing device, it takes 48 hours to extract the private key from its tamper resistant container by someone with access to a semiconductor plant without destroying it, and the DNS record storing the key has a TTL of 24 hours, then the compromised key can be timed out before it can be used (unless a bank customer is unable to inform the bank within 24 hours. Larger transactions can have longer delays or additional security checks and those who think it may take them longer than 24 hours to inform their bank can insure against quantifiable risk, and the bank will probably be obliged to provide such insurance in exchange for normal bank charges).

One of the flies in this ointment concerns how Alice revokes her key once her mobile phone containing a tamper resistant module protecting her private key is stolen, if the signature from this key is the most reliable means for Alice to identify herself for this purpose. But I think all key-identity binding solutions have this problem, and require alternative means by which Alice's identity can be sufficiently established (e.g. personal knowledge of secrets over a phone conversation with Alice's bank). In this event the bank will prefer to risk an imposter who has been through Alice's rubbish bin and tapped her phone being able to cause a temporary denial of service on Alice's bank account than risk Alice's funds being stolen. Alternatively if Alice has signed a revocation certificate and left copies with friends who can identify her over the phone better than the bank, the bank may be able to accept a copy of one of these.

DNSSEC isn't just about securing the naming system, as I see it. It seems to provide for a more generic PKI.

DNSSEC and PKI

Posted Jun 23, 2011 11:17 UTC (Thu) by ndye (subscriber, #9947) [Link]

... the difference between alice@smith.coventry.uk and alice.smith.coventry.uk being syntactic and not semantic.

coventry.uk and smith.coventry.uk can be under completely separate administrative authority. In my view, the following are distinct identities:

  • alice.smith@coventry.uk
  • alice@smith.coventry.uk

So why do you assert no difference between

  • alice@smith.coventry.uk
  • alice.smith.coventry.uk

(Or there's much more I don't grok about DNS.)

@ndye: DNSSEC and PKI

Posted Jun 23, 2011 20:31 UTC (Thu) by copsewood (subscriber, #199) [Link]

"So why do you assert no difference between

alice@smith.coventry.uk
alice.smith.coventry.uk"

I was pointing out the fact of syntactic difference but the semantic similarity.

In the first example, the email admin of smith.coventry.uk creates the ID. In the second example the DNS admin of smith.coventry.uk does. Syntactically (based upon punctuation) we assume the first to be an email address and the second to be a DNS name. Semantically (the meaning behind the use of words) we have delegation of authority over identity through the big endian chain of labels in both cases, and it matters little whether the granter of the globally unique identity concerned is looking after a DNS or an email server.

The point I'm making here is that the DNS concept is inherently extensible to include everyone on the planet and use of all kinds of network services, not just the narrow priesthood of server operating geeks. RFC4255 http://tools.ietf.org/html/rfc4255 and RFC4871 Domainkeys http://tools.ietf.org/html/rfc4871 both demonstrate interest in using DNS and DNSSEC for secure or cheap public key storage and access in respect of non-DNS protocols (SSH and SMTP respectively). The use cases to extend the SMTP concept initially to Domainkeys (to prevent cheap email origin spoofing) , and to extend the Domainkeys concept to using DNSSEC to create certificates for authentication and privacy of email seem reasonably clear.

DNSSEC and PKI

Posted Jun 23, 2011 12:36 UTC (Thu) by david.a.wheeler (subscriber, #72896) [Link]

Yes, I completely agree that DNSSEC can provide a basis for a simple-to-use PKI. I wrote Easier Email Security is on the Way? back in 2002, outlining this. I think you could use DNSSEC to get keys for domains, and then other protocols (such as LDAP) to get public keys for individual users.

It's sad that it's taken so long to get DNSSEC mature. But it's finally starting to get out there. It's finally becoming possible.

On keys and users

Posted Jun 23, 2011 10:48 UTC (Thu) by job (guest, #670) [Link]

If people would start using DNSSEC, we'd have a pretty solid ground to stand on for the peer-to-peer key distribution required for the projects mentioned above. Instead of proving your identity in these systems (which is a quite difficult social problem at the very least) you could just accept that your domain name is your identity and move on to more interesting things.

On keys and users

Posted Jun 23, 2011 13:23 UTC (Thu) by ortalo (subscriber, #4654) [Link]

Don't you fear that such solution would be limited in scope to technically-oriented people?
From my point of view, few regular people do know what a DNS entry is, even less have actual control on their own DNS space.

These are not criticisms btw. At least you offer something for some class of users. But is the scope big enough to launch a successful security infrastructure in the open world?

Furthermore, with DNSSEC, some central authority (and its associated procedure) still appears somewhere in the process. Admittedly, this one is probably less centralized and more open than X.509 CAs. But since the beginning, and of course even more in recent times, I've favoured more spontaneous/original approaches, like the PGP web of trust. Maybe this is the case also because it still seems more innovative to me. (A classical centralized and governement-oriented certification process, like for birth registration for example, is still useful, but somehow old fashioned...:-)

Finally, what makes you think proving your identity is such a "quite difficult social problem"?
Proving your identity to everyone in the world, with certainty, at governement-level security (with respect to nationality for example) and for a long time certainly is; but do we really need that everyday? Most of everyday life tasks are accomplished without using an identity card, many are entirely anonymous. On the net, self-signed certificates can be useful too (e.g. I certainly trust more lwn.net's than several much more costly ones, especially for reading your answer).

Why not try to isolate more practical and self-contained problems which necessitate a security solution and try to solve them separately?
BTW, we actually converge on our views if your concern is to secure DNS and use it to improve the (net) access to your own home computers securely. For that, DNSSEC sounds pretty good.

Astonishlingly, sometimes I have the feeling that, in this area of combined computer security and free software, we are as much in search of a problem that can be realistically solved than in search of an ideal technical solution. (And, what's an engineer without a problem to solve... ;-)

Maybe we need to look more closely to clarify the users' needs in this domain. (After all, in this area, users are frequently ignorant or even lying about their needs.)

On keys and users

Posted Jun 25, 2011 17:17 UTC (Sat) by pabs (subscriber, #43278) [Link]

I tend to agree with Moxie Marlinspike about DNSSEC:

http://blog.thoughtcrime.org/ssl-and-the-future-of-authen...

On keys and users

Posted Jun 26, 2011 11:22 UTC (Sun) by job (guest, #670) [Link]

Any crypto is limited in scope to technically-oriented people. Most people host their data with others.

DNSSEC appeals to me because we already have to trust the domain name system. If your domain is deregistered for any reason, your communication fails whether you have secured your domain or not.

The only third party you need to trust is your TLD (which you have to trust anyway, see above). For people under .com I understand your concerns but there are other TLDs and trust is not delegated between them except for the root, and it is impractical to deregister the TLD when a few individual domains is questionable.

The important thing here is that a mischevious registrar can only sabotage domains registered with them, whereas a trusted CA is normally completely trusted to sign anything in the global root. That difference alone is worth it, in my opinion.

That also sums up my criticism against Marlinspike's article. He concludes that DNSSEC is not impervious to attacks, which should be trivially true, but ignores the fact that it is lightyears ahead of what be have today.

What is mean that proving identity is hard is only that as far as I know only governments have succeeded doing in on the large scale required here. That most transactions are anonymous may be true but does not help us when we need to do secure transactions. Private CAs has proven to be a failure so far. Our choices are then between a large intergovernmental CA system (in effect delegating trust along the country TLDs) or to put our trust in DNSSEC. I would prefer the latter.

On keys and users

Posted Jun 23, 2011 17:26 UTC (Thu) by sethml (subscriber, #8471) [Link]

Anybody interested in an interesting approach to key distribution and management might want to take a look at Gale, a secure distributed IM/group chat system. Unfortunately, it's pretty much a dead project now, but still has some active use.

Unfortunately, the documentation is a bit sparse and incomplete. A few of the interesting features are:

  • Servers automatically create a spanning tree capable of routing messages to clients robustly while minimizing bandwidth use.
  • Servers are dumb and have no ability to decrypt messages - only the headers requires for routing messages are understandable by the servers.
  • Public key cryptography is used to authenticate senders and to encrypt private messages.
  • A tree of trust - the key for lwn@lwn.net would be signed by the private key for lwn.net, which in turn would be signed by the key for net, which would be signed by the root key. Given the root public key, the lwn@lwn.net key could be verified.
  • Keys fetchable on request by key-server daemons (gdomain), with a revocation mechanism.
The project never really figured out effective key storage and management for non-Unix machines, and eventually lost momentum beyond a core community which continues to use it. However, I think the key challenges it was trying to solve remain mostly unsolved.

GPG is an implementation, not a standard

Posted Jun 24, 2011 1:20 UTC (Fri) by vapier (subscriber, #15768) [Link]

probably just nitpicking here, but "GPG keys" are simply PGP keys. GPG is merely a GNU implementation of the OpenPGP standard.

also, it can be used for more than just e-mails. it's how many people verify packages (e.g. tarballs) that they release, and how many distros sign their packages (e.g. rpms/debs/etc...).

http://en.wikipedia.org/wiki/Pretty_Good_Privacy

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds