investigating the openpgp web of trust
play

Investigating the OpenPGP Web of Trust Alexander Ulrich, Ralph Holz , - PowerPoint PPT Presentation

May 07, 2023 •736 likes •1.31k views

Investigating the OpenPGP Web of Trust Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle Diskrete Mathematik Universit at T ubingen Netzarchitekturen und Netzdienste Technische Universit at M unchen ESORICS 2011 Alexander

  1. Investigating the OpenPGP Web of Trust Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle Diskrete Mathematik Universit¨ at T¨ ubingen Netzarchitekturen und Netzdienste Technische Universit¨ at M¨ unchen ESORICS 2011 Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 1

  2. Introducing the Web of Trust PGP/GnuPG (GPG) Widely used implementations of OpenPGP (authentication & encryption) Often used for e-mail Web of Trust (WoT) PKI: everyone can certify anyone else Decentralized Certification Authorities (CAs) allowed: just very active users Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 2

  3. Web of Trust (WoT): Directed Graph Oliver George Nate Bob Paul Quentin Emile Charlie Daniel Ivan Alice Henry Frank Laura "signs" Jane Karla Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 3

  4. Web of Trust (WoT): Directed Graph Oliver George Nate Bob Paul Quentin Emile Charlie Daniel Ivan Alice Henry Frank Laura Jane Karla Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 3

  5. Web of Trust (WoT): Directed Graph Oliver George Nate Bob Paul Quentin Emile Charlie Daniel Ivan Alice Henry Frank Laura Jane Karla Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 3

  6. Our Questions (Problem Statement) Analyze the Web of Trust’s graph w.r.t. Macro structure How can users profit from the WoT? Usefulness to users How effectively can the WoT used? Robustness How does the WoT react to changes? Further Aspects Social structures? Crypto algorithms? Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 4

  7. Our Questions (Problem Statement) Analyze the Web of Trust’s graph w.r.t. Macro structure How can users profit from the WoT? Usefulness to users How effectively can the WoT used? Robustness How does the WoT react to changes? Further Aspects Social structures? Crypto algorithms? Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 4

  8. Our Questions (Problem Statement) Analyze the Web of Trust’s graph w.r.t. Macro structure How can users profit from the WoT? Usefulness to users How effectively can the WoT used? Robustness How does the WoT react to changes? Further Aspects Social structures? Crypto algorithms? Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 4

  9. Our Questions (Problem Statement) Analyze the Web of Trust’s graph w.r.t. Macro structure How can users profit from the WoT? Usefulness to users How effectively can the WoT used? Robustness How does the WoT react to changes? Further Aspects Social structures? Crypto algorithms? Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 4

  10. Our Questions (Problem Statement) Analyze the Web of Trust’s graph w.r.t. Macro structure How can users profit from the WoT? Usefulness to users How effectively can the WoT used? Robustness How does the WoT react to changes? Further Aspects Social structures? Crypto algorithms? Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 4

  11. Background: OpenPGP Certification Public/private key pair: pub 2048R/69B003EF User ID: [Ralph Holz, <holz@net.in.tum.de>] Issue a certificate = sign(User ID, public key) Web of Trust (WoT) Network of key servers to upload keys Synchronizing Keyservers (SKS) protocol Complete history of the network (SKS knows no ‘delete’ operation!) Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 5

  12. Trust in OpenPGP Owner Trust Alice: “I trust Bob [ very much / somewhat / not ] to properly identify a person before signing.” Private assessment – stored locally Valid keys in GnuPG default settings Path length ≤ 5 Either ‘full’ trust in all owners on path Or ≥ 3 distinct paths with ‘marginal’ trust in owners Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 6

  13. Deriving Requirements A good WoT should... have certification paths between many (all) keys else it is not useful have short certification paths less entities to trust chances of accurately assessing key authenticity have redundant paths between keys beneficial for GnuPG trust metric be robust removal of a key must have little impact on reachability capture social relations between users well trust assessment is easier in communities Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 7

  14. Deriving Requirements A good WoT should... have certification paths between many (all) keys else it is not useful have short certification paths less entities to trust chances of accurately assessing key authenticity have redundant paths between keys beneficial for GnuPG trust metric be robust removal of a key must have little impact on reachability capture social relations between users well trust assessment is easier in communities Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 7

  15. Deriving Requirements A good WoT should... have certification paths between many (all) keys else it is not useful have short certification paths less entities to trust chances of accurately assessing key authenticity have redundant paths between keys beneficial for GnuPG trust metric be robust removal of a key must have little impact on reachability capture social relations between users well trust assessment is easier in communities Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 7

  16. Deriving Requirements A good WoT should... have certification paths between many (all) keys else it is not useful have short certification paths less entities to trust chances of accurately assessing key authenticity have redundant paths between keys beneficial for GnuPG trust metric be robust removal of a key must have little impact on reachability capture social relations between users well trust assessment is easier in communities Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 7

  17. Deriving Requirements A good WoT should... have certification paths between many (all) keys else it is not useful have short certification paths less entities to trust chances of accurately assessing key authenticity have redundant paths between keys beneficial for GnuPG trust metric be robust removal of a key must have little impact on reachability capture social relations between users well trust assessment is easier in communities Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 7

  18. Deriving Requirements A good WoT should... have certification paths between many (all) keys else it is not useful have short certification paths less entities to trust chances of accurately assessing key authenticity have redundant paths between keys beneficial for GnuPG trust metric be robust removal of a key must have little impact on reachability capture social relations between users well trust assessment is easier in communities Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 7

  19. Let’s Start: Obtaining Our Dataset Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 8

  20. Used Dataset Obtained full snapshot of SKS database Stored relevant key properties in SQL DB Snapshot contains complete history of network Time stamps of key creation, signatures, expiry, revocations, . . . Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 9

  21. Resulting Key Set Many keys available on the servers All keys 2.7 millions Expired, revoked, broken keys 570,000 But not many used for signatures Keys with incoming or outgoing signatures 325,000 Resulting signatures 817,000 Majority of available keys are not verifiable: no signature chains. Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 10

  22. Macro Structure Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 11

  23. Macro Structure Strongly Connected Components (SCCs) Nate Bob Paul Charlie Daniel Alice Henry Frank Laura Jane Karla Within an SCC, there is ≥ 1 signature chain between any key pair. Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 12

  24. Macro Structure SCCs are important: mutual authentication only within the same SCC SCCs in the Web of Trust Largest SCC (LSCC) of just 45,000 keys (!) But there are 240,283 SCCs... ... > 100,000 are single nodes (trivial sub-graphs) ... ≈ 10,000 node pairs Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 13

  25. Macro Structure: SCC Sizes 1e+05 1e+04 1e+03 quantity 1e+02 1e+01 1e+00 1 2 4 8 16 40 117 44952 component size Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle: Investigating the OpenPGP Web of Trust 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OpenPGP? mailing lists? OpenPGP on mailing lists? let's fix that! manual all subscribers have

OpenPGP? mailing lists? OpenPGP on mailing lists? let's fix that! manual all subscribers have

OpenPGP? mailing lists? OpenPGP on mailing lists? let's fix that! manual all subscribers have all subscribers and all public keys doesn't scale list key scales works proxy re-encryption secure e-mail list service

472 views • 28 slides
Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France CT-RSA April 22, 2015 Maury et al. | ANSSI | CT-RSA 2015 1 / 19 Format Oracles on OpenPGP | Introduction Contribution We

1.05k views • 28 slides
Secure Browsing and Email Web Browsing with HTTPS Secure Email with OpenPGP Organised by Steven

Secure Browsing and Email Web Browsing with HTTPS Secure Email with OpenPGP Organised by Steven

Free Technology Workshop Secure Browsing and Email Web Browsing with HTTPS Secure Email with OpenPGP Organised by Steven Gordon Room RS309 9am - 12noon Friday 27 June 2014 http://ict.siit.tu.ac.th/moodle/ Adresses Local copies of

667 views • 19 slides
FOSDEM 2019 Vincent Breitmoser 1 / 13 Intro I'm Vincent Developer of OpenKeychain OpenPGP

FOSDEM 2019 Vincent Breitmoser 1 / 13 Intro I'm Vincent Developer of OpenKeychain OpenPGP

FOSDEM 2019 Vincent Breitmoser 1 / 13 Intro I'm Vincent Developer of OpenKeychain OpenPGP support in K-9 Mail More holistic approach required 2 / 13 Overview - Goals 1. Make it easy to encrypt e-mail 2. Don't rely on infrastructure 3.

296 views • 13 slides
EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de |

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de |

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de | https://www.efail.de 1 Mnster University of Applied Sciences Damian Poddebniak 1 , Christian Dresen 1 , Jens Mller 2 , Fabian Ising 1 , 2 Ruhr

675 views • 41 slides
GPG4LIBRE: OPENPGP SIGNING &amp; ENCRYPTION IN LIBREOFFICE LIBREOFFICE CONFERENCE ROME OCTOBER

GPG4LIBRE: OPENPGP SIGNING &amp; ENCRYPTION IN LIBREOFFICE LIBREOFFICE CONFERENCE ROME OCTOBER

GPG4LIBRE: OPENPGP SIGNING &amp; ENCRYPTION IN LIBREOFFICE LIBREOFFICE CONFERENCE ROME OCTOBER 12TH, 2017 Thorsten.Behrens@cib.de GPG4LIBRE - MOTIVATION we dont do enough crypto yet! put encryption and signing at users finger tips

188 views • 17 slides
Status of the Debian OpenPGP keyring Jonathan McDowell, Gunnar Wolf What do we do Daniel Kahn

Status of the Debian OpenPGP keyring Jonathan McDowell, Gunnar Wolf What do we do Daniel Kahn

Status of the Debian OpenPGP keyring Daniel Kahn Gillmor, Status of the Debian OpenPGP keyring Jonathan McDowell, Gunnar Wolf What do we do Daniel Kahn Gillmor Jonathan McDowell Gunnar Wolf Escaping algorithmic fragility: So far

492 views • 28 slides
FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust Your Local Mental Health NHS Trust Implementation of Involvement Agenda National accreditation for Memory Service Team (Bloxwich Hospital)

763 views • 14 slides
PGP web of trust Web of trust From:

PGP web of trust Web of trust From:

PGP web of trust Web of trust From: h2p://pgp.cs.uu.nl/plot/ The PGP web of trust can be viewed as a directed graph where the points are

558 views • 10 slides
Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light

Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light

Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light Absorption Absorption Measurements Measurements Christine Walsh Lund University (Lund, Sweden) NOAA ERSL (Aerosol Research Group) Overview of

354 views • 17 slides
Developing and Investigating Online Programming Resources Andrew Petersen Department of

Developing and Investigating Online Programming Resources Andrew Petersen Department of

Developing and Investigating Online Programming Resources Andrew Petersen Department of Mathematical and Computational Sciences University of Toronto andrew.petersen@utoronto.ca Goals Introduce two of my areas of research Investigating

1.03k views • 91 slides
NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For

NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For

NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For ACM CCS I ndustry/ Govt Track Oct. 26, 2004 Carl Landwehr ( clandweh@nsf.gov ) Cyber Trust Coordinator National Science Foundation What s the

439 views • 17 slides
Investigating Dimensionality Dimensionality Dimensionality with with Investigating

Investigating Dimensionality Dimensionality Dimensionality with with Investigating

Investigating Investigating Investigating Dimensionality Dimensionality Dimensionality with with Investigating Dimensionality Mokken Analysis Mokken Analysis and CFA and CFA by means of Nader et al. Nader et al. Mokken Analysis

571 views • 7 slides
Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization

Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization

Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization creates opportunities and risks Page 2 And its common truth We cant expect people to actively support the digital transformation if we cannot

499 views • 11 slides
The Economics of Trust in Organisations Trust Trust is the voluntary acceptance of vulnerability

The Economics of Trust in Organisations Trust Trust is the voluntary acceptance of vulnerability

The Economics of Trust in Organisations Trust Trust is the voluntary acceptance of vulnerability based upon positive expectations of the intention or behaviour of another. Key components of TRUST include (1) the recognition of vulnerability

471 views • 13 slides
Gods stories Gods stories Trust Trust To Rely Upon Something Totally Trust trust:

Gods stories Gods stories Trust Trust To Rely Upon Something Totally Trust trust:

Gods stories Gods stories Trust Trust To Rely Upon Something Totally Trust trust: confidence in, or an assured reliance on, the character, integrity, ability, strength, or truth of someone or something faith: Confidence or

784 views • 33 slides
RHyTHM: A Randomized Hybrid Scheme To Hide in the Mobile Crowd Mohammad Khodaei, Andreas Messing,

RHyTHM: A Randomized Hybrid Scheme To Hide in the Mobile Crowd Mohammad Khodaei, Andreas Messing,

RHyTHM: A Randomized Hybrid Scheme To Hide in the Mobile Crowd Mohammad Khodaei, Andreas Messing, and Panos Papadimitratos Networked Systems Security Group (NSS) www.ee.kth.se/nss Royal Institute of Technology (KTH) Stockholm, Sweden Nov. 28,

361 views • 15 slides
SECMACE: Scalable and Robust Identity and Credential Management Infrastructure in Vehicular

SECMACE: Scalable and Robust Identity and Credential Management Infrastructure in Vehicular

KTH ROYAL INSTITUTE OF TECHNOLOGY SECMACE: Scalable and Robust Identity and Credential Management Infrastructure in Vehicular Communication Systems M. Khodaei, H. Jin and P . Papadimitratos Networked Systems Security Group (NSS) In IEEE

464 views • 42 slides
INDONESIA Arriya Mungsunti Andy Sumner Arief Yusuf The Developers Dilemma: Structural

INDONESIA Arriya Mungsunti Andy Sumner Arief Yusuf The Developers Dilemma: Structural

Kyunghoon Kim INDONESIA Arriya Mungsunti Andy Sumner Arief Yusuf The Developers Dilemma: Structural Transformation, Inequality Dynamics, and Inclusive Growth UNU-WIDER Workshop, 10 th /September/2019, Bangkok, Thailand BACKGROUND: STEADY

521 views • 19 slides
comparison of methods for clustering citation networks Lovro Nees Jan van Eck Ludo Waltman

comparison of methods for clustering citation networks Lovro Nees Jan van Eck Ludo Waltman

comparison of methods for clustering citation networks Lovro Nees Jan van Eck Ludo Waltman Subelj Leiden University Leiden University University of Ljubljana Centre for Science and Centre for Science and Faculty of Computer and

394 views • 15 slides
Tagging modality in Oceanic languages of Melanesia Annika Tjuka, Lena Weimann, and Kilu von

Tagging modality in Oceanic languages of Melanesia Annika Tjuka, Lena Weimann, and Kilu von

MelaTAMP project Data Method Inter-annotator agreement Conclusion Tagging modality in Oceanic languages of Melanesia Annika Tjuka, Lena Weimann, and Kilu von Prince August 1 st , 2019 1 / 23 The 13 th Linguistic Annotation Workshop

515 views • 28 slides
Community Detection: From Plain to Attributed Complex Networks Martin Atzmueller Universit y of

Community Detection: From Plain to Attributed Complex Networks Martin Atzmueller Universit y of

Community Detection: From Plain to Attributed Complex Networks Martin Atzmueller Universit y of Kassel, Research Cent er for Informat ion S yst em Design Ubiquit ous Dat a Mining Team, Chair for Knowledge and Dat a Engineering Web S cience

1.5k views • 99 slides
StatisticalNLP Spring2010 Lecture2:LanguageModels DanKlein UCBerkeley

StatisticalNLP Spring2010 Lecture2:LanguageModels DanKlein UCBerkeley

StatisticalNLP Spring2010 Lecture2:LanguageModels DanKlein UCBerkeley SpeechinaSlide Frequencygivespitch;amplitudegivesvolume

235 views • 21 slides
Growth in Southeast San Francisco/San Mateo Counties Planned/Proposed Development + Housing:

Growth in Southeast San Francisco/San Mateo Counties Planned/Proposed Development + Housing:

Growth in Southeast San Francisco/San Mateo Counties Planned/Proposed Development + Housing: 18,000 units + Employment: 15 million square feet + Retail + Office + R&amp;D + Port Intensification BAYVIEW TRANSPORTATION IMPROVEMENTS 25th

154 views • 3 slides

More recommend