Challenging the Trustworthiness of PGP: Is the Web-of-Trust Tear-Proof?


Abstract. The OpenPGP protocol provides a long-adopted and widespread tool for secure and authenticated asynchronous communications, and also supplies data integrity and authenticity validation for software distribution. In this work, we analyze the Web-of-Trust on which the OpenPGP public key authentication mechanism is based, and evaluate a threat model where its functionality can be jeopardized. Since the threat model is based on the viability of compromising an OpenPGP keypair, we performed an analysis of the state of health of the global OpenPGP key repository. Although the detected number of weak keypairs is rather low, our results show that, under reasonable assumptions, approximately 70 % of the Web-of-Trust strong set is potentially affected by the described threat. Finally, we propose viable mitigation strategies to cope with the highlighted threat.

Keywords: Web-of-Trust · WoT · OpenPGP · GPG · PGP

1 Introduction

The continuous increase in the size of computing systems, and in the amount of data processed and exchanged by them, calls for a widespread and trustworthy infrastructure for secure communications, encompassing both synchronous data transport and asynchronous messaging. Secure and endpoint-authenticated transport is nowadays provided by the Transport Layer Security (TLS) protocol [6], which is regarded as the most widespread solution when it comes to interactive communications between a server and a client. By contrast, the main workhorse in providing both confidentiality of the contents and sender authenticity, when it comes to secure e-mails, is the Open Pretty Good Privacy (OpenPGP) protocol [3]. The use of OpenPGP has recently been encouraged as a practical countermeasure to dragnet surveillance actions involving e-mail inspection. In particular, the Free Software Foundation has promoted a campaign [29] to foster its use even among non-technically-savvy users. Finally, the OpenPGP protocol is widely used to ensure data authentication and integrity of binary packages of all the Debian- and RedHat-derived GNU/Linux distributions, and of a significant number of other popular ones such as Arch, Slackware and Gentoo. Therefore, the authenticity of the software binaries installed on the overwhelming majority of GNU/Linux systems is provided by OpenPGP signatures. Since 2010, the official implementation of the OpenPGP protocol is available as a commercial technology by Symantec Corp., even if its source code is publicly available for peer review [28]. In addition to its employment as a solution to provide confidentiality and sender-authentication for e-mails, Symantec’s products also employ the same protocol for securing files and documents. The OpenPGP protocol, first defined in the RFC2440 [4] and then amended and extended in the RFC4880 [3] by the Internet Engineering Task Force (IETF), has its best known impleme

A. Barenghi et al. © Springer International Publishing Switzerland 2015. G. Pernul et al. (Eds.): ESORICS 2015, Part I, LNCS 9326, pp. 429–446, 2015. DOI: 10.1007/978-3-319-24174-6_22