PGP key

Source: Internet
Author: User
Keywords PGP
The key may be the most important concept in PGP. A PGP key is a public key pair created by a user for a specific target. Generally speaking, a user creates a key to make a general connection with other people. All outgoing messages are signed with this key, and all incoming messages are decrypted with this key. There may be some confusion in key management at the beginning. The following sections describe the purpose and use of the key. 1. What is the first name? The previous example shows how easy it is to produce a key, and how easy it is to put any name in the key. This example illustrates the use of the key generated by the name "Ruth Thomas". It is as easy as using the name "William Clinton" to generate a key. This is not a joke, and a key is actually produced by this name. Of course, it does not belong to the president, but others may not know the truth when they see it on the Internet. PGP provides you with a number of ways to name your keys. You need to know how each of the different names should be used. You can generate a key with any name that is called UserID in the key. A key can have multiple userid. Generally, the form of UserID is real name, which consists of a single, compressed string of the user's actual name and e-mail address. For example, Ruth Thomas uses his Internet address to create a key pair for himself on the free.net. As shown earlier, he created a 1024-bit key on November 14, 1995. Because you can use the same key for multiple addresses, you may want to put more than one name in the same key to indicate that it can be used with multiple sites. You can use PGP to add UserID to your own key to edit the key ring. If Ruth wanted to use the same key in one of his other e-mail addresses, she could add the address to the second userid in his key. Every key to PGP has another name you can't control: keyID. The keyID of the key is a string of numbers that collude with the key parameter, which is used internally by PGP to access the key in the process. According to the design, want to let keyID to some extent imitate the actual key, but actually each keyid of the secret angle is different. keyID is a 64-bit amount, but only 32 bits are printed in hexadecimal format for the user. Whenever PGP needs Userid,keyid, it can be used in its place. To identify a string to PGP as keyID, you must put the string "0x" in front of it to indicate that it is a hexadecimal string. Ruth's key can also be called 0xd0c6326d. The problem with keyID is that it is now the lowest 64 bits of public key modulus. There is a very famous attack, someone can produce another different length of the key pair, but keyID and UserID is the same as yours. If the inspection is not meticulous,It's hard to tell which key you're using, and it's not telling PGP which key you want because PGP can only tow UserID and keyID. Unfortunately, there is now no precaution against such attacks. Future versions of PGP may have to deal with this situation. Because it is relatively easy to create a new key with the same key ID, a key security fingerprint is required. This key security fingerprint is unique and cannot be easily forged. This value can be used as a key authentication string, and if the UserID, keyID key size and fingerprint match, then the user is assured that he has the correct key. The key fingerprint is trustworthy because the key fingerprint is obtained using the same hashing algorithm. This algorithm is MD5,PGP to ensure message integrity. However, matching a key numeric value is not enough to trust this key. It is also important to check the name in the key. Anyone can create a key and say it belongs to the president; However, it is extremely unlikely that any such key will be part of the General Command. Therefore, as a user, you must use other methods to verify the name in the key. The "Web Accountability" section describes how to verify a key. 2.PGP Key ring PGP requires the user to keep a local cache of keys. This cache is referred to as the user's key ring. There are at least two key rings per User: Public key ring and private key ring. Each key ring is used to hold a set of keys for a particular target. However, it is important to maintain the security of the two key rings, and if someone alters the public key ring, it will cause you to incorrectly verify the signature or encrypt the message to the wrong receiver. (1) Public key ring public key ring holds public key, Useris, signature and trust parameters for all parties that communicate with you. Whenever PGP finds a key to verify a signature or encrypted message, it goes to your public key loop to find it. This means that you want to keep the public key loop up to date, either through frequent bulletins or by accessing the PGP public key server. Trust parameters are stored in the public key ring, so it is not possible to share the key ring between people. Furthermore, PGP does not handle multiple key loops correctly, so it is not easy to create a site-wide (site-wide) key ring using the current version. This is a very famous fault in PGP. When multiple key loops are supported in a future release, the best way to encrypt a key is to use a key server. A security issue with public key loops is that a corrupted public key ring can lead to incorrect signature verification and, worse, possibly send messages to the wrong object. An attacker could change the trust parameters stored in the public key ring, or change the actual key data stored there. These attacks are described in detail in the "attack on the Public key Ring" section. When you design a key ring, you just want to use it to keep some of the more intimate friends and colleagues ' keys. Unfortunately, the assumptions of this design have great limitations in terms of current use. Many people put the keys of someone he has never seen or never contacted into a key-ring country.This creates a number of problems, mainly due to the time required for information and replication and access to the key ring. The recommended approach is to keep the key ring as small as possible and obtain the key from the key server or the site-level key ring if necessary. (2) The private key ring is a personal private place in PGP. When you generate a key, the part that cannot be leaked is stored in the private key ring. Data that needs to be stored privately is encrypted, so access to the private key ring does not automatically allow for its secret use. However, if an attacker is able to access the private key ring, then there is a much smaller obstacle to his forgery of the signature decryption message. Because the private key is not transmitted among people, the only possible key in the user's key ring is his or her private key. Because the private key ring is protected by a phrase, a simple key ring content transfer does not allow access to the key material. We do not recommend sharing a private key, although this may sometimes be required. In particular, when you have a private key that belongs to an organization, it may be necessary to have multiple members of the organization access the private key. This means that any individual can act on behalf of that organization. Sometimes it may be useful to have a private key without passing a phrase. For example, creating a server with a private key represents a group of people. In particular, you can run an encrypted mailing list whose mail server has its own key and has the public key of all list members. The list member encrypts the message with the mail server's key and sends it to the list. The list process decrypts the message, and then the public key that is encrypted with the corresponding list member is renewed. The list server can sign messages with the list key at this point, but this is not required. In this case, the server process needs to access a private key, which requires that the key not pass the phrase. Because there may be multiple private keys in a private key ring, PGP has an option to specify the userid of the private key you want to use. Whenever PGP needs to select a private key, it chooses the first key of the key ring, which is usually the most recently created. You can use the-u option to provide userid to PGP to modify it so that PGP uses the corresponding UserID key. The fiduciary nature of 3.Web is said to be connected by a person on a global scale with a handshake of 6 times. This is a network of references, each of which is used as a reference to another person in the chain. PGP uses a similar method to introduce a new key, using the key signature as an introductory form. When a person signs a key, he becomes a potential reference for that key. For example, suppose Alice signs Bob's key, and Bob signs Charlie's key. Alice now has a proven path to Chrlie. Alice now has a way of knowing that Charlie's key is really Charlie because it has Bob's signature on it and that Alice knows Bob's key is indeed Bob's. This is a trust that provides transitive in the key. This design has aObvious problem. What if someone is a reference, but does not really know what the person he is introducing? For example, if Bob is very careless, he has signed Doug's key, claiming to be Charlie. Not only did Bob think the key belonged to Charlie (although Doug claimed it belonged to Charlie), and because there was no measure of accountability, Alice believed. This is what happens in the PGP Trust Network. Through the Trust network (Web of trusts), the user defines the amount of trust in a key as a reference. In the previous example, Alice gave Bob a key as much trust as possible, and if he believed that Bob correctly signed the other person's key, he would also believe the key. If Alice knew that Bob was lax about key verification, he would not trust Bob as a reference. As a result, Alice will no longer believe the key Bob signed for Doug, but declared Charlie. Of course, the Trust network is not absolutely safe. If someone is deceived into signing a wrong key, it makes others believe it wrongly. The PGP Trust network is considered to be a reputation system, with respectable people giving good signatures and others giving bad signatures. When there is a false reputation, the system may fail. 4. Trust level Trust network starts with a user's own key. PGP assumes that if you have a private key in a key pair, you may believe it. This is because you can demonstrate the key at any time by creating and validating the signature. This situation is called Ultimate Trust (Ultimate). Any key that is signed by a final trust key is considered a valid key. For each valid key, the user is required to assign a trust level to the key. This trust-level value defines the degree to which the user trusts the key as a referral. This can cause confusion because PGP uses the same term to define trust in key validity and the amount of trust as a reference. There are four levels of trust:. Full Trust (Somplete). Edge trusts (marginal trust). Distrust (no trust). Unknown Trust (unknown) in addition to the trust that can be defined by the key as a reference, the user can define the "full" and "edge" quantities required for the trust validity in the key. By default, PGP requires a full signature or two edge signatures. A full signature here is a signature that uses a key that is fully trusted by a reference, and the edge signature is the signature of a key that is trusted with the edge of a reference. Users can set these values to define how many full and edge signatures are required to trust the validity of a key. This process continues until the user-defined level is reached. In the search for a key ring, the default value is 4 levels of loops or nesting. If Alice signed for Bob, Bob signed Charlie, ChArlie for Dave, Dave Elena Signature, and Elena for Frank Signature, Alice is too far from Elena, can not trust Frank, trapped in the interval between the steps too much. And it all depends on Alice's trust in all the signers on this line. Generally, it is not recommended to place trust in the key of a user you do not know. To force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) title Party (0 Votes) passing (0 Votes) original text: PGP key return network security home
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.