- 1 Introduction
- 2 Common Misconceptions
- 3 Related Tools
- 4 Links
- 5 Advanced Topics
- 6 Footnotes
- 7 License
TODO: To be written.
|Check if the gpg signature timestamp makes sense. For example, simply said, if you previously saw a signature from in 2015 and now you are seeing a signature from 2014, then you could be target of a rollback (downgrade) or indefinite freeze attack. |
|Note, OpenPGP signatures do sign files. Not file names. |
In English Language
- OpenPGP For Beginners
- OpenPGP Getting Started
- Free OpenPGP Courses
- OpenPGP Help Spread
- See also if there are any crypto parties in your vicinity.
- Try typing "crypto party" followed by the nearest city in a search engine of your choice.
In German Language
Air Gapped OpenPGP Key
Clearsign with Multiple Keys
The OpenPGP Web of Trust
If you want to be extra cautious and really authenticate a OpenPGP key in a stronger way than what standard HTTPS offers you, you could use the OpenPGP Web of Trust.
One of the inherent problems of standard HTTPS is that the trust we usually put on a website is defined by certificate authorities: a hierarchical and closed set of companies and governmental institutions approved by web browser vendors. This model of trust has long been criticized and proved several times to be vulnerable to attacks as explained on our warning page.
We believe instead that users should be given the final say when trusting a website, and that designation of trust should be done on the basis of human interaction.
The OpenPGP Web of Trust is a decentralized trust model based on OpenPGP keys. Let's see that with an example.
You're a friend of Alice and really trust her way of managing OpenPGP keys. You've validated Alice's key.
Furthermore, Alice met Bob in a conference, and signed Bob's key.
This scenario creates a trust path from you to Bob's key that could allow you to validate it without having to depend on certificate authorities.
This trust model is not perfect either and requires both caution and intelligent supervision by users. The technical details of creating, managing and trusting OpenPGP keys are outside of the scope of this document.
We also acknowledge that not everybody might be able to create good trust path since it based on a network of direct human relationships and the knowledge of quite complex tools such as GnuPG.
Bootstrapping OpenPGP keys from the web
What in case you want to totally stay anonymous or have no trust path to a OpenPGP key?
Some people just write an unencrypted mail to the recipient and ask them to send their public key. The recipient will most likely either send its public key or at least its fingerprint.
This works against passive attacks. An observer wouldn't know what they have been talking about in the following encrypted mails. This totally fails against active attacks. A man-in-the-middle could replace the recipient's key with its own malicious key. The sender would use the wrong key, the man-in-the-middle would decrypt the message, read it, and re-encrypt it with the legit key and forward it to the recipient. Neither sender nor recipient would ever find out that their messages are being read by an adversary. - This is the whole reason, why the trust model path and key signing is recommended in the first place.
As an alternative, some people also publish their OpenPGP fingerprint or their OpenPGP public key on their personal or other websites. This gets more secure, if the website is accessible over SSL (more when both server and client are using HSTS [and DNSSEC]) and/or as a hidden service with a .onion domain. Of course, this presupposes, that the visitor is aware what kind of transportation mechanism is provided. In this case, the adversary would have to break the SSL or onion encryption while someone wants to obtain the key or fingerprint or to compromise the server, which may take, depending on the adversary more resources. Note, that both, the public CA system of SSL and Tor hidden services have security issues, see SSL and Hidden_Services#Hidden_Services_Security for more information.
For such a model, it is best if the same website is accessible over both, https and .onion and the user visits both sites and compares if the results match.
To further improve the situation the key holder can spread its fingerprint and/or OpenPGP key to other websites. Some key holders attach their OpenPGP fingerprint to their e-mail signature (a short attachment of any mail) and participate(d) various public mailing lists. It will be difficult for an adversary to spoof all those information. This only helps, if the one trying to obtain the key is either aware of that or researching that on their own initiative.
GnuPG Key Encryption vs OpenPGP Hardware Protection
|GnuPG encryption of OpenPGP private key||hardware protection |
|OpenPGP private key can be protected by software encryption||Yes ||No |
|OpenPGP private key can be stored encrypted on storage||Yes ||No  |
|implementation of software or device 100% Libre Software||Yes||No |
|can be independently reproduced and audited||Yes||No |
|number of people capable of auditing the implementation||small ||very small |
|OpenPGP private key protected by hardware, as in it is very difficult to extract the key from the devices storage||No||Yes |
|wipes OpenPGP private key once physical tampering is detected (FIPS 140-2 Level 3)||No||No (?) |
|OpenPGP private key access notification||No||Some, yes? |
|secret  can be entered on a secure external device ||No||Some, yes. |
|OpenPGP private key can no longer be abused once detached from malware infected machine||No ||Yes |
|user difficulty to remember secret||Medium ||Easy |
|usability||Medium ||Difficult |
|OpenPGP private key security once lost (without machine compromise) ||protected by software encryption  ||protected by hardware    |
|OpenPGP private key cannot be used by malware  when key attached  and passphrase stolen  or pin cached||No||No|
|OpenPGP private key cannot be extracted, deleted or revoked by malware||No ||Yes|
|encryption of users data still effective once malware infected||No ||No |
|signatures cannot be created by malware||No||No|
|signature counter on hardware device||No||Yes |
|signature counter on computer display trustworthy if attached on malware infected computer||Not applicable.||No |
|signature counter trustworthy if attached on malware free machine ||Not applicable.||Yes|
Both options have unique advantages. Unfortunately, it is not yet possible to combine both options. 
- Defined as per TUF: Attacks and Weaknesses:
- token or smartcard
- If a secure password has been chosen to protect the OpenPGP private key.
- The OpenPGP private key is stored unencrypted on the storage of the smartcard or token.
- Stored on hdd, usb, etc.
- Stored on the memory chip of the smartcard or token.
- Source: 1) gnupg-users mailing list: Possible to combine smartcard PIN with key password? 2) Patrick Schleizer specifically asked Werner Koch about this at c3c1. This is neither possible nor a planned or likely future feature.
- Specification may be Libre Software, but currently there are no blueprints for smartcards or tokens that are Libre Software.
- Due to the absence of blueprints and copyright, no other company can reproduce/audit security.
- Written in C and using cryptography. Hard stuff.
- Hardware is more difficult than software. That type of hardware is even harder. Only the engineers of producers have a chance to best understand it. In the case of closed hardware implementations, which most (all?) tokens and smartcards are, open and independent audits are impossible.
- It is very difficult to read the storage of smartcards and tokens. Professional data recovery companies usually decline requests for recovery from such storage.
- As far as known, no OpenPGP tokens or smartcards claim to poss this security feature.
- Some external smartcard readers blink a flashlight and/or tone when key is being accessed?
- password vs pin
- On an external device that is usually not infected by malware.
- Example: spr332
- A skilled adversary will take a copy of the OpenPGP private key as well as the passphrase for the case that the user manages to move on the a malware free machine.
- Since adversaries cannot extract the key to get a copy, once the compromise has been undone (either by chance, by doing a clean re-installation which the malware did not survive or because of noticing of the malware), future files/mails encrypted to the private key can no longer be decrypted by the adversary. No new malicious signatures can be made anymore. Revoking previously compromised keys would still be advisable, because the adversary could have created a huge number of signatures for all sorts of texts and/or files.
- a long passphrase
- a medium sized pin
- Arguably, OpenPGP is not that simple. In compression, OTR has a smaller feature set (for example, no signatures for publicly released files), but encryption is much more usable. OTR is younger and has more users.
- Initial setup is harder than GnuPG private key password encryption and generally hard.
- Assumption, 1) no malware on users computer 2) either the storage (hdd, usb, etc.) holding the OpenPGP private key vs token or smartcard has been lost, stolen or robbed.
- The adversary would require either 1) a backdoor in gnupg itself 2) or a backdoor in the distribution that shipped gnupg 3) or have found a vulnerability in gnupg 4) or have found an effective weakness in the encryption algorithm used by gnupg
- No vulnerabilities in gnupg's private OpenPGP key encryption have ever been reported.
- Quote wikipedia:
Smart cards can be physically disassembled by using acid, abrasives, or some other technique to obtain unrestricted access to the on-board microprocessor. Although such techniques involve a fairly high risk of permanent damage to the chip, and irrecoverable loss of the secret keys therein, they permit much more detailed information (e.g. photomicrographs of encryption hardware) to be extracted.
- Other, non-OpenPGP smartcards have been cracked in past using ultra-expensive electron-scanning microscopes. Source: theguardian, http://www.theguardian.com/technology/2002/mar/13/media.citynews
- More information on the realism, difficulty and cost of such attacks is required. If you know more information, please add them here.
- If machine used by the user has been compromised by malware such as trojan horse.
- On storage (hdd, usb, etc.) vs on token or smartcard)
- By keylogger or extracted from memory once cached.
- Therefore make sure to have a backup on storage that is never attached to that machine.
- An adversary who manged to compromise the user's machine can use a keylogger to sniff the OpenPGP private key password once it's entered next time of extract it from memory if it's still cached. Any of the users encrypted e-mail, files, etc. (that are read from the users devices or that have been extracted from other sources, such as by man-in-the-middle attacks or obtained from the user's mail provider and so forth) can then be decrypted.
- An adversary who manged to compromise the user's machine can wait until the user caches its pin next time. Otherwise, same as above. Once a machine has been compromised, nothing it shows can be trusted anymore. Even if the PIN is never cached. If the PIN is cached or not is up to the software on the users machine which can be no longer trusted once compromised. The adversary could install its own key caching software (gnupg-agent). Instead of the users request "decrypt mail X", malware can also intercept this and make it "decrypt mail Y and X".
- Users could attach their smartcard to other computers, perhaps non-compromised, perhaps offline machines and check the signature counter. For example output, see: http://spin.atomicobject.com/2014/02/09/gnupg-openpgp-smartcard/
- One malware is running on a machine, nothing the machine's display can be trusted. It could be manipulated by the malware.
- Assumption: The tooken or card reader has not been compromised by malware running on the users machine.
The rest of this page is under the following license.
Whonix OpenPGP wiki page Copyright (C) Amnesia <amnesia at boum dot org> Whonix OpenPGP wiki page Copyright (C) 2012 -2014 Patrick Schleizer <email@example.com> This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code. This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
Log in | OpenID | Contact | Impressum | Datenschutz | Haftungsausschluss | Investors | Donate
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.