Research article. DOI: 10.1145/2905760.2905761

TOFU for OpenPGP

Published: 18 April 2016

Abstract

We present the design and implementation of a trust-on-first-use (TOFU) policy for OpenPGP. When an OpenPGP user verifies a signature, TOFU checks that the signer used the same key as in the past. If not, this is a strong indicator that a key is a forgery and either the message is also a forgery or an active man-in-the-middle attack (MitM) is or was underway. That is, TOFU can proactively detect new attacks if the user had previously verified a message from the signer. And it can reactively detect an attack if the signer gets a message through. TOFU cannot, however, protect against sustained MitM attacks. Despite this weakness, TOFU's practical security is stronger than the Web of Trust (WoT), OpenPGP's current trust policy, for most users. The problem with the WoT is that it requires too much user support. TOFU is also better than the most popular alternative, an X.509-based PKI, which relies on central servers whose certification processes are often sloppy. In this paper, we outline how TOFU can be integrated into OpenPGP; we address a number of potential attacks against TOFU; and we show how TOFU can work alongside the WoT. Our implementation demonstrates the practicality of the approach.
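A minimal sketch of the check the abstract describes, added here as an illustration and not the paper's implementation. The `TofuStore` class, the verdict strings, the address and the fingerprints are all assumptions constructed for this example; it walks through the proactive case, the reactive case, and the sustained-MitM case that TOFU cannot detect.

```python
from dataclasses import dataclass, field

# Constructed sample values (not real keys): 40-hex-digit fingerprints.
ALICE = "alice@example.org"
GENUINE = "A1" * 20
FORGED = "B2" * 20


@dataclass
class TofuStore:
    # address -> {fingerprint: number of signatures verified with that key}
    bindings: dict = field(default_factory=dict)

    def check(self, address: str, fingerprint: str) -> str:
        """Classify a cryptographically valid signature by its key history."""
        addr = address.strip().lower()
        fpr = fingerprint.replace(" ", "").upper()
        seen = self.bindings.setdefault(addr, {})
        if not seen:
            verdict = "first-use"    # nothing to compare against: remember the key
        elif fpr in seen and len(seen) == 1:
            verdict = "consistent"   # same key as in the past
        else:
            verdict = "conflict"     # a second key exists for this address
        seen[fpr] = seen.get(fpr, 0) + 1
        return verdict


def proactive():
    # The user already verified genuine mail; a forged key then appears.
    s = TofuStore()
    return [s.check(ALICE, GENUINE), s.check(ALICE, GENUINE), s.check(ALICE, FORGED)]


def reactive():
    # The forged key was seen first; the signer later gets a message through.
    s = TofuStore()
    return [s.check(ALICE, FORGED), s.check(ALICE, GENUINE)]


def sustained():
    # Every message is intercepted from first contact: no conflict ever surfaces.
    s = TofuStore()
    return [s.check(ALICE, FORGED) for _ in range(3)]


if __name__ == "__main__":
    for name, run in (("proactive", proactive), ("reactive", reactive), ("sustained", sustained)):
        print(name, run())
```

Once an address has two keys on record, this sketch reports every later signature for it as a conflict, since the store alone cannot tell which key is the forgery.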

Published In

EuroSec '16: Proceedings of the 9th European Workshop on System Security
April 2016
47 pages
ISBN: 9781450342957
DOI: 10.1145/2905760
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 April 2016

Author Tags

  1. MitM
  2. OpenPGP
  3. TOFU
  4. authentication
  5. mimicry
  6. security

Qualifiers

  • Research-article

Conference

EuroSys '16
EuroSys '16: Eleventh EuroSys Conference 2016
April 18 - 21, 2016
London, United Kingdom

Acceptance Rates

EuroSec '16 Paper Acceptance Rate 7 of 16 submissions, 44%;
Overall Acceptance Rate 47 of 113 submissions, 42%

Cited By

  • (2024) A Protocol for Solving Certificate Poisoning for the OpenPGP Keyserver Network. Journal of Internet Services and Applications 15:1 (46-58). DOI: 10.5753/jisa.2024.3810. Online publication date: 23-May-2024
  • (2024) Decentralized Zone-Based PKI: A Lightweight Security Framework for IoT Ecosystems. Information 15:6 (304). DOI: 10.3390/info15060304. Online publication date: 24-May-2024
  • (2024) Security-Enhanced WireGuard Protocol Design Using Quantum Key Distribution. 2024 International Conference on Computing, Networking and Communications (ICNC) (718-723). DOI: 10.1109/ICNC59896.2024.10556292. Online publication date: 19-Feb-2024
  • (2022) A proposal for the survival of the OpenPGP decentralized trust network. Proceedings of the 2022 ACM Conference on Information Technology for Social Good (418-423). DOI: 10.1145/3524458.3548488. Online publication date: 7-Sep-2022
  • (2022) Protocolo para la certificación de llaves públicas para OpenPGP libre del envenenamiento de certificados. 2022 IEEE Biennial Congress of Argentina (ARGENCON) (1-7). DOI: 10.1109/ARGENCON55245.2022.9939771. Online publication date: 7-Sep-2022
