|
Size: 4440
Comment: Validity and key use and Display with tofu + pgp / easygpg
|
Size: 13059
Comment: Tried to clarify a bit more what the levels are for add goals and another conflict attack
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = Validity and Opportunistc encryption = | ## page was renamed from EasyGpg2016/Validity <<TableOfContents>> = Automated Encryption = |
| Line 4: | Line 7: |
| opportunistic mail encryption when using the trust-model tofu+pgp. == Concept of "Verified Communication partner" (Signatures) == There should only be one prominent information when reading a signed mail: * Is there additional information that the sender is really is the indended communication partner. This could be displayed as a green checker or a seal ribbon or something. It should be prominent and next to the signed content. |
opportunistic mail encryption and how to use the trust-model tofu+pgp for automated encryption. == TODO: == Things to do after discussion and Feedback not integrated in this draft * The yellow checker does not work as a symbol. * Level 5 is not part of the screenshots. == What are our goals and how do we archive them? == * Prevent mass surveillance: By providing a fully automated encryption mode that requires no user interaction by default and uses a trust model based on the history of communication. * Spam phishing: By using signatures to verify the senders address. * Targeted (spear) phishing or CEO-Fraud: By including Web of Trust / pgp trust in our trust model and so enable verification levels that go above anything that could be reached through automation or a very convincing communication history. * Man in the Middle attacks: By tracking the consistency of the used encryption / signature key for a given sender address. = Details = == Trust Levels === Definitions of wording: userid: The userid on a key that matches the smtp Address of the sender. tofu: Information we have about the communication history and reflects a bit the A~P~I of gpgme_tofu_info_t. As tofu info is bound to a given key + userid it is also sometimes called "binding". key source: The source where the key was imported from, e.g. if if was automatically imported over https, or if it comes from public keyservers. Key with enough history for basic trust: === Level 0 === Defined as: {{{ (userid.validity <= Marginal AND tofu.signcount == 0 AND tofu.enccount == 0 AND key.source NOT in [cert, pka, danke, wkd]) }}} Explanation: With trust-model tofu+pgp this level is used only for Keys that were never used before to verify a signature and not obtained by a source that gives some indication that this is an actual key for this address. The Key should not be used for opportunistic encryption to avoid the problem that the recipient might not be able to decrypt the message because it is a wrong or outdated key. Usage: * Do not automatically encrypt to Level 0. === Level 1 === Defined as: {{{ ((userid.validity == Marginal AND tofu.validity < "Key with enough history for basic trust") AND key.source NOT in [cert, pka, dane, wkd]): }}} Explanation: This level means that there is some confidence that the recipient actually can use the key as we have seen at least one signature or we have a weak trust path over the web of trust. So it is unlikely that the recipient can't decrypt and thus its ok to use that Key for opportunistic encryption encryption but when receiving a signed message it should only show in details that a message was signed. There may be some indication that the sender demonstrated a willingness to use crypto mails, especially if opportunistic encryption is disabled. Usage: * Automatically encrypt to Level 1 * Don't show verified messages as much more trusted then an unverified message. === Level 2 === Defined as: {{{ (userid.validity == Marginal AND ((tofu.validity >= "Key with enough history for basic trust" AND tofu.signfirst >= 3 Days ago) OR key.source IN [cert, pka, dane, wkd])): }}} Explanation: The "automated user" that never uses any Certificate Manager or GnuPG will only see Level one and Level two as this is the highest level reachable through full automation. We have basic confidence that the Sender is who he claims because we either have an established communication history or some "good enough" source of the key (e.g. the mail provider + https) provided the key for this sender. Conflicts in this level are discussed more details below in the part about Conflict handling. Usage: * Automatically encrypt to Level 2 * Show verified messages as more trusted then an unverified message. === Level 3 === Defined as: {{{ userid.validity == Full AND "no key with ownertrust ultimate signed this userid." }}} Explanation: Level 2 is good enough for most use cases, but some organisations or individuals or policies may require and assurance of confidentiality that may never reached through automation. The idea is that Level 3-4 provide flexibility for Organisational Measures like: You may only send restricted documents to Level 4 keys. The level is reached either through Web of Trust or if a user explicitly set the tofu Policy to "Good" for this key. Automatically this Level can only be also be reached through WoT if a user trusted at least one other key. This is also the level for S/M~I~M~E Mails. Usage: * Automatically encrypt to Level 3 * You can assert in the ui that according to gnupg the sender is who he claims to be. === Level 4 === Defined as: {{{ userid.validity == ultimate OR (userid.validity == full AND "any key with ownertrust ultimate signed this userid.") }}} Explanation: Same reason as for Level 3. But even more restricted to direct trust, meaning that: Either yourself or someone that is allowed to make that e.g. your central "CA" style person you may have in an organisation has signed that key. For a user this could also mean something like "with this communication partner I want to be absolutely sure that I'm always using the right key. So I manually verify the fingerprint. And mark that with a local or public signature on that key. Usage: * Automatically encrypt to level 4 * Show verified messages as "the best". Stars and sprinkle level ;-) === Rationale === === Time delay for level 2 === A time delay is supposed to make it more expensive for an attacker to reach level 2 as we then start to make claims about the attacker. The assumption is that an attack that is kept up over some time is more difficult. Especially if it involves some external factors, like a phishing website etc. which might be turned off. A time delay gives others the chance to intervene if they detect an attack e.g. if it is organisationwide. It also mitigates User Experience problems arising from the use of the encryption count in GnuPG's calculation for basic history because if you encrypt 20 drafts or 20 mails / files quickly to the same key it should not become level 2 before you have seen a signature. A concern is that using the time of the first signature verification before reaching level 2 make lead to bad user experience. E.g.: You look at the same message after three days. Now it's level 2, last time you looked it was level 1. == Presentation == There should only be prominent information when reading a signed mail if: * There is additional information that the sender is really is the intended communication partner. (Level >= 2) This could be displayed as a checker or a seal ribbon or something. It should be prominent and next to the signed content. There should be a distinction between Levels two, three and four but it may be slight. |
| Line 18: | Line 230: |
| sender is not verified it should be displayed the same as an unsigned mail because | sender is not verified it should be displayed similar to an unsigned mail because |
| Line 20: | Line 232: |
| Communication partner. ==== Put it in Details ==== The information that a Mail was signed should of course be available even if the signature could not be used to verify the sender. And the user should get tips how to verify the sender (e.g. exchange fingerprints out of Band) but this should be "Details". Although easily accessible this should not be needed to establish cryptographically secured communication. === Definition of Sender === * Mail: The Sender is the first UID where the mailbox matches the mailbox of the {{{From header}}}. * File: The Sender is the UID from the {{{Signer's User ID}}} subpacket of a signature. === Definition of Verified Sender === A sender is only verified if the signature was made by a key that contains a UID for the Sender and one of the conditions match: * The signature is Fully / Ultimately valid. * The signature is marginally valid and: ** The signcount shows that there were several signed messages exchanged involving this key. The current threshold for this is at least **ten** messages. == Opportunistic Encryption (Mail only) == A MUA should offer automated opportunistic encryption. To determine if a mail can be sent encrypted one of the following rules must match for each recipient: * There is a Fully / Ulitimately valid key for the recipient. * This is a marginally valid key for the recpient and the first UserID matches |
Communication partner. You may want to show a tofu Conflict more prominent as user interaction is required at this point. Especially: **ignore GPGME's Red suggestion** An attacker would have removed the signature instead of invalidating it. It should be treated like an unsigned mail and only additional info in details should be shown for diagnostic purposes. Similarly when Red is set because a key is expired or so. It's not more negative then a unsigned mail so only if your M~U~A shows unsigned mails as "Red" may you treat signed mails this way, too ;-) == Conflict handling == What happens when there is a conflict in the tofu trust model, so you have seen two keys for a senders mailbox and the keys are not cross-signed and both are valid. When can this happen: Attacks: # There is a man in the middle trying to intercept encrypted communication and he did not control all of your communication history. # There is an impostor trying to claim a false identity. # There is a Troll trying to hurt usability so much that automated encryption is no longer used. # There is a man in the middle that controlled all your communication history (e.g. your router) Misuse: # A user generated two keys e.g. on two devices and did not cross sign them and uses both. # A user lost control of his old key, and did not have a revocation certificate. Both misuse cases should be handled on the senders side because he controls or lost control of the involved keys and can take steps / inform himself what went wrong. Case two very likely more common as case one would also lead to problems already because the communication partners of the second key would not know to which key they should encrypt the user would be able to read mails on one device but not at the other et. cetra. Loosing keys can also be assisted by software that provides a bad user experience or does not follow common practices. === Resolving conflicts on the senders side === A tofu aware ~G~U~I should (even when TOFU is disabled) check when a secret key is used for signing if there are other secret keys with the same uid available and they are not cross signed a GUI should offer that option. Similarly, if a signature is verified by a MUA and there are secret keys available with the same userid and they are not cross signed this should be told to the user and offered to do if possible. ==== WKD Checks ==== A tofu aware ~G~U~I should check when signing or from time to time if a different key is uploaded to a WKD for this userid and warn in that case. This will also make a permanent man in the middle attack by a mail service provider more expensive as it would mean providing a different key to the attacked user then to others. ==== Automated conflict resolution by recipients ==== Recipient means here that if there are two keys seen for one sender address when verifying a mail, the recipient is the person doing the verification. A conflict should then be automatically resolved by keeping the old key in use for automated encryption to this address until it is revoked or explicitly marked as bad and treating the new key for validity display just like a fresh key. * Policy bad for the new key. * Policy ask for the old key. The conflict would be detectable in the interface because it will no longer be shown that the sender is verified. A details dialog should provide a clear and easy option to switch keys for this recipient. The new key will then get policy auto and the old key as policy bad. E.g if your communication partner has lost his old key through misuse. ===== How would this relate to attacks? ===== * Man in the middle without full control of communication history. * A man in the Middle attack will be prevented and may be detected. * Impostor attack would still be prevented because the new key is never shown as valid / verified unless user interaction is done. * The DOS Crypto Attack will be prevented as conflicts are not shown so prominent. == Key discovery and Opportunistic Encryption (Mail only) == A MUA should offer automated key discovery and opportunistic encryption. The WKD / WKS helps with automated key discovery and should be used (by using {{{--locate-key}}}) To determine if a mail can be sent automatically encrypted one of the following rules must match for each recipient: * There is a Fully / Ultimately valid key for the recipient. * This is a marginally valid key for the recipient and the first UserID that matches |
| Line 53: | Line 341: |
| key was obtained through a slightly authenticated source. === Marginal Substates === For Marginal keys there should be a visible hint that the recipient's key might not be the intended recipient. E.g. a Lock symbol with different overlays for warning, yellow checker, green checker. These substates should indicate: * Very little confidence (marginal + signcount < 10) * Basic confidence (marignal + signcount >= 10) * Good confidence (marginal + signcount >= 100) === Definition of slightly authenticated source === A slightly authenticated source is a key from a source that gives some confidence in the fact that a recipient controls the key obtained from the source. It does **not** influence the status of Verified Sender more then seeing one signed message of that sender. The slightly authenticated source should just help determining an automatically selected key for opportunistic encryption that shows an indication that the recipient controls the key exactly as if you would have already seen one message signed with that key. === Keys from public keyservers === If you recieve a message from an Unknown Key a MUA should automatically retrieve it from a public keyserver or a Web Key directory. This Key can then be used for opportunistic encryption. == Examples from GpgOL == The Information boxes in the screenshots only open when a user hovers over the Icon. A click on the Signature Icon should open a Key Details dialog with further information about a key and e.g. options for conflict handling. A web of trust verified sender: {{http://files.intevation.de/users/aheinecke/gpgol_sigs/trusted.png}} A tofu verified sender: {{http://files.intevation.de/users/aheinecke/gpgol_sigs/tofu.png}} A marginal signature without enough history: {{http://files.intevation.de/users/aheinecke/gpgol_sigs/tofu-untrusted.png}} An invalid signature: {{http://files.intevation.de/users/aheinecke/gpgol_sigs/invalid.png}} An unsigned mail: {{http://files.intevation.de/users/aheinecke/gpgol_sigs/unsigned.png}} |
key was obtained through a slightly authenticated source (e.g. WKD). === Auto Key Retrieve === Additionally to WKD lookup, if you receive a message from an Unknown Key a MUA should automatically retrieve it from a public keyserver or a Web Key directory. This Key can then be used for opportunistic encryption because you have seen a signature it is very likely that the recipient can decrypt. (auto-key-retrieve in gnupg) == Screenshots from GpgOL == {{gpgol-no-key.png}} No key was found. Level 0. {{gpgol-tofu-first.png}} The first signed message form someone else. Level 1. {{gpgol-tofu-second.png}} The second message. Level 1. {{gpgol-tofu-basic.png}} Basic trust! Level 2. {{gpgol-tofu-fully.png}} Full trust! Level 3. {{gpgol-invalid-sig.png}} Invalid sig. Level 0. {{gpgol-conflict.png}} Tofu conflict. User attention required. |
Contents
Automated Encryption
This page is intended as a discussion base for validity display and opportunistic mail encryption and how to use the trust-model tofu+pgp for automated encryption.
TODO:
Things to do after discussion and Feedback not integrated in this draft
- The yellow checker does not work as a symbol.
- Level 5 is not part of the screenshots.
What are our goals and how do we archive them?
- Prevent mass surveillance: By providing a fully automated encryption mode that requires no user interaction by default and uses a trust model based on the history of communication.
- Spam phishing: By using signatures to verify the senders address.
- Targeted (spear) phishing or CEO-Fraud: By including Web of Trust / pgp trust in our trust model and so enable verification levels that go above anything that could be reached through automation or a very convincing communication history.
- Man in the Middle attacks: By tracking the consistency of the used encryption / signature key for a given sender address.
Details
Trust Levels
Definitions of wording:
userid: The userid on a key that matches the smtp Address of the sender.
tofu: Information we have about the communication history and reflects a bit the API of gpgme_tofu_info_t. As tofu info is bound to a given key + userid it is also sometimes called "binding".
key source: The source where the key was imported from, e.g. if if was automatically imported over https, or if it comes from public keyservers.
Key with enough history for basic trust:
Level 0
Defined as:
(userid.validity <= Marginal AND tofu.signcount == 0 AND tofu.enccount == 0 AND key.source NOT in [cert, pka, danke, wkd])
Explanation:
With trust-model tofu+pgp this level is used only for Keys that were never used before to verify a signature and not obtained by a source that gives some indication that this is an actual key for this address.
The Key should not be used for opportunistic encryption to avoid the problem that the recipient might not be able to decrypt the message because it is a wrong or outdated key.
Usage:
- Do not automatically encrypt to Level 0.
Level 1
Defined as:
((userid.validity == Marginal AND tofu.validity < "Key with enough history for basic trust") AND key.source NOT in [cert, pka, dane, wkd]):
Explanation:
This level means that there is some confidence that the recipient actually can use the key as we have seen at least one signature or we have a weak trust path over the web of trust.
So it is unlikely that the recipient can't decrypt and thus its ok to use that Key for opportunistic encryption encryption but when receiving a signed message it should only show in details that a message was signed.
There may be some indication that the sender demonstrated a willingness to use crypto mails, especially if opportunistic encryption is disabled.
Usage:
- Automatically encrypt to Level 1
- Don't show verified messages as much more trusted then an unverified message.
Level 2
Defined as:
(userid.validity == Marginal AND ((tofu.validity >= "Key with enough history for basic trust" AND tofu.signfirst >= 3 Days ago) OR key.source IN [cert, pka, dane, wkd])):
Explanation:
The "automated user" that never uses any Certificate Manager or GnuPG will only see Level one and Level two as this is the highest level reachable through full automation.
We have basic confidence that the Sender is who he claims because we either have an established communication history or some "good enough" source of the key (e.g. the mail provider + https) provided the key for this sender.
Conflicts in this level are discussed more details below in the part about Conflict handling.
Usage:
- Automatically encrypt to Level 2
- Show verified messages as more trusted then an unverified message.
Level 3
Defined as:
userid.validity == Full AND "no key with ownertrust ultimate signed this userid."
Explanation:
Level 2 is good enough for most use cases, but some organisations or individuals or policies may require and assurance of confidentiality that may never reached through automation.
The idea is that Level 3-4 provide flexibility for Organisational Measures like: You may only send restricted documents to Level 4 keys.
The level is reached either through Web of Trust or if a user explicitly set the tofu Policy to "Good" for this key.
Automatically this Level can only be also be reached through WoT if a user trusted at least one other key.
This is also the level for S/MIME Mails.
Usage:
- Automatically encrypt to Level 3
- You can assert in the ui that according to gnupg the sender is who he claims to be.
Level 4
Defined as:
userid.validity == ultimate OR (userid.validity == full AND "any key with ownertrust ultimate signed this userid.")
Explanation:
Same reason as for Level 3. But even more restricted to direct trust, meaning that:
Either yourself or someone that is allowed to make that e.g. your central "CA" style person you may have in an organisation has signed that key.
For a user this could also mean something like "with this communication partner I want to be absolutely sure that I'm always using the right key. So I manually verify the fingerprint. And mark that with a local or public signature on that key.
Usage:
- Automatically encrypt to level 4
- Show verified messages as "the best". Stars and sprinkle level ;-)
Rationale
Time delay for level 2
A time delay is supposed to make it more expensive for an attacker to reach level 2 as we then start to make claims about the attacker.
The assumption is that an attack that is kept up over some time is more difficult. Especially if it involves some external factors, like a phishing website etc. which might be turned off.
A time delay gives others the chance to intervene if they detect an attack e.g. if it is organisationwide.
It also mitigates User Experience problems arising from the use of the encryption count in GnuPG's calculation for basic history because if you encrypt 20 drafts or 20 mails / files quickly to the same key it should not become level 2 before you have seen a signature.
A concern is that using the time of the first signature verification before reaching level 2 make lead to bad user experience. E.g.: You look at the same message after three days. Now it's level 2, last time you looked it was level 1.
Presentation
There should only be prominent information when reading a signed mail if:
- There is additional information that the sender is really is the intended communication partner. (Level >= 2)
This could be displayed as a checker or a seal ribbon or something. It should be prominent and next to the signed content. There should be a distinction between Levels two, three and four but it may be slight.
Don't treat signed mails worse then an unsigned mail
A MUA should not treat any signed mail worse then an unsigned mail. If a sender is not verified it should be displayed similar to an unsigned mail because in both cases you have no information that the Sender is actually your intended Communication partner. You may want to show a tofu Conflict more prominent as user interaction is required at this point.
Especially: ignore GPGME's Red suggestion An attacker would have removed the signature instead of invalidating it. It should be treated like an unsigned mail and only additional info in details should be shown for diagnostic purposes. Similarly when Red is set because a key is expired or so. It's not more negative then a unsigned mail so only if your MUA shows unsigned mails as "Red" may you treat signed mails this way, too ;-)
Conflict handling
What happens when there is a conflict in the tofu trust model, so you have seen two keys for a senders mailbox and the keys are not cross-signed and both are valid.
When can this happen:
Attacks:
- There is a man in the middle trying to intercept encrypted communication and he did not control all of your communication history.
- There is an impostor trying to claim a false identity.
- There is a Troll trying to hurt usability so much that automated encryption is no longer used.
- There is a man in the middle that controlled all your communication history (e.g. your router)
Misuse:
- A user generated two keys e.g. on two devices and did not cross sign them and uses both.
- A user lost control of his old key, and did not have a revocation certificate.
Both misuse cases should be handled on the senders side because he controls or lost control of the involved keys and can take steps / inform himself what went wrong.
Case two very likely more common as case one would also lead to problems already because the communication partners of the second key would not know to which key they should encrypt the user would be able to read mails on one device but not at the other et. cetra.
Loosing keys can also be assisted by software that provides a bad user experience or does not follow common practices.
Resolving conflicts on the senders side
A tofu aware GUI should (even when TOFU is disabled) check when a secret key is used for signing if there are other secret keys with the same uid available and they are not cross signed a GUI should offer that option.
Similarly, if a signature is verified by a MUA and there are secret keys available with the same userid and they are not cross signed this should be told to the user and offered to do if possible.
WKD Checks
A tofu aware GUI should check when signing or from time to time if a different key is uploaded to a WKD for this userid and warn in that case. This will also make a permanent man in the middle attack by a mail service provider more expensive as it would mean providing a different key to the attacked user then to others.
Automated conflict resolution by recipients
Recipient means here that if there are two keys seen for one sender address when verifying a mail, the recipient is the person doing the verification.
A conflict should then be automatically resolved by keeping the old key in use for automated encryption to this address until it is revoked or explicitly marked as bad and treating the new key for validity display just like a fresh key.
- Policy bad for the new key.
- Policy ask for the old key.
The conflict would be detectable in the interface because it will no longer be shown that the sender is verified. A details dialog should provide a clear and easy option to switch keys for this recipient.
The new key will then get policy auto and the old key as policy bad.
E.g if your communication partner has lost his old key through misuse.
How would this relate to attacks?
- Man in the middle without full control of communication history.
- A man in the Middle attack will be prevented and may be detected.
- Impostor attack would still be prevented because the new key is never shown as valid / verified unless user interaction is done.
- The DOS Crypto Attack will be prevented as conflicts are not shown so prominent.
Key discovery and Opportunistic Encryption (Mail only)
A MUA should offer automated key discovery and opportunistic encryption. The WKD / WKS helps with automated key discovery and should be used (by using --locate-key)
To determine if a mail can be sent automatically encrypted one of the following rules must match for each recipient:
- There is a Fully / Ultimately valid key for the recipient.
- This is a marginally valid key for the recipient and the first UserID that matches the recipients mailbox has a signcount of at least one. Or the recipients key was obtained through a slightly authenticated source (e.g. WKD).
Auto Key Retrieve
Additionally to WKD lookup, if you receive a message from an Unknown Key a MUA should automatically retrieve it from a public keyserver or a Web Key directory. This Key can then be used for opportunistic encryption because you have seen a signature it is very likely that the recipient can decrypt. (auto-key-retrieve in gnupg)
Screenshots from GpgOL
No key was found. Level 0.
The first signed message form someone else. Level 1.
The second message. Level 1.
Basic trust! Level 2.
Full trust! Level 3.
Invalid sig. Level 0.
Tofu conflict. User attention required.