Web of Trust

from Wikipedia, the free encyclopedia
[Figure: Schematic representation of a web of trust]

A web of trust (WoT) in cryptology is the idea of verifying the authenticity of digital keys through a network of mutual confirmations (signatures), combined with individually assigned trust in the confirmations of others ("owner trust"). It is a decentralized alternative to the hierarchical PKI system.

Problem

Public-key encryption has the advantage over symmetric encryption that the exchanged keys do not have to be transmitted over a secure channel; they are public. To distribute keys, one can therefore use a network of key servers, to which everyone can upload their public keys and from which anyone can retrieve the key of the person they want to communicate with. This creates another problem, however: a person could publish a key with which they pretend to be someone else. So there must be a way to check the authenticity of a key.

The solution to this problem is to have the authenticity of a public key confirmed by a trustworthy entity using a digital certificate. In public key infrastructures, this entity is a certification authority; in the web of trust, however, all participants take on this function.

Working principle

Alice signs Bob's key and trusts Bob's key signatures.
Bob signs Carl's key.
      (Bob's trust in Carl's key signatures is neither known nor relevant.)
Alice therefore considers Carl's key to be valid.

It is important not to confuse the two types of trust involved here:

  1. On the one hand, you trust that a key (that you haven't signed yourself) is valid (authentic), i.e. that the owner of the key is really the person (or institution) you think it is.
  2. On the other hand, one trusts (or only partially or not at all) that the owner of a key only carries out careful key signatures, i.e. that the statement expressed by the signature that a certain key belongs to a certain person is reliable. This trust is called the “Owner Trust”.

These two types of trust are independent of each other:

  1. You can be sure that a certain key belongs to a certain person. This belief is in no way shaken by considering that person's key signatures as worthless.
  2. One can fully trust a person's key signatures without having a key that is considered valid for that person. (Until a valid key is available, however, any key signatures of the person are worthless.)

There is also, implicitly, a third category of trust, namely trust in the security of the signing key. A person whose certificates are fully trusted may, with good reason, also have keys that are less secure because of the way they are used (their certificates are correspondingly less valuable). Owner trust is defined per key, so it can be set differently for several keys belonging to the same owner.

OpenPGP offers the option of attaching to a key certificate an indication (albeit an imprecise one) of how thoroughly the authenticity of the key has been checked. The users of the WoT generally do not know how thoroughly the identity of the key and of its owner has been checked, or which components of the key have been checked at all. The signer may know the owner personally, may have used an ID document (or similar) to verify a stranger, or may not even have done that; especially with foreign names, he may have accepted a different spelling. The verification of the key information can be limited to the name (names are not unique); it can include any or all of the e-mail addresses and even the comments. Even when a check is known to be comprehensive, the security of checking an ID card or an e-mail address is not even remotely comparable to the technical security of conventional cryptography. The security of the WoT is therefore limited. This can be compensated in part by requiring more signatures before a key is considered valid, but that reduces the usability of the WoT accordingly. A key can be validated via any number of intermediate steps (the number can be limited), but all keys involved (apart from the one to be validated) must have a corresponding owner trust.

Certificates from the Web of Trust

In the web of trust, a certificate consists of the digital signature that another participant in the web of trust places on a key after verifying the identity of the key holder (typically during a face-to-face encounter).

RFC 2440 (now replaced by RFC 4880) describes a procedure for attaching these certificates to the key and adding a rating. The certificate is uploaded with the key to a global network of key servers and can thus be accessed by anyone.

The key holder collects as many of these signatures as possible. People who do not know the key holder and have no personal contact with them can see from the certificates that the identity has a high level of legitimacy and can trust it.

Example

In a web of trust it works like this:

  1. Alice creates a key pair for herself and signs it. She also sends the public part to a key server so that other participants have easy access to it.
  2. Bob wants to communicate with Alice in encrypted form. To do this, he gets Alice's key from a key server, but still has to make sure that he really got the right key: An attacker could impersonate Alice and send a key he generated to the key server. Anyone who thinks they are encrypting a message for Alice only would in fact be encrypting it for the attacker.
  3. Bob asks Alice (e.g. during a phone call or a personal meeting) for the fingerprint of her public key. He compares this with that of the key that he received from the key server.
  4. If both fingerprints match, Bob can assume that he has received the correct key. That is why he signs Alice's public key (more precisely: one or more of her user IDs) with his private one and sends this signature to the key server.
  5. If Carl would like to communicate with Alice in encrypted form, he obtains Alice's public key from the key server, just as Bob did. He then discovers that Bob has already checked Alice's key. If Carl already knows Bob's key and trusts Bob to perform a thorough check before signing someone else's keys, he does not have to meet Alice first and repeat this check. He trusts Alice's key solely on the basis of Bob's trusted signature. If Carl wants to increase his level of security or, in particular, trusts Bob's signature only to a limited extent, he can configure his cryptosystem so that several signatures he accepts must be present before a key is automatically considered valid.

Formalization

Key management in a web of trust is done with the help of key rings. A user's public keyring stores their own and other users' public keys together with the associated certificates; the private keyring contains their own private keys. Each user assigns a level of trust in the owner to the public keys ("owner trust"). The degree of trust in the authenticity of other keys ("key legitimacy") is derived from this. Trust in the authenticity of other users' keys is established either via direct trust (i.e. personally verifying the authenticity of another user's public key) or via the owner trust of the signers of those keys.

Owner Trust

Each user sets the owner trust value for the keys in his public keyring himself (i.e. this information is not made public). The following values are available in GnuPG (the RFC does not provide any information on this):

  • "Unknown" for keys for which no explicit specification has yet been made (default value)
  • "No confidence" ("not trusted") for keys whose certifications are explicitly not trusted (i.e., signatures by these keys are ignored in validity calculations)
  • "Low trust" ("marginal") for keys that are only partially trusted (i.e., by default, three signatures by such keys are required to validate a key)
  • "Full confidence" ("complete") for keys that are fully trusted (i.e., by default, one such signature is sufficient to validate a key)
  • "Absolute trust" ("ultimate") for keys that you have generated yourself (this relationship is not fixed; you can give your own keys a different value and also assign this value to someone else's keys; a single signature by such a key is always sufficient to validate a key)

With the standard method for calculating validity (WoT), GnuPG needs at least one key with absolute trust in the keyring, because otherwise no key is valid (and only the signatures of valid keys are taken into account).

Normal signatures only affect the validity of the signed key, not its owner trust! Owner trust must be specified individually for each key in the local database (in GnuPG; the RFC also allows corresponding signatures ("Trust Packet") in the keyring).

Signatory Trust

If Alice signs Bob's public key and then transmits this signature to a key server, this signature can be used by third parties to assess the authenticity of Bob's public key. To do this, they (essentially) check

  1. whether Alice's public key is valid for them (because they signed it themselves or it became valid via the WoT) and
  2. whether they have assigned a positive owner trust ("marginal" or "complete") to Alice's public key.

If both are the case, then Bob's key either becomes valid through Alice's signature alone (“complete”) or possibly together with others (“marginal”). This does not change the owner trust of Bob's key.

Which owner trust Alice has specified for Bob's key does not play a role in this process because this information is not publicly known. The public is only informed that Alice is convinced of the identity of the key owner (Bob). What Alice thinks of Bob's signatures has no influence on the WoT of other users.
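
The check described above, together with the GnuPG owner-trust thresholds listed under "Owner Trust", can be written out as follows. This is an added Python example, not GnuPG's code and not part of the original article; the function name valid_keys, the integer encoding of the trust levels and the sample data are assumptions made for illustration, and any limit on the number of intermediate steps is left out.

```python
# Owner-trust levels named on this page; the integer encoding is an assumption.
UNKNOWN, NOT_TRUSTED, MARGINAL, COMPLETE, ULTIMATE = range(5)

def valid_keys(signatures, owner_trust, marginals_needed=3, completes_needed=1):
    """Compute which keys one verifier considers valid.

    signatures:  set of (signer, signed) pairs, i.e. the public certificates.
    owner_trust: the verifier's private mapping key -> owner-trust level.
    Thresholds default to the values this page gives for GnuPG.
    """
    # Keys with ultimate trust are the roots; without one, no key is valid.
    valid = {k for k, level in owner_trust.items() if level == ULTIMATE}
    changed = True
    while changed:  # repeat until no further key becomes valid
        changed = False
        for key in {signed for _, signed in signatures} - valid:
            # Only signatures made by keys that are already valid count.
            levels = [owner_trust.get(s, UNKNOWN)
                      for s, k in signatures if k == key and s in valid]
            if (ULTIMATE in levels
                    or levels.count(COMPLETE) >= completes_needed
                    or levels.count(MARGINAL) >= marginals_needed):
                valid.add(key)
                changed = True
    return valid

# Constructed sample data: the verifier is Alice.
SIGNATURES = {
    ("alice", "bob"), ("bob", "carl"), ("carl", "dave"),
    ("alice", "erin"), ("alice", "frank"), ("alice", "grace"),
    ("erin", "heidi"), ("frank", "heidi"), ("grace", "heidi"),
    ("erin", "ivan"), ("frank", "ivan"),
    ("zoe", "yan"),
}
ALICE_TRUST = {
    "alice": ULTIMATE, "bob": COMPLETE,
    "erin": MARGINAL, "frank": MARGINAL, "grace": MARGINAL,
    "zoe": COMPLETE,  # trusted signer, but Alice has no valid key for zoe
}

if __name__ == "__main__":
    print(sorted(valid_keys(SIGNATURES, ALICE_TRUST)))
    print(sorted(valid_keys(SIGNATURES, ALICE_TRUST, marginals_needed=2)))
```

In the sample data, carl becomes valid through bob's signature, but dave does not, because Alice has assigned no owner trust to carl; yan stays invalid although zoe is fully trusted, because zoe's own key is not valid for Alice.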

Key legitimacy

The trust in the authenticity of a public key is expressed by the “key legitimacy” value. It is calculated from the Signatory Trust of the signing keys as follows:

  • be the number of signatures whose Signatory Trust is "marginal"
  • Let the number of signatures with a Signatory Trust be “marginal” that is required for a key to be classified as authentic
  • be the number of signatures whose Signatory Trust is "complete"
  • Let be the number of signatures with a Signatory Trust “complete” that is required for a key to be classified as authentic

Then be

If the verified key is not authentic. With it is seen as "partially authentic" and with as "completely authentic". As a rule, you select and , so two signatures from partially trustworthy persons or one signature from a fully trustworthy person are required for a key to be classified as authentic. In principle, however, everyone can freely choose the values ​​for and depending on their personal level of paranoia .

Assessment

On the one hand, the web of trust lets its participants control individually whom they classify as trustworthy, and free software is available that implements the concept. On the other hand, it requires a high degree of prior knowledge from the user, it is not legally binding (unlike, e.g., a qualified electronic signature), and the revocation of a certificate does not become generally known immediately, as it does in a PKI, nor is it implemented in a comparable way.

Key server privacy issues

A fundamental problem is that, with current implementations, the owner of a key has no technical influence over

  • who signs his public key and
  • whether someone uploads his public key to a public key server (or uploads it again with new signatures).

However, personal data is attached to the key and is published along with it: through the signatures of other people, the most important element of the web of trust, the key contains a list of the people who have verified the identity of the key holder, including the date of the verification. This data is publicly visible and automatically retrievable on a key server, so it can easily be analyzed and the key holder's participation in social networks can be determined.

In addition, a public list of all previous e-mail addresses of the key holder accumulates over time as long as the key holder does not change his key.

Not everyone is aware from the outset that by participating in the web of trust they are releasing data that they may not have wanted to make public, and that there is no way of ever having it removed again.

Public keys that have been exported to a key server cannot be deleted. The key servers are constantly synchronized with each other, so that a new or supplemented key, including all signatures and comments, can be retrieved from all key servers in the world within a very short time after it is uploaded (or re-uploaded), regardless of who uploaded the key and whether the key belongs to them.

With the usual implementations, key revocation consists only of creating a key revocation certificate, which then also has to be uploaded to the key server, where it does practically nothing other than add a note to the existing key saying that the key should no longer be used. Software can, but does not have to, refuse such keys for encryption. Key revocation has nothing to do with the deletion of keys, signatures or comments.

The key holder thus has no way of influencing the dissemination of the data that is necessary for the functioning of the web of trust. This contradicts the purpose of encryption programs, which is to protect personal data.

Software

Well-known implementations of the web of trust are the commercial program Pretty Good Privacy (PGP) and the free program GNU Privacy Guard (GnuPG), which implement RFC 2440.

PGP's extensive web of trust has been studied in depth. Not least because of the affinity of many members to international open source projects such as Debian, and the support of organizations such as the computer journal c't as part of the Heise publishing house's "crypto campaign", it contains a so-called "strong set", in which there are only six connecting links between any two people.

Social networks

There are also applications of the basic social idea of the web of trust apart from cryptography. For example, the CouchSurfing network has a guarantee system in which "trustworthy" members can declare their trust in new members with a "guarantee", which increases the trust of the entire community in relation to the new member; each member who has received at least three guarantees may in turn vouch for other members. This creates a social network of trust.
