No large international event which includes system and network
security and privacy of information among its topics can be complete
without a PGP key-signing party. During this gathering, participants who
already have one or more PGP key-pair(s) can meet others and, by using
a safe protocol, sign their (public) keys so that the Web of Trust can grow
a little wider.

1. Introduction to Encryption, PGP and PGP Keys

Remember when you were a child and communicated with your best friends
in code so that only you and your friends could read the message? The world
is not, or rather has never been, a very safe place to keep a secret. And all of
us have some secrets we either want to keep to ourselves or share with
only a select group of trusted friends. Using old-fashioned or
standard modern storage and communication means, this is no easy task.
Disks or tapes might get stolen and communication lines can be tapped.

Still, it is our right to protect our privacy. So what we need are
tools that scramble our information in such a way that it is not
possible to crack the code in any reasonable amount of time.
Enter cryptography, the science of creating precisely those tools,
and PGP (which stands for Pretty Good Privacy), a program
initially created by Phil Zimmermann that
uses several strong cryptographic algorithms to protect the information fed into
it in such a way that only the person who has the right key can decrypt it.
"Strong" in this case means that the only way the original information can be
recreated from the scrambled data in a timely manner is to feed that data and
the right key to the decryption algorithm. The key is thus the only
item that must remain secret.

OK, so now we have a tool to encrypt and decrypt information.
Let's go back to your childhood. Remember the hard part of using
a code? Right, it was transferring the information on how to
decrypt the code to the other person(s) you would like to
communicate with. Only relatively recently (in the late 1970s) was this
problem solved by the creation of public key cryptography,
where the keys are split into two pieces, one of which can be made
public (like a telephone number) and the other of which must
be kept secure by the owner (like the telephone itself).
Key management would seem to be a solved problem.

Unfortunately, that isn't so. Key management is undeniably easier using
public key systems, but the question becomes one of authentication.
How do you know, for sure, that the person you think you are sending
the secret message to is really the person you wanted to send it to?
I could easily get a telephone connected in another name, and sit
back waiting for phone calls intended for another person of that name.

2. Key Authentication: The Web of Trust

One answer to the authentication problem is to have trusted parties
who introduce other parties to you. This is what the PGP documentation
calls the "Web of Trust". It is a web because each party in it can introduce
other parties whom you may or may not already know. Using the telephone
analogy, you would only say secret things on the phone if someone you
trust had given you the telephone number, not if you had just looked
it up in the phone book.

Another answer to the problem is to have Certification Authorities, forming
a hierarchical structure. When you get a public key, you would also get a list
of certificates. For example, J. Smith's public key might come with a certificate
from Widgets, Inc., stating that he works for them. In turn, Widgets, Inc., would
need a certificate from someone stating that it is a Delaware Corporation. The state
of Delaware would need a certificate stating that it really was what it said it was,
presumably issued by the omnipresent authority (which, at the moment, is RSA Data
Security Inc.).

Both schemes have flaws. The big problem with the Web of Trust is that it has to
be big and well connected before it is useful, while the Certification Authority
one implies a sort of control which is often the reason the parties wanted to
communicate privately in the first place.

3. The Key-Signing Party

Great! you say. So what is this key-signing thing all about? A celebration
of persons who own a key-pair and want to party? Well, no... A key-signing
party is not exactly a party in that sense...

A key-signing party is a gathering of people interested in
extending the Web of Trust. In fact, they have prepared to join the
party by submitting some information about their PGP keys to the
person hosting the key-signing party, e.g.:

User ID : Hans Van de Looy <hans@unicorn.xs4all.nl>
Key ID : 0x0A7B84E7
Type/Size : RSA/2048
Fingerprint: 64 07 5D 4C 3F 81 22 73 52 9D 87 08 51 AA 35 F0

At the gathering, I might stand up and say "I'm Hans Van de Looy,
here is my passport and business card, and the key with fingerprint
64 07 5D 4C ... really does belong to me."
The others present can verify my passport if they wish and take note, now knowing the
association between the key and the person who stood up at the meeting.

A conference or any similar gathering offers a great opportunity to significantly
extend the Web of Trust, and a PGP key-signing party is the most effective
way to do so!

4. How to join the PGP Key-Signing Party

A PGP Key-Signing Party follows a strict protocol that we describe
below. In order to join the SANE'98 PGP Key-Signing Party, you'll have to
prepare a couple of things: please read the instructions below carefully.
-- This info should be submitted no later than
November 15th, 1998 --
(see the example above)

We hope to see you all at the SANE'98 PGP Key-Signing Party! Until that time,
have a nice time and keep that privacy-sensitive information safe...

Written by Hans van de Looy and Edwin Kremer with some text borrowed
from the USENIX `key-signing' member service introduction by Greg Rose.
Last modified: October 20, 1998 (<pgp-keys@nluug.nl>)
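As an added example (not part of the original page or of the organisers' own tooling), the following Python script parses key submissions in the "User ID / Key ID / Type/Size / Fingerprint" format shown above, flags a short key ID claimed by more than one fingerprint, and applies the party's rule before signing: the fingerprint of the key you fetch afterwards must equal the one you ticked off when the owner read it aloud, and you must have checked their identity document in person. The first sample record is the page's own; the second is constructed and deliberately reuses the same key ID.

```python
import re
from collections import namedtuple

# Constructed sample submissions in the party's format: the first record is the
# page's own example, the second is made up and reuses the same short key ID.
SUBMISSIONS = """\
User ID : Hans Van de Looy <hans@unicorn.xs4all.nl>
Key ID : 0x0A7B84E7
Type/Size : RSA/2048
Fingerprint: 64 07 5D 4C 3F 81 22 73 52 9D 87 08 51 AA 35 F0

User ID : Example Attendee <attendee@example.invalid>
Key ID : 0x0a7b84e7
Type/Size : RSA/1024
Fingerprint: 0123456789ABCDEF0123456789ABCDEF
"""
# key_id is lower-cased; fingerprint is canonical upper-case hex without spaces
KeyRecord = namedtuple("KeyRecord", "user_id key_id type_size fingerprint")

def normalize_fp(fp):
    """Canonical form so '64 07 5d ...' and '64075D...' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def parse_submissions(text):
    """Parse blank-line-separated 'Field : value' records into KeyRecords."""
    records, fields = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if fields:
                records.append(KeyRecord(fields["user id"], fields["key id"].lower(),
                                         fields["type/size"],
                                         normalize_fp(fields["fingerprint"])))
                fields = {}
            continue
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return records

def duplicate_key_ids(records):
    """Short key IDs are not unique: return IDs claimed by more than one fingerprint."""
    claimed = {}
    for r in records:
        claimed.setdefault(r.key_id, set()).add(r.fingerprint)
    return {kid for kid, fps in claimed.items() if len(fps) > 1}

def ok_to_sign(record, fetched_fp, fingerprint_ticked_off, id_document_checked):
    """Sign only if the key fetched afterwards has the fingerprint you verified
    in person AND you checked the owner's identity document at the party."""
    return (fingerprint_ticked_off and id_document_checked
            and normalize_fp(fetched_fp) == record.fingerprint)
```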