ABSTRACT
We present the design and implementation of a trust-on-first-use (TOFU) policy for OpenPGP. When an OpenPGP user verifies a signature, TOFU checks that the signer used the same key as in the past. If not, this is a strong indicator that a key is a forgery and either the message is also a forgery or an active man-in-the-middle attack (MitM) is or was underway. That is, TOFU can proactively detect new attacks if the user had previously verified a message from the signer. And, it can reactively detect an attack if the signer gets a message through. TOFU cannot, however, protect against sustained MitM attacks. Despite this weakness, TOFU's practical security is stronger than the Web of Trust (WoT), OpenPGP's current trust policy, for most users. The problem with the WoT is that it requires too much user support. TOFU is also better than the most popular alternative, an X.509-based PKI, which relies on central servers whose certification processes are often sloppy. In this paper, we outline how TOFU can be integrated into OpenPGP; we address a number of potential attacks against TOFU; and, we show how TOFU can work alongside the WoT. Our implementation demonstrates the practicality of the approach.
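The policy the abstract describes is essentially a key-binding store: the first time a signer is seen, the fingerprint is recorded; afterwards every verification is checked against that record, and a second key for the same signer raises a conflict. The following Python is an added illustration written for this page, not the paper's implementation and not GnuPG's own TOFU database; the `TofuStore` API, the `Binding` fields, the verdict strings, and the `FP_*` fingerprints and e-mail addresses are all constructed for the example. It also shows the two cases from the abstract, proactive detection (a known signer suddenly uses a new key) and reactive detection (a key seen on first use is later contradicted by the genuine one), plus how a user resolution clears a conflict.

```python
"""Minimal trust-on-first-use (TOFU) binding store for OpenPGP-style signers.

Added example: the store, its verdicts and the sample data are constructed for
this page and are not the paper's or GnuPG's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Verdicts returned by TofuStore.check()
FIRST_USE = "first-use"   # no prior binding for this signer: record and trust
MATCH = "match"           # signer used the same key as before
CONFLICT = "conflict"     # signer has more than one unresolved key
REJECTED = "rejected"     # key was explicitly marked bad by the user


@dataclass
class Binding:
    """One (signer, key) pair the user has seen a verified signature from."""
    fingerprint: str
    first_seen: int          # constructed counter; a real store would use a timestamp
    verified: int = 0        # number of verified signatures with this key
    policy: str = "auto"     # "auto", "good" or "bad" (set by the user)


def _normalize_email(email: str) -> str:
    # Assumption: the signer identity is the e-mail part of the key's User ID.
    # Case-folding only; Unicode confusable handling is out of scope here.
    return email.strip().casefold()


def _normalize_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


class TofuStore:
    def __init__(self) -> None:
        self._bindings: Dict[str, List[Binding]] = {}

    def keys_for(self, email: str) -> List[Binding]:
        return list(self._bindings.get(_normalize_email(email), []))

    def check(self, signer_email: str, fingerprint: str, now: int) -> str:
        """Record the signer/key pair if new and return a TOFU verdict."""
        email = _normalize_email(signer_email)
        fpr = _normalize_fpr(fingerprint)
        known = self._bindings.setdefault(email, [])
        binding: Optional[Binding] = next(
            (b for b in known if b.fingerprint == fpr), None)
        is_new = binding is None
        if binding is None:
            binding = Binding(fingerprint=fpr, first_seen=now)
            known.append(binding)
        binding.verified += 1

        if binding.policy == "bad":
            return REJECTED
        if binding.policy == "good":
            return MATCH
        # Any other key for this signer that the user has not rejected makes
        # the binding ambiguous: this is the forgery / MitM indicator.
        others = [b for b in known if b is not binding and b.policy != "bad"]
        if others:
            return CONFLICT
        return FIRST_USE if is_new else MATCH

    def resolve(self, signer_email: str, fingerprint: str, policy: str) -> None:
        """User decision after a conflict: mark a key 'good' or 'bad'."""
        if policy not in ("good", "bad"):
            raise ValueError("policy must be 'good' or 'bad'")
        email = _normalize_email(signer_email)
        fpr = _normalize_fpr(fingerprint)
        for b in self._bindings.get(email, []):
            if b.fingerprint == fpr:
                b.policy = policy
                return
        raise KeyError(f"no binding for {email} / {fpr}")


# Constructed sample fingerprints (not real keys).
FP_A = "AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA"
FP_B = "BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB"
FP_MITM = "CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC"
FP_BOB = "DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD"


def scenario() -> List[str]:
    """Proactive case (alice) and reactive case (bob) from the abstract."""
    store = TofuStore()
    out = [
        store.check("Alice@example.org", FP_A, 1),   # first-use
        store.check("alice@example.org", FP_A, 2),   # match
        store.check("alice@example.org", FP_B, 3),   # conflict: new key, known signer
        store.check("alice@example.org", FP_A, 4),   # conflict: old key is now ambiguous too
    ]
    store.resolve("alice@example.org", FP_B, "bad")  # user rejects the second key
    out.append(store.check("alice@example.org", FP_A, 5))  # match again
    out.append(store.check("alice@example.org", FP_B, 6))  # rejected
    # Reactive case: an attacker's key was the first one seen for bob; the
    # conflict only surfaces once a genuine message from bob gets through.
    out.append(store.check("bob@example.org", FP_MITM, 7))  # first-use (undetected)
    out.append(store.check("bob@example.org", FP_BOB, 8))   # conflict (detected now)
    return out


if __name__ == "__main__":
    for step, verdict in enumerate(scenario(), 1):
        print(step, verdict)
```

Note what the bob case shows: if the attacker's key is the only one ever seen, the store returns `first-use` and then `match` indefinitely, which is the sustained-MitM limitation the abstract states; the conflict appears only when a message signed with the genuine key arrives.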
Index Terms
- TOFU for OpenPGP