An edited version of this paper appeared with the title "Modeling Trust With PGP 6.5.1" in the August 1999 issue of Information Security Magazine.
Just four and a half years ago, Phil Zimmermann received the Electronic Frontier Foundation (EFF) Pioneer Award even as federal prosecutors were considering indicting him for violation of laws governing the export of munitions. Why was he so "honored"? Zimmermann, you see, is the developer of Pretty Good Privacy (PGP), possibly the most popular cryptographic software for individuals.
Over the years, PGP has evolved from a tool used largely by crypt-weenies to a widely used commercial product. A freeware version of PGP for non-commercial uses is available from MIT (http://web.mit.edu/network/pgp.html), while Network Associates, Inc. (NAI), the company that bought PGP, distributes the commercial product (http://www.nai.com/asp_set/products/tns/).
But what began as a simple way to protect e-mail and disk files continues to expand into an entire "security solution" with NAI's recent release of PGP 6.5.1. PGP plays a pivotal role in NAI's Total Network Security (TNS) suite, which includes their Gauntlet Firewall, Cybercop Intrusion Protection software, PGP VPN (Virtual Private Network), and PGP Data Security. This suite of products includes client-server encryption, self-decrypting archives (SDA), integrated PGP command line functionality, support for Outlook 2000 and Outlook Express 5.0, and HTTP Proxy Support.
Among the more interesting capabilities is the PGP certificate server, providing an organization with the ability to build their own public key infrastructure (PKI) to protect their intranet or other private network application. The Net Tools PKI Server is a fully-functional certificate authority (CA) supporting X.509v3 certificates, root server key protection with Chrysalis Luna smartdisk technology, certificate revocation list (CRL) capability, Secure Sockets Layer/Transport Layer Security (SSL/TLS) transaction support, and an integrated LDAP directory server.
This suite of products demonstrates a great deal of flexibility in the one area that is imperative for the secure use of cryptography: namely, trust. People use public key cryptography so that they can have secure, private communication. But when you get a public key from someone, how do you know that that person is who they purport to be?
It has been noted that, on the Internet, "You are either born with [trust] or have it granted upon you." Classic PGP used a "web of trust" model whereby individuals exchanged keys with each other. Since the individuals were typically known to each other, trust was implicit in the personal acquaintance and users maintained their own keyring with known public keys. Furthermore, suppose that one of my friends, Alice, gives me a key from Bob. If I trust Alice (and the way in which she verifies keyholder identities), I might choose to trust Bob's key as valid and add it to my keyring. I may or may not choose to trust keys that Bob gives me. The extent of this web of trust is up to me.
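The Alice-and-Bob reasoning above, worked through as an added example (it is not part of the original article and is not PGP's own code). The owner names, the signature set and the two thresholds are assumptions constructed for illustration; the marginal-trust level goes slightly beyond the single fully trusted introducer the paragraph describes.

```python
# Toy model of web-of-trust key validity as seen from one user's keyring.
# Names, signatures and thresholds are constructed for this example.
FULL, MARGINAL, NONE = "full", "marginal", "none"
COMPLETES_NEEDED = 1   # assumed: one fully trusted introducer is enough
MARGINALS_NEEDED = 2   # assumed: or two marginally trusted introducers

def valid_keys(me, signatures, introducer_trust):
    """Return the set of owners whose keys `me` accepts as valid.

    signatures: set of (signer, subject) pairs, "signer certified subject's key".
    introducer_trust: how far `me` trusts each owner to certify other keys.
    """
    valid = {me}                      # my own key needs no introducer
    changed = True
    while changed:                    # repeat until no new key becomes valid
        changed = False
        for subject in {s for _, s in signatures} - valid:
            # A signature only counts if the signing key is itself valid.
            signers = [a for a, s in signatures if s == subject and a in valid]
            full = sum(1 for a in signers
                       if a == me or introducer_trust.get(a) == FULL)
            marginal = sum(1 for a in signers
                           if introducer_trust.get(a) == MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(subject)
                changed = True
    return valid

# Constructed keyring: who has signed whose key.
SIGNATURES = {
    ("me", "alice"),                      # I checked Alice's key myself
    ("alice", "bob"),                     # Alice hands me Bob's key
    ("bob", "carol"),                     # Bob hands me Carol's key
    ("me", "dave"), ("me", "frank"),      # two acquaintances I verified
    ("dave", "erin"), ("frank", "erin"),  # both vouch for Erin
    ("dave", "gina"),                     # only Dave vouches for Gina
}
# Validity and introducer trust are separate: Bob's key is valid,
# but I have not decided to trust the keys Bob gives me.
TRUST = {"alice": FULL, "bob": NONE, "dave": MARGINAL, "frank": MARGINAL}

if __name__ == "__main__":
    print(sorted(valid_keys("me", SIGNATURES, TRUST)))
```

Carol's and Gina's keys stay outside the valid set: the extent of the web is decided by the trust table, not by who happens to have signed a key.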
The web of trust model is severely limited, however, in that it is not scalable to very large systems (such as the Internet with a user base in excess of 100 million users) nor are the keys authenticated. Even PGP public keyservers only supply a public repository of PGP keys as reported by the submitter of the key.
Certificates are the preferred way today to build a scalable network to allow two relative strangers to securely, privately communicate with confidence. Certificates, issued by a certification authority (CA), bind an identity and public key to a user. The CA signs the certificate with its private key to ensure its authenticity. Since any organization such as a business, university, or hospital can issue certificates and become a CA, CAs' certificates themselves may be signed by well-known, trusted root CAs, such as those operated by Entrust and VeriSign. It is this certificate chain that forms a highly scalable hierarchy of trust.
Ironically, one new feature has already stirred up controversy precisely because trust can be circumvented! PGP 6.5.1 allows users to encrypt files and folders into a self-decrypting archive that can be used by others even if they don't have PGP (much the same way you can create a self-extracting archive with ZIP). While this sounds like a nifty idea, it means that a user may execute a program on their system, sent as an SDA attached to an e-mail, merely because they "trust" the sender (shades of Melissa and Worm.ExploreZip, eh?). It has also already been suggested that, at least for Internet applications, SDAs are prone to attack and can be tampered with in transit. This, then, might be one feature to use carefully.
PGP has long been the market leader in personal cryptography protection. And without sacrificing support for the individual, it has clearly grown up to be enterprise-ready.