author: Lars Wirzenius <liw@liw.fi> 2021-11-25 12:11:06 +0000
committer: Lars Wirzenius <liw@liw.fi> 2021-11-25 12:11:06 +0000
commit: d24a8f92f808fb82a6d488bf210e8f0397a37d20 (patch)
tree: 36055c22d636458ac2405e4dfeed290017c77e45
parent: fba3891165664dacbd9a4b9e5a971d776cbaeec9 (diff)
parent: 30dfdd6e44b08194d28eb44a457a21fcf64bd66c (diff)
download: sq-user-guide-d24a8f92f808fb82a6d488bf210e8f0397a37d20.tar.gz
Merge branch 'neal/rework-intro-cryptography' into 'main'

Rework the introduction to cryptography chapter.

Closes #15

See merge request sequoia-pgp/sq-user-guide!7
-rw-r--r--  sq-guide.md | 313
1 file changed, 222 insertions(+), 91 deletions(-)
diff --git a/sq-guide.md b/sq-guide.md
index d8d2ad4..9f4469b 100644
--- a/sq-guide.md
+++ b/sq-guide.md
@@ -255,37 +255,212 @@ $ cargo install --path=sequoia/sq
[README.md]: https://gitlab.com/sequoia-pgp/sequoia/-/blob/main/README.md
-# On public key cryptography {#public-key-cryptography}
-
-The science of keeping private communications private, verifying the
-source of messages, and verifying that messages haven't been modified
-in transit, is called _cryptography_. It is not just for spies.
-Cryptography allows everyday activities such as shopping and banking
-to happen without rampant theft. It also allows journalists working on
-stories about the rich, powerful, or corrupt to communicate with their
-sources without fear of prematurely revealing what they're doing.
-
-Cryptography uses mathematics to turn messages and a key into an opaque form and
-back. The opaque form, also known as _ciphertext_,
-is impossible for anyone to understand without the use of the key. As
-long as the secret key remains secret, the content of the communication is
-kept secure.
-
-A key is a very large random number used for encryption and digital
-signatures. In public key cryptography a key consists of a private and
-a public part. In `sq`, the private part is just called the _key_, and
-you keep it secret. The public part is called a _certificate_ and
-you're meant to share it with anyone you want to communicate with.
-
-The private and public parts (the key and the certificate) are tied together
-with mathematics in such a way that they have a very useful feature:
-if you encrypt something using the public part, the result can only be
-decrypted with the private part. And also vice versa: if you encrypt
-something using the private part, only the public part can decrypt
-this. Since anyone can decrypt, this operation is called a _digital
-signature_. (This is a very rough simplification.)
-
-This allows some very interesting things:
+# On cryptography {#cryptography}
+
+The science of keeping private communication private
+(confidentiality), verifying that a message hasn't been modified
+(integrity), and determining who created a message (authentication) is
+called _cryptography_.
+
+Cryptography is not just for spies. Cryptography allows everyday
+activities such as shopping and banking to happen without rampant
+theft. It also allows journalists working on stories about the rich,
+powerful, or corrupt to communicate with their sources with less fear
+of prematurely revealing what they're doing.
+
+Just as having a seat belt in a car won't help you if you don't use
+it, or may even hurt you if you use it wrong, you need to understand a
+few concepts to effectively use cryptography. This chapter presents
+the essential ideas that you need to understand to not just be safe,
+but to avoid endangering yourself or others.
+
+If you are concerned about a targeted attack on you or people you
+communicate with, then this chapter is not enough. You also need
+training in operational security from a digital security trainer.
+[Freedom of the Press Foundation][] is one organization that offers
+training material, and courses.
+
+ [Freedom of the Press Foundation]: https://freedom.press/training/
+
+## Public key cryptography
+
+OpenPGP uses public key cryptography. To use public key cryptography,
+you need two things: a _public key_ and a _private key_.
+
+A public key and a private key form a pair. They work together as
+follows. Say Alice wants to send a confidential message to Bob. She
+encrypts the message using Bob's public key, sends him the encrypted
+message, and Bob decrypts it using his private key:
+
+```text
+ Alice | Internet | Bob
+ | |
+ Encrypt Message | | Decrypt Message
+ with Bob's ---> Encrypted Message ---> with Bob's
+ Public Key | | Private Key
+```
+
+How Alice sends the message to Bob doesn't matter. Someone who
+intercepts the message can't decrypt it unless they have Bob's private
+key. And, even though Alice encrypted the message using Bob's public
+key, Bob's public key can't be used to help decrypt the message. A
+public key is a one-way street.
+
+The term public key includes the word public, because for it to be
+useful, it needs to be widely published: Alice needs Bob's public key
+to encrypt a message to him.
+
+Likewise, the private key includes the word private, because it should
+be hidden. If someone else had Bob's private key, they could decrypt
+the message that Alice sent him.
+
+In short: you want people to have access to your public key; it should
+be public. Your private key, however, is private; like a secret, you
+shouldn't share your private key with anyone.
+
+Digital signatures work in a similar manner. Alice creates a digital
+signature using her private key (because no one else should be able to
+sign a document in her name!). And, to verify a signature, Bob uses
+her public key, because anyone should be able to verify the signature.
+
+In OpenPGP, your public key is just one part of a thing called a
+_certificate_. A certificate is a collection of public keys (you need
+a different one for encryption and signing), some information about
+you, like your name or alias, and your email address, and information
+about what features your software supports. A certificate doesn't
+include your private keys. You can and should share your certificate
+with people you want to communicate with.
+
+In OpenPGP, private keys are stored in a _key_. A certificate never
+includes private keys; a key does include private keys. You should
+share your certificate with other people; you should never share your
+key with other people.
+
+
+```text
+ Do Share Keep Private
+
+ OpenPGP OpenPGP
+ Certificate Key
+ +------------+ +-------------+-----------+
+ | Public | | Public | Private |
+ | Key | | Key | Key |
+ | | | | |
+ | Public | | Public | Private |
+ | Key | | Key | Key |
+ | | | +-----------+
+ | User ID | | User ID |
+ | | | |
+ | Preference | | Preferences |
+ +------------+ +-------------+
+```
+
+## Password-based encryption
+
+There is another type of encryption, which uses passwords. This is
+called symmetric encryption, because you use the same key to encrypt
+and decrypt a message.
+
+OpenPGP also supports password-based encryption. Oftentimes, your key
+will be protected with a password so you'll need to enter your
+password before you can decrypt or sign a message. But, you can also
+use a password to encrypt a message. Unlike a certificate, if you
+publish a password, then everyone can decrypt your message. This
+means passwords are a lot more inconvenient than public keys. Unlike
+public keys, you can't share them willy-nilly, and you definitely
+can't publish them in a directory like a telephone book. Passwords
+have to stay secret to be useful.
+
+## Authentication
+
+Encryption and signing are two of the three essential functions that
+you need to communicate privately. The last is called authentication.
+It helps answer the following questions: When Alice sends a message to
+Bob, does she have the right certificate? And, when Bob receives a
+message from Alice, can he be sure it really came from her?
+
+Authentication helps prevent two different problems. The first is
+impersonation. If Alice and Bob communicate regularly, and Bob gets a
+message that purports to be from Alice, but is written in a different
+style, then he may become worried that it is not really from Alice.
+But, if Bob doesn't recognize these social cues, then he might be
+tricked. This is how phishing works. Today, people are taught to
+recognize impersonation. This requires schooling, and vigilance.
+Authentication addresses this problem in a different, more reliable
+way: if Bob can authenticate Alice's key, and a message is signed
+using Alice's key, then Bob can be confident that the message really
+came from Alice.
+
+```
+ | |
+ Mallory ---> Message from "Alice" ---> Bob
+ | |
+```
+
+The second problem, interception, is more subtle and can't be solved
+using social cues. If Mallory wants to read what Alice and Bob send
+to each other, then he can try to eavesdrop on their communication
+channel.
+
+Encryption is a prerequisite, but it is not sufficient to prevent
+Mallory from intercepting the messages. Imagine that Alice and Bob
+send each other their certificates via email. If Mallory is able to
+intercept these initial, unencrypted messages, then he can replace the
+certificates with his own. Now, Alice and Bob will have the wrong
+certificates, and when Alice sends Bob a message, she'll encrypt it
+using Mallory's certificate. When Mallory intercepts the message, he
+can decrypt it, since actually Alice encrypted it to him. And, he can
+even fool Bob by reencrypting it using Bob's real certificate, and
+forwarding that version to Bob. Bob will be able to decrypt the
+message as usual and won't suspect a thing!
+
+```
+ | |
+ Alice ---> Message ---> Mallory ---> Message ---> Bob
+ | |
+```
+
+The only practical way to prevent this type of attack is to
+authenticate certificates.
+
+Authentication can be done directly. For instance, when Alice and Bob
+meet in person, Alice and Bob can exchange business cards with their
+certificates' ID numbers (in OpenPGP, ID numbers are called
+_fingerprints_). When Bob gets home, he can add what the correct
+certificate for is Alice to his address book. And, Alice can do the
+same for Bob. Alice and Bob will now use the right certificate, and
+will detect an interception attack. This is effective, because it's
+much harder for Mallory to switch the fingerprints at a physical
+meeting than to intercept and modify an email.
+
+Another approach is for Alice and Bob to use a trusted third party,
+which is sometimes called a _certification authority_ (_CA_). For
+instance, if Alice and Bob work at the same company, their IT
+administrator could record everybody's fingerprint, and publish
+appropriate certifications in a publicly available directory. Now,
+Alice just needs to authenticate the IT administrator; she doesn't
+have to worry about authenticating her coworkers' certificates. A
+convenient way to run a CA like this is to use [OpenPGP CA][].
+
+ [OpenPGP CA]: https://openpgp-ca.org
+
+Interception attacks are a real concern. The Government
+Communications Headquarters (GCHQ), Britain's intelligence and
+security organization, has proposed [Ghost], an authentication-layer
+backdoor that they want secure messengers to implement. Their
+argument is that subverting authentication allows secure messengers to
+help governments without actually violating their claim that
+communication is end-to-end encrypted. While technically true, this
+is the moral equivalent of building a backdoor into the encryption,
+and is, in effect, a new attempt at the failed [Crypto Wars] of the
+1990s.
+
+ [Ghost]: https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate
+ [Crypto Wars]: https://en.wikipedia.org/wiki/Crypto_Wars
+
+## Advantages of public key cryptography
+
+Using public key cryptography allows some very interesting things:
* I can publish my certificate, and anyone can send me a confidential
message by encrypting it using my certificate, and be assured that
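Review bot: the sentence "When Bob gets home, he can add what the correct certificate for is Alice to his address book" in the new Authentication section has its words out of order; suggest "he can record which certificate is the correct one for Alice in his address book". Two smaller points in the same hunk: the two ASCII diagrams in the Authentication section (the "Message from 'Alice'" impersonation figure and the Alice/Mallory/Bob interception figure) open with a bare ``` fence while every other diagram in the chapter uses ```text, so tag them the same way for consistent rendering; and the Password-based encryption section says password-based encryption "is called symmetric encryption", whereas symmetric encryption is the general case of one shared key and a password is only one way of obtaining that key (OpenPGP derives the session key from the password), so a phrasing like "symmetric encryption, where the same key encrypts and decrypts; in password-based encryption that key is derived from a password" would be more accurate.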
@@ -296,86 +471,39 @@ This allows some very interesting things:
communications with their sources. Corporations don't need to worry
their trade secrets leak to competitors.
-* I can send them a reply, encrypting it with my private key, and they
- can be sure it's from me, because they can decrypt it using my
+* I can send them a reply, sign it with my private key, and the recipient
+ can be sure it's from me, because they can check the signature using my
public certificate.
Examples: The CFO can't be fooled by forged emails from the CEO
telling them to pay a fraudulent invoice. Activists can't be fooled
- by messages from the secret police to go the town square at noon
+ by messages from the secret police to go to the town square at noon
wearing a pink rose. Journalists can be sure the message is from
- their source and not someone who's trying to mess with reporting.
+ their source and not someone who's trying to interfere with their reporting.
* These can be combined: If I have their certificate, I can be sure
- that the message they send me is really from them, and that only
+ that the message someone send me is really from them, and that only
they can read my response.
-* I can publish a software release, and encrypt the file using my
+* I can publish a software release, and sign the file using my
private key. Anyone downloading the release can be sure they get
- what I published by decrypting it with my certificate.
+ what I published by checking the signature with my certificate.
The mathematical and cryptographic details of how this works are
outside the scope of this guide, but see the [references](#references)
for links to explanations.
-## Symmetric cryptography
-
-The complement to public key cryptography is _secret key
-cryptography_, which is also known as _symmetric cryptography_.
-(Public key cryptography is also known as _asymmetric cryptography_.)
-In symmetric cryptography there is no public and private parts of an
-encryption key. There is only one part, and the same key is used both
-for encrypting and for decrypting data. This is in many ways easier to
-understand, but is usually more awkward to use.
-
-Symmetric cryptography is best suited when only one person needs to
-know the key, or when everyone who needs the key can get it in person.
-The key in symmetric cryptography is also known as a _shared secret_.
-This has several problems:
-
-* when it comes to people, keeping secrets is difficult, and shared
- secrets especially so
-* all parties need to meet someone in the inner circle, unless they
- already have a secure communication channel
-* it's hard to remove someone from the inner circle: you need a new
- secret and you need to share it with everyone, except the unwanted
- person
-
-Public key cryptography makes key management easier: everyone only has
-their own secret to take care of, and new messages can be encrypted to
-everyone except an unwanted person. Also, secure communication is
-possible between parties previously unknown to each other.
-
-
-aspect symmetric public key
-------- ---------- -----------
-speed fast slow
-key size short long
-key management hard easy
-
-Table: comparison of types of cryptography
-
-The benefit is that symmetric cryptography tends to run faster and
-have shorter keys compared to public key cryptography, for similar
-levels of resistance against attacks.
-
-OpenPGP actually uses both symmetric and public key cryptography: one
-for the bulk of encryption, for speed, and the other for easier key
-management. The user does not actually need to care, but understanding
-is always good.
-
-
## Limitations of cryptography
When thinking about cryptography it's important to remember that
it has limitations. For example, no cryptography can prevent the
intended recipient from willfully sharing an encrypted message they
-receive. If you send a photo of your safe combination to someone,
+receive. If you send a photo of your safe combination to someone
encrypted with their certificate, they can decrypt it, and share the
picture with the highest bidder.
Also, no cryptography provides any protection if keys aren't kept
-private. If I accidentally publish my encryption key as a front page
+private. If I accidentally publish my key as a front page
advert on the New York Times, cryptography can't prevent others from
using that to decrypt messages intended for me, or publishing messages
that claim to be from me.
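Review bot: deleting the Symmetric cryptography section also drops the statement that OpenPGP uses both symmetric and public key cryptography (symmetric for the bulk of the encryption, public key for easier key management), and nothing in the new Password-based encryption section restores it; suggest carrying that one sentence over, since it is what explains to the reader why a password and a certificate can both unlock the same message. Also, in the combined bullet, "the message someone send me is really from them" should read "the message someone sends me is really from them".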
@@ -395,9 +523,12 @@ alternatives.
For most people, these are quite unlikely scenarios. Most people do
not actually have enemies who are a threat specifically to them. If
you do, or you suspect you do, be very careful what you do and what
-advice you follow. This guide is not likely to be all you need to
-know.
+advice you follow. You need to seek advice beyond this guide. In
+particular, you need training in operational security. A digital
+security trainer can help you. [Freedom of the Press Foundation][] is
+one organization that offers training material, and courses.
+ [Freedom of the Press Foundation]: https://freedom.press/training/
# General principles of the `sq` interface
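Review bot: this hunk adds a second `[Freedom of the Press Foundation]: https://freedom.press/training/` reference definition, while the reworked cryptography chapter earlier in this patch already defines the same label; Markdown processors such as Pandoc warn about duplicate reference definitions and use only the first, and reference links resolve document-wide, so drop the definition here (the `[Freedom of the Press Foundation][]` link in this paragraph will still resolve). Minor: "be very careful what you do and what advice you follow. You need to seek advice beyond this guide." repeats "advice" in consecutive sentences; "You need to seek help beyond this guide" reads better.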
@@ -641,8 +772,8 @@ key, subkeys inherit them from their primary.
## Why use signatures?
Digital signatures are used to show who sent a message and that it
-hasn't been changed. See the chapter on [public key
-cryptography](#public-key-cryptography) for a longer discussion.
+hasn't been changed. See the chapter on [cryptography](#cryptography)
+for a longer discussion.
It's important to note that signatures are good not just for messages,
but for any kind of data, including files and cryptographic keys.
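Review bot: the chapter anchor was renamed from `#public-key-cryptography` to `#cryptography` in the first hunk, and this hunk updates the one cross-reference visible here; confirm with a search over sq-guide.md that no other `](#public-key-cryptography)` links remain, because a stale anchor does not fail the build and only shows up as a dead link in the rendered guide.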