From 70cf9e8369ecc9762d0dacc1f2d879119cab7c09 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Wed, 26 Jan 2022 18:26:32 +0200 Subject: docs: expand on the motivation for subkeys --- sq-guide.md | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 112 insertions(+), 22 deletions(-) diff --git a/sq-guide.md b/sq-guide.md index ffe68e9..fc8b2ed 100644 --- a/sq-guide.md +++ b/sq-guide.md @@ -668,32 +668,122 @@ security, and without losing access to older files and messages. ## Why use subkeys? -Even someone having only one cryptographic key may benefit from having -other keys for specific purposes. For example, they might have a very -strong primary key as their primary key, and additional, auxiliary -keys for encryption or digital signatures. Such auxiliary keys can be -tied to the primary key using _certifications_, which we'll cover in -more detail later. For now, a certification uses the primary key to -declare that the auxiliary key can be used instead of the primary key -for a specific purpose. The auxiliary key then becomes a _subkey_, -and other users of OpenPGP will use it automatically, if they have -your certificate. This setup has several benefits: - -* you can have separate subkeys for encryption, signing, or - authentication -* it's harder to leak or misuse the primary key, as it's only used - rarely -* you can use a smaller key when less security is OK in exchange for - faster use -* you can have a separate subkey for each device you have, or put - them on a hardware security token -* you can replace the subkeys easily: others trust your certificate, - and will happily use any subkey they can verify using your - certificate +To understand why subkeys are useful, it is good to understand some of +the ways in which the security provided by cryptography can be attacked. + +An attacker can break the security that cryptography provides by +various means. It's good to understand these, even if they're not +directly relevant to most people's use of cryptography. The attacks +can be broken down to at least the following classes (alas, it's not +an exhaustive list): + +* attacks on the mathematics underlying the cryptography + - this is the worst kind of attack, but it's also the most rare: + it seems to happen on the order of about once per decade + - the mathematics usually relies on "puzzles" where it's easy show + that a solution is correct, but hard to come up with a solution + without trying every possible solution + - if an attacker finds a way to bypass the puzzle, or to find an + easy way to solve a puzzle, they may weaken the protection + cryptography provides sufficiently that the defenders had best + change to something new + - defense: regularly review the strength of cryptographic + algorithms, and upgrade to newer ones in the OpenPGP standard and + its implementations +* attacks on the implementation of the cryptography + - this is more common: they happen on the order of once per year + - an implementation might be faulty so that the keys it generates + are weak: for example, if a random number generator is used badly, + it might be possible to guess the keys, because the number of + possible keys is greatly reduced + - defense: use a recent version of the software, upgrade when + serious bugs are fixed +* attacks on the keys being used + - we, the authors of this guide, don't know how common this is + - for example, if the keys are short, it may become possible for + attackers to try every possible key + - if an attacker can steal a private key, and break the passphrase + protecting it, they can just use it as if they were the legitimate + holder of the key + - we can assume that the more a key is used, the more ciphertext + material the attackers have to analyze, the easier it is for them + to break a specific key + - defense: use task specific keys and replace them with new ones + from time to time +* attacks on passwords or passphrases + - passwords leak from large services frequently, order of weekly + - from experience, we know that people in general use weak passwords + to protect logins to computers and services, and there is no + reason to think that's not true about encryption keys + - we also know people in general use the same or same few passwords + in many situations, which means that when (not if) passwords leak, + attackers can try all leaked passwords, and have a reasonable + chance of finding some that are used + - defense: strong passphrases, or (better) use hardware tokens +* attacks on the way the software being used + - we, the authors of this guide, don't know how common this is, + except that spousal abuse happens daily, and that now includes + spouses installing spyware on devices + - if an attacker can convince you to install a modified version of + the cryptographic software you use, or change its configuration, + you might end up encrypting everything to the attacker's key as + well as to any the keys you intended to use + - likewise, an attacker may be able to install or configure your + device themselves, which makes this kind of attack even easier for + them + - defense: there seems to be no good way to guard against a targeted + attack by a motivated attacker with sufficient resources +* attacks on the person using cryptography + - we, the authors of this guide, don't know how common this is, + except that spousal abuse happens daily + - in some countries, law enforcement or border agents can legally + force you to disclose the password your private key is protected + with, if they can find no reason to accuse you of a crime + - gangsters, spies, and abusive spouses can use, or threaten to use, + violence to force you to reveal your passphrase + - defense: there's no good way to guard against a targeted attack by + a motivated attacker with sufficient resources + +OpenPGP supports _subkeys_. These are auxiliary keys, tied to a +primary key using _certifications_, which we'll cover in more detail +later. For now, a certification uses the primary key to declare that +the auxiliary key can be used instead of the primary key for a +specific purpose. The auxiliary key then becomes a _subkey_, and other +users of OpenPGP will use it automatically, if they have your +certificate. All of this is managed pretty much automatically using OpenPGP software. +Subkeys allow you to, for example, have different keys for different +purposes. You can also have different subkeys for different devices. + +* on your laptop + - a key to sign email sent from that laptop + - a key to decrypt email sent to you + - a key to sign changes in version control + - a key for logging into servers via SSH + - a key for logging into web sites +* on your phone + - a key to sign email sent from the phone + - a key to decrypt email sent to you + +All of these would be separate, distinct subkey. If senders encrypt +messages meant for you using every encryption subkey you have, you can +read encrypted messages on both your phone and your laptop. +(Unfortunately, some OpenPGP implementations do not encrypt to all +subkeys currently. This is hopefully a temporary problem, and only +affects encryption of messages for you.) + +You would store the main key in a secure way, such as on an encrypted +USB drive, using it only to certify new subkeys. At other times, you +would store the USB drive in a safe, physically secure place. + +If your phone is stolen, you only need to revoke that subkey. + +When you want to have new subkeys, you can just create them, and when +others get your updated certificate, they'll start using them +automatically. ## Why would keys expire automatically? -- cgit v1.2.1