The Help Desk

Shareware

Medical Packages

Digest Index

Computing Columns

Lecture Notes

Clinical Computing

Computers & Business

The Help Desk

Ask Dr Dave

General Practice Computing

Communications

Torn Money

Torn Money and the PGP Web of Trust

Introduction to PGP

This paper was presented at the Australian Unix Users Group conference in 1998 and led to a change in their procedure with regard to authenticating encryption keys. Perhaps these concepts would assist in GP's and Specialists getting authenticated keys published on a keyserver, through the assistance of a smaller group of trusted helpers, which might include visiting drug representatives, Xray imaging and Pathology service providers, practice management software support persons, Hardware suppliers, GP colleagues, IT trainers, RACGP Branch or GP Division staff etc,

Dr Hugh Nelson <hughnelson@helensvalesurgery.com.au> 27 May, 1999.

Jeanette McLeod, Greg Rose
QUALCOMM Australia
Suite 410, Birkenhead Point
Drummoyne,2047
NSW

Abstract

Legitimacy and trust are perhaps the most complicated aspects of PGP. The trust model used by PGP assumes that trust starts with bilateral arrangements (key signing) and grows organically to produce a decentralised "web" simply known as the "Web of Trust". Decentralisation is advantageous in that it foregoes the need for any central authority, yet the model as it stands does not scale well in a large open community. Torn Money has been designed as an authentication service primarily to facilitate the introduction of new users to the web of trust and also as a means of enhancing connectivity within the existing web.

Torn Money is a follow-up to the AUUGís PGP Key Signing Service, which in essence, seeks to maintain and support PGPís decentralised trust model.

Background

Pretty Good Privacy (or PGP) is a publicly, and internationally, available privacy program. Essentially, it uses public key cryptographic techniques to allow messages to be exchanged between people across public networks, while protecting the privacy of the contents and guaranteeing authenticity of the sender.

Traditionally, one of the problems with cryptographic systems was "key management". The key is the secret value that allows information to be encoded and/or decoded. Prior to the development of public key cryptography, the key had to be securely exchanged between parties before they could communicate. Public key systems are designed such that two separate keys are used, one of which can be made public (like a telephone number) while the other must be kept secure by the owner (like the telephone itself). In light of this development, it would appear that the problem of key management has been solved.

Unfortunately this is not the case. Key management is undeniably easier using public key systems, but the question now becomes one of authentication. How do you know, for sure, that the person you are sending a secret message to is really the person they claim to be? I could easily get a telephone connected in another name, and sit back waiting for phone calls intended for another person of that name.

One solution to the problem is to introduce the notion of "trusted parties", that is, people who you trust to introduce (and therefore authenticate) other parties to you. Using the telephone analogy, you would only say secret things on the phone if someone you trust had given you the telephone number, not if you had just looked it up in the phone book. This is what the PGP documentation refers to as the "Web of Trust". Its structure is likened to that of a web as each party involved, trusted by you, can introduce other parties whom you may or may not already know.

Another possible solution is the use of Certification Authorities, thereby enforcing a hierarchical structure on the Web of Trust. What this means is that any public key you acquire must now come with a list of certificates. For example, J. Smith's public key might come with a certificate from Widgets, Inc., stating that he works for them. In order to establish their authenticity, Widgets, Inc. would also require a certificate from someone asserting that they are a Delaware Corporation. To authenticate this, the state of Delaware would need a certificate to verify it was really what it claimed to be, and so on. Eventually the regression must stop, with a certificate being issued by some omnipresent authority (which, at the moment, is RSA Data Security Inc.).

Both schemes have flaws. The major problem with the Web of Trust is that it has to be big and well connected before it becomes useful, while the Certification Authority approach assumes the sort of control which is often the reason the parties wanted to communicate privately in the first place.

(The above is intended to be an absolutely minimal explanation of the concepts of public key cryptography and key management. If the concepts are not yet clear, the PGP documentation, which you should eventually read, explains it in more detail.)

Torn Money and the PGP Key Signing Service.

In an attempt to expand the Web of Trust, AUUG set up a PGP Key Signing Service in which it acted as an introducer for PGP keys. By virtue of the conferences it held, AUUG was in a position to physically meet with people, verify their identity and then issue key signatures attesting their identity. The high public profile of the organisation meant that key verification wasnít difficult, and as the procedures for the key signing were made public, it was easy to decide what level of trust to place in the authenticity of a key signed by AUUG. However, the service was beginning to introduce a hierarchy into the Web of Trust with AUUG inadvertently taking on the role of a Certification Authority. The implications of this brought the service to an end, as it was no longer conforming the PGP trust model. However, the service had one very innovative feature; it did not require people to have their key ready in advance.

Torn Money has been designed in the same vein as the Key Signing Service, with its main aim to facilitate PGP key signing. While this new service avoids the problems that the Key Signing Service was beginning to encounter, it manages to preserve the favourable features of the old service - namely, it still allows the verification of those who have not prepared their key in advance. The inspiration behind Torn Money comes from old spy films, where the possession of a significant half of a torn banknote established a person's identity. The beauty of such a concept is that it no longer requires an "authority" such as AUUG to oversee the key signing, the notion of the "torn" banknote means that any two parties can be involved and still effectively identify each other at a later date.

Introduction to Torn Money

PGP signing can occur whenever one interested party meets with another (conferences such as those hosted by AUUG or USENIX are a common forum for such an activity). People wishing to have their keys signed provide acceptable proof of identity together with their PGP fingerprint to the person or persons they wish to have sign their key. Their public key can then later be retrieved for signing from a key server or sent via email, with the supplied fingerprint providing verification of the key's authenticity. However, this kind of key signing is only meaningful if the interested parties already have PGP keys generated and their fingerprints with them. This is not always the case.

Torn Money side steps this issue by providing a way in which interested parties can successfully identify each other at a later date. Conceptually, this means that upon meeting, interested parties will establish their identities as before and then obtain a "secret". The possession of this secret is what enables secure future communication. With this in place, those who are unprepared now have the opportunity to create a PGP key at some later time and then communicate the required details to those parties from which they obtained their secret. By revealing the secret they were given, they are able to prove their identity, thus validating their key for signing.

While conceptually this scheme makes it viable for two unprepared parties to trade details, Torn Money's primary function is to introduce newcomers to the web of trust and enhance connectivity. It is therefore essential that one of the parties involved already belong to the web of trust so that their signature will act to initiate a newcomer. This person, call them an "expert user", will effectively become the "owner" of the torn money. It is their responsibility to generate and distribute the torn money, but they are in no way to be considered an "authority". To such effect, the newcomer is well advised to participate in the torn money scheme with as many expert users as they can.

What Exactly is Torn Money?

Torn Money borrows its form from that of a banknote. It is simply a piece of paper containing pairs of related secrets (which function something like a banknote's serial number). Upon generating a piece of torn money, the expert user will be required to enter their name, email address, PGP Key ID and fingerprint, and the number of new comers they wish to sign keys for. This information is required to facilitate future communication between the owner of the torn money and the recipients.

The generated piece of torn money will contain the owner's name and PGP fingerprint at the top, as well as a sentence comprising eight, four letter words - their secret. Next there is a blank table of n rows, where n is the number of newcomer keys the owner elected to sign. This is left blank so that the expert user can note down the name, email address and identification information (optional) of anyone wishing to participate. Lastly, the remainder of the document is divided into n sections, designed to be "torn" off by the owner and distributed among the participants. Each section contains the name of the expert user, their email address, PGP key ID and fingerprint, the web address of the Torn Money web site, and eight, four letter words - the participant's secret. (See Appendix 1 for a sample of Torn Money).

After verifying a newcomer's identify, the expert user notes down their details in a row in the table and gives them the tear-off section corresponding to their row number. This piece of Torn Money should be kept safe as it is now the only existing link between the expert user's identification information and the new user. For security reasons it is also vital that no one else has access to the Torn Money as it contains the new user's secret.

Once the newcomer has generated their own PGP key, they should send email to the expert user(s) for which they have Torn Money. To be secure, this email should be encrypted using the expert userís PGP key (obtained from either the expert user or a key server and verified with the fingerprint on the newcomers half of the torn money), and signed using the newcomer's PGP key in order to prove ownership. The content of this mail should comprise the new user's PGP public key itself and the secret eight, four-letter words from the Torn Money.

Upon receiving this message, the expert user must verify the secret they have been sent before signing the new key. The new user's secret is derived from a combination of the expert user's secret, their row number in the table on the expert's half of the Torn Money, and the expert user's name. Thus the expert user must provide these details exactly to the Torn Money verification program, in order to authenticate the contents of the email message. Once this has been achieved, the expert user can sign the new user's key and return it.

Note: The use of Torn Money is in no way restricted to newcomer/expert user pairs. As our overall objective is to increase connectivity within the web of trust, established users of PGP who may arrive at a gathering ill equipped for key signing are also encouraged to use Torn Money.

Torn Money Generation and Verification

Torn Money can be generated in two ways: either by using the web interface at the USENIX web site, or by downloading the source for it and generating it on your own computer. The same option applies to the verification part of the procedure - a web interface is available, and the source for it comes as part of the download for the Torn Money program.

User Support

Once the Torn Money project is complete, full documentation and procedures for use will be made available from the USENIX web site. At this point in time we envision the users of Torn Money to comprise three distinct groups: new users of PGP seeking connection to the Web of Trust, expert users willing to certify new users, and people wishing to advertise gatherings (e.g. Conferences, Seminars, etc) where PGP key signing or exchange of Torn Money can occur. As such, a series of pages will be dedicated to each group.

Newcomers Instruction Page:

In support of new users of PGP and Torn Money, a series of help pages will be made available and the web address included on their piece of Torn Money. These pages will include information on PGP and trust, the function of Torn Money and its usage, links to key servers, and the details of any gatherings at which the exchange of Torn Money can occur.

Expert Users Instruction and Generation Page:

A set of pages will also be aimed at established users of PGP who wish to generate their own pieces of Torn Money. These pages will include information on the function of Torn Money and its usage as applicable to an expert user, as well as details on how to generate Torn Money and how to verify responses from recipients. The date and location of any gatherings at which the exchange of Torn Money can occur will be made available, and expert users intending to engage in key signing (and specifically, the distribution of Torn Money) will be given the option to register their attendance at specific functions.

Organisers Page:

As part of the Torn Money key signing service, support will be given to functions and gatherings at which key signing can occur. This support will be provided through a series of pages on the USENIX web site which will allow organisers to register their functions as forums for PGP key signing and the distribution of Torn Money. The time, date and location of the function will be made publicly available so that expert users may indicate their attendance and hence their willingness to certify new users, and newcomers seeking an introduction to the Web of Trust may see when they next have the opportunity to be certified.

All feedback, questions and concerns regarding Torn Money can be directed to Greg Rose and/or Jeanette McLeod. Over time appropriate FAQís will be compiled and posted to the web site and Torn Money will be revised to better meet user needs.

Concluding Remarks

Successful world wide use of PGP depends on a wide-spread, well connected Web of Trust. Torn Money has been designed with this goal in mind. The project is due for completion sometime in October, and the web pages discussed in this document will be made available from the USENIX web site http://www.usenix.org. In the mean time any feedback on the project is most welcome, and Torn Money is available for trial usage on request.

Appendix 1