pretty Easy privacy (pEp): Contact and Channel Authentication through Handshake
pEp Foundation
Oberer Graben 4
CH-8400 Winterthur
Switzerland
hernani.marques@pep.foundation
https://pep.foundation/
Ucom Standards Track Solutions GmbH
CH-8046 Zuerich
Switzerland
+41 44 500 52 44
bernie@ietf.hoeneisen.ch (bernhard.hoeneisen AT ucom.ch)
https://ucom.ch/
In interpersonal messaging end-to-end encryption means for public key
distribution and verification of its authenticity are needed; the latter
to prevent man-in-the-middle (MITM) attacks.
This document proposes a new method to easily verify a public key is
authentic by a Handshake process that allows users to easily
verify their communication channel. The new method is targeted to
Opportunistic Security scenarios and is already implemented in several
applications of pretty Easy privacy (pEp).
In interpersonal messaging end-to-end encryption means for public key
distribution and verification of its authenticity are needed.
Examples for key distribution include:
Exchange keys out-of-band before encrypted communication
Use of centralized public key stores (e.g., OpenPGP Key Servers)
Ship the public key in-band when communicating
To prevent man-in-the-middle (MITM) attacks, additionally the
authenticity of a public key needs to be verified. Methods to
authenticate public keys of peers include, e.g., verify digital
signatures of public keys (which may be signed in an hierarchical or
flat manner, e.g., by a Web of Trust (WoT)), compare the public key’s
fingerprints via a suitable independent channel, or scan a QR mapping
of the fingerprint (cf. ).
This document proposes a new method to verify the authenticity of
public keys by a Handshake process that allows users to easily verify
their communication channel. Fingerprints of the involved peers are
combined and mapped to (common) Trustwords
. The successful manual comparison of the
these Trustwords is used to consider the communication channel as
trusted.
The proposed method is already implemented and used in applications of
pretty Easy privacy (pEp) . This document is targeted
to applications based on the pEp framework and Opportunistic Security
. However, it may be also used in other applications as
suitable.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”,
“SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this
document are to be interpreted as described in .
Handshake: The process when Alice – e.g. in-person or via phone –
contacts Bob to verify Trustwords (or by fallback: fingerprints) is
called Handshake. In more detail, this is described in this draft.
Trustwords: A scalar-to-word representation of 16-bit numbers (0 to
65535) to natural language words. When doing a Handshake, peers are
shown combined Trustwords of both public keys involved to ease the
comparison.
Trust on First Use (TOFU): cf.
Man-in-the-middle attack (MITM): cf.
To secure a communication channel, in public key cryptography the each
involved peer needs a key pair. Its public key needs to be shared to
other peers by some means. However, the key obtained by the receiver
may have been substituted or tampered with to allow for re-encryption
attacks. To prevent such man-in-the-middle (MITM) attacks, an
important step is to verify the authenticity of a public key obtained.
Such a verification process is useful in at least two scenarios:
Verify channels to peers, e.g., to make sure opportunistically
exchanged keys for end-to-end encryption are authentic.
Verify channels between own devices (in multi-device contexts),
e.g., for the purpose of importing and synchronizing keys among
different devices belonging to the same user
(cf. ). This scenario is comparable to
Bluetooth pairing before starting data transfers.
Current methods to authenticate public keys of peers include:
Digitally signed public keys are verified by a chain of trust. Two
trust models are common in today’s implementations.
Signing is carried out hierarchically, e.g. in a Public Key
Infrastructure (PKI) , in which case
the verification is based on a chain of trust with a Trust Anchor
(TA) at the root.
Signing of public keys is done in a flat manner (by a Web of Trust),
e.g., key signing in OpenPGP , where
users sign the public keys of other users. Verification may be
based on transitive trust.
Peers are expected to directly compare the public key’s fingerprints
by any suitable independent channel – e.g, by phone or with a
face-to-face meeting. This method is often used in OpenPGP
contexts.
The public keys’ fingerprints are mapped into a QR code, which is
expected to be scanned between the peers when they happen to meet
face-to-face. This method is e.g. used in the chat application
Threema .
The public keys’ fingerprints are mapped into numerical codes which
decimal digits only, which makes the strings the humans need to
compare longer and thus cumbersome. This method is e.g. used in the
chat application Signal .
Some of the methods can even be used in conjunction with Trustwords
or the PGP Word list .
None of the existing solutions meets all requirements set up by pEp
, e.g.:
Easy solution that can be handled easily by ordinary users
In case privacy and security contradict each other, privacy is
always preferred over security (e.g., the Web of Trust contradicts
privacy)
No central entities
Most of today’s systems lack easy ways for users to authenticate their
communication channel. Some methods leak private data (e.g., their
social graph) or depend on central entities. Thus, none of today’s
systems fulfills all of the pEp requirements (cf. above).
In pretty Easy privacy (pEp), the proposed approach for peers to
authenticate each other is to engage in the pEp Handshake.
In current pEp implementations (cf. ), the same kinds
of keys as in OpenPGP are used. Such keys include a fingerprint as
cryptographic hash over the public key. This fingerprint is normally
represented in a hexadecimal form, consisting of ten 4-digit
hexadecimal blocks, e.g.:
8E31 EF52 1D47 5183 3E9D EADC 0FFE E7A5 7E5B AD19
Each block may also be represented in decimal numbers from 0 to 65535
or in other numerical forms, e.g.
Hexadecimal: 8E31
Decimal: 36401
Binary: 1000111000110001
In the pEp Handshake the fingerprints of any two peers involved are
combined and displayed in form of Trustwords
for easy comparison by the involved
parties.
The default verification process involves three steps:
Combining fingerprints by XOR function
Any two peers’ fingerprints are combined bit-by-bit using the
Exclusive-OR (XOR) function resulting in the Combined Fingerprint
(CFP).
Mapping result to Trustwords:
The CFP is then mapped to 16-bit Trustwords (i.e., every 4-digit
hexadecimal block is mapped to a given Trustword) resulting in the
Trustword Mapping (TWM).
Verify Trustwords over independent channel
The resulting Trustwords (TWM) are compared and verified over an
independent channel, e.g., a phone line. If this step was
successful, the channel can be marked as authenticated.
The more an ordinary user needs to contribute to a process, the less
likely a user will carry out all steps carefully. In particular, it
was observed that a simple (manual) comparison of OpenPGP fingerprints
is rarely carried out to the full extent, i.e., mostly only parts of
the fingerprint are compared, if at all.
For usability reasons and to create incentive for people to actually
carry out Handshake (while maintaining an certain level of entropy),
pEp allows for different entropy levels, i.e.:
Full Trustword Mapping (F-TWM) [aka Full Trustwords] MUST represent
the maximum entropy achievable by the mapping. This means all
Trustwords of a TWM MUST be displayed and compared.
e.g. the fingerprint
F482 E952 2F48 618B 01BC 31DC 5428 D7FA ACDC 3F13
is mapped to:
dog house brother town fat bath school banana kite task
Partial Trustword Mapping (P-TWM) [aka Short Trustwords] requires
a number of Trustwords that MUST retain at least 64-bit of
entropy. This means while the first part of the TWM is displayed
and compared, the remaining Trustwords are omitted.
e.g. the fingerprint
F482 E952 2F48 618B 01BC [ 31DC 5428 D7FA ACDC 3F13 ]
is mapped to:
dog house brother town fat [ remaining Trustwords omitted ]
The pEp Handshake has three display modes for the verification
process. All of the following modes MUST be implemented:
P-TWM mode (default)
By default the P-TWM SHOULD be displayed to the user for comparison
and verification. An easy way to switch to F-TWM mode MUST be
implemented and an easy way to switch to fingerprint mode SHOULD be
implemented.
F-TWM mode
There are situations, where P-TWM is not sufficient
(e.g., communication parties that are more likely under attack), in
which the F-TWM MAY be displayed to the user by default. An easy
way to switch to P-TWM mode MUST be implemented and an easy way to
switch to fingerprint mode SHOULD be implemented.
Fingerprint mode (fallback)
To retain compatibility to existing OpenPGP users (that know
nothing about Trustwords), the fingerprint mode, a fallback to
compare the original fingerprints (usually in hexadecimal form) MAY
be used. Easy ways to switch to P-TWM and F-TWM modes SHOULD be
implemented.
If the verification process was successful, the user confirms it,
e.g. by setting a check mark. Once the user has confirmed it, the
trust level for this channel MUST be
updated accordingly.
A (global) adversary can pre-generate all Trustwords any two users
expect to compare and try to engage in MITM attacks which fit – it
MUST NOT be assumed public keys and thus fingerprints to be something
to stay secret, especially as in pEp public keys are aggressively
distributed to all peers. Also similar Trustwords can be generated,
which spelled on the phone might sound very similar.
This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in .
The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to
RFCs. Please note that the listing of any individual implementation
here does not imply endorsement by the IETF. Furthermore, no effort
has been spent to verify the information presented here that was
supplied by IETF contributors. This is not intended as, and must not
be construed to be, a catalog of available implementations or their
features. Readers are advised to note that other implementations may
exist.
According to , “[…] this will allow reviewers and
working groups to assign due consideration to documents that have the
benefit of running code, which may serve as evidence of valuable
experimentation and feedback that have made the implemented protocols
more mature. It is up to the individual working groups to use this
information as they see fit.”
In pEp for email contexts, Handshakes are already
implemented for the following platforms:
Android, in pEp for Android – release
Enigmail, in the Enigmail/pEp mode – release used for new Enigmail
users of version 2.0
iOS, in pEp for iOS – not yet released
Outlook, in pEp for Outlook – commercial release
In pEp for Outlook also keys from other devices can be imported by the
Handshake method.
Special thanks to Volker Birk and Leon Schumacher who developed the
original concept of the pEp Handshake.
This work was initially created by pEp Foundation, and then reviewed and
extended with funding by the Internet Society’s Beyond the Net Programme on
standardizing pEp.
IANA Registration of Trustword Lists: Guide, Template and IANA Considerations
This document specifies the IANA Registration Guidelines for Trustwords, describes corresponding registration procedures, and provides a guideline for creating Trustword list specifications. Trustwords are common words in a natural language (e.g., English) to which the hexadecimal strings are mapped to. This makes verification processes (e.g., comparison of fingerprints), more practical and less prone to misunderstandings.
Key words for use in RFCs to Indicate Requirement Levels
In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
Internet Security Glossary, Version 2
This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community.
Opportunistic Security: Some Protection Most of the Time
This document defines the concept "Opportunistic Security" in the context of communications protocols. Protocol designs based on Opportunistic Security use encryption even when authentication is not available, and use authentication when possible, thereby removing barriers to the widespread use of encryption on the Internet.
pretty Easy privacy (pEp): Privacy by Default
Building on already available security formats and message transports (like PGP/MIME for email), and with the intention to stay interoperable to systems widespreadly deployed, pretty Easy privacy (pEp) describes protocols to automatize operations (key management, key discovery, private key handling including peer-to-peer synchronization of private keys and other user data across devices) that have been seen to be barriers to deployment of end-to-end secure interpersonal messaging. pEp also relies on "Trustwords" (as a word mapping of of fingerprints) to verify communication peers and proposes a trust rating system to denote secure types of communications and signal the privacy level available on a per-user and per-message level. In this document, the general design choices and principles of pEp are outlined.
OpenPGP Message Format
This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws.OpenPGP software uses a combination of strong public-key and symmetric cryptography to provide security services for electronic communications and data storage. These services include confidentiality, key management, authentication, and digital signatures. This document specifies the message formats used in OpenPGP. [STANDARDS-TRACK]
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]
Improving Awareness of Running Code: The Implementation Status Section
This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice.
pretty Easy privacy (pEp): Secure and Trusted Email Communication
Early draft
pretty Easy privacy (pEp): Trust Rating System
Early draft
pretty Easy privacy (pEp): Key Synchronization Protocol
Early draft
Source code for pEp for Android
Source code for pEp for iOS
Source code for pEp for Outlook
Source code for Enigmail/pEp
Signal
Threema - Seriously secure messaging
PGP word list
Beyond the Net. 12 Innovative Projects Selected for Beyond the Net Funding. Implementing Privacy via Mass Encryption: Standardizing pretty Easy privacy’s protocols
[[ RFC Editor: This section should be empty and is to be removed
before publication ]]
Add description for further processes to change the trust level,
e.g., to remove trust or even mistrust a peer and alike.