<chapter id="wise" xreflabel="4">
&Gnupg; is a complex tool with technical, social, and legal issues
Technically, it has been designed to be used in situations having
drastically different security needs.
This complicates key management.
Socially, using &gnupg; is not strictly a personal decision.
To use &gnupg; effectively both parties communicating must use it.
Finally, as of 1999, laws regarding digital encryption, and in particular
whether or not using &gnupg; is legal, vary from country to country and
are currently being debated by many national governments.

This chapter addresses these issues.
It gives practical advice on how to use &gnupg; to meet your security needs.
It also suggests ways to promote the use of &gnupg; for secure
communication between yourself and your colleagues when your colleagues
are not currently using &gnupg;.
Finally, the legal status of &gnupg; is outlined given the current status
of encryption laws in the world.

Defining your security needs

&Gnupg; is a tool you use to protect your privacy.
Your privacy is protected if you can correspond with others without
eavesdroppers reading those messages.

How you should use &gnupg; depends on the determination and resourcefulness
of those who might want to read your encrypted messages.
An eavesdropper may be an unscrupulous system administrator casually
scanning your mail, it might be an industrial spy trying to collect
your company's secrets, or it might be a law enforcement agency trying
Using &gnupg; to protect against casual eavesdropping is going to be
different than using &gnupg; to protect against a determined adversary.
Your goal, ultimately, is to make it more expensive to recover the
unencrypted data than that data is worth.

Customizing your use of &gnupg; revolves around three issues:
<itemizedlist spacing="compact">
the key size of your public/private keypair,
protecting your private key, and
managing your web of trust.

A well-chosen key size protects you against brute-force attacks on
Protecting your private key prevents an attacker from simply using your
private key to decrypt encrypted messages and sign messages in your name.
Correctly managing your web of trust prevents attackers from masquerading
as people with whom you communicate.
Ultimately, addressing these issues with respect to your own security
needs is how you balance the extra work required to use &gnupg; with
the privacy it gives you.

Selecting a key size depends on the key.
In OpenPGP, a public/private keypair usually has multiple keys.
At the least it has a master signing key, and it probably has one or
more additional subkeys for encryption.
Using default key generation parameters with &gnupg;, the master
key will be a DSA key, and the subkeys will be ElGamal keys.

DSA allows a key size up to 1024 bits.
This is not especially good given today's factoring technology, but
that is what the standard specifies.
Without question, you should use 1024 bit DSA keys.

ElGamal keys, on the other hand, may be of any size.
Since &gnupg; is a hybrid public-key system, the public key is used
to encrypt a 128-bit session key, and the private key is used to
Key size nevertheless affects encryption and decryption speed
since the cost of these algorithms is exponential in the size of
Larger keys also take more time to generate and take more space
Ultimately, there are diminishing returns on the extra security
a large key provides you.
After all, if the key is large enough to resist a brute-force
attack, an eavesdropper will merely switch to some other method for
obtaining your plaintext data.
Examples of other methods include robbing your home or office
1024 bits is thus the recommended key size.
If you genuinely need a larger key size then you probably already
know this and should be consulting an expert in data security.

Protecting your private key

Protecting your private key is the most important job you have to
use &gnupg; correctly.
If someone obtains your private key, then all data encrypted to
the private key can be decrypted and signatures can be made in your name.
If you lose your private key, then you will no longer be able to
decrypt documents encrypted to you in the future or in the past,
and you will not be able to make signatures.
Losing sole possession of your private key is catastrophic.

Regardless of how you use &gnupg; you should store the public
key's <link linkend="revocation">revocation certificate</link>
and a backup of your private key on write-protected media in a safe place.
For example, you could burn them on a CD-ROM and store them in your
safe deposit box at the bank in a sealed envelope.
Alternatively, you could store them on a floppy and hide it in your
Whatever you do, they should be put on media that is safe to store
for as long as you expect to keep the key, and you should store
them more carefully than the copy of your private key you use daily.

To help safeguard your key, &Gnupg; does not store your raw
Instead it encrypts it using a symmetric encryption algorithm.
That is why you need a passphrase to access the key.
Thus there are two barriers an attacker must cross to access your private
key: (1) he must actually acquire the key, and (2) he must get past

Safely storing your private key is important, but there is a cost.
Ideally, you would keep the private key on a removable, write-protected disk
such as a floppy disk, and you would use it on a single-user machine
not connected to a network.
This may be inconvenient or impossible for you to do.
For example, you may not own your own machine and must use a computer
at work or school, or it may mean you have to physically disconnect
your computer from your cable modem every time you want to use &gnupg;

This does not mean you cannot or should not use &gnupg;.
It means only that you have decided that the data you are protecting is
important enough to encrypt but not so important as to take extra
steps to make the first barrier stronger.

A good passphrase is absolutely critical when using &gnupg;.
Any attacker who gains access to your private key must bypass the
encryption on the private key.
Instead of brute-force guessing the key, an attacker will almost
certainly try to guess the passphrase.

The motivation for trying passphrases is that most people choose
a passphrase that is easier to guess than a random 128-bit key.
If the passphrase is a word, it is much cheaper to try all the
words in the dictionaries of the world's languages.
Even if the word is permuted, &eg;, k3wldood, it is still easier
to try dictionary words with a catalog of permutations.
The same problem applies to quotations.
In general, passphrases based on natural-language utterances
are poor passphrases since there is little randomness and lots
of redundancy in natural language.
You should avoid natural language passphrases if you can.

A good passphrase is one that you can remember but is hard for
It should include characters from the whole range of printable characters
This includes uppercase alphabetic characters, numbers, and special
characters such as <literal>}</literal> and <literal>|</literal>.
Be creative and spend a little time considering your passphrase; a
good choice is important to ensure your privacy.
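
The check below is an added example, not part of this handbook or of &gnupg; itself: it tests whether a candidate passphrase collapses to a dictionary word once case changes and a catalog of substitutions are undone, and estimates how few guesses such a passphrase costs compared with a random 128-bit key. The word list, the substitution catalog and the one-million-word dictionary size are constructed sample values.

```python
import math
import string

# Constructed sample data: a stand-in word list and substitution catalog.
WORDLIST = {"kewldood", "password", "dragon", "sunshine"}
CATALOG = {"e": "3", "o": "0", "l": "1", "a": "4@", "s": "5$", "t": "7"}
REVERSE = {sub: plain for plain, subs in CATALOG.items() for sub in subs}
# Letters, digits, punctuation and the space character: 95 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "


def normalize(passphrase):
    """Undo case changes and the catalogued character substitutions."""
    return "".join(REVERSE.get(ch, ch) for ch in passphrase.lower())


def is_permuted_dictionary_word(passphrase, wordlist=WORDLIST):
    """True if the passphrase is a dictionary word in disguise."""
    return normalize(passphrase) in wordlist


def variants(word):
    """Count the spellings of `word` reachable through case and the catalog."""
    total = 1
    for ch in word:
        total *= 2 + len(CATALOG.get(ch, ""))  # lower, upper, substitutes
    return total


def dictionary_bits(dictionary_size, word):
    """log2 of the guesses that cover every variant of every word, assuming
    each word has about as many variants as `word` (an approximation)."""
    return math.log2(dictionary_size * variants(word))


def random_length_for(bits, alphabet_size=len(PRINTABLE)):
    """Random characters needed to match a key of `bits` bits."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print(is_permuted_dictionary_word("k3wldood"))           # disguised word
    print(round(dictionary_bits(1_000_000, "kewldood"), 1))  # assumed dictionary size
    print(random_length_for(128))
```

A permuted word from a large dictionary costs on the order of 2^30 guesses under these assumptions, while matching a 128-bit key takes 20 characters drawn uniformly at random from the printable set.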

Reacting to a compromised private key

Despite your precautions you may lose sole access to your private key.
For example, you may forget the passphrase, or someone who you think
can bypass the encryption gets access to it.
In that case you need to spread the word that your key is no
To do that you use the key revocation certificate you should have generated
when you created the key.
Importing it onto your public keyring will revoke the public key
of the keypair you no longer wish to use.
It is then up to you to distribute the revoked public key to all
those who may encrypt documents to you.

A revoked public key only prevents future use of the private key.
Others will neither be able to encrypt documents to the key nor will
they be able to check signatures made with the private key.
Documents signed in the past can still be checked, however, and
documents encrypted in the past can still be decrypted.

It is important that you protect the revocation certificate carefully.
Anybody can add the certificate to your public key and distribute it,
and there is no way to revoke a revocation certificate.
Therefore, you should store the revocation certificate in a safe
place such as with the backup of your private key.

Managing your web of trust

As with protecting your private key, managing your web of trust is
another aspect of using &gnupg; that requires balancing security against
If you are using &gnupg; to protect against casual eavesdropping and
forgeries then you can afford to be relatively trusting of other
On the other hand, if you are concerned that there may be a determined
attacker interested in invading your privacy, then
you should be much less trusting of other signatures and spend more time
personally verifying signatures.

Regardless of your own security needs, though, you should
<emphasis>always be careful</emphasis> when signing other keys.
It is selfish to sign a key with just enough confidence in the key's
validity to satisfy your own security needs.
Others, with more stringent security needs, may want to depend on
If they cannot depend on you then that weakens the web of trust
and makes it more difficult for all &gnupg; users to communicate.
Use the same care in signing keys that you would like others to use when
you depend on their signatures.

In practice, managing your web of trust reduces to assigning trust to
others and tuning the options
<link linkend="marginals-needed"><option>--marginals-needed</option></link>
<link linkend="completes-needed"><option>--completes-needed</option></link>.
Any key you personally sign will be considered valid, but except for small
groups, it will not be practical to personally sign the key of every person
with whom you communicate.
You will therefore have to assign trust to others.

It is probably wise to be accurate when assigning trust and then
use the options to tune how careful &gnupg; is with key validation.
As a concrete example, you may fully trust a few close friends that
you know are careful with key signing and then marginally
trust all others on your keyring.
From there, you may set <option>--completes-needed</option> to
<literal>1</literal> and <option>--marginals-needed</option> to
<literal>2</literal>.
If you are more concerned with security you might choose values of
<literal>1</literal> and <literal>3</literal> or <literal>2</literal>
and <literal>3</literal> respectively.
If you are less concerned with privacy attacks and just want some
reasonable confidence about validity, set the values to <literal>1</literal>
and <literal>1</literal>.
In general, higher numbers for these options imply that more people
would be needed to conspire against you in order to have a key validated
that does not actually belong to the person whom you think it does.
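
The validity rule described above, modelled as an added example (a simplification written for this page, not &gnupg;'s own implementation): a key counts as valid if you signed it, or if enough already-valid keys whose owners you trust have signed it. The keyring, the names and the helper `validated` are constructed for illustration.

```python
FULL, MARGINAL = "full", "marginal"


def valid_keys(me, signatures, ownertrust, completes_needed, marginals_needed):
    """Return the set of keys considered valid.

    signatures maps each key to the set of keys that signed it;
    ownertrust maps a key to the trust assigned to its owner.
    A signature only counts if the signing key is itself valid.
    """
    valid = {me}
    while True:
        newly_valid = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            counted = signers & valid
            full = sum(ownertrust.get(s) == FULL for s in counted)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in counted)
            if (me in counted or full >= completes_needed
                    or marginal >= marginals_needed):
                newly_valid.add(key)
        if not newly_valid:
            return valid
        valid |= newly_valid


# Constructed keyring: one fully trusted friend, everyone else marginal.
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"},
    "dave": {"alice"}, "frank": {"alice"},
    "erin": {"bob", "carol"},   # two marginal signers
    "grace": {"dave"},          # one marginal signer
}
OWNERTRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL,
              "dave": MARGINAL}


def validated(completes_needed, marginals_needed):
    """Keys other than your own that validate under the given thresholds."""
    return valid_keys("me", SIGNATURES, OWNERTRUST,
                      completes_needed, marginals_needed) - {"me"}


if __name__ == "__main__":
    for c, m in [(1, 1), (1, 2), (1, 3), (2, 3)]:
        print(c, m, sorted(validated(c, m)))
```

With thresholds 1 and 1 a single marginally trusted signer is enough to validate `grace`; raising the marginal threshold to 2 or 3 removes first `grace` and then `erin`, and requiring two fully trusted signers leaves only the keys you signed yourself.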

Building your web of trust

Wanting to use &gnupg; yourself is not enough.
In order to use it to communicate securely with others you must have
At first glance, however, building a web of trust is a daunting task.
The people with whom you communicate need to use
&gnupg;<footnote><para>In this section, &gnupg; refers to the
&gnupg; implementation of OpenPGP as well as other implementations
such as NAI's PGP product.</para></footnote>, and there needs to be enough
key signing so that keys can be considered valid.
These are not technical problems; they are social problems.
Nevertheless, you must overcome these problems if you want to

When getting started using &gnupg; it is important to realize that you
need not securely communicate with every one of your correspondents.
Start with a small circle of people, perhaps just yourself and
one or two others who also want to exercise their right
Generate your keys and sign each other's public keys.
This is your initial web of trust.
By doing this you will appreciate the value of a small, robust
web of trust and will be more cautious as you grow your web

In addition to those in your initial web of trust, you may want to
communicate securely with others who are also using &gnupg;.
Doing so, however, can be awkward for two reasons:
(1) you do not always know when someone uses or is willing to use
&gnupg;, and (2) if you do know of someone who uses it, you may still have
trouble validating their key.
The first reason occurs because people do not always advertise that
The way to change this behavior is to set the example and advertise
that you use &gnupg;.
There are at least three ways to do this: you can sign messages you mail
to others or post to message boards, you can put your public key on your
web page, or, if you put your key on a keyserver, you can put your key
ID in your email signature.
If you advertise your key then you make it that much more acceptable
for others to advertise their keys.
Furthermore, you make it easier for others to start communicating
with you securely since you have taken the initiative and made it clear
that you use &gnupg;.

Key validation is more difficult.
If you do not personally know the person whose key you want to sign,
then it is not possible to sign the key yourself.
You must rely on the signatures of others and hope to find a chain
of signatures leading from the key in question back to your own.
To have any chance of finding a chain, you must take the initiative
and get your key signed by others outside of your initial web of trust.
An effective way to accomplish this is to participate in key
If you are going to a conference look ahead of time for a key
signing party, and if you do not see one being held, offer to
<ulink url="http://www.herrons.com/kb2nsx/keysign.html">hold one</ulink>.
You can also be more passive and carry your fingerprint with you
for impromptu key exchanges.
In such a situation the person to whom you gave the fingerprint
would verify it and sign your public key once he returned home.

Keep in mind, though, that this is optional.
You have no obligation to either publicly advertise your key or
sign other people's keys.
The power of &gnupg; is that it is flexible enough to adapt to your
security needs whatever they may be.
The social reality, however, is that you will need to take the initiative
if you want to grow your web of trust and use &gnupg; for as much of
your communication as possible.

Using &Gnupg; legally

The legal status of encryption software varies from country to country,
and law regarding encryption software is rapidly evolving.
<ulink url="http://cwis.kub.nl/~frw/people/koops/bertjaap.htm">Bert-Jaap
Koops</ulink> has an excellent
<ulink url="http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm">Crypto
Law Survey</ulink> to which you should refer for the legal status of
encryption software in your country.