Jump to content

Key server (cryptographic): Difference between revisions

From Wikipedia, the free encyclopedia
Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
Prz (talk | contribs)
105 edits
Deleted the nonsense section on how keys are "weakened", and added section about problems with keyservers.
Importing Wikidata short description: "Server on which public keys are stored for others to use"
 
(135 intermediate revisions by more than 100 users not shown)
Line 1: Line 1:
{{Short description|Server on which public keys are stored for others to use}}
In [[computer security]], a '''key server''' is a computer — typically running special software — which provides cryptographic [[key (cryptography)|key]]s to users or other programs. The users' programs can be working on the same network as the key server or on another networked computer.
In computer security, a '''key server''' is a computer that receives and then serves existing cryptographic keys to users or other programs. The users' programs can be running on the same network as the key server or on another networked computer.


The keys distributed by the key server are almost always provided as part of a cryptographically-protected [[identity certificate]] containing not only the key but also 'entity' information about the owner of the key. The certificate is usually in a standard format, such as the [[OpenPGP]] public key format, the [[X.509]] certificate format, or the [[PKCS]] format. Further, the key is almost always a public key for use with an [[asymmetric key]] [[encryption]] algorithm.
The keys distributed by the key server are almost always provided as part of a cryptographically protected public key certificates containing not only the key but also 'entity' information about the owner of the key. The certificate is usually in a standard format, such as the OpenPGP public key format, the X.509 certificate format, or the PKCS format. Further, the key is almost always a public key for use with an asymmetric key encryption algorithm.


== History ==
==History==
Key servers were developed as a result of the invention of [[public key cryptography]].
Key servers play an important role in [[public key cryptography]].
In public key cryptography an individual is able to generate a [[key pair]] which
In public key cryptography an individual is able to generate a [[key pair]], where one of the keys is kept private
while the other is distributed publicly. Knowledge of the public key does not compromise the security of public key cryptography. An
included two related keys. One of the keys in the pair is meant to be kept private
individual holding the public key of a key pair can use that key to carry out cryptographic operations that allow secret communications with strong authentication of the holder of the matching private key. The
while the other is meant to be distributed. Public key cryptosystems are designed
in a way such that the distribution of the public key of the key pair should not
need to have the public key of a key pair in order to start
communication or verify signatures is a bootstrapping problem. Locating keys
significantly weaken the security provided by encryption with the key pair. If an
on the web or writing to the individual asking them to transmit their public
individual has the public key of a keypair, they are able to use that key to
keys can be time consuming and unsecure. Key servers act as central repositories to
initiate secret communications with the holder of the matching secret key. The
need to have the public key of a key pair in possession in order to start
alleviate the need to individually transmit public keys and can act as the root of a [[chain of trust]].
communication or verify signatures is a bootstrapping problem. Locating keys
on the web or writing to the individual asking them to transmit their public
keys can be time consuming. Key servers act as central repositories to
alleviate the need to individually transmit public keys.


The first web-based [[PGP]] keyserver was written for a thesis by [[Marc Horowitz]],
The first web-based [[Pretty Good Privacy|PGP]] keyserver was written for a thesis by Marc Horowitz,<ref>{{cite web
| url=https://www.mit.edu/afs/net.mit.edu/project/pks/thesis/paper/thesis.html
while he was studying at [[MIT]]. Horowitz' keyserver was called the HKP Keyserver
| title=A PGP Public Key Server
after a web-based protocol it used to allow people to interact with the
| first=Marc
| last=Horowitz
| date=1996-11-18
| accessdate=2018-05-02}}</ref> while he was studying at [[MIT]]. Horowitz's keyserver was called the HKP Keyserver
after a web-based OpenPGP HTTP Keyserver Protocol (HKP),<ref>{{cite web
| url=https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00
| title=The OpenPGP HTTP Keyserver Protocol (HKP)
| first=David
| last=Shaw
| date=March 2003
| publisher=[[Internet Engineering Task Force]]
| accessdate=2018-05-02}}</ref> used to allow people to interact with the
keyserver. Users were able to upload, download, and search keys either through
keyserver. Users were able to upload, download, and search keys either through
the [[HTTP]]-based HKP protocol on port 11371, or through web pages which ran CGI
HKP on TCP port 11371, or through web pages which ran CGI
scripts. Before the creation of the HKP Keyserver, keyservers relied on email
scripts. Before the creation of the HKP Keyserver, keyservers relied on email
processing scripts for interaction.
processing scripts for interaction.


=== Enterprise PGP ===
== Public versus private keyservers ==


A separate key server, known as the PGP Certificate Server, was developed by [[PGP, Inc.]] and was used as the software (through version 2.5.x for the server) for the default key server in PGP through version 8.x (for the client software), keyserver.pgp.com. [[Network Associates]] was granted a [[patent]] co-authored by [[Jon Callas]] (United States Patent 6336186)<ref>{{US patent|6336186|Cryptographic system and methodology for creating and managing crypto policy on certificate servers}}</ref> on the key server concept.
The most important universally accessible key servers are those computers, located around the world, which store and provide [[OpenPGP]] keys over the Internet for users of that cryptosystem. In this instance, the computers can be, and are, mostly run by individuals as a [[pro bono]] service, facilitating the [[web of trust]] model PGP uses. There are also multiple proprietary [[public key infrastructure]] systems which maintain key servers for their users; only their users are likely to be aware of them at all.


To replace the aging Certificate Server, an [[LDAP]]-based key server was redesigned at [[Network Associates]] in part by [[Randy Harmon]] and [[Len Sassaman]], called PGP Keyserver 7. With the release of PGP 6.0, LDAP was the preferred key server interface for Network Associates’ PGP versions. This LDAP and LDAPS key server (which also spoke HKP for backwards compatibility, though the protocol was (arguably correctly) referred to as “HTTP” or “HTTPS”) also formed the basis for the PGP Administration tools for private key servers in corporate settings, along with a [[Database schema|schema]] for [[Fedora Directory Server|Netscape Directory Server]].
== Privacy concerns ==

PGP Keyserver 7 was later replaced by the new [[PGP Corporation]] PGP Global Directory of 2011 which allows PGP keys to be published and downloaded using HTTPS or LDAP.<ref>{{cite web | url=https://keyserver.pgp.com/vkd/VKDHelpPGPCom.html | title=PGP Global Directory - Terms and Conditions }}</ref>

=== OpenPGP ===
The OpenPGP world largely used its own development of keyserver software independent from the PGP Corporation suite. The main software used until the 2019 spamming attack was "SKS" (Synchronizing Key Server), written by Yaron Minsky.<ref name=sks-attack/> The public SKS pool (consisting of many interconnected SKS instances) provided access via HKPS (HKP with TLS) and HTTPS. It finally shut down in 2021 following a number of [[General Data Protection Regulation|GDPR]] that it was unable to process effectively.<ref name=sks-archive>{{cite web |title=SKS Keyservers |url=https://www.sks-keyservers.net/ |url-status=dead |archive-url=https://web.archive.org/web/20220119094712/https://www.sks-keyservers.net/ |archive-date=2022-01-19 }}</ref>

A number of newer pools using other software has been made available following the shutdown of the SKS pool, see {{slink||Keyserver examples}}.

==Public versus private keyservers==

Many publicly accessible key servers, located around the world, are computers which store and provide [[OpenPGP]] keys over the Internet for users of that cryptosystem. In this instance, the computers can be, and mostly are, run by individuals as a [[pro bono]] service, facilitating the [[web of trust]] model PGP uses.

Several publicly accessible [http://wiki.cacert.org/KeyServers S/MIME key servers] are available to publish or retrieve certificates used with the [[S/MIME]] cryptosystem.

There are also multiple proprietary [[public key infrastructure]] systems which maintain key servers for their users; those may be private or public, and only the participating users are likely to be aware of those keyservers at all.

== Problems with keyservers ==

=== Lack of retraction mechanism ===

The OpenPGP keyservers since their development in 1990s suffered from a few problems. Once a public key has been uploaded, it was purposefully made difficult to remove it as servers auto-synchronize between each other (it was done in order to fight government censorship). Some users stop using their public keys for various reasons, such as when they forget their pass phrase, or if their private key is compromised or lost. In those cases, it was hard to delete a public key from the server, and even if it were deleted, someone else can upload a fresh copy of the same public key to the server. This leads to an accumulation of old fossil public keys that never go away, a form of "keyserver plaque".

The lack of a retraction mechanism also breached the European [[General Data Protection Regulation]], which was cited as a reason for the closure of the SKS pool.<ref name=sks-archive/> Modern PGP keyservers allow deletion of keys. Because only the owner of a key's e-mail address can upload a key (see next section) in such servers, the key stays deleted unless the owner decides otherwise.

=== Lack of ownership check ===
The keyserver also had no way to check to see if the key was legitimate (belong to true owner). As consequence anyone can upload a bogus public key to the keyserver, bearing the name of a person who in fact does not own that key, or even worse, use it as vulnerability: the Certificate Spamming Attack.<ref name=sks-attack>{{Cite web|title=SKS Keyserver Network Under Attack|url=https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f|access-date=2020-09-17|website=Gist|language=en}}</ref><ref name="Gillmor"/>{{rp|at=&sect;2.2}}

Modern keyservers, starting with the PGP Global Directory, now use the e-mail address for confirmation. This keyserver sent an email confirmation request to the putative key owner, asking that person to confirm that the key in question is theirs. If they confirm it, the PGP Global Directory accepts the key. The confirmation can be renewed periodically, to prevent the accumulation of keyserver plaque. The result is a higher quality collection of public keys, and each key has been vetted by email with the key's apparent owner. But as consequence, another problem arise: because PGP Global Directory allows key account maintenance and verifies only by email, not cryptographically, anybody having access to the email account could for example delete a key and upload a bogus one.

The last Internet Engineering Task Force draft for HKP also defines a distributed key server network, based on DNS [[SRV record]]s: to find the key of ''someone@example.com'', one can ask it by requesting ''example.com''<nowiki/>'s key server.

=== Leakage of personal relationships ===


For many individuals, the purpose of using cryptography is to obtain a higher
For many individuals, the purpose of using cryptography is to obtain a higher
Line 40: Line 81:
authenticity of that key, potential relationships can be revealed by analyzing
authenticity of that key, potential relationships can be revealed by analyzing
the signers of a given key. In this way, models of entire social networks can be
the signers of a given key. In this way, models of entire social networks can be
developed. (Mike Perry's 2013 criticism of the Web of Trust mentions the issue
developed.
as already been "discussed at length".)<ref>{{cite web |last1=Perry |first1=Mike |title=[tor-talk] Why the Web of Trust Sucks |url=https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html |date=Sep 29, 2013}}</ref>


A number of modern key servers remove third-party signatures from the uploaded
== Problems with keyservers ==
key. Doing so removes all personal connections into the Web of Trust, thus preventing
any leakage from happening. The main goal, however, was to minimize the storage space
required, as "signature spamming" can easily add megabytes to a key.<ref>{{cite web |title=keys.openpgp.org FAQ |url=https://keys.openpgp.org/about/faq |website=keys.openpgp.org}}</ref><ref name="Gillmor">{{cite web |last1=Gillmor |first1=Daniel Kahn |title=Abuse-Resistant OpenPGP Keystores [draft-dkg-openpgp-abuse-resistant-keystore-06] |url=https://www.ietf.org/archive/id/draft-dkg-openpgp-abuse-resistant-keystore-06.html |publisher=Internet Engineering Task Force |date=18 August 2023}}</ref>{{rp|at=&sect;2.1}}


== Keyserver examples ==
The OpenPGP keyservers developed in the 1990s suffered from a few problems. Once a public key has been uploaded, it is difficult to remove. Some users stop using their public keys for various reasons, such as when they forget their pass phrase, or if their private key is compromised or lost. In those cases, it was hard to delete a public key from the server, and even if it were deleted, someone else can upload a fresh copy of the same public key to the server. This leads to an accumulation of old fossil public keys that never go away, a form of keyserver "plaque". Another problem is that anyone can upload a bogus public key to the keyserver, bearing the name of a person who in fact does not own that key. The keyserver had no way to check to see if the key was legitimate.


These are some keyservers that are often used for looking up keys with <code>gpg --recv-keys</code>.<ref>{{cite web |title=recv-keys documentation |url=https://www.gnupg.org/gph/en/manual/r747.html |website=GPG Manual |accessdate=30 June 2020}}</ref> These can be queried via <code>https://</code> ([[HTTPS]]) or <code>hkps://</code> (HKP over [[Transport Layer Security|TLS]]) respectively.
To solve these problems, PGP Corp developed a new generation of key server, called the [https://keyserver.pgp.com/ PGP Global Directory]. This keyserver sent an email confirmation request to the putative key owner, asking that person to confirm that the key in question is his. If he confirms it, the PGP Global Directory accepts the key. This can be renewed periodically, to prevent the accumulation of keyserver plaque. The result is a higher quality collection of public keys, and each key has been vetted by email with the key's apparent owner.


* [https://keys.openpgp.org keys.openpgp.org]
== References ==
* [https://keys.mailvelope.com/manage.html keys.mailvelope.com/manage.html]
<references/>
* [https://pgp.mit.edu pgp.mit.edu]
* [https://keyring.debian.org keyring.debian.org] (only contains keys from Debian project members)
* [https://keyserver.ubuntu.com keyserver.ubuntu.com] (default in GnuPG since version 2.3.2)
* [https://pgp.surf.nl pgp.surf.nl]


==See also==
==See also==

{{Portal|Cryptography|Key-crypto-sideways.svg}}


*[[Lightweight Directory Access Protocol]]
*[[Lightweight Directory Access Protocol]]
*[[GnuPG]]


==References==
== External links ==
<references/>
* [http://www.mit.edu/afs/net.mit.edu/project/pks/thesis/paper/thesis.html Marc Horowitz' Thesis]
*{{dmoz|Computers/Security/Products_and_Tools/Cryptography/PGP/Key_Servers/|List of Key Servers}}
* [http://sourceforge.net/projects/pks/ OpenPGP Public Key Server (PKS)] - an OpenPGP key server software package distributed under the [[BSD license]].
* [http://savannah.nongnu.org/projects/sks/ Synchronizing Key Server (SKS)] - an OpenPGP key server software package distributed under the [[GPL]].
*[https://keyserver.pgp.com/ PGP Global Directory]


==External links==
<!-- Categories -->
* [https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00 The OpenPGP HTTP Keyserver Protocol (HKP)] (March 2003)
[[Category:Key management]]
* {{SourceForge|pks|OpenPGP Public Key Server}} - an OpenPGP key server software package distributed under a [[BSD license|BSD-style license]]. It has largely been replaced by SKS and Hockeypuck.
* [https://github.com/SKS-Keyserver/sks-keyserver Synchronizing Key Server (SKS)] - an OpenPGP key server software package distributed under the [[GPL]].
* [https://github.com/hockeypuck/hockeypuck Hockeypuck] - a synchronising OpenPGP keyserver software package distributed under the [[GNU Affero General Public License|AGPL]].
* [https://gitlab.com/hagrid-keyserver/hagrid Hagrid] - a non-synchronising, verifying OpenPGP keyserver software package distributed under the [[GNU Affero General Public License|AGPL]].
* [https://keyserver.pgp.com/ PGP Global Directory] hosted by the [[PGP Corporation]].


[[Category:Key management]]
<!-- Interlang -->
[[de:Schlüsselserver]]
[[it:Key server]]

Latest revision as of 10:13, 27 December 2024

In computer security, a key server is a computer that receives and then serves existing cryptographic keys to users or other programs. The users' programs can be running on the same network as the key server or on another networked computer.

The keys distributed by the key server are almost always provided as part of a cryptographically protected public key certificates containing not only the key but also 'entity' information about the owner of the key. The certificate is usually in a standard format, such as the OpenPGP public key format, the X.509 certificate format, or the PKCS format. Further, the key is almost always a public key for use with an asymmetric key encryption algorithm.

History

[edit]

Key servers play an important role in public key cryptography. In public key cryptography an individual is able to generate a key pair, where one of the keys is kept private while the other is distributed publicly. Knowledge of the public key does not compromise the security of public key cryptography. An individual holding the public key of a key pair can use that key to carry out cryptographic operations that allow secret communications with strong authentication of the holder of the matching private key. The need to have the public key of a key pair in order to start communication or verify signatures is a bootstrapping problem. Locating keys on the web or writing to the individual asking them to transmit their public keys can be time consuming and unsecure. Key servers act as central repositories to alleviate the need to individually transmit public keys and can act as the root of a chain of trust.

The first web-based PGP keyserver was written for a thesis by Marc Horowitz,[1] while he was studying at MIT. Horowitz's keyserver was called the HKP Keyserver after a web-based OpenPGP HTTP Keyserver Protocol (HKP),[2] used to allow people to interact with the keyserver. Users were able to upload, download, and search keys either through HKP on TCP port 11371, or through web pages which ran CGI scripts. Before the creation of the HKP Keyserver, keyservers relied on email processing scripts for interaction.

Enterprise PGP

[edit]

A separate key server, known as the PGP Certificate Server, was developed by PGP, Inc. and was used as the software (through version 2.5.x for the server) for the default key server in PGP through version 8.x (for the client software), keyserver.pgp.com. Network Associates was granted a patent co-authored by Jon Callas (United States Patent 6336186)[3] on the key server concept.

To replace the aging Certificate Server, an LDAP-based key server was redesigned at Network Associates in part by Randy Harmon and Len Sassaman, called PGP Keyserver 7. With the release of PGP 6.0, LDAP was the preferred key server interface for Network Associates’ PGP versions. This LDAP and LDAPS key server (which also spoke HKP for backwards compatibility, though the protocol was (arguably correctly) referred to as “HTTP” or “HTTPS”) also formed the basis for the PGP Administration tools for private key servers in corporate settings, along with a schema for Netscape Directory Server.

PGP Keyserver 7 was later replaced by the new PGP Corporation PGP Global Directory of 2011 which allows PGP keys to be published and downloaded using HTTPS or LDAP.[4]

OpenPGP

[edit]

The OpenPGP world largely used its own development of keyserver software independent from the PGP Corporation suite. The main software used until the 2019 spamming attack was "SKS" (Synchronizing Key Server), written by Yaron Minsky.[5] The public SKS pool (consisting of many interconnected SKS instances) provided access via HKPS (HKP with TLS) and HTTPS. It finally shut down in 2021 following a number of GDPR that it was unable to process effectively.[6]

A number of newer pools using other software has been made available following the shutdown of the SKS pool, see § Keyserver examples.

Public versus private keyservers

[edit]

Many publicly accessible key servers, located around the world, are computers which store and provide OpenPGP keys over the Internet for users of that cryptosystem. In this instance, the computers can be, and mostly are, run by individuals as a pro bono service, facilitating the web of trust model PGP uses.

Several publicly accessible S/MIME key servers are available to publish or retrieve certificates used with the S/MIME cryptosystem.

There are also multiple proprietary public key infrastructure systems which maintain key servers for their users; those may be private or public, and only the participating users are likely to be aware of those keyservers at all.

Problems with keyservers

[edit]

Lack of retraction mechanism

[edit]

The OpenPGP keyservers since their development in 1990s suffered from a few problems. Once a public key has been uploaded, it was purposefully made difficult to remove it as servers auto-synchronize between each other (it was done in order to fight government censorship). Some users stop using their public keys for various reasons, such as when they forget their pass phrase, or if their private key is compromised or lost. In those cases, it was hard to delete a public key from the server, and even if it were deleted, someone else can upload a fresh copy of the same public key to the server. This leads to an accumulation of old fossil public keys that never go away, a form of "keyserver plaque".

The lack of a retraction mechanism also breached the European General Data Protection Regulation, which was cited as a reason for the closure of the SKS pool.[6] Modern PGP keyservers allow deletion of keys. Because only the owner of a key's e-mail address can upload a key (see next section) in such servers, the key stays deleted unless the owner decides otherwise.

Lack of ownership check

[edit]

The keyserver also had no way to check to see if the key was legitimate (belong to true owner). As consequence anyone can upload a bogus public key to the keyserver, bearing the name of a person who in fact does not own that key, or even worse, use it as vulnerability: the Certificate Spamming Attack.[5][7]: §2.2 

Modern keyservers, starting with the PGP Global Directory, now use the e-mail address for confirmation. This keyserver sent an email confirmation request to the putative key owner, asking that person to confirm that the key in question is theirs. If they confirm it, the PGP Global Directory accepts the key. The confirmation can be renewed periodically, to prevent the accumulation of keyserver plaque. The result is a higher quality collection of public keys, and each key has been vetted by email with the key's apparent owner. But as consequence, another problem arise: because PGP Global Directory allows key account maintenance and verifies only by email, not cryptographically, anybody having access to the email account could for example delete a key and upload a bogus one.

The last Internet Engineering Task Force draft for HKP also defines a distributed key server network, based on DNS SRV records: to find the key of someone@example.com, one can ask it by requesting example.com's key server.

Leakage of personal relationships

[edit]

For many individuals, the purpose of using cryptography is to obtain a higher level of privacy in personal interactions and relationships. It has been pointed out that allowing a public key to be uploaded in a key server when using decentralized web of trust based cryptographic systems, like PGP, may reveal a good deal of information that an individual may wish to have kept private. Since PGP relies on signatures on an individual's public key to determine the authenticity of that key, potential relationships can be revealed by analyzing the signers of a given key. In this way, models of entire social networks can be developed. (Mike Perry's 2013 criticism of the Web of Trust mentions the issue as already been "discussed at length".)[8]

A number of modern key servers remove third-party signatures from the uploaded key. Doing so removes all personal connections into the Web of Trust, thus preventing any leakage from happening. The main goal, however, was to minimize the storage space required, as "signature spamming" can easily add megabytes to a key.[9][7]: §2.1 

Keyserver examples

[edit]

These are some keyservers that are often used for looking up keys with gpg --recv-keys.[10] These can be queried via https:// (HTTPS) or hkps:// (HKP over TLS) respectively.

See also

[edit]

References

[edit]
  1. ^ Horowitz, Marc (1996-11-18). "A PGP Public Key Server". Retrieved 2018-05-02.
  2. ^ Shaw, David (March 2003). "The OpenPGP HTTP Keyserver Protocol (HKP)". Internet Engineering Task Force. Retrieved 2018-05-02.
  3. ^ Cryptographic system and methodology for creating and managing crypto policy on certificate servers
  4. ^ "PGP Global Directory - Terms and Conditions".
  5. ^ a b "SKS Keyserver Network Under Attack". Gist. Retrieved 2020-09-17.
  6. ^ a b "SKS Keyservers". Archived from the original on 2022-01-19.
  7. ^ a b Gillmor, Daniel Kahn (18 August 2023). "Abuse-Resistant OpenPGP Keystores [draft-dkg-openpgp-abuse-resistant-keystore-06]". Internet Engineering Task Force.
  8. ^ Perry, Mike (Sep 29, 2013). "[tor-talk] Why the Web of Trust Sucks".
  9. ^ "keys.openpgp.org FAQ". keys.openpgp.org.
  10. ^ "recv-keys documentation". GPG Manual. Retrieved 30 June 2020.
[edit]
Retrieved from "https://en.wikipedia.org/enwiki/w/index.php?title=Key_server_(cryptographic)&oldid=1265526153"