The OpenPGP protocol provides a long time adopted and widespread tool for secure and authenticated asynchronous communications, as well as supplies data integrity and authenticity validation for software distribution. In this work, we analyze the Web-of-Trust on which the OpenPGP public key authentication mechanism is based, and evaluate a threat model where its functionality can be jeopardized. Since the threat model is based on the viability of compromising an OpenPGP keypair, we performed an analysis of the state of health of the global OpenPGP key repository. Despite the detected amount of weak keypairs is rather low, our results show how, under reasonable assumptions, approximately 70% of the Web-of-Trust strong set is potentially affected by the described threat. Finally, we propose viable mitigation strategies to cope with the highlighted threat.
CITATION STYLE
Barenghi, A., di Federico, A., Pelosi, G., & Sanfilippo, S. (2015). Challenging the trustworthiness of PGP: Is the web-of-trust tear-proof? In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9326, pp. 429–446). Springer Verlag. https://doi.org/10.1007/978-3-319-24174-6_22
Mendeley helps you to discover research relevant for your work.