Challenging the Trustworthiness of PGP: Is the Web-of-Trust Tear-Proof?

  • Alessandro Barenghi
  • Alessandro Di Federico
  • Gerardo Pelosi
  • Stefano Sanfilippo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9326)


The OpenPGP protocol is a long-established and widespread tool for secure and authenticated asynchronous communication, and it also supplies integrity and authenticity validation for software distribution. In this work, we analyze the Web-of-Trust on which the OpenPGP public key authentication mechanism is based, and evaluate a threat model under which its functionality can be jeopardized. Since the threat model rests on the viability of compromising an OpenPGP keypair, we performed an analysis of the state of health of the global OpenPGP key repository. Although the number of weak keypairs detected is rather low, our results show how, under reasonable assumptions, approximately 70 % of the Web-of-Trust strong set is potentially affected by the described threat. Finally, we propose viable mitigation strategies to cope with the highlighted threat.
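As an added illustration (not code from the paper), the following Python sketch models the abstract's threat on a constructed certification graph: it computes the Web-of-Trust strong set (largest strongly connected component) and the share of strong-set keys that hold a bounded-length certification path to a compromised key. The key ids, the path bound and the assumption that such keys would accept a forged certification issued with the compromised key are assumptions of this example, not the paper's methodology.

```python
from collections import defaultdict, deque

# Constructed certification graph (made-up key ids, not data from the paper):
# an edge (signer, signee) means `signer` has certified `signee`.
CERTS = [
    ("A", "B"), ("B", "A"), ("B", "C"), ("C", "A"), ("C", "D"), ("D", "B"),
    ("D", "E"), ("E", "C"), ("E", "F"), ("F", "E"),
    ("A", "G"),   # G is certified but certifies nobody: outside the strong set
    ("H", "A"),   # H certifies into the set but is never certified: outside too
]

def build_graph(certs):
    fwd, rev, nodes = defaultdict(set), defaultdict(set), set()
    for signer, signee in certs:
        fwd[signer].add(signee)
        rev[signee].add(signer)
        nodes.update((signer, signee))
    return nodes, fwd, rev

def reachable(start, adj, max_depth=None):
    """Breadth-first search; with max_depth, only nodes within that many hops."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        n = queue.popleft()
        if max_depth is not None and dist[n] >= max_depth:
            continue
        for m in adj[n]:
            if m not in dist:
                dist[m] = dist[n] + 1
                queue.append(m)
    return set(dist)

def strong_set(certs):
    """Largest strongly connected component of the certification graph."""
    nodes, fwd, rev = build_graph(certs)
    best, remaining = set(), set(nodes)
    while remaining:
        n = next(iter(remaining))
        scc = reachable(n, fwd) & reachable(n, rev)
        remaining -= scc
        if len(scc) > len(best):
            best = scc
    return best

def affected_fraction(certs, compromised, max_depth=5):
    """Share of strong-set keys with a certification path of at most max_depth
    hops to a compromised key (assumed acceptance model; the bound of 5 is an
    assumption mirroring GnuPG's default max-cert-depth)."""
    nodes, fwd, rev = build_graph(certs)
    strong = strong_set(certs)
    affected = set()
    for key in compromised:
        affected |= reachable(key, rev, max_depth)  # keys that can reach `key`
    return len(affected & strong) / len(strong)
```

With an unbounded path length every strong-set key reaches every other, so the depth bound is what makes the fraction informative.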


Keywords: Web-of-Trust, WoT, OpenPGP, GPG, PGP



Copyright information

© Springer International Publishing Switzerland 2015

Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License, which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  • Alessandro Barenghi (1)
  • Alessandro Di Federico (1)
  • Gerardo Pelosi (1)
  • Stefano Sanfilippo (1)
  1. Department of Electronics, Information and Bioengineering – DEIB, Politecnico di Milano, Milano, Italy
