The Trust Network - distribution of public keys
The Trust Network is an important part of the whole system. Its purpose is to store public keys so that they can be retrieved. The problem is that when you send an email to somebody, and if you are using public key crypto, you need to know their public key. Current client software requires you to obtain the public key by some means before encrypted communication can begin.

By having your Public Key stored on a server people can obtain your public key at any time. And because you can also interrogate your public key yourself at any time you can ensure the public key has not been replaced. Once someone has your public key it is stored on their machine, and verified against the public key server when used. This increases the chance that a man in the middle attack is detected.

An additional security feature may be signed keys. This is effectivly a certificate. It means that the public key has been signed by the server as geniune. This means that any attempt to replace the key in transit will break the certificate.
Receiving Keys
The Server will receive keys by having the client connect to the server go through the following protocol :
  • Client sends a Message with their public key and email address signed by their private key.
  • Server confirms authenticity of public key by checking the signature. If authentic it will send a Confirm Message back to the client. It also sends a email message to the email address supplied informing the user that they have registered their public key.
  • Client receives their email, and replies to the email to activiate the Public Key. If no response comes from the client the Server will not distribute the Public Key.
    • Obtaining / Verifying a Public Key
    The Server will distribute a public key to any client which requests one using the following protocol: Client sends a message requesting the public key of a specific email address in the clear. This is not encrypted as there is no secret information to be protected. Server looks up email address and sends the Public Key signed by the Private Key of the owner of the Public Key. This protocol is the same weather requesting or verifying a Public Key.
    The Trust Network
    Public keys are used for both Encryption and Verification, so ensuring you have the correct public key is vitally important, otherwise your encrypted communications are vunrable, and you cannot be verify where messages come from.

    The traditional way of ensuring distributing public keys was a trust tree, where some organization at the top of the tree signs certificates of organizations below. In turn those organizations might distribute certificates and so on down. The purpose of this is to provide some certainty that the public key you have obtained is really the public key of the intended receipient of a message, and not a spy in the middle.

    The Trust Network is a set of Public Key Servers. Each server on the network has a full list of the other servers.When a new public key is received it sends the public key via secure channel to two servers on the list at random. These two servers will then periodically query the original server to ensure the Public Key has not been tampered with.

    Should tampering be detected by a server, it will send out a message to all the servers on the server list to check the server under suspicion. Each server will then query the Public Keys it has stored against the suspect server.

    Any Public Keys that have been tampered with will generate an additional message to the suspect server informing them of the mismatch, and what the correct key should be. If a server gets corrections from two servers for a Public Key it will change the Public Key stored to the one supplied, assuming the Public Keys from the other servers match.

    If a suspect Public Key is not corrected even when these messages have been sent to a server, the entire server will be marked on the list as 'defective'. A new server will be chosen to host the keys that previously belonged to the defective server, and all Public Keys stored on other servers relating to the defective server will be transmitted to the new server. The new server will only accept Public Keys if it receives two copies from different servers.

    The result of all this is that servers which have been hacked or modified in such a way to allow false Public Keys to be distributed will be discovered, and if the problem is not resolved, will be eliminated from the 'Trust Network'.
    Lightweight Directory Access Protocol
    The LightWeight Directory Access Protocol is already being used in a system much like that described above. In all probability we will end up using this protocol and the open source implementations of it to deliver Public Key Distribution. PGP uses LDAP to distribute keys. Like many of the other standards and protocols I have already found, I am investergating how this can be incorporated into the project.
    Home