Any cryptographic system depends upon some degree of trust. Earlier, we discussed how strong cryptography depends upon a secure key exchange process. In this video, learn about the different trust models, including personal knowledge, the web of trust, and the public key infrastructure.
- [Instructor] Any cryptographic system depends upon some degree of trust. Earlier in this course, I discussed how strong cryptography depends upon a secure key exchange process. The two people communicating must be confident that they are really communicating with each other and not an impersonator and that nobody is going to be able to eavesdrop on the communication where they exchange encryption keys. The Diffie-Hellman key exchange protocol helps us with preventing eavesdropping, but we still require some way to ensure that we're not communicating with an imposter.
In asymmetric cryptography, every user possesses a personal secret key that they don't need to share with anyone else. They can also share their public keys freely so that there's no risk of eavesdropping. These two factors combine to eliminate the need for eavesdropping protection during key exchange. However, we do still need to worry about imposters. How do we know that the person sending us their public key really is who they claim to be? There are three basic ways that we can obtain this assurance.
In-person key exchange which, as I discussed earlier, is cumbersome and difficult. We can also use a concept known as the Web of Trust or more commonly, rely upon the Public Key Infrastructure or PKI. The Web of Trust was first introduced by Phil Zimmermann with the introduction of his PGP encryption software. The Web of Trust recognizes that it simply isn't possible for you to personally meet everyone that you want to exchange messages with. Just imagine what that will be like for your email account today.
The Web of Trust depends upon indirect relationships such as those you would find on LinkedIn. While you might not know the person you wish to communicate with personally, you might know somebody who knows that person. Or perhaps you have a third-level connection where you know somebody who knows somebody who knows that person. The Web of Trust takes advantage of this by using digital signatures to vouch for the public keys of individuals. Every participant signs the public keys of everyone they know when they verify that the public key belongs to that person.
And then everyone in the system builds a list of the people they trust to vouch for others. If this web becomes large enough, there is a reasonable expectation that indirect trust relationships will allow most people to communicate with most other people. The problems with a Web of Trust include that its decentralized approach makes it very difficult to manage. There is a high barrier to entry for new people and the Web of Trust requires a good deal of technical knowledge on behalf of each user.
For these reasons, the Web of Trust never really took off outside of the technical community. The Public Key Infrastructure or PKI builds upon the Web of Trust approach, but introduces centralized authorities who can make the process easier. That's the subject of my next video.
- Symmetric and asymmetric cryptography
- Reviewing the four major goals of cryptography
- Cryptographic math
- Choosing encryption algorithms
- Symmetric cryptography
- Common cipher modes
- Elliptic curve and quantum cryptography
- Public key infrastructure
- Creating and revoking a digital certificate
- Brute force and knowledge-based attacks
- Digital rights management