Improving Robustness of PGP Keyrings by Conflict Detection

  • Qinglin Jiang
  • Douglas S. Reeves
  • Peng Ning
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2964)


Secure authentication frequently depends on the correct recognition of a user’s public key. When there is no certificate authority, this key is obtained from other users using a web of trust. If users can be malicious, trusting the key information they provide is risky. Previous work has suggested the use of redundancy to improve the trustworthiness of user-provided key information. In this paper, we address two issues not previously considered. First, we solve the problem of users who claim multiple, false identities, or who possess multiple keys. Second, we show that conflicting certificate information can be exploited to improve trustworthiness. Our methods are demonstrated on both real and synthetic PGP keyrings, and their performance is discussed.





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Qinglin Jiang (1)
  • Douglas S. Reeves (1)
  • Peng Ning (1)
  1. Cyber Defense Lab, Departments of Computer Science and Electrical and Computer Engineering, N.C. State University, Raleigh, USA
