In cryptology, Web of Trust (WOT) is the idea of securing the authenticity of digital keys through a network of mutual confirmations (signatures), combined with the individually assigned trust in the confirmations of others (“owner trust”). It is a decentralized alternative to the hierarchical PKI system.
Public key encryption offers the advantage (compared to symmetric encryption) that the key to be exchanged does not have to be transmitted over a secure channel, but is public. To transmit the key, it is therefore possible to use a network of key servers to which anyone can upload their public keys and from which anyone can retrieve the key of the person with whom they want to communicate. However, this creates another problem: a person could publish a key with which he or she impersonates someone else. So there must be a way to check the authenticity of a key. The solution to this problem is to have a trusted entity confirm the authenticity of a public key through a digital certificate. In the case of public key infrastructures, this is a certificate authority; in the Web of Trust, on the other hand, all participants take on this function.
Principle of Operation
Alice signs Bob’s key and trusts Bob’s key signatures. Bob signs Carl’s key (Bob’s trust in Carl’s key signatures is neither known nor relevant). Alice therefore considers Carl’s key to be valid.
It’s important not to confuse the two types of trust involved:
- On the one hand, you trust that a key (which you have not signed yourself) is valid (authentic), i.e. that the owner of the key is really the person (or institution) you think it is.
- On the other hand, one trusts (fully, partially, or not at all) that the owner of a key makes only careful key signatures, i.e. that the claim expressed by that person’s signature, that a certain key belongs to a particular person, is reliable. This trust is called “owner trust”.
These two types of trust are independent of each other:
- You can be sure that a certain key belongs to a specific person. This conviction is in no way shaken by considering that person’s key signatures worthless.
- One can fully trust a person’s key signatures without having a key of that person that is considered valid. (However, until a valid key is available, any key signatures of the person are worthless.)
- Implicitly, there is a third category of trust, namely trust in the security of the signing key itself. A person whose certifications are fully trusted may, for good reason, also have keys that are not very secure because of the way they are used (and whose certificates are correspondingly worth less). “Owner trust” is set per key, so if the same key owner has several keys, this trust can be set differently for each of them.
OpenPGP offers the possibility to add a (albeit imprecise) indication of how thoroughly the authenticity of the key has been checked. Users of the WoT generally do not know how thoroughly the identity of the key and its owner have been checked, nor which components of the key were checked at all. The signer may know the owner personally, may have used an ID card (or similar) to verify a stranger, or not even that; especially in the case of foreign names, he may also have accepted a different spelling. Verification of the key information may be limited to the name (names are not unique); it may include one or all of the e-mail addresses and even the comments. Even when a thorough check is known to have been carried out, the security of verifying an ID card or an e-mail address comes nowhere near the technical security of common cryptography. The security of the WoT is therefore limited. This can be partially compensated for by requiring more signatures before a key is considered valid, but that reduces the usability of the WoT accordingly. The validation of a key can be carried out via any number of intermediate steps (which the user can cap), but for this to work, all keys involved (except the one to be validated) must carry a corresponding owner trust.
Web of Trust Certificates
In the Web of Trust, a certificate consists of the digital signature that another person, who also participates in the Web of Trust, gives to a key after assuring themselves of the identity of the key holder (typically in a face-to-face encounter). RFC 2440 (now replaced by RFC 4880) describes a procedure for associating these certificates with the key and providing them with a rating. The certificate is uploaded with the key to a worldwide network of key servers and can thus be accessed by anyone.
The key holder accumulates as many of these signatures as possible. People who do not know the key holder and have no personal contact with him or her can see from the certificates that the identity is well attested, and rely on that.
Here’s how it works in a Web of Trust:
- Alice creates a pair of keys for herself and signs it. She also sends the public part to a key server so that other participants have easy access to it.
- Bob wants to communicate with Alice in encrypted form. To do this, he obtains Alice’s key from a key server, but still has to make sure that he really got the right key: An attacker could impersonate Alice and send a key he generated to the key server. Anyone who thinks they are encrypting a message just for Alice would actually be encrypting it for the attacker.
- Bob asks Alice (e.g. during a phone call or a face-to-face meeting) for the fingerprint of her public key. He compares this with that of the key he received from the key server.
- If both fingerprints match, Bob can assume that he has received the correct key. That’s why he signs Alice’s public key (more precisely: one or more of her user IDs) with his private one and sends this signature to the key server.
- If Carl now wants to communicate with Alice in encrypted form, he obtains Alice’s public key from the key server, just as Bob did. He then sees that Bob has already checked Alice’s key. If Carl already knows Bob’s key, and he trusts Bob to do a thorough check before signing someone else’s keys, then he does not have to meet Alice and repeat the check himself. He trusts Alice’s key solely because of Bob’s trusted signature. If Carl wants to increase his level of security, or if he has only limited confidence in Bob’s signatures specifically, he can configure his cryptosystem to require several signatures from signers he accepts before a key is automatically considered valid.
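The validity computation described above (valid keys, per-key owner trust, a signature threshold, and a cap on the number of intermediate steps) as a small added model, not code from the original article or from any OpenPGP implementation. The thresholds mirror the GnuPG defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5); the keyring and the names in it are constructed, and the model is simplified to whole keys rather than individual user IDs.

```python
from dataclasses import dataclass, field
from enum import Enum

class OwnerTrust(Enum):
    UNKNOWN = 0    # default: this key's signatures are ignored
    MARGINAL = 1   # careful signer, but not relied on alone
    FULL = 2       # one signature from this key suffices
    ULTIMATE = 3   # your own keys: valid by definition

@dataclass
class Key:
    owner_trust: OwnerTrust = OwnerTrust.UNKNOWN
    signed_by: set = field(default_factory=set)  # key ids that certified this key

def compute_validity(keyring, completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {key_id: depth} for every key the local user may treat as valid.
    Thresholds mirror the GnuPG defaults (completes-needed 1, marginals-needed 3,
    max-cert-depth 5); the model is simplified to whole keys rather than user IDs."""
    valid = {kid: 0 for kid, k in keyring.items() if k.owner_trust is OwnerTrust.ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly = {}
        for kid, key in keyring.items():
            if kid in valid:
                continue
            # A signature counts only if the signer's key is itself already valid
            # (at a shallower depth) AND that key carries owner trust.
            usable = [keyring[s].owner_trust for s in key.signed_by if s in valid]
            full = sum(t in (OwnerTrust.FULL, OwnerTrust.ULTIMATE) for t in usable)
            marginal = sum(t is OwnerTrust.MARGINAL for t in usable)
            if full >= completes_needed or marginal >= marginals_needed:
                newly[kid] = depth
        if not newly:
            break          # no further keys can become valid
        valid.update(newly)
    return valid

def example_keyring():
    """Constructed keyring seen from Alice's point of view (names are placeholders)."""
    return {
        "alice": Key(OwnerTrust.ULTIMATE),
        "bob":   Key(OwnerTrust.FULL, {"alice"}),          # Alice signed Bob, trusts his signatures
        "carl":  Key(OwnerTrust.UNKNOWN, {"bob"}),         # valid through Bob alone
        "dan":   Key(OwnerTrust.MARGINAL, {"alice"}),
        "erin":  Key(OwnerTrust.MARGINAL, {"alice"}),
        "frank": Key(OwnerTrust.MARGINAL, {"bob"}),
        "grace": Key(OwnerTrust.UNKNOWN, {"dan", "erin", "frank"}),  # three marginals
        "heidi": Key(OwnerTrust.UNKNOWN, {"dan"}),         # one marginal: not enough
        "ivan":  Key(OwnerTrust.UNKNOWN, {"carl"}),        # Carl is valid but has no owner trust
    }
```

Lowering `max_cert_depth` to 2 drops Grace, whose third marginal signer is only reachable through Bob; Ivan stays invalid no matter the thresholds, because a valid key without owner trust contributes nothing.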

Principles of the Web of Trust
Several key principles underpin the functioning of the Web of Trust:
- Decentralization: The Web of Trust operates without a centralized authority, allowing users to interact and establish trust directly with one another.
- Transitivity: Trust relationships in the Web of Trust can be transitive, meaning that if user A trusts user B and user B trusts user C, user A may also trust user C to some extent.
- Endorsement and Reputation: Trust is earned through endorsements and feedback from other users. A user’s reputation within the Web of Trust is influenced by the endorsements they receive from peers.
- Dynamic and Adaptive: The Web of Trust is dynamic and adaptive, with trust relationships evolving over time based on ongoing interactions and feedback from the community.
Applications of the Web of Trust
The Web of Trust has found diverse applications across various online platforms and services. Pioneered by the Pretty Good Privacy (PGP) encryption system, the Web of Trust enables users to securely exchange encrypted emails by verifying each other’s public keys through trusted introducers or by directly validating key fingerprints. In software development and distribution, the Web of Trust facilitates the verification of digital signatures and code signatures, allowing users to validate the authenticity and integrity of software packages and updates.
Some social networking platforms incorporate elements of the Web of Trust into their friend or connection networks, enabling users to designate trusted contacts and control access to their personal information and updates.
Challenges and Considerations
While the Web of Trust offers numerous benefits, it also presents several challenges and considerations. Malicious users may attempt to subvert the Web of Trust by creating multiple fake identities or personas (Sybil attacks) to artificially inflate their trust ratings or manipulate the trust relationships within the network.
As the size of the Web of Trust grows, managing and validating trust relationships becomes increasingly complex. Scalability issues may arise, particularly in large-scale decentralized systems. Participation in the Web of Trust requires users to share information about their interactions and endorsements, raising privacy concerns regarding the collection and dissemination of personal data. The usability of Web of Trust systems can be a barrier to adoption for non-technical users. Complex key management processes and cryptographic concepts may pose challenges for individuals unfamiliar with encryption technologies.