Philip Sugg

Philip Sugg - Technical Writing Portfolio

Consumer Public Key Security

This project serves, first, as a sample of my writing abilities and technical knowledge.

It is also intended to be a useful source about a topic that deserves more attention: the increasing availability of public key encryption technology as a consumer-facing product. At the level of infrastructure, this technology is not new. The modern internet would be hard to imagine without technologies like HTTPS, SSL, SSH and other protocols, which rely on public key encryption to ensure privacy between clients and servers. Almost everyone who uses the internet relies on public key technology to keep their sensitive data (e.g., financial, medical) secure while it travels across the network.

But what has changed in recent years is the proliferation of this technology for consumers. Recognizable examples include security keys used as a second factor alongside a password, and “digital wallets” that hold electronic assets like Bitcoin. Public key encryption has the potential to be more secure than password-based systems alone, but it also requires different knowledge and care on the user’s part.

The purpose of this guide series is to explain the functional concepts of public key encryption by walking through how it works in various consumer settings. For the moment, it concentrates on one older but mature encryption technology, the GPG (Gnu Privacy Guard) system, which can be used to digitally “sign” and encrypt email. I begin with this technology not because I believe most users should begin signing or encrypting their emails, but because someone who learns GPG will learn widely applicable principles of public key encryption. GPG also has mature cross-platform integrations across operating systems and applications (e.g., Apple Mail). New users can learn how to use public keys without getting into excessively technical details, for example, at the command line.

I continue to work on drafts of additional topics which I will add in the coming months (see the “Todo” section below).

Current

So far, there are four training documents in this sequence. Together they make up a basic introduction to one mature implemention of user-driven public key security, the GPG (“Gnu Privacy Guard”) system.

Complete the guides in the order recommended below. The training alternates practical work with in-context review of core GPG concepts like identity and the “web of trust.”

A blend of theory and practice gives users an introduction to (1) what public-key encryption actually looks like in practice, and (2) background knowledge that clarifies how to manage a collection of public keys.

  1. Learning the GPG System with GPG Suite and Apple Mail (How-To)

  2. A New Paradigm for Consumer Security (Conceptual)

  3. Using GPG to Sign and Encrypt Ordinary Files (How-To)

  4. Foundational GPG Concepts (Conceptual)

These guides are modeled on the documentation categories set out in Docs for Developers: An Engineer’s Field Guide to Technical Writing (Apress, 2021). See “About These Docs”, below, for more information.

Background

Why public key encryption, and how does it differ from password-based authentication?

Almost everyone who uses the internet today is familiar with a password-based authentication system. Passwords are so common that the average user of the internet might think that there is no other option. It is easy to understand why passwords are such an appealing security model for most user-facing tasks. The conceptual model underlying them is incredibly straightforward:

  1. The user chooses a secret sequence of characters, which he or she sends to a server or authentication service.
  2. The server stores a copy of this secret securely, and prompts the user for it when he/she logs into the server.
  3. The user is granted access if he or she supplies a password that matches a version of the credentials stored on the server.

Passwords are so approachable because they are easy for the users to visualize: “The server has what I have in my head. If I give the server my credentials, I get in.”

The most obvious problem with passwords is that if someone manages to steal these credentials from either the user (e.g., a phishing attack) or the server (e.g., a hack), that unauthorized person has everything needed to gain access to the real user’s account. A simple password-based model concentrates all the risk in that single password; if the ‘plaintext’ of the password is stolen, or if a hacker manages to decipher it, then the only solution is to change to a new password.

Public key encryption distributes these risks differently. It offers a model in which client (user) and server have different credentials, each of which grant them specific, limited rights.

Instead of a single password that must be kept secret, public key encryption creates what are in effect two passwords:

  1. A “public” password (i.e., a “key”) which is held on the server or by other users, and which is intended to be shared
  2. A private password that the user keeps on his computer and that is never, under any circumstances shared with any other user.

Since the public and private keys are different, there has to be another method for providing access to the user other than a match between identical credentials. That method is a cryptographic algorithm, a mathematically secure way of comparing public and private keys and confirming that they are from a “matching set” of keys.

For more on the comparison with passwords, see here

Todo

Additional content to come includes:

  1. Pitfalls and Common Mistakes When Using the GPG System (Troubleshooting)

About These Docs

My framework for these guides is the excellent Docs for Developers: An Engineer’s Field Guide to Technical Writing. Documentation types laid out by this guide include:

  1. READMEs
  2. Getting Started
  3. Conceptual
  4. Procedural (Tutorial, How-To)
  5. Reference (APIs, Glossary, Troubleshooting, Change Notes)

Permalink