 if it's in mixed case and hope in PGP if it's all lowercase. So I was told I needed to have something about me so if you don't know who I am I'm the guy giving the talk. And apparently I started this back in March 2012 because I wanted to use OpenPGP with TLS and it seemed like it would be easiest to do both client and server in Haskell and I was not aware of any options other than one set of findings to GPG me and GPG me was suboptimal for various reasons and even though there's there's now a better set of bindings for GPG me it's it's still got the limitations of GPG me itself and I think it's still useful to have a separate implementation so in 2011 two different people independently started writing OpenPGP implementations one of whom actually wanted to do the same stuff with RFC 6.091 and that's that's how we found out about our competing projects and we've made a slight effort to merge our code bases but it's proven to be difficult for various reasons and basically we now just share a test suite and it's possible that will be improved in future so it's really difficult to have a program make use of OpenPGP because you either have to shell out to GNU PG itself or you use GPG me which is a library that shells out to GNU PG with a different API and I think that's why there's like 15 different Python libraries for OpenPGP and only two of them use GPG me and the rest call GPG directly so one of the problems or what one of the frequent complaints about GNU PG is that it's difficult to use so a library that's not difficult to use would theoretically be useful for making easier to use interfaces and of course I enjoy threads on Debian project about key size and hash algorithms and having a library to facilitate that is it's pretty great so there are three components in the suite. OpenPGP and OpenPGP ASCII armor are libraries and OpenPGP tools are the tools they're available from Hackage, Zackage and Debian and nowhere else that I'm aware of. OpenPGP ASCII armor is pretty boring it's the ASCII armor codec it's been unchanged since sometime in 2012 I think and it is I think the only Haskell implementation everybody else just uses it and even though it could be improved nobody has pushed for it to be changed so maybe that will happen in future. HOpenPGP is more interesting it does the rest of RFC 4880 compression signatures it's it's kind of a beast it's not entirely portable because it uses Haskell features that are not present on all of Debian's architectures and the API keeps changing and is going to keep changing for the foreseeable future. So yesterday Zack asked me if I was going into the internals and I said I wasn't because I hadn't thought of a good way to do that but since this is the functional programming track and it's about Haskell I'm now going to show you how some of this works so this is a data type called TK. TK stands for transferable key it represents a transferable public or secret key as defined by RFC 4880 and the it mostly mirrors the binary structure of such a series of packets which is the public or secret key represented by the pair on top any number of replication signatures any number of UIDs and their corresponding certifications any number of user attribute sets and their corresponding certifications and any sub keys so probably some of these should be non-empty lists instead of lists the brackets represent lists of whatever types inside and the parentheses and commas represent tuples which in this case are all pairs so we could with the type system actually say that some of these are not allowed to be empty they need at least one element so at some point in the future I'll probably do that for correctness sake and the last line of the the data declaration which is in record syntax is for automatically deriving instances of type classes so the eck and show type classes allow you to compare for equality and convert to string respectively and GHC will derive those automatically if it knows how and in this case it does because each of the types contained within this structure also have the corresponding instances but for ORD which is a class that allows you to see whether something is less than greater than or equal we're defining this by hand and so we're saying that a transformable key gets ordered solely on the basis of the contents of the public or secret key so that may not be the best idea but that's what's happening now did any of the non-haskelers understand any of that okay so we're also defining an instance for indexable which is how I've chosen to represent key rings for now so we make an indexable set of all the keys you insert and then we have an index for the UIDs the 20 octet fingerprints the 8 octet key IDs and the entire public key payload itself which is probably the cause of DKG's laptop heating up and spinning for 90 minutes at a time but we can work on that later and then this is the semi-group instance this is a semi-group is a set with an associative binary operator for a long time I wanted to make a monoid but I couldn't figure out how to do the identity element so I made a semi-group instead so this says how to basically merge two keys so if you have key A and key B we're gonna take the public or secret key from key A and we're just gonna throw away the that part from key B and then for the revocations UIDs UIDs and subkeys we're just gonna merge them together with the functions at the bottom in the work laws there and so right so that's just an abbreviation for no sort of pen we need more conspiracy theories it's true so the this this is gonna be theoretically useful for if somebody wants to build the tool to fetch keys from a key server and then just merge the new signatures onto an existing key or something like that and so the very first thing I had to do after defining a bunch of types was serialization so actually the serialization was less important than the parsing part which is the next slide but so this expresses how to write out a public key payload which is most of the public key to a byte string and so on on top we have a v3 key so it outputs the octet 3 to show that it's v3 key and then it has a big endian creation time and the v3 expiration and the public key algorithm and the public key itself and the reason we do put pka a instead of more specialized function is that there is a put instance for a public key algorithms already and so we can just use that and on the bottom it's a v4 key and we're just throwing away the v3 expiration field because it's not relevant so that helps produce a byte string from a key and this is the other direction this will parse a public key payload so this is using the serial library and if the binary library continues to improve it might be good to switch to that instead so this yes I'm curious about why you have the public key algorithm separate from the public key object given that it seems like the public key object could know its own algorithm or would that so the way the the the types are so somewhat of a rats nest the you're as what are you asking is I'm not I'm not a Haskell programmer okay how about we come back to that at the end or something so this is the inverse operation we're grabbing an octet to find out the version then we're grabbing the creation time and then depending on the value of the version we either read a v3 or v4 key I had to change it to accept a version of 2 because there's all kinds of weird things on the key servers and I was trying to parse as much of it as possible and there are a lot of keys with that value and they seem to be exactly like v3 keys but I'm not sure so that might be something to figure out later and at the end it it's gonna come back with either a v3 or a v4 key or or fail entirely because it's a new or invalid key format so now we segue into the command line tools themselves which some of you have been using and maybe of more general interest so HKT is the H open PGP key ring tool and right now you can export keys list them and then you can also graph certifications and find paths between keys this is something DAV asked me about at Hope and it was easier than I thought to implement so an example of HKT is we can take the debbing key ring and list all keys with a creation time I greater than January 1st of this year so you can see all the keys in the debbing key ring that were created this year so there's two different ways to specify keys with this tool well you can either do a long key ID full fingerprint a user ID substring or a filter expression which is this basically a DSL I wrote that needs to be totally overhauled but lets you do things like a numeric compare on the timestamp so probably the the most popular tool right now is Hokie which has one sub command which is linked and that aims to let you know how you're doing with regard to the open PGP best practices document published by rise up so you can either use HKT to export a key and pipe it to Hokie or you can use GPG it takes a transferable key in RFC 4880 format in in open PGP packets so any compliant tool that exports a key in that format can be used as a source and you can get output with with pretty colors or you can get it in JSON or YAML if you change the output format and so if you read any of the messages on Debian project where I posted some statistics that came from the JSON output and post processing with the JQ so this example will export all RSA keys greater than 8k from the Debian key ring which I think is just one or two one and complain about how his expiration date is too far in the future so now there's hot which is meant to operate on either ASCII armor or individual open PGP packets so there's a filtering here that operates without context so and the syntax is also suboptimal for historical reasons that should be fixed so if we do the same export again to get the person with the big key and we pipe it to hot filter we have to specify filters for pub keys signatures and other packets which is really not ideal but if you don't do that it's gonna just let them all through and in this example I want only signature packets that are positive certifications and I want to dump them to the screen so this this also probably needs an overhaul so you can specify that filter without three different command-line switches so I talked briefly about the graphing done by HKT so this is the KSP key ring built by an e-ball prior to the conference and you can't really see what's going on here but so the the graph command outputs a file in or not a fallen outputs dot or I don't I don't really know the difference between dot and graph is formats so perhaps they're the same but okay all right so it outputs something that can be rendered by dot and then you can convert it into an image and so this is a small key ring if you try to do this on the debbing key ring or your personal key ring you're gonna be in a lot of pain but we might be able to optimize that so the other thing is that this is purely a self-contained operation it's verifying signatures on this key ring from this key ring so anybody not in the cure the KSP West is not gonna be used as a connector so this this is all pretty self-connected and then this stuff up here well actually I so I had to zoom in here so you could see so this is this is each arrow represents a certification that's verified and valid according to the the logic we're currently using which may be flawed and so number 23 up there is unevolves I forget which key but one of him and I guess that should be pretty self-explanatory and yes yes this specific image not this one the full image I mean you could you could generate it yourself what versions of hope and PGT tools are your examples drawing from what they were in diversions that are Jesse so unfortunately just yes so these these are from the Jesse version I'm using an unreleased version for pathfinding a little bit later because I am apparently a hypocrite and can't release early and release often so so that's that's nice healthy connections and then the upper right is people who are in either solo or pairs and you can see that the pairs on the right side are bidirectionally certified and on the left they're just one way so you can also find paths in this key ring and it uses a dykstra path finding algorithm to determine the shortest paths and so the there were four paths that were seven hops and they all start with key 118 which in this case is one of each one's keys and you can see the path from him to the four people on the right so and for some reason a lot tech lets me do unicode characters for for some things and not for others so this has been sanitized a little question so could you use this to figure out which the most advantageous mutual key signings yes sorry dad asked that if you could use this to see what the most advantageous key signings would be and I think so and I've actually been specifically specifically targeting people here if they are at maximum hops for me you can also use it to find your path to someone else for the the usual reasons I guess so you can also use the same output to see the the nexus is of pads and so this is as of this morning which all of these numbers have gone up since the beginning of the conference and actually T marble and tumbleweed at switched places just this morning so it's a race what are those numbers mean yet so the number on the left is the it's an ID number it's the same as in the previous slides it's just a arbitrary ID after whatever ordering was done to make the graph and it it's static within this hearing and then the right side is how many of the paths from everybody or from each person to each other person contained that key as a middle hop so so that there are 592 paths from eat someone to someone else that go through all tag shortest pads or just pads in general shortest paths how does it deal with equally equal length pads does count twice it is repeat Daniel asked how it deals with two equally long paths and I believe it should give you both but I am not sure so these should look a little more familiar if you read Devin project so there were a hundred twenty three K's in the KSP key ring one of them's DSA two of them are 8k one of them 16k two of them have what rise up considers a weak cash with a higher preference on the hash preferences sub packet and there's there's still controversy about expiration times but according to the guidelines this is how they stack up and this is about user IDs and user attributes and someone is using rife MD 160 for self sigs and most people are not and this is more than there are keys is that because it's per self-sig on each this is as well as usually yes this is each each valid certification for each UID or UIT so if you have not not for some use yes not for some use so there's that and so with the with the tools you can also do what if scenarios so the top is the strong connectivity of the KSP key ring on August 21st and so there's 87 people in a strong set and two pairs which I think are probably just one person each with two keys that are cross-signed but might not be and if you filter out all ripe MD 160 and sha one signatures that strong set drops down to 69 keys so you can see how the web of trust might be strengthened or weakened by various operations and so over the conference I think each of those top numbers has gone up by about eight and the one of one of the two clusters has disappeared entirely so we're we're gaining strong connectivity throughout the the conference so all right so there's there's someone working on using the H open PGP and open PGP ask your armor libraries in the hackage server and cabal I don't know how that'll turn out but there's there's a branch you can look at it if you're interested I would like to see more yes Eric oh so hackage is a software distribution system for Haskell it's like c-pan or the cheese shop or whatever Ruby has and then cabal is the tool equivalent to pip or gem or c-pan or what have you to fetch and build and install so I'd like to to see further work trying to reduce duplicated effort with the open PGP library Daniel has asked for some sort of key cannot localizer so keys can be dipped more easily the API needs improvements we have the potential for other language bindings because Haskell has a bidirectional foreign function interface so we can come up with a C API for the Haskell library and then any other language with a C API FFI can theoretically bind to H open PGP through that the hard part I believe will be coming up with APIs that make sense so if anybody has any ideas about that that'd be great people want to make GUIs I'd be happy about that key ring operations are a pain so if somebody can come up with a better way to store keys on disk so that they're easily no okay yes so we were playing around with the PGPG 2.1 this week and it's got a new disk format called keybox which I'm guessing this is your tool doesn't support yet yeah that's right I looked at keybox a little and I forget well I forget the details but it seemed like it wouldn't help but maybe I misunderstood it the well so so yeah yeah yeah so the difficulty is the performance problem I'm alluding to is with indexing a whole bunch of keys and then retrieving them from wherever they're indexed so another idea Daniel had was validating key server that would only accept valid keys and signatures through cryptographic verification just just accept SKS which will then screw it up right right so yes there there are problems if you want to gossip with the SKS protocol but for background none of the public key servers do any cryptographic verification of keys at all no they don't I actually run one of the SKS key servers on the network yep and none of them do cryptographic verification so the idea here is that maybe we could think about setting up key servers that did that and then they would not actually probably gossip with SKS because they wouldn't have they wouldn't be able to accept some of the things that are on the SKS key servers right so so I do very limited hash verification in my key server not before validating the signature but making sure that the there's a two bytes which basically say the hash function that then you can use to say yes this hash is actually valid and throw away a signature that is obviously not the right one and particularly that's useful for the subkey damage that PKS used to do so it's why I've got there but my main issue with doing validating key servers is how do you then form a key server network where the keys are different on different key servers and that's already causing me problems as someone running a known SKS key server if you talk loudly the room like should pick up and notice you didn't talk about implementing a GPG compatible interface on the previous slide are you interested in doing that is that something that might happen I say this particularly because you for hypothetically it would be good if something like the GPG extensions for Thunderbird would use open PGP instead so my focus thus far has been to try to do things that GPG can't do or doesn't do well I have no objection to people trying to write a GPG clone but for now it's it's more interesting for me to have a tool that can do something I can't do Joey yeah have you looked into how well you handle encryption and decryption right to some extent yeah I mean have you looked at are there incompatibilities I don't know how good a standard open PGP is standards go so so far so the there's a there's a test suite which needs needs more tests but much of the data in the test suite has been produced by canoe PG and then there's stuff pulled off the key servers so I'm there's there's a lot of sanity checking against the real-world data I forgot the original questions I was wondering you're clearly using it a lot for key management analysis but what about actually using it to encrypt and involve yeah other other than test cases I haven't really done that so there was a little while I was working on secret key decryption because I wanted to use a stronger cipher for my secret key and I thought I couldn't redo a cipher with GPG but then it turned out I could so so the decryption support is there but not the re-encryption and for mostly for fear reasons I haven't really been doing anything that's not read only so if you if you want to modify files you have to redirect to to another file and do it yourself so yeah if anyone would like to help contribute there's some ideas and I guess we can we can continue with questions now or if anyone wants me to demo something maybe I could try that Micah yes sir can you show how you generated that set of keys that would make it would be ideal to track down inside here yep if I can figure out X-Rander No. No. All right. Yeah. All right. That's the stop. OK. So you wanted the paths. The paths that you were using to track down the people to sign. OK. So that's the command I used. And so find paths, keyring. So there's three key selection things we're doing. The first is what subset of the keyring to use for pathfinding. And then the next one is which keys to use as a starting point and then which keys to use as an ending point. So if we do any, any, any, we're using the entire keyring and finding paths from every person to every other person. But if you were just interested in your own key to somewhere else, you could, to slow that down. And this takes like a couple minutes. So I'm not going to do it again. Can you do it from your key as a starting point? Yeah. So are these slower still foot? Yeah. It's going to be quicker for me to just use right now. So which one of those any do you put go the second one? But there's a problem with the syntax right now that won't let you do that. Does the any, any, any work with what's out there and Jesse now? No, this is, you can see the first word is I'm using a but if you all nag me, I will upload. Please do it. Not right now. You're live. Can you use the PGP to sign your changes file and just upload it right now? No. So, um, actually, so, okay, so I should show you the output first. So this makes sense. Okay. So and the left. Um, gee. Wow. That's engineering. Okay. So, uh, so each line is a tuple of so the, the first number before the comma is the length of the path. This is just so I could sort. And then after the comma is a list of the shortest path, um, the shortest path as, as determined. So, um, so the first line is one to one, which is zero hops because it's self signed. And then the second one is from one to two, which is achieved by traversing key number five. And then so on and so forth. And then at the bottom of the file, there's a mapping of the key number to the fingerprint. So you have some idea who those people might be. Um, and obviously this could be made a lot more user friendly if you wanted. Um, so if you grip. So I'm number six. Um, so if you grep for any path that starts with six or ends with six, uh, you're going to get. Thank you. So, uh, so now I have all the paths from me or to me, uh, ordered by hops. So, uh, at the bottom, uh, you can see that, uh, Gua Yixuan and I are, uh, furthest from each other. Um, and then some other people are, are slightly closer. And so if you, if you want to find who's farthest from you, that's how you do it. But currently there's no way for me to do it or everybody leaves because this is not yet committed. Um, it's committed. You can build it yourself. You can, you, the current version will give you those numbers. Uh, it won't give you the length and it won't give you the finger print. So, um, yes and no. If you can figure out who those people are, you can do it. Or actually the, the changes in the get repose. So you can, you can build it yourself instead of waiting for me to upload the package. Anything else? The, the, the source code is, is in git and the packaging is in darks. That's, that's true. This is a bit... Just to keep us on our toes. Sadly, Yohim, uh, went home. Uh, or you could troll him about that right now. But yeah, everything we package in the, uh, Debian Haskell Group is, that has the Debian directory in darks. Almost everything. Eric. Are there PHP bindings? Uh, not yet, but I'm aware of, uh... Anyway, else? Thanks for working on this, man. Yeah, thank you. Yeah! Okay, well then, thank you.