Home / Blog / We are renewing our PGP keys

We are renewing our PGP keys

Posted on 06/18/2020, by INCIBE
We are renewing our PGP keys

Introduction

Among the services provided by INCIBE-CERT, the incident management service is one of the most active. To that end, one of this issues that’s been taken into account, from the beginning, is the security of the communication that’s established with whoever reports a security incident.

The information systems of INCIBE have adequate security measures and in accordance with the National Security Framework.

The possible security measures include:

  • Using SPF y DKIM to validate the authenticity of our emails;
  • Receiving email by protecting SMTP communication with TLS (STARTTLS);
  • Publishing a MTA-STS policy, so that the previous protection cannot be trivially deleted by an active attacker;
  • Possibility of communicating with INCIBE-CERT through an HTTPS form para las personas que no deseen utilizar el correo electrónico.

Furthermore, INCIBE-CERT protects its communications by means of OpenPGP, so it is possible to encrypt a message for INCIBE-CERT with the corresponding public key. The responses sent from INCIBE-CERT also include a digital signature with the corresponding PGP key, allowing for the validation of the authenticity of the response.

New keys

The PGP keys INCIBE-CERT has been using the past two years, known as “2018-2020 keys”, expire in the coming days. For this reason, we’ve created new keys with which we’ll be able to continue securely communicating with our public in the coming years.

Below, the new keys to be used from now on are outlined:

General incidents (companies and the individuals)

The email address Buzón de INCIBE-CERT. es is the one for reporting the majority of incidents under the scope of action of INCIBE-CERT.

pub   ed25519 2020-06-15 [C] [caduca: 2022-06-15]
      0082 BF42 B2BB 9D89 3E7E  ED67 2DDD 99A6 252E 6573
uid        [  absoluta ] INCIBE-CERT incidents (2020-2022) <Buzón de INCIBE-CERT.>
sub   ed25519 2020-06-15 [S] [caduca: 2022-06-15]
sub   cv25519 2020-06-15 [E] [caduca: 2022-06-15]

Download incidencias.pub or incidencias.asc.

Academic network and research incidents

The email address Buzón is the one for reporting incidents from institutions affiliated with the Spanish academic and research network (RedIRIS).

pub   rsa4096 2012-05-16 [SC] [caduca: 2021-04-17]
      D2DE 1DBE F689 ED1E 0312  34D9 8984 EB58 2006 B232
uid        [  absoluta ] Buzón <Buzón>
sub   rsa4096 2019-07-01 [S] [caduca: 2021-06-30]

Download iris.pub or iris.asc.

Critical Infrastructure Incidents

The email address Buzón PIC de INCIBE-CERT des should be used exclusively for reporting incidents relating to strategic, essential services and critical infrastructure operators, designated pursuant to Law 8/2011 and Royal Decree-Law 12/2018. Unless you have received a communication expressly instructing you to use this contact point, this is not the appropriate way to communicate with INCIBE-CERT.

pub   ed25519 2020-06-15 [C] [caduca: 2022-06-15]
      F8F6 A1D7 D2E1 7E34 1C0A  F65D 81CA 08D6 0950 4943
uid        [  absoluta ] INCIBE-CERT - PIC (2020-2022) <Buzón PIC de INCIBE-CERT>
sub   ed25519 2020-06-15 [S] [caduca: 2022-06-15]
sub   cv25519 2020-06-15 [E] [caduca: 2022-06-15]

Download pic.pub or pic.asc.

CERT Contact

The email address Buzón de contacto INCIBE-CERT. may be used for general communications with the CERT. It should not be used for incident reporting, and unlike others is not monitored 24/7. Instead, use Buzón de INCIBE-CERT..

pub   ed25519 2020-06-15 [C] [caduca: 2022-06-15]
      628F A05D 5BFF 5E0C E5EF  75DA 64A2 99BC 6365 7274
uid        [  absoluta ] INCIBE-CERT Team (2020-2022) <Buzón de contacto INCIBE-CERT.>
sub   ed25519 2020-06-15 [S] [caduca: 2022-06-15]
sub   cv25519 2020-06-15 [E] [caduca: 2022-06-15]

Download cert.pub or cert.asc.

Obtaining the keys

You can download the above keys, individually, from the links provided, the OpenPGP keyserver or through Web Key Discovery.

gpg --search-keys Buzón de INCIBE-CERT.

You may also download all the keys (bundle.pub or bundle.asc).

Key verification

You can check that you have the correct key by running the command:

gpg --fingerprint  --list-keys <email>

And checking that it matches the output indicated in the above description for the appropriate key.

The different keys sign and are signed by Buzón de contacto INCIBE-CERT..

Likewise, in case of having already validated the previous keys, these sign in the same way the successor.

If you are part of the PGP Strong set, you may also be able to validate them through the Web of Trust.

Elliptic curve cryptography

We have also taken advantage renewing keys in order to move to elliptic curve cryptography. This involves using more modern cryptographic primitives (specifically Curve25519/Edwards25519, with additional information in RFC 7748 and in Recommendations for Discrete Logarithm-Based Cryptography: Elliptic Curve Domain Parameters) as opposed to the traditional use of ARS, DSA or Elgamal. It also has the property of generating much smaller signatures, which is an advantage for those cases where the recipient does not have an email client capable of properly managing OpenPGP signatures. We strongly recommend integrating PGP encryption management into the email client, which prevents errors and greatly simplifies communication under this standard. More information in the Guide for Secure email encryption with PGP.

However, the use of more modern algorithms means that older clients may have difficulty operating with elliptic curve keys.

Customers without support for elliptic cryptography will be able to decrypt messages sent by INCIBE-CERT, but would be unable to encrypt INCIBE-CERT or validate their signature. In this case it is possible to receive a message like:

encryption failed: clave pública inutilizable

In particular, note that GnuPG 1.x is not compatible with this algorithm, since the GnuPG 1.4x branch is obsolete. It is maintained only for compatibility with outdated PGP-2 keys, and GnuPG 1 is not considered. Normally, systems where the gpg command corresponds to GnuPG 1.x have a gpg2 command with a later version.

GnuPG versions from 2.1.0, with libgcrypt 1.7.0 or higher, are able to work correctly with these keys.

It is widely supported by current programs, and these algorithms have been incorporated for years for inclusion in the next version of rfc 4880.

Tools

Some compatible tools or email clients:

More detailed information on the use of PGP is available in the Guide for secure email encryption with PGP.