Among the services provided by INCIBE-CERT, the incident management service is one of the most active. To that end, one of this issues that’s been taken into account, from the beginning, is the security of the communication that’s established with whoever reports a security incident.
The information systems of INCIBE have adequate security measures and in accordance with the National Security Framework.
The possible security measures include:
- Using SPF y DKIM to validate the authenticity of our emails;
- Receiving email by protecting SMTP communication with TLS (STARTTLS);
- Publishing a MTA-STS policy, so that the previous protection cannot be trivially deleted by an active attacker;
- Possibility of communicating with INCIBE-CERT through an HTTPS form para las personas que no deseen utilizar el correo electrónico.
Furthermore, INCIBE-CERT protects its communications by means of OpenPGP, so it is possible to encrypt a message for INCIBE-CERT with the corresponding public key. The responses sent from INCIBE-CERT also include a digital signature with the corresponding PGP key, allowing for the validation of the authenticity of the response.
The PGP keys INCIBE-CERT has been using the past two years, known as “2018-2020 keys”, expire in the coming days. For this reason, we’ve created new keys with which we’ll be able to continue securely communicating with our public in the coming years.
Below, the new keys to be used from now on are outlined:
The email address es is the one for reporting the majority of incidents under the scope of action of INCIBE-CERT.
pub ed25519 2020-06-15 [C] [caduca: 2022-06-15] 0082 BF42 B2BB 9D89 3E7E ED67 2DDD 99A6 252E 6573 uid [ absoluta ] INCIBE-CERT incidents (2020-2022) <> sub ed25519 2020-06-15 [S] [caduca: 2022-06-15] sub cv25519 2020-06-15 [E] [caduca: 2022-06-15]
The email address is the one for reporting incidents from institutions affiliated with the Spanish academic and research network (RedIRIS).
pub rsa4096 2012-05-16 [SC] [caduca: 2021-04-17] D2DE 1DBE F689 ED1E 0312 34D9 8984 EB58 2006 B232 uid [ absoluta ] <> sub rsa4096 2019-07-01 [S] [caduca: 2021-06-30]
The email address des should be used exclusively for reporting incidents relating to strategic, essential services and critical infrastructure operators, designated pursuant to Law 8/2011 and Royal Decree-Law 12/2018. Unless you have received a communication expressly instructing you to use this contact point, this is not the appropriate way to communicate with INCIBE-CERT.
pub ed25519 2020-06-15 [C] [caduca: 2022-06-15] F8F6 A1D7 D2E1 7E34 1C0A F65D 81CA 08D6 0950 4943 uid [ absoluta ] INCIBE-CERT - PIC (2020-2022) <> sub ed25519 2020-06-15 [S] [caduca: 2022-06-15] sub cv25519 2020-06-15 [E] [caduca: 2022-06-15]
The email address may be used for general communications with the CERT. It should not be used for incident reporting, and unlike others is not monitored 24/7. Instead, use .
pub ed25519 2020-06-15 [C] [caduca: 2022-06-15] 628F A05D 5BFF 5E0C E5EF 75DA 64A2 99BC 6365 7274 uid [ absoluta ] INCIBE-CERT Team (2020-2022) <> sub ed25519 2020-06-15 [S] [caduca: 2022-06-15] sub cv25519 2020-06-15 [E] [caduca: 2022-06-15]
Obtaining the keys
You can download the above keys, individually, from the links provided or the OpenPGP keyserver.
You can check that you have the correct key by running the command:
gpg --fingerprint --list-keys <email>
And checking that it matches the output indicated in the above description for the appropriate key.
The different keys sign and are signed by .
Likewise, in case of having already validated the previous keys, these sign in the same way the successor.
If you are part of the PGP Strong set, you may also be able to validate them through the Web of Trust.
Elliptic curve cryptography
We have also taken advantage renewing keys in order to move to elliptic curve cryptography. This involves using more modern cryptographic primitives (specifically Curve25519/Edwards25519, with additional information in RFC 7748 and in Recommendations for Discrete Logarithm-Based Cryptography: Elliptic Curve Domain Parameters) as opposed to the traditional use of ARS, DSA or Elgamal. It also has the property of generating much smaller signatures, which is an advantage for those cases where the recipient does not have an email client capable of properly managing OpenPGP signatures. We strongly recommend integrating PGP encryption management into the email client, which prevents errors and greatly simplifies communication under this standard. More information in the Guide for Secure email encryption with PGP.
However, the use of more modern algorithms means that older clients may have difficulty operating with elliptic curve keys.
Customers without support for elliptic cryptography will be able to decrypt messages sent by INCIBE-CERT, but would be unable to encrypt INCIBE-CERT or validate their signature. In this case it is possible to receive a message like:
encryption failed: clave pública inutilizable
In particular, note that GnuPG 1.x is not compatible with this algorithm, since the GnuPG 1.4x branch is obsolete. It is maintained only for compatibility with outdated PGP-2 keys, and GnuPG 1 is not considered. Normally, systems where the gpg command corresponds to GnuPG 1.x have a gpg2 command with a later version.
It is widely supported by current programs, and these algorithms have been incorporated for years for inclusion in the next version of rfc 4880.
Some compatible tools or email clients:
- Claws Mail (multiplatform email client);
- Emacs (moduleEasy PG);
- encrypt.to (web submission);
- End-to-end (≥ April 2016);
- Enigmail (extension for Thunderbird / Postbox email clients);
- GnuPG ≥ 2.1.0 with libgcrypt ≥ 1.7.0 (April 2016);
- GnuPG for OS X;
- gpg4o ≥ 5.0;
- Gpg4win ≥ 3.0.0 (September 2017);
- includes Kleopatra and the extension for Outlook GpgOL.
- GPG Suite ≥ 2017.1 (September 2017);
- contains GPG Mail (extension for Apple Mail).
- K-9 Mail;
- Mutt / NeoMutt;
- OpenKeychain ≥ 4.9 (February 2018);
- R2Mail2 ≥ 2.06;
More detailed information on the use of PGP is available in the Guide for secure email encryption with PGP.