email security pgp / pretty good privacy · 2018. 11. 29. · pgp vs gpg vs openpgp ... –...
TRANSCRIPT
1
Crypto application:
PGP (Pretty Good Privacy)
PGP vs GPG vs OpenPGP
• Pretty Good Privacy (PGP) written by Phil Zimmerman and released in 1991
• OpenPGP is an IETF standard with which both pieces of software are compliant
• Gnu Privacy Guard (GPG) similar software released in 1999 under the GPL open source license.– Based on the OpenPGP standards
2
Security issues for E-mail• Confidentiality
– Sys Admin, Email provider can read– Could be captured and read by anyone on your LAN
• Integrity– contents could be changed by anyone on the network.
• Authenticity– Easy to insert any e-mail header: “From”– Difficult to know if it was sent by the “Sender”
Targeted Attack - Recap
• Targeting a specific organization/group or person
• Email with malicious attachments– Executable– Word document
Targeted AttackTo: your e-mail address
From: Fakrul Alam [email protected]
Subject: my request
Hello,
I have been looking for someone who can answer questions in the attached file. I hope you can help me.
Thanks !
Example of Spoof Mail
Cryptography - PGP
• PGP is based on asymmetric (public-key) encryption
Asymmetric Encryption Recap
• Solves the problem of securely sharing (generating) secret keys and key explosion
• Public and private key mathematically related to each other– Cannot derive one from the other
• Encrypt with one and decrypt with the other– Encrypt with private, only public can decrypt– Encrypt with public, only private can decrypt
Signing & Encrypting
• Data can be signed with private key to be verified by anyone who has the public key– Remember digital signature?– Does not always have to be hash and encrypt!
• Since public keys are also data, they can be signed too!– Digital Certificates?
How PGP Works
Encrypt with receiver’s public key
Sign with sender’s
private key 🔐🔐Document Signed & Encrypted
document
🔐🔐🔐🔐
Decrypt with local private key
Verify (decrypt) with sender’s
public key
Document Signed & Encrypted document
SENDER
RECEIVER
Trust
• Chain of Trust (centralized/hierarchical)– Certain globally trusted bodies sign the public keys for
everyone
• Web of Trust (decentralized)– You pick whom you trust, and decide if you trust who they
trust
• Helps verify/associate a public key to an individual
• Which one is better?
Sample Web of Trust
Alice
Bob
Eve
Tashi
Carlos
• You can share your “trust-information” by publishing someone’s public key with your PGP sign – signed with your private key
PGP by GnuPG
• Create your keys– Public and Private keys
• Identify a key by– Key ID (like 0x23AD8EF6)
• Verify someone’s public key by– Key fingerprint
• Find public keys on public key servers– Like http://pgp.mit.edu
Key Management
• Use graphical tools– GPG Keychain for OS X– Kleopatra/GPA for Windows
• Use the command linegpg --list-keys
Key Management
• On printed media– Business cards
• Digital– Email– Sneakernet
• Online– OpenPGP key servers (pgp.mit.edu)
• But does not say anything about whether you trust a key
Key Management
• Make sure you specify the expiry (validity period)– Ensures that in case your private key is compromised, the
key-pair can only be used until it expires
• The expiry period can be changed anytime after creating the key
• However, before a key-pair expires, it is important you create a new key pair, sign it with the old one, and publish the signed new key to everyone in your web of trust– So that they can sign your new key
Key Management - Revocation
• Used to mark a key as invalid– Either before an expiry, or– If the private key has been compromised
• Always generate a revocation certificate as soon as you create your key– Don’t keep you revocation cert together with your private
key– gpg --gen-revoke IDENTITY
Key Management - Partying
• Key signing parties– To build your web of trust
• Each participant carries some form of ID, and a copy of their key fingerprint
– and maybe some 🍻🍻
• Each participant decides whether to sign someone’s keys– Based on their personal policies
How PGP Works
• To check your GPG version
How PGP Works
• Use “gpg --help” or “man gpg”
Generate Public-Private key pair
• Create the GPG public-private key pair
• We will opt for the default algorithm: RSA and RSA
Generate Public-Private key pair
• We will opt for 2048 bits
It is important to select key expiry period• You do not want a key that never expires• Many organizations operate with a 1 year key validity• Need to inform others when you change your keys
Generate Public-Private key pair
• Type your name and email address– Along with the comment will be used as USER-ID
Anyone can generate keys with your email!How can you identify your key uniquely?• Fingerprint!
Generate Public-Private key pair
Generate Public-Private key pair
• GPG will create the key pair
Read the messages carefully and take note of the contents:• Key ID• Key Fingerprint• Expiry• User ID
Generate Public-Private key pair
• List your keys:
Sign data & verify
• Create a file for signing
• Sign the data (type the passphrase)
Sign data & verify
• Have a look inside the signed file
Sign data & verify it
• ”Good signature from” indicates that the file was signed by the private key correctly
• The “WARNING” message is because we signed it as a cleartext signature – cleartext signature is readable without any special tool– If signed as a detached signature (--detach-sign), it would
create a separate file just for the signature
Export key (public)
• You can export a key to a file– for backup or further submission to public key servers
• The -a option generates the output in ASCII format
Export key (public) – key server• You can either use the CLI:
– Need to specify the key ID
– You can also specify a key server
• Or submit the keys (ASCII) directly on a key server
Find keys – key server
Import keys (public)
• You can import keys in a file
• Or import from public key servers
• Find the imported key
Verify the fingerprint
• Make sure to verify the fingerprint of every imported key
Signing keys• You can sign someone’s public key (trust)
• Make sure you verify their key fingerprint and any form of identification
Verify signatures
• The [email protected] has been signed by [email protected]
Publishing signed keys• You can now push the signed key to public key
server– Publishing your web of trust
• Verify on the key server
Encrypt Message• You must have the public keys of the intended
recipient– Create a file to encrypt
– Sign (with your private key) and Encrypt (with recipient’s public key) the file
Decrypt Message
• Try to read the encrypted message
Decrypt Message
• Decrypt the file
– The file was:• Signed with [email protected]’s private key• encrypted with [email protected]’s public key
References:
• https://www.gnupg.org/gph/en/manual/book1.html
Lab Exercise
42
Lab Exercise - 1
• Download and install PGP software– Windows: gpg4Win (https://www.gpg4win.org)– OS X: GPG Suite (https://www.gpgtools.org)
Lab Exercise - 2
• Generate and publish key pair– Windows: Follow the lab manual pgp-lab.pdf– OS X/Linux: Follow the slide
Lab Exercise - 3
• Setup mail client:– Thunderbird with Enigmail (follow the slides)
• Send Signed/Encrypted email (follow the slides)
Thunderbird with Enigmail• Download and install Thunderbird
– Add Enigmail (Tools > Add-ons)– Restart Thunderbird
Thunderbird with Enigmail
• Setup Enigmail
Thunderbird with Enigmail
• Setup Enigmail– Select the key-pair you generated earlier
Thunderbird with Enigmail
• Setup Enigmail
Thunderbird with Enigmail
• Send signed email
Thunderbird with Enigmail
• Send signed and encrypted email– You will need the public key of the recipient