Authenticate Me

Total pages: 16

File type: PDF, size: 1020 KB

Authenticate Me
The importance of passwords

Nima Khademi

Thesis submitted for the degree of Master in Information Security, 60 credits
Department of Informatics, Faculty of Mathematics and Natural Sciences
University of Oslo, Spring 2021

© 2021 Nima Khademi
http://www.duo.uio.no/
Printed: Reprosentralen, University of Oslo

Abstract

Authentication is the process of verifying that an individual, entity, or website is who it claims to be. Authentication in the context of web applications is commonly performed by submitting a username or ID and one or more items of private information that only a given user should know. Passwords have become the universal remote control of our digital authentication, yet they are taken lightly by users. In this essay, I want to examine how password policies correlate to different attacks, and to understand how different password policies can have different impacts on security when their requirements are too strict or too loose.

Contents

1 Introduction
1.1 Brief History
1.2 Motivation
1.3 Problem Statement
1.4 Structure of Thesis
1.5 Research Method
2 Background
2.1 Authentication Cycle
2.1.1 Web Application
2.1.2 Linux (Unix)
2.1.3 Microsoft Windows
2.2 Storing Passwords
2.2.1 Plaintext
2.2.2 Encrypted Passwords
2.2.3 Hashed Passwords
2.2.4 Multiple Iteration Hashes
2.2.5 Salted Hashes
2.2.6 Dynamically allocated salt
2.3 Password cracking methods
2.3.1 Brute Force
2.3.2 Dictionary Attack
2.3.3 Hybrid Attack
2.3.4 Lookup Tables
2.3.5 Rainbow Tables
2.4 Obtaining Passwords
2.4.1 Shoulder Surfing
2.4.2 Keylogger
2.4.3 Phishing Attack
2.4.4 MITM (Man In The Middle)
2.5 Common Safety Measures
2.5.1 Creating Passwords
2.5.2 Password Manager
2.5.3 Enable Multifactor Authentication
2.5.4 Protect Your Email
2.6 Personal identification number (PIN)
2.6.1 Patterns
3 Password Policy
3.1 Policy Criteria
3.1.1 Password length
3.1.2 Special characters
3.1.3 Numerical characters
3.1.4 Reusing passwords
3.1.5 Time
3.1.6 Uppercase/Lowercase
3.1.7 Positional
3.1.8 Login attempts
3.1.9 Slowdowns
3.1.10 Strength barometer
3.1.11 Dictionary
3.2 Policy examples
3.3 Threats
3.3.1 Brute force attack
3.3.2 Offline attacks
3.3.3 Known passwords
3.4 Security vs Usability
4 Password alternatives
4.1 Something the individual possesses
4.1.1 Yubikey
4.1.2 Cautions
4.1.3 Beyond identity
4.1.3.1 Making SSO more secure
4.1.4 General pros and cons
4.2 Something the individual is
4.2.1 Taking biometrics to the next level with Windows Hello
4.2.2 General pros and cons
4.3 Something the individual does
4.3.1 Keystrokes
4.3.2 Draw a secret
5 Data analysis
5.1 Findings
5.2 Q&A
5.2.1 What are the characteristics of the passwords that are cracked first?
5.2.2 What are your thoughts about the basic16 policy?
5.2.3 Do you think basic16 presents the most difficult challenge in cracking passwords?
5.2.4 To what extent do the criteria in a policy matter for your approach with regard to cracking passwords? And how do you alter your approach based on the criteria? More specifically, does the basic16 policy compared to the comprehensive8 policy change the way you start cracking passwords?
5.2.5 How do you calculate password entropy, is the Shannon calculation recommended? And how does this change your approach to cracking passwords?
5.2.6 Do you see the "forgot password" function often used in exploitation?
5.2.7 What alternatives do you see as the future of authentication?
5.3 Experiment
5.3.1 Results
5.4 Discussion
6 Conclusion
7 Future work
8 Terminology and Glossary
8.1 Password Strength
8.2 Password characters
8.3 Entropy
8.4 Character classes

List of Figures

2.1 Web authentication process
2.2 Entry from passwd file
2.3 Entry from shadow file
2.4 Linux authentication process
2.5 Windows authentication process
2.6 Symmetric key encryption
2.7 Asymmetric key encryption
2.8 Hash authentication process
2.9 One way hash
2.10 Different value hashes
2.11 Multiple iteration hashing
2.12 Salted hashing
2.13 Man In The Middle Attack
3.1 User experience
3.2 User experience
3.3 Character positions
4.1 Biometric modalities
4.2 Example of different Yubikeys
4.3 Kerberos workflow overview
4.4 Hierarchical chain of trust
4.5 Mesh chain of trust
4.6 Beyond identity flow
4.7 4 step plan for Windows Hello
5.1 Result of password analysis basic12 vs basic16
5.2 Result of password analysis basic12 starting with uppercase character and ending with a digit
5.3 Result of password analysis basic12 starting with uppercase character or containing an uppercase character
5.4 Result of password analysis basic12 ending with a digit or containing a digit
5.5 Result of password analysis basic12 containing a special character
8.1 How to Calculate Password Entropy

List of Tables

2.1 Hybrid dictionary
2.2 Factors
3.1 Attack resistance
3.2 Policy A
3.3 Policy B
3.4 Policy used at UiO

Chapter 1 Introduction

Computer security is often associated with three main areas: confidentiality, which is about ensuring resources are not read by others (read access); integrity, which is about ensuring resources are not edited or changed by others (write access); and availability, which is about ensuring the resources are accessible. This is often abbreviated to the CIA model.

In the authentication process, the most common way is still to provide a username and password. This can be seen as a two-step process:
• Identification - who you are (username)
• Authentication - proving you are who you claim to be (password)

Proving user identity is usually done by using one or more of the following four means: something the individual knows (e.g. password, PIN, answers to pre-arranged questions), something the individual possesses (token, e.g. smart-card, electronic key-card, physical key), something the individual is (static biometrics, e.g. fingerprint, retina, face), and something the individual does (dynamic biometrics, e.g. voice pattern, handwriting, typing rhythm). Of these four means, passwords are the most used. Passwords are therefore an important personal security entity that needs to be chosen with some prerequisites in mind. There are many attempts to set password policies to help users pick a more secure password: policies that set rules for how many characters a password can have, minimum requirements for characters, both special and regular, to be included, and so on. Yet password cracking is still a major problem. In these big data times, we have a vast amount of different data that can help us understand the different ways passwords are being used by regular users, and how users react to policies that differ in the level of security that is taken into consideration. The key for system administrators is to find a.
Recommended publications
  • Biometric Authentication, May Be the Key…
    How FIDO technology and StarSign® security can make the difference for your business. The building blocks for any enterprise security solution: as our physical and digital lives become more and more interconnected, so do the technologies that protect and secure us. With so many parts of our lives requiring secure access, enterprises are racing to find a solution that provides unbeatable security for people, places, and both physical and digital assets, and that also ensures convenience and the fostering of secure habits among their workforces. FIDO's passwordless authentication technology alongside biometric authentication may be the key…
    FIDO standards: FIDO is an identity authentication and security protocol designed to reduce the world's reliance on passwords, without compromising security.
    Biometric: the use of biological data about an individual to authenticate identity; typically uses fingerprint scanners or retinal readers.
    Secure protocol. Convenient authentication. Trusted access.
    Powering authentication: We help organizations to secure identities, protect data, and successfully master the IT challenges of all channels, from cloud services and mobile applications to IoT. Using FIDO and biometric authentication as a starting point, enterprises can create sophisticated, secure access and control solutions to support secure physical access, secure transactions, secure communications, secure mobile authentication, secure signatures and secure payments, at work, in life and at home. Besides FIDO, our solutions enable secure seamless access in many different real-world scenarios, at home, at work and on the move: garage access (individually provide physical access to a secure parking area); building access (room by room, or person). A Widmeyer survey found that businesses lost over $420 ($0.22 per hour) per employee per year in productivity thanks to struggles with passwords.
  • A Tale of Two Studies: The Best and Worst of YubiKey Usability
    Joshua Reynolds, Trevor Smith, Ken Reese, Luke Dickinson, Scott Ruoti, Kent Seamons (University of Illinois at Urbana-Champaign, Brigham Young University, MIT Lincoln Laboratory)
    Abstract—Two-factor authentication (2FA) significantly improves the security of password-based authentication. Recently, there has been increased interest in Universal 2nd Factor (U2F) security keys—small hardware devices that require users to press a button on the security key to authenticate. To examine the usability of security keys in non-enterprise usage, we conducted two user studies of the YubiKey, a popular line of U2F security keys. The first study tasked 31 participants with configuring a Windows, Google, and Facebook account to authenticate using a YubiKey. This study revealed problems with setup instructions and workflow including users locking themselves out of their operating system or thinking they had
    … device that authenticates the user after the user presses a button on the security key [8]. The button tap is a test of user presence and prevents malware on the host device from using the security key surreptitiously. Most commonly, security keys are designed to be plugged into a USB port, though they can also communicate with other devices using wireless protocols (e.g., NFC, Bluetooth). U2F security keys are designed to be easy-to-adopt and use in day-to-day life, while protecting users against phishing and man-in-the-middle attacks [8].
  • HACK Enpass Password Manager
    Mar 23, 2021 — So, is this password manager right for you or your business? In our Enpass review, we'll take a closer look at everything this software has to offer. … TOTP is an algorithm that computes a one-time password from a shared secret … codes to protect your online accounts from hackers (bad guys) … code in my password manager, especially for password managers that can … Segregate data using multiple vaults: Enpass facilitates you with an option to … Jan 9, 2019 — Password manager company OneLogin was actually hacked, and the … Enpass: Here's something unusual, a password manager that goes … Use Enpass audit tools to identify weak, identical, and old passwords. Your password manager is your digital security best friend. You are using a password … The Synology DiskStation Manager (DSM) is the Operating System (OS) that runs on your Synology unit … a prerequisite while using Enpass; it is not really necessary for me to sync with CloudStation … For iOS 13/12 users: Open the Settings app > Passwords & Accounts > Add Account > Other … Mikrotik hack github … We will send a One-time password (OTP) to your registered email address and … set of Enpass users by letting them store their time based one time passwords of … Hackers use credit card skimmers to obtain the magnetic stripe information of a … Open Google Chrome and click the GateKeeper Password Manager Chrome … Jun 16, 2021 — Using an online password manager? Are they safe from hackers? Use Enpass to securely organize everything in one place.
  • The WebAuthn Standard: Why It Should Matter to the Public Sector and How It Works
    WebAuthn White Paper Series: May 2020. The WebAuthn Standard: Why It Should Matter to the Public Sector and How It Works.
    Executive Summary: This paper is the second in a series of WebAuthn whitepapers published by Yubico. For an introduction to WebAuthn and why it is both more secure and easier to use, see the first paper, Introducing WebAuthn: Enabling a Streamlined and More Secure User Authentication Experience. Most websites, services, and applications have difficulty providing secure, convenient authentication for users. Passwords are the problem. They tend to be either so simple they are easily guessed by hackers or so complex they are hard for users to remember. And all passwords, regardless of their complexity, are vulnerable to phishing and data breaches. Fortunately, WebAuthn, a new web authentication standard approved in March 2019 by the World Wide Web Consortium (W3C), makes it easy for websites, services, and applications to offer strong authentication without relying on passwords. By replacing passwords with strong authentication based on public key cryptography, in which the private key never leaves the user's device, WebAuthn makes authentication both easier to use and more secure, benefitting users and service providers alike. The WebAuthn standard is already supported by all major browsers and most platforms, including: Windows 10, Android, Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari and Apple iOS. WebAuthn supports various models for account authentication, leveraging both external roaming authenticators, such as hardware security keys, and authenticators built into computing and mobile devices, such as fingerprint readers and facial recognition technology. Applications and web services can choose to implement WebAuthn for passwordless authentication, two-factor authentication (2FA), and multi-factor authentication (MFA).
  • YubiKey + Microsoft. Your Defense Against Account Takeovers. Secure Sign In
    YubiKey + Microsoft. Your defense against account takeovers. Secure sign in. Easy to use. Phishing resistant. The YubiKey offers high security and best overall user experience for protecting Microsoft 365. Provide your ecosystem secure access to Microsoft apps with the leading security key:
    ● Phishing-resistant security proven to stop account takeovers
    ● Frictionless user experience
    ● Easy to scale and support
    ● Works with Azure Active Directory, Active Directory, and leading Identity and Access Management (IAM) solutions
    Remote workforce: Improve security and productivity for remote workers' access to Microsoft 365 collaboration and productivity tools.
    3rd party/Vendor access: Ensure secure corporate system access to Microsoft 365 workloads by 3rd party entities.
    End customers: YubiKeys safeguard end customer accounts.
    End account takeovers: ● Phishing-resistant to advanced Man-in-the-Middle attacks ● Hardware backed public-key cryptography ● Origin binding validates whether user is signing in to legitimate site
    Frictionless user experience: ● Functions seamlessly as extension of computer, smartphone, and tablets ● Multiple form factors allow login with a simple tap or touch ● Use once to create a trusted device or use per each login
    Easy to scale and support: ● Easy to deploy and manage ● User self-service for provisioning, registration, and account recovery ● Highly durable, no batteries, screens, or moving parts
    10 million YubiKeys deployed. Log in 4X faster than 2FA. 90% reduction in help desk calls.
    Modern authentication with a touch. Integrated with leading IAM solutions: use YubiKeys to secure authentication to Microsoft Office applications that are federated via Identity and Access … Native passwordless support with Azure AD: the YubiKey can authenticate directly with Azure Active Directory accounts using passwordless logins.
  • The Case of Interaction Problems Between Password Managers and Websites
    They Would do Better if They Worked Together: The Case of Interaction Problems Between Password Managers and Websites. Nicolas Huaman, Sabrina Amft, Marten Oltrogge, Yasemin Acar, Sascha Fahl (CISPA Helmholtz Center for Information Security; Leibniz University Hannover; Max Planck Institute for Security and Privacy)
    Abstract—Password managers are tools to support users with the secure generation and storage of credentials and logins used in online accounts. Previous work illustrated that building password managers means facing various security and usability challenges. For strong security and good usability, the interaction between password managers and websites needs to be smooth and effortless. However, user reviews for popular password managers suggest interaction problems for some websites. Therefore, to the best of our knowledge, this work is the first to systematically identify these interaction problems and investigate how 15 desktop password managers, including the ten most popular ones, are affected. We use a qualitative analysis approach to identify 39 interaction problems from 2,947 user reviews and 372 GitHub issues for 30 password managers.
    … previous research on PWMs mostly focuses on PWM security issues and usability and adoption challenges. Multiple studies researched the security of different PWM types, finding that both browser-based and locally installed PWMs are vulnerable to problems such as key theft or secret recovery from temporary files, as well as weaknesses within typical features such as autofill [64]. Other research focused on the usability of PWMs and was able to show that user adoption of PWMs is motivated by convenience of usage and usability [59]. While security benefits can also be a driving factor for PWM adoption, in the majority of cases these were only mentioned
  • Autocomplete with API Request Android
    The first step for this section of the tutorial is to retrieve the dependencies for Room as well as Lifecycle extensions. Get API Key: Android-GoogleCloud > Application restrictions > Android apps > Restrict key to your Android apps > Add Item > Package Name. The feature is enabled by default. Google also started to require all API calls to use a valid API key, which has to be linked to a Google Cloud Platform account. Google Chrome Privacy Whitepaper.
  • YubiKey 5 Series
    YubiKey 5 Series: The Multi-Protocol Security Key (YubiKey 5Ci, YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, YubiKey 5C Nano). Streamline authentication for existing enterprise systems and pave the way to a passwordless future.
    Relying solely on username and password security puts enterprise data at risk. Catastrophic security breaches top world headlines every day, and for good reason. A single corporate security breach costs an average of $3.86M [1], and 81% of breaches are caused by stolen or weak passwords [2]. As a result, IT organizations cannot rely exclusively on passwords to protect access to corporate data. Adopting stronger employee and customer authentication is essential to avoiding risk and becoming the next target.
    From smart card to a passwordless future: The YubiKey 5 Series is a hardware based authentication solution that provides superior defense against account takeovers and enables compliance. The YubiKey offers strong authentication with support for multiple protocols, including existing Smart Card authentication, and WebAuthn/
    The YubiKey 5 Series security keys deliver expanded authentication options:
    ● Strong Single Factor—Passwordless: Replaces weak passwords with passwordless tap-n-go secure login.
    ● Strong Two Factor—Password + Authenticator: Adds a tap-n-go second factor for secure two factor authentication.
    ● Strong Multi-Factor—Passwordless + PIN: Combines tap-n-go authentication with a PIN, to solve high assurance requirements such as financial transactions, or submitting a prescription.
    The YubiKey delivers strong authentication at scale. The YubiKey multi-protocol support streamlines authentication for existing systems while paving the way forward to a passwordless future.
    ● Authentication and cryptographic protocols supported include FIDO Universal 2nd Factor (U2F), WebAuthn/FIDO2, Personal Identity Verification-compatible (PIV) Smart Card, and OpenPGP smart card.
  • 5 Effective Ways to Reduce Cybersecurity Risk in 2021
    eBook: 5 Effective Ways to Reduce Cybersecurity Risk in 2021.
    Introduction: With the rapid rise in cyberattacks in the past year, cybersecurity has quickly become the top priority for businesses around the world. With companies forced to switch to remote work to survive the pandemic, the stakes have never been higher. In 2020 alone, the National Vulnerability Database (NVD) published 18,362 vulnerabilities in total [1]. Many organizations, including U.S. government agencies, have recently fallen prey to various kinds of cyberattacks. The 2020 Cost of a Breach Report by the Ponemon Institute states that it takes, on average, about 280 days for companies to identify and contain a breach [2]. This is a major concern since the longer a breach goes undetected, the more damage it can cause. IT leaders must constantly be vigilant to keep their infrastructure and data secure. Managing security, of course, isn't just a one-time job. It is a continuous process that requires time, proactive effort and keeping up with ever-changing technology. This eBook outlines five security measures an organization can take to reduce its exposure to cyber risk.
    1. Gain Complete Visibility of Assets: Complete visibility requires the ability to discover all endpoints and network devices. A remote monitoring and endpoint management solution takes care of the discovery process. With the discovery data, your endpoint management tool should then build a network topology map showing the connectivity of all devices. Having full visibility of your IT networks is critical to detecting and resolving IT incidents that can disrupt services to the business.
  • In 2021 Vow to Start Using a Password Manager
    In 2021 vow to start using a password manager. Kurt Jefferson, Editor, Central Kentucky Computer Society. I keep telling students in my CKCS classes that they need to start using a password manager. You should be using a password manager on your iPad, iPhone, Mac, Windows PC, and Linux PC. Seriously? Yes. With a good password manager, you only need to remember one password. That's right. You don't need to remember the one you use when you buy from Amazon. And the password you use to pay your water bill. And the one you use to log into your bank account. Password managers are apps that securely keep track of your passwords, allow you to create private notes, automatically log you into your password-protected websites, and more. Some of the best include: 1Password, Dashlane, LastPass, Keeper, NordPass, RoboForm, Sticky Password, bitwarden, RememBer and Enpass. If you're reluctant to use a password manager, wired.com says you've got company. "Password managers are vegetables of the Internet. We know they're good for us, but most of us are happier snacking on the password equivalent of junk food," writes Wired in an article headlined, "The Best Password Managers to Secure Your Digital Life." As I read that I said to myself, "Ain't that the truth." I know plenty of really smart people who are committed to their habits, who are stubborn, and who simply cannot change. They don't use password managers. You probably know your web browser will save your passwords automatically for you. The website Tech Republic says this is a bad idea.
  • Year in Review 2019
    Year in Review 2019. Table of contents: Welcome word; Transparency; Social responsibility (Support to communities and NGOs; Internet freedom and human rights; Supporting social causes; Testimonials by NGOs and activists); Service improvements (Faster VPN with NordLynx; Windows and Android app tweaks; macOS and iOS app improvements); New product launches (Password management tool; File encryption tool; NordVPN Teams); The incident; Security measures we promised last year; Thank you page.
    Welcome word: NordVPN was created eight years ago around a single idea: to free the internet from censorship and surveillance. Since then, we've worked relentlessly to make it available and open to everyone. 2019 proved to be another eventful year for NordVPN. It brought us new product launches, significant improvements in our service, important partnerships, and some hard lessons too. In this Annual Report, you will find NordVPN's key highlights from 2019. Enjoy! Ruby Gonzalez, Head of Communications at NordVPN.
    Timeline of 2019 (Jan to Dec): CSN Partnership; NordVPN meme contest; IFF event; EU Copyright Directive; RightsCon event; OrgCon event; became sponsors of Digital Security Helpline; app security audit; server breach; NordLocker and NordPass launch; Versprite partnership; NordVPN Teams launch; Bug Bounty; Contract for the web launch; VPN trust initiative; TEDxLiverpool.
    Transparency: NordVPN is committed to protecting user privacy and security online. We are 100% true to our zero-logs policy — we never log the activities of our users.
  • An Advanced Introduction to GnuPG
    An Advanced Introduction to GnuPG. Neal H. Walfield, August 15, 2017. Copyright © 2017 g10 Code GmbH. This work is licensed under a Creative Commons Attribution 4.0 International License.
    Contents: Part I, Main Matter. 1 Key Creation; 1.1 Keys Aren't Forever, Revocation Certificates Are (1.1.1 Backing Up a Revocation Certificate; 1.1.2 Publishing a Revocation Certificate; 1.1.3 Recruiting Your Friends); 1.2 Tweaking, Twiddling, and Frobbing; 1.3 Security Tokens (1.3.1 Hardware; 1.3.2 Creating a Key; 1.3.3 Tails; 1.3.4 Initializing the Security Token; 1.3.5 Formatting the Removable Storage Devices; 1.3.6 Generating the Keys; 1.3.7 Saving Your Progress; 1.3.8 Creating a Backup; 1.3.9 Copying the Keys to the Security Token; 1.3.10 Using the Keys; 1.3.11 Saving the Revocation Certificate; 1.3.12 Signing Keys with an Offline Master); 1.4 Key Expiration; 1.5 Subkey Rotation.
    Chapter 1, Key Creation: Today, creating an OpenPGP key could hardly be easier or less error prone. It's as simple as thinking of a password and using gpg's --quick-gen-key command:
      $ gpg --quick-gen-key 'Juliet Capulet <[email protected]>'
      About to create a key for: "Juliet Capulet <[email protected]>"
      Continue? (Y/n) y
      ...
      gpg: revocation certificate stored as '/home/jc/.gnupg/openpgp-revocs.d/98DB84C56F56DB5CF4733CCDEACAE136B8AF8CC2.rev'
      public and secret key created and signed.