Crypto Application: PGP (Pretty Good Privacy)

PGP vs GPG vs OpenPGP
• Pretty Good Privacy (PGP) written by Phil Zimmermann and released in 1991
• OpenPGP is an IETF standard with which both pieces of software are compliant
• GNU Privacy Guard (GPG) similar software released in 1999 under the GPL open source license.
– Based on the OpenPGP standards

Security issues for E-mail
• Confidentiality
– Sys Admins/Email providers can read
– Anyone on your LAN can capture and read
• Integrity
– contents could be changed by anyone on the network.
• Authenticity
– Easy to insert any e-mail header: “From”
– Difficult to know if it was sent by the “Sender”

Targeted Attack - Recap
• Targeting a specific organization, group or person
• Email with malicious attachments
– Executable
– Word document

Targeted Attack
To: your e-mail address
From: Fakrul Alam [email protected]
Subject: my request
Hello,
I have been looking for someone who can answer questions in the attached file. I hope you can help me.
Thanks !

Spoofed Mail

Cryptography - PGP
• PGP is based on asymmetric (public-key) encryption

Asymmetric Recap
• Solves the problem of securely sharing (generating) secret keys and key explosion
• Public and private key mathematically related to each other
– Cannot derive one from the other
• Encrypt with one and decrypt with the other
– Encrypt with private, only public can decrypt
– Encrypt with public, only private can decrypt

Signing & Encrypting
• Data can be signed with private key to be verified by anyone who has the public key
– Remember digital signature?
– Does not always have to be hash and encrypt!
• Since public keys are also data, they can be signed too!
– Digital Certificates?

How PGP Works
SENDER: Document → sign with sender’s private key → encrypt with receiver’s public key → Signed & Encrypted document
RECEIVER: Signed & Encrypted document → decrypt with local private key → verify (decrypt) with sender’s public key → Document

Trust
• Chain of Trust (centralized/hierarchical)
– Certain globally trusted bodies sign the public keys for everyone
• Web of Trust (decentralized)
– You pick whom you trust, and decide if you trust who they trust
• Helps verify/associate a public key to an individual
• Which one is better?

Sample Web of Trust
[Figure: sample web of trust linking Alice, Eve, Carlos, Bob and Tashi]
• You can share your “trust-information” by publishing someone’s public key with your PGP signature
– signed with your private key

PGP by GnuPG
• Create your keys
– Public and Private keys
• Identify a key by
– Key ID (like 0x23AD8EF6)
• Verify someone’s public key by
– Key fingerprint
• Find public keys on public key servers
– Like http://pgp.mit.edu

Key Management
• Use graphical tools
– GPG Keychain for OS X
– Kleopatra/GPA for Windows
• Use the command line
    gpg --list-keys

• On printed media
– Business cards
• Digital
– Email
– Sneakernet
• Online
– OpenPGP key servers (pgp.mit.edu)
• But does not say anything about whether you trust a key

• Make sure you specify the expiry (validity period)
– If your private key is compromised, the key-pair can only be used until it expires
• The expiry period can be changed anytime after creating the key
• However, before a key-pair expires, it is important you create a new key pair, sign it with the old one, and publish the signed new key to everyone in your web of trust
– So that they can sign your new key

Key Management - Revocation
• Used to mark a key as invalid
– Either before an expiry, or
– If the private key has been compromised
• Always generate a revocation certificate as soon as you create your key
– Don’t keep your revocation cert together with your private key
    gpg --gen-revoke IDENTITY

Key Management - Partying
• Key signing parties
– To build your web of trust
• Each participant carries some form of ID, and a copy of their key fingerprint
– and maybe some �
• Each participant decides whether to sign someone’s keys
– Based on their personal policies

How PGP Works
• To check your GPG version
• Use “gpg --help” or “man gpg”

Generate pub-pvt key pair
• Generate the GPG public-private key pair
• We will opt for the default algorithm: RSA and RSA

• 1024 bit key is not strong enough (key space).
– We will opt for 2048 bits
It is important to select a key expiry period
• You do not want a key that never expires
• Many organizations operate with a 1 year key validity
• Need to inform others when you change your keys

• Type your name and email address
– Together with the comment, these will be used as the USER-ID
Anyone can generate keys with your email! How can you identify your key uniquely?
• Fingerprint!

• GPG will create the key pair
Read the messages carefully and take note of the contents:
• Key ID
• Key Fingerprint
• Expiry
• User ID

• List your keys:

Sign data & verify
• Create a file for signing
• Sign the data (type the passphrase)

• Have a look inside the signed file

• “Good signature from” indicates that the file was signed by the private key correctly
• The “WARNING” message is because of cleartext signature
– readable without any special tool
– If signed as a detached signature (--detach-sign), it would create a separate file just for the signature

Export key (public)
• You can export a key to a file
– for backup or further submission to public key servers
• The -a option generates the output in ASCII format

Export key (public) – key server
• You can either use the CLI:
– Need to specify the key ID
– You can also specify a key server
• Or submit the keys (ASCII) directly on a key server

Find keys – key server

Import keys (public)
• You can import keys in a file
• Or import from public key servers
• Find the imported key

Verify the fingerprint
• Make sure to verify the fingerprint of every imported key

Signing keys
• You can sign someone’s public key (trust)
• Make sure you verify their key fingerprint and any form of identification

Verify signatures
• The [email protected] has been signed by [email protected]

Publishing signed keys
• You can now push the signed key to a public key server
– Publishing your web of trust
• Verify on the key server

Encrypt Message
• You must have the public keys of the intended recipient
– Create a file to encrypt
– Sign (with your private key) and Encrypt (with recipient’s public key) the file

Decrypt Message
• Try to read the encrypted message

• Decrypt the file
– The file was:
  • Signed with [email protected]’s private key
  • encrypted with [email protected]’s public key

References:
• https://www.gnupg.org/gph/en/manual/book1.html

Lab Exercise
Lab Exercise 1
• Download and install PGP software
– Windows: Gpg4win (https://www.gpg4win.org)
– OS X: GPG Suite (https://www.gpgtools.org)

Lab Exercise 2
• Generate and publish key pair
– Windows: Follow the lab manual pgp-lab.pdf
– OS X/Linux: Follow this slide

Lab Exercise 3
• Sign each other’s keys and publish
– Build your web of trust
– Make sure to:
  • Verify the Key fingerprint
  • Verify any form of ID card

Lab Exercise 4
• Set up mail client:
– Thunderbird with Enigmail (follow the next slides)
• Send Signed/Encrypted email

Thunderbird with Enigmail
• Download and install Thunderbird
– Add Enigmail (Tools > Add-ons)
– Restart Thunderbird
• Set up Enigmail
– Select the key-pair you generated earlier
• Send signed email
• Send signed and encrypted email
– You will need the public key of the recipient
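
The command-line steps behind the key generation, fingerprint check, key signing and Encrypt/Decrypt Message slides, run end to end in two throwaway keyrings. This is an added example, not part of the original slides; the identities, the passphrase-less keys (%no-protection) and the helper names g, new_key, first_fpr, fingerprint, import_verified and demo are assumptions made for the demonstration, and GnuPG 2.2 or later is assumed.

```bash
# Added example: throwaway keyrings stand in for sender (Alice) and receiver (Bob).
# Names, addresses and passphrase-less keys are constructed for the demo only.
g() { local home="$1"; shift; gpg --homedir "$home" --batch --quiet --no-tty "$@"; }
# "RSA and RSA", 2048 bits, one-year expiry, as chosen on the slides.
new_key() {  # home "Real Name" email
  g "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
%commit
EOF
}

# The first "fpr" record of a colon listing is the primary key fingerprint.
first_fpr() { awk -F: '$1 == "fpr" { print $10; exit }'; }
fingerprint() { g "$1" --with-colons --fingerprint "$2" | first_fpr; }
# Import a key file only if it matches the fingerprint obtained out of band.
import_verified() {  # home keyfile expected_fingerprint
  local got
  got=$(g "$1" --with-colons --import-options show-only --import "$2" | first_fpr)
  [ "$got" = "$3" ] || { echo 'fingerprint mismatch, not importing' >&2; return 1; }
  g "$1" --import "$2"
}

demo() {
  local a b afpr bfpr signer h
  a=$(mktemp -d); b=$(mktemp -d)
  new_key "$a" 'Alice Sender' alice@example.test
  new_key "$b" 'Bob Receiver' bob@example.test
  afpr=$(fingerprint "$a" alice@example.test); bfpr=$(fingerprint "$b" bob@example.test)
  g "$a" -a --export "$afpr" > "$a/alice.asc"   # -a: ASCII-armoured public key
  g "$b" -a --export "$bfpr" > "$b/bob.asc"
  # A key offered with the wrong fingerprint must be refused.
  import_verified "$a" "$b/bob.asc" "$afpr" 2>/dev/null && echo 'wrong key accepted'
  import_verified "$a" "$b/bob.asc" "$bfpr" && g "$a" --quick-sign-key "$bfpr"
  import_verified "$b" "$a/alice.asc" "$afpr"
  echo 'meet at noon' > "$a/msg.txt"
  # Sender signs with own private key and encrypts to the receiver's public key.
  g "$a" -a -o "$a/msg.asc" -r "$bfpr" --sign --encrypt "$a/msg.txt"
  # Receiver decrypts; VALIDSIG in the status output names the signing key.
  signer=$(g "$b" --status-fd 1 -o "$b/msg.txt" --decrypt "$a/msg.asc" |
           awk '$2 == "VALIDSIG" { print $NF }')
  [ "$signer" = "$afpr" ] && echo "verified: $(cat "$b/msg.txt")"
  for h in "$a" "$b"; do gpgconf --homedir "$h" --kill all || true; rm -rf "$h"; done
}
```

Source the file and call `demo`; it prints `verified: meet at noon` only when the signature was made by the key whose fingerprint was checked before import.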