Crypto Application PGP

Issue Date: Revision: PGP vs GPG vs OpenPGP

• Pretty Good Privacy (PGP) written by Phil Zimmerman and released in 1991

• OpenPGP is an IETF standard with which both pieces of software are compliant

• Gnu Privacy Guard (GPG) similar software released in 1999 under the GPL open source license. – Based on the OpenPGP standards

2 Security issues for E-mail

• Confidentiality – Sys Admins/ providers can read – Anyone on your LAN can capture and read

• Integrity – contents could be changed by anyone on the network.

• Authenticity – Easy to insert any e-mail header: “From” – Difficult to know if it was sent by the “Sender” Targeted Attack - Recap

• Targeting a specific organization, group or person

• Email with malicious attachments – Executable – Word document Targeted Attack

To: your e-mail address

From: Fakrul Alam [email protected]

Subject: my request

Hello,

I have been looking for someone who can answer questions in the attached file. I hope you can help me.

Thanks ! Spoofed Mail - PGP

• PGP is based on asymmetric (public-) Asymmetric Recap

• Solves the problem of securely sharing (generating) secret keys and key explosion

• Public and private key mathematically related to each other – Cannot derive one from the other

• Encrypt with one and decrypt with the other – Encrypt with private, only public can decrypt – Encrypt with public, only private can decrypt Signing & Encrypting

• Data can be signed with private key to be verified by anyone who has the public key – Remember ? – Does not always have to be hash and encrypt!

• Since public keys are also data, they can be signed too! – Digital Certificates? How PGP Works

Sign with Encrypt with SENDER sender’s receiver’s private key public key � Document Signed & Encrypted document � Verify (decrypt) Decrypt RECEIVER with sender’s with local public key private key � Document Signed & Encrypted document Trust

• Chain of Trust (centralized/hierarchical) – Certain globally trusted bodies sign the public keys for everyone

(decentralized) – You pick whom you trust, and decide if you trust who they trust

• Helps verify/associate a public key to an individual

• Which one is better? Sample Web of Trust

Alice Eve Carlos

Bob Tashi

• You can share your “trust-information” by publishing someone’s public key with your PGP sign – signed with your private key PGP by GnuPG

• Create your keys – Public and Private keys

• Identify a key by – Key ID (like 0x23AD8EF6)

• Verify someone’s public key by – Key fingerprint

• Find public keys on public key servers – Like http://pgp.mit.edu

• Use graphical tools – GPG Keychain for OS X – Kleopatra/GPA for Windows

• Use the command line gpg --list-keys Key Management

• On printed media – Business cards

• Digital – Email – Sneakernet

• Online – OpenPGP key servers (pgp.mit.edu)

• But does not say anything about whether you trust a key Key Management

• Make sure you specify the expiry (validity period) – If your private key is compromised, the key-pair can only be used until it expires

• The expiry period can be changed anytime after creating the key

• However, before a key-pair expires, it is important you create a new key pair, sign it with the old one, and publish the signed new key to everyone in your web of trust – So that they can sign your new key Key Management - Revocation

• Used to mark a key as invalid – Either before an expiry, or – If the private key has been compromised

• Always generate a revocation certificate as soon as you create your key – Don’t keep you revocation cert together with your private key gpg --gen-revoke IDENTITY Key Management - Partying

• Key signing parties – To build your web of trust

• Each participant carries some form of ID, and a copy of their key fingerprint – and maybe some �

• Each participant decides whether to sign someone’s keys – Based on their personal policies How PGP Works

• To check your GPG version How PGP Works

• Use “gpg --help” or “man gpg” Generate pub-pvt key pair

• Generate the GPG public-private key pair

• We will opt for the default algorithm: RSA and RSA Generate pub-pvt key pair

• 1024 bit key is not strong enough (key space). – We will opt for 2048 bits

It is important to select key expiry period • You do not want a key that never expires • Many organizations operate with a 1 year key validity • Need to inform others when you change your keys Generate pub-pvt key pair

• Type your name and email address – Along with the comment will be used as USER-ID

Anyone can generate keys with your email! How can you identify your key uniquely? • Fingerprint! Generate pub-pvt key pair Generate pub-pvt key pair

• GPG will create the key pair

Read the carefully and take note of the contents: • Key ID • Key Fingerprint • Expiry • User ID Generate pub-pvt key pair

• List your keys: Sign data & verify

• Create a file for signing

• Sign the data (type the passphrase) Sign data & verify

• Have a look inside the signed file Sign data & verify it

• ”Good signature from” indicates that the file was signed by the private key correctly

• The “WARNING” message is because of cleartext signature – readable without any special tool – If signed as a detached signature (--detach-sign), it would create a separate file just for the signature Export key (public)

• You can export a key to a file – for backup or further submission to public key servers

• The -a option generates the output in ASCII format Export key (public) – key server

• You can either use the CLI: – Need to specify the key ID

– You can also specify a key server

• Or submit the keys (ASCII) directly on a key server Find keys – key server Import keys (public)

• You can import keys in a file

• Or import from public key servers

• Find the imported key Verify the fingerprint

• Make sure to verify the fingerprint of every imported key Signing keys • You can sign someone’s public key (trust) • Make sure you verify their key fingerprint and any form of identification Verify signatures

• The [email protected] has been signed by [email protected] Publishing signed keys • You can now push the signed key to a public key server – Publishing your web of trust

• Verify on the key server Encrypt Message • You must have the public keys of the intended recipient – Create a file to encrypt

– Sign (with your private key) and Encrypt (with recipient’s public key) the file Decrypt Message

• Try to read the encrypted message Decrypt Message

• Decrypt the file

– The file was: • Signed with [email protected]’s private key • encrypted with [email protected]’s public key References:

://www.gnupg.org/gph/en/manual/book1.html 42 Lab Exercise

43 Lab Exercise 1

• Download and install PGP software – Windows: (https://www.gpg4win.org) – OS X: GPG Suite (https://www.gpgtools.org) Lab Exercise 2

• Generate and publish key pair – Windows: Follow the lab manual pgp-lab.pdf – OS X/: Follow this slide Lab Exercise 3

• Sign each others key and publish – Build your web of trust

– Make sure to: • Verify the Key fingerprint • Verify any form of ID card Lab Exercise 4

• Setup mail client: – Thunderbird with (follow the next slides)

• Send Signed/Encrypted email Thunderbird with Enigmail

• Download and install Thunderbird – Add Enigmail (Tools > Add-ons) – Restart Thunderbird Thunderbird with Enigmail

• Setup Enigmail Thunderbird with Enigmail

• Setup Enigmail – Select the key-pair you generated earlier Thunderbird with Enigmail

• Setup Enigmail Thunderbird with Enigmail

• Setup Enigmail Thunderbird with Enigmail

• Send signed email Thunderbird with Enigmail

• Send signed and encrypted email – You will need the public key of the recipient