PGP Stephen Smith – December 11, 2013

Outline - Pretty Good Privacy  History  How It Works  How To Use It  Questions  I Get Taken Away In Handcuffs

History of PGP

Separated At Birth?

History of PGP  Uploaded to Peacenet  Message board for activists  Encryption viewed as “munitions”  NSA banned >40-bit ciphers from export  Zimmerman charged as arms dealer  Charges dropped after several years

History of PGP  How they got around it  Sold books containing entire source code  Cut binding off, scan with OCR, presto!  Export of books protected under 1 st Amendment  Crypto now free speech too  Bernstein v. United States  Junger v. Daley

History of PGP  PGP Corporation founded in 2001  Sold to Symantec in 2010  Open source version also available GnuPG (GNU Privacy Guard)

How Does It Work?

Step One: Text Compression  Smaller size  Faster transmission  Improved resistance to frequency analysis  Incomplete message = harder to break

Step Two: Encryption  Session key is randomly generated  “Random” = very strict meaning in cryptography  Session key used to encrypt message  Cipher used = AES

AES  Advanced Encryption Standard  Rijndael Joan Daemen and Vincent Rijmen  Block cipher  As opposed to stream cipher  Chunks data up, shuffles it in predictable fashion  …predictable to anyone with the key, that is

AES  Attacked via side channels  Weaknesses in implementation, not math  Math-only attacks getting progressively better

Step 3: Authentication  Session key encrypted with sender’s public key  Cipher used = RSA

RSA  Ron Rivest, Adi Shamir, Leonard Adleman  Developed 3 years earlier at GCHQ  British NSA  Not declassified until 1997  Explaining it would be a bit mathy for ten minutes  It’s not THAT hard, just a little complex  Involves prime numbers and modular arithmetic You already know one, you’ll know the other in a minute

RSA  Attacked by prime factoring  Getting better every year  Shor’s algorithm + quantum computer  Next step = Elliptic Curve Cryptography (ECC)  ECDSA = Elliptic Curve Digital Signature Algorithm  Ars Technica posted a good summary last week

Step 4: Hash Production  Message in, hashtext out  Hashtext encrypted with sender’s private key Ensures message can’t be modified and rehashed  Cipher used = SHA

SHA  Secure Hashing Algorithm (SHA-3)  Keccak Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche  Hash function  Modular arithmetic  One-way function

SHA  Attacked by collisions  Predictable output  Identical output for different input The birthday paradox

Step 4.5: Why Three Ciphers?  Message encrypted with AES session key  AES is way faster than RSA  Session key encrypted with RSA public key  RSA has public/private keypairs  Message hashed with SHA  SHA ensures consistent output  Coordinating all this is why PGP is awesome.

Step 5: Message Sent & Received  Both aspects of secure are now present  Encryption  Authentication  Message is sent, entire process is reversed  Session key decrypted by receiver’s private key  Message decrypted with session key  Original hash decrypted with sender’s public key  Received message hashed and compared  Text decompressed

Summary  Message is encrypted and signed  Message is transmitted  Message is checked for integrity and decrypted

How To Use It  Outlook  PGP For Outlook  Thunderbird  Enigmail  Gmail, Hotmail, etc.  Say hi to the NSA for me!

Questions?

Sources Cited Singh, S. (2000). The code book: The science of secrecy from ancient egypt to quantum cryptography. New York City: Anchor. Ferguson, N., Schneier, B., & Tadayoshi, K (2010). Cryptography engineering: Design principles and practical applications. New York City: Wiley. PGP International. (1999). How pgp works. Retrieved from