Presentation is loading. Please wait.

Presentation is loading. Please wait.

2B3304 - Data Security of Workstations 1 March - May 2009 OpenPGP 2B6309 Data Security of Workstations Lars Noodén ( )

Published byCameron Johnston Modified over 8 years ago

Similar presentations

Presentation on theme: "2B3304 - Data Security of Workstations 1 March - May 2009 OpenPGP 2B6309 Data Security of Workstations Lars Noodén ( )"— Presentation transcript:

1 2B3304 - Data Security of Workstations 1 March - May 2009 OpenPGP 2B6309 Data Security of Workstations Lars Noodén ( lars.nooden@gmail.com )

2 2B3304 - Data Security of Workstations 2 March - May 2009 Definitions Authenticity – making sure the message is really from who it claims to be from. Privacy – making sure that it is not read by others either in transit, or while on the server or local hard disk. Integrity – making sure the message has not changed since writing, either by accident or on purpose

3 2B3304 - Data Security of Workstations 3 March - May 2009 Definitions cipher – an algorithm for encrypting or decrypting individual letters, bytes or bits hash – a short and (hopefully) unique digest of a longer stream of data e.g. MD5, SHA1, SHA2 collision – two different inputs which produce the same checksum

4 2B3304 - Data Security of Workstations 4 March - May 2009 Pretty Good Privacy 1991 – PGP ("Pretty Good Privacy") 1993 – Problems w/ US government start 1996 – Problems w/ US government resolved 1998 – OpenPGP specification (RFC 2440) 1999 – GPG 2001 – A5-0264/2001 2007 – ?

5 2B3304 - Data Security of Workstations 5 March - May 2009 Further Reading An Illustrated Guide to Cryptographic Hashes. (2005) http://unixwiz.net/techtips/iguide-crypto-hashes.html "Opinion: Cryptanalysis of MD5 and SHA: Time for a new standard" http://www.computerworld.com/securitytopics/security/story/0,,9 5343,00.html RFC 1321 http://tools.ietf.org/html/rfc1321

6 2B3304 - Data Security of Workstations 6 March - May 2009 Pretty Good Privacy Protocol vs Program PGP is an open standard OpenPGP, specifically, is the correct name OpenPGP is defined in RFC 4880 http://tools.ietf.org/html/rfc4880 The OpenPGP specification can be used by any program, open source or closed source

7 2B3304 - Data Security of Workstations 7 March - May 2009 OpenPGP PKI encryption public key for encryption private key for decryption Digital signatures e.g. Ubuntu and Debian repositories Written with the goal to protect privacy even in the digital era keep encryption legal in the US

8 2B3304 - Data Security of Workstations 8 March - May 2009 Goals Authenticity Privacy Integrity

9 2B3304 - Data Security of Workstations 9 March - May 2009 Authenticity Electronic Signatures: branch of cryptography OpenPGP specification defined in RFC 4880 http://tools.ietf.org/html/rfc4880 Whole messages can be signed Digital Signature Algorithm (DSA) Using GPG or PGP programs PGP started at MIT by Phil Zimmerman in 1991 http://web.mit.edu/pgp/

10 2B3304 - Data Security of Workstations 10 March - May 2009 Privacy Whole messages can be encrypted Elgamal or rsa encryption algorithms Using GPG or PGP programs Any message not encrypted can be read in transit, while on either server, or on the local hard disk. Big companies try to get hold of their competitors' mail when they can.

11 2B3304 - Data Security of Workstations 11 March - May 2009 Any unencrypted message can be read smtpsmtp imapimap TCP / IP smtpsmtp smtpsmtp imapimap smtpsmtp UTF-8 UTF-8 mail server

12 2B3304 - Data Security of Workstations 12 March - May 2009 Integrity Whole messages can be digitally signed parts can be signed individually signature can be inline or attached Separate files can be signed as well e.g. Ubuntu and Debian repositories

13 2B3304 - Data Security of Workstations 13 March - May 2009 Further Reading "Vast Spy System Loots Computers in 103 Countries" (2009) http://www.nytimes.com/2009/03/29/technology/29spy.html

14 2B3304 - Data Security of Workstations 14 March - May 2009 PGP and Package Management

15 2B3304 - Data Security of Workstations 15 March - May 2009 Repositories Distros sign their packages using OpenPGP authenticity integrity Debian and debian-derivatives use apt-secure see also apt-key Only the Release File is signed contains list of all packages and their MD5 checksums

16 2B3304 - Data Security of Workstations 16 March - May 2009 OpenPGP in Repositories Only the Release File is signed contains list of all package names and their MD5 checksums Intended to prevent man-in-the-middle attacks ( between user and repository ) replacing illegitimate packages on a mirror

17 2B3304 - Data Security of Workstations 17 March - May 2009 Repository Chain of Trust user checks OpenPGP key for Release File gets MD5 sum, checks package integrity archive / repository makes inventory signed packages and their MD5 sums signs inventory list (Release File) using OpenPGP maintainer uploads PGP-signed packages key signed by other maintainers, web of trust

18 2B3304 - Data Security of Workstations 18 March - May 2009 package name MD 5 package name MD 5 package name MD 5... MD 5 release file distro's OpenPGP key package maintainer's OpenPGP key Repository package MD 5

19 2B3304 - Data Security of Workstations 19 March - May 2009 Getting Keys for APT One way to get a key wget http://dl.google.com/linux/linux_signing_key.pub -O- | sudo apt-key add - another way to get a key gpg --keyserver wwwkeys.eu.pgp.net --recv-keys 7FAC5991 sudo apt-key add.gnupg/pubring.gpg

20 2B3304 - Data Security of Workstations 20 March - May 2009 Exercise Add Opera's own repository to your list of Ubuntu repositories found in: /etc/apt/sources.list Refresh the list of packages, and note the error apt-get update Now find the instructions for adding Opera's key Add Opera's PGP key Try refreshing the list of packages, then install (you will have to search Opera's site for instructions)

21 2B3304 - Data Security of Workstations 21 March - May 2009 deb http://deb.opera.com/opera/ stable non-free

22 2B3304 - Data Security of Workstations 22 March - May 2009 Web of Trust

23 2B3304 - Data Security of Workstations 23 March - May 2009 Trust How do you know the key is good? Direct – each key is verified individually Hierarchy – validity is traced back until a trusted key is found (aka root certificate) Web – multiple root certificates

24 2B3304 - Data Security of Workstations 24 March - May 2009 How much can a key be trusted? The validity of each key is rated from 1 to 5 1 I don't know or won't say 2I do NOT trust keys signed with this one will be ignored 3I trust marginally at least two marginal keys must have signed 4I trust fully at least one key with full trust has signed this one 5I trust ultimately I have the private key for this one

25 2B3304 - Data Security of Workstations 25 March - May 2009 Direct Trust A B

26 2B3304 - Data Security of Workstations 26 March - May 2009 Web of Trust ① ② ➌ ➊ ➋ ③ ② ① ④ B A

27 2B3304 - Data Security of Workstations 27 March - May 2009 Hierarchy ① ② ③ A B

28 2B3304 - Data Security of Workstations 28 March - May 2009 Further Reading "The Story of PGP" Web Monkey. Michael W. Lucas (2006) http://www.webmonkey.com/06/17/index4a.html "Why I Wrote PGP" Part of the Original 1991 PGP User's Guide (updated in 1999) Phil Zimmermann. http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html

29 2B3304 - Data Security of Workstations 29 March - May 2009 What's in a Key?

30 2B3304 - Data Security of Workstations 30 March - May 2009 What's in a key ? Keys DSA signature RSA signature encryption ElGamal encryption Passphrase Metadata name e-mail address comment id fingerprint creation date expiration date

31 2B3304 - Data Security of Workstations 31 March - May 2009 PGP Algorithms Digital Signatures DSA – Digital Signature Algorithm 1024 bit key (exact) RSA – 768 to 32768 bit key larger = slower smaller = weaker Encryption Elgamal – 1024 to 4096 bit key larger = slower smaller = weaker

32 2B3304 - Data Security of Workstations 32 March - May 2009 Key Example Key fingerprint = C0AE 13D5 2B27 29D8 BB68 5AB8 D3D0 02F3 A774 9403 Public key = -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (Darwin) mQGiBEZBgxURBAD4z93T0hiJh7uRsGxG//PKg2Iw8zXnKjHHQPcE5QzCEWPmMPkj klATAsd/5RIDp/ox9DYartpxynvR3vuGF/KCgFmqztX89xQliU86Xv/lncOSZAIp XvkDXXAFGb3WP+BweFkKFTNHnXJfXNCweoIraVcvbBEEzhIL0SVW3jn0xwCgiLDs rDl08npdg6zzX2jKm1vyOL8EAPWKe0Ma9vZ/SVLH6FU2YEr4pV3Dwt1Vnrq9K.........AAAoJENPQAvOndJQDwcgAniQ4WRrGbNK9EoMpkXKep9GFoxmAAJ0VVlyVQRgL kKUfXo6RewcsG6uf8Q== =udlU -----END PGP PUBLIC KEY BLOCK-----

33 2B3304 - Data Security of Workstations 33 March - May 2009 Revokation Certificate Example Revokation key = -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.6 (Darwin) Comment: A revocation certificate should follow iFIEIBECABIFAkZBgXILHQFubyByZWFzb24ACgkQcvrYn9QAoDVUxACgp5eYvib9 pOuzo2QFoKwYfiTDZCkAn2j7BktjV1Aj3XCT2Neuak5e+wrF =ymx9 -----END PGP PUBLIC KEY BLOCK----- note that this certificate is short enough to use from a paper printout

34 2B3304 - Data Security of Workstations 34 March - May 2009 Revokation / Expiration Revokation lost keys compromised keys keys no longer in use Expiration lost keys die out automatically if expiration date is not renewed can sometimes help limit life of compromised keys expired keys can be used to decrypt/verify

35 2B3304 - Data Security of Workstations 35 March - May 2009 Creating Keys Use the DSA algorithm for signatures Always assign an expiration date at least until you are familiar with managing keys can be extended later as needed Create a revocation certificate archive on paper, even if you have to copy by hand

36 2B3304 - Data Security of Workstations 36 March - May 2009 Managing keys Key servers remote database Key rings local database Authentication agent local cache Fingerprints verification hash Key signing ultimately by trusted key web of trust hierarchy

37 2B3304 - Data Security of Workstations 37 March - May 2009 PGP Tools Text interface – for remote access, programs or scripts pgp gpg Graphical interface Kgpg Mac GPG

38 2B3304 - Data Security of Workstations 38 March - May 2009 GnuPG OpenPGP – specification (1998) See RFC 4880 http://tools.ietf.org/html/rfc4880 PGP – proprietary software GnuPG – Free Software (gpl) unencumbered encryption algorithms

39 2B3304 - Data Security of Workstations 39 March - May 2009 Further Reading Elgamal encryption scheme http://crypto.cs.uiuc.edu/wiki/index.php/Elgamal_encryption_scheme FIPS-186-3, draft for the third revision to the official DSA specification. http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-3 _March2006.pdf

40 2B3304 - Data Security of Workstations 40 March - May 2009 Further Reading "Chapter 8 - Public-Key Encryption" Handbook of Applied Crytpography. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone. (2001) http://www.cacr.math.uwaterloo.ca/hac/

41 2B3304 - Data Security of Workstations 41 March - May 2009 Two Tools for Encrypting E-mail Enigmail for Mozilla Thunderbird (not Gallo Thunderbird) https://addons.mozilla.org/en-US/thunderbird/addon/71 FireGPG for Mozilla Firefox works with Gmail http://firegpg.tuxfamily.org/

42 2B3304 - Data Security of Workstations 42 March - May 2009 "www.pgp.net" mirror: http://www.no.pgp.net/pgpnet/ WWW database of PGP keys http://www.no.pgp.net/pgpnet/wwwkeys.html pool.sks-keyservers.net subkeys.pgp.net pgp.mit.edu ldap://certserver.pgp.com

43 2B3304 - Data Security of Workstations 43 March - May 2009 Further Reading "Is Your T-Shirt a Lethal Weapon?" David Loundy (1996). http://www.loundy.com/Roadside_T-Shirt.html

44 2B3304 - Data Security of Workstations 44 March - May 2009 In-Class Exercise Install Fluxbox Install two additional themes for Fluxbox Compare with KDE and FVWM-Crystal

45 2B3304 - Data Security of Workstations 45 March - May 2009 OpenPGP 2B6309 Data Security of Workstations Lars Noodén ( lars.nooden@gmail.com )

46 2B3304 - Data Security of Workstations 46 March - May 2009

Download ppt "2B3304 - Data Security of Workstations 1 March - May 2009 OpenPGP 2B6309 Data Security of Workstations Lars Noodén ( )"

Similar presentations

Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Email Security 1. email is one of the most widely used and regarded network services currently message contents are not secure may be inspected either.

Security 1. is one of the most widely used and regarded network services currently message contents are not secure may be inspected either.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
CIS 193A – Lesson6 CRYPTOGRAPHY RAPELCGRQ. CIS 193A – Lesson6 Focus Question Which cryptographic methods help computer users maintain confidentiality,

CIS 193A – Lesson6 CRYPTOGRAPHY RAPELCGRQ. CIS 193A – Lesson6 Focus Question Which cryptographic methods help computer users maintain confidentiality,
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Pretty Good Privacy (PGP). How PGP works PGP uses both public-key cryptography and symmetric key cryptography, and includes a system which binds the public.

Pretty Good Privacy (PGP). How PGP works PGP uses both public-key cryptography and symmetric key cryptography, and includes a system which binds the public.
Lecture 5: Email security: PGP Anish Arora CSE 5473 Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CSE 5473 Introduction to Network Security.
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptographic Technologies

Cryptographic Technologies
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Lecture 9: Email Security via PGP CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 9: Security via PGP CS 436/636/736 Spring 2012 Nitesh Saxena.
SMUCSE 5349/49 Email Security. SMUCSE 5349/7349 Threats Threats to the security of e-mail itself –Loss of confidentiality E-mails are sent in clear over.

SMUCSE 5349/49 Security. SMUCSE 5349/7349 Threats Threats to the security of itself –Loss of confidentiality s are sent in clear over.
Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication.

Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication.

Similar presentations

Ads by Google