Email Security with OpenPGP – An Appetizer
OWASP Austin CryptoParty
David Ochel
2015-01-27
This work is licensed under a Creative Commons Attribution 4.0 International License.
“On the Internet, nobody knows you’re a dog”
PGP – OWASP Austin 2015 Page 2© ttarasiuk, CC BY 2.0, modified, https://www.flickr.com/photos/tara_siuk/3027646100/
[Figure: Bob and Alice – photo © Wilson Afonso, CC BY 2.0, no changes, https://www.flickr.com/photos/wafonso/4444143159]
• Pretty Good Privacy (PGP) – a software program
  – Commercial – Symantec
  – Free – GnuPG
• A protocol/standard – OpenPGP – RFC 4880 et al.
• Based on encryption technology – Public-key (asymmetric) cryptography
  – But also secure hashing, symmetric encryption, …
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgOtlqdRMXtP4e3EJjWbiiI2Yf
zo8s0spD+qzCOOUZw46ztyg0UmAr8dF0HT84CIUAudvYBvZsqcwrJKAo4V+3w0kR
13MgDL9K4rZTU/JF8ExQ2qP1sREbX1JeRW6tMkCwLYD14SCTVwuyMrrq0r+UgTDz
ckKzFHhuppZyCytwRQIDAQAB
-----END PUBLIC KEY-----
1. Key Generation: Math!
  – Generate two linked keys (“public” and “private”)
  – Public key: distribute widely; private key: keep secret!
  – Keyrings!
2. Encryption / Decryption
[Figure: encryption with the recipient’s public key and decryption with the matching private key, built up over three slides]
3. Encryption / Decryption!
Electronic Signature
[Figure: signing – Plaintext → Hash Value → Signature]
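The three steps on the slides above (key generation, encryption/decryption, electronic signature), walked through in code. This is an added example, not from the talk: textbook RSA on tiny numbers with a throwaway SHA-256 keystream standing in for the symmetric cipher, so it also shows the hybrid scheme OpenPGP actually uses (a random session key wrapped with the public key, the body encrypted symmetrically). Key sizes, the cipher and the lack of padding are toy assumptions for illustration only; a real implementation uses GnuPG.

```python
"""Added example, not from the slides: textbook RSA on small numbers to walk through
steps 1-3 (key generation, encryption/decryption, electronic signature).
Toy only: real OpenPGP keys are thousands of bits and use padding and real ciphers."""
import hashlib
import random
import secrets
from math import gcd


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with exactly `bits` bits (top bit forced on)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=64):
    """Step 1, 'Math!': p and q stay secret; n = p*q and e are public, d is private."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n, d = p * q, pow(e, -1, phi)
    return (n, e), (n, d)  # (public key, private key)


def _max_bytes(n):
    # Largest byte count whose integer value is always below the modulus (toy, no padding).
    return (n.bit_length() - 1) // 8


def _keystream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream. Encrypt == decrypt."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(public_key, plaintext):
    """Step 2: as in OpenPGP, wrap a random session key with the recipient's public key,
    then encrypt the message body symmetrically with that session key."""
    n, e = public_key
    session_key = secrets.token_bytes(_max_bytes(n))
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, _keystream_xor(session_key, plaintext)


def decrypt(private_key, message):
    """Only the holder of the private key can unwrap the session key."""
    n, d = private_key
    wrapped, body = message
    session_key = pow(wrapped, d, n).to_bytes(_max_bytes(n), "big")
    return _keystream_xor(session_key, body)


def _digest_int(n, data):
    # Step 3 starts by hashing the plaintext; truncate the digest so it fits below n (toy).
    return int.from_bytes(hashlib.sha256(data).digest()[:_max_bytes(n)], "big")


def sign(private_key, plaintext):
    """Signature = hash value transformed with the signer's private key."""
    n, d = private_key
    return pow(_digest_int(n, plaintext), d, n)


def verify(public_key, plaintext, signature):
    """Anyone with the signer's public key can check the signature against the hash."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(n, plaintext)


def demo():
    """Alice signs and encrypts to Bob; Bob decrypts and verifies. Returns three booleans."""
    alice_pub, alice_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()
    msg = b"Hi Bob - this email is secret. Alice"   # constructed sample message
    sig = sign(alice_priv, msg)
    wire = encrypt(bob_pub, msg)        # Bob's public key: anyone may encrypt to him
    received = decrypt(bob_priv, wire)  # Bob's private key: only Bob can read
    return (received == msg,
            verify(alice_pub, received, sig),
            verify(alice_pub, received + b"!", sig))  # altered text fails verification


if __name__ == "__main__":
    print(demo())
```

The last value of `demo()` is the point of step 3: changing even one byte of the plaintext changes the hash, so the signature no longer verifies.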
Avoiding Mallory, The Man in the Middle
[Figure: Charlie needs to send a secret email; Mallory, the malicious interceptor, sits in the middle; trust links run via Bob to Alice]
Web of Trust
  – Keys signed by many key holders
  – On public keyservers, e.g. http://pgp.mit.edu/pks/lookup?search=leo%40debian&op=vindex&fingerprint=on
A Key-Signing Party?
1. Obtain fingerprint (and key ID) of user – in person!
2. Validate user’s ID and make a note that you have validated
3. Go home and retrieve key (look up on keyserver by key ID), check fingerprint, sign key, and upload signed key
Fingerprint – cryptographic hash of a public key
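What “fingerprint” means concretely, and the check in step 3 of the key-signing party, as an added example that is not part of the talk. It builds a version 4 OpenPGP public-key packet for RSA and computes the fingerprint the way RFC 4880 section 12.2 specifies (SHA-1 over 0x99, the two-octet length and the packet body); the long key ID is the low 64 bits of that fingerprint and the short key ID the low 32 bits, which is why the contact slide’s key ID 0xA26EF725 is the last eight hex digits of the fingerprint printed there. The modulus and creation time below are constructed placeholders, not a real key.

```python
"""Added example, not from the slides: OpenPGP v4 fingerprint and key ID per RFC 4880
section 12.2, plus the key-signing-party comparison of a fingerprint noted in person
against one computed from a key fetched by key ID from a keyserver."""
import hashlib
import hmac


def mpi(value):
    """RFC 4880 multiprecision integer: 2-byte bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(n, e, created):
    """Body of a version 4 public-key packet for RSA (public-key algorithm id 1)."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def fingerprint(key_body):
    """SHA-1 over 0x99, the two-octet body length, and the body (RFC 4880 12.2)."""
    h = hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body)
    return h.hexdigest().upper()


def _bare(fp):
    # Strip the display spacing and normalise case.
    return "".join(fp.split()).upper()


def key_id(fp):
    """Long key ID = low-order 64 bits of the v4 fingerprint, as 0x-prefixed hex."""
    return "0x" + _bare(fp)[-16:]


def short_key_id(fp):
    """Short key ID = low-order 32 bits, the form shown on the contact slide."""
    return "0x" + _bare(fp)[-8:]


def pretty(fp):
    """Group the 40 hex digits in fours, as gpg --fingerprint prints them."""
    fp = _bare(fp)
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


def fingerprints_match(noted, computed):
    """Step 3 of the key-signing party: the fingerprint you wrote down in person must
    equal the one computed from the key you retrieved by key ID. Spacing and case
    are ignored; the compare is constant-time by habit."""
    return hmac.compare_digest(_bare(noted), _bare(computed))


# Constructed sample key: a tiny RSA modulus and the common exponent 65537.
# Real keys are thousands of bits; these values are placeholders for the demo only.
SAMPLE_N = 0xC7F1A3B5D9E2F0011223344556677889AABBCCDDEEFF0123456789ABCDEF0123
SAMPLE_E = 65537
SAMPLE_CREATED = 1422316800  # 2015-01-27 00:00 UTC, the talk date (constructed)
SAMPLE_BODY = v4_rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)


def demo():
    """Compute the sample key's fingerprint and run the in-person comparison."""
    fp = fingerprint(SAMPLE_BODY)
    noted_at_party = pretty(fp)              # what you wrote down in person
    swapped = "FFFF" + noted_at_party[4:]    # a different key (e.g. one Mallory substituted)
    return {
        "fingerprint": noted_at_party,
        "key_id": key_id(fp),
        "short_key_id": short_key_id(fp),
        "matches_note": fingerprints_match(noted_at_party, fp),
        "matches_swapped": fingerprints_match(swapped, fp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the key ID is just the tail of the fingerprint, looking a key up by ID on a keyserver proves nothing on its own; only the full fingerprint comparison, done against a note taken face to face, establishes that the retrieved key is the one its holder showed you.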
How to get started with PGP?
• Obtain GnuPG (or another OpenPGP implementation), and a GUI or plugin for the application of your choice
• Generate a key(pair)
• Protect the private key with a strong password
  – Make a backup of the private key (hardcopy?)
• Use it!
  – Encrypt files on your disk
  – Encrypt emails
  – Trade public keys with your OWASP friends
Resources – Google…
• Public-key Cryptography
• Implementations
  – GnuPG (command line) – http://www.gnupg.org
  – Enigmail (Thunderbird plugin)
  – Web plugins
  – Outlook plugin (part of Gpg4win)
  – Android
  – iOS
  – …
• keybase.io – trust in keys through social media
• OpenPGP Card – store private keys on a smart card
Contact: David Ochel
[email protected], @lostgravity, http://secuilibrium.com
Key ID: 0xA26EF725
Fingerprint: 4233 C5AA 73F9 EC1F D54B CC31 A2F8 3F14 A26E F725
http://xkcd.com/364/