The document discusses PGP (Pretty Good Privacy) and how it can be used to securely communicate and store secrets. It explains that PGP uses public-key cryptography to provide confidentiality, integrity, and authenticity. It also discusses how to generate a PGP key pair, and the importance of revoking keys if they are compromised or the user no longer needs them.
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
PGP for Smarties Guide
1. PGP for Smarties
PGP for Smarties
Jan Schaumann <jschauma@etsy.com>
B60D A9F7 0D89 544A 7995
7D25 5A5B 4375 275F 0BB5
http://etsy.me/TF8k2c @jschauma
Wednesday, September 5, 12
2. PGP for Smarties
http://etsy.me/N1UIjg
2 08/28/12
Wednesday, September 5, 12
3. PGP for Smarties
http://etsy.me/Tkbefn
3 08/28/12
Wednesday, September 5, 12
4. PGP for Smarties
Common threats to security:
4 08/28/12
Wednesday, September 5, 12
5. PGP for Smarties
PGP stands for…
http://etsy.me/SYTYfA
5 08/28/12
Wednesday, September 5, 12
6. PGP for Smarties
PGP stands for…
The
Pacific
Golden
Plover
(Pluvialis fulva)
is a
medium-sized
plover.
http://etsy.me/SYTYfA
5 08/28/12
Wednesday, September 5, 12
7. PGP for Smarties
Pretty Good Privacy
http://etsy.me/SYVdeP
6 08/28/12
Wednesday, September 5, 12
8. PGP for Smarties
Pretty Bad Privacy
http://etsy.me/hHFUdi
7 08/28/12
Wednesday, September 5, 12
9. PGP for Smarties
Definitions
“PGP” == “Pretty Good Privacy”
8 08/28/12
Wednesday, September 5, 12
10. PGP for Smarties
Definitions
“PGP” == “Pretty Good Privacy”
“OpenPGP” is a standard to provide encryption,
decryption, signing, and key management functions.
(RFC4880)
8 08/28/12
Wednesday, September 5, 12
11. PGP for Smarties
Definitions
“PGP” == “Pretty Good Privacy”
“OpenPGP” is a standard to provide encryption,
decryption, signing, and key management functions.
(RFC4880)
“GnuPG” == “GNU Privacy Guard” aka “gpg”
8 08/28/12
Wednesday, September 5, 12
12. PGP for Smarties
OpenPGP
• uses a combination of strong public-key and symmetric
cryptography
• provides security services for electronic communications and
data storage
– authentication (via digital signatures)
– confidentiality (via encryption)
– integrity (via digital signatures)
– key management
– expiration
9 08/28/12
Wednesday, September 5, 12
13. PGP for Smarties
Buzzword Bingo
10 08/28/12
Wednesday, September 5, 12
14. PGP for Smarties
Buzzword Bingo
http://etsy.me/iFfqUa
10 08/28/12
Wednesday, September 5, 12
15. PGP for Smarties
Buzzword Bingo
http://etsy.me/SZ1G9q
http://etsy.me/iFfqUa
10 08/28/12
Wednesday, September 5, 12
16. PGP for Smarties
Buzzword Bingo
http://etsy.me/SZ1G9q
http://etsy.me/iFfqUa
http://etsy.me/N20IIG
10 08/28/12
Wednesday, September 5, 12
17. PGP for Smarties
Buzzword Bingo
http://etsy.me/SZ1G9q
http://etsy.me/iFfqUa
http://etsy.me/N20IIG
http://etsy.me/TAHXKG
10 08/28/12
Wednesday, September 5, 12
18. PGP for Smarties
Buzzword Bingo
http://etsy.me/SZ1G9q
http://etsy.me/iFfqUa
http://etsy.me/N20IIG
http://etsy.me/TAIEUh
http://etsy.me/TAHXKG
10 08/28/12
Wednesday, September 5, 12
19. PGP for Smarties
Buzzword Bingo
http://etsy.me/SZ1G9q
http://etsy.me/iFfqUa
http://etsy.me/N20IIG
http://etsy.me/MHNUDQ
http://etsy.me/TAIEUh
http://etsy.me/TAHXKG
10 08/28/12
Wednesday, September 5, 12
20. PGP for Smarties
http://etsy.me/uLLUaI
11 08/28/12
Wednesday, September 5, 12
23. PGP for Smarties
In general:
• people who work together need to occasionally share secrets
13 08/28/12
Wednesday, September 5, 12
24. PGP for Smarties
In general:
• people who work together need to occasionally share secrets
• people who work together need to occasionally share secrets
across physical distances
13 08/28/12
Wednesday, September 5, 12
25. PGP for Smarties
In general:
• people who work together need to occasionally share secrets
• people who work together need to occasionally share secrets
across physical distances
• people who work together need to occasionally share secrets
across physical distances and timezones
13 08/28/12
Wednesday, September 5, 12
26. PGP for Smarties
In general:
• people who work together need to occasionally share secrets
• people who work together need to occasionally share secrets
across physical distances
• people who work together need to occasionally share secrets
across physical distances and timezones
• people who work together don't always work together
13 08/28/12
Wednesday, September 5, 12
27. PGP for Smarties
In general:
• people who work together need to occasionally share secrets
• people who work together need to occasionally share secrets
across physical distances
• people who work together need to occasionally share secrets
across physical distances and timezones
• people who work together don't always work together
• people need to store secrets:
• store it on a computer system owned by your company
=> multiple users besides you have full access
• store it on a computer system owned by yourself =>
company-related information leaked
13 08/28/12
Wednesday, September 5, 12
28. PGP for Smarties
In general:
§ people need to
communicate securely
http://etsy.me/TAORQb
14 08/28/12
Wednesday, September 5, 12
29. PGP for Smarties
In general:
§ people need to
communicate securely
http://etsy.me/TAORQb
• people need to store date
securely
http://etsy.me/SZ4Qdd
14 08/28/12
Wednesday, September 5, 12
30. PGP for Smarties
Common threats to security:
16 08/28/12
Wednesday, September 5, 12
31. PGP for Smarties
Cryptography may provide:
§ secrecy or confidentiality
§ accuracy or integrity
§ authenticity
17 08/28/12
Wednesday, September 5, 12
32. PGP for Smarties
Why we want secrecy:
18 08/28/12
Wednesday, September 5, 12
33. PGP for Smarties
Why we want integrity:
Date: Sat, 23 Jun 2012 11:59:40 -0400
From: Chad Dickerson <chad@etsy.com>
To: Jan Schaumann <jschauma@etsy.com>
Subject: Important
X-Mailer: iPad Mail (9B206)
Jan,
Can you disable Allspaw’s VPN access? We’ll have to let
him go. Also, party at my place, byob.
Chad
Sent from my iPad 19 08/28/12
Wednesday, September 5, 12
34. PGP for Smarties
Why we want integrity:
Date: Sat, 23 Jun 2012 11:59:40 -0400
From: Chad Dickerson <chad@etsy.com>
To: Jan Schaumann <jschauma@etsy.com>
Subject: Important
X-Mailer: iPad Mail (9B206)
Jan,
Can you get Allspaw’s jacket size? We’re planning a
surprise gift. Also, party at my place, byob.
Chad
Sent from my iPad 19 08/28/12
Wednesday, September 5, 12
35. PGP for Smarties
Why we want authenticity:
Date: Sat, 23 Jun 2012 11:59:40 -0400
From: Chad Dickerson <chad@etsy.com>
To: Jan Schaumann <jschauma@etsy.com>
Subject: Important
X-Mailer: iPad Mail (9B206)
Jan,
Can you disable Allspaw’s VPN access? We’ll have to let
him go. Also, party at my place, byob.
Chad
Sent from my iPad 19 08/28/12
Wednesday, September 5, 12
36. PGP for Smarties
Symmetric- or private-key
cryptography
http://etsy.me/TASe9N
21 08/28/12
Wednesday, September 5, 12
37. PGP for Smarties
Symmetric- or private-key
$ cat secret
Oehpr Fpuarvre rkcrpgf gur Fcnavfu Vadhvfvgvba.
$
22 08/28/12
Wednesday, September 5, 12
38. PGP for Smarties
Symmetric- or private-key
$ cat secret
Oehpr Fpuarvre rkcrpgf gur Fcnavfu Vadhvfvgvba.
$ rot13 <secret
Bruce Schneier expects the Spanish Inquisition.
$
22 08/28/12
Wednesday, September 5, 12
39. PGP for Smarties
Symmetric- or private-key
$ cat secret
Oehpr Fpuarvre rkcrpgf gur Fcnavfu Vadhvfvgvba.
$ rot13 <secret
Bruce Schneier expects the Spanish Inquisition.
$
http://etsy.me/SZ1G9q
22 08/28/12
Wednesday, September 5, 12
40. PGP for Smarties
Asymmetric- or public-key
23 08/28/12
Wednesday, September 5, 12
41. PGP for Smarties
Public-key cryptography in a nutshell
http://etsy.me/SZ63kK
http://etsy.me/TAHXKG
http://etsy.me/TAIEUh
http://etsy.me/TARe5w
24 08/28/12
Wednesday, September 5, 12
42. PGP for Smarties
Public-key cryptography in a nutshell
25 08/28/12
Wednesday, September 5, 12
43. PGP for Smarties
Public-key cryptography in a nutshell
26 08/28/12
Wednesday, September 5, 12
44. PGP for Smarties
PGP can:
• provide secrecy or confidentiality (encryption)
• provide accuracy or integrity (checksum)
• provide authenticity (signature + WoT)
27 08/28/12
Wednesday, September 5, 12
45. PGP for Smarties
PGP can NOT:
• magically imply "security"
• know by itself whom to trust (or not)
• figure out how or when to share secrets
• protect you from all threats
28 08/28/12
Wednesday, September 5, 12
46. PGP for Smarties
Yahoo! Presentation, Confidential 29 08/28/12
Wednesday, September 5, 12
47. PGP for Smarties
Common threats to security:
https://xkcd.com/399/
30 08/28/12
Wednesday, September 5, 12
48. PGP for Smarties
Common threats to security:
$ man gpg | rman -t ascii | egrep -- "^[ ]*--[^ ]+$" |
sort -u | wc –l
167
$
31 08/28/12
Wednesday, September 5, 12
50. PGP for Smarties
Keypair generation
$ gpg --gen-key
[...]
Real name: Jan Schaumann
Email address: jschauma@etsy.com
[...]
You need a Passphrase to protect your secret key.
[...]
pub 2048R/275F0BB5 2012-04-24
Key fingerprint = B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5
uid Jan Schaumann <jschauma@etsy.com>
[...]
$
33 08/28/12
Wednesday, September 5, 12
51. PGP for Smarties
Keypair generation
$ gpg --gen-key
[...]
Real name: Jan Schaumann
Email address: jschauma@etsy.com
[...]
You need a Passphrase to protect your secret key.
[...]
pub 2048R/275F0BB5 2012-04-24
Key fingerprint = B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5
uid Jan Schaumann <jschauma@etsy.com>
[...]
$
$ ls ~/.gnupg/*ring.gpg
/Users/jschauma/.gnupg/pubring.gpg /Users/jschauma/.gnupg/secring.gpg
33 08/28/12
Wednesday, September 5, 12
52. PGP for Smarties
Common threats to security:
https://xkcd.com/538/
34 08/28/12
Wednesday, September 5, 12
53. PGP for Smarties
Revocation Certificate
$ gpg --output 275F0BB5-revocation-cert --gen-revoke 275F0BB5
sec 2048R/275F0BB5 2012-04-24 Jan Schaumann <jschauma@etsy.com>
[...]
You need a passphrase to unlock the secret key for
user: "Jan Schaumann <jschauma@etsy.com>"
2048-bit RSA key, ID 275F0BB5, created 2012-04-24
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
35 08/28/12
Wednesday, September 5, 12
54. PGP for Smarties
Let's have a look...
$ gpg --fingerprint jschauma@etsy.com
pub 2048R/275F0BB5 2012-04-24
Key fingerprint = B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5
uid Jan Schaumann <jschauma@etsy.com>
sub 2048R/FA19BA98 2012-04-24
$
36 08/28/12
Wednesday, September 5, 12
55. PGP for Smarties
Let's have a look...
$ gpg --fingerprint jschauma@etsy.com
pub 2048R/275F0BB5 2012-04-24
Key fingerprint = B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5
uid Jan Schaumann <jschauma@etsy.com>
sub 2048R/FA19BA98 2012-04-24
$
$ gpg --export -a 275F0BB5
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.18 (Darwin)
mQENBE+W6hcBCADcP2qrc4tjVjJxvyCNPJZSxDmDLqWzo9KDEer77WeAocYuXC
[...]
bWxBdIK299dw4wRJi1Z2Ocg/VlZtflDF54ts55EDsQ==
=QJlN
-----END PGP PUBLIC KEY BLOCK-----
36 08/28/12
Wednesday, September 5, 12
56. PGP for Smarties
Wot a lot I got!
37 08/28/12
Wednesday, September 5, 12
57. PGP for Smarties
Wot a lot I got!
http://etsy.me/iFfqUa
37 08/28/12
Wednesday, September 5, 12
58. PGP for Smarties
Wot a lot I got!
http://etsy.me/TARe5w
http://etsy.me/iFfqUa
37 08/28/12
Wednesday, September 5, 12
59. PGP for Smarties
Wot a lot I got!
http://etsy.me/TARe5w
http://etsy.me/iFfqUa
http://etsy.me/TASWnp
37 08/28/12
Wednesday, September 5, 12
60. PGP for Smarties
Sharing secrets with Alice
$ gpg --encrypt -r alice@etsy.com secret
gpg: alice@etsy.com: skipped: public key not found
gpg: secret: encryption failed: public key not found
$
38 08/28/12
Wednesday, September 5, 12
61. PGP for Smarties
Public-key cryptography in a nutshell
25 08/28/12
Wednesday, September 5, 12
62. PGP for Smarties
Sharing secrets with Alice
$ gpg --encrypt -r alice@etsy.com secret
gpg: alice@etsy.com: skipped: public key not found
gpg: secret: encryption failed: public key not found
$
$ gpg --list-keys alice
gpg: error reading key: public key not found
$
40 08/28/12
Wednesday, September 5, 12
63. PGP for Smarties
Sharing secrets with Alice
$ gpg --encrypt -r alice@etsy.com secret
gpg: alice@etsy.com: skipped: public key not found
gpg: secret: encryption failed: public key not found
$
$ gpg --list-keys alice
gpg: error reading key: public key not found
$
$ gpg --search-keys alice@etsy.com
gpg: searching for "alice@etsy.com" from hkp server keys.gnupg.net
gpg: key "alice@etsy.com" not found on keyserver
$
40 08/28/12
Wednesday, September 5, 12
64. PGP for Smarties
Sharing secrets with Alice
$ gpg --search-keys alice
gpg: searching for "alice" from hkp server keys.gnupg.net
(1) Alice Cooper <alice@etsy.com>
2048 bit RSA key AB123456, created: 2009-11-25
Keys 1-1 of 1 for "alice". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key AB123456 from hkp server keys.gnupg.net
gpg: key AB123456: public key ”Alice Cooper” <alice@etsy.com>"
imported
gpg: Total number processed: 1
gpg: imported: 1
$
42 08/28/12
Wednesday, September 5, 12
65. PGP for Smarties
Sharing secrets with Alice
$ gpg --encrypt -r alice@etsy.com secret
gpg: AB123456: There is no assurance this key belongs to the named user
pub 2048g/AB123456 1969-08-01 Vincent Damon Furnier <alice@etsy.com>
Primary key fingerprint: 666C E666 CC66 6EB6 66DB B0B6 6678 6667 AB12 3456
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N)
43 08/28/12
Wednesday, September 5, 12
66. PGP for Smarties
Common threats to security:
44 08/28/12
Wednesday, September 5, 12
67. PGP for Smarties
Keypair generation
$ gpg --gen-key
[...]
Real name: Chad Dickerson
Email address: chad@etsy.com
Comment: CEO
You selected this USER-ID:
”Chad Dickerson (CEO) <chad@etsy.com>"
[...]
You need a Passphrase to protect your secret key.
[...]
pub 2048R/E157FAB8 2006-09-01
Key fingerprint = E2A7 437A 7AB8 6EA1 7E1D F6DC BF09 CDC9 E157 FAB8
uid Chad Dickerson (CEO) <chad@etsy.com>
[...]
$ gpg --send-keys E157FAB8
gpg: sending key E157FAB8 to hkp server keys.gnupg.net
$
45 08/28/12
Wednesday, September 5, 12
68. PGP for Smarties
Key Verification
• easily done in person
• easiest done if both parties actually know each
other
• reasonable authentication (for some
organizations, anyway – mix and match):
• Staff Directory info
• IRC handle
• shared domain username
• email
46 08/28/12
Wednesday, September 5, 12
69. PGP for Smarties
Key Verification
http://etsy.me/SZ9AQc
50 08/28/12
Wednesday, September 5, 12
70. PGP for Smarties
Web of Trust
52 08/28/12
Wednesday, September 5, 12
73. PGP for Smarties
Donald Sutherland
(Animal House)
John Belushi Kevin Bacon
(Animal House)
55 08/28/12
Wednesday, September 5, 12
74. PGP for Smarties
Donald Sutherland
(Lost Angels)
John Belushi Kevin Bacon
Pauly Shore
(Lost Angels)
56 08/28/12
Wednesday, September 5, 12
75. PGP for Smarties
Andy Dick
(In the Army now)
Donald Sutherland
John Belushi Kevin Bacon
Pauly Shore
(In the Army now)
57 08/28/12
Wednesday, September 5, 12
76. PGP for Smarties
Andy Dick
(Zoolander)
Claudia Schiffer
(Zoolander)
Donald Sutherland
John Belushi Kevin Bacon
Pauly Shore
58 08/28/12
Wednesday, September 5, 12
77. PGP for Smarties
Andy Dick
Claudia Schiffer
(Life without Dick)
Donald Sutherland
John Belushi Kevin Bacon
Sarah Jessica
Parker
(Life without Dick)
Pauly Shore
59 08/28/12
Wednesday, September 5, 12
78. PGP for Smarties
Andy Dick
Claudia Schiffer
Donald Sutherland
John Belushi Kevin Bacon
(Footlose)
Sarah Jessica
Parker
(Footlose)
Pauly Shore
60 08/28/12
Wednesday, September 5, 12
79. PGP for Smarties
Andy Dick
Claudia Schiffer
Donald Sutherland
John Belushi Kevin Bacon
Sarah Jessica
Parker
Pauly Shore
61 08/28/12
Wednesday, September 5, 12
80. PGP for Smarties
Problems with the Web of Trust
62 08/28/12
Wednesday, September 5, 12
82. PGP for Smarties
Web of Trust
• you have to trust every signing entity in your
trustpath
• the shorter the trustpath, the better
• the more nodes in your WoT, the better
• the more edges in your WoT, the better
• the fewer leaves, the better
• the more signatures a key has, the better
64 08/28/12
Wednesday, September 5, 12
83. PGP for Smarties
Key Verification
• becomes “Key Signing”
• makes no assertion of quality of character,
coding skills, weight-lifting abilities, taste in
movies, etc
• only asserts “I have verified that the key with
the fingerprint X belongs to person Y”
• nothing else
65 08/28/12
Wednesday, September 5, 12
84. PGP for Smarties
Key Signing
• retrieve signee’s key
• identify signee
• signee presents or confirms his/her key’s
fingerprint
• signer sends encrypted content to email on key
• signee decrypts, responds
• signer signs and uploads signee’s key
66 08/28/12
Wednesday, September 5, 12
85. PGP for Smarties
Long-Distance Key Signing
§ same as before modulo:
§ identify signee
› by trusted proxy (ie via WoT)
› call phone-# (desk + cell) listed in Staff
Directory
› multi-channel challenge response (Skype+IRC
+Email)
› control of uid on shared host
67 08/28/12
Wednesday, September 5, 12
86. PGP for Smarties
Please sign responsibly!
https://www.xkcd.com/364/
68 08/28/12
Wednesday, September 5, 12
87. PGP for Smarties
Wishlist
• key generation part of new-hire orientation
• manager signs new-hire key on first day
• team signs new-hire key on first team meeting
• regular keysigning events
• sensitive/important data is actually signed
• encrypted backups (+ self-restore)
• signed packages
• …
69 08/28/12
Wednesday, September 5, 12
88. PGP for Smarties
Be paranoid!
70 08/28/12
Wednesday, September 5, 12