Email Security with OpenPGP - An Appetizer

•Download as PPTX, PDF•

1 like•5,409 views

A 10 minute presentation on the concepts of PGP encryption and key management (public key cryptography, digital signatures), and pointers on how to get started.

Technology

Email Security with OpenPGP –
An Appetizer
OWASP Austin CryptoParty
David Ochel
2015-01-27
This work is licensed under a Creative Commons Attribution 4.0 International License.

“On the Internet, nobody knows
you’re a dog”
PGP – OWASP Austin 2015 Page 2© ttarasiuk, CC BY 2.0, modified,
https://www.flickr.com/photos/tara_siuk/3027646100/
Bob
© Wilson Afonso, CC BY 2.0, no changes,
https://www.flickr.com/photos/wafonso/4444143159
Alice

• Pretty Good Privacy (PGP) –
a software program
– Commercial – Symantec
– Free – GnuPG
• A protocol/standard
– OpenPGP – RFC 4880 et al.
• Based on encryption technology
– Public-key (asymmetric) cryptography
– But also secure hashing, symmetric encryption, …
PGP – OWASP Austin 2015 Page 3

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgOtlqdRMXtP4e3EJjWbiiI2Yf
zo8s0spD+qzCOOUZw46ztyg0UmAr8dF0HT84CIUAudvYBvZsqcwrJKAo4V+3w0kR
13MgDL9K4rZTU/JF8ExQ2qP1sREbX1JeRW6tMkCwLYD14SCTVwuyMrrq0r+UgTDz
ckKzFHhuppZyCytwRQIDAQAB
-----END PUBLIC KEY-----
1. Key Generation: Math!
– Generate two linked keys (“public” and “private”)
– Public key: distribute widely;
private key: keep secret!
– Keyrings!
PGP – OWASP Austin 2015 Page 4

Encryption
2. Encryption / Decryption
PGP – OWASP Austin 2015 Page 5

Encryption
PGP – OWASP Austin 2015 Page 6

Encryption
PGP – OWASP Austin 2015 Page 7
3. Encryption / Decryption!

Electronic
Signature
Plaintext
Hash Value
Signature
PGP – OWASP Austin 2015 Page 8

Avoiding Mallory,
The Man in the Middle
PGP – OWASP Austin 2015 Page 13
Charlie
Bob
Mallory,
The malicious Interceptor
Needs to send a
Secret Email
trust
trust Alice

Web of Trust – Keys Signed by Many
Key Holders – On Public Keyservers
PGP – OWASP Austin 2015 Page 16
http://pgp.mit.edu/pks/lookup?search=leo%4
0debian&op=vindex&fingerprint=on

A Key-Signing Party?
1. Obtain fingerprint (and key ID) of user – in
person!
2. Validate user’s ID and make a note that you
have validated
3. Go home and retrieve key (look up on
keyserver by key ID), check fingerprint, sign
key, and upload signed key
Fingerprint – cryptographic hash of a public key
PGP – OWASP Austin 2015 Page 17

How to get started with PGP?
• Obtain GnuPG (or other OpenPGP alternative),
and GUI or plugin for application of choice
• Generate a key(pair)
• Protect private key with strong password
– Make a backup of the private key (hardcopy?)
• Use it!
– Encrypt files on your disk
– Encrypt emails
– Trade public keys with your OWASP friends
PGP – OWASP Austin 2015 Page 18

Resources – Google…
• Public-key Cryptography
• Implementations
– GnuPG (command line) – http://www.gnupg.org
– Enigmail (Thunderbird plugin)
– Web plugins
– Outlook plugin (part of Gpg4win)
– Android
– iOS
– …
• keybase.io – trust into keys through social media
• OpenPGP Card – store private keys on a smart card
PGP – OWASP Austin 2015 Page 19

Contact: David Ochel
do@ochel.net, @lostgravity, http://secuilibrium.com
Key ID: 0xA26EF725
Fingerprint: 4233 C5AA 73F9 EC1F D54B
CC31 A2F8 3F14 A26E F725
PGP – OWASP Austin 2015 Page 21http://xkcd.com/364/

What's hot

How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...

AlienVault

The Making of a simple Cyber Threat Intelligence Gathering System

Niran Seriki, CCISO, CISM

Hacking Portugal and making it a global player in Software development As technology and software becomes more and more important to Portuguese society it is time to take it seriously and really become a player in that world. Application Security can act as an enabler, due to its focus on how code/apps actually work, and its enormous drive on secure-coding, testing, dev-ops and quality. This presentation will provide a number of paths for making Portugal a place where programming, TDD, Open Source, learning how to code, hacking and DevOps are first class citizens.

Hacking Portugal v1.1

Dinis Cruz

Jcv course contents

Vasanti Dutta

David Klein - Defending Against Nation Sate Attackers & Ransomware

CSNP

The presentation focuses on the whole process of security testing and present it by analogies to the web applications which are quite well-known. It covers the whole SDLC and show the similarities and differences in the arsenal of vulnerabilities, security tools and standards between the smart contracts and web applications on each step. Even though there exist a lot of great security projects for smart contracts, we do not have single, widely accepted security standard (such as ASVS in web apps world). That is why we introduce SCSVS (Smart Contract Security Verification Standard), a open-source 13-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards

SecuRing

Cyber threat Intelligence and Incident Response by:-Sandeep Singh

OWASP Delhi

From SANS Cyber Threat Intelligence Summit 2016. What are the characteristics of a mature cyber threat intelligence program, and how do you develop meaningful metrics? Traditionally, intelligence has been about providing decision support to executives whilst the field of cyber threat intelligence supports this customer, and network defenders, who have different requirements. By using the intelligence cycle, this talk will seek to help attendees understand how they can identify what a mature intelligence program looks like and the steps to take their program to the next level.

Cyber threat intelligence: maturity and metrics

Mark Arena

Real World Threat Hunting Security threats have grown from network annoyances to attacks on sensitive infrastructure; penetrating network perimeters, moving laterally within networks, breaching new device types, and cloaking movements. This presentation will share techniques utilized by Cisco to detect and investigate sophisticated, embedded threats. The speaker, who has conducted monitoring and investigations on customer networks, will review recent real attacks observed on customer networks, from discovery to remediation, and provide lessons learned. These interactive case examples will highlight how to identify these threats using security intelligence, expert staff, and the Cisco OpenSOC platform. Examples of attacks and illustrations: * Sophisticated phishing attacks targeted at customer environments. * Breaches and data exfiltration resulting from the high-profile HeartBleed and Shellshock vulnerabilities. * Sophisticated malware targeting financial institutions with the goal of data theft. * Use of full packet capture to identify data exfiltration.

CONFidence2015: Real World Threat Hunting - Martin Nystrom

PROIDEA

Berkarir di Cyber Security

Satria Ady Pradana

Owasp Mobile Top 10 - M7 & M8

5h1vang

Transactions and customer interactions flowing through your contact center and other customer support lines are the financial lifeblood of your enterprise. Unfortunately, security threats such as Telephony Denial of Service (TDoS) attacks and fraudulent social engineering schemes are dramatically increasing and becoming more difficult to detect and prevent. These and other threatening, negative value calls are having a significant, operational impact on many financial, heath care, retail, emergency response, and other organizations across North America.

Keeping Denial of Service and Financial Fraud out of Your Contact Center

Case IQ

Corporate Espionage without the Hassle of Committing Felonies

John Bambenek

Security experts from Mediacurrent, Townsend Security and Lockr uncover how you can protect your site from the growing cybercrime business by starting off on the right foot. This interactive webinar will get you the foundation you need to protect your site and your organization when using Drupal. YOU'LL LEARN: Security by design in Drupal Site audit and security best practices Encrypting sensitive data Key management (encryption & API) Resources to improve security

Security by Design: An Introduction to Drupal Security

Tara Arnold

Delivered at ACSC in Canberra on 11 April 2018. Better font colours. This presentation builds upon previous research Intel 471 has undertaken with Dhia Majoub (Cisco/OpenDNS) and Jason Passwaters (Intel 471) Upgrading your Cyber Threat Intelligence to Track Down Criminal Hosting Infrastructure Dhia Majoub - https://www.sans.org/summit-archives/file/summit-archive-1517343456.pdf VB 2017: BPH exposed - RBN never left they just adapted and evolved. Did you? Jason Passwaters / Dhia Majoub - https://www.virusbulletin.com/conference/vb2017/abstracts/bph-exposed-rbn-never-left-they-just-adapted-and-evolved-did-you

The Cybercriminal Underground: Understanding and categorising criminal market...

Mark Arena

While network security teams are starting to shift their focus from perimeter defense to post-breach detection, traditional detection tools fall short of the mark, either generating far too many false-positives or altogether failing to detect attacks in real time. Modern Deception, which Gartner recently rated as a top security technology, changes the game. The goal of a deception defense is to lure attackers to ‘decoy’ assets that look and feel real but aren’t. By engaging with a deception environment that automatically updates to match the real network or cloud environment, attackers or malicious insiders essentially reveal themselves to the organization without knowing it. Learn how your organization can use deception defenses to ensure an efficient and strong post-breach defense.

Fidelis - Live Demonstration of Deception Solution

Fidelis Cybersecurity

Down The Rabbit Hole, From Networker to Security Professional

Satria Ady Pradana

Cryptogaphy

Mustahid Ali

Cyber Threat Intelligence: Building and maturing an intelligence program that...

Mark Arena

Delivered at ACSC in Canberra on 11 April 2018. I uploaded a version with easier to read font colours at https://www.slideshare.net/MarkArena/the-cybercriminal-underground-understanding-and-categorising-criminal-marketplace-activity-93856202 This presentation builds upon previous research Intel 471 has undertaken with Dhia Majoub (Cisco/OpenDNS) and Jason Passwaters (Intel 471) Upgrading your Cyber Threat Intelligence to Track Down Criminal Hosting Infrastructure Dhia Majoub - https://www.sans.org/summit-archives/file/summit-archive-1517343456.pdf VB 2017: BPH exposed - RBN never left they just adapted and evolved. Did you? Jason Passwaters / Dhia Majoub - https://www.virusbulletin.com/conference/vb2017/abstracts/bph-exposed-rbn-never-left-they-just-adapted-and-evolved-did-you

The Cybercriminal Underground: Understanding and categorising criminal market...

Mark Arena

What's hot (20)

How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...

The Making of a simple Cyber Threat Intelligence Gathering System

Hacking Portugal v1.1

Jcv course contents

David Klein - Defending Against Nation Sate Attackers & Ransomware

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards

Cyber threat Intelligence and Incident Response by:-Sandeep Singh

Cyber threat intelligence: maturity and metrics

CONFidence2015: Real World Threat Hunting - Martin Nystrom

Berkarir di Cyber Security

Owasp Mobile Top 10 - M7 & M8

Keeping Denial of Service and Financial Fraud out of Your Contact Center

Corporate Espionage without the Hassle of Committing Felonies

Security by Design: An Introduction to Drupal Security

The Cybercriminal Underground: Understanding and categorising criminal market...

Fidelis - Live Demonstration of Deception Solution

Down The Rabbit Hole, From Networker to Security Professional

Cryptogaphy

Cyber Threat Intelligence: Building and maturing an intelligence program that...

The Cybercriminal Underground: Understanding and categorising criminal market...

Viewers also liked

NIST CyberSecurity Framework: An Overview

Tandhy Simanjuntak

What You Need to Know About Email Authentication

Kurt Andersen

Powerful email protection

F-Secure Corporation

Email security

Indrajit Sreemany

Email Security Presentation

Yosef Gamble

NISTs Cybersecurity Framework -- Comparison with Best Practice

David Ochel

Email Security Overview

- Mark - Fullbright

S/MIME & E-mail Security (Network Security)

Prafull Johri

NIST Cybersecurity Framework - Mindmap

WAJAHAT IQBAL

Introduction to NIST Cybersecurity Framework

Tuan Phan

Iso 27001 2013 Standard Requirements

Uppala Anand

In this article I will provide an Overview of A new Information Security Management System Standard ISO/IEC 27001:2013 , The new standard just Published from a few Days Earlier . ISO/IEC 27001:2013 Provides requirements for Establishing, Implementing, Maintaining and Continually Improving an Information Security Management System. ISO/IEC 27001:2013 gives Organization a Perfect Information Security management framework for implementing and maintaining security. In this Article, I tried to shed some light on new standard and its Mandatory Requirements, Optional Requirements , Structure , Benefits , Certification Process and Estimated time for Implementation and Certification.

ISO/IEC 27001:2013 An Overview

Ahmed Riad .

Email Security and Awareness

Sanjiv Arora

ISO 27001 - Information Security Management System

Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master

Viewers also liked (14)

NIST CyberSecurity Framework: An Overview

What You Need to Know About Email Authentication

Powerful email protection

Email security

Email Security Presentation

NISTs Cybersecurity Framework -- Comparison with Best Practice

Email Security Overview

S/MIME & E-mail Security (Network Security)

NIST Cybersecurity Framework - Mindmap

Introduction to NIST Cybersecurity Framework

Iso 27001 2013 Standard Requirements

ISO/IEC 27001:2013 An Overview

Email Security and Awareness

ISO 27001 - Information Security Management System

Similar to Email Security with OpenPGP - An Appetizer

FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...

Paulo Henrique

MNSEC 2018 - Observations from the APNIC Community Honeynet Project

MNCERT

A Kanterakis - PyPedia: a python crowdsourcing development environment for bi...

Jan Aerts

Ug soar 22sep21

Eric Gardner

Logs sammeln, visualisieren und nun? Dieser Vortrag stellt Graylog2 und dessen Alarmierungsmöglichkeiten in Verbindung mit Icinga 2 als Echtzeitüberwachungstool vor. Haben Sie schonmal check_logfiles verwendet, um im Server-Log nach Problemen zu suchen? Graylog2 bietet eine "Alert-Stream-Api" als Schnittstelle für Icinga 2 und dessen skalierbare Architektur an, welche jede Sekunde eine Vielzahl an Log-Alarmierungen senden und empfangen kann. Graylog2 ist eine freie Open-Source-Lösung für Log-Management, die Ihre Log-Dateien empfängt, aufbereitet und im ElasticSearch-Backend abspeichert. Diese Logs können in einer funktionsreichen Weboberfläche analysiert werden. Graylog2 kann Milliarden von Logeinträgen verwalten und kann ebenso viele verschiedene Formate aus unterschiedlichen Transportquellen aufbereiten. Icinga 1 und Icinga 2 sind Open-Source-Monitoring-Systeme der Enterprise-Klasse, die das Netzwerk und dessen Ressourcen überwachen, Benutzer über Probleme und deren Recovery notifizieren, sowie Performance-Daten für das Reporting generieren. Obwohl beide skalier- und erweiterbar sind, wurde Icinga 2 für die Überwachung von komplexen, großen Umgebungen über verteilte Standorte out-of-the-box entworfen. Der Vortrag bietet viele Internas der beiden beteiligten Entwickler und detaillierte Live Demo.

OSMC 2014 | Log Monitoring simplified - Get the best out of Graylog2 & Icinga...

NETWAYS

Securing Back Office Business Processes with OpenVPN

A Green

Log Monitoring Simplified - Get the best out of Graylog2 & Icinga 2

Icinga

OSINT tools for security auditing [FOSDEM edition]

Jose Manuel Ortega Candel

OpenId Connect Protocol

Michael Furman

OSINT tools for security auditing with python

Jose Manuel Ortega Candel

Post password era - Bernard Toplak, OWASP Croatia Meetup 2016

Bernard Toplak

In this talk we will talk about how to ensure the security and quality of the software we deploy on Kubernetes using open-source tools like Sigstore, Kyverno and Syft/Grype. We will explain what a secure supply chain is, why it is important and how to implement it with these tools. We will also show you how to generate and verify SBOMs (Software Bill of Materials) of your OCI (Open Container Initiative) artifacts. And finally, we will show you some practical examples of how to use these technologies in action. We hope you enjoy it and find it useful!

KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes

sparkfabrik

Session slides from Future Insights Live, Vegas 2015: https://futureinsightslive.com/las-vegas-2015/ So many network intrusions, so many email spools made public. Remember HBGary, Stratfor, 'The Fappening', Sony Pictures hacks? How about the Snowden Files? The potential liabilities of communicating in plain text has become too expensive to continue to do so. Zero-Knowledge systems can be made useful, elegant even. The problem with putting privacy first in our communications tools is that most of the existing privacy applications were created by crypto-nerds, most of whom have never overlapped with the world of UX. In this talk, Privacy will be put at the core of application design by way of new metaphors for arcane cryptography jargon (that few endusers understand). Using frameworks and services created for this new 'privacy first' era, your application can be built in a way that removes liability, is regulatory-compliant and elegant.

Privacy is a UX problem (David Dahl)

Future Insights

Sniffing

charismapribadi

Atm Security System Using Steganography Nss ptt by (rohit malav)

Rohit malav

Collect your logs, visualize them, and now what? This talk will introduce Graylog2 and its alert features in combination with a high performance monitoring core, Icinga 2. Have you ever used check_logfiles grep'ing the (remote) syslog? Introducing Graylog2's alert stream API combined with Icinga 2's scalable performance in checking for or receiving log alerts will show how to monitor your logs every second and beyond. This talk will provide insights presented by the two lead developers including a live demo. Graylog2 is a free and open source log management system that processes your logs, stores them in ElasticSearch and allows you to analyze them in a rich web interface. It is able to manage billions of log messages and parses many formats coming from many transports. Icinga 1 and Icinga 2 are enterprise-grade open source monitoring systems that keep watch over a network and any conceivable network resource, notify users of errors and recoveries, and generate performance data for reporting. Though both are scalable and extensible, Icinga 2 is designed to monitor complex, large environments across dispersed locations out-of-the-box.

OSMC 2014: Log monitoring simplified - Get the best out of Graylog2 & Icinga ...

NETWAYS

Have you ever wonder if the access to your cloud kingdom is secure? Have you ever thought how cyber criminals are hunting for your secrets? How can you be sure that your secret is not “mistakenly” available to the public? In my presentation I’m going to present you hackish methods used by cyber criminals to find access keys in the public Internet. How can Shannon Entropy help you? During the presentation, I’ll release my own scaners to search AWS and Azure space and in the end I will demonstrate my own tool to analyze big amounts of data in search for sensitive data. Lots of demos, technical stuff and educating moral for unaware specialists in the end. It’s gonna be fun! Additional materials: https://www.securing.biz/en/seven-step-guide-to-securing-your-aws-kingdom/index.html

Hunting for the secrets in a cloud forest

SecuRing

Have you ever wonder if the access to your cloud kingdom is secure? Have you ever thought how cyber criminals are hunting for your secrets? How can you be sure that your secret is not "mistakenly" available to the public? In my presentation I'm going to present you hackish methods used by cyber criminals to find access keys, credentials and other secrets in the public Internet. How can Shannon Entropy help you to do that? This is a presentation about my tool the DumpsterDiver (https://github.com/securing/DumpsterDiver) and the BucketScanner (https://github.com/securing/BucketScanner).

Hunting for the secrets in a cloud forest

Pawel Rzepa

Have you ever wonder if the access to your cloud kingdom is secure? Have you ever thought how cyber criminals are hunting for your secrets? How can you be sure that your secret is not "mistakenly" available to the public? In my presentation I'm going to present you hackish methods used by cyber criminals to find access keys, credentials and other secrets in the public Internet. How can Shannon Entropy help you to do that? During the presentation, I'll release my own scanners to search AWS space and in the end I will demonstrate my own tool to analyse big amounts of data in search for sensitive data. Lots of demos, technical stuff and educating moral for unaware specialists in the end. It's gonna be fun!

CONFidence 2018: Hunting for the secrets in a cloud forest (Paweł Rzepa)

PROIDEA

This presentation will encompass the following: • An overview of the OWASP IoT Top 10: Understanding IoT Vulnerabilities and Risks to Offices / Homes • Smart home wireless communication standards and their weaknesses: Bluetooth, Z-Wave, ZigBee, Wi-Fi, NFC, RFID • Exploiting vulnerable networked smart devices (e.g. smart TVs, refrigerators, etc.) as a means to get foot in the door and attack core infrastructure (laptops, workstations, servers) • Attacks against smart products connected to your network or controlled directly via your mobile device • Performing security evaluations of smart products using frameworks like the OWASP Application Security Verification Standard (ASVS) • Tools and resources for securing smart devices and their implementations • DEMOs – vulnerabilities and most common issues in smart devices – real examples of the OWASP IoT Top 10 • Exploiting smart devices, such as: TVs, media streaming devices, refrigerators, thermostats, smart plugs, security locks and cameras, health/fitness devices, wearables, office smart hubs, home automation products, and more… Originally presented at IT Audits & Control Conference 2015.

OWASP – Internet of Things (IoT) – Top 10 Vulnerabilities List

Bishop Fox

Similar to Email Security with OpenPGP - An Appetizer (20)

FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...

MNSEC 2018 - Observations from the APNIC Community Honeynet Project

A Kanterakis - PyPedia: a python crowdsourcing development environment for bi...

Ug soar 22sep21

OSMC 2014 | Log Monitoring simplified - Get the best out of Graylog2 & Icinga...

Securing Back Office Business Processes with OpenVPN

Log Monitoring Simplified - Get the best out of Graylog2 & Icinga 2

OSINT tools for security auditing [FOSDEM edition]

OpenId Connect Protocol

OSINT tools for security auditing with python

Post password era - Bernard Toplak, OWASP Croatia Meetup 2016

KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes

Privacy is a UX problem (David Dahl)

Sniffing

Atm Security System Using Steganography Nss ptt by (rohit malav)

OSMC 2014: Log monitoring simplified - Get the best out of Graylog2 & Icinga ...

Hunting for the secrets in a cloud forest

CONFidence 2018: Hunting for the secrets in a cloud forest (Paweł Rzepa)

OWASP – Internet of Things (IoT) – Top 10 Vulnerabilities List

Recently uploaded

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Scaling API-first – The story of a global engineering organization

Radu Cotescu

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Real Time Object Detection Using Open CV

Khem

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script

Artificial Intelligence Chap.5 : Uncertainty

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

How to Troubleshoot Apps for the Modern Connected Worker

Boost Fertility New Invention Ups Success Rates.pdf

🐬 The future of MySQL is Postgres 🐘

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Scaling API-first – The story of a global engineering organization

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Strategies for Landing an Oracle DBA Job as a Fresher

The 7 Things I Know About Cyber Security After 25 Years | April 2024

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Boost PC performance: How more available memory can improve productivity

Apidays New York 2024 - The value of a flexible API Management solution for O...

Real Time Object Detection Using Open CV

Email Security with OpenPGP - An Appetizer

1. Email Security with OpenPGP – An Appetizer OWASP Austin CryptoParty David Ochel 2015-01-27 This work is licensed under a Creative Commons Attribution 4.0 International License.

2. “On the Internet, nobody knows you’re a dog” PGP – OWASP Austin 2015 Page 2© ttarasiuk, CC BY 2.0, modified, https://www.flickr.com/photos/tara_siuk/3027646100/ Bob © Wilson Afonso, CC BY 2.0, no changes, https://www.flickr.com/photos/wafonso/4444143159 Alice

3. • Pretty Good Privacy (PGP) – a software program – Commercial – Symantec – Free – GnuPG • A protocol/standard – OpenPGP – RFC 4880 et al. • Based on encryption technology – Public-key (asymmetric) cryptography – But also secure hashing, symmetric encryption, … PGP – OWASP Austin 2015 Page 3

4. -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgOtlqdRMXtP4e3EJjWbiiI2Yf zo8s0spD+qzCOOUZw46ztyg0UmAr8dF0HT84CIUAudvYBvZsqcwrJKAo4V+3w0kR 13MgDL9K4rZTU/JF8ExQ2qP1sREbX1JeRW6tMkCwLYD14SCTVwuyMrrq0r+UgTDz ckKzFHhuppZyCytwRQIDAQAB -----END PUBLIC KEY----- 1. Key Generation: Math! – Generate two linked keys (“public” and “private”) – Public key: distribute widely; private key: keep secret! – Keyrings! PGP – OWASP Austin 2015 Page 4

5. Encryption 2. Encryption / Decryption PGP – OWASP Austin 2015 Page 5

6. Encryption PGP – OWASP Austin 2015 Page 6

7. Encryption PGP – OWASP Austin 2015 Page 7 3. Encryption / Decryption!

8. Electronic Signature Plaintext Hash Value Signature PGP – OWASP Austin 2015 Page 8

9. Avoiding Mallory, The Man in the Middle PGP – OWASP Austin 2015 Page 13 Charlie Bob Mallory, The malicious Interceptor Needs to send a Secret Email trust trust Alice

10. Web of Trust – Keys Signed by Many Key Holders – On Public Keyservers PGP – OWASP Austin 2015 Page 16 http://pgp.mit.edu/pks/lookup?search=leo%4 0debian&op=vindex&fingerprint=on

11. A Key-Signing Party? 1. Obtain fingerprint (and key ID) of user – in person! 2. Validate user’s ID and make a note that you have validated 3. Go home and retrieve key (look up on keyserver by key ID), check fingerprint, sign key, and upload signed key Fingerprint – cryptographic hash of a public key PGP – OWASP Austin 2015 Page 17

12. How to get started with PGP? • Obtain GnuPG (or other OpenPGP alternative), and GUI or plugin for application of choice • Generate a key(pair) • Protect private key with strong password – Make a backup of the private key (hardcopy?) • Use it! – Encrypt files on your disk – Encrypt emails – Trade public keys with your OWASP friends PGP – OWASP Austin 2015 Page 18

13. Resources – Google… • Public-key Cryptography • Implementations – GnuPG (command line) – http://www.gnupg.org – Enigmail (Thunderbird plugin) – Web plugins – Outlook plugin (part of Gpg4win) – Android – iOS – … • keybase.io – trust into keys through social media • OpenPGP Card – store private keys on a smart card PGP – OWASP Austin 2015 Page 19

14. Contact: David Ochel do@ochel.net, @lostgravity, http://secuilibrium.com Key ID: 0xA26EF725 Fingerprint: 4233 C5AA 73F9 EC1F D54B CC31 A2F8 3F14 A26E F725 PGP – OWASP Austin 2015 Page 21http://xkcd.com/364/

Editor's Notes

Asynchronous Internet communication (email!) has two issues: Privacy Authenticity
Created 1991 by Phil Zimmermann as opern-source privacy tool PGP, Inc. (’96), Network Associates, (‘97), PGP Corp. (‘02), Symantec (‘10) Standardized as OpenPGP (RFC 4880, etc.) starting ‘98 GUN Privacy Guard (GnuPG, GPG) starting ’97 There are a number of good and easy-to-use tools out there implementing PGP. We are going to fcous on understanding the principles behind it, since that enables “secure” use of the tools.
Public-key cryptography The title is a 1024 bit RSA key.
In practice, there is symmetric encryption and hashing involved.
In reality, we hash messages before encrypting them in order to create an eletronic signature.
In reality, we hash messages before encrypting them in order to create an eletronic signature.
Keyring!

Email Security with OpenPGP - An Appetizer

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (14)

Similar to Email Security with OpenPGP - An Appetizer

Similar to Email Security with OpenPGP - An Appetizer (20)

Recently uploaded

Recently uploaded (20)

Email Security with OpenPGP - An Appetizer

Editor's Notes