A 10 minute presentation on the concepts of PGP encryption and key management (public key cryptography, digital signatures), and pointers on how to get started.
Email Security with OpenPGP - An Appetizer
1. Email Security with OpenPGP – An Appetizer
OWASP Austin CryptoParty
David Ochel
2015-01-27
This work is licensed under a Creative Commons Attribution 4.0 International License.
9. Avoiding Mallory, The Man in the Middle
PGP – OWASP Austin 2015 Page 13
(Diagram: Alice needs to send a secret email to Bob. Mallory, the malicious interceptor, sits between them. Charlie and two “trust” arrows, one pointing at Alice, complete the picture.)
10. Web of Trust – Keys Signed by Many Key Holders – On Public Keyservers
http://pgp.mit.edu/pks/lookup?search=leo%40debian&op=vindex&fingerprint=on
11. A Key-Signing Party?
1. Obtain fingerprint (and key ID) of user – in person!
2. Validate user’s ID and make a note that you have validated
3. Go home and retrieve key (look up on keyserver by key ID), check fingerprint, sign key, and upload signed key
Fingerprint – cryptographic hash of a public key
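As an added worked example (not part of the original slides), the Python below shows what “fingerprint – cryptographic hash of a public key” means concretely: it builds a v4 RSA public-key packet body, hashes it the way RFC 4880 defines the fingerprint, derives the key IDs used for keyserver lookup, and performs the step-3 comparison against a fingerprint noted on paper. The key material is a constructed, tiny modulus and the creation time is assumed; neither is a real key.

```python
import hashlib
import struct

# Constructed demo key: a tiny modulus so the bytes are easy to follow.
# Not a usable key; the fingerprint algorithm is identical for real 2048+ bit keys.
DEMO_CREATED = 1422316800  # assumed creation time (2015-01-27 UTC)
DEMO_N = 0xC0FFEE_D00D_F00D_BEEF_1234_5678_9ABC_DEF1
DEMO_E = 65537


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 Public-Key packet for RSA: version 4, creation time, algorithm 1, MPIs n and e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """V4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, the 2-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fpr: str, long: bool = True) -> str:
    """Key IDs are only the low-order 64 (long) or 32 (short) bits of the fingerprint.
    They are fine for looking a key up, but too short to prove you got the right one."""
    return fpr[-16:] if long else fpr[-8:]


def matches_noted_fingerprint(noted: str, body: bytes) -> bool:
    """Step 3 of the party: compare the fingerprint you wrote down with the key you retrieved.
    Spacing and case of the hand-written note are ignored; all 40 hex digits must match."""
    normalized = "".join(noted.split()).upper()
    return len(normalized) == 40 and normalized == v4_fingerprint(body)


def format_fingerprint(fpr: str) -> str:
    """Group into ten blocks of four, the way gpg --fingerprint prints it."""
    return " ".join(fpr[i:i + 4] for i in range(0, 40, 4))


if __name__ == "__main__":
    body = rsa_public_key_body(DEMO_CREATED, DEMO_N, DEMO_E)
    fpr = v4_fingerprint(body)
    print("fingerprint:", format_fingerprint(fpr))
    print("long key ID: 0x" + key_id(fpr), "short key ID: 0x" + key_id(fpr, long=False))
```

Changing any byte of the key packet, including its creation time, changes the fingerprint entirely, which is why the full 40 hex digits are what you compare at home, not the key ID you searched by.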
12. How to get started with PGP?
• Obtain GnuPG (or other OpenPGP alternative), and GUI or plugin for application of choice
• Generate a key(pair)
• Protect private key with strong password
– Make a backup of the private key (hardcopy?)
• Use it!
– Encrypt files on your disk
– Encrypt emails
– Trade public keys with your OWASP friends
13. Resources – Google…
• Public-key Cryptography
• Implementations
– GnuPG (command line) – http://www.gnupg.org
– Enigmail (Thunderbird plugin)
– Web plugins
– Outlook plugin (part of Gpg4win)
– Android
– iOS
– …
• keybase.io – trust into keys through social media
• OpenPGP Card – store private keys on a smart card
Asynchronous Internet communication (email!) has two issues:
Privacy
Authenticity
Created 1991 by Phil Zimmermann as open-source privacy tool
PGP, Inc. (’96), Network Associates, (‘97), PGP Corp. (‘02), Symantec (‘10)
Standardized as OpenPGP (RFC 4880, etc.) starting ‘98
GNU Privacy Guard (GnuPG, GPG) starting ’97
There are a number of good and easy-to-use tools out there implementing PGP. We are going to focus on understanding the principles behind it, since that enables “secure” use of the tools.
Public-key cryptography
The title is a 1024 bit RSA key.
In practice, there is symmetric encryption and hashing involved.
In reality, we hash messages before encrypting them in order to create an electronic signature.