
Email Security with OpenPGP - An Appetizer


A 10-minute presentation on the concepts of PGP encryption and key management (public-key cryptography, digital signatures), with pointers on how to get started.



  1. Email Security with OpenPGP – An Appetizer. OWASP Austin CryptoParty, David Ochel, 2015-01-27. This work is licensed under a Creative Commons Attribution 4.0 International License.
  2. “On the Internet, nobody knows you’re a dog” (Alice and Bob). Image credits: © ttarasiuk, CC BY 2.0, modified, https://www.flickr.com/photos/tara_siuk/3027646100/; © Wilson Afonso, CC BY 2.0, no changes, https://www.flickr.com/photos/wafonso/4444143159. Footer: PGP – OWASP Austin 2015, Page 2
  3. • Pretty Good Privacy (PGP) – a software program
       – Commercial – Symantec
       – Free – GnuPG
     • A protocol/standard – OpenPGP – RFC 4880 et al.
     • Based on encryption technology
       – Public-key (asymmetric) cryptography
       – But also secure hashing, symmetric encryption, …
  4. 1. Key Generation: Math!
     -----BEGIN PUBLIC KEY-----
     MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgOtlqdRMXtP4e3EJjWbiiI2Yf
     zo8s0spD+qzCOOUZw46ztyg0UmAr8dF0HT84CIUAudvYBvZsqcwrJKAo4V+3w0kR
     13MgDL9K4rZTU/JF8ExQ2qP1sREbX1JeRW6tMkCwLYD14SCTVwuyMrrq0r+UgTDz
     ckKzFHhuppZyCytwRQIDAQAB
     -----END PUBLIC KEY-----
     – Generate two linked keys (“public” and “private”)
     – Public key: distribute widely; private key: keep secret!
     – Keyrings!
  5. 2. Encryption / Decryption (diagram: Encryption)
  6. Encryption (diagram)
  7. 3. Encryption / Decryption! (diagram: Encryption)
  8. Electronic Signature (diagram labels: Plaintext, Hash Value, Signature)
  9. Avoiding Mallory, The Man in the Middle (diagram labels: Alice, Bob, Charlie, Mallory – the malicious interceptor, “needs to send a secret email”, “trust”, “trust”)
  10. Web of Trust
      – Keys signed by many key holders
      – On public keyservers, e.g. http://pgp.mit.edu/pks/lookup?search=leo%40debian&op=vindex&fingerprint=on
  11. A Key-Signing Party?
      1. Obtain fingerprint (and key ID) of user – in person!
      2. Validate user’s ID and make a note that you have validated
      3. Go home and retrieve key (look up on keyserver by key ID), check fingerprint, sign key, and upload signed key
      Fingerprint – cryptographic hash of a public key
  12. How to get started with PGP?
      • Obtain GnuPG (or other OpenPGP alternative), and a GUI or plugin for your application of choice
      • Generate a key(pair)
      • Protect private key with strong password
        – Make a backup of the private key (hardcopy?)
      • Use it!
        – Encrypt files on your disk
        – Encrypt emails
        – Trade public keys with your OWASP friends
  13. Resources – Google…
      • Public-key Cryptography
      • Implementations
        – GnuPG (command line) – http://www.gnupg.org
        – Enigmail (Thunderbird plugin)
        – Web plugins
        – Outlook plugin (part of Gpg4win)
        – Android
        – iOS
        – …
      • keybase.io – trust into keys through social media
      • OpenPGP Card – store private keys on a smart card
  14. Contact: David Ochel, do@ochel.net, @lostgravity, http://secuilibrium.com
      Key ID: 0xA26EF725
      Fingerprint: 4233 C5AA 73F9 EC1F D54B CC31 A2F8 3F14 A26E F725
      Comic: http://xkcd.com/364/
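Slides 4 to 8 sketch the three operations behind PGP: generating two linked keys, encrypting with the public key and decrypting with the private one, and signing a hash value of the plaintext. The following is an added worked example, not code from the talk: textbook RSA with a tiny modulus and no padding, enough to show the math but in no way a secure or OpenPGP-compatible implementation (real OpenPGP encrypts the message with a symmetric session key and uses the public key only to wrap that key, RFC 4880). The primes 61 and 53, the exponent 17 and the sample message are constructed values.

```python
"""Toy RSA walk-through of key generation, encrypt/decrypt and hash-then-sign.

Added illustration for the slides, not the talk's own code. Textbook RSA
with a tiny modulus and no padding: it demonstrates the arithmetic only.
"""
import hashlib
from math import gcd


def generate_keypair(p: int, q: int, e: int = 17):
    """Slide 4: derive the two linked keys from two primes.

    Returns (public, private). Public (n, e) is distributed widely;
    private (n, d) must be kept secret.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Slides 5 to 7: anyone holding the public key can encrypt for its owner."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the matching private key recovers the plaintext."""
    n, d = private_key
    return pow(c, d, n)


def hash_value(plaintext: bytes, n: int) -> int:
    """Slide 8: hash value of the plaintext, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n


def sign(private_key, plaintext: bytes) -> int:
    """The private key is applied to the hash value, not to the plaintext."""
    n, d = private_key
    return pow(hash_value(plaintext, n), d, n)


def verify(public_key, plaintext: bytes, signature: int) -> bool:
    """Anyone with the public key checks that the recovered hash matches."""
    n, e = public_key
    return pow(signature, e, n) == hash_value(plaintext, n)


def demo() -> dict:
    """Run all three operations on constructed inputs and return the results."""
    public, private = generate_keypair(61, 53)  # n = 3233, classic textbook primes
    ciphertext = encrypt(public, 65)
    message = b"Alice to Bob: meet at the CryptoParty"  # constructed sample
    signature = sign(private, message)
    return {
        "public": public,
        "private": private,
        "ciphertext": ciphertext,
        "roundtrip": decrypt(private, ciphertext),
        "signature_ok": verify(public, message, signature),
        "tampered_ok": verify(public, message + b"!", signature),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and `tampered_ok` comes back false: changing a single byte of the plaintext changes its hash value, so the signature no longer verifies, which is the property the "Electronic Signature" slide relies on.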
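Slides 9 and 10 ask how Alice avoids encrypting to a key Mallory planted in Bob's name: she relies on signatures from key holders she trusts. The block below is an added example with a constructed keyring, not GnuPG code; it applies the rule GnuPG uses by default (a key is valid if Alice signed it herself, or if it carries signatures from valid keys whose owners she trusts as introducers, one fully trusted or three marginally trusted). The names Charlie, Gina, Hal, Ian, Dan and the sock-puppet signers are constructed.

```python
"""Web-of-trust validity check from Alice's point of view.

Added illustration, not GnuPG's code. The thresholds are GnuPG's defaults
(--completes-needed 1, --marginals-needed 3); the keyring is constructed.
"""
from dataclasses import dataclass, field

FULL = "full"
MARGINAL = "marginal"
COMPLETES_NEEDED = 1   # one fully trusted introducer is enough
MARGINALS_NEEDED = 3   # or three marginally trusted introducers


@dataclass
class Key:
    user_id: str
    signed_by: frozenset = field(default_factory=frozenset)  # user_ids of certifiers


def compute_valid_keys(keyring: dict, me: str, owner_trust: dict) -> set:
    """Return the user_ids whose keys 'me' may rely on.

    Iterates to a fixpoint because a certifier's signature only counts
    once the certifier's own key has been found valid.
    """
    valid = {me}
    changed = True
    while changed:
        changed = False
        for uid, key in keyring.items():
            if uid in valid:
                continue
            certifiers = key.signed_by & valid   # only valid keys can vouch
            if me in certifiers:
                ok = True                         # I checked this key myself
            else:
                full = sum(owner_trust.get(c) == FULL for c in certifiers)
                marginal = sum(owner_trust.get(c) == MARGINAL for c in certifiers)
                ok = full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED
            if ok:
                valid.add(uid)
                changed = True
    return valid


def alice_keyring() -> tuple:
    """Constructed scenario: Charlie is Alice's fully trusted introducer and
    signed Bob's key; three friends Alice trusts marginally signed Dan's key;
    Mallory offers a lookalike 'bob' key signed only by unknown keys."""
    keyring = {
        "alice": Key("alice"),
        "charlie": Key("charlie", frozenset({"alice"})),
        "bob": Key("bob", frozenset({"charlie"})),
        "gina": Key("gina", frozenset({"alice"})),
        "hal": Key("hal", frozenset({"alice"})),
        "ian": Key("ian", frozenset({"alice"})),
        "dan": Key("dan", frozenset({"gina", "hal", "ian"})),
        "bob (Mallory's copy)": Key("bob (Mallory's copy)",
                                    frozenset({"sock1", "sock2", "sock3"})),
    }
    owner_trust = {"charlie": FULL, "gina": MARGINAL, "hal": MARGINAL, "ian": MARGINAL}
    return keyring, owner_trust


def demo() -> set:
    keyring, owner_trust = alice_keyring()
    return compute_valid_keys(keyring, "alice", owner_trust)


if __name__ == "__main__":
    print(sorted(demo()))
```

Mallory's copy never becomes valid because none of its signers is a valid key with owner trust in Alice's keyring; this is also why slide 11 insists on checking fingerprints in person before signing, since a trusted introducer who signs the wrong key would vouch for Mallory.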
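Slide 11 defines a fingerprint as a cryptographic hash of a public key and the key ID as the handle used to look the key up; slide 14 shows both for the speaker's key. As an added example (not from the talk), the block below computes a version 4 fingerprint the way RFC 4880 section 12.2 specifies it (SHA-1 over 0x99, a two-byte length and the public-key packet body) and derives the long and short key IDs from it. The RSA numbers and creation time used to build the sample packet are tiny constructed values that only exercise the format; the fingerprint string is the one printed on slide 14.

```python
"""OpenPGP v4 fingerprint and key ID, plus the key-signing-party check.

Added illustration, not the talk's code. Packet layout per RFC 4880;
sample key material is constructed and far too small for real use.
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length + big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Version 4 public-key packet body: version, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the body; 40 hex digits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(fingerprint: str) -> str:
    return fingerprint.replace(" ", "").upper()


def pretty(fingerprint: str) -> str:
    """Groups of four, the way slide 14 prints it."""
    f = normalize(fingerprint)
    return " ".join(f[i:i + 4] for i in range(0, len(f), 4))


def long_key_id(fingerprint: str) -> str:
    """Low-order 64 bits of the fingerprint."""
    return normalize(fingerprint)[-16:]


def short_key_id(fingerprint: str) -> str:
    """Low-order 32 bits, the 0x... form shown on the contact slide."""
    return normalize(fingerprint)[-8:]


def retrieved_key_matches_note(noted_fingerprint: str, body: bytes) -> bool:
    """Step 3 of the key-signing party: the key fetched by key ID must hash to
    the full fingerprint written down in person. The short key ID is only
    32 bits, so it serves as a lookup handle, never as the check itself."""
    return normalize(noted_fingerprint) == v4_fingerprint(body)


SLIDE_FINGERPRINT = "4233 C5AA 73F9 EC1F D54B CC31 A2F8 3F14 A26E F725"  # from slide 14


if __name__ == "__main__":
    body = rsa_public_key_packet_body(3233, 17, 1422316800)  # constructed toy key
    fp = v4_fingerprint(body)
    print("fingerprint:", pretty(fp))
    print("key ID: 0x" + short_key_id(fp))
    print("slide 14 key ID: 0x" + short_key_id(SLIDE_FINGERPRINT))
```

The last line reproduces slide 14's "Key ID: 0xA26EF725" from its fingerprint, which is exactly the relationship a party attendee uses: look the key up by ID, then compare every group of the fingerprint against the note taken in person before signing.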
