—WHY I HATE PGP—
aestetix
https://help.ubuntu.com/community/GnuPrivacyGuardHowto
WHAT THE FUCK DO TRUST LEVELS MEAN?!?!
A few types of “trust”:
• Direct Trust
• Hierarchical Trust
• Cumulative Trust
From RFC 4880 "OpenPGP Message Format"
(5.2.1. Signature Types)

0x10: Generic certification of a User ID and Public-Key packet.
The issuer of this certification does not make any particular
assertion as to how well the certifier has checked that the owner
of the key is in fact the person described by the User ID.

0x11: Persona certification of a User ID and Public-Key packet.
The issuer of this certification has not done any verification of
the claim that the owner of this key is the User ID specified.

0x12: Casual certification of a User ID and Public-Key packet.
The issuer of this certification has done some casual
verification of the claim of identity.

0x13: Positive certification of a User ID and Public-Key packet.
The issuer of this certification has done substantial
verification of the claim of identity.

Most OpenPGP implementations make their "key signatures" as 0x10
certifications. Some implementations can issue 0x11-0x13
certifications, but few differentiate between the types.
How my trust tool works:
Example `pgpring -S -k keystore` output:
pub:q:4096:1:681D3A753B6C249E:2013-12-22:2017-12-22:::Laura Schmitz <laura.schmitz87@icloud.com>:
sig::::681D3A753B6C249E:2013-12-22:::::13:
sub:q:4096:1:E8A53B713BA1A13E:2013-12-22:2017-12-22:::Laura Schmitz <laura.schmitz87@icloud.com>:
pub:q:1024:17:DD6909ABB128136B:1998-09-17::::Jxfffffffcrgen Marschall <juergen.marschall@prompt.de>:
sig::::31B221441DDAA684:1998-09-17:::::10:
sig::::DD6909ABB128136B:1998-09-17:::::10:
sub:q:2048:16:0BE4CB3712565F36:1998-09-17::::Jxfffffffcrgen Marschall <juergen.marschall@prompt.de>:
pub:q:1024:17:7C951D88B8CCB59D:2009-01-02::::Carol <carol@mail.com>:
sig::::7C951D88B8CCB59D:2009-01-02:::::13:
sub:q:1024:16:CFFB706540C239DA:2009-01-02::::Carol <carol@mail.com>:
pub:q:1024:1:CE040C74F9A3F1DD:1997-05-03::::RGB <rgb@nym.alias.net>:
sig::::CE040C74F9A3F1DD:1998-02-18:::::10:
pub:q:2048:1:C56C3CAA9995BDE7:2011-05-27:2016-05-25:::icemann1978@t-online.de <icemann1978@t-online.de>:
sig::::C56C3CAA9995BDE7:2011-05-27:::::13:
sub:q:2048:1:8F38A91BB2F768B8:2011-05-27:2016-05-25:::icemann1978@t-online.de <icemann1978@t-online.de>:
pub:rq:1024:1:BDAB86311EA5DE89:1999-06-29::::Rudolph Pereira <rudolph@getsystems.com>:
rev::::BDAB86311EA5DE89::::::20:
sig::::BDAB86311EA5DE89:1999-06-29:::::10:
pub:q:2048:1:5964884DB64C74F1:2012-09-30::::Cheng Ye <yecheng91@msn.com>:
sig::::5964884DB64C74F1:2012-09-30:::::13:
sub:q:2048:1:DB6BF5D7096C9858:2012-09-30::::Cheng Ye <yecheng91@msn.com>:
From RFC 4880 "OpenPGP Message Format"
pub:q:4096:1:681D3A753B6C249E:2013-12-22:2017-12-22:::Laura Schmitz <laura.schmitz87@icloud.com>:

Where field separator is “:”

0 - record type
1 - validity
2 - key length
3 - algorithm
4 - key id
5 - date created
6 - expiration date
7 - certificate serial number
8 - owner trust
9 - name/email (user id)
10 - signature class
Convert keystore to SQL database

    # Assumes FILE is open on the pgpring output and $dbh is a connected DBI handle.
    # Bound parameters keep quotes in user IDs from breaking the INSERT.
    my $sth = $dbh->prepare(
        "INSERT INTO key_store (record_type, validity, key_length, algorithm, key_id, date_creation,
         date_expire, serial_number, owner_trust, user_id, signature_class, parent)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
    my $pubkey = '';

    while (<FILE>) {
        chomp;
        # Limit -1 keeps trailing empty fields, so every record has fields 0..10
        my @key = split(/:/, $_, -1);

        # Get rid of annoying characters
        # (the slide strips two more characters here, but the patterns are not legible)
        for (@key) {
            s/'//g;
        }
        # Guide to key format
        # 0 - record type
        # 1 - validity
        # 2 - key length
        # 3 - algorithm
        # 4 - key id
        # 5 - date created
        # 6 - expiration date
        # 7 - certificate serial number
        # 8 - owner trust
        # 9 - name/email (user id)
        # 10 - signature class
        # 11 - parent (if subkey)

        # A pub record starts a new key; every record after it gets that key as parent
        my $parent = '';
        if ($key[0] eq "pub") {
            $pubkey = $key[4];
        }
        else {
            $parent = $pubkey;
        }
        $sth->execute(@key[0..10], $parent);
    }
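Added example (not from the talk or its tool): a Python parser for the `pgpring -S -k` records above that attaches each `sig` line to the `pub` key it follows, as the Perl loader does with `parent`, and tallies the RFC 4880 certification levels separately for self-signatures and third-party signatures. It assumes field 4 of a `sig` line is the issuer's key ID, which is how the sample reads (key DD6909ABB128136B carries a signature from 31B221441DDAA684); the function names are this example's own and the input is the first records of the slide's sample.

```python
from collections import Counter

# RFC 4880 section 5.2.1 certification types, as quoted on the slide.
CERT_LEVELS = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}

# Records copied from the slide's sample output (three keys).
SAMPLE = """\
pub:q:4096:1:681D3A753B6C249E:2013-12-22:2017-12-22:::Laura Schmitz <laura.schmitz87@icloud.com>:
sig::::681D3A753B6C249E:2013-12-22:::::13:
sub:q:4096:1:E8A53B713BA1A13E:2013-12-22:2017-12-22:::Laura Schmitz <laura.schmitz87@icloud.com>:
pub:q:1024:17:DD6909ABB128136B:1998-09-17::::Jxfffffffcrgen Marschall <juergen.marschall@prompt.de>:
sig::::31B221441DDAA684:1998-09-17:::::10:
sig::::DD6909ABB128136B:1998-09-17:::::10:
sub:q:2048:16:0BE4CB3712565F36:1998-09-17::::Jxfffffffcrgen Marschall <juergen.marschall@prompt.de>:
pub:rq:1024:1:BDAB86311EA5DE89:1999-06-29::::Rudolph Pereira <rudolph@getsystems.com>:
rev::::BDAB86311EA5DE89::::::20:
sig::::BDAB86311EA5DE89:1999-06-29:::::10:
"""


def parse_keystore(text):
    """Return {pub key id: {"user_id", "revoked", "certs": [(issuer, class)]}}.

    Assumes user IDs contain no literal ':' (the only field separator).
    """
    keys, current = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 11:
            raise ValueError(f"line {lineno}: expected at least 11 fields")
        rtype, key_id, sig_class = fields[0], fields[4], fields[10]
        if rtype == "pub":
            current = keys.setdefault(
                key_id, {"user_id": fields[9], "revoked": False, "certs": []})
        elif rtype in ("sig", "rev"):
            if current is None:
                raise ValueError(f"line {lineno}: {rtype} record before any pub")
            if rtype == "rev":
                current["revoked"] = True
            elif sig_class and int(sig_class, 16) in CERT_LEVELS:
                # The class is printed as hex digits without the 0x prefix.
                current["certs"].append((key_id, int(sig_class, 16)))
        # sub records and unknown record types carry no certification: skipped
    return keys


def certification_summary(keys):
    """Tally certification levels, keeping self-signatures apart."""
    self_sigs, third_party = Counter(), Counter()
    received, issued = Counter(), Counter()
    for key_id, key in keys.items():
        for issuer, cls in key["certs"]:
            level = CERT_LEVELS[cls]
            if issuer == key_id:
                self_sigs[level] += 1      # key vouching for itself
            else:
                third_party[level] += 1    # someone else vouching for it
                received[key_id] += 1
                issued[issuer] += 1
    return {"self": dict(self_sigs), "third_party": dict(third_party),
            "received": dict(received), "issued": dict(issued)}


if __name__ == "__main__":
    store = parse_keystore(SAMPLE)
    for name, tally in certification_summary(store).items():
        print(f"{name:12} {tally}")
    print("revoked:", [k for k, v in store.items() if v["revoked"]])
```

In `key_store` terms, grouping `sig` rows by `parent` counts the signatures a key has received, while grouping by `key_id` where it differs from `parent` counts the signatures a key has issued.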
What email providers have “secure” users?
Example query:
select count(user_id) from key_store where user_id
like '%gmail.com%' and record_type = 'pub';
gmail 334,333
hotmail 107,813
yahoo 60,446
hushmail 5,016
What news organizations have “secure” users?
Example query:
select count(user_id) from key_store where user_id
like '%wsj.com%' and record_type = 'pub';
wall street journal 18
new york times 159
fox news (wtf?) 3
What “intelligence” agencies have “secure” users?
Example query:
select count(user_id) from key_store where user_id
like '%nsa.gov%' and record_type = 'pub';
nsa.gov 54
cia.gov 39
.mil 7,908
dhs.gov 28
goatse.cx 0
How do universities use PGP?
query:
select user_id, count(*) as freq from key_store where user_id like '%.edu%'
and record_type = 'pub' group by user_id order by freq desc limit 10;
+----------------------------------------------+------+
| user_id                                      | freq |
+----------------------------------------------+------+
| Re-An M. Pasia <rpasia@wesleyan.edu>         |  181 |
| nylee <nylee@mail.stut.edu.tw>               |   26 |
| Charles <charles@hm.edu>                     |   18 |
| Bobby <bobby@hm.edu>                         |   16 |
| Cheung Chi Wai <chiwai@cuhk.edu.hk>          |   14 |
| Robert S. Newnam <rnewnam@udel.edu>          |   13 |
| Shawn Nock <nock@email.arizona.edu>          |   12 |
| Gaby Abed <ihabed@uncc.edu>                  |   12 |
| Steven I. Altchuler <altchuler@alum.mit.edu> |   12 |
| Rafael Villavicencio <rafael@virginia.edu>   |   12 |
+----------------------------------------------+------+
Who has signed the most keys?
query:
select parent, count(*) as freq from key_store use index (record_type_parent)
where record_type = 'sig' group by parent order by freq desc limit 10;
+------------------+-------+
| parent           | freq  |
+------------------+-------+
| F7F0E70F307D56ED | 12627 | Noèl Köthe <noel@guug.de>
| 9710B89BCA57AD7C | 10629 | PGP Global Directory Verification Key
| 2F951508AAE6022E |  8825 | Karlheinz Geyer (RBOS) <karlheinz.geyer@lhsystems.com>
| 57930DAB0B86B067 |  7479 | Joost van Baal <joostvb@logreport.org>
| 30028D244813B5FE |  6223 | Andreas Scherbaum <ads@ufp.de>
| 18A0CC8D5706A4B4 |  6221 | Simon Richter <Simon.Richter@picotux.com>
| D2BB0D0165D0FD58 |  5832 | CA Cert Signing Authority (Root CA) <gpg@cacert.org>
| 948FD6A0E10F502E |  5231 | Marcus Frings <protagonist@gmx.net>
| DE7AAF6E94C09C7F |  5106 | Peter Palfrader
| E544DE079B7C328D |  4254 | Luk Claes <luk@lugwv.be>
+------------------+-------+
http://trust.aestetix.com
http://trust.aestetix.com/index.pl?pgpid=d255d3f5c868227f&Submit=Submit

Berlinsides 2015
