Crypto hlug


Published on

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Crypto hlug

  1. 1. Practical Cryptography A Users Guide Hugo Mills
  2. 2. Whats in this talk● Introduction & Theory – Symmetric Crypto – Public Key Crypto – Encryption and signing● GPG/PGP – What it is – Key creation and basic management – Encryption & decryption – Signing – Key management
  3. 3. Whats in the next talk(s)?● gpg – Mail client integration; GUIs● ssh – Key creation; Use; Key management; Agents● X.509 certificates – Generating certs; Management in browsers; Apache and HTTPS
  4. 4. Theory: Traditional CryptoHello, QRGEFWorld AJJTO Symmetric Cryptography
  5. 5. Theory: Traditional CryptoHello, Hello,World WorldQRGEF QRGEF AJJTO AJJTO
  6. 6. Symmetric systems● DES● 3DES● AES (Rijndael)● Blowfish● Twofish
  7. 7. Theory: Public Key Crypto AHello, QRGEFWorld AJJTO B
  8. 8. Theory: Public Key Crypto Hello, Hello, World WorldA B QRGEF QRGEF AJJTO AJJTO
  9. 9. Public/Private Keys● Public Key ● Private key – Can be seen by – Must be kept secret anyone – Can be used to find – System still secure matching public key B A● Keys generated together as a keypair
  10. 10. Public-key systems● RSA● ElGamal● DSA
  11. 11. The Important BitWhat one key does, the other undoes.
  12. 12. Theory: Signatures Hello, WorldB A Hello, Hello, World World 20958 20958
  13. 13. Part 2GPG (PGP)
  14. 14. GPG: What does it do?● Everything: – Encryption – Decryption – Signing – Signature checking – Web of trust
  15. 15. Key creation$ gpg --gen-key...Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only)Your selection? 1DSA keypair will have 1024 bits.ELG-E keys may be between 1024 and 4096 bitslong.What keysize do you want? (2048) 2048Requested keysize is 2048 bits
  16. 16. Key creationPlease specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n yearsKey is valid for? (0) 5yKey expires at Wed 30 Jan 2013 14:28:40 GMTIs this correct? (y/N) y
  17. 17. Key creationYou need a user ID to identify your key; thesoftware constructs the user IDfrom the Real Name, Comment and Email Address inthis form:"Heinrich Heine (Der Dichter) <heinrichh@...>"Real name: Harry PearceEmail address: Section DYou selected this USER-ID:"Harry Pearce (Section D) <>"Change (N)ame, (C)omment, (E)mail or(O)kay/(Q)uit? oYou need a Passphrase to protect your secret key.Enter passphrase:
  18. 18. Key creationgpg: key 603652F2 marked as ultimately trustedpublic and secret key created and signed.gpg: checking the trustdbgpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust modelgpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1ugpg: next trustdb check due at 2013-01-30pub 1024D/603652F2 2008-02-01 [expires: 2013-01-30] Key fingerprint = 628B 640D A7A6 4F98 D746 E355 8B26 B823 6036 52F2uid Harry Pearce (Head of Section D) <>sub 2048g/FFC30BC8 2008-02-01 [expires: 2013-01-30] All done, keypair created.
  19. 19. Encryptionpearce@willow:~$ lsmy-secrets.txtpearce@willow:~$ cat my-secrets.txtSection D personnelCarter, AdamYounis, ZafarPortman, JoWynn-Jones, MalcolmJames, Connie
  20. 20. Encryption$ gpg -e my-secrets.txtYou did not specify a user ID. (you may use "-r")Current recipients:Enter the user ID. End with an empty recipients:2048g/0FC718A8 2007-12-07 "Harry Pearce (Head ofSection D) <>"Enter the user ID. End with an empty line:$ lsmy-secrets.txt my-secrets.txt.gpg
  21. 21. Decryptionpearce@willow:~$ gpg -d my-secrets.txt.gpgYou need a passphrase to unlock the secret key foruser: “Harry Pearce (Section D) <>”2048-bit ELG-E key, ID FFC30BC8, created 2008-02-01(main key ID 603652F2)Enter passphrase:Section D personnelCarter, AdamYounis, ZafarPortman, JoWynn-Jones, MalcolmJames, Connie
  22. 22. Signaturespearce@willow:~$ cat will.txtIn the event of my death, I hereby leave all myworldly goods and chattels to the Battersea Dogs Home.Harry Pearce.pearce@willow:~$ gpg --clearsign will.txtYou need a passphrase to unlock the secret key foruser: "Harry Pearce (Section D) <>"1024-bit DSA key, ID 603652F2, created 2008-02-01pearce@willow:~$ lsmy-secrets.txt my-secrets.txt.gpg will.txtwill.txt.asc
  23. 23. Signaturespearce@willow:~$ cat will.txt.asc-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1In the event of my death, I hereby leave all myworldly goods and chattelsto the Battersea Dogs Home.Harry Pearce.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.4.6 (GNU/Linux)iD8DBQFHoztsiya4I2A2UvIRAqHrAJ9SzWJkBcBQepCIrtZNTTz8gdqBuACfXlC2rWl83jYJKlJbmNx7THQRIWw==mBj0-----END PGP SIGNATURE-----
  24. 24. Verify a signaturepearce@willow:~$ gpg --verify will.txt.ascgpg: Signature made Fri 01 Feb 2008 15:31:56 GMTusing DSA key ID 603652F2gpg: Good signature from "Harry Pearce (SectionD) <>"
  25. 25. Key Distribution● Q. How to get your public key to someone?● A. A Public Key server!●● Upload your key to the server● Others can download it – Verify your signatures – Encrypt files for you to read
  26. 26. Key Distributionpearceh@willow:~$ gpg --send-keys --keyserver 603652F2gpg: sending key 603652F2 to hkp
  27. 27. Key Distributionpearce@willow:~$ gpg --recv-keys --keyserver EA2B228Fgpg: requesting key EA2B228F from hkp key EA2B228F: public key "Hugo Mills (Universityof Southampton) <>" importedgpg: 3 marginal(s) needed, 1 complete(s) needed, PGPtrust modelgpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q,0n, 0m, 0f, 1ugpg: next trustdb check due at 2013-01-30gpg: Total number processed: 1gpg: imported: 1
  28. 28. Web Of Trust● Q. How do I know the key is good?● A. Web of Trust●● Signing a key – I have verified the identity of the person – I have verified that this key is controlled by that person – I trust this person to perform those same checks well
  29. 29. Web Of Trust A A AA A A? A
  30. 30. Keysigning● Signing a key is a statement that: – I believe and have verified that this key is controlled by a person matching the identity in the key – I trust this person to perform similarly good identity checks●● Beforehand – gpg --fingerprint 603652F2 – Print out several copies on slips of paper
  31. 31. Keysigning● When you meet – Exchange fingerprint slips and ID papers – Check ID papers against person (does the photo match?) – Check ID papers against the key details – Initial the slip and keep it – Hand papers back● What to accept for ID? – Passport, national ID card, photo driving license, other government-issued photo ID – Some people only accept passport – up to you
  32. 32. Keysigning● After you meet – gpg --recv-keys keyid – gpg --fingerprint keyid ● Check this with the fingerprint on paper – dd if=/dev/urandom count=64 bs=1 | hexdump >person.gpg ● Encrypt and mail it to their email addresses, asking for it to be returned to you. – Check the returned mail against the copy you kept – Sign and upload the key
  33. 33. Keysigningpearce@willow:~$ gpg --ask-cert-level --sign-key EA2B228F[...]pub 1024D/EA2B228F created: 2007-09-06 expires: 2009-09-05usage: SC trust: unknown validity: unknown Primary key fingerprint: 8995 11CC 3CA7 690C C09E 43B3 420D F030EA2B 228F Hugo Mills (University of Southampton) <>This key is due to expire on 2009-09-05.How carefully have you verified the key you are about to signactually belongsto the person named above? If you dont know what to answer,enter "0". (0) I will not answer. (default) (1) I have not checked at all. (2) I have done casual checking. (3) I have done very careful checking.
  34. 34. KeysigningYour selection? (enter `? for more information): 3Are you sure that you want to sign this key with yourkey "Harry Pearce (Section D) <>" (603652F2)I have checked this key very carefully.Really sign? (y/N) yYou need a passphrase to unlock the secret key foruser: "Harry Pearce (Section D) <>"1024-bit DSA key, ID 603652F2, created 2008-02-01passphrasepearce@willow:~$ gpg --send-keys EA2B228Fgpg: sending key EA2B228F to hkp server done.
  35. 35. Key Management● List public keys – gpg --list-keys● List public keys and their fingerprints – gpg --fingerprint● List public keys and their signatures – gpg --list-sigs● Can do this for a particular key using key ID, name or email address to search
  36. 36. Key Management● gpg --edit-key – Interactive key viewer and editor – Sign keys, check signatures, remove sigs – Add/remove subkeys (other identities, email addresses, etc) – Change trust parameters – Revoke keys – Option to save changes on exit
  37. 37. Key Revocation● If your key becomes compromised, or otherwise defunct – Private key file lost, stolen or compromised – Lost passphrase – No longer used – Newer key in use● Use a revocation certificate to cancel your key● Generate cert when you generate key
  38. 38. Key revocation● Generate a revocation cert – gpg --gen-revoke 603652F2 >revoke.gpg ● Best when you generate the key ● Keep this file safe● To revoke the key, import it into GPG – gpg --import <revoke.gpg – gpg --send-keys 603652F2
  39. 39. Further reading● gpg --edit-key has a “help” command●
  40. 40. Any questions?