Email Security with OpenPGP - An Appetizer

A 10 minute presentation on the concepts of PGP encryption and key management (public key cryptography, digital signatures), and pointers on how to get started.

  1. Email Security with OpenPGP – An Appetizer. OWASP Austin CryptoParty, David Ochel, 2015-01-27. This work is licensed under a Creative Commons Attribution 4.0 International License.
  2. “On the Internet, nobody knows you’re a dog” (PGP – OWASP Austin 2015, Page 2). Photo credits: © ttarasiuk, CC BY 2.0, modified, https://www.flickr.com/photos/tara_siuk/3027646100/ (Bob); © Wilson Afonso, CC BY 2.0, no changes, https://www.flickr.com/photos/wafonso/4444143159 (Alice).
  3. • Pretty Good Privacy (PGP) – a software program
       – Commercial – Symantec
       – Free – GnuPG
     • A protocol/standard – OpenPGP – RFC 4880 et al.
     • Based on encryption technology
       – Public-key (asymmetric) cryptography
       – But also secure hashing, symmetric encryption, …
  4. 1. Key Generation: Math!
       – Generate two linked keys (“public” and “private”)
       – Public key: distribute widely; private key: keep secret!
       – Keyrings!
     (The slide shows a PEM-encoded public key block as an illustration.)
  5. 2. Encryption / Decryption (diagram: Encryption)
  6. Encryption (diagram)
  7. 3. Encryption / Decryption! (diagram: Encryption)
  8. Electronic Signature (diagram showing Plaintext, Hash Value, Signature)
  9. Avoiding Mallory, The Man in the Middle (diagram: Alice needs to send a secret email to Bob; Mallory, the malicious interceptor, sits between them; Charlie is connected to both by “trust” edges)
  10. Web of Trust
       – Keys Signed by Many Key Holders
       – On Public Keyservers, e.g. http://pgp.mit.edu/pks/lookup?search=leo%40debian&op=vindex&fingerprint=on
  11. A Key-Signing Party?
       1. Obtain fingerprint (and key ID) of user – in person!
       2. Validate user’s ID and make a note that you have validated
       3. Go home and retrieve key (look up on keyserver by key ID), check fingerprint, sign key, and upload signed key
       Fingerprint – cryptographic hash of a public key
  12. How to get started with PGP?
       • Obtain GnuPG (or other OpenPGP alternative), and GUI or plugin for application of choice
       • Generate a key (pair)
       • Protect private key with strong password
         – Make a backup of the private key (hardcopy?)
       • Use it!
         – Encrypt files on your disk
         – Encrypt emails
         – Trade public keys with your OWASP friends
  13. Resources – Google…
       • Public-key Cryptography
       • Implementations
         – GnuPG (command line) – http://www.gnupg.org
         – Enigmail (Thunderbird plugin)
         – Web plugins
         – Outlook plugin (part of Gpg4win)
         – Android
         – iOS
         – …
       • keybase.io – trust into keys through social media
       • OpenPGP Card – store private keys on a smart card
  14. Contact: David Ochel, do@ochel.net, @lostgravity, http://secuilibrium.com. Key ID: 0xA26EF725. Fingerprint: 4233 C5AA 73F9 EC1F D54B CC31 A2F8 3F14 A26E F725. (Slide also links http://xkcd.com/364/)
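Slide 11 says a fingerprint is a cryptographic hash of a public key and that step 3 of a key-signing party is to check it against the key fetched by key ID. The following is an added example (not part of the presentation) that computes the RFC 4880 version 4 fingerprint and derives the key ID from it, then performs that comparison. The key material is a constructed toy packet, not a real RSA key; the presenter's fingerprint from slide 14 is used only to show the formatting, and the creation timestamp is an assumption.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer (RFC 4880 sec. 3.2): 2-byte bit count, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet (RFC 4880 sec. 5.5.2): version, creation time, algo 1 (RSA), MPIs n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def fingerprint(body: bytes) -> str:
    """V4 fingerprint (RFC 4880 sec. 12.2): SHA-1 over 0x99, the 2-byte body length and the body; 40 hex digits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fpr: str, short: bool = False) -> str:
    """Key ID is the low-order 64 bits of the fingerprint; the 32-bit short form (0xA26EF725 on the slides) is the last 8 digits."""
    return "0x" + (fpr[-8:] if short else fpr[-16:])

def format_fingerprint(fpr: str) -> str:
    """Group into blocks of four, as printed on slides and business cards."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def fingerprints_match(noted_in_person: str, from_fetched_key: str) -> bool:
    """Step 3 of the party: the full fingerprint written down in person must equal the one computed from the
    key retrieved by key ID. Short key IDs are only 32 bits and can collide, so a partial match is rejected."""
    a = "".join(noted_in_person.split()).upper()
    b = "".join(from_fetched_key.split()).upper()
    return len(a) == 40 and a == b

# Constructed toy key material: NOT a real RSA modulus, only bytes to drive the derivation.
TOY_N = (1 << 1023) | 0x1234567
TOY_E = 65537
TOY_CREATED = 1422316800  # assumption: 2015-01-27 00:00 UTC, the talk date

def toy_fingerprint() -> str:
    return fingerprint(rsa_public_key_packet_body(TOY_CREATED, TOY_N, TOY_E))

if __name__ == "__main__":
    fpr = toy_fingerprint()
    print("fingerprint:", format_fingerprint(fpr), "key ID:", key_id(fpr), "short:", key_id(fpr, short=True))
    # What was noted at the party (any spacing/case) versus what the fetched key yields:
    print("match:", fingerprints_match(format_fingerprint(fpr).lower(), fpr))
```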