Rayed Alrashed, profile picture
Uploaded byRayed Alrashed
PPTX, PDF1,889 views

Introduction to Cryptography & PGP

This document provides an introduction to cryptography, focusing on hashing, encryption, and PGP (Pretty Good Privacy). It explains the differences between hashing and encryption, and discusses password security, symmetric and asymmetric encryption, and the use of keys in secure communication. The document also delves into practical aspects of PGP for secure email communication, signing messages, and the importance of public key infrastructure.

Embed presentation

Downloaded 11 times
Introduction to Cryptography & PGP Rayed Alrashed 20 Feb 2019
Contents • Hashing • Encryption • PGP • Q & A
Hashing • Same input always give same output • Tiny modification change everything • Can get input from output ca6b17144b1291d0cfd06a2e36f3d266pa$$w0rd pa$$w0rd pas$w0rd ca6b17144b1291d0cfd06a2e36f3d266 aa60e7d94eac169ccff57ec1f56adec1 ?????? aa60e7d94eac169ccff57ec1f56adec1 HashFunction
Hashing • Input any size • Output always fixed size (md5=16, sha1=20, sha256=64) • hash value, fingerprint, digest, checksum ca6b17144b1291d0cfd06a2e36f3d266password (10 B) Document (10 KB) Audi (10 MB) Video (100 MB) DVD (1GB) e5f71ea3e05d0007f20ee321f1551e70 aa60e7d94eac169ccff57ec1f56adec1 94ec7185d65dcb09b4c6369819d9ba73 55641e78d24ba54619ec021eba782413 HashFunction *****
Hashing: Hash Function • Hash Function (FAST) • Hash Tables • Randomization • Load Balancing • Cryptographic Hash Function (Slow by design) • Data integrity: did my data change? • Password verification • Signatures: more on that later
Hashing: Passwords 1 • Clear text password, stored as is • Admin can see them • If data is leaked, passwords is exposed ahmed my_password ibrahim $ecure93123 saleh my_password
Hashing: Passwords 2 • Don’t store password, store the hash of a password • Admin can NOT see the original password • If data is leaked, passwords not exposed, but it can be cracked ahmed 55641e78d24ba54619ec021eba782413 ibrahim 94ec7185d65dcb09b4c6369819d9ba73 saleh 55641e78d24ba54619ec021eba782413 • But wait … “ahmed” & “saleh” use the same password • Rainbow table … hackers can reverse the hash!!!!
Hashing: Passwords 3 • Salt • Random data (salt) is added before hash • hashed = sha256( salt + clear password) • Same password = different hash • Rainbow Table can’t be used • Repeat • Repeat hashing 1000 time! • Make it much harder to brute force username password salt (random) stored ibrahim my_password 9321312 93213123c4a23ffe8b236814f6f4 910bc097e25 saleh my_password 3432455 3432455d2b64e5b352200855682c 906faed3fbb Not Stored!
Encryption
Encryption: … vs Encoding • Convert data from form to form • Doesn’t protect data • e.g. Base 64 $ echo "I love Riyadh" | base64 SSBsb3ZlIFJpeWFkaAo= $ echo "SSBsb3ZlIFJpeWFkaAo=" | base64 -D I love Riyadh • e.g. Compression $ echo "I love Riyadh" | gzip > riyadh.gz $ gunzip < riyadh.gz I love Riyadh • Why? Binary can’t be used … email! • Why? Smaller data size • Why? Other systems used different encoding? Mac vs Windows (before Unicode)
Encryption: Symmetric 🔑 Key 🔑 Key Alice Bob
Encryption: Symmetric • Secure • Fast • Many algorithms: AES, DES, Blowfish • But … how to share a key!
Encryption: Asymmetric Alice Bob 🔑 Public 🔑 Private 🔑 Public 🔑 Private
Encryption: Asymmetric • Public Key Encryption • Generate a pair of keys: • Private: Kept securely • Public: can be shared with others • Used: HTTPS, PGP, SSH • E-Commerce isn’t possible without it • Many algorithms: RSA, ElGamal ‫د‬.‫طاهر‬‫الجمل‬
Encryption: Asymmetric • Problem? • Hacker replace Bob public key with his own! • Solution: • Public Key Infrastructure PKI (HTTPS) • Web of Trust (PGP) • Manual checking (SSH) • more on that later …
Encryption: Signing • Alice Signing: • Hash = sha256(Data) • Signature = Encrypt(Hash, Alice Private Key) • Send: Data + Signature • Bob Verifying: • Hash1 = sha256(Data) • Hash2 = Decrypt(Signature, Alice Public Key) • Signature is Valid if Hash1 == Hash2
Encryption: Fingerprint -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFxrqqABCADc0RjmaEh4OIWyd92HVJxVZZB7MCCF95hx7ORrnGc4RnHKKUR3 zSBL3LchjKvwyUZ2wNhPXy/zc/ocbAwgGqkhCJGozP5af+VSzAxBBcDa6aJW3zgU P9oOq4UWE90jXrPlVJ1rbgX98DgeWl1h9IcJAq7vUj0XORbRIFTYWkUpEN3JSIAE IqvDyYa7NG0FvuUPlMJ+OUHP8ub4ZPel5l54aHs585bhIRTzHTeG6zbzVinnOQ+Y ZVOsZYZ+r/MXYTu0HPndIaTCVPQ9DQJvVey0LNBSMu2QMJw8Kr8HD5ZPS/h4jrRC 7uraUxrFUr+LYfedGHNkDM92YMvkN513nMahABEBAAG0IFJheWVkIEFscmFzaGVk IDxyYXllZEByYXllZC5jb20+iQFUBBMBCAA+FiEEQz48QnngwBgg5LGwaTbe5KZu wk4FAlxrqqACGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQaTbe 5KZuwk7gvQf+Nh2qmP3H7WDZhzMsaUwt4C9Tdj5IzTrZhEzr+W4KJNXVYErTZfGP IrlJD/zbB9NGz2cwsSk18kWtuHKCwjM8nl5jGeQsPbCc1qFeQeYXYeU+sgape9A4 6KHGB1UNd9A8JwUHUn/50/CLNEA8dWUXSQoLzTF5TZFSGvE1YxP8Lc/kYZOXQhNo 9w3mFgzl+O6Pk+2P9N70jJE3cymqtiBsfFFPGqMGr0S8LBRwxtib/75kqGmXhBrq f+v8qpypeKBTnywOGsQ1QNy5ddyIE6P2rgZHunGeixuRt6swfD7DwmHOCP5DCqAb thRlIquQiQfBqdpBskr7nG1cktfQzKj1F7kBDQRca6qgAQgAurfBxwjFxm5A7pE6 rMkILqOJeMxQuZsFYs8rm5BM1L/zARUVxcQIPtLXx/Afvx+XGPAey9Ojaj1n4o3y W8wkNlJG41EduR4Q9I5NLiPKyR8B2dDClXn7wpzInnwxu5+0od6FQqa8MvS9RYwK KANT4Q6cS5bVjYuDFBFfOXLmZw/BQCMESrJ5d28umGBTODdsb3GqNkbjfB36LC2W eDiyiOek2b07EK2BXx+CsffFVrk+0jF0OD9PG48Yy1qFeJwGQIJNfHT2Xp1HGXYV MHBp9454cI0MHX7+mQhHSB/keLyUIYqtmrxqdROGe0083GPgV0a/b7Z+y6+HruVV ceQrWQARAQABiQE8BBgBCAAmFiEEQz48QnngwBgg5LGwaTbe5KZuwk4FAlxrqqAC GwwFCQPCZwAACgkQaTbe5KZuwk4MSgf7BLi6HrisPcGHNIbWV7QdpfAnly1MHdYc DK5qLzx0DX9T+NzBiR2z833BXhNT2BxSr3sKpaN4EopXYwgBu9y+drnL4QSl/p8P mk02IsQiXdUdhGAzlELBz8nrB9W45KjyqOkFScYbfeEZKO65z6+Jd8mfFF9i/QZh Q1S9rDnAvb2moLOAXfhYO5dBEsSzA+Q1DtcQ4tvyjxjcdUBOH08+daguRvA7EgrY 6GqgXWR2IQftQ6iEk1g7o3taKpT3gkzbA/ssaY045bcQxhvTL4yIuDGKYXt56R1e b0owb9YS/iVD2DhbZfToKJplSlxlcFFy1o5a05Kwf2oESJmWMStFOA== =F2UD -----END PGP PUBLIC KEY BLOCK----- Fingerprint 433E 3C42 79E0 C018 20E4 B1B0 6936 DEE4 A66E C24E • Public Key is very long • Hard to compare keys • Fingerprint short, good for management • Hash of the Key!
PGP
PGP: Why? • Communicate securely • Use a shared password? But how to exchange it! • Public-key cryptography • Designed for email • GPG or PGP?
PGP: Keys • User Alice: gpg --gen-key gpg --list-keys gpg --export alice@example.com > alice gpg --export —armor alice@example.com > alice.pub.asc • User Bob: gpg --import alice.pub.asc
PGP: Encryption & Decryption • Bob … Encrypting: gpg --encrypt -r alice@example.com my_file # -r = recipient # You can have many recipients # You can’t decrypt the file … unless! • Alice Decrypt: gpg my_file.gpg
PGP: Signing Emails • Alice: gpg --clearsign my_vote.txt • Bob … verify: gpg --verify my_vote.txt.asc I vote for blue -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I vote for blue -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEQz48QnngwBgg5LGwaTbe5KZuwk4FAlxrsQwACgkQaTbe5KZu wk5Ljgf/aHXQmXiX1wl+BmL6fJfOzntPawCaF7MN/cP/60IlXsL7IWHnEjVH6RQV vZN7iRXeTnyCVzG0pehTuV2Zew6KS8E8QlgA3yFVM7jYrJ2yvIq7WabE3Hg8ZJky UOG5dyUs31rbMDT4Ti0YEG9CaEghM7PGngq3ezWQlscWGUfrQBUWX7T7YEVXGI0A bsFNMmIYSV69wlWuz8/vNypMp9Hvk8MHcvkKNAhE6HhEOV/wOVRPL5NKYQY6lUNw 9D1I3DZx1rm2Ni6uQZzrdrON88IkNXm2AcpPlEH3cSfecCIXAgSOlNSmSq928R7w O/q/kqKME5T5srqGZKbijDwFuzrDEQ== =QSh2 -----END PGP SIGNATURE----- gpg: Good signature gpg: BAD signature
PGP: Signing Files • Sign a file without changing it • Good for binary file (e.g. Executable, Image, Audio, etc …) • You must send 2 files: Original & Signature • Binary Signature gpg --detach-sign invoice.jpg gpg --verify invoice.jpg.sig • Text Signature gpg --detach-sign --armor invoice.jpg gpg --verify invoice.jpg.asc
PGP: Encryption with a Password • Alice: gpg --symmetric my_secret # It will ask for passphrase (password) • Bob: gpg my_secret.gpg # It will ask for same passphrase! • How to send passphrase from user 1 to user 2 securely?
PGP: … vs PKI • PGP • Web of Trust • User sign each other keys • Public Key Infrastructure • Certificate authorities (CA) • You trust what CA sign • Public key + user info + CA signature = Certificate • OS ship (and update) a list of trusted CAs
More Info • https://en.wikipedia.org/wiki/Cryptographic_hash_function • https://en.wikipedia.org/wiki/Salt_(cryptography) • https://en.wikipedia.org/wiki/Rainbow_table • GPG Tutorial: https://futureboy.us/pgp.html
Thank You

More Related Content

PDF
remote-method-guesser - BHUSA2021 Arsenal
byTobias Neitzel
 
PDF
IT Automation with Ansible
byRayed Alrashed
 
PDF
Nicky Bloor - BaRMIe - Poking Java's Back Door - 44CON 2017
byNicky Bloor
 
PPTX
FreeIPA - Attacking the Active Directory of Linux
byJulian Catrambone
 
PDF
ACPI Debugging from Linux Kernel
bySUSE Labs Taipei
 
PPTX
Telephony API
byRashad Aliyev
 
PDF
Why is Kamailio so different? An introduction.
byOlle E Johansson
 
PPTX
NFVについて
byNaoto Umemori
 
remote-method-guesser - BHUSA2021 Arsenal
byTobias Neitzel
 
IT Automation with Ansible
byRayed Alrashed
 
Nicky Bloor - BaRMIe - Poking Java's Back Door - 44CON 2017
byNicky Bloor
 
FreeIPA - Attacking the Active Directory of Linux
byJulian Catrambone
 
ACPI Debugging from Linux Kernel
bySUSE Labs Taipei
 
Telephony API
byRashad Aliyev
 
Why is Kamailio so different? An introduction.
byOlle E Johansson
 
NFVについて
byNaoto Umemori
 

What's hot

PDF
Siber Güvenlik ve Etik Hacking Sunu - 4
byMurat KARA
 
PDF
Siber Güvenlikte Yapay Zeka Uygulamaları - Webinar
byBGA Cyber Security
 
PDF
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
PDF
ReCertifying Active Directory
byWill Schroeder
 
PDF
[CNCF TAG-Runtime 2022-10-06] Lima
byAkihiro Suda
 
PDF
0wn-premises: Bypassing Microsoft Defender for Identity
byNikhil Mittal
 
PDF
Using eBPF to Measure the k8s Cluster Health
byScyllaDB
 
PDF
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
byJérôme Petazzoni
 
PDF
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
byThomas Graf
 
PPTX
Linux privilege escalation
bySongchaiDuangpan
 
PPTX
Ssh tunnel
byAmandeep Singh
 
ODP
eBPF maps 101
bySUSE Labs Taipei
 
PPTX
I hunt sys admins 2.0
byWill Schroeder
 
PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
PPTX
Hacked? Pray that the Attacker used PowerShell
byNikhil Mittal
 
PDF
Kamailio - SIP Routing in Lua
byDaniel-Constantin Mierla
 
PDF
Nmap scripting engine
byn|u - The Open Security Community
 
PDF
Launch the First Process in Linux System
byJian-Hong Pan
 
PPTX
Invoke-Obfuscation DerbyCon 2016
byDaniel Bohannon
 
PDF
Ansible - Introduction
byStephane Manciot
 
Siber Güvenlik ve Etik Hacking Sunu - 4
byMurat KARA
 
Siber Güvenlikte Yapay Zeka Uygulamaları - Webinar
byBGA Cyber Security
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
ReCertifying Active Directory
byWill Schroeder
 
[CNCF TAG-Runtime 2022-10-06] Lima
byAkihiro Suda
 
0wn-premises: Bypassing Microsoft Defender for Identity
byNikhil Mittal
 
Using eBPF to Measure the k8s Cluster Health
byScyllaDB
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
byJérôme Petazzoni
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
byThomas Graf
 
Linux privilege escalation
bySongchaiDuangpan
 
Ssh tunnel
byAmandeep Singh
 
eBPF maps 101
bySUSE Labs Taipei
 
I hunt sys admins 2.0
byWill Schroeder
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
Hacked? Pray that the Attacker used PowerShell
byNikhil Mittal
 
Kamailio - SIP Routing in Lua
byDaniel-Constantin Mierla
 
Nmap scripting engine
byn|u - The Open Security Community
 
Launch the First Process in Linux System
byJian-Hong Pan
 
Invoke-Obfuscation DerbyCon 2016
byDaniel Bohannon
 
Ansible - Introduction
byStephane Manciot
 

Similar to Introduction to Cryptography & PGP

PDF
Gpg basics
byobsidisconsortia
 
PPT
PGP S/MIME
bySou Jana
 
PPT
Pgp
byReham Maher El-Safarini
 
PPT
OpenPGP/GnuPG Encryption
byTanner Lovelace
 
PPT
Pgp smime
byTania Agni
 
PPTX
Pgp pretty good privacy
byPawan Arya
 
PPTX
PROTECTED CONTENT: END-TO-END PGP ENCRYPTION FOR DRUPAL
byDrupalCamp Kyiv
 
PPT
PGP (1). in information security and data
bygallanandhini
 
PDF
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
byVishal Kumar
 
PPTX
Pgp1
bySanjeevsharma620
 
PPT
Network Security: Standards and Cryptography
byJack Davis
 
DOCX
Pgp
byAbhishek Kesharwani
 
DOCX
Pgp
byAbhishek Kesharwani
 
PPTX
Linux securities
byGaurav Mishra
 
PDF
Crypto hlug
byfangjiafu
 
PPT
1329 n 9460
bykicknit123
 
DOCX
Unit 4
byVinod Kumar Gorrepati
 
PDF
Introduction PGP-GPG Subkey Management
byn|u - The Open Security Community
 
PDF
PBU-Intro_to_PGP
byauremoser
 
PPTX
Security
bySaqib Shehzad
 
Gpg basics
byobsidisconsortia
 
PGP S/MIME
bySou Jana
 
Pgp
byReham Maher El-Safarini
 
OpenPGP/GnuPG Encryption
byTanner Lovelace
 
Pgp smime
byTania Agni
 
Pgp pretty good privacy
byPawan Arya
 
PROTECTED CONTENT: END-TO-END PGP ENCRYPTION FOR DRUPAL
byDrupalCamp Kyiv
 
PGP (1). in information security and data
bygallanandhini
 
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
byVishal Kumar
 
Pgp1
bySanjeevsharma620
 
Network Security: Standards and Cryptography
byJack Davis
 
Pgp
byAbhishek Kesharwani
 
Pgp
byAbhishek Kesharwani
 
Linux securities
byGaurav Mishra
 
Crypto hlug
byfangjiafu
 
1329 n 9460
bykicknit123
 
Unit 4
byVinod Kumar Gorrepati
 
Introduction PGP-GPG Subkey Management
byn|u - The Open Security Community
 
PBU-Intro_to_PGP
byauremoser
 
Security
bySaqib Shehzad
 

Recently uploaded

PDF
Building Software in the AI Era: Spec-Driven Development with Kiro IDE
byHaim Michael
 
PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
PDF
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
PPTX
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
PDF
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PDF
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
PDF
threat-hunters-cookbook for cybersecurity
bylobster6719
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PDF
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
PDF
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
PDF
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PPTX
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
PDF
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
PDF
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
Building Software in the AI Era: Spec-Driven Development with Kiro IDE
byHaim Michael
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
threat-hunters-cookbook for cybersecurity
bylobster6719
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 

Introduction to Cryptography & PGP

  • 1.
    Introduction to Cryptography& PGP Rayed Alrashed 20 Feb 2019
  • 2.
  • 3.
    Hashing • Same inputalways give same output • Tiny modification change everything • Can get input from output ca6b17144b1291d0cfd06a2e36f3d266pa$$w0rd pa$$w0rd pas$w0rd ca6b17144b1291d0cfd06a2e36f3d266 aa60e7d94eac169ccff57ec1f56adec1 ?????? aa60e7d94eac169ccff57ec1f56adec1 HashFunction
  • 4.
    Hashing • Input anysize • Output always fixed size (md5=16, sha1=20, sha256=64) • hash value, fingerprint, digest, checksum ca6b17144b1291d0cfd06a2e36f3d266password (10 B) Document (10 KB) Audi (10 MB) Video (100 MB) DVD (1GB) e5f71ea3e05d0007f20ee321f1551e70 aa60e7d94eac169ccff57ec1f56adec1 94ec7185d65dcb09b4c6369819d9ba73 55641e78d24ba54619ec021eba782413 HashFunction *****
  • 5.
    Hashing: Hash Function •Hash Function (FAST) • Hash Tables • Randomization • Load Balancing • Cryptographic Hash Function (Slow by design) • Data integrity: did my data change? • Password verification • Signatures: more on that later
  • 6.
    Hashing: Passwords 1 •Clear text password, stored as is • Admin can see them • If data is leaked, passwords is exposed ahmed my_password ibrahim $ecure93123 saleh my_password
  • 7.
    Hashing: Passwords 2 •Don’t store password, store the hash of a password • Admin can NOT see the original password • If data is leaked, passwords not exposed, but it can be cracked ahmed 55641e78d24ba54619ec021eba782413 ibrahim 94ec7185d65dcb09b4c6369819d9ba73 saleh 55641e78d24ba54619ec021eba782413 • But wait … “ahmed” & “saleh” use the same password • Rainbow table … hackers can reverse the hash!!!!
  • 8.
    Hashing: Passwords 3 •Salt • Random data (salt) is added before hash • hashed = sha256( salt + clear password) • Same password = different hash • Rainbow Table can’t be used • Repeat • Repeat hashing 1000 time! • Make it much harder to brute force username password salt (random) stored ibrahim my_password 9321312 93213123c4a23ffe8b236814f6f4 910bc097e25 saleh my_password 3432455 3432455d2b64e5b352200855682c 906faed3fbb Not Stored!
  • 9.
  • 10.
    Encryption: … vsEncoding • Convert data from form to form • Doesn’t protect data • e.g. Base 64 $ echo "I love Riyadh" | base64 SSBsb3ZlIFJpeWFkaAo= $ echo "SSBsb3ZlIFJpeWFkaAo=" | base64 -D I love Riyadh • e.g. Compression $ echo "I love Riyadh" | gzip > riyadh.gz $ gunzip < riyadh.gz I love Riyadh • Why? Binary can’t be used … email! • Why? Smaller data size • Why? Other systems used different encoding? Mac vs Windows (before Unicode)
  • 11.
  • 12.
    Encryption: Symmetric • Secure •Fast • Many algorithms: AES, DES, Blowfish • But … how to share a key!
  • 13.
  • 14.
    Encryption: Asymmetric • PublicKey Encryption • Generate a pair of keys: • Private: Kept securely • Public: can be shared with others • Used: HTTPS, PGP, SSH • E-Commerce isn’t possible without it • Many algorithms: RSA, ElGamal ‫د‬.‫طاهر‬‫الجمل‬
  • 15.
    Encryption: Asymmetric • Problem? •Hacker replace Bob public key with his own! • Solution: • Public Key Infrastructure PKI (HTTPS) • Web of Trust (PGP) • Manual checking (SSH) • more on that later …
  • 16.
    Encryption: Signing • AliceSigning: • Hash = sha256(Data) • Signature = Encrypt(Hash, Alice Private Key) • Send: Data + Signature • Bob Verifying: • Hash1 = sha256(Data) • Hash2 = Decrypt(Signature, Alice Public Key) • Signature is Valid if Hash1 == Hash2
  • 17.
    Encryption: Fingerprint -----BEGIN PGPPUBLIC KEY BLOCK----- mQENBFxrqqABCADc0RjmaEh4OIWyd92HVJxVZZB7MCCF95hx7ORrnGc4RnHKKUR3 zSBL3LchjKvwyUZ2wNhPXy/zc/ocbAwgGqkhCJGozP5af+VSzAxBBcDa6aJW3zgU P9oOq4UWE90jXrPlVJ1rbgX98DgeWl1h9IcJAq7vUj0XORbRIFTYWkUpEN3JSIAE IqvDyYa7NG0FvuUPlMJ+OUHP8ub4ZPel5l54aHs585bhIRTzHTeG6zbzVinnOQ+Y ZVOsZYZ+r/MXYTu0HPndIaTCVPQ9DQJvVey0LNBSMu2QMJw8Kr8HD5ZPS/h4jrRC 7uraUxrFUr+LYfedGHNkDM92YMvkN513nMahABEBAAG0IFJheWVkIEFscmFzaGVk IDxyYXllZEByYXllZC5jb20+iQFUBBMBCAA+FiEEQz48QnngwBgg5LGwaTbe5KZu wk4FAlxrqqACGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQaTbe 5KZuwk7gvQf+Nh2qmP3H7WDZhzMsaUwt4C9Tdj5IzTrZhEzr+W4KJNXVYErTZfGP IrlJD/zbB9NGz2cwsSk18kWtuHKCwjM8nl5jGeQsPbCc1qFeQeYXYeU+sgape9A4 6KHGB1UNd9A8JwUHUn/50/CLNEA8dWUXSQoLzTF5TZFSGvE1YxP8Lc/kYZOXQhNo 9w3mFgzl+O6Pk+2P9N70jJE3cymqtiBsfFFPGqMGr0S8LBRwxtib/75kqGmXhBrq f+v8qpypeKBTnywOGsQ1QNy5ddyIE6P2rgZHunGeixuRt6swfD7DwmHOCP5DCqAb thRlIquQiQfBqdpBskr7nG1cktfQzKj1F7kBDQRca6qgAQgAurfBxwjFxm5A7pE6 rMkILqOJeMxQuZsFYs8rm5BM1L/zARUVxcQIPtLXx/Afvx+XGPAey9Ojaj1n4o3y W8wkNlJG41EduR4Q9I5NLiPKyR8B2dDClXn7wpzInnwxu5+0od6FQqa8MvS9RYwK KANT4Q6cS5bVjYuDFBFfOXLmZw/BQCMESrJ5d28umGBTODdsb3GqNkbjfB36LC2W eDiyiOek2b07EK2BXx+CsffFVrk+0jF0OD9PG48Yy1qFeJwGQIJNfHT2Xp1HGXYV MHBp9454cI0MHX7+mQhHSB/keLyUIYqtmrxqdROGe0083GPgV0a/b7Z+y6+HruVV ceQrWQARAQABiQE8BBgBCAAmFiEEQz48QnngwBgg5LGwaTbe5KZuwk4FAlxrqqAC GwwFCQPCZwAACgkQaTbe5KZuwk4MSgf7BLi6HrisPcGHNIbWV7QdpfAnly1MHdYc DK5qLzx0DX9T+NzBiR2z833BXhNT2BxSr3sKpaN4EopXYwgBu9y+drnL4QSl/p8P mk02IsQiXdUdhGAzlELBz8nrB9W45KjyqOkFScYbfeEZKO65z6+Jd8mfFF9i/QZh Q1S9rDnAvb2moLOAXfhYO5dBEsSzA+Q1DtcQ4tvyjxjcdUBOH08+daguRvA7EgrY 6GqgXWR2IQftQ6iEk1g7o3taKpT3gkzbA/ssaY045bcQxhvTL4yIuDGKYXt56R1e b0owb9YS/iVD2DhbZfToKJplSlxlcFFy1o5a05Kwf2oESJmWMStFOA== =F2UD -----END PGP PUBLIC KEY BLOCK----- Fingerprint 433E 3C42 79E0 C018 20E4 B1B0 6936 DEE4 A66E C24E • Public Key is very long • Hard to compare keys • Fingerprint short, good for management • Hash of the Key!
  • 18.
  • 19.
    PGP: Why? • Communicatesecurely • Use a shared password? But how to exchange it! • Public-key cryptography • Designed for email • GPG or PGP?
  • 20.
    PGP: Keys • UserAlice: gpg --gen-key gpg --list-keys gpg --export alice@example.com > alice gpg --export —armor alice@example.com > alice.pub.asc • User Bob: gpg --import alice.pub.asc
  • 21.
    PGP: Encryption & Decryption •Bob … Encrypting: gpg --encrypt -r alice@example.com my_file # -r = recipient # You can have many recipients # You can’t decrypt the file … unless! • Alice Decrypt: gpg my_file.gpg
  • 22.
    PGP: Signing Emails •Alice: gpg --clearsign my_vote.txt • Bob … verify: gpg --verify my_vote.txt.asc I vote for blue -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I vote for blue -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEQz48QnngwBgg5LGwaTbe5KZuwk4FAlxrsQwACgkQaTbe5KZu wk5Ljgf/aHXQmXiX1wl+BmL6fJfOzntPawCaF7MN/cP/60IlXsL7IWHnEjVH6RQV vZN7iRXeTnyCVzG0pehTuV2Zew6KS8E8QlgA3yFVM7jYrJ2yvIq7WabE3Hg8ZJky UOG5dyUs31rbMDT4Ti0YEG9CaEghM7PGngq3ezWQlscWGUfrQBUWX7T7YEVXGI0A bsFNMmIYSV69wlWuz8/vNypMp9Hvk8MHcvkKNAhE6HhEOV/wOVRPL5NKYQY6lUNw 9D1I3DZx1rm2Ni6uQZzrdrON88IkNXm2AcpPlEH3cSfecCIXAgSOlNSmSq928R7w O/q/kqKME5T5srqGZKbijDwFuzrDEQ== =QSh2 -----END PGP SIGNATURE----- gpg: Good signature gpg: BAD signature
  • 23.
    PGP: Signing Files •Sign a file without changing it • Good for binary file (e.g. Executable, Image, Audio, etc …) • You must send 2 files: Original & Signature • Binary Signature gpg --detach-sign invoice.jpg gpg --verify invoice.jpg.sig • Text Signature gpg --detach-sign --armor invoice.jpg gpg --verify invoice.jpg.asc
  • 24.
    PGP: Encryption witha Password • Alice: gpg --symmetric my_secret # It will ask for passphrase (password) • Bob: gpg my_secret.gpg # It will ask for same passphrase! • How to send passphrase from user 1 to user 2 securely?
  • 25.
    PGP: … vsPKI • PGP • Web of Trust • User sign each other keys • Public Key Infrastructure • Certificate authorities (CA) • You trust what CA sign • Public key + user info + CA signature = Certificate • OS ship (and update) a list of trusted CAs
  • 26.
    More Info • https://en.wikipedia.org/wiki/Cryptographic_hash_function •https://en.wikipedia.org/wiki/Salt_(cryptography) • https://en.wikipedia.org/wiki/Rainbow_table • GPG Tutorial: https://futureboy.us/pgp.html
  • 27.