—WHY I HATE PGP—
aestetix
https://help.ubuntu.com/community/GnuPrivacyGuardHowto
WHAT THE FUCK DO TRUST LEVELS MEAN?!?!
A few types of “trust”:
• Direct Trust
• Hierarchical Trust
• Cumulative Trust
From RFC 4880 “OpenPGP Message Format”
(5.2.1. Signature Types)

0x10: Generic certification of a User ID and Public-Key packet.
The issuer of this certification does not make any particular
assertion as to how well the certifier has checked that the owner
of the key is in fact the person described by the User ID.

0x11: Persona certification of a User ID and Public-Key packet.
The issuer of this certification has not done any verification of
the claim that the owner of this key is the User ID specified.

0x12: Casual certification of a User ID and Public-Key packet.
The issuer of this certification has done some casual
verification of the claim of identity.

0x13: Positive certification of a User ID and Public-Key packet.
The issuer of this certification has done substantial
verification of the claim of identity.

Most OpenPGP implementations make their "key signatures" as 0x10
certifications. Some implementations can issue 0x11-0x13
certifications, but few differentiate between the types.
How my trust tool works:
Example `pgpring -S -k keystore` output:
pub:q:4096:1:681D3A753B6C249E:2013-12-22:2017-12-22:::Laura Schmitz <laura.schmitz87@icloud.com>:
sig::::681D3A753B6C249E:2013-12-22:::::13:
sub:q:4096:1:E8A53B713BA1A13E:2013-12-22:2017-12-22:::Laura Schmitz <laura.schmitz87@icloud.com>:
pub:q:1024:17:DD6909ABB128136B:1998-09-17::::Jxfffffffcrgen Marschall <juergen.marschall@prompt.de>:
sig::::31B221441DDAA684:1998-09-17:::::10:
sig::::DD6909ABB128136B:1998-09-17:::::10:
sub:q:2048:16:0BE4CB3712565F36:1998-09-17::::Jxfffffffcrgen Marschall <juergen.marschall@prompt.de>:
pub:q:1024:17:7C951D88B8CCB59D:2009-01-02::::Carol <carol@mail.com>:
sig::::7C951D88B8CCB59D:2009-01-02:::::13:
sub:q:1024:16:CFFB706540C239DA:2009-01-02::::Carol <carol@mail.com>:
pub:q:1024:1:CE040C74F9A3F1DD:1997-05-03::::RGB <rgb@nym.alias.net>:
sig::::CE040C74F9A3F1DD:1998-02-18:::::10:
pub:q:2048:1:C56C3CAA9995BDE7:2011-05-27:2016-05-25:::icemann1978@t-online.de <icemann1978@t-online.de>:
sig::::C56C3CAA9995BDE7:2011-05-27:::::13:
sub:q:2048:1:8F38A91BB2F768B8:2011-05-27:2016-05-25:::icemann1978@t-online.de <icemann1978@t-online.de>:
pub:rq:1024:1:BDAB86311EA5DE89:1999-06-29::::Rudolph Pereira <rudolph@getsystems.com>:
rev::::BDAB86311EA5DE89::::::20:
sig::::BDAB86311EA5DE89:1999-06-29:::::10:
pub:q:2048:1:5964884DB64C74F1:2012-09-30::::Cheng Ye <yecheng91@msn.com>:
sig::::5964884DB64C74F1:2012-09-30:::::13:
sub:q:2048:1:DB6BF5D7096C9858:2012-09-30::::Cheng Ye <yecheng91@msn.com>:
From RFC 4880 “OpenPGP Message Format”
pub:q:4096:1:681D3A753B6C249E:2013-12-22:2017-12-22:::Laura Schmitz <laura.schmitz87@icloud.com>:

Where field separator is “:”

0 - record type
1 - validity
2 - key length
3 - algorithm
4 - key id
5 - date created
6 - expiration date
7 - certificate serial number
8 - owner trust
9 - name/email (user id)
10 - signature class
Convert keystore to sql database
# FILE is open on the `pgpring -S -k keystore` output; $dbh is a connected DBI handle.

# Guide to key format
# 0 - record type
# 1 - validity
# 2 - key length
# 3 - algorithm
# 4 - key id
# 5 - date created
# 6 - expiration date
# 7 - certificate serial number
# 8 - owner trust
# 9 - name/email (user id)
# 10 - signature class
# 11 - parent (if subkey)
my @columns = qw(record_type validity key_length algorithm key_id date_creation
                 date_expire serial_number owner_trust user_id signature_class parent);

# Bound placeholders let DBI quote every value, so quotes or backslashes in a
# user ID cannot alter the statement and need no stripping.
my $sth = $dbh->prepare(
    "INSERT INTO key_store (" . join(', ', @columns) . ") VALUES ("
    . join(', ', ('?') x @columns) . ")");

my $pubkey = '';
while (my $line = <FILE>) {
    chomp $line;
    # Limit -1 keeps trailing empty fields
    my @key = split(/:/, $line, -1);
    next unless @key >= 10;

    # Remember the current primary key; the sig/sub/rev records that follow belong to it
    $pubkey = $key[4] if $key[0] eq "pub";
    my $parent = $key[0] eq "pub" ? '' : $pubkey;

    $sth->execute((map { $_ // '' } @key[0 .. 10]), $parent);
}
What email providers have “secure” users?
Example query:
select count(user_id) from key_store where user_id
like '%gmail.com%' and record_type = 'pub';
gmail 334,333
hotmail 107,813
yahoo 60,446
hushmail 5,016
What news organizations have “secure” users?
Example query:
select count(user_id) from key_store where user_id
like '%wsj.com%' and record_type = 'pub';
wall street journal 18
new york times 159
fox news (wtf?) 3
What “intelligence” agencies have “secure” users?
Example query:
select count(user_id) from key_store where user_id
like '%nsa.gov%' and record_type = 'pub';
nsa.gov 54
cia.gov 39
.mil 7,908
dhs.gov 28
goatse.cx 0
How do universities use PGP?
query:
select user_id, count(*) as freq from key_store where user_id like '%.edu%'
and record_type = 'pub' group by user_id order by freq desc limit 10;
+----------------------------------------------+------+
| user_id | freq |
+----------------------------------------------+------+
| Re-An M. Pasia <rpasia@wesleyan.edu> | 181 |
| nylee <nylee@mail.stut.edu.tw> | 26 |
| Charles <charles@hm.edu> | 18 |
| Bobby <bobby@hm.edu> | 16 |
| Cheung Chi Wai <chiwai@cuhk.edu.hk> | 14 |
| Robert S. Newnam <rnewnam@udel.edu> | 13 |
| Shawn Nock <nock@email.arizona.edu> | 12 |
| Gaby Abed <ihabed@uncc.edu> | 12 |
| Steven I. Altchuler <altchuler@alum.mit.edu> | 12 |
| Rafael Villavicencio <rafael@virginia.edu> | 12 |
+----------------------------------------------+------+
Who has signed the most keys?
query:
select parent, count(*) as freq from key_store use index (record_type_parent)
where record_type = 'sig' group by parent order by freq desc limit 10;
+------------------+-------+
| parent | freq |
+------------------+-------+
| F7F0E70F307D56ED | 12627 | Noèl Köthe <noel@guug.de>
| 9710B89BCA57AD7C | 10629 | PGP Global Directory Verification Key
| 2F951508AAE6022E | 8825 | Karlheinz Geyer (RBOS) <karlheinz.geyer@lhsystems.com>
| 57930DAB0B86B067 | 7479 | Joost van Baal <joostvb@logreport.org>
| 30028D244813B5FE | 6223 | Andreas Scherbaum <ads@ufp.de>
| 18A0CC8D5706A4B4 | 6221 | Simon Richter <Simon.Richter@picotux.com>
| D2BB0D0165D0FD58 | 5832 | CA Cert Signing Authority (Root CA) <gpg@cacert.org>
| 948FD6A0E10F502E | 5231 | Marcus Frings <protagonist@gmx.net>
| DE7AAF6E94C09C7F | 5106 | Peter Palfrader
| E544DE079B7C328D | 4254 | Luk Claes <luk@lugwv.be>
+------------------+-------+
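The load step and the signature-count query above, reworked as an added example in Python with sqlite3 (not the author's tool): values are bound rather than stripped, and it goes one step beyond the slides by counting certifications a key received (`parent`) separately from certifications a key issued (`key_id` on a `sig` row), with self-signatures excluded. The keyring is constructed in the `pgpring -S -k` layout shown earlier; key IDs, names and the helper function names are assumptions, and user IDs are assumed to contain no literal ":".

```python
import sqlite3

# Column order from the slide's "Guide to key format"; "parent" is appended.
FIELDS = ("record_type", "validity", "key_length", "algorithm", "key_id",
          "date_creation", "date_expire", "serial_number", "owner_trust",
          "user_id", "signature_class")
COLUMNS = FIELDS + ("parent",)

# RFC 4880 5.2.1 certification types as they appear in field 10 (hex, no 0x).
CERT_LEVELS = {"10": "generic", "11": "persona", "12": "casual", "13": "positive"}

# Constructed keyring (not real keys) in the layout of the sample output.
# B signs A and C, C signs A, nobody signs B; every key also signs itself.
SAMPLE = """\
pub:q:4096:1:AAAA000000000001:2013-12-22:2017-12-22:::Alice O'Brien <alice@example.org>:
sig::::AAAA000000000001:2013-12-22:::::13:
sig::::BBBB000000000002:2014-01-05:::::10:
sig::::CCCC000000000003:2014-02-01:::::10:
sub:q:4096:1:AAAA0000000000F1:2013-12-22:2017-12-22:::Alice O'Brien <alice@example.org>:
pub:q:2048:1:BBBB000000000002:2012-09-30::::Bob <bob@example.org>:
sig::::BBBB000000000002:2012-09-30:::::13:
pub:rq:1024:17:CCCC000000000003:1999-06-29::::Carol <carol@example.org>:
rev::::CCCC000000000003::::::20:
sig::::CCCC000000000003:1999-06-29:::::10:
sig::::BBBB000000000002:2014-03-01:::::13:
"""


def parse_records(text):
    """Yield one dict per record; sig/sub/rev rows get the preceding pub key as parent."""
    parent = ""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < len(FIELDS):
            continue  # blank or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["record_type"] == "pub":
            parent = rec["key_id"]
            rec["parent"] = ""
        else:
            rec["parent"] = parent
        yield rec


def build_db(text=SAMPLE):
    """Load the records into an in-memory key_store table using bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE key_store (%s)" % ", ".join(c + " TEXT" for c in COLUMNS))
    insert = "INSERT INTO key_store (%s) VALUES (%s)" % (
        ", ".join(COLUMNS), ", ".join("?" * len(COLUMNS)))
    conn.executemany(insert, ([rec[c] for c in COLUMNS] for rec in parse_records(text)))
    return conn


# A sig row whose issuer (key_id) equals the key it sits on (parent) is a self-signature.
THIRD_PARTY = "record_type = 'sig' AND key_id <> parent"


def certifications_received(conn):
    """Keys ranked by how many other keys certified them (the slide's GROUP BY parent)."""
    return conn.execute(
        "SELECT parent, COUNT(*) AS freq FROM key_store WHERE " + THIRD_PARTY +
        " GROUP BY parent ORDER BY freq DESC, parent").fetchall()


def certifications_issued(conn):
    """Keys ranked by how many other keys they certified (GROUP BY the issuer)."""
    return conn.execute(
        "SELECT key_id, COUNT(*) AS freq FROM key_store WHERE " + THIRD_PARTY +
        " GROUP BY key_id ORDER BY freq DESC, key_id").fetchall()


def cert_level_counts(conn):
    """Count third-party certifications per RFC 4880 certification type."""
    counts = {}
    rows = conn.execute(
        "SELECT signature_class, COUNT(*) FROM key_store WHERE " + THIRD_PARTY +
        " GROUP BY signature_class")
    for cls, n in rows:
        name = CERT_LEVELS.get(cls, "other")
        counts[name] = counts.get(name, 0) + n
    return counts


if __name__ == "__main__":
    db = build_db()
    print("received:", certifications_received(db))
    print("issued:  ", certifications_issued(db))
    print("levels:  ", cert_level_counts(db))
```
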
http://trust.aestetix.com
http://trust.aestetix.com/index.pl?pgpid=d255d3f5c868227f&Submit=Submit

Berlinsides 2015
