Pretty Good privacy. we will discuss in this document about the E-mail security protocol number 2 which is PGP, you will learn about the working of PGP, PGP Algorithms, PGP Key Rings, PGP Certificates and about the Web Trust in PGP.
Pretty Good Privacy,PGP Confidentiality and Authentication,Secure/Multipurpose Internet Mail Extension (S/MIME),Secure/Multipurpose Internet Mail Extension (S/MIME),Enhanced Security Services,E-mail Threats
Pretty Good Privacy (PGP) is strong encryption software that enables you to protect your email and files by scrambling them so others cannot read them. It also allows you to digitally "sign" your messages in a way that allows others to verify that a message was actually sent by you. PGP is available in freeware and commercial versions all over the world.
PGP was first released in 1991 as a DOS program that earned a reputation for being difficult. In June 1997, PGP Inc. released PGP 5.x for Win95/NT. PGP 5.x included plugins for several popular email programs.
Distribution of Symmetric and Asymmetric Key
Digital Signature: DSA
X.509 Certificate
Man-in-the Middle Attack
Check a digital certificate while accessing a secure website and compare its structure with X.509 standard
User/Entity Authentication
Kerberos
Authentication with Digital Certificate
Pretty Good Privacy,PGP Confidentiality and Authentication,Secure/Multipurpose Internet Mail Extension (S/MIME),Secure/Multipurpose Internet Mail Extension (S/MIME),Enhanced Security Services,E-mail Threats
Pretty Good Privacy (PGP) is strong encryption software that enables you to protect your email and files by scrambling them so others cannot read them. It also allows you to digitally "sign" your messages in a way that allows others to verify that a message was actually sent by you. PGP is available in freeware and commercial versions all over the world.
PGP was first released in 1991 as a DOS program that earned a reputation for being difficult. In June 1997, PGP Inc. released PGP 5.x for Win95/NT. PGP 5.x included plugins for several popular email programs.
Distribution of Symmetric and Asymmetric Key
Digital Signature: DSA
X.509 Certificate
Man-in-the Middle Attack
Check a digital certificate while accessing a secure website and compare its structure with X.509 standard
User/Entity Authentication
Kerberos
Authentication with Digital Certificate
The Fundamental of Secure Socket Layer (SSL)Vishal Kumar
"The Fundamental of SSL" it is the first part of this Topic in which we covered covers the deep understanding of Secure Socket Layer, its position in the TCP/IP suit, its sub protocols and the working or Handshake Protocol.
This presentation will explain all about why and how email security should be implemented.
> Intro to Email Secuirty
> CIA for Email Security
> Steps to secure mail
> PGP ( All 5 Services)
> S/MIME (With its functions)
It is a presentation on Email Security made to present in one of our PPT lectures during my second year of B.Tech.
E mail security using Certified Electronic Mail (CEM)Pankaj Bhambhani
When scientists "invented" electronic mail 30 years ago, they had in mind the exchange of messages between a small number of computers in few universities. Because they worked within a closed network nobody was concerned about misuse.
Today everything changed: Internet became an open network and the e-mail protocol SMTP is used to send billions of messages. Among them a lot with sensitive, private or valuable information. Unfortunately the e-mail protocol is still lacking inherent security and thus it is imperative:As an e-mail receiver without additional security functions you can not trust neither the e-mail sender nor its content!
Pgp-Pretty Good Privacy is the open source freely available tool to encrypt your emails then you can very securely send mails to others over internet without fear of eavesdropping by cryptanalyst.
It is an IETF standardization initiative whose goal is to come out with an Internet standard Version of SSL. The presentation discusses all. Happy Learning. :)
The Fundamental of Secure Socket Layer (SSL)Vishal Kumar
"The Fundamental of SSL" it is the first part of this Topic in which we covered covers the deep understanding of Secure Socket Layer, its position in the TCP/IP suit, its sub protocols and the working or Handshake Protocol.
This presentation will explain all about why and how email security should be implemented.
> Intro to Email Secuirty
> CIA for Email Security
> Steps to secure mail
> PGP ( All 5 Services)
> S/MIME (With its functions)
It is a presentation on Email Security made to present in one of our PPT lectures during my second year of B.Tech.
E mail security using Certified Electronic Mail (CEM)Pankaj Bhambhani
When scientists "invented" electronic mail 30 years ago, they had in mind the exchange of messages between a small number of computers in few universities. Because they worked within a closed network nobody was concerned about misuse.
Today everything changed: Internet became an open network and the e-mail protocol SMTP is used to send billions of messages. Among them a lot with sensitive, private or valuable information. Unfortunately the e-mail protocol is still lacking inherent security and thus it is imperative:As an e-mail receiver without additional security functions you can not trust neither the e-mail sender nor its content!
Pgp-Pretty Good Privacy is the open source freely available tool to encrypt your emails then you can very securely send mails to others over internet without fear of eavesdropping by cryptanalyst.
It is an IETF standardization initiative whose goal is to come out with an Internet standard Version of SSL. The presentation discusses all. Happy Learning. :)
Interested in protecting your information, but don’t really know where to start?
In this workshop we will give a brief explanation of how encryption works followed by a practical tutorial on how to communicate securely. Subjects of discussion will include:
- Irreversible functions and how they can hide data
- Creating a Cryptographic identity
- Sending a secure message with PGP
- Overview of applications and plugins with built-in encryption
- Getting your machine set up to use these tools seamlessly
- Common security problems
Workshop participants should have Thunderbird or Apple Mail.app setup and configured with their email accounts prior to this workshop.
Participants should also download the following ahead of time:
Windows:
gpg4win
Enigmail Plugin
Mac:
gpgtools
The research of the digital certified mail up to implementing the base algorithm and then, go through more on pretty good privacy (PGP) applied to the email system.
Generation of Anonymous Signature and Message using Identity Based Group Blin...IDES Editor
The essential functionality of any digital
transaction system is the protection of the anonymity of user
and the message. Group signature allows any valid group
member to sign any number of messages on behalf of the
group without revealing the member identity. A blind signature
is a cryptographic scheme produces a signature, where the
digital signature is obtained on a message from a signer
without revealing any information about the message. In this
paper we bring in a new cryptographic scheme called a Group
Blind Digital Signature combines the existing concept of a
Group Digital Signature and a Blind Digital Signature. This
scheme is useful in many applications where anonymity is
very important like evoting and ecash. This blind group
signature scheme uses the identity based signature in which
the public key can be derived from any arbitrary unique string.
This reduces the complexity involved in certificate
management as compared to the traditional public key
signature scheme. Moreover, this signature scheme based on
the bilinear pairings enables utilizing smaller key sizes
International Journal of Engineering Research and Development (IJERD)IJERD Editor
journal publishing, how to publish research paper, Call For research paper, international journal, publishing a paper, IJERD, journal of science and technology, how to get a research paper published, publishing a paper, publishing of journal, publishing of research paper, reserach and review articles, IJERD Journal, How to publish your research paper, publish research paper, open access engineering journal, Engineering journal, Mathemetics journal, Physics journal, Chemistry journal, Computer Engineering, Computer Science journal, how to submit your paper, peer reviw journal, indexed journal, reserach and review articles, engineering journal, www.ijerd.com, research journals,
yahoo journals, bing journals, International Journal of Engineering Research and Development, google journals, hard copy of journal
Symmetric-Key Based Privacy-Preserving Scheme For Mining Support Countsacijjournal
In this paper we study the problem of mining support counts using symmetric-key crypto which is more
efficient than previous work. Consider a scenario that each user has an option (like or unlike) of the
specified product, and a third party wants to obtain the popularity of this product. We design a much more
efficient privacy-preserving scheme for users to prevent the loss of the personal interests. Unlike most
previous works, we do not use any exponential or modular algorithms, but we provide a symmetric-key
based method which can also protect the information. Specifically, our protocol uses a third party that
generates a number of matrixes as each user’s key. Then user uses these key to encrypt their data which is
more efficient to obtain the support counts of a given pattern.
SYMMETRIC-KEY BASED PRIVACYPRESERVING SCHEME FOR MINING SUPPORT COUNTSacijjournal
In this paper we study the problem of mining support counts using symmetric-key crypto which is more
efficient than previous work. Consider a scenario that each user has an option (like or unlike) of the
specified product, and a third party wants to obtain the popularity of this product. We design a much more
efficient privacy-preserving scheme for users to prevent the loss of the personal interests. Unlike most
previous works, we do not use any exponential or modular algorithms, but we provide a symmetric-key
based method which can also protect the information. Specifically, our protocol uses a third party that
generates a number of matrixes as each user’s key. Then user uses these key to encrypt their data which is
more efficient to obtain the support counts of a given pattern.
Threat Hunting Procedures and Measurement MatriceVishal Kumar
This document will provide the basics of Cyber Threat Hunting and answers of some Q such as; What is Threat Hunting?, What is the Importance of Threat Hunting, and How it can be start....Bla..Bla..Bla...
The Complete Questionnaires About FirewallVishal Kumar
Hello Guys, here are the answers to the most frequently asked questions in an interview about Network firewalls. you will get here the answers of all the Firewall related Question asked in the interview.
This document will make you understand the basic issues related to E-mail like, Spamming, Bombing, Malware, Email Spoofing and Email Bankruptcy, etc. after that you will learn about the first Email security protocol Privacy Enhanced Mail (PEM), step-by-step working of PEM.
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using MetasploitVishal Kumar
This Document will show you how get the privileges through exploiting the vulnerabilities using the Metasploit in Kali Linux. this will help a pen-tester to examine the security level of a system.
Auditing System Password Using L0phtcrackVishal Kumar
The objective of this presentation is to help peoples to learn how to use L0htCrack tool to attain and crack the user password from any Windows Machine.
Dumping and Cracking SAM Hashes to Extract Plaintext PasswordsVishal Kumar
This Lab will show you how to dump the Windows protected password storage SAM file using the tool pwdump7 and then crack the hash with an hash cracker tool that is Ophcrack and extract the plain-text password.
Fundamental of Secure Socket Layer (SSL) | Part - 2 Vishal Kumar
In this presentation we will learn about the Record Protocol, Alert Protocol, Closing and Resuming SSL Connections and Attacks on SSL.
The Part - 1 cab be founded at : https://www.slideshare.net/vishalkumar245/fundamental-of-secure-socket-layer-ssl-part-1
The Fundamental of Electronic Mail (E-mail)Vishal Kumar
This document contain the complete information about the Electronic mail. you will learn the basic structure and flow of email message, the Header and response codes, etc.
Fundamental of Secure Socket Layer (SSl) | Part - 1Vishal Kumar
"The Fundamental of SSL" it is the first part of this Topic in which we covered covers the deep understanding of Secure Socket Layer, its position in the TCP/IP suit, its sub protocols and the working or Handshake Protocol.
The presentation is contains the Overview of the Hawkeye Malware. you will find the execution working flow and how this malware spread across the network inside this presentation
Exploiting parameter tempering attack in web applicationVishal Kumar
Web Parameter Tampering attack involve the manipulation of parameter exchanged between a client and a server to modify application data such as user credentials and permissions, prices, and product quantities.
Web Site Mirroring creates a replica of an existing site. It allows you to download a website to a local directory, analyze all directories HTML, Images, Flash, Videos, and other files from the server on your computer.
Collecting email from the target domain using the harvesterVishal Kumar
The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
2. 2
WWW.Prohackers.in
Table of Content
1. Introduction to PGP
2. The Working of PGP
a) Step 1: Digital Signature
b) Step 2: Compression
c) Step 3: Encryption
d) Step 4: Digital Enveloping
e) Step 1: Base-64 Encoding
3. PGP Algorithms
4. Key Rings
5. PGP Certificates
a) Introducer Trust
b) Certificate Trust
c) Key Legitimacy
6. Web of Trust
3. 3
WWW.Prohackers.in
1. Digital Signature
2. Compression
3. Encryption
5. Base-64 Encoding
Fig: PGP operation
4. Enveloping
Introduction
Phil Zimmerman is the father of the Pretty Good Privacy (PGP) protocol. The most
significant aspects of PGP are that it supports the basic requirements of cryptography, is
quite simple to use, and is completely free. Including its source code and documentation.
Moreover, for those organizations that require support, a low-cost commercial version of
PGP is available from an organization called Viacrypt (now Network Associates). PGP has
become extremely popular and is far more widely used, as compare to PEM. The E-mail
cryptographic support offered by PGP is shown below:
1 The Working of PGP
In PGP, the sender of the message needs to include the
identifiers of the algorithm used in the message, along with the
value of the keys. The broad-level steps of PGP are illustrated in
the fig. as shown, PGP starts with a digital signature, which is
followed by compression, then by encryption, then by digital
enveloping and finally, by Base-64 encoding.
PGP allows for three security options when sending an email
message. These options are.
Signature (steps 1 and 2)
Pretty Good Privacy (PGP)
Encryption Non-repudiation Message Integrity
Fig: - Security Features offered by PGP
4. 4
WWW.Prohackers.in
Signature and Base-64 encoding (Steps 1, 2 and 3)
Signature, Encryption, Enveloping, and Base064 encoding (Steps 1 to 5)
Let us discuss these five steps in PGP,
Step 1: Digital Signature
We had earlier discussed about the digital signature in the Step 1 of Privacy Enhance Mail
protocol.
Step 2: Compression
This is additional step in PGP. Here, the input message as well as the digital signature are
compressed together to reduce the size of final message that will be transmitted. For
this, the famous ZIP program is used. ZIP is based on Lempel-Ziv-algorithm.
The Lempel-Ziv-algorithm looks for repeated strings or words, and stores them in a
variable. It then replaces the actual occurrence of the repeated word or string with a
pointer to the crossponding variable. Since a pointer requires only a few bits of memory as
compare to original string, this this method reduces in the data being compressed.
For instance, consider the following string:
What is your name? My name is vishal
Using the Lempel-Ziv-algorithm, we would create two variables, say A and B and replace
the word is and name by pointer to A and B, respectively. This is shown in below image.
What is your name? My name is vishal
1. A = is 2. B = name
What 1 your 2? My 2 1 Vishal
Original String
Variable creation and
assignment
Compressed String
Fig: - Lempel-Ziv-Algorithm, as used by the ZIP program
5. 5
WWW.Prohackers.in
As we can see, the resulting string What 1 your 2? My 2 1 vishal, is smaller then compare
to original string what is your name? My name is vishal.
Step 3: Encryption
In this step the compressed output of stem 2 (the compression from of the original email
and digital signature together) are encrypted with a symmetric key. For this, generally the
IDEA algorithm in CFB mode is used. We have already discussed this process in PEM
(Privacy Enhance Mail) protocol.
Step 4: Digital Enveloping
In this case symmetric key used for encryption in step 3 is now encrypted with receiver
public key. The output of stem 3 and step 4 together forms a digital envelope. This is
shown in below figure:
Step 5: Base-64 encoding
The output of step 4 is Base-64 encoded; we have already discussed the process of this
encoding in PEM (Privacy Enhance Mail) protocol.
Output of
Step 3
Sender
Symmetric key encrypted with the
receiver’s public key
Digital Envelope
Fig: - Formation of Digital Envelope
6. 6
WWW.Prohackers.in
2.2 PGP Algorithms
PGP supports a number of algorithms. The most common of them are listed below:
Algorithm type Description
Asymmetric Key RSA (Encryption and signing, Encryption only, Signing only)
DSS (Signing only)
Message Digest MD5, SHA-1, RIPE-MD
Encryption IDEA, DES-3, AES
2.3 Key Rings
When a sender wants to send an email message to a single recipient, there is no too much
of problem. Complexities are introduced when a message has to be sent to multiple
recipients. If Alice needs to correspond with 10 people, Alice needs the public key of all
the 10 people. Hence, Alice is said to need a key ring of 10 public key. PGP specific a ring
of public-private keys. This is because Alice may want to change her public-private key
pair, or may want to use a different key pair for different groups or users. In other
words, every PGP user need to have two sets of key rings: (a) A ring of her own public-
private key pair, (b) A ring of public key of other users.
The concept of key rings is shown in the below figure. Note that in one of the key rings,
Alice maintain a set of key pair; while in other she just maintain the public keys of other
users. Obliviously, she cannot have the private key of other users.
Table: - PGP Algorithms
Alice’s key ring, where she holds
her own public-private key pairs
Alice’s key ring, where she holds
only the public key of PGP users
in the system
Fig: Key rings maintain by a user in PGP
7. 7
WWW.Prohackers.in
2.4 PGP Certificates
In order to trust the public key of a user, we need to have that user’s digital certificate.
PGP can use certificate issued by a CA, or can use its own certificate system.
The originally, certificate issued by the root CA to the second-level CAs. The second level
CA can issue certificate to third-level CA and so on this can continue up-to the require
number of levels. At the lowest level, the last CA issues certificate to end user.
In PGP, there is no CA, anyone can sign a certificate to anyone else in the ring. Vishal can
sign the certificate to Deepak, Juhi, Harish and so on. There is no hierarchy of trust. This
creates a situation where a user can have certificates issued by different users. For
example; Juhi may have a certificate signed by Vishal and another one by Anita, this is
shown in the below figure. Hence, if Harish wants to verify Juhi’s certificate, he has two
paths: Juhi to Vishal and Juhi to Anita. Harish may fully trust Vishal, but not Anita, hence
there can be a multiple path in the line of trust from a fully or partially trusted authority
to a certificate.
The equivalent of CA (a user who issue certificate) in PGP is called introducer.
Vishal
Anita
Digital Certificate
User: Juhi
Issued by: Vishal
Digital Certificate
User: Juhi
Issued by: Anita
Juhi
Fig: Anyone can issue certificate to anyone else
8. 8
WWW.Prohackers.in
The whole concept can be understood better with the help of three ideas:
Introducer trust
Certificate trust
Key legitimacy
Let us discuss these three concepts now:
(a) Introducer trust
We know that there is no hierarchical CA structure in PGP. Hence it is natural that the
ring of trust in PGP cannot be very large, if every user has to trust every other user in
the system. Think about this, in real life, we do not fully trust everyone.
To resolve this issue PGP provides for multiple level of trust. The number of level depends
on the decision of implementing PGP. However, for simplicity, let us say that we have
decided to implement three level of trust to an introducer. These three levels are none,
partial, and complete. The introducer trust then specifies what level of trust the
introducer wants to allocate to other user in the system. For example, Vishal may now say
that he fully trust Juhi, where Anita says she only partial trust Juhi. Juhi says that she
does not trust Harish, Harish suggest that he partially trust Anita in turn, and so on. This
scenario is shown in the below figure.
Vishal
Anita
Digital Certificate
User: Juhi
Trust: Full
Digital Certificate
User: Juhi
Trust: Partial
Juhi
Fig: Introducer Trust
Digital Certificate
User: Anita
Trust: Partial
Digital
Certificate
User: Harish
Trust: None
Harish
9. 9
WWW.Prohackers.in
(b) Certificate trust
When a user A receives a certificate of another user B issued by this ruder C, depending
on the level of trust that A has in C, A assign a certificate trust level to that certificate
while storing it. It is normally the same as the introducer trust level that issued the
certificate this is shown in the below figure.
Background Information: Vishal and Anita have issued certificate to Juhi, Juhi send these certificates to Harish, so that
Harish can extract Juhi’s public key out of any of those certificates and use it in communication with Juhi. However,
Harish does not trust Vishal at all, but trust Anita fully.
Fig: certificate Trust
Result: when Juhi sends the two certificates (issued by Vishal and Anita) to Harish, Harish adds them to his database of
certificate. It is actually the ring of public key of other users. Apart from adding them there, Harish record the fact that it
does not want to trust Juhi’s certificate issued by Vishal (because he does not trust Vishal), but want to trust Juhi’s
certificate issued by Anita (because he trust Anita)
10. 10
WWW.Prohackers.in
This concept is explained in the diagram. Let us take another example to ensure that
there is no confusion. Imagine that there is a set of users in the system. Assume that
Mahesh fully trust Naren, partially trust Ravi and Anmol, and has no trust in Amit.
i. Naren issue two certificates: one to Amrita (with public key K1) and another to
Pallavi (with public key K2). Mahesh stores the public key and certificates or Amrita
and Pallavi in his key ring of public keys with certificate trust level equal to fully.
ii. Ravi issues a certificate to Uday (with public key K3). Mahesh stores the public key
and certificate of Uday in his ring of public key with certificate trust level equal to
partial.
iii. Anmol Issue Two Certificates: one to Uday (with public key K3), and another to
Parag (with public Key K4). Mahesh stores the public keys and certificates of Uday
and Parag in his ring of public key with certificate trust level equal to partial. Note
that Mahesh has now two certificates for Uday, one issued by Ravi, and the other
issued by Anmol, both with partial level of certificate trust.
iv. Amit issue a certificate to Parag (with public key K4). Mahesh stores the public key
and certificate of Parag in his ring or public keys with certificate trust level equal
to none. Mahesh can also discard this certificate.
(c) Key legitimacy
The objective behind the introducer trust and certificate trust is to decide whether to
trust the public key of a user. In PGP terms, this is called Key Legitimacy. Mahesh needs
to know how legitimate are the public keys of Amrita, Pallavi, Uday, and Parag and so on.
PGP define the following the simple rule to decide the key legitimacy: the level of key
legitimacy for a user is the weighted trust level for that user. For example, suppose we
have assigned certain weights to certificate trust level, as shown in the below figure:
Weight Meaning
0 No trust
½ Partial trust
1 Complete or Full trust
11. 11
WWW.Prohackers.in
In this situation in order to trust a public key (i.e. certificate) of any other user, Mahesh
needs one fully trusted certificate or two partial trusted certificates. Thus Mahesh can
fully trust Amrita and Pallavi based on the certificates they had received from Naren.
Mahesh can also trust Uday, based on tow partial trusted certificates that Uday had
received from Ravi and Anmol.
2.5 Web Trust
The earlier discussion leads to a potential problem. What happens if nobody creates
certificate for fully or partially trusted entity? In our example, on what basis would we
trust Naren’s public key, if no one has created a certificate for Naren? To resolve this
problem, several schemes are possible in PGP, as outlined below.
(a) Mahesh can physically obtain the public key of Naren by meeting in person and
getting the key on a piece of paper or as a disk file.
(b) This can be done telephonic as well.
(c) Naren can email his public key to Mahesh. Both Naren and Mahesh compute the
message digest of this key. If MD5 is used, the result is a 16-byte digest. If SHA-1
is used, the result is 20-byte digest. In hexadecimal, the digest become a 32-digit
value in MD5, and a 40-digit value in SHA-1. This is displayed as 8 groups of 4-digit
value in MD5, and 10 groups of 4-digit values in SHA-1, and is called fingerprint.
Before Mahesh adds this public key of Naren to his ring, he can call up Naren to tell
him what fingerprint value he has obtained to cross-check with the fingerprint
value that is separately obtained by Naren. This ensures that the public key value is
not changed in the email transit. To make matters better, PGP assign a unique
English word to a 4-digit hexadecimal number group, so that instead of speaking out
the hexadecimal string of numbers, users can speak out normal English words as
define by PGP. For example PGP may assign a word India to a hexadecimal pattern of
4AOB, etc.
(d) Mahesh can obtain Naren’s public key from CA.
Regardless of the mechanism, eventually this process of obtaining key of other users and
sending our own to others creates which is called web of trust between groups of people.
12. 12
WWW.Prohackers.in
This keeps the public key ring getting bigger and bigger, and helps secure the email
communication
Whenever a user needs to revoke his/her public key (because of loss of private key, etc)
he/she needs to send a key revocation certificate to the other users. This certificate is
self-signed by the user with his/her private key.
Thanks for reading this presentation
Please give us your feedback at
info@prohackers.in
Your feedback is most valuable for us for improving the presentation
You can also suggest the topic on which you want the presentation
Website: www.prohackers.in
FB page: www.facebook.com/theprohackers2017
Join FB Group: www.facebook.com/groups/group.prohackers/
Watch us on: www.youtube.com//channel/UCcyYSi1sh1SmyMlGfB-Vq6A
***Thanks***