6. Is it that bad?
What kind of private
Information can be
captured?
6
http://herraiz.org
7. Non-cyphered information
● Geolocalization
● Using your IP address
● Web browser and operating system
● Any info written in a form
● Including passwords
● Cookies
● Have a look and take care
– http://www.youtube.com/watch?v=yyLdxO6xvh8
– http://www.youtube.com/watch?v=1FgKL2ywrX0
7
http://herraiz.org
8. Solution
Enforce cyphering
using public key
cryptography
8
http://herraiz.org
9. Cryptography
● Traditionally, cyphering was done using a
password and an algorithm
● Symmetric approach
● Password shared by both peers
● Public key cryptography
● Insecure channel
● Private and secure communication without any
previous physical contact
9
http://herraiz.org
16. How does it work?
● PKP Algorithms
● Prime number factorization
● From a mathematical point of view, all
messages can be decrypted
● From a computational point of view, decrypting
a message without the private key takes too
long
– Key length is a crucial property
16
http://herraiz.org
17. Now it's your turn
Go create your own
public-private
key pair
17
http://herraiz.org
18. Public key sample
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)
JeP5F/eRS9G8EE1fObRRW6mRf+bGSeluFEMiOi3UB/5P0GBx8iM0QIjezR0R+2n8
bMjuJmWHTjvEeplnx9iual4J4BT/9FznFs7o4tFVVfYBacFrhWjQyAf2xoP3gyn3
5OlV55VHVB+oidXUVNSNHZbXwrd1sH42x7x8o17PDFJrWjiq4kAb2EfSOIuSS6na
K9Y06bqh3yRbVtRdZOuCLcY8QJwt/mx//uQqG6NuSvYhx1QyC6g==XuDESOIuSSa
mQINBEtUTeQBEACejdGQhscmsDXM7xG2/ZYFpMQg/GmPlJ85uJJUkLr2T+5Rw8Xv
VfZjNZkMwsq94BGFrBxu477tKhQ5wiUBBz/jJ01a39Wrazgp21fvEon2T0Vay45t
2BYbU4AF815UL6o74YlW5SLdAofwylZS8pX4CKjGAB0T+fDiwkAepQl45nzX0ulv
-----END PGP PUBLIC KEY BLOCK-----
18
http://herraiz.org
20. Keyservers
● Internet hosts that contain public keys
● Federated services
● All servers contain all the public keys in the world
● Public keyserver in Spain thanks to RedIRIS
● URL: pgp.rediris.es
20
http://herraiz.org
21. Your turn again
Upload your
key to a server
Download your
mates' keys
21
http://herraiz.org
22. Message signing
Hi there!
Pub Pri Pub Pri
Keyserver
Pub Pub
22
http://herraiz.org
23. Message signing
Created with the
private key
Hi there!
Pub Pri Pub Pri
Keyserver
Pub Pub
23
http://herraiz.org
24. Message signing
Hi there!
Pub Pri Pub Pri
Keyserver
Pub Pub
24
http://herraiz.org
25. Signing and encrypting
Hi there!
Pub Pri Pub Pri
Keyserver
Pub Pub
25
http://herraiz.org
26. Signing and encrypting
Pub
FAD43A
Pub Pri Pub Pri
Keyserver
Pub Pub
26
http://herraiz.org
27. Signing and encrypting
Pub
FAD43A
Pub Pri Pub Pri
Keyserver
Pub Pub
27
http://herraiz.org
28. Signing and encrypting
Hi there!
Pub Pri Pub Pri
Keyserver
Pub Pub
28
http://herraiz.org
29. Signing and encrypting
Hi there!
Pub Pri Pub Pri
Keyserver
Pub Pub
29
http://herraiz.org
30. Identity certification
How do you know that
public keys belong to their
legitimate owners?
Public key Can we ensure that the
Barack Obama key does belong to
Barack Obama?
30
http://herraiz.org
32. Public key signing
● Public keys are plain text documents that can
be cryptographically signed
● Mutual public signing adds identity certification
to PKP schemes
32
http://herraiz.org
33. Public key signing
Barack Obama
Pub Pri Pub Pri
Keyserver
Pub Pub
33
http://herraiz.org
34. Public key signing
Barack Obama
Key FE0A7AF2
Name Barack Obama
Fingerprint
D0DA E915 BFDD E5CD 8BA0
B159 7E97 2ACB FE0A 7AF2
Pub Pri Pub Pri
Keyserver
Pub Pub
34
http://herraiz.org
35. Public key signing
Barack Obama
Key FE0A7AF2
Name Barack Obama
Fingerprint
D0DA E915 BFDD E5CD 8BA0
B159 7E97 2ACB FE0A 7AF2
Pub Pri Pub Pri
Keyserver
Pub Pub
35
http://herraiz.org
36. Public key signing
Show me
your passport
Barack Obama
Key FE0A7AF2
Name Barack Obama
Fingerprint
D0DA E915 BFDD E5CD 8BA0
B159 7E97 2ACB FE0A 7AF2
Pub Pri Pub Pri
Keyserver
Pub Pub
36
http://herraiz.org
37. Public key signing
Show me
your passport
Barack Obama
Key FE0A7AF2
Name Barack Obama
Fingerprint
Passport D0DA E915 BFDD E5CD 8BA0
Barack B159 7E97 2ACB FE0A 7AF2
Obama
Pub Pri Pub Pri
Keyserver
Pub Pub
37
http://herraiz.org
41. Public key signing
Barack Obama
Key signing is
often mutual
Pub Pri Pub Pri
Keyserver
Pub Pub
41
http://herraiz.org
42. Public key signing
Barack Obama
Trust chain
Pub
Pub
Is he Barack
Pub Obama?
42
http://herraiz.org
43. Signing party
● How we do sign everyone else in the group?
● Linear chain
– 2N signatures, weak chain
● Everybody signs everybody
– N2 signatures, strong chain
– Fast signing party protocol
43
http://herraiz.org
44. Take away
PKP
Each user creates
Secure comms.
a public-private
through
key pair
insec. channels
Trust chain
Keyservers
Identity cert.
contain every
through
key in the world
public key signing
44
http://herraiz.org