The document provides an overview of cryptography, detailing its purpose, types (symmetric and asymmetric), and basic functioning. It explains various public key algorithms, particularly focusing on OpenPGP/GnuPG for secure communication, including encryption, decryption, and key management. Additionally, it discusses the importance of trust in cryptographic keys and the creation of a web of trust among users.

1. RshqSJS/JqxSJ Hqfubswlrq Wdqqhu Oryhodfh Wuldqjoh Olqxa Xvhuv Jurxs 11-Dsulo-2002

2. OpenPGP/GnuPG Encryption Tanner Lovelace Triangle Linux Users Group 11-April-2002

3. What is Cryptography? Cryptography The science of using mathematics to encrypt and decrypt data. A method of securely sending data over an insecure communications medium. Cryptanalysis The science of analyzing and breaking secure communications. Cryptology is the combination of the two.

4. There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. -- Bruce Schneier, Applied Cryptography

5. Why do you need cryptography? Privacy Keep communications secret Integrity Keep communications secure Authentication Know who you’re communicating with Nonrepudiation A sender shouldn’t be able to deny that they sent a message

6. Cryptography Background Two main types of cryptography Symmetric Same key encrypts/decrypts DES, AES, IDEA Asymmetric Different keys for encryption/decryption Also called public key cryptography RSA, Diffie-Hellman, ElGamal

7. Bits, bytes, and Key Lengths, oh my! Which is better? 128 bit keys? 1024 bit keys? Answer: neither Symmetric encryption is much faster than asymmetric Asymmetric makes communicating with people you don’t know much easier

8. How does encryption work? Encryption Decryption Plaintext Ciphertext Original Plaintext Encryption Key Decryption Key Asymmetric Encryption Decryption Plaintext Ciphertext Original Plaintext Key Key Symmetric

9. How do I know this is secure? Symmetric The only way to decrypt without the key is to try all possible combinations. With a 128 bit key, there are 2 128 possible combinations Comparison Our sun should go nova in approximately 2 30 years The universe is only 2 34 years old. Asymmetric You don’t, but smart people think it is.

10. Not Secure?!? What’s up? Asymmetric algorithms are built upon certain assumptions that have not been proved Factoring large numbers Computing discrete logrithms These are similar to the P vs. NP problem in classical computer science Which is why you hear the press talking about the possibility of codes being broken easily.

11. Public Key Algorithms Diffie-Hellman (key exchange) First public key algorithm published (1976) Whitfield Diffie and Martin Hellman Alice and Bob chose a large prime n and another number g . Alice chooses a random large integer a and sends Bob X = g a mod n . Bob chooses a random large integer b and sends Alice Y = g b mod n . Alice computes k = Y a mod n . Bob computes k’ = X b mod n . k and k’ are equal ( g ab mod n ) and cannot be computed by someone watching the exchange!

12. Public Key Algorithms RSA (Rivest, Shamir, and Adleman) [1977] Choose two random large prime numbers p and q . Compute n = pq . Choose a number e such that e is between 1 and pq and e is relatively prime to ( p – 1)( q – 1). Compute d from e ( d = e -1 mod (( p -1)( q -1))) Multiplicative inverse To encrypt, calculate c = m e mod n . To decrypt, calculate m = c d mod n .

13. What is OpenPGP/GnuPG Pretty Good Privacy Encryption program written by Phill Zimmerman in 1991. Zimmerman was later criminally charged with releasing it on the Internet. (Charges were eventually dropped.) OpenPGP A standard for encrypted/signed messages. RFC 2440, November 1998 Gnu Privacy Guard An implementation of OpenPGP. Does not use patented algorithms.

14. What can PGP/GnuPG do? Encrypt / Decrypt Messages Files Digital Signatures Key management Create secret and public keys Manage a list of keys Certify keys Revoke or disable keys

15. Encryption PGP uses multiple forms of encryption to encrypt different parts of a message Symmetric encryption fast Asymmetric encryption easy to distribute Message is encrypted with a symmetric algorithm Symmetric session key is encrypted with an asymmetric algorithm. In addition, the message is compressed beforehand, just to remove redundancy that could help cryptanalysis.

16. Encryption

17. Encryption To encrypt a file, you need to specify options Recepient (can be yourself) Binary or ascii mode Output filename Input filename % gpg -r [UID]-a –o [outname] –e [file] Will also work with streams.

18. Decryption Only need to specify the decrypt option % gpg -d [file] Will prompt for pass phrase

19. Signature Integrity Message is hashed Hash is encrypted with private key Message can be hashed again to prove it hasn’t changed. Authentication Hash can be decrypted with a public key Proves that the private key was used to encrypt. But not necessarily that a particular person encrypted the message. What?!?

20. Signature Can be combined with encryption Can be integrated or detached % gpg –a --sign[file] % gpg –a --detach-sign[file] Detached signatures are useful for signing binary packages. Used with rpm (--addsign and –resign options)

21. Key Management Session keys Created at use Only used once Need a very good source of randomness Asymmetric keys GPG allows you to create and manage Public portion of key can be published

22. Web of Trust How do you know what keys to trust? You can only physically check a finite number of keys PGP allows you to sign someone elses key. Done when you have verified that a key is valid. Allows you to accept the validity of a key of someone you’ve never met. If Alice trusts Bob and Bob trusts Charles, then Alice can also trust Charles.

23. Web of Trust

24. GPG Key Creation % gpg --gen-key Generates a public/private key pair. Because of the RSA patent, it defaults to using DH/ElGamal (Discrete Logorithm Problem) Choose a key length (use at least 1024 bits) User data (name, e-mail) Pass phrase

25. Key revocation Always generate a revocation certificate after creating a key! If you lose your pass phrase, will allow you to cancel your key. % gpg --gen-revoke [UID] Need the pass phrase (to get to the secret key)

26. Key functions List keys and signatures % gpg --list-keys % gpg --list-sigs % gpg --fingerprint Import % gpg --import [filename] Export % gpg --export [UID] By default export is binary. Use “-a” to do ascii-armor.

27. Key servers You could exchange keys by e-mail or web page, but there is a better way. PGP and GnuPG support a remote key server Send % gpg --keyserver [ks] --send-key [UID] Receive % gpg --keyserver [ks] --recv-key [UID] Default key server can be put in options file. If default server set, gpg will automatically look there for new keys.

28. Key signing ONLY SIGN A KEY WHEN YOU ARE ABSOLUTELY SURE IT IS AUTHENTIC!!! Use the edit key function % gpg --edit-key [UID] Will bring up a command prompt Can sign, revoke, change trust, delete, etc… >sign Make sure you send the newly signed key to a key server.

29. Conclusion GPG is a tool you can use to improve communication security. Don’t consider it an end result, but a link in a chain. It is integrated into a few packages, but the interface could be better Barrier to use Better when used all the time.

30. References Garfinkel, Simson, PGP, Pretty Good Privacy , 1995, O’Reilly & Associates. Schneier, Bruce, Applied Cryptography , 1996, Wiley. Various crypto links http://www.x5.net/faqs/crypto/ http://www.pgpi.org/doc/guide/6.5/en/intro/ http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-1.html http://www.mcc.ac.uk/cos/security/PGP_why_and_how.html http://www.wired.com/wired/archive/people/whitfield_diffie/ http://www.iae.nsk.su/pages/CRYPTO/rsafaq.html http://www.philzimmermann.com/ http://www.openpgp.org/ http://www.gnupg.org/