Email Security with OpenPGP – An Appetizer
OWASP Austin CryptoParty
David Ochel
2015-01-27
This work is licensed under a Creative Commons Attribution 4.0 International License.
“On the Internet, nobody knows you’re a dog”
PGP – OWASP Austin 2015 Page 2
© ttarasiuk, CC BY 2.0, modified, https://www.flickr.com/photos/tara_siuk/3027646100/
Bob
© Wilson Afonso, CC BY 2.0, no changes, https://www.flickr.com/photos/wafonso/4444143159
Alice
• Pretty Good Privacy (PGP) – a software program
– Commercial – Symantec
– Free – GnuPG
• A protocol/standard
– OpenPGP – RFC 4880 et al.
• Based on encryption technology
– Public-key (asymmetric) cryptography
– But also secure hashing, symmetric encryption, …
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgOtlqdRMXtP4e3EJjWbiiI2Yf
zo8s0spD+qzCOOUZw46ztyg0UmAr8dF0HT84CIUAudvYBvZsqcwrJKAo4V+3w0kR
13MgDL9K4rZTU/JF8ExQ2qP1sREbX1JeRW6tMkCwLYD14SCTVwuyMrrq0r+UgTDz
ckKzFHhuppZyCytwRQIDAQAB
-----END PUBLIC KEY-----
1. Key Generation: Math!
– Generate two linked keys (“public” and “private”)
– Public key: distribute widely; private key: keep secret!
– Keyrings!
2. Encryption / Decryption
Encryption (diagram)
3. Encryption / Decryption!
Electronic Signature (diagram): Plaintext → Hash Value → Signature
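The two operations sketched on the slides above (encrypt with the public key, decrypt with the private key; then sign by hashing the plaintext and applying the private key to the hash value) as one runnable toy. This is an added example, not code from the slides or from GnuPG: textbook RSA on two fixed Mersenne primes, with the names generate_keypair, encrypt, decrypt, sign and verify chosen for this example. The modulus is about 92 bits and there is no padding, so it shows the mechanics only; OpenPGP implementations use large padded keys and encrypt a random symmetric session key rather than the message itself.

```python
"""Toy public-key encryption and signing, in the shape the slides describe.

Added example (not from the slides): textbook RSA on two fixed Mersenne
primes so the arithmetic stays visible. NOT safe for real use: the modulus
is ~92 bits, there is no padding, and the hash is reduced mod n to fit.
"""
import hashlib
from math import gcd

# Constructed demo primes (both are well-known Mersenne primes).
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Step 1 on the slides: derive the linked public (n, e) / private (n, d) keys."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Step 2: anyone holding Bob's public key can encrypt to Bob."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of the matching private key can reverse it."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _hash_to_int(message: bytes, n: int) -> int:
    """Plaintext -> hash value (SHA-256), reduced so it fits under the toy n."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") % n


def sign(private_key, message: bytes) -> int:
    """Step 3: hash the plaintext, then apply the private key to the hash value."""
    n, d = private_key
    return pow(_hash_to_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """The verifier recomputes the hash and compares it with the opened signature.
    Any change to the message changes the hash, so the check fails."""
    n, e = public_key
    return pow(signature, e, n) == _hash_to_int(message, n)


if __name__ == "__main__":
    bob_pub, bob_priv = generate_keypair()
    # Alice encrypts to Bob's public key; Bob decrypts with his private key.
    c = encrypt(bob_pub, b"Hello Bob")
    print("decrypted:", decrypt(bob_priv, c))
    # Bob signs with his private key; Alice verifies with Bob's public key.
    s = sign(bob_priv, b"Hello Bob")
    print("genuine:", verify(bob_pub, b"Hello Bob", s))
    print("tampered:", verify(bob_pub, b"Hello Bob!", s))
```

Because the verifier only needs the public key, the check works for anyone who has obtained it; the slides' later point about fingerprints is what tells Alice that the public key she holds really is Bob's.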
Avoiding Mallory, The Man in the Middle
Diagram labels: Charlie; Bob; Mallory, the malicious interceptor; Needs to send a secret email; trust; trust; Alice
Web of Trust – Keys Signed by Many Key Holders – On Public Keyservers
http://pgp.mit.edu/pks/lookup?search=leo%40debian&op=vindex&fingerprint=on
A Key-Signing Party?
1. Obtain fingerprint (and key ID) of user – in person!
2. Validate user’s ID and make a note that you have validated
3. Go home and retrieve key (look up on keyserver by key ID), check fingerprint, sign key, and upload signed key
Fingerprint – cryptographic hash of a public key
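What "fingerprint" and "key ID" mean concretely, and the check in step 3 of the party, as an added example that is not part of the slides: the version 4 fingerprint defined in RFC 4880 (SHA-1 over a framed copy of the public-key packet), the long and short key IDs as its trailing bytes, and a comparison that accepts the spaced form people write on paper. The RSA values DEMO_N, DEMO_E and DEMO_CREATED are constructed for the demo and are not a real key; the fingerprint from the slides' contact page is used to show that its key ID 0xA26EF725 is just the last 32 bits.

```python
"""OpenPGP v4 fingerprints and key IDs (RFC 4880, section 12.2).

Added example, not from the slides. The fingerprint is SHA-1 over
0x99 || 2-byte length || public-key packet body; the key ID is its tail.
"""
import hashlib
import re


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length, then big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return value.bit_length().to_bytes(2, "big") + value.to_bytes(nbytes, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (algorithm id 1)."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def fingerprint(n: int, e: int, created: int) -> str:
    """160-bit SHA-1 over the framed packet, as 40 upper-case hex digits."""
    body = v4_rsa_public_key_body(n, e, created)
    framed = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(framed).hexdigest().upper()


def normalize(fp: str) -> str:
    """Drop the spaces written between groups and any 0x prefix, upper-case it."""
    fp = fp.strip()
    if fp.lower().startswith("0x"):
        fp = fp[2:]
    return re.sub(r"\s+", "", fp).upper()


def long_key_id(fp: str) -> str:
    """Low 64 bits of the fingerprint."""
    return normalize(fp)[-16:]


def short_key_id(fp: str) -> str:
    """Low 32 bits of the fingerprint, the form shown on the slides (0xA26EF725)."""
    return normalize(fp)[-8:]


def fingerprint_matches_note(noted: str, retrieved: str) -> bool:
    """Step 3 of the key-signing party: the fingerprint of the key fetched from the
    keyserver must equal the one noted in person, all 40 hex digits of it.
    A bare key ID is only 32 or 64 bits and does not count as a match."""
    a, b = normalize(noted), normalize(retrieved)
    return len(a) == 40 and a == b


def pretty(fp: str) -> str:
    """Render in the groups of four hex digits used on the slides."""
    fp = normalize(fp)
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


# Constructed demo key (two Mersenne primes), NOT a real OpenPGP key.
DEMO_N = (2**31 - 1) * (2**61 - 1)
DEMO_E = 65537
DEMO_CREATED = 1422316800  # constructed creation timestamp

# Fingerprint printed on the slides' contact page.
SLIDE_FINGERPRINT = "4233 C5AA 73F9 EC1F D54B CC31 A2F8 3F14 A26E F725"

if __name__ == "__main__":
    fp = fingerprint(DEMO_N, DEMO_E, DEMO_CREATED)
    print("demo fingerprint:", pretty(fp))
    print("long key id:", long_key_id(fp), "short key id:", short_key_id(fp))
    print("slide key id:", short_key_id(SLIDE_FINGERPRINT))
    print("party check:", fingerprint_matches_note(
        SLIDE_FINGERPRINT, "4233c5aa73f9ec1fd54bcc31a2f83f14a26ef725"))
```

A keyserver lookup by short key ID can return more than one key, since only 32 bits have to agree, which is why step 3 compares the full fingerprint before signing.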
How to get started with PGP?
• Obtain GnuPG (or other OpenPGP alternative), and GUI or plugin for application of choice
• Generate a key(pair)
• Protect private key with strong password
– Make a backup of the private key (hardcopy?)
• Use it!
– Encrypt files on your disk
– Encrypt emails
– Trade public keys with your OWASP friends
Resources – Google…
• Public-key Cryptography
• Implementations
– GnuPG (command line) – http://www.gnupg.org
– Enigmail (Thunderbird plugin)
– Web plugins
– Outlook plugin (part of Gpg4win)
– Android
– iOS
– …
• keybase.io – trust into keys through social media
• OpenPGP Card – store private keys on a smart card
Contact: David Ochel
do@ochel.net, @lostgravity, http://secuilibrium.com
Key ID: 0xA26EF725
Fingerprint: 4233 C5AA 73F9 EC1F D54B CC31 A2F8 3F14 A26E F725
http://xkcd.com/364/

 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Email Security with OpenPGP - An Appetizer

  • 1. Email Security with OpenPGP – An Appetizer
    OWASP Austin CryptoParty
    David Ochel
    2015-01-27
    This work is licensed under a Creative Commons Attribution 4.0 International License.
  • 2. “On the Internet, nobody knows you’re a dog”
    PGP – OWASP Austin 2015 Page 2
    Bob: © ttarasiuk, CC BY 2.0, modified, https://www.flickr.com/photos/tara_siuk/3027646100/
    Alice: © Wilson Afonso, CC BY 2.0, no changes, https://www.flickr.com/photos/wafonso/4444143159
  • 3. • Pretty Good Privacy (PGP) – a software program
        – Commercial – Symantec
        – Free – GnuPG
      • A protocol/standard
        – OpenPGP – RFC 4880 et al.
      • Based on encryption technology
        – Public-key (asymmetric) cryptography
        – But also secure hashing, symmetric encryption, …
  • 4. -----BEGIN PUBLIC KEY-----
      MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgOtlqdRMXtP4e3EJjWbiiI2Yf
      zo8s0spD+qzCOOUZw46ztyg0UmAr8dF0HT84CIUAudvYBvZsqcwrJKAo4V+3w0kR
      13MgDL9K4rZTU/JF8ExQ2qP1sREbX1JeRW6tMkCwLYD14SCTVwuyMrrq0r+UgTDz
      ckKzFHhuppZyCytwRQIDAQAB
      -----END PUBLIC KEY-----
      1. Key Generation: Math!
        – Generate two linked keys (“public” and “private”)
        – Public key: distribute widely; private key: keep secret!
        – Keyrings!
  • 5. Encryption
      2. Encryption / Decryption
  • 6. Encryption
  • 7. Encryption
      3. Encryption / Decryption!
  • 9. Avoiding Mallory, The Man in the Middle
      [Diagram labels: Charlie; Bob; Alice; Mallory, the malicious interceptor; “needs to send a secret email”; “trust”; “trust”]
  • 10. Web of Trust – Keys Signed by Many Key Holders – On Public Keyservers
      http://pgp.mit.edu/pks/lookup?search=leo%40debian&op=vindex&fingerprint=on
  • 11. A Key-Signing Party?
      1. Obtain fingerprint (and key ID) of user – in person!
      2. Validate user’s ID and make a note that you have validated
      3. Go home and retrieve key (look up on keyserver by key ID), check fingerprint, sign key, and upload signed key
      Fingerprint – cryptographic hash of a public key
  • 12. How to get started with PGP?
      • Obtain GnuPG (or other OpenPGP alternative), and GUI or plugin for application of choice
      • Generate a key(pair)
      • Protect private key with strong password
        – Make a backup of the private key (hardcopy?)
      • Use it!
        – Encrypt files on your disk
        – Encrypt emails
        – Trade public keys with your OWASP friends
  • 13. Resources – Google…
      • Public-key Cryptography
      • Implementations
        – GnuPG (command line) – http://www.gnupg.org
        – Enigmail (Thunderbird plugin)
        – Web plugins
        – Outlook plugin (part of Gpg4win)
        – Android
        – iOS
        – …
      • keybase.io – trust into keys through social media
      • OpenPGP Card – store private keys on a smart card
  • 14. Contact: David Ochel
      do@ochel.net, @lostgravity, http://secuilibrium.com
      Key ID: 0xA26EF725
      Fingerprint: 4233 C5AA 73F9 EC1F D54B CC31 A2F8 3F14 A26E F725
      http://xkcd.com/364/
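The key-signing-party step "check fingerprint" on slide 11 and the relation between the key ID and fingerprint on slide 14 can be made concrete with the fingerprint construction from RFC 4880 section 12.2. The following is an added example, not code from the slides; the RSA modulus values and the creation timestamp are constructed and far too small for real use.

```python
# Added example: OpenPGP v4 fingerprint, short key ID, and the
# key-signing-party comparison. Toy key material is constructed, not real.
import hashlib
import struct


def normalize(fpr: str) -> str:
    """Strip the spaces written between groups of four hex digits."""
    return fpr.replace(" ", "").upper()


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2):
    two-byte bit length, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet for RSA (public-key algorithm id 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, a two-byte
    body length, and the public-key packet body."""
    h = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return h.hexdigest().upper()


def short_key_id(fpr: str) -> str:
    """The 32-bit 'short' key ID is the low-order 8 hex digits of the fingerprint."""
    return normalize(fpr)[-8:]


def fingerprint_matches(noted_in_person: str, retrieved_key_body: bytes) -> bool:
    """Step 3 of the key-signing party: a key fetched from the keyserver by
    key ID is only signed if its fingerprint equals the one noted in person."""
    return normalize(noted_in_person) == fingerprint(retrieved_key_body)


CREATED = 1422316800  # constructed timestamp (2015-01-27 00:00 UTC)
# Constructed toy moduli; not real RSA keys, only used to exercise the encoding.
ALICE_KEY = rsa_public_key_body(n=0xC0FFEE1234567891, e=65537, created=CREATED)
OTHER_KEY = rsa_public_key_body(n=0xDEADBEEF87654321, e=65537, created=CREATED)

# Fingerprint printed on the contact slide; its last 8 digits are the key ID there.
SLIDE_FPR = "4233 C5AA 73F9 EC1F D54B CC31 A2F8 3F14 A26E F725"

if __name__ == "__main__":
    print(fingerprint(ALICE_KEY), short_key_id(fingerprint(ALICE_KEY)))
    print(short_key_id(SLIDE_FPR))  # A26EF725
```

Two keys can share a short key ID, so the lookup by key ID in step 3 is only a retrieval aid; the comparison of the full fingerprint is what decides whether to sign.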

Editor's Notes

  1. Asynchronous Internet communication (email!) has two issues: privacy; authenticity.
  2. Created 1991 by Phil Zimmermann as an open-source privacy tool. PGP, Inc. (’96), Network Associates (’97), PGP Corp. (’02), Symantec (’10). Standardized as OpenPGP (RFC 4880, etc.) starting ’98. GNU Privacy Guard (GnuPG, GPG) starting ’97. There are a number of good and easy-to-use tools out there implementing PGP. We are going to focus on understanding the principles behind it, since that enables “secure” use of the tools.
  3. Public-key cryptography. The title is a 1024-bit RSA key.
  4. In practice, there is symmetric encryption and hashing involved.
  5. In reality, we hash messages before encrypting them in order to create an electronic signature.
  6. In reality, we hash messages before encrypting them in order to create an electronic signature.
  7. Keyring!