gpg - encryption & signing
DESCRIPTION
A presentation on how GPG works.TRANSCRIPT
-
1 David Morgan 2006-2013
GPG GPG encryption & signingencryption & signing
David Morgan
David Morgan 2006-2013
Functional purposes of Functional purposes of cryptograhycryptograhy
Confidentiality ensuring illegibility to outsiders
Authentication ensuring ostensible and actual sender are one
and the same
Data integrity ensuring non-alteration in transit
-
2 David Morgan 2006-2013
GPG GPG GNU Privacy GuardGNU Privacy Guard An implementation of OpenPGP
Open-PGP software uses a combination of strong public-key and symmetric cryptography to provide security services for electronic communications and data storage. These services include confidentiality, key management, authentication, and digital signatures.
Abstract, OpenPGP RFC4880
David Morgan 2006-2013
Cryptographic processingCryptographic processing
plaintext
cipher
cryptogram
cryptogram
reverse cipher
plaintext
Encryption(data sender)
Decryption(data receiver)
-
3 David Morgan 2006-2013
Cryptographic strengthCryptographic strength Difficulty of recovering plaintext from ciphertext
without the key
Does not depend on the cipher (algorithm) standard algorithms are published
So everything depends on the key key loss/compromise/interception=Achilles heel
David Morgan 2006-2013
Key distribution managementKey distribution management Good: protect it Better: dont distribute it
-
4 David Morgan 2006-2013
Best key distribution philosophyBest key distribution philosophy DONT What good would it do after all to develop impenetrable cryptosystems, if their users were forced to share their keys with a Key Distribution Center that could be compromised by either burglary or subpoena? Whitfield Diffie
David Morgan 2006-2013
2 broad categories2 broad categories Secret-key cryptography
versus
Public-key cryptographynew!
( 1970 )
-
5 David Morgan 2006-2013
Known synonymously as:Known synonymously as:
One technology single-key private-key symmetric secret-key shared-key conventional
Versus the other dual-key public-key asymmetric
David Morgan 2006-2013
good
DecryptDecrypt--key distribution demandskey distribution demands Secret-key
distribute but protect low risk
Public-key none, you dont need to distribute it no risk b
etter!
-
6 David Morgan 2006-2013
Keys: secretKeys: secret--key cryptokey crypto
plaintext
cipher
cryptogram
cryptogram
reverse cipher
plaintext
(same key)
Encryption(data sender)
Decryption(data receiver)
David Morgan 2006-2013
Keys: publicKeys: public--key cryptokey crypto
plaintext
cipher
cryptogram
cryptogram
reverse cipher
plaintext
Encryption Decryption
(differentkey)
-
7 David Morgan 2006-2013
Wait a minuteWait a minute who sends the key(s) to whom? what/which key(s) does he send?
David Morgan 2006-2013
SecretSecret--key crypto: key crypto: data sender is key senderdata sender is key sender
plaintext
cipher
cryptogram
cryptogram
reverse cipher
plaintext
(same key)
Encryption(data sender)
Decryption(data receiver)
Key sender
Key sent
-
8 David Morgan 2006-2013
What if itWhat if its publics public--key? key? more guys/keysmore guys/keys
if there are 2 guys, there are 2 key pairs (4 keys) who sends the key? what key does he send? what does that accomplish?
David Morgan 2006-2013
WellWell only public keys can be sent! so either guy could be the key sender and he would send his public key (only! ever!) sepending who sends, accomplishes
confidentiality, or authentication
-
9 David Morgan 2006-2013
Data receiver as key senderData receiver as key sender
plaintext
cipher
cryptogram
cryptogram
inverse cipher
plaintext
Encryption(data sender)
Decryption(data receiver)
(data receiversprivate key)
Key sender
Key sent(data receivers public key)
David Morgan 2006-2013
Functional achievement checklistFunctional achievement checklist
Data receiver as key senderData receiver as key sender
Confidentiality
Authentication
Data integrity
-
10
David Morgan 2006-2013
Data sender as key senderData sender as key sender
plaintext
cipher
cryptogram
cryptogram
inverse cipher
plaintext
Encryption(data sender)
Decryption(data receiver)
(datasendersprivate key)
Key sender
Key sent(data senders public key)
David Morgan 2006-2013
Confidentiality
Authentication
Data integrity
Data sender as key senderData sender as key sender
Functional achievement checklistFunctional achievement checklist
-
11
David Morgan 2006-2013
But canBut cant we have both together?t we have both together?
Confidentiality
Authentication
Data integrity
Certainly! if you just encrypt and decrypt twice
David Morgan 2006-2013
Encrypting the whole message Encrypting the whole message twice is too expensive!!twice is too expensive!!
Make a little token1 from a big message with a hash function2
Encrypt the token instead of the message
1also called a message digest or hash2also called a digest function, like MD5 or SHA1 or RIPEMD-160
-
12
David Morgan 2006-2013
Confidential Confidential andand authenticauthentic**
plaintext
cipher
cryptogram
cryptogram
reverse cipher
Encryption(data sender)
Decryption(data receiver)
H
S
plaintext S
H H
senders private
senders public
receivers public
receivers private
H - hashS - signature OK if same
*gpg encrypt and sign
David Morgan 2006-2013
authentic but not confidentialauthentic but not confidential**
plaintext
Encryption(data sender)
Decryption(data receiver)
H
S
plaintext S
H H
senders private senders public
H - hashS - signature
OK if same
*gpg sign only,also useful
-
13
David Morgan 2006-2013
gpggpg default directories and filesdefault directories and files/
tom dick harry
home
.gnupg
.gnupg .gnupg
gpg.conf pubring secring
gpg.conf pubring secring gpg.conf pubring secring
David Morgan 2006-2013
gpggpg key management optionskey management options --gen-key
create keypair and store on disk --export
take public key from disk and output to file --import
take public key from file and output to disk
-
14
David Morgan 2006-2013
gpggpg encryption optionsencryption options --encrypt --recipient
encrypt file with users pubkey from disk --decrypt
decrypt file using private key from disk that matches public key with which file was encrypted
David Morgan 2006-2013
gpggpg signing optionssigning options --sign
create digest of file, encrypt it with private key --verify
decrypt senders digest, generate your own, check theyre the same
-
15
David Morgan 2006-2013
Example: believing in fedoraExample: believing in fedora
1) this files digests,for the other files,make them believable
2) signature ondigests file makesit believable
David Morgan 2006-2013
Get fedora projectGet fedora projects public keys public key
-
16
David Morgan 2006-2013
Add fedoraAdd fedoras key to your s key to your keyringkeyring
David Morgan 2006-2013
Use it: file really from fedora?Use it: file really from fedora?
if the key is really fedoras, the file is really from them
we believe so
-
17
David Morgan 2006-2013
Do downloads check out?Do downloads check out?o
sten
sible
per
fedo
ra a
nd
we
belie
ve
it!ac
tual
OK, exceptwhats up with disc2 ??
David Morgan 2006-2013
gpagpa GUI frontend to GUI frontend to gpggpg
-
18
David Morgan 2006-2013
EnigmailEnigmail integrates integrates GPG+emailGPG+email
Others: http://www.gnupg.org/related_software/frontends.html
David Morgan 2006-2013
InfoInfo official page
http://www.gnupg.org GPG Mini HowTo
good, quick bare essentials http://www.dewinter.com/gnupg_howto/
english/GPGMiniHowto.html GNU Privacy Handbook
more thorough and explanatory http://www.gnupg.org/gph/en/manual.html
RFC4880 (OpenPGP message format)