Email Security with OpenPGP – An Appetizer
OWASP Austin CryptoParty
David Ochel
2015-01-27
This work is licensed under a Creative Commons Attribution 4.0 International License.
“On the Internet, nobody knows you’re a dog”
PGP – OWASP Austin 2015 Page 2
[Figure: two photos labelled Bob and Alice]
© ttarasiuk, CC BY 2.0, modified, https://www.flickr.com/photos/tara_siuk/3027646100/
© Wilson Afonso, CC BY 2.0, no changes, https://www.flickr.com/photos/wafonso/4444143159
• Pretty Good Privacy (PGP) – a software program
– Commercial – Symantec
– Free – GnuPG
• A protocol/standard – OpenPGP – RFC 4880 et al.
• Based on encryption technology – public-key (asymmetric) cryptography
– But also secure hashing, symmetric encryption, …
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgOtlqdRMXtP4e3EJjWbiiI2Yf
zo8s0spD+qzCOOUZw46ztyg0UmAr8dF0HT84CIUAudvYBvZsqcwrJKAo4V+3w0kR
13MgDL9K4rZTU/JF8ExQ2qP1sREbX1JeRW6tMkCwLYD14SCTVwuyMrrq0r+UgTDz
ckKzFHhuppZyCytwRQIDAQAB
-----END PUBLIC KEY-----
1. Key Generation: Math!
– Generate two linked keys (“public” and “private”)
– Public key: distribute widely; private key: keep secret!
– Keyrings!
Encryption
2. Encryption / Decryption
[Figure: encryption/decryption diagram, built up over three slides]
3. Encryption / Decryption!
Electronic Signature
[Figure: Plaintext → Hash Value → Signature]
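The encryption and signature slides above only show the data flow as arrows. The following is an added example written for this page (not GnuPG or any OpenPGP implementation's code) that makes that flow executable with textbook RSA over two small constructed primes: the plaintext is hashed, the hash value is signed with the private key and verified with the public key, and a random session key is encrypted to the recipient's public key the way OpenPGP's hybrid scheme does. The primes, the sample message and the function names are all assumptions for the demo; real OpenPGP uses 2048-bit or larger keys, padded digests and a symmetric cipher for the message body, none of which this toy has.

```python
"""Hash-then-sign and public-key encryption, following the slides
'Encryption / Decryption' and 'Electronic Signature'.

Added example for this page, not GnuPG or OpenPGP code. Textbook RSA with
two small constructed primes so that the data flow is visible end to end:
  sign:    plaintext -> hash value -> signature = hash^d mod n
  verify:  signature^e mod n == hash value of the received plaintext
  encrypt: session key -> session key^e mod n (recipient's public key)
  decrypt: ciphertext^d mod n (recipient's private key)
Real OpenPGP uses 2048-bit or larger keys, padded digests (PKCS#1 / PSS)
and a symmetric cipher such as AES for the message body; this toy omits
all of that and is a teaching model only.
"""
import hashlib
import secrets

# Constructed toy primes (assumption for the demo; far too small for real use).
P = 1_000_000_007
Q = 998_244_353
N = P * Q                            # public modulus
E = 65_537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+ modular inverse)

PUBLIC_KEY = (E, N)    # distribute widely
PRIVATE_KEY = (D, N)   # keep secret!


def hash_value(plaintext: bytes) -> int:
    """The slide's 'Hash Value': SHA-256 of the plaintext, reduced mod N so
    it fits the toy modulus (a real scheme pads the digest instead)."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % N


def sign(plaintext: bytes, private_key=PRIVATE_KEY) -> int:
    """Signature = hash value raised to the private exponent mod n."""
    d, n = private_key
    return pow(hash_value(plaintext), d, n)


def verify(plaintext: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recompute the hash of what was received and compare it with the
    signature 'undone' by the public key. Any change to the plaintext
    changes the hash, so the comparison fails."""
    e, n = public_key
    return pow(signature, e, n) == hash_value(plaintext)


def encrypt_session_key(session_key: int, public_key=PUBLIC_KEY) -> int:
    """OpenPGP is hybrid: only a random session key is encrypted with the
    recipient's public key; the message body is encrypted symmetrically."""
    e, n = public_key
    if not 0 < session_key < n:
        raise ValueError("session key must lie in (0, n)")
    return pow(session_key, e, n)


def decrypt_session_key(ciphertext: int, private_key=PRIVATE_KEY) -> int:
    """Recipient recovers the session key with the private exponent."""
    d, n = private_key
    return pow(ciphertext, d, n)


def new_session_key() -> int:
    """Fresh random session key for one message (toy size to fit N)."""
    return secrets.randbelow(N - 1) + 1


if __name__ == "__main__":
    msg = b"Meet at the CryptoParty, 2015-01-27"   # constructed sample plaintext
    sig = sign(msg)
    print("signature valid:", verify(msg, sig))           # True
    print("tampered valid: ", verify(msg + b"!", sig))    # False
    k = new_session_key()
    print("session key round-trips:",
          decrypt_session_key(encrypt_session_key(k)) == k)   # True
```

The two halves use the same key pair in opposite directions, which is the point of the slides: signing applies the private exponent and anyone with the public key can check the result, while encryption applies the public exponent and only the private-key holder can undo it.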
Avoiding Mallory, The Man in the Middle
[Figure: Bob needs to send a secret email to Alice; Mallory, the malicious interceptor, sits between them; trust arrows link Charlie with Bob and Alice]
Web of Trust – Keys Signed by Many Key Holders – On Public Keyservers
Keyserver lookup shown on the slide: http://pgp.mit.edu/pks/lookup?search=leo%40debian&op=vindex&fingerprint=on
A Key-Signing Party?
1. Obtain fingerprint (and key ID) of user – in person!
2. Validate user’s ID and make a note that you have validated
3. Go home and retrieve key (look up on keyserver by key ID), check fingerprint, sign key, and upload signed key
Fingerprint – cryptographic hash of a public key
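The key-generation slide shows a key as an opaque base64 blob (the `-----BEGIN PUBLIC KEY-----` block there is PEM-encoded SubjectPublicKeyInfo, not OpenPGP armor, which begins with `-----BEGIN PGP PUBLIC KEY BLOCK-----`), and step 3 of the key-signing party depends on the fingerprint being a hash over the key's actual bytes. The following is an added example written for this page (not GnuPG's code) that builds a version-4 RSA public-key packet body as RFC 4880 defines it, computes the fingerprint (SHA-1 over 0x99, the two-octet length and the body), derives the 64-bit and 32-bit key IDs from it, and performs the in-person-slip-versus-keyserver comparison from step 3. The demo key material is constructed from made-up numbers; the only real values are the fingerprint and key ID from the deck's contact slide, which the example checks against each other.

```python
"""OpenPGP v4 fingerprint and key ID, as used in the key-signing-party steps.

Added example for this page, not GnuPG code. Implements the RFC 4880
section 12.2 fingerprint: SHA-1 over 0x99, the two-octet body length and
the public-key packet body. The demo keys are constructed (made-up
numbers, not real RSA moduli); only CONTACT_FINGERPRINT and CONTACT_KEY_ID
come from the deck's contact slide.
"""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """RFC 4880 section 3.2 multiprecision integer: 2-octet bit count,
    then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 public-key packet (tag 6) for RSA (algorithm 1):
    version octet, 4-octet creation time, algorithm id, MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """20-byte fingerprint = SHA-1(0x99 || len(body) as 2 octets || body)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_key_id(fingerprint: bytes) -> str:
    """64-bit key ID: the low 8 octets of the fingerprint."""
    return fingerprint[-8:].hex().upper()


def short_key_id(fingerprint: bytes) -> str:
    """32-bit key ID (the 0xA26EF725 style): the low 4 octets. Easy to
    collide, so it is only a lookup handle, never proof of identity."""
    return fingerprint[-4:].hex().upper()


def format_fingerprint(fingerprint: bytes) -> str:
    """Groups of four hex digits, the way fingerprint slips are printed."""
    hexed = fingerprint.hex().upper()
    return " ".join(hexed[i:i + 4] for i in range(0, len(hexed), 4))


def parse_fingerprint(text: str) -> bytes:
    """Inverse of format_fingerprint: drop the spaces and decode hex."""
    return bytes.fromhex(text.replace(" ", ""))


def fingerprint_matches(noted_in_person: str, retrieved_body: bytes) -> bool:
    """Step 3 of the key-signing party: the fingerprint written down in
    person must equal the fingerprint of the key fetched from the keyserver
    by key ID. Compared as full 20-byte values, not as short key IDs."""
    return hmac.compare_digest(parse_fingerprint(noted_in_person),
                               v4_fingerprint(retrieved_body))


# From the deck's contact slide (the only real values in this example).
CONTACT_FINGERPRINT = "4233 C5AA 73F9 EC1F D54B CC31 A2F8 3F14 A26E F725"
CONTACT_KEY_ID = "A26EF725"


def contact_key_id_consistent() -> bool:
    """The short key ID on the slide must be the last 8 hex digits of the
    fingerprint printed beside it."""
    return short_key_id(parse_fingerprint(CONTACT_FINGERPRINT)) == CONTACT_KEY_ID


# Constructed demo keys (made-up numbers, not real RSA moduli).
CREATED = 1422316800   # 2015-01-27T00:00:00Z, the talk date
ALICE_BODY = v4_rsa_public_key_body(CREATED, 0xC0FFEE0123456789ABCDEF0F1E2D3C4B5A69, 65537)
MALLORY_BODY = v4_rsa_public_key_body(CREATED, 0xBADC0DE0123456789ABCDEF0F1E2D3C4B5A69, 65537)

if __name__ == "__main__":
    alice_fpr = v4_fingerprint(ALICE_BODY)
    slip = format_fingerprint(alice_fpr)   # what Alice hands you in person
    print("Alice fingerprint:", slip)
    print("short key ID:", short_key_id(alice_fpr), "long key ID:", long_key_id(alice_fpr))
    print("keyserver returned Alice's key:  ", fingerprint_matches(slip, ALICE_BODY))    # True
    print("keyserver returned Mallory's key:", fingerprint_matches(slip, MALLORY_BODY))  # False
    print("contact slide key ID consistent: ", contact_key_id_consistent())             # True
```

Because the key ID is just the tail of the fingerprint, a keyserver lookup by key ID can return a different key with the same tail; that is why the slide has you check the full fingerprint before signing, and why `fingerprint_matches` compares all 20 bytes rather than the 4 that make up the ID.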
How to get started with PGP?
• Obtain GnuPG (or other OpenPGP alternative), and GUI or plugin for application of choice
• Generate a key(pair)
• Protect private key with strong password
– Make a backup of the private key (hardcopy?)
• Use it!
– Encrypt files on your disk
– Encrypt emails
– Trade public keys with your OWASP friends
Resources – Google…
• Public-key Cryptography
• Implementations
– GnuPG (command line) – http://www.gnupg.org
– Enigmail (Thunderbird plugin)
– Web plugins
– Outlook plugin (part of Gpg4win)
– Android
– iOS
– …
• keybase.io – trust into keys through social media
• OpenPGP Card – store private keys on a smart card
Contact: David Ochel
[email protected], @lostgravity, http://secuilibrium.com
Key ID: 0xA26EF725
Fingerprint: 4233 C5AA 73F9 EC1F D54B CC31 A2F8 3F14 A26E F725
Comic: http://xkcd.com/364/