20061025 PGP/GNUpg 1
Security Talk: PGP/GNUpg
Security Talk
Pretty Good Privacy (PGP/GNUpg)
Brian Epstein <[email protected]>
● AIC triad – PGP/GNUpg
● History of PGP/GNUpg/OpenPGP
● Shared Key Cryptography
● Public Key Cryptography
● Cryptographic Hashing
● Web of Trust
● Main Principles in Security
– Availability
– Integrity
– Confidentiality
● PGP/GNUpg covers Integrity and Confidentiality
History of Pretty Good Privacy
● Pretty Good Privacy (PGP) created in 1991 by Phil Zimmermann
● OpenPGP (RFC 2440) created in 1998
● GNU Privacy Guard (GNUpg or GPG) created in 1999
● Commercial PGP changed hands twice in the past decade
Shared Key Cryptography
● Also known as symmetric key, single-key or private key cryptography
● Analogous to a regular door key
– Cereal box decoder ring
– ZIP file encryption
– Excel Spreadsheet encryption
Shared Key Cryptography
● Strengths
– Easy to use
– Quick to understand
– Keeps data confidentiality
● Weaknesses
– Vulnerable key exchange
– Number of keys required is n(n – 1)/2
– No integrity checking available (we don't know who encrypted)
Public Key Cryptography
● Also known as asymmetric key or split key cryptography
● Each person has two keys
– Public key to share with the world
– Private key to keep very secret.
Public Key Cryptography
● Public key
– Data encrypted by this key can only be opened by its Private Key
– Encrypting with public key ensures confidentiality
– Alice encrypts with Bob's public key so that only Bob can read
● Private key
– Data encrypted by this key can only be opened by its Public Key
– Encrypting with private key ensures integrity
– Alice encrypts with her private key to prove to Bob that she authored the email
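The two directions on the slide above, as an added example that is not part of the talk: textbook RSA with no padding, where the private-key step is applied to a SHA-256 hash of the message. All function names and the demo keys (built from known Mersenne primes, not safe for real use) are assumptions made for illustration.

```python
import hashlib

E = 65537  # common public exponent

def make_keypair(p, q):
    """Textbook RSA: returns (public_key, private_key) as (modulus, exponent) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def apply_key(key, value):
    """The one RSA operation both keys perform: value ** exponent mod n."""
    n, exponent = key
    return pow(value, exponent, n)

def encrypt_for(recipient_public, message):
    """Confidentiality: anyone can lock with the recipient's public key."""
    return apply_key(recipient_public, int.from_bytes(message, "big"))

def decrypt(own_private, ciphertext):
    """Only the matching private key recovers the message bytes."""
    m = apply_key(own_private, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(own_private, message):
    """Integrity and authorship: apply the private key to the message hash."""
    return apply_key(own_private, digest(message))

def verify(signer_public, message, signature):
    """Anyone holding the signer's public key can check the signature."""
    return apply_key(signer_public, signature) == digest(message)

# Constructed demo keys from known Mersenne primes (illustration only, not secure).
ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**607 - 1)

if __name__ == "__main__":
    mail = b"Meet at noon"  # constructed sample message
    locked = encrypt_for(BOB_PUB, mail)
    print(decrypt(BOB_PRIV, locked))               # Bob reads it
    print(decrypt(ALICE_PRIV, locked) == mail)     # Alice's key cannot
    sig = sign(ALICE_PRIV, mail)
    print(verify(ALICE_PUB, mail, sig))            # Bob confirms Alice wrote it
    print(verify(ALICE_PUB, b"Meet at one", sig))  # altered text fails
```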
Public Key Cryptography
● Strengths
– Number of keys required is n*2
– Keeps data integrity
– Keeps data confidentiality
● Weaknesses
– Vulnerable key exchange
– Key trust (PKI or Web of Trust)
– More difficult to manage
PKI versus Web of Trust
● Public Key Infrastructure (PKI) has a trust tree
PKI versus Web of Trust
● PKI Strengths
– Single point of trust
● PKI Weaknesses
– Must have a shared point of trust
– Verisign, Thawte, RSA certificates
– Must spend money
PKI versus Web of Trust
● Web of Trust Strengths
– No single point of trust
– Mesh network of trust
– Usually free
● Web of Trust Weaknesses
– Requires more work to set up consistently
– How much do you trust your web?
Web of Trust
● Should not be spoke and wheel
● Should look like a web
● Good Web of Trust
● Spoke and Wheel
● Broken Spoke and Wheel
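Why a web holds up where a spoke and wheel breaks, as an added example that is not part of the talk: key signatures are modelled as a directed graph, and the check reports every key whose loss cuts you off from others. The key names, both topologies, the `max_depth` chain limit and the rule that every signer on a chain is trusted are assumptions made for illustration.

```python
from collections import deque

def reachable(sigs, me, removed=None, max_depth=5):
    """Keys `me` can validate by following signature chains (signer -> signed key)."""
    seen, queue = {me}, deque([(me, 0)])
    while queue:
        key, depth = queue.popleft()
        if depth == max_depth:
            continue  # chain limit reached, do not extend further
        for signed in sigs.get(key, ()):
            if signed != removed and signed not in seen:
                seen.add(signed)
                queue.append((signed, depth + 1))
    return seen - {me}

def single_points_of_trust(sigs, me):
    """Map each key whose loss (revoked, expired, compromised) strands others
    to the sorted list of keys `me` can no longer validate without it."""
    baseline = reachable(sigs, me)
    stranded = {}
    for key in baseline:
        cut = baseline - reachable(sigs, me, removed=key) - {key}
        if cut:
            stranded[key] = sorted(cut)
    return stranded

# Constructed topologies. Spoke and wheel: everyone exchanges signatures with "hub" only.
PEOPLE = ["alice", "bob", "carol", "dave", "erin"]
SPOKE = {"hub": set(PEOPLE), **{p: {"hub"} for p in PEOPLE}}

# Web: six keys in a ring, each signing the next two keys around the ring.
RING = PEOPLE + ["frank"]
WEB = {k: {RING[(i + 1) % 6], RING[(i + 2) % 6]} for i, k in enumerate(RING)}

if __name__ == "__main__":
    print("spoke and wheel:", single_points_of_trust(SPOKE, "alice"))
    print("broken spoke:   ", reachable(SPOKE, "alice", removed="hub"))
    print("web:            ", single_points_of_trust(WEB, "alice"))
```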
IAS Web of Trust
Demo
Questions?
Thanks, time to party!
History of Pretty Good Privacy
Phil Zimmermann was the target of a criminal investigation over US export restrictions. The case was dropped in 1996, and PGP, Inc. was founded.
Network Associates Inc. (NAI) acquired PGP Inc. in 1997.
PGP Corp acquired PGP from NAI in 2002.
GNUpg was first released in 1999. It follows the OpenPGP standard, RFC 2440, released in 1998.