SIPB Cluedump Series 2019 - SIPB Cluedumps - Learn...
Transcript of SIPB Cluedump Series 2019 - SIPB Cluedumps - Learn...
![Page 1: SIPB Cluedump Series 2019 - SIPB Cluedumps - Learn PGPcluedumps.mit.edu/w/images/3/31/2016-Learn-PGP.pdf · 2016-12-12 · Learn PGP SIPB Cluedump, 19 October 2016 Anish Athalye (aathalye),](https://reader033.fdocuments.in/reader033/viewer/2022060418/5f1553670f2f4a42e178e2d9/html5/thumbnails/1.jpg)
Learn PGP
SIPB Cluedump, 19 October 2016
Anish Athalye (aathalye), Merry Mou (mmou), Adam Suhl (asuhl)
Overview
1. Theoretical PGP / Intro to Security
2. Practical PGP - Installation, Usage, Demo
3. Do it yourself!
THEORETICAL PGP!
The Problem
I want to send and receive email from Bob and make sure:
No one else can read OR modify its contents
I trust that Bob is Bob, and Bob trusts that I am me
The Solution
Use public key cryptography to achieve end-to-end encryption
Public Key Cryptography (tl;dr edition)
Each person has a (private key, public key) pair
Two basic sets of operations:
Encrypt / Decrypt
encrypt(plaintext, public key) -> ciphertext
decrypt(ciphertext, private key) -> plaintext
Sign / Verify
sign(data, private key) -> signature
verify(data, signature, public key) -> ok?
Trust Models
How do you know that you can trust a key?
Centralized (e.g. HTTPS)
Certificate Authority hierarchy
Decentralized (e.g. PGP)
Web of Trust
Finding and Trusting Keys
Public key certificate server (keyserver): a database of public keys of people (of unverified identities), so that you can look up someone's key and send them messages encrypted with their public key. Anyone can upload a key under any name, so finding a key on a server says nothing about who actually holds it.
Your keyring: list of public keys whose owners' identities are verified by you
Web of trust: "web" of public keys whose owners' identities are verified, usually via in person contact (e.g. PGP key signing party)
Using your Key
Signing someone else's key to show that you trust that their key belongs to them (e.g. during a PGP key signing party)
Signing your software release so that people can verify that you wrote it and that it hasn't been modified
Signing your email and attaching the signature with it so that the receiver can verify that you wrote it and that it hasn't been modified
Encrypting your email and sending the ciphertext so that no one else can read your message (encryption alone does not stop tampering, so often you'll also sign the email)
Encrypting and signing your backups in Amazon S3 to make sure that Amazon can't read your secret files and can't alter them without you noticing
Limitations of PGP
(aka, ways the NSA can still get you)
(aka, why PGP is only "pretty good"privacy)
Endpoint security (malware on your laptop reads the plaintext before it is ever encrypted)
Metadata (e.g., subject line, sender and recipient addresses, and timestamps all travel in the clear)
User error (replying in plaintext, signing the wrong key, losing the private key)
Scalability (every pair of correspondents has to verify each other's keys)
PRACTICAL PGP!
PGP, GPG, OpenPGP
OpenPGP - the standard https://tools.ietf.org/html/rfc4880
PGP - the original program, from which the OpenPGP standard was derived; now commercial proprietary software owned by Symantec (as of 2016)
GPG - GNU Privacy Guard, open source implementation of the OpenPGP standard, the thing everyone uses
(But in reality, people use all three terms interchangeably)
Installing PGP: Mac OS
Graphical clients also available (https://gpgtools.org/)
Or, for CLI client only, brew install gpg2
EFF tutorial on installing: https://ssd.eff.org/en/module/how-use-pgp-mac-os-x
With Apple Mail: https://gpgtools.org/
Installing PGP: Linux
apt install gnupg (or "pacman -S gnupg", etc.)
https://ssd.eff.org/en/module/how-use-pgp-linux
Installing PGP: Windows ¯\_(ツ)_/¯
https://ssd.eff.org/en/module/how-use-pgp-windows
How to download GPG4Win + Thunderbird integration
Tested: once this is installed, the CLI client works too (in cmd.exe)
Basic Operations
Create your key
gpg --gen-key
(In GnuPG 2.1 and later, gpg --full-gen-key lets you choose the key type, size and expiry instead of taking the defaults)
Figure out your key fingerprint
gpg --list-secret-keys --fingerprint
Upload key to keyserver
gpg --keyserver pgp.mit.edu --send-key <fingerprint or key id>
(Prefer the full fingerprint: a short key id is only 32 bits, and a key whose id collides with someone else's is cheap to make)
Basic Operations (continued)
Download a key from the keyservers
gpg --recv-key <fingerprint or key id>
Sign a blob of text
gpg --clearsign
Sign and encrypt a blob of text
gpg --sign --encrypt --armor
Decrypt a blob of text
gpg --decrypt
Verify a signature
gpg --verify
Signing keys
Verify the person's identity (e.g., with photo ID)
Download their key from a keyserver:
gpg --keyserver pgp.mit.edu --recv-key <their fingerprint or key id>
Sign the key
gpg --sign-key <their fingerprint or key id>
Check with the person that the fingerprint you see is correct before saying "yes"!
Send their signed key to the keyserver
gpg --keyserver pgp.mit.edu --send-key <their fingerprint or key id>
Encrypt/decrypt your email
Thunderbird: Install Enigmail
https://ssd.eff.org has tutorials for setting up Enigmail with Thunderbird
(Thunderbird 78 and later has OpenPGP support built in and no longer uses Enigmail)
Apple Mail
https://gpgtools.org/
Gmail:
Write email in a text editor
Encrypt and sign the email
Paste it into gmail
Other key maintenance stuff
Backing up your key (.gnupg directory)
Key expiration
Revocation certificates (make one!)
Key comments
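The Basic Operations, Signing keys and key maintenance slides above, run end to end as one unattended script. This is an added example, not part of the original cluedump: the names, addresses and message text are made up, two throwaway GNUPGHOME directories stand in for two people, and exported key files stand in for pgp.mit.edu, so nothing touches your real ~/.gnupg or the network. It assumes GnuPG 2.2 or newer on PATH (for --quick-sign-key, unattended Ed25519 key generation and the revocation certificate that gpg now writes at generation time).

```shell
#!/bin/sh
# Added example, not part of the cluedump: the Basic Operations, Signing keys
# and key-maintenance slides as one unattended script. Two throwaway GNUPGHOME
# directories stand in for two people and exported key files stand in for the
# keyserver, so nothing touches your real ~/.gnupg or the network.
# Names, addresses and message text are made up. Needs GnuPG 2.2 or newer.
set -eu

WORK="$(mktemp -d)"
ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -p "$ALICE" "$BOB"; chmod 700 "$ALICE" "$BOB"

cleanup() {
    for h in "$ALICE" "$BOB"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# as_user HOMEDIR ARGS...: run gpg against one person's keyring, never prompting.
as_user() { h="$1"; shift; GNUPGHOME="$h" gpg --batch --quiet --no-tty "$@"; }

# gen_key HOMEDIR NAME EMAIL: unattended form of "gpg --gen-key".
# %no-protection skips the passphrase so no pinentry is needed (a real key
# should have one). Ed25519/cv25519 keys generate instantly; the one-year
# expiry is the slides' advice: an expired key can be extended, a lost one cannot.
gen_key() {
    as_user "$1" --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Subkey-Type: ecdh
Subkey-Curve: cv25519
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
%commit
EOF
}

# fingerprint HOMEDIR EMAIL: the 40-hex-digit primary fingerprint, read from the
# colon-separated listing instead of scraped from "--fingerprint" output.
fingerprint() {
    as_user "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

gen_key "$ALICE" "Alice Example" alice@example.org
gen_key "$BOB"   "Bob Example"   bob@example.org
ALICE_FPR="$(fingerprint "$ALICE" alice@example.org)"
BOB_FPR="$(fingerprint "$BOB" bob@example.org)"

# "--send-key" / "--recv-key" without a keyserver: export to a file, import from it.
as_user "$ALICE" --armor --export "$ALICE_FPR" > "$WORK/alice.asc"
as_user "$BOB"   --armor --export "$BOB_FPR"   > "$WORK/bob.asc"
as_user "$ALICE" --import "$WORK/bob.asc"
as_user "$BOB"   --import "$WORK/alice.asc"

# A key fetched from a keyserver is unverified. In batch mode gpg cannot ask
# "use it anyway?", so encrypting to Bob is refused until Alice certifies his key.
if printf 'hi\n' | as_user "$ALICE" --encrypt --recipient bob@example.org >/dev/null 2>&1
then UNVERIFIED=accepted; else UNVERIFIED=refused; fi

# Key signing party step: compare the fingerprint in Alice's keyring with the
# one Bob reads off his own machine (standing in for the photo-ID check), and
# only then sign (the non-interactive form of "gpg --sign-key").
[ "$(fingerprint "$ALICE" bob@example.org)" = "$BOB_FPR" ] \
    || { echo "fingerprint mismatch: do not sign" >&2; exit 1; }
as_user "$ALICE" --quick-sign-key "$BOB_FPR"

# "gpg --sign --encrypt --armor": Alice to Bob.
MESSAGE="Meet at the SIPB office (W20-557) at 7pm"
printf '%s\n' "$MESSAGE" | as_user "$ALICE" --sign --encrypt --armor \
    --local-user alice@example.org --recipient bob@example.org > "$WORK/to_bob.asc"

# "gpg --decrypt": Bob gets the plaintext on stdout; the signature verdict is
# taken from the machine-readable status lines (GOODSIG), not the human text.
DECRYPTED="$(as_user "$BOB" --status-file "$WORK/status" --decrypt "$WORK/to_bob.asc")"
grep -q '^\[GNUPG:\] GOODSIG ' "$WORK/status" && SIG=good || SIG=bad

# "gpg --clearsign" and "gpg --verify", then change one word of the signed text.
printf 'Pay Bob 10 dollars\n' | as_user "$ALICE" --clearsign > "$WORK/note.asc"
as_user "$BOB" --verify "$WORK/note.asc" 2>/dev/null && NOTE_OK=1 || NOTE_OK=0
sed 's/10 dollars/1000 dollars/' "$WORK/note.asc" > "$WORK/forged.asc"
as_user "$BOB" --verify "$WORK/forged.asc" 2>/dev/null && FORGED_OK=1 || FORGED_OK=0

# Maintenance: an armored backup of the secret key (store it offline), and the
# revocation certificate GnuPG writes at generation time.
as_user "$ALICE" --armor --export-secret-keys "$ALICE_FPR" > "$WORK/alice-secret-backup.asc"
REVOC="$ALICE/openpgp-revocs.d/$ALICE_FPR.rev"

echo "Alice $ALICE_FPR"
echo "Bob   $BOB_FPR"
echo "encrypt to unverified key: $UNVERIFIED; after signing, Bob decrypted: $DECRYPTED (signature $SIG)"
echo "clearsigned note verifies: $NOTE_OK; forged copy verifies: $FORGED_OK"
[ -s "$REVOC" ] && echo "revocation certificate: $REVOC" || echo "no pre-generated revocation certificate; run gpg --gen-revoke"
as_user "$ALICE" --list-keys alice@example.org | grep expires || true
```

Two things to notice when it runs: Alice's first encryption attempt is refused, because Bob's key only becomes valid once she certifies it with her own (ultimately trusted) key, which is the web of trust doing its job and exactly what --trust-model always would bypass; and the forged clearsigned note fails --verify although only one word changed. Use --quick-lsign-key instead of --quick-sign-key if you want to record a verification locally without ever publishing it.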
Resources
Slides at git.io/learn-pgp
GPG Best Practices https://riseup.net/en/security/message-security/openpgp/gpg-best-practices
EFF Surveillance Self Defense https://ssd.eff.org/
Come to SIPB's PGP Key Signing and Movie Night Party on 10/27 7pm in the SIPB office (W20-557)!
Bring your laptop and a government ID