The Care and Training of a PGP

Transcript

1. The Care and Training of a PGP or: PGP and

   You

2. ` thoughtbot Keep Ruby Weird Pretty Good Weekly (calebthompson.io/pretty-good)

3. What is PGP

4. StreetPass for nerds

5. • Pretty Good Privacy (OpenPGP) is a standard that enables

   encrypted communication between individuals.

6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ! You may have

   received an email with a "NONAME" or "signature.asc" attachment and wondered what it was, or you might have seen an "armored" email wrapped in something like this. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 ! iQEcBAEBCAAGBQJUqFYaAAoJEBYhrcKgrOcK1PwIAKmBHbUwz8jC0vMWwMi5dOQc ZSYCAy0D5r6xRinItelIx0cHFkys3kVIYpEyXRlfHz6EwRJsJcIohcqAMK+xmxtD ZwWjv0QkY0upDBZOnG0Zm4D13hTFLP19RSi5nYMH0ozNVsOCwiizIOYeAvcnzUaC mXLK9eY5lsFUmDVtc7sU9N1pAHoR/yXrGYVLm8Q4W3NMIjrWMfg4SuMKDcg7wapR wYNI97EYeYVG7n3DTvATtWgWpLnLpsHYcAe4dA7qLvOiz4x4eyz02Z7jNjXXyF0c kQAA1BHcYeCjn01QeRkNkM+8t/GmydTJ5Ui81kEHrtFWkaqqI7LK6jBMhMz/yt4= =bJzJ -----END PGP SIGNATURE-----
7. None

8. Okay, Thanks for Coming.

9. • This is a PGP-signed message, and it is cryptographically

   verifiable as having been signed by a specific key and representing a specific message.

10. • PGP also allows you to encrypt messages, so that

    only intended recipients who control their secret keys can read them.

11. • Messages might be actual messages, but they can also

    be things like hashes of software packages, which means you can be sure that a package came from a specific key.

12. • Debian, RVM, Apache, Kernel.org, Aptitude, and others use this

    to help increase security pretty much for free (from the end-user perspective).

13. • how to generate keys

14. • how to send and receive encrypted messages

15. • how to sign other people’s keys

16. • how to trust other people’s keys

17. • but not only how

18. • what all of that means

19. • why we would ever want to do it

20. Let’s install the thing

21. • OpenPGP is a standard (RFC 4880)

22. • pgp is a implementation owned by Symantec

23. • GnuPG, or GNU Privacy Guard (or GPG), is a

    FOSS implementation of OpenPGP

24. • gpg, gpg2, gpg21

25. • classic, stable, modern

26. brew install gnupg2

27. None

28. brew uninstall gnupg2 gpg-agent dirmngr

29. brew tap homebrew/versions brew update brew install gnupg21

30. cp ~/.gnupg ~/.gnupg.stable

31. Generating a key

32. • To get anywhere with PGP, you'll need to have

    a keypair.

33. A keypair is composed of two parts

34. • A public key, which you'll publish, allows others to

    encrypt messages to you and verify messages from you.

35. • A private key, which you'll keep secret and safe,

    allows you to decrypt the messages encrypted to your public key and to sign messages so that others can verify they are from you.

36. • Algorithms which separate keys into public/private pairs are more

    secure for several reasons, including that the private key should never be on the Internet.

37. $ gpg --full-gen-key

38. Please select what kind of key you want: (1) RSA

    and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1

39. RSA keys may be between 1024 and 4096 bits long.

    What keysize do you want? (2048) 4096 Requested keysize is 4096 bits

40. Please specify how long the key should be valid. 0

    = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Tue Dec 22 17:53:00 2015 CST Is this correct? (y/N) y =

41. • This step allows you to limit the length of

    time your keys will be valid for. • It's possible to refresh the key before it expires so you're not losing a key if it runs out of time and you still have access to it. • If you lose your secret key, it will automatically invalidate when it expires. • I didn't want to bother with refreshing my key regularly, so mine never expires. Several others at thoughtbot have an expiration for 1 year after the key was generated. • It’s best to have one, just remember to refresh your key at whatever interval you define.

42. GnuPG needs to construct a user ID to identify your

    key. ! Real name: Caleb Thompson Email address: [email protected] Comment: You selected this USER-ID: "Caleb Thompson <[email protected]>" ! Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

43. • Enter a passphrase. • It’s like a password, but

    longer and more secure • It’s the weakest part of this whole system, so make it as strong as you can • Make sure nobody’s watching you set it

44. gpg: key D658D2CC marked as ultimately trusted public and secret

    key created and signed. ! pub rsa4096/D658D2CC 2014-12-22 [expires: 2015-12-22] Key fingerprint = 7CCF 75EC 8930 D351 3A35 D4AF 78DA E141 D658 D2CC uid [ultimate] Caleb Thompson <[email protected]> sub rsa4096/11597F23 2014-12-22 [expires: 2015-12-22]

45. $ gpg --send-keys D658D2CC # <- your new key id

46. But I have more than one email address

47. $ gpg --edit-key [email protected]

48. Secret key is available. ! pub rsa4096/D658D2CC created: 2014-12-22 expires:

    2015-12-22 usage: SC trust: ultimate validity: ultimate sub rsa4096/11597F23 created: 2014-12-22 expires: 2015-12-22 usage: E [ultimate] (1). Caleb Thompson <[email protected]>

49. gpg> adduid Real name: Caleb Thompson Email address: [email protected] Comment:

    You selected this USER-ID: "Caleb Thompson <[email protected]>" ! Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

50. pub rsa4096/D658D2CC created: 2014-12-22 expires: 2015-12-22 usage: SC trust: ultimate

    validity: ultimate sub rsa4096/11597F23 created: 2014-12-22 expires: 2015-12-22 usage: E [ultimate] (1) Caleb Thompson <[email protected]> [ unknown] (2). Caleb Thompson <[email protected]> ! gpg> save

51. $ gpg --list-keys […] pub rsa4096/D658D2CC 2014-12-22 [expires: 2015-12-22] uid

    [ultimate] Caleb Thompson <[email protected]> uid [ultimate] Caleb Thompson <[email protected]> sub rsa4096/11597F23 2014-12-22 [expires: 2015-12-22]

52. $ gpg --send-keys YOURKEYID

53. Signing and Encrypting Messages

54. • Signing a message is a verifiable way of proving

    that you wrote it

55. • Signing does not prevent anyone from reading a message

56. • Many ways to sign, we’ll look at two common

    ones

57. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ! Clearsigning -----BEGIN PGP

    SIGNATURE----- Version: GnuPG v2 ! iQEcBAEBCAAGBQJUqDw2AAoJEBYhrcKgrOcKrfMH/joZohSt43Ro30wEphI19UOD IIuFHs+AAdfWSYgTJXZ8yNDrTjiOCe7pLRGguu0ALCq7PXoS+H4kAvohXGLzobyu 3oIyN1KyMT5a9Tj8r8Q6xHf8V6anaafhiZ8MIOD/aZpGOvJRMM5lCF+tiVS6hJz5 mRaKCWQu6+sdbz+Ndo8H0cpfIsVgH+ZkKoHYmRLlALATYwTK6Gh42AcvZ2OYErs2 GQbu16FK4kT8TWxvsAFQSa/8t8MgFNYQgh4JRxSqCFv5UDZiIqldWQWEz7pobYzA ornulaninwi2ZuVqjD+9sQqqoNSbytvzkd2fbcZs+v0w0WWnezUoHjyfN6jnMp0= =keqq -----END PGP SIGNATURE-----

58. $ gpg --clearsign - [your message here] ^D [ascii-armored message

    and signature output]

59. Detached binary signature

60. $ cat "Hi how are you" > innocent-msg $ gpg

    --detach-sign --output innocent-msg.sig innocent-msg

61. • Verifying signatures

62. $ # For a clearsigned message (or other signatures that

    include the message): $ gpg --decrypt msg.sig

63. Hi gpg: Signature made Sat Jan 3 13:12:21 2015 CST

    using RSA key ID A0ACE70A gpg: Good signature from "Caleb Thompson <[email protected]>" [full] gpg: aka "Caleb Thompson <[email protected]>" [full] gpg: aka "Caleb Thompson <[email protected]>" [full]

64. $ # For a detached signature: $ gpg --verify innocent-msg.sig

    innocent-msg

65. gpg: Signature made Sat Jan 3 13:12:21 2015 CST using

    RSA key ID A0ACE70A gpg: Good signature from "Caleb Thompson <[email protected]>" [full] gpg: aka "Caleb Thompson <[email protected]>" [full] gpg: aka "Caleb Thompson <[email protected]>" [full]

66. Signing a key: what and how?

67. • Signing a key uses the same (or similar) mechanics

    internally as signing a message

68. • Has different semantic meaning:

69. • Assert that you’ve verified identity (driver’s licence, passport, etc.)

70. • Assert that you’ve verified that you have the right

    key

71. • Assert that you’ve verified ownership (can use private key)

72. • Assert that you’ve verified ownership (can use private key)

    • (It’s less common to actually do this step)

73. • Announces to the world that if they trust you

    to verify these things, they can trust that the keys of people you have signed are more likely to represent the people they want to communicate with.

74. • Fundamental to the Web of Trust

75. None

76. $ gpg --sign-key --ask-cert-level Terence

77. pub rsa2048/5BE915C7 created: 2013-11-27 expires: 2016-11-26 usage: SC trust: marginal

    validity: full sub rsa2048/1B1DAFC7 created: 2013-11-27 expires: 2016-11-26 usage: E [ full ] (1). Terence Lee <[email protected]> ! ! pub rsa2048/5BE915C7 created: 2013-11-27 expires: 2016-11-26 usage: SC trust: marginal validity: full Primary key fingerprint: 43C9 BCC5 3DE7 C6D8 DD79 D42E FB54 F2C6 5BE9 15C7 ! Terence Lee <[email protected]> ! This key is due to expire on 2016-11-26.

78. How carefully have you verified the key you are about

    to sign actually belongs to the person named above? If you don't know what to answer, enter "0". ! (0) I will not answer. (default) (1) I have not checked at all. (2) I have done casual checking. (3) I have done very careful checking. ! Your selection? (enter '?' for more information):

79. (1) I have not checked at all.

80. (2) I have done casual checking.

81. (3) I have done very careful checking.

82. Are you sure that you want to sign this key

    with your key "Caleb Thompson <[email protected]>" (D658D2CC) ! I have checked this key casually. ! Really sign? (y/N) y

83. • Somehow get the key to Terence

84. Be Pragmatic $ gpg --send-keys 5BE915C7

85. Be really safe • Sign each UID separately • Export

    UIDs to separate files • Encrypt each UID and email to the associated email address • Include instructions for importing encrypted keys and pushing to a keyserver

86. Get my key $ gpg --recv-keys A0ACE70A

87. Sign my key $ gpg --fingerprint [email protected] pub rsa2048/A0ACE70A 2013-08-12

    Key fingerprint = B432 C068 2FD1 C2D0 6A8B 3951 1621 ADC2 A0AC E70A uid [ full ] Caleb Thompson <[email protected]> uid [ full ] Caleb Thompson <[email protected]> uid [ full ] Caleb Thompson <[email protected]> sub rsa2048/545CA4DF 2013-08-12

88. Trusting a key: Should I do it?

89. • First of all, trust is private and local

90. • Unlike keysigning, it is never broadcast • So you

    can be honest about it.

91. • Having trusted keys makes the Web of Trust more

    useful to you

92. • Marking a key as trusted means that keys that

    key has signed are implicitly trusted at a higher level

93. • Not “would this person take a bullet for me”

94. • How much do you trust them to verify identities

    (as we did in the key signing section)

95. $ gpg --edit-key [email protected]

96. gpg> trust pub rsa4096/D658D2CC created: 2014-12-22 expires: 2015-12-22 usage: SC

    trust: ultimate validity: ultimate sub rsa4096/11597F23 created: 2014-12-22 expires: 2015-12-22 usage: E [ultimate] (1). Caleb Thompson <[email protected]> [ultimate] (2) Caleb Thompson <[email protected]> ! Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) ! 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu ! Your decision? 4

97. 1 = I don't know or won't say 2 =

    I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu

98. gpg> save Key not changed so no update needed.

99. Sending encrypted mail

100. Signing Git commits & tags

101. Signing software releases

102. PGP and You http://robots.thoughtbot.com/pgp-and-you

103. Keysigning Party !!1!

104. • You should have a key now • You know

     how to verify and sign a key

105. • Come up to the podium with your laptop •

     Share your name and key id • Wait for us to get your key • Confirm your fingerprint • Show us your ID

106. $ gpg --recv-keys [the key id]

107. Bibliography • Color scheme: http://www.colourlovers.com/palette/482774/ dream_magnet • Speaker image credit:

     Terence Lee (@hone02) • https://www.gnupg.org/gph/en/manual/x135.html • http://www.chaosreigns.com/code/sig2dot/ • https://gnupg.org/faq/whats-new-in-2.1.html • http://jetsetnick.wordpress.com/2011/03/26/london-3ds- streetpass-event-27th-march-2011/