Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Care and Training of a PGP

The Care and Training of a PGP

It's a whole the same as ever world of needing to keep your personal
information, be it sensitive or nonsensitive, secure from prying eyes.
Recent events have only brought that to light.

In this workshop, we'll not only go over how to do such things as
exchange public keys, decrypt messages, and send encrypted emails; but
also what each of those steps mean, why they are important, and what is
really happening.

You'll need at least one form of photo ID, your own computer, and a
smile.

Caleb Hearth

January 06, 2015
Tweet

More Decks by Caleb Hearth

Other Decks in Technology

Transcript

  1. • Pretty Good Privacy (OpenPGP) is a standard that enables

    encrypted communication between individuals.
  2. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ! You may have

    received an email with a "NONAME" or "signature.asc" attachment and wondered what it was, or you might have seen an "armored" email wrapped in something like this. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 ! iQEcBAEBCAAGBQJUqFYaAAoJEBYhrcKgrOcK1PwIAKmBHbUwz8jC0vMWwMi5dOQc ZSYCAy0D5r6xRinItelIx0cHFkys3kVIYpEyXRlfHz6EwRJsJcIohcqAMK+xmxtD ZwWjv0QkY0upDBZOnG0Zm4D13hTFLP19RSi5nYMH0ozNVsOCwiizIOYeAvcnzUaC mXLK9eY5lsFUmDVtc7sU9N1pAHoR/yXrGYVLm8Q4W3NMIjrWMfg4SuMKDcg7wapR wYNI97EYeYVG7n3DTvATtWgWpLnLpsHYcAe4dA7qLvOiz4x4eyz02Z7jNjXXyF0c kQAA1BHcYeCjn01QeRkNkM+8t/GmydTJ5Ui81kEHrtFWkaqqI7LK6jBMhMz/yt4= =bJzJ -----END PGP SIGNATURE-----
  3. • This is a PGP-signed message, and it is cryptographically

    verifiable as having been signed by a specific key and representing a specific message.
  4. • PGP also allows you to encrypt messages, so that

    only intended recipients who control their secret keys can read them.
  5. • Messages might be actual messages, but they can also

    be things like hashes of software packages, which means you can be sure that a package came from a specific key.
  6. • Debian, RVM, Apache, Kernel.org, Aptitude, and others use this

    to help increase security pretty much for free (from the end-user perspective).
  7. • GnuPG, or GNU Privacy Guard (or GPG), is a

    FOSS implementation of OpenPGP
  8. • A public key, which you'll publish, allows others to

    encrypt messages to you and verify messages from you.
  9. • A private key, which you'll keep secret and safe,

    allows you to decrypt the messages encrypted to your public key and to sign messages so that others can verify they are from you.
  10. • Algorithms which separate keys into public/private pairs are more

    secure for several reasons, including that the private key should never be on the Internet.
  11. Please select what kind of key you want: (1) RSA

    and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1
  12. RSA keys may be between 1024 and 4096 bits long.

    What keysize do you want? (2048) 4096 Requested keysize is 4096 bits
  13. Please specify how long the key should be valid. 0

    = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Tue Dec 22 17:53:00 2015 CST Is this correct? (y/N) y =
  14. • This step allows you to limit the length of

    time your keys will be valid for. • It's possible to refresh the key before it expires so you're not losing a key if it runs out of time and you still have access to it. • If you lose your secret key, it will automatically invalidate when it expires. • I didn't want to bother with refreshing my key regularly, so mine never expires. Several others at thoughtbot have an expiration for 1 year after the key was generated. • It’s best to have one, just remember to refresh your key at whatever interval you define.
  15. GnuPG needs to construct a user ID to identify your

    key. ! Real name: Caleb Thompson Email address: [email protected] Comment: You selected this USER-ID: "Caleb Thompson <[email protected]>" ! Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
  16. • Enter a passphrase. • It’s like a password, but

    longer and more secure • It’s the weakest part of this whole system, so make it as strong as you can • Make sure nobody’s watching you set it
  17. gpg: key D658D2CC marked as ultimately trusted public and secret

    key created and signed. ! pub rsa4096/D658D2CC 2014-12-22 [expires: 2015-12-22] Key fingerprint = 7CCF 75EC 8930 D351 3A35 D4AF 78DA E141 D658 D2CC uid [ultimate] Caleb Thompson <[email protected]> sub rsa4096/11597F23 2014-12-22 [expires: 2015-12-22]
  18. Secret key is available. ! pub rsa4096/D658D2CC created: 2014-12-22 expires:

    2015-12-22 usage: SC trust: ultimate validity: ultimate sub rsa4096/11597F23 created: 2014-12-22 expires: 2015-12-22 usage: E [ultimate] (1). Caleb Thompson <[email protected]>
  19. gpg> adduid Real name: Caleb Thompson Email address: [email protected] Comment:

    You selected this USER-ID: "Caleb Thompson <[email protected]>" ! Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
  20. pub rsa4096/D658D2CC created: 2014-12-22 expires: 2015-12-22 usage: SC trust: ultimate

    validity: ultimate sub rsa4096/11597F23 created: 2014-12-22 expires: 2015-12-22 usage: E [ultimate] (1) Caleb Thompson <[email protected]> [ unknown] (2). Caleb Thompson <[email protected]> ! gpg> save
  21. $ gpg --list-keys […] pub rsa4096/D658D2CC 2014-12-22 [expires: 2015-12-22] uid

    [ultimate] Caleb Thompson <[email protected]> uid [ultimate] Caleb Thompson <[email protected]> sub rsa4096/11597F23 2014-12-22 [expires: 2015-12-22]
  22. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ! Clearsigning -----BEGIN PGP

    SIGNATURE----- Version: GnuPG v2 ! iQEcBAEBCAAGBQJUqDw2AAoJEBYhrcKgrOcKrfMH/joZohSt43Ro30wEphI19UOD IIuFHs+AAdfWSYgTJXZ8yNDrTjiOCe7pLRGguu0ALCq7PXoS+H4kAvohXGLzobyu 3oIyN1KyMT5a9Tj8r8Q6xHf8V6anaafhiZ8MIOD/aZpGOvJRMM5lCF+tiVS6hJz5 mRaKCWQu6+sdbz+Ndo8H0cpfIsVgH+ZkKoHYmRLlALATYwTK6Gh42AcvZ2OYErs2 GQbu16FK4kT8TWxvsAFQSa/8t8MgFNYQgh4JRxSqCFv5UDZiIqldWQWEz7pobYzA ornulaninwi2ZuVqjD+9sQqqoNSbytvzkd2fbcZs+v0w0WWnezUoHjyfN6jnMp0= =keqq -----END PGP SIGNATURE-----
  23. $ cat "Hi how are you" > innocent-msg $ gpg

    --detach-sign --output innocent-msg.sig innocent-msg
  24. $ # For a clearsigned message (or other signatures that

    include the message): $ gpg --decrypt msg.sig
  25. Hi gpg: Signature made Sat Jan 3 13:12:21 2015 CST

    using RSA key ID A0ACE70A gpg: Good signature from "Caleb Thompson <[email protected]>" [full] gpg: aka "Caleb Thompson <[email protected]>" [full] gpg: aka "Caleb Thompson <[email protected]>" [full]
  26. gpg: Signature made Sat Jan 3 13:12:21 2015 CST using

    RSA key ID A0ACE70A gpg: Good signature from "Caleb Thompson <[email protected]>" [full] gpg: aka "Caleb Thompson <[email protected]>" [full] gpg: aka "Caleb Thompson <[email protected]>" [full]
  27. • Assert that you’ve verified ownership (can use private key)

    • (It’s less common to actually do this step)
  28. • Announces to the world that if they trust you

    to verify these things, they can trust that the keys of people you have signed are more likely to represent the people they want to communicate with.
  29. pub rsa2048/5BE915C7 created: 2013-11-27 expires: 2016-11-26 usage: SC trust: marginal

    validity: full sub rsa2048/1B1DAFC7 created: 2013-11-27 expires: 2016-11-26 usage: E [ full ] (1). Terence Lee <[email protected]> ! ! pub rsa2048/5BE915C7 created: 2013-11-27 expires: 2016-11-26 usage: SC trust: marginal validity: full Primary key fingerprint: 43C9 BCC5 3DE7 C6D8 DD79 D42E FB54 F2C6 5BE9 15C7 ! Terence Lee <[email protected]> ! This key is due to expire on 2016-11-26.
  30. How carefully have you verified the key you are about

    to sign actually belongs to the person named above? If you don't know what to answer, enter "0". ! (0) I will not answer. (default) (1) I have not checked at all. (2) I have done casual checking. (3) I have done very careful checking. ! Your selection? (enter '?' for more information):
  31. Are you sure that you want to sign this key

    with your key "Caleb Thompson <[email protected]>" (D658D2CC) ! I have checked this key casually. ! Really sign? (y/N) y
  32. Be really safe • Sign each UID separately • Export

    UIDs to separate files • Encrypt each UID and email to the associated email address • Include instructions for importing encrypted keys and pushing to a keyserver
  33. Sign my key $ gpg --fingerprint [email protected] pub rsa2048/A0ACE70A 2013-08-12

    Key fingerprint = B432 C068 2FD1 C2D0 6A8B 3951 1621 ADC2 A0AC E70A uid [ full ] Caleb Thompson <[email protected]> uid [ full ] Caleb Thompson <[email protected]> uid [ full ] Caleb Thompson <[email protected]> sub rsa2048/545CA4DF 2013-08-12
  34. • Marking a key as trusted means that keys that

    key has signed are implicitly trusted at a higher level
  35. • How much do you trust them to verify identities

    (as we did in the key signing section)
  36. gpg> trust pub rsa4096/D658D2CC created: 2014-12-22 expires: 2015-12-22 usage: SC

    trust: ultimate validity: ultimate sub rsa4096/11597F23 created: 2014-12-22 expires: 2015-12-22 usage: E [ultimate] (1). Caleb Thompson <[email protected]> [ultimate] (2) Caleb Thompson <[email protected]> ! Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) ! 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu ! Your decision? 4
  37. 1 = I don't know or won't say 2 =

    I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu
  38. • You should have a key now • You know

    how to verify and sign a key
  39. • Come up to the podium with your laptop •

    Share your name and key id • Wait for us to get your key • Confirm your fingerprint • Show us your ID
  40. Bibliography • Color scheme: http://www.colourlovers.com/palette/482774/ dream_magnet • Speaker image credit:

    Terence Lee (@hone02) • https://www.gnupg.org/gph/en/manual/x135.html • http://www.chaosreigns.com/code/sig2dot/ • https://gnupg.org/faq/whats-new-in-2.1.html • http://jetsetnick.wordpress.com/2011/03/26/london-3ds- streetpass-event-27th-march-2011/