Difference between revisions of "Encrypting E-mail with GnuPG, Thunderbird and Enigmail"
BobJonkman (talk | contribs) (Categorized: KWCrypto) |
BobJonkman (talk | contribs) (→Bob Jonkman: Full name for 0xABad1dea) |
||
(66 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | On Monday, 2 December 2013 I'm giving a presentation at KWLUG on ''Encrypting E-mail with GnuPG, Thunderbird and Enigmail'' which will be followed by a [[Formal Keysigning]] with a | + | On [http://kwlug.org/node/909 Monday, 2 December 2013] I'm giving a presentation at [http://kwlug.org/ KWLUG] on ''Encrypting E-mail with GnuPG, Thunderbird and Enigmail'' which will be followed by a [[Formal Keysigning]]. |
+ | |||
+ | I'm using this page to develop my presentation notes. If you have comments, criticisms, or suggestions please put them on the [[Talk:Editing Encrypting E-mail with GnuPG, Thunderbird and Enigmail|Talk]] page. | ||
+ | |||
+ | --Bob. | ||
+ | |||
+ | ----- | ||
+ | I've started to convert this page to [http://sobac.com/kwcrypto/kwlug-2013-12-02/ presentation slides] | ||
+ | [[User:BobJonkman|BobJonkman]] 19:52, 19 November 2013 (UTC) | ||
+ | |||
+ | ----- | ||
+ | |||
+ | == Intro to Crypto == | ||
+ | === Why use Encrypted E-mail? === | ||
+ | * Security | ||
+ | ** Encrypted mail cannot be read by a Man In The Middle (MITM) | ||
+ | * Authenticity (Integrity) | ||
+ | ** Signed mail cannot be modified in transit, accidentally by mis-configured servers, or maliciously by MITM | ||
+ | * Non-repudiability | ||
+ | ** Signed mail can only come from the sender | ||
+ | |||
+ | === Why NOT use Encrypted E-mail? === | ||
+ | [[File:Security-538.png|frame|right|Rubber Hose Cryptanalysis (using a $5 wrench). http://xkcd.com/538 ]] | ||
+ | * Need the other party to use the same encryption | ||
+ | * Locked-in format | ||
+ | ** Lose your secret key, lose your mail | ||
+ | ** Need to keep revoked keys to read old mail | ||
+ | ** If your key is compromised, all your old mail is compromised (no forward secrecy) | ||
+ | * Non-repudiability | ||
+ | ** Politicians? CEOs? | ||
+ | * Rubber Hose Cryptanalysis (or $5 Wrench Cryptanalysis) | ||
+ | * It's '''hard'''! | ||
+ | ** and looks geeky... | ||
+ | |||
+ | ==== Unencrypted, unsigned message ==== | ||
+ | <pre>Date: Mon, 25 Nov 2013 18:27:22 -0500 | ||
+ | From: Crypto Guy <cryptoguy@sobac.com> | ||
+ | To: Crypto Guy <cryptoguy@sobac.com> | ||
+ | Subject: Hello! | ||
+ | |||
+ | Hello World! | ||
+ | </pre> | ||
+ | |||
+ | ==== Unencrypted, signed message ==== | ||
<pre> | <pre> | ||
− | + | Date: Mon, 25 Nov 2013 18:27:22 -0500 | |
− | + | From: Crypto Guy <cryptoguy@sobac.com> | |
+ | To: Crypto Guy <cryptoguy@sobac.com> | ||
+ | Subject: Hello! | ||
+ | |||
+ | -----BEGIN PGP SIGNED MESSAGE----- | ||
+ | Hash: SHA1 | ||
+ | |||
+ | Hello World! | ||
− | + | ||
+ | -----BEGIN PGP SIGNATURE----- | ||
+ | Version: GnuPG v1.4.14 (GNU/Linux) | ||
+ | Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ | ||
+ | |||
+ | iQEcBAEBAgAGBQJSk9zaAAoJENrSxFs55fZVAAgIAK2BKzV/qUTXCu0gEWJq2U3z | ||
+ | mZ6nsfzjs8aXJe8CT/c7kr7HSgSV57kvukIbvcUP5sCGwpIfwK04qA0Af4J9jXp7 | ||
+ | Wq1/k0wjA1WzhCWUEEjdBs/05bAbQ78ulTbhFlII2ywLgH6BYxgjceZa9abgF8Di | ||
+ | xHkRWEAI6q+scoEhi0rCGlCX3UX/pkiZ1GlaxxxMBu1J5DbFaAJZ1MiPUDOLQN9w | ||
+ | 5LzIqi4rKTtnCQo6G3WWRg5HvPMHHmUJoaZfZpnPrszf4ttG0vrFLxJKUqZszDyr | ||
+ | V5Lx/IjKAZBwoRRjfpRZILFHWoveaw5MG8487jM76W7LiVTEsX2AFGI3R6uy+KA= | ||
+ | =0p58 | ||
+ | -----END PGP SIGNATURE----- | ||
+ | </pre> | ||
+ | |||
+ | ==== Encrypted, signed message ==== | ||
+ | <pre> | ||
+ | Date: Date: Mon, 25 Nov 2013 18:27:22 -0500 | ||
+ | From: Crypto Guy <cryptoguy@sobac.com> | ||
+ | To: Crypto Guy <cryptoguy@sobac.com> | ||
+ | Subject: Hello! | ||
+ | |||
+ | -----BEGIN PGP MESSAGE----- | ||
+ | Charset: ISO-8859-1 | ||
+ | Version: GnuPG v1.4.14 (GNU/Linux) | ||
+ | Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ | ||
+ | |||
+ | hQEMA7bHREkg/1GxAQf/dmPoG27m33QGlUEZ0F9rlndQJFgeAyPBpXVEV2uCgaGw | ||
+ | rCzeBOkcE7FMmo2MjiozS64QaynPAGuHYoKwRIYS06Aa3ll2FwFO4O2tGiC1jsGQ | ||
+ | EUgjIE8h4iqIG4D5uzsv/iQ14QWJm4vaACxLCEtSaIRYcNB6Kxvy0phydltc3cp1 | ||
+ | Ri1OlYPV799yiT7bcdT3ntTew5UF853mUrEIPt3NRfEDrC/m8ScTCT9SD2VRzlfA | ||
+ | qMviBt20XgApQscLBOWCAHv+1u2eUQ8AM3OsAZ/K4mw+s/jcWNNqLG9DRrrHJzMK | ||
+ | YXiZtLuE02eqpXjxrgfKmUloWAu7p9uQHMRwJjIy89LAugFdmW8HY1eZbpu7kUQU | ||
+ | 9PvGydWd0QUPjkG7CXEeh63hmmbJgmJdjqOVjDuXhuHI1xU9+psmLPEszAY1TP9f | ||
+ | V4WR7SAIIVtE5r2S3YRwgyXWsPF+VgesBiUtQ7mroSGeVJ6GRR/rn0IdnLabrJsb | ||
+ | WXiCAtNajDx/x1QGcxFDIQjNsnqvzraSHwcpX6XelRCIz3jyS3SKDdR0T/x5YkmA | ||
+ | mkmXDZlLUntyjbJjZF0LmB96PTAi8JT/OG4QCxTsPMIpkLJZOcQ4SnHsaxfVgLqg | ||
+ | gOt5bxT9ybGt17xrw/j/mKpcq9cbyXFVJoRr73OVE8Wg2IYBye4TPu/HfXIGUh70 | ||
+ | s4dE1Jc+iqdVLqJ2w3qGo4v8B2pg6bPLde7TT/7NrrvEWg0Zxlr+SFr+60xiyPGu | ||
+ | 8eJHtQYSXe4OOc2FZev9mb0M2IIr0zpd7q5MvUqE+4b/VUtmadUFcExuUdaayS0P | ||
+ | rgLVNx3285jGXzelaFB2/+Gzx/m7MMXsKMBX7Q== | ||
+ | =jfdJ | ||
+ | -----END PGP MESSAGE----- | ||
</pre> | </pre> | ||
− | + | === Crypto Theory === | |
+ | ==== Symmetric Key Encryption ==== | ||
+ | * Substitution cipher, Caesar cipher | ||
+ | ** Key = -1 | ||
+ | *** Encrypt: <span style="padding:0 .5em; background:#DFD;">IBM</span> ⇒ <span style="padding:0 .5em; background:#F88;">'''-'''1</span> = <span style="padding:0 .5em; background:#DDF;">HAL</span> | ||
+ | *** Decrypt: <span style="padding:0 .5em; background:#DDF;">Khmtw Trdq Fqnto</span> ⇒ <span style="padding:0 .5em; background:#F88;">'''+'''1</span> = <span style="padding:0 .5em; background:#DFD;">Linux User Group</span> | ||
+ | ** Key = 13 (ROT13) | ||
+ | *** Encrypt: <span style="padding:0 .5em; background:#DFD;">Linux User Group</span> ⇒ <span style="padding:0 .5em; background:#F88;">'''+'''13</span> = <span style="padding:0 .5em; background:#DDF;">Yvahk Hfre Tebhc</span> | ||
+ | *** Decrypt: <span style="padding:0 .5em; background:#DDF;">Yvahk Hfre Tebhc</span> ⇒ <span style="padding:0 .5em; background:#F88;">'''+'''13</span> = <span style="padding:0 .5em; background:#DFD;">Linux User Group</span> | ||
+ | * Need a secure way to share key | ||
+ | |||
+ | ==== Public/Private Key Encryption ==== | ||
+ | ===== The Math ===== | ||
+ | Based on '''One-way function''': Easy to do, hard to reverse | ||
+ | * 59 x 61 = ???? | ||
+ | ** 59 x 61 = 3599 | ||
+ | * 3551 = ?? x ?? | ||
+ | ** 3551 = 53 x 67 | ||
+ | |||
+ | ===== The Theory ===== | ||
+ | [[File:CryptopartyGenericLogo-transparent.png|right|thumb|A Key Pair]] | ||
+ | Generate a keypair | ||
+ | * Add name, e-mail and comment (doesn't have to be your real name or e-mail) | ||
+ | * <span style="padding:0 .5em; background:#E0F;">Public Key</span>, <span style="padding:0 .5em; background:#F09;">Private (Secret) Key</span> | ||
+ | * Anything encrypted by one key is decrypted by the other | ||
+ | ** Encrypt: <span style="padding:0 .5em; background:#DFD;">Hello World</span> ⇒ <span style="padding:0 .5em; background:#E0F;">Public Key</span> = <span style="padding:0 .5em; background:#DDF;">|-|3110 '//0|21|)</span> | ||
+ | ** Decrypt: <span style="padding:0 .5em; background:#DDF;">|-|3110 '//0|21|)</span> ⇒ <span style="padding:0 .5em; background:#F09;">Secret Key</span> = <span style="padding:0 .5em; background:#DFD;">Hello World</span> | ||
+ | |||
+ | |||
+ | :* Encrypt: <span style="padding:0 .5em; background:#DFD;">Linux Is Cool</span> ⇒ <span style="padding:0 .5em; background:#F09;">Secret Key</span> = <span style="padding:0 .5em; background:#DDF;">1!/\/|_|>< !5 (001</span> | ||
+ | :* Decrypt: <span style="padding:0 .5em; background:#DDF;">1!/\/|_|>< !5 (001</span> ⇒ <span style="padding:0 .5em; background:#E0F;">Public Key</span> = <span style="padding:0 .5em; background:#DFD;">Linux Is Cool</span> | ||
+ | |||
+ | ===== In Practice ===== | ||
+ | *GnuPG/PGP uses a symmetric key, not Public/Secret keys to encrypt a message | ||
+ | *Symmetric Key generated by Pseudo Random Number Generator (PRNG) | ||
+ | *Symmetric Key is encrypted with recipient's Public Key | ||
+ | |||
+ | [[File:Alice+Bob+Evelyn+Mallory+Trent-by-@0xABad1dea.png|thumb|right|[https://twitter.com/0xabad1dea/status/400676797874208768 The Players] by [https://twitter.com/@0xABad1dea @0xABad1dea]]] | ||
+ | * Bob encrypts a message to Alice | ||
+ | ** GnuPG/PGP generates a random <span style="padding:0 .5em; background:#F88;">Symmetric Key</span> | ||
+ | ** <span style="padding:0 .5em; background:#DFD;">Message</span> ⇒ <span style="padding:0 .5em; background:#F88;">Symmetric Key</span> = <span style="padding:0 .5em; background:#DDF;">|\/|355463</span> | ||
+ | ** <span style="padding:0 .5em; background:#F88;">Symmetric Key</span> ⇒ <span style="padding:0 .5em; background:#E0F;">Alice's Public Key</span> = <span style="padding:0 .5em; background:#DDF;">5`/|\/||\/|37|2!( |<3`/</span> | ||
+ | ** Bob sends <span style="padding:0 .5em; background:#DDF;">|\/|355463</span> <span style="padding:0 .5em; background:#DDF;">5`/|\/||\/|37|2!( |<3`/</span> to Alice | ||
+ | |||
+ | * Alice decrypts a message from Bob | ||
+ | ** Alice receives <span style="padding:0 .5em; background:#DDF;">|\/|355463</span> <span style="padding:0 .5em; background:#DDF;">5`/|\/||\/|37|2!( |<3`/</span> from Bob | ||
+ | ** <span style="padding:0 .5em; background:#DDF;">5`/|\/||\/|37|2!( |<3`/</span> ⇒ <span style="padding:0 .5em; background:#F09;">Alice's Secret Key</span> = <span style="padding:0 .5em; background:#F88;">Symmetric Key</span> | ||
+ | ** <span style="padding:0 .5em; background:#DDF;">|\/|355463</span> ⇒ <span style="padding:0 .5em; background:#F88;">Symmetric Key</span> = <span style="padding:0 .5em; background:#DFD;">Message</span> | ||
+ | |||
+ | * Bob signs a message | ||
+ | ** <span style="padding:0 .5em; background:#DFD;">Message</span> ⇒ <span style="padding:0 .5em; background:#CCC;">Hash</span> = <span style="padding:0 .5em; background:#DFD;">ABC</span> | ||
+ | ** <span style="padding:0 .5em; background:#DFD;">ABC</span> ⇒ <span style="padding:0 .5em; background:#F09;">Bob's Secret Key</span> = <span style="padding:0 .5em; background:#DDF;">4|>(</span> | ||
+ | |||
+ | * Alice checks Bob's signature | ||
+ | ** <span style="padding:0 .5em; background:#DDF;">4|>(</span> ⇒ <span style="padding:0 .5em; background:#E0F;">Bob's Public Key</span> = <span style="padding:0 .5em; background:#DFD;">ABC</span> | ||
+ | ** <span style="padding:0 .5em; background:#DFD;">Message</span> ⇒ <span style="padding:0 .5em; background:#CCC;">Hash</span> = <span style="padding:0 .5em; background:#DFD;">ABC</span> | ||
+ | ** Same result? Message is untampered! | ||
+ | |||
+ | === Practical GnuPG/PGP === | ||
+ | * Keep your <span style="padding:0 .5em; background:#F09;">Secret Key</span> secret! | ||
+ | * But you can distribute your <span style="padding:0 .5em; background:#E0F;">Public Key</span> widely | ||
+ | ** Upload your <span style="padding:0 .5em; background:#E0F;">Public Key</span> to keyservers | ||
+ | ** Send your <span style="padding:0 .5em; background:#E0F;">Public Key</span> by e-mail | ||
+ | * Use a <span style="padding:0 .5em; background:#E0F;">Public Key</span> to encrypt a message | ||
+ | ** Only that person's <span style="padding:0 .5em; background:#F09;">Secret Key</span> can decrypt it | ||
+ | ** You can only encrypt a message to someone whose <span style="padding:0 .5em; background:#E0F;">Public Key</span> you have | ||
+ | * Use your <span style="padding:0 .5em; background:#F09;">Secret Key</span> to sign a message | ||
+ | ** Anyone can use your <span style="padding:0 .5em; background:#E0F;">Public Key</span> to verify the signature | ||
+ | ** You can sign messages for everyone! | ||
+ | *** But only people who have your <span style="padding:0 .5em; background:#E0F;">Public Key</span> can verify the signature | ||
+ | *** Shows others that encryption is not such a weird thing | ||
+ | * If I download your <span style="padding:0 .5em; background:#E0F;">Public Key</span>, how do I know it's really yours? | ||
+ | ==== Keysigning! ==== | ||
+ | |||
+ | * You tell me what your Key Fingerprint is. | ||
+ | * I verify that's the same Key Fingerprint on your Public Key I download | ||
+ | * If I believe that's your Public Key, I sign it. | ||
+ | |||
+ | |||
+ | * <span style="padding:0 .5em; background:#E0F;">Alice's Public Key</span> ⇒ <span style="padding:0 .5em; background:#F09;">Bob's Secret Key</span> = <span style="padding:0 .5em; background:#DDF;">5!6|>0|></span> | ||
+ | * <span style="padding:0 .5em; background:#E0F;">Alice's Public Key</span> + <span style="padding:0 .5em; background:#DDF;">5!6|>0|></span> = <span style="padding:0 .5em; background:#E0F;">Alice's Public Key</span><span style="padding:0 .5em; background:#DDF;">5!6|>0|></span> | ||
+ | * Alice is popular: <span style="padding:0 .5em; background:#E0F;">Alice's Public Key</span><span style="padding:0 .5em; background:#DDF;">5!6|>0|></span><span style="padding:0 .5em; background:#E0F;"></span><span style="padding:0 .5em; background:#DDF;">5!6(4|201</span><span style="padding:0 .5em; background:#E0F;"></span><span style="padding:0 .5em; background:#DDF;">5!6|\/|41(01|\/|</span> | ||
+ | ** Alice's Public Key is signed by Bob, Carol and Malcolm | ||
+ | |||
+ | |||
+ | ==== Web of Trust ==== | ||
+ | * Carol's Public Key has been signed by others | ||
+ | * <span style="padding:0 .5em; background:#E0F;">Carol's Public Key</span><span style="padding:0 .5em; background:#DDF;">5!641!(3</span><span style="padding:0 .5em; background:#E0F;"></span><span style="padding:0 .5em; background:#DDF;">5!6|\/|41(01|\/|</span> | ||
+ | ** Carol's Public Key is signed by Alice and Malcolm | ||
+ | * <span style="padding:0 .5em; background:#DDF;">5!641!(3</span> ⇒ <span style="padding:0 .5em; background:#E0F;">Alice's Public Key</span> = <span style="padding:0 .5em; background:#E0F;">Carol's Public Key</span> | ||
+ | ** Alice signed Carol's Public Key, ∴ Alice trusts Carol | ||
+ | ** Bob signed Alice's Public Key, ∴ Bob trusts Alice | ||
+ | ** By association, Bob trusts Carol (a little) | ||
+ | ** Bob also signed Malcolm's Public Key, ∴ Bob trusts Malcolm | ||
+ | ** Both Alice and Malcolm signed Carol's Public Key, so Bob trusts Carol (more than a little) | ||
+ | * Alice and Malcolm are Trusted Introducers for Carol | ||
+ | |||
+ | == Demonstration == | ||
+ | === Install Enigmail === | ||
+ | === Use Wizard === | ||
+ | === Generate keypair === | ||
+ | If your '''Key Fingerprint''' is <span style="background:#fff;">04F7 742B 8F54 C40A E115 26C2 </span><span style="background:#ffc">B912 89B0 </span><span style="background:#ff6;">D2CC E5EA</span> | ||
+ | * Then your '''Long KeyID''' is 0x<span style="background:#ffc">B91289B0D2CCE5EA</span> | ||
+ | * And your '''Short KeyID''' is 0x<span style="background:#ff6;">D2CCE5EA</span> | ||
+ | * '''Short KeyID''' is unique to about 1 in 10 billion (2^32) | ||
+ | * '''Long KeyID''' is unique to about in 10^20 (2^64) | ||
+ | * '''Key Fingerprint''' is unique to about 10^48 (2^160) | ||
+ | * Number of atoms in the universe is about 10^80 | ||
+ | |||
+ | === Configure Enigmail === | ||
+ | Generally, use the defaults. | ||
+ | * I chose DSA for my key because of patent restrictions in 1999 | ||
+ | * Use PGP/MIME to hide signature blocks | ||
+ | ** But displaying signature blocks may encourage others to use encryption | ||
+ | ** Some mailing lists may remove PGP/MIME signature attachments | ||
+ | |||
+ | === Retrieve a Public Key === | ||
+ | * E-mail address is convenient, but may return multiple keys | ||
+ | * '''KeyID''' search will return one key. Prefix KeyIDs with "0x" | ||
+ | |||
+ | === Sending a Message === | ||
+ | * OpenPGP → Default Composition Options → Signing/Encryption Options | ||
+ | * OpenPGP → Per-Recipient Options | ||
+ | |||
+ | === Receiving a Message === | ||
+ | |||
+ | How to use PGP to verify an e-mail is authentic | ||
+ | |||
+ | [[File:XKCD-pgp-1181.png|center|thumb|If you want to be extra safe, check that there's a big block of jumbled characters at the bottom.<BR>from http://xkcd.com/1181 ]] | ||
+ | |||
+ | Fortunately, Enigmail checks a little more thoroughly! | ||
+ | |||
+ | === Keysigning with Enigmail === | ||
+ | * OpenPGP → Key Management → Edit → Sign Key | ||
+ | |||
+ | == Resources == | ||
+ | [[File:The Crypto Nut from 1269.png|right|thumb|What do to with encrypted mail and who to do it with http://xkcd.com/1269]] | ||
+ | === Other tools === | ||
+ | * Evolution — Built-in support for GnuPG | ||
+ | * Claws — Plugins PGP/Core, PGP/Inline, PGP/MIME | ||
+ | * KMail — use gnupg2 package | ||
+ | * Mutt — Built-in support | ||
+ | * GMail — Use Chromium and plugin cr-gpg | ||
+ | * Other Webmail (Yahoo!, Hotmail, &c.) — Cut'n'paste with Firefox plugin WebPG (doesn't work for me) | ||
+ | |||
+ | === Support === | ||
+ | * KWCrypto Interest Group: http://sobac.com/kwcrypto | ||
+ | * PGP-Basics mailing list: http://groups.yahoo.com/neo/groups/PGP-Basics/info | ||
+ | |||
+ | * KWLUG: http://kwlug.org | ||
+ | : IRC: irc://irc.freenode.net/kwlug | ||
+ | |||
+ | This presentation is online at http://sobac.com/KWCrypto/kwlug-2013-12-02/ | ||
+ | |||
+ | ==== Bob Jonkman ==== | ||
+ | : E-mail: mailto:bjonkman@sobac.com | ||
+ | : Microblog: [http://sn.jonkman.ca/bobjonkman @bobjonkman@sn.jonkman.ca] or http://sn.jonkman.ca/bobjonkman | ||
+ | : XMPP: xmpp:bjonkman@sobac.com | ||
+ | |||
+ | |||
+ | [[File:CC-BY-NC-88x31.png|left|link=https://creativecommons.org/licenses/by-nc/2.5/]]Thanx to Randall Monroe for releasing [http://xkcd.com/ XCKD] comics under a [http://xkcd.com/license.html CC-BY-NC 2.5] license! | ||
+ | |||
+ | |||
+ | [[File:Public-Domain-88x31.png|left|link=https://creativecommons.org/publicdomain/zero/1.0/]] The [https://www.cryptoparty.in/ Cryptoparty] keypair logo from the [https://www.cryptoparty.in/spread/artwork Cryptoparty Artwork] repository on [https://github.com/cryptoparty/artwork GitHub] is available in the [https://creativecommons.org/publicdomain/zero/1.0/ Public Domain]. | ||
+ | |||
+ | |||
+ | [https://twitter.com/0xabad1dea/status/400676797874208768 The Players] by Melissa Beth Elliott ([https://twitter.com/0xabad1dea @0xABad1dea] on Twitter) is used [https://twitter.com/0xabad1dea/status/407019563038306304 with permission]. | ||
+ | |||
+ | |||
+ | [[File:CC-BY-88x31.png|left|link=https://creativecommons.org/licenses/by/4.0/]]This rest of this presentation is © 2013 by [[User:BobJonkman|Bob Jonkman]] and released under a [https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0] license. | ||
− | |||
− | |||
− | |||
− | |||
[[Category:KWCrypto]] | [[Category:KWCrypto]] |
Latest revision as of 03:53, 1 December 2013
On Monday, 2 December 2013 I'm giving a presentation at KWLUG on Encrypting E-mail with GnuPG, Thunderbird and Enigmail which will be followed by a Formal Keysigning.
I'm using this page to develop my presentation notes. If you have comments, criticisms, or suggestions please put them on the Talk page.
--Bob.
I've started to convert this page to presentation slides BobJonkman 19:52, 19 November 2013 (UTC)
Contents
Intro to Crypto
Why use Encrypted E-mail?
- Security
- Encrypted mail cannot be read by a Man In The Middle (MITM)
- Authenticity (Integrity)
- Signed mail cannot be modified in transit, accidentally by mis-configured servers, or maliciously by MITM
- Non-repudiability
- Signed mail can only come from the sender
Why NOT use Encrypted E-mail?
- Need the other party to use the same encryption
- Locked-in format
- Lose your secret key, lose your mail
- Need to keep revoked keys to read old mail
- If your key is compromised, all your old mail is compromised (no forward secrecy)
- Non-repudiability
- Politicians? CEOs?
- Rubber Hose Cryptanalysis (or $5 Wrench Cryptanalysis)
- It's hard!
- and looks geeky...
Unencrypted, unsigned message
Date: Mon, 25 Nov 2013 18:27:22 -0500 From: Crypto Guy <cryptoguy@sobac.com> To: Crypto Guy <cryptoguy@sobac.com> Subject: Hello! Hello World!
Unencrypted, signed message
Date: Mon, 25 Nov 2013 18:27:22 -0500 From: Crypto Guy <cryptoguy@sobac.com> To: Crypto Guy <cryptoguy@sobac.com> Subject: Hello! -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello World! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJSk9zaAAoJENrSxFs55fZVAAgIAK2BKzV/qUTXCu0gEWJq2U3z mZ6nsfzjs8aXJe8CT/c7kr7HSgSV57kvukIbvcUP5sCGwpIfwK04qA0Af4J9jXp7 Wq1/k0wjA1WzhCWUEEjdBs/05bAbQ78ulTbhFlII2ywLgH6BYxgjceZa9abgF8Di xHkRWEAI6q+scoEhi0rCGlCX3UX/pkiZ1GlaxxxMBu1J5DbFaAJZ1MiPUDOLQN9w 5LzIqi4rKTtnCQo6G3WWRg5HvPMHHmUJoaZfZpnPrszf4ttG0vrFLxJKUqZszDyr V5Lx/IjKAZBwoRRjfpRZILFHWoveaw5MG8487jM76W7LiVTEsX2AFGI3R6uy+KA= =0p58 -----END PGP SIGNATURE-----
Encrypted, signed message
Date: Date: Mon, 25 Nov 2013 18:27:22 -0500 From: Crypto Guy <cryptoguy@sobac.com> To: Crypto Guy <cryptoguy@sobac.com> Subject: Hello! -----BEGIN PGP MESSAGE----- Charset: ISO-8859-1 Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ hQEMA7bHREkg/1GxAQf/dmPoG27m33QGlUEZ0F9rlndQJFgeAyPBpXVEV2uCgaGw rCzeBOkcE7FMmo2MjiozS64QaynPAGuHYoKwRIYS06Aa3ll2FwFO4O2tGiC1jsGQ EUgjIE8h4iqIG4D5uzsv/iQ14QWJm4vaACxLCEtSaIRYcNB6Kxvy0phydltc3cp1 Ri1OlYPV799yiT7bcdT3ntTew5UF853mUrEIPt3NRfEDrC/m8ScTCT9SD2VRzlfA qMviBt20XgApQscLBOWCAHv+1u2eUQ8AM3OsAZ/K4mw+s/jcWNNqLG9DRrrHJzMK YXiZtLuE02eqpXjxrgfKmUloWAu7p9uQHMRwJjIy89LAugFdmW8HY1eZbpu7kUQU 9PvGydWd0QUPjkG7CXEeh63hmmbJgmJdjqOVjDuXhuHI1xU9+psmLPEszAY1TP9f V4WR7SAIIVtE5r2S3YRwgyXWsPF+VgesBiUtQ7mroSGeVJ6GRR/rn0IdnLabrJsb WXiCAtNajDx/x1QGcxFDIQjNsnqvzraSHwcpX6XelRCIz3jyS3SKDdR0T/x5YkmA mkmXDZlLUntyjbJjZF0LmB96PTAi8JT/OG4QCxTsPMIpkLJZOcQ4SnHsaxfVgLqg gOt5bxT9ybGt17xrw/j/mKpcq9cbyXFVJoRr73OVE8Wg2IYBye4TPu/HfXIGUh70 s4dE1Jc+iqdVLqJ2w3qGo4v8B2pg6bPLde7TT/7NrrvEWg0Zxlr+SFr+60xiyPGu 8eJHtQYSXe4OOc2FZev9mb0M2IIr0zpd7q5MvUqE+4b/VUtmadUFcExuUdaayS0P rgLVNx3285jGXzelaFB2/+Gzx/m7MMXsKMBX7Q== =jfdJ -----END PGP MESSAGE-----
Crypto Theory
Symmetric Key Encryption
- Substitution cipher, Caesar cipher
- Key = -1
- Encrypt: IBM ⇒ -1 = HAL
- Decrypt: Khmtw Trdq Fqnto ⇒ +1 = Linux User Group
- Key = 13 (ROT13)
- Encrypt: Linux User Group ⇒ +13 = Yvahk Hfre Tebhc
- Decrypt: Yvahk Hfre Tebhc ⇒ +13 = Linux User Group
- Key = -1
- Need a secure way to share key
Public/Private Key Encryption
The Math
Based on One-way function: Easy to do, hard to reverse
- 59 x 61 = ????
- 59 x 61 = 3599
- 3551 = ?? x ??
- 3551 = 53 x 67
The Theory
Generate a keypair
- Add name, e-mail and comment (doesn't have to be your real name or e-mail)
- Public Key, Private (Secret) Key
- Anything encrypted by one key is decrypted by the other
- Encrypt: Hello World ⇒ Public Key = |-|3110 '//0|21|)
- Decrypt: |-|3110 '//0|21|) ⇒ Secret Key = Hello World
- Encrypt: Linux Is Cool ⇒ Secret Key = 1!/\/|_|>< !5 (001
- Decrypt: 1!/\/|_|>< !5 (001 ⇒ Public Key = Linux Is Cool
In Practice
- GnuPG/PGP uses a symmetric key, not Public/Secret keys to encrypt a message
- Symmetric Key generated by Pseudo Random Number Generator (PRNG)
- Symmetric Key is encrypted with recipient's Public Key
- Bob encrypts a message to Alice
- GnuPG/PGP generates a random Symmetric Key
- Message ⇒ Symmetric Key = |\/|355463
- Symmetric Key ⇒ Alice's Public Key = 5`/|\/||\/|37|2!( |<3`/
- Bob sends |\/|355463 5`/|\/||\/|37|2!( |<3`/ to Alice
- Alice decrypts a message from Bob
- Alice receives |\/|355463 5`/|\/||\/|37|2!( |<3`/ from Bob
- 5`/|\/||\/|37|2!( |<3`/ ⇒ Alice's Secret Key = Symmetric Key
- |\/|355463 ⇒ Symmetric Key = Message
- Bob signs a message
- Message ⇒ Hash = ABC
- ABC ⇒ Bob's Secret Key = 4|>(
- Alice checks Bob's signature
- 4|>( ⇒ Bob's Public Key = ABC
- Message ⇒ Hash = ABC
- Same result? Message is untampered!
Practical GnuPG/PGP
- Keep your Secret Key secret!
- But you can distribute your Public Key widely
- Upload your Public Key to keyservers
- Send your Public Key by e-mail
- Use a Public Key to encrypt a message
- Only that person's Secret Key can decrypt it
- You can only encrypt a message to someone whose Public Key you have
- Use your Secret Key to sign a message
- Anyone can use your Public Key to verify the signature
- You can sign messages for everyone!
- But only people who have your Public Key can verify the signature
- Shows others that encryption is not such a weird thing
- If I download your Public Key, how do I know it's really yours?
Keysigning!
- You tell me what your Key Fingerprint is.
- I verify that's the same Key Fingerprint on your Public Key I download
- If I believe that's your Public Key, I sign it.
- Alice's Public Key ⇒ Bob's Secret Key = 5!6|>0|>
- Alice's Public Key + 5!6|>0|> = Alice's Public Key5!6|>0|>
- Alice is popular: Alice's Public Key5!6|>0|>5!6(4|2015!6|\/|41(01|\/|
- Alice's Public Key is signed by Bob, Carol and Malcolm
Web of Trust
- Carol's Public Key has been signed by others
- Carol's Public Key5!641!(35!6|\/|41(01|\/|
- Carol's Public Key is signed by Alice and Malcolm
- 5!641!(3 ⇒ Alice's Public Key = Carol's Public Key
- Alice signed Carol's Public Key, ∴ Alice trusts Carol
- Bob signed Alice's Public Key, ∴ Bob trusts Alice
- By association, Bob trusts Carol (a little)
- Bob also signed Malcolm's Public Key, ∴ Bob trusts Malcolm
- Both Alice and Malcolm signed Carol's Public Key, so Bob trusts Carol (more than a little)
- Alice and Malcolm are Trusted Introducers for Carol
Demonstration
Install Enigmail
Use Wizard
Generate keypair
If your Key Fingerprint is 04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
- Then your Long KeyID is 0xB91289B0D2CCE5EA
- And your Short KeyID is 0xD2CCE5EA
- Short KeyID is unique to about 1 in 10 billion (2^32)
- Long KeyID is unique to about in 10^20 (2^64)
- Key Fingerprint is unique to about 10^48 (2^160)
- Number of atoms in the universe is about 10^80
Configure Enigmail
Generally, use the defaults.
- I chose DSA for my key because of patent restrictions in 1999
- Use PGP/MIME to hide signature blocks
- But displaying signature blocks may encourage others to use encryption
- Some mailing lists may remove PGP/MIME signature attachments
Retrieve a Public Key
- E-mail address is convenient, but may return multiple keys
- KeyID search will return one key. Prefix KeyIDs with "0x"
Sending a Message
- OpenPGP → Default Composition Options → Signing/Encryption Options
- OpenPGP → Per-Recipient Options
Receiving a Message
How to use PGP to verify an e-mail is authentic
Fortunately, Enigmail checks a little more thoroughly!
Keysigning with Enigmail
- OpenPGP → Key Management → Edit → Sign Key
Resources
Other tools
- Evolution — Built-in support for GnuPG
- Claws — Plugins PGP/Core, PGP/Inline, PGP/MIME
- KMail — use gnupg2 package
- Mutt — Built-in support
- GMail — Use Chromium and plugin cr-gpg
- Other Webmail (Yahoo!, Hotmail, &c.) — Cut'n'paste with Firefox plugin WebPG (doesn't work for me)
Support
- KWCrypto Interest Group: http://sobac.com/kwcrypto
- PGP-Basics mailing list: http://groups.yahoo.com/neo/groups/PGP-Basics/info
- KWLUG: http://kwlug.org
This presentation is online at http://sobac.com/KWCrypto/kwlug-2013-12-02/
Bob Jonkman
- E-mail: mailto:bjonkman@sobac.com
- Microblog: @bobjonkman@sn.jonkman.ca or http://sn.jonkman.ca/bobjonkman
- XMPP: xmpp:bjonkman@sobac.com
Thanx to Randall Monroe for releasing XCKD comics under a CC-BY-NC 2.5 license!
The Cryptoparty keypair logo from the Cryptoparty Artwork repository on GitHub is available in the Public Domain.
The Players by Melissa Beth Elliott (@0xABad1dea on Twitter) is used with permission.
This rest of this presentation is © 2013 by Bob Jonkman and released under a CC-BY 4.0 license.