1 / 21

Cryptography Tool

Cryptography Tool. PGP. Introduction. Why PGP? History of PGP First version released by Philip Zimmermann in 1991 Politics issue (Senate Bill 266) Anti-crime bill: enable government to read encrypted messages. Philip under criminal investigation Violation of export restrictions.

Download Presentation

Cryptography Tool

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cryptography Tool PGP By Xiaoheng Wu

  2. Introduction • Why PGP? • History of PGP • First version released by Philip Zimmermann in 1991 • Politics issue (Senate Bill 266) • Anti-crime bill: enable government to read encrypted messages. • Philip under criminal investigation • Violation of export restrictions

  3. Introduction Cont. • Patent issue with PGP • Old version with RSA and IDEA(expires 2007) • Another patent free, but incompatible version uses: Triple-DES, with DSS/Diffie-Hellman. • A typical commercial PGP, such as ViaCrypt PGP offers many features • Encrypt, sign, encrypt and sign, verify signature, key management, and so on.

  4. How PGP works • Compress data • Create a session key randomly • Encrypt message using a block cipher algorithm • Use public key cryptography encrypt the session key • Transmit the ciphertext and encrypted session key.

  5. PGP Encryption source: An Introduction to Cryptography

  6. How PGP Works Cont. • Decryption works in the reverse order. • If a PGP server receives a message, it decrypts the encrypted session key using your private key. • Use this decrypted session key to decrypt the ciphertext. • Then it decompresses the deciphered text to produce the original plaintext.

  7. PGP Decryption source: An Introduction to Cryptography

  8. PGP Keys • The larger the key, the more secure the encryption • You decide the size of the key • Public keyring and private keyring • Keyrings are files with a specific data structure • Passphrase used to generate your private key • Question: How to choose a passphrase? • Answer: easy to remember, difficult to guess. (no famous quotes)

  9. Message Digest • Fingerprint of your message or file • MD5 in PGP • 128-bit MD5 has serious weakness • In 1996, Hans Dobbertin, a German cryptographer, partially broke MD5 • SHA-1 in PGP • 160-bit SHA-1 developed by NSA • Extremely well designed • For compatibility reason, MD5 still used for RSA signatures

  10. Certificates • Make sure the public key belongs to the person associated with that signature • PGP certificates consist of • Public key • User id or name • Email address or ICQ. • One or more signatures • validity period • Preferred algorithm(CAST, AES, IDEA, Triple-DES, and Twofish ) • Pitfall: Not attest the authenticity as a whole, only vouches the public key is bound to the appeared identity on the certificate.

  11. Certificate Revocation • Validity period • If a certificate expired, it becomes invalid • Why a certificate need to be revoked? • Private key is comprised • Does not mean anything bad about the public key owner, only saying the users can no longer authenticate you by your public key. • Communicating that a certificate has been revoked • Post your revoked certificate on a server • In PKI environment, Certificate Revocation List

  12. Protect Public key • Problem • If Trudy substituted his public key for Alice’s public key, she would be able to decrypt the messages that sent to Alice and encrypt it using Alice’s public key and send it to Alice again. No one suspects anything wrong. • Forge the signature using her private key.

  13. Protect Public Key Cont. • Solution • Get Alice’s key in person • Have your friend David signs Alice’s public key if he knows Alice’s public key and can be trusted. • Any certificates from Certificate Authority can be trusted • Store your own public keyring on your PC

  14. Check trust level, computer the result. Example: two marginally trusted signatures is as credible as one fully trusted signature PGP trust level: complete trust, marginal trust, no trust PGP let you decide who you can trust standard public key management schemes Internet Privacy Enhance Mail (PEM) Requires mandatory trust Relay on CA tells you who you can trust Validating Keys

  15. Vulnerabilities • Passphrase attack • Easy to remember, difficult to guess • Public key tampering • Make sure the public key is directly from that person or signed by a trusted third party. • Access control of your own public and private keyrings • Make a copy of both keyrings

  16. Vulnerabilities Cont. • Not quite deleted files • Marked that deleted location for reusability • Overwrite that marked location on the disk • PGP’s Secure Wipe and Freespace features to clear any fragments left by your word processor • Viruses or Trojan horses • Attacks on passphrass, private key, and deciphered text. PGP offers no solution. Helpfully, you can be notified as soon as possible. • Imitation of PGP has malfunctions: not check signature. • Solution: directly download PGP from PGP Corporation

  17. Vulnerabilities Cont. • Virtual memory or swap files • Fairly low risk because PGP does not keep sensitive data long in memory • Write sensitive data to the disk using LRU memory replacement algorithm. (data: passphrase, private key, or deciphered text ) • Solution: overwrite your swap files or simply turn off your virtual memory feature. • Physical security breach • Burglary, trash-picking, bribery, or blackmail

  18. Vulnerabilities Cont. • Tempest attacks • detect the electromagnetic signals emitted from video screen • “Secure Viewer” feature (PGP 6.0 or later) • using a special font that may reduce the levels of radio frequency emissions • LCD has no such emissions • Bogus timestamp • Create a signature certificate of a signature certificate with a trustworthy timestamp. • Multi-user system • PGP is designed for a single user system • Be aware of the risk on a multi-user system

  19. Vulnerabilities Cont. • Traffic analysis • Observing the size of the message, source and destination, the time it is sent. • PGP alone has no solution for this problem • Requires a special communication protocol that can reduce the traffic information • Cryptanalysis • PGP uses the best block cipher algorithms in the world • No successfully attacks on public key cryptography since 1978

  20. References • www.pgp.com • http://web.mit.edu/network/pgp.html • http://www.mit.edu/~prz/EN/background/index.html

  21. The End PGP gives you Pretty Good Privacy

More Related