The Care and Training of a PGP

The Care and Training of a PGP

It's a whole the same as ever world of needing to keep your personal
information, be it sensitive or nonsensitive, secure from prying eyes.
Recent events have only brought that to light.

In this workshop, we'll not only go over how to do such things as
exchange public keys, decrypt messages, and send encrypted emails; but
also what each of those steps mean, why they are important, and what is
really happening.

You'll need at least one form of photo ID, your own computer, and a
smile.

A438eb5b27da0f50dc120f9bfbdd9c16?s=128

Caleb Hearth

January 06, 2015
Tweet

Transcript

  1. The Care and Training of a PGP or: PGP and

    You
  2. ` thoughtbot Keep Ruby Weird Pretty Good Weekly (calebthompson.io/pretty-good)

  3. What is PGP

  4. StreetPass for nerds

  5. • Pretty Good Privacy (OpenPGP) is a standard that enables

    encrypted communication between individuals.
  6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ! You may have

    received an email with a "NONAME" or "signature.asc" attachment and wondered what it was, or you might have seen an "armored" email wrapped in something like this. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 ! iQEcBAEBCAAGBQJUqFYaAAoJEBYhrcKgrOcK1PwIAKmBHbUwz8jC0vMWwMi5dOQc ZSYCAy0D5r6xRinItelIx0cHFkys3kVIYpEyXRlfHz6EwRJsJcIohcqAMK+xmxtD ZwWjv0QkY0upDBZOnG0Zm4D13hTFLP19RSi5nYMH0ozNVsOCwiizIOYeAvcnzUaC mXLK9eY5lsFUmDVtc7sU9N1pAHoR/yXrGYVLm8Q4W3NMIjrWMfg4SuMKDcg7wapR wYNI97EYeYVG7n3DTvATtWgWpLnLpsHYcAe4dA7qLvOiz4x4eyz02Z7jNjXXyF0c kQAA1BHcYeCjn01QeRkNkM+8t/GmydTJ5Ui81kEHrtFWkaqqI7LK6jBMhMz/yt4= =bJzJ -----END PGP SIGNATURE-----
  7. None
  8. Okay, Thanks for Coming.

  9. • This is a PGP-signed message, and it is cryptographically

    verifiable as having been signed by a specific key and representing a specific message.
  10. • PGP also allows you to encrypt messages, so that

    only intended recipients who control their secret keys can read them.
  11. • Messages might be actual messages, but they can also

    be things like hashes of software packages, which means you can be sure that a package came from a specific key.
  12. • Debian, RVM, Apache, Kernel.org, Aptitude, and others use this

    to help increase security pretty much for free (from the end-user perspective).
  13. • how to generate keys

  14. • how to send and receive encrypted messages

  15. • how to sign other people’s keys

  16. • how to trust other people’s keys

  17. • but not only how

  18. • what all of that means

  19. • why we would ever want to do it

  20. Let’s install the thing

  21. • OpenPGP is a standard (RFC 4880)

  22. • pgp is a implementation owned by Symantec

  23. • GnuPG, or GNU Privacy Guard (or GPG), is a

    FOSS implementation of OpenPGP
  24. • gpg, gpg2, gpg21

  25. • classic, stable, modern

  26. brew install gnupg2

  27. None
  28. brew uninstall gnupg2 gpg-agent dirmngr

  29. brew tap homebrew/versions brew update brew install gnupg21

  30. cp ~/.gnupg ~/.gnupg.stable

  31. Generating a key

  32. • To get anywhere with PGP, you'll need to have

    a keypair.
  33. A keypair is composed of two parts

  34. • A public key, which you'll publish, allows others to

    encrypt messages to you and verify messages from you.
  35. • A private key, which you'll keep secret and safe,

    allows you to decrypt the messages encrypted to your public key and to sign messages so that others can verify they are from you.
  36. • Algorithms which separate keys into public/private pairs are more

    secure for several reasons, including that the private key should never be on the Internet.
  37. $ gpg --full-gen-key

  38. Please select what kind of key you want: (1) RSA

    and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1
  39. RSA keys may be between 1024 and 4096 bits long.

    What keysize do you want? (2048) 4096 Requested keysize is 4096 bits
  40. Please specify how long the key should be valid. 0

    = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Tue Dec 22 17:53:00 2015 CST Is this correct? (y/N) y =
  41. • This step allows you to limit the length of

    time your keys will be valid for. • It's possible to refresh the key before it expires so you're not losing a key if it runs out of time and you still have access to it. • If you lose your secret key, it will automatically invalidate when it expires. • I didn't want to bother with refreshing my key regularly, so mine never expires. Several others at thoughtbot have an expiration for 1 year after the key was generated. • It’s best to have one, just remember to refresh your key at whatever interval you define.
  42. GnuPG needs to construct a user ID to identify your

    key. ! Real name: Caleb Thompson Email address: caleb@example.com Comment: You selected this USER-ID: "Caleb Thompson <caleb@example.com>" ! Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
  43. • Enter a passphrase. • It’s like a password, but

    longer and more secure • It’s the weakest part of this whole system, so make it as strong as you can • Make sure nobody’s watching you set it
  44. gpg: key D658D2CC marked as ultimately trusted public and secret

    key created and signed. ! pub rsa4096/D658D2CC 2014-12-22 [expires: 2015-12-22] Key fingerprint = 7CCF 75EC 8930 D351 3A35 D4AF 78DA E141 D658 D2CC uid [ultimate] Caleb Thompson <caleb@example.com> sub rsa4096/11597F23 2014-12-22 [expires: 2015-12-22]
  45. $ gpg --send-keys D658D2CC # <- your new key id

  46. But I have more than one email address

  47. $ gpg --edit-key caleb@example.com

  48. Secret key is available. ! pub rsa4096/D658D2CC created: 2014-12-22 expires:

    2015-12-22 usage: SC trust: ultimate validity: ultimate sub rsa4096/11597F23 created: 2014-12-22 expires: 2015-12-22 usage: E [ultimate] (1). Caleb Thompson <caleb@example.com>
  49. gpg> adduid Real name: Caleb Thompson Email address: cthompson@example.com Comment:

    You selected this USER-ID: "Caleb Thompson <cthompson@example.com>" ! Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
  50. pub rsa4096/D658D2CC created: 2014-12-22 expires: 2015-12-22 usage: SC trust: ultimate

    validity: ultimate sub rsa4096/11597F23 created: 2014-12-22 expires: 2015-12-22 usage: E [ultimate] (1) Caleb Thompson <caleb@example.com> [ unknown] (2). Caleb Thompson <cthompson@example.com> ! gpg> save
  51. $ gpg --list-keys […] pub rsa4096/D658D2CC 2014-12-22 [expires: 2015-12-22] uid

    [ultimate] Caleb Thompson <cthompson@example.com> uid [ultimate] Caleb Thompson <caleb@example.com> sub rsa4096/11597F23 2014-12-22 [expires: 2015-12-22]
  52. $ gpg --send-keys YOURKEYID

  53. Signing and Encrypting Messages

  54. • Signing a message is a verifiable way of proving

    that you wrote it
  55. • Signing does not prevent anyone from reading a message

  56. • Many ways to sign, we’ll look at two common

    ones
  57. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ! Clearsigning -----BEGIN PGP

    SIGNATURE----- Version: GnuPG v2 ! iQEcBAEBCAAGBQJUqDw2AAoJEBYhrcKgrOcKrfMH/joZohSt43Ro30wEphI19UOD IIuFHs+AAdfWSYgTJXZ8yNDrTjiOCe7pLRGguu0ALCq7PXoS+H4kAvohXGLzobyu 3oIyN1KyMT5a9Tj8r8Q6xHf8V6anaafhiZ8MIOD/aZpGOvJRMM5lCF+tiVS6hJz5 mRaKCWQu6+sdbz+Ndo8H0cpfIsVgH+ZkKoHYmRLlALATYwTK6Gh42AcvZ2OYErs2 GQbu16FK4kT8TWxvsAFQSa/8t8MgFNYQgh4JRxSqCFv5UDZiIqldWQWEz7pobYzA ornulaninwi2ZuVqjD+9sQqqoNSbytvzkd2fbcZs+v0w0WWnezUoHjyfN6jnMp0= =keqq -----END PGP SIGNATURE-----
  58. $ gpg --clearsign - [your message here] ^D [ascii-armored message

    and signature output]
  59. Detached binary signature

  60. $ cat "Hi how are you" > innocent-msg $ gpg

    --detach-sign --output innocent-msg.sig innocent-msg
  61. • Verifying signatures

  62. $ # For a clearsigned message (or other signatures that

    include the message): $ gpg --decrypt msg.sig
  63. Hi gpg: Signature made Sat Jan 3 13:12:21 2015 CST

    using RSA key ID A0ACE70A gpg: Good signature from "Caleb Thompson <caleb@calebthompson.io>" [full] gpg: aka "Caleb Thompson <cjaysson@gmail.com>" [full] gpg: aka "Caleb Thompson <caleb@thoughtbot.com>" [full]
  64. $ # For a detached signature: $ gpg --verify innocent-msg.sig

    innocent-msg
  65. gpg: Signature made Sat Jan 3 13:12:21 2015 CST using

    RSA key ID A0ACE70A gpg: Good signature from "Caleb Thompson <caleb@calebthompson.io>" [full] gpg: aka "Caleb Thompson <cjaysson@gmail.com>" [full] gpg: aka "Caleb Thompson <caleb@thoughtbot.com>" [full]
  66. Signing a key: what and how?

  67. • Signing a key uses the same (or similar) mechanics

    internally as signing a message
  68. • Has different semantic meaning:

  69. • Assert that you’ve verified identity (driver’s licence, passport, etc.)

  70. • Assert that you’ve verified that you have the right

    key
  71. • Assert that you’ve verified ownership (can use private key)

  72. • Assert that you’ve verified ownership (can use private key)

    • (It’s less common to actually do this step)
  73. • Announces to the world that if they trust you

    to verify these things, they can trust that the keys of people you have signed are more likely to represent the people they want to communicate with.
  74. • Fundamental to the Web of Trust

  75. None
  76. $ gpg --sign-key --ask-cert-level Terence

  77. pub rsa2048/5BE915C7 created: 2013-11-27 expires: 2016-11-26 usage: SC trust: marginal

    validity: full sub rsa2048/1B1DAFC7 created: 2013-11-27 expires: 2016-11-26 usage: E [ full ] (1). Terence Lee <hone02@gmail.com> ! ! pub rsa2048/5BE915C7 created: 2013-11-27 expires: 2016-11-26 usage: SC trust: marginal validity: full Primary key fingerprint: 43C9 BCC5 3DE7 C6D8 DD79 D42E FB54 F2C6 5BE9 15C7 ! Terence Lee <hone02@gmail.com> ! This key is due to expire on 2016-11-26.
  78. How carefully have you verified the key you are about

    to sign actually belongs to the person named above? If you don't know what to answer, enter "0". ! (0) I will not answer. (default) (1) I have not checked at all. (2) I have done casual checking. (3) I have done very careful checking. ! Your selection? (enter '?' for more information):
  79. (1) I have not checked at all.

  80. (2) I have done casual checking.

  81. (3) I have done very careful checking.

  82. Are you sure that you want to sign this key

    with your key "Caleb Thompson <cthompson@example.com>" (D658D2CC) ! I have checked this key casually. ! Really sign? (y/N) y
  83. • Somehow get the key to Terence

  84. Be Pragmatic $ gpg --send-keys 5BE915C7

  85. Be really safe • Sign each UID separately • Export

    UIDs to separate files • Encrypt each UID and email to the associated email address • Include instructions for importing encrypted keys and pushing to a keyserver
  86. Get my key $ gpg --recv-keys A0ACE70A

  87. Sign my key $ gpg --fingerprint caleb@calebthompson.io pub rsa2048/A0ACE70A 2013-08-12

    Key fingerprint = B432 C068 2FD1 C2D0 6A8B 3951 1621 ADC2 A0AC E70A uid [ full ] Caleb Thompson <caleb@calebthompson.io> uid [ full ] Caleb Thompson <cjaysson@gmail.com> uid [ full ] Caleb Thompson <caleb@thoughtbot.com> sub rsa2048/545CA4DF 2013-08-12
  88. Trusting a key: Should I do it?

  89. • First of all, trust is private and local

  90. • Unlike keysigning, it is never broadcast • So you

    can be honest about it.
  91. • Having trusted keys makes the Web of Trust more

    useful to you
  92. • Marking a key as trusted means that keys that

    key has signed are implicitly trusted at a higher level
  93. • Not “would this person take a bullet for me”

  94. • How much do you trust them to verify identities

    (as we did in the key signing section)
  95. $ gpg --edit-key caleb@example.com

  96. gpg> trust pub rsa4096/D658D2CC created: 2014-12-22 expires: 2015-12-22 usage: SC

    trust: ultimate validity: ultimate sub rsa4096/11597F23 created: 2014-12-22 expires: 2015-12-22 usage: E [ultimate] (1). Caleb Thompson <cthompson@example.com> [ultimate] (2) Caleb Thompson <caleb@example.com> ! Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) ! 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu ! Your decision? 4
  97. 1 = I don't know or won't say 2 =

    I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu
  98. gpg> save Key not changed so no update needed.

  99. Sending encrypted mail

  100. Signing Git commits & tags

  101. Signing software releases

  102. PGP and You http://robots.thoughtbot.com/pgp-and-you

  103. Keysigning Party !!1!

  104. • You should have a key now • You know

    how to verify and sign a key
  105. • Come up to the podium with your laptop •

    Share your name and key id • Wait for us to get your key • Confirm your fingerprint • Show us your ID
  106. $ gpg --recv-keys [the key id]

  107. Bibliography • Color scheme: http://www.colourlovers.com/palette/482774/ dream_magnet • Speaker image credit:

    Terence Lee (@hone02) • https://www.gnupg.org/gph/en/manual/x135.html • http://www.chaosreigns.com/code/sig2dot/ • https://gnupg.org/faq/whats-new-in-2.1.html • http://jetsetnick.wordpress.com/2011/03/26/london-3ds- streetpass-event-27th-march-2011/