
DOCUMENT INFORMATION

Basic information

Title: Introduction to PGP – SANS GIAC LevelOne
Author: Stephen Northcutt
Field: Cybersecurity
Type: Introductory course
Year published: 2000/2001
Pages: 37
Size: 763.07 KB

Contents

Page 1

Introduction to PGP – SANS GIAC LevelOne - © 2000, 2001

PGP - Step by Step

Hello, my name is Stephen Northcutt, and in our next hour together we will be discussing the application of cryptography, as opposed to the theory of cryptography.

I can’t stress the objective of this course strongly enough: I hope you will consider getting Pretty Good Privacy (PGP) and trading keys with the people you may need to communicate with in a secure manner. PGP is easy, widespread, and free to low cost. There is no excuse for not having this tool in your toolbox.

Let me illustrate with a story. SANS’ web server is on a BSDI box. For now, GCC is really a challenge on BSDI. That is OK, since it is the fastest OS in the galaxy and you don’t *really* want too many applications compiled on a production web server. But Gnu PGP likes to compile with GCC. We always wanted PGP, but what to do?

Page 2

What You Will Get From This Course

– Secure your email

– Digitally sign your email

– Secure a file at rest on the disk

– Obtain and use a certificate

So, SANS gets a call at the end of March from the FBI’s National Infrastructure Protection Center (NIPC) asking for help to get the word out to intervene on the 911 (or Chode) virus, since at that moment none of the anti-virus companies had code to stop it. We had to send the advisory out on April 1st. For my international friends, April 1st is called April Fool’s Day and is a traditional day for jokes. Worse, to get the report to as many people as possible, we said “send this to as many people as possible” - a hallmark of virus hoax letters. If we had PGP, we could have easily signed the message. We have a backup trick for now! As it was, I spent the next three days answering, “why didn’t you sign your advisory messages?”

In a sense, we can consider PGP a form of Public Key Infrastructure (PKI). Once this structure is in place, it is fairly easy to maintain and manage from an administrator’s point of view. Depending on how much security you wish to impart to your users, you could even automate the tasks. Automation will be covered in this course, as well as applicable security models for using automation.

If you choose, you can build an E-Commerce site or a secured Extranet with the infrastructure you are learning to build in this course. Of course, you will have to scale the systems up quite a bit in order to accommodate the large number of users you hopefully will attract to your site.

Page 3

You Will Learn in This Segment:

• How to install PGP on an email system

• How to use PGP to encrypt data

• How to sign data and what that means

This segment will step you through how to install PGP onto your email client. The purpose of starting with this step is to familiarize you with the basic structure of PKI, and help you understand how PKI works with other systems.

PGP is a good starting place, as it is very simple to install on your system and will give you a very good look into PKI and how it works. There are many steps that you can perform manually (like exporting and importing information) which will give you a great feel for what larger PKI systems are doing.

Please note that PGP is freeware, and that you would not want to use it for your business. You can use it for personal use, but should not try to use it to generate money for your company without purchasing licenses for PGP from Network Associates, Inc. (NAI). If you choose to use PGP for your business, the purchased copy works very much the same way, but has many added features. I found it rather challenging to buy PGP, though: I went to the NAI web site and clicked Buy and Shopping Cart, and it said “A salesperson will call” instead of letting me give them a credit card number and download the software. Now, once a week, NAI calls and tries to sell me anti-virus software - go figure. Not to worry, NAI may not be in business much longer the way they are going, but PGP always finds a way to survive. To be legal, I just went to Best Buy and bought a few boxes of McAfee Office 2000 and then downloaded the latest freeware version to use.

Page 4

Purpose of PKI

• Two main uses

– Secure data (hide data)

PGP encrypts email and can be used to encrypt files on your hard drive. The version of PGP you are going to be downloading also has a Virtual Private Network (VPN) client (PGPNet) included.

Strictly speaking, calling PGP a PKI component could lead to criticism from purists, and we will see why as we examine certificates. However, the commercial version of PGP supports both X.509 PKI and VPN IPSec functionalities. Since one of the big hurdles is to get people comfortable with and using encryption, I think this is fully reasonable.

Technically, VPN is both authentication and securing data. You have to authenticate with your VPN server (as the client), and once you have established your identity with the server, your VPN system then encrypts the data, hiding it from view. The main purpose of VPN, however, is to enable you to use a public network for private network traffic. The enhanced PGPNet is a VPN! Freeware PGP gives you authentication and data security for email - you can use a public mail network to send private mail.

Page 5

Secure Email - a Simple Example

• PGP – A pioneer, still going strong.

– PGP started out in 1991 as a way to bring privacy to a very new, very public communication medium: email.

– PGP at version 2.6.2 became a de-facto standard for email encryption.

– PGP became part of Network Associates, and moved to version 6.0.X.

– PGP is now at version 6.5.8 with new features.

Phillip Zimmermann was the person that brought PGP to the world. He wanted to make PGP a free software tool to keep email private, releasing the software in 1991. The United States government viewed this as a violation of the export restrictions for cryptographic software, and made his life pretty tough until the case was dropped in 1996. Though there is now a commercial version of PGP, Phil Zimmermann continues to make it possible to acquire free versions.

Because it was free and very hard (at the time) to break, it became very effective in hiding data from anyone. There have been many versions of PGP and, as a result, many restrictions placed on it. The Massachusetts Institute of Technology (MIT) distributes the new PGP and PGPNet version 6.5.8. Network Associates owns the commercial version of PGP and, in concert with MIT, distributes the free version as well.

Page 6

How to Install and Use PGP

• What you will need

– An email system to exchange email

– To get PGP and get more information

PGP 6.5.x will work with Outlook 97, 98 or 2000 and Outlook Express 4.x/5.x. Also, PGP 6.5.x will support Qualcomm Eudora, Lotus Notes, Novell GroupWise, and the Claris emailer for Macintosh if you are not using any of the Microsoft products. On the UNIX side, support is available for exmh and Mailcrypt, among others.

You can run Windows 2000 to use PGP 6.5.x or PGP 6.5.xi. Windows 2000 is a VPN beast, by the way, and may well become a major player in the secured communications realm. You can now run the PGP 6.5.x products on Windows 95 and Windows 95a. This used to be a big limitation. The newest version of PGP also supports the Intel III processor math enhancements as well.

I will be covering the United States version of PGP in this presentation, but you can download the International version of PGP and still follow along if you are unable to obtain the domestic US and Canada version. Keep in mind the key sizes will be different on the International version.

Page 7

Installing PGP on Your System

• System requirements for PGP 6.5.x.

– You will need.

• A machine running Windows 95, 98 or ME, or a Windows NT system with at least Service Pack

The free version of PGP does not support certificates. The certificate limitation is really unfortunate, since it means that mailers using PGP can’t inter-operate with those using Secure MIME (S/MIME) to protect electronic mail. The most popular certificate formats are PGP and X.509. Although they contain essentially the same information, that information is formatted differently. This is a strong motivator to convince users to move to the commercial version of PGP.

The certificate is how a user of public key cryptography publishes their public key. A certificate identifier is used to “point” to the individual that holds the corresponding secret key.

With PGP the identifier is a name and email pair. For instance:

John Green <jegreen@crosslink.net>

With X.509 the identifier is called the distinguished name. You may have received email in a similar format:

O=SANS Institute,OU=GIAC,CN=John Green

In this example, O stands for Organization, OU for Organizational Unit and CN for Common Name.
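The two identifier formats above can be pulled apart mechanically. The following parser is an added example, not code from the course or from PGP: it reads a PGP name/email user ID and an X.509 distinguished name, then checks whether both label the same holder by comparing the PGP name with the DN's CN. The handling of backslash-escaped commas is an assumption taken from the RFC 2253 string form, not from the slides.

```python
"""Parse a PGP user ID ('Name <email>') and an X.509 distinguished name
('O=...,OU=...,CN=...') and compare the holder they point to.
Added example; not the course's or PGP's own code."""
from __future__ import annotations
import re

# Name, optional whitespace, then the email address inside angle brackets.
PGP_UID = re.compile(r"^\s*(?P<name>[^<>]*?)\s*<(?P<email>[^<>@\s]+@[^<>@\s]+)>\s*$")


def parse_pgp_uid(uid: str) -> dict[str, str]:
    """'John Green <jegreen@crosslink.net>' -> {'name': ..., 'email': ...}."""
    m = PGP_UID.match(uid)
    if not m:
        raise ValueError(f"not a PGP user ID: {uid!r}")
    return {"name": m.group("name"), "email": m.group("email")}


def parse_x509_dn(dn: str) -> list[tuple[str, str]]:
    """'O=SANS Institute,OU=GIAC,CN=John Green' -> [('O', ...), ('OU', ...), ('CN', ...)].

    Components are comma-separated. A comma preceded by a backslash is part of
    the value (RFC 2253 escaping, assumed here), so 'O=SANS\\, Inc.' stays whole."""
    components: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends a component
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))

    pairs: list[tuple[str, str]] = []
    for comp in components:
        if "=" not in comp:
            raise ValueError(f"malformed DN component: {comp!r}")
        attr_type, value = comp.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def same_holder(uid: str, dn: str) -> bool:
    """Do both identifiers label the same person? The PGP name corresponds to
    the DN's CN; the email address has no counterpart in this DN form."""
    cn = dict(parse_x509_dn(dn)).get("CN")
    return parse_pgp_uid(uid)["name"] == cn
```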

Page 8

Establish a Key (Generate a Public / Private Key Pair)

• In PGP, you will get a screen like this wizard to generate a key pair:

The first part of the wizard establishes the information (or label) that will be associated with your key. You will want to give your correct name, if you are not making a test key, so that your key will be easy to identify. You will also want to use your correct email address, as it will be bound to your key. When you change email addresses, you will have to get a new key, as the trust level of your key will look suspicious coming from a different email address than the one that is bound to your key.

You can always get a permanent email address, which entails obtaining a domain, then either an email forwarding service or your own equipment. This way you would never have to change your key again.

Remember though, you had better not forget your password or passphrase or lose that key - anything that you have encrypted (files or email) and have not decrypted will be forever lost if you either lose the key or forget the password.

Page 9

Generating Your Key

• You will be prompted to choose a key type and size:

You have two choices of key types, Diffie-Hellman/DSS or RSA. Diffie-Hellman/DSS is an older public key cryptography method with the “DSS” added later. DSS stands for Digital Signature Standard, and was added to Diffie-Hellman to prevent man-in-the-middle attacks.

Briefly, what this means is that someone can intercept your public key, generate their own public key, and impersonate you. A message is passed; you intercept it, decrypt it, read and alter (if necessary) the message, and re-encrypt it with your imposter key. The person that the message was originally intended for gets the message with the assumption that the person they sent it to was the originator of the message they just got. The Digital Signature was added to include Station to Station (STS) information in the Diffie-Hellman standard, preventing man-in-the-middle attacks.

RSA is already a Digital Signature-based public key system. There are no advantages between using one over the other; they are essentially equal in power.

Now, we have a very important issue about key length or key size. The key length that you choose is really based on how long you want to keep your information secret and how long the data needs to be hidden.

Page 10

Generating Your Key

• Next, how long the key is good for and a pass phrase to protect the key.

• Notice you will have an indicator telling you how strong your pass phrase is:

512-bit key lengths are considered only marginally safe, and you do not have the option to choose that key length in modern PGP. Your lowest strength is 1024. Recently, it was thought that a 1024-bit key could be safe for a decade in either a Diffie-Hellman/DSS or RSA scheme. But, with Internet worms and clustering of high performance computers to crack these codes, 10 years of safety is not realistic. The current default is 2048-bit, and this is what I use.

To break an RSA system, integer factorization is used, while discrete logarithms using prime numbers in the factor is the attack used on the Diffie-Hellman/DSS system.

Elliptic curve cryptography is slowly being brought in as the key sizes for Diffie-Hellman/DSS and RSA keep getting bigger and bigger. Elliptic curve cryptography can use a smaller key and protect as well as a larger key in the previous systems. Until Elliptic curve cryptography can be trusted to be safe (unlikely, since a 109-bit key has been cracked), the RSA and Diffie-Hellman/DSS systems will remain popular.

Next, you need to set an expiration date and passphrase for your key. For the purposes of this test, DO NOT set an expiration date on your key. The passphrase needs to be just that: a phrase. Use a sentence that you can remember. Use spaces and punctuation as appropriate. Use some non-alphanumeric data in addition to proper punctuation. This is what protects your key over time!

Page 11

Generating Your Key

• You will then be told that the software is generating a prime number to build the key. Next, you are prompted to send your key to a key server. We will cover this more later, but for now leave that option unchecked.

The larger your passphrase, the harder it is to guess and break when attacks against your public key are undertaken. It is also much easier to remember a passphrase than a password, and it is much more secure (as brute force attacks now have to take into account punctuation and spaces between words). All the suggestions you have heard over the years about password strength should be considered, but a sentence or phrase is a good idea. Keep in mind that if you start using PGP either to encrypt or to sign, you will be very sad if someone gets control of your private key! The most likely way this will happen is if someone gets access to your system and can start a brute force attack. At first glance, that doesn’t seem so risky; but if they start typing in the phrases they read off your desk blotter or day timer, it might only take them four or five tries! I do write down my secret passphrases, but I keep them in a safety deposit box.

Summary: long key lengths and a very hard-to-guess passphrase are critical disciplines for using PGP!

Page 12

Generating Your Key

• You have now generated your public / private key pair, and you are now ready to open your mail client to start encrypting your email.

• Here is an example of your key, and the other ‘keys’ in your key ring:

You will notice many pgp.com and nai.com addresses. PGP has been bought by Network Associates (NAI), and these keys are public keys that you can use to contact these individuals for technical and customer support. (Of course, they do not provide technical support for the freeware product.)

Every key you generate, and every public key you keep, will be displayed in this list. Think of it as a key ring where your house keys and car keys reside.

This PGPKeys program/GUI is where you can adjust the trust you have for the certificates or keys you have on your public key ring. This means you decide if you trust the source of the key, and the private key owner as the true owner of that key.

Page 13

Encryption of Email Content

• Now that you have PGP installed, what do you do with it?

– Start by encrypting an email message.

• First, open your email client. In this example I will use Outlook 98.

PGP was first developed to encrypt email content to keep it private. This would be a great first step - to send a friend (or yourself) an encrypted email so that you can see what it looks like to the outside world.

In this demonstration, I will be sending the email to myself, which means I will be encrypting the message with my public key, and decrypting it with my private key (both of which are on the same system that I am using to send the email from).

If you do not have an email client that uses PGP as a plugin, this is not a big problem. On the bottom right hand side of your screen, after installing PGP, you should see a lock in your system tray. Click on the lock and you will notice that one of the options is Clipboard. You can always take a plaintext message, copy it to the Clipboard, and then encrypt it. This is not quite as nice as a plugin, but hey, it beats giving away your organization’s secrets!

Page 14

Encryption of Email Content

• You can see in Outlook that you now have an additional set of icons in your tool bar, and selections under “PGP”.

You can now see on your Outlook client the new item in your menu bar called PGP, and three new icons on your icon tool bar. These icons are used by clicking on the icon. Once you click on the icon, it stays depressed (appears depressed). When you send the message by clicking on the send button, your email will be processed depending on the icon(s) you selected.

The first icon is for encryption of a message, the second is for signing the message or adding your signature to protect the message (more on that later). The last icon is to launch the PGPKeys GUI to access your public key ring.

You will only see all three icons when you click on “Compose a message” or “New message”. If you are looking at your Inbox, you will only see the icon for Launch PGPKeys.

Page 15

Encryption of Email Content

• To encrypt or sign email, it is as easy as clicking one or both of the icons before you send the email:

You can see here that you have icons for encrypting the email and signing the email with your private key.

Also note that if you upgrade your Outlook and/or MS Office to Office 2000, your PGP system will still work fine; you will not have to re-install it.

Page 16

Encryption of Email Content

• To encrypt the email, click just the encrypt icon. It will appear depressed on your tool bar.

• When you are finished with the email that you want to send, push the Send button on your Outlook. The email will be encrypted and sent.

When you push the “send” button, a dialog box will flash onscreen, stating that your email is being encrypted. It will stay onscreen longer if your processor is slower. If you send this email to yourself, it will quickly appear in your mailbox with the encrypted text and version numbers showing in the email.

Page 17

Encryption of Email Content

• Here is an example of what an encrypted email looks like. Notice the lock icon:

Notice the large block of encryption and version numbers. This will help you see what version of PGP was used to send you the message. A recipient with an older version of PGP may have difficulty decrypting a message from a sender who used a newer version of PGP to encrypt it.

You want to keep the newest version of PGP on your system for this reason, or at least try to stay pretty current.
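Because the armored block is plain text in the mail body, its version header and checksum line can be read without PGP itself. The reader below is an added example, not code from the course or from PGP: it writes and parses a block of that shape, reporting the Version header and whether the CRC-24 line still matches the base64 body. The sample payload and version string are constructed stand-ins; the CRC-24 parameters are the ones OpenPGP armor specifies (RFC 4880, section 6.1).

```python
"""Read the armored block an encrypted PGP mail carries: the Version: header
(which client produced it) and the CRC-24 line (was the base64 body mangled).
Added example; not PGP's code. CRC-24 parameters are those of RFC 4880, 6.1."""
from __future__ import annotations
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 over the decoded payload (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, version: str, kind: str = "MESSAGE") -> str:
    """Wrap raw bytes the way a PGP client does before placing them in mail."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {kind}-----", f"Version: {version}", ""]
                     + lines + [f"={check}", f"-----END PGP {kind}-----", ""])


def dearmor(text: str) -> dict:
    """Return block type, headers, decoded payload and whether the CRC line
    matches the payload (False also when the CRC line is missing)."""
    lines = text.splitlines()
    begin = next(i for i, line in enumerate(lines) if line.startswith("-----BEGIN PGP "))
    kind = lines[begin][len("-----BEGIN PGP "):].rstrip("-")
    headers: dict[str, str] = {}
    i = begin + 1
    while lines[i].strip():                      # headers run up to the blank line
        name, _, value = lines[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    b64, check = [], None
    for line in lines[i + 1:]:
        if line.startswith("-----END PGP "):
            break
        if line.startswith("="):                 # '=' introduces the CRC line
            check = line[1:].strip()
        elif line.strip():
            b64.append(line.strip())
    payload = base64.b64decode("".join(b64))
    crc_ok = (check is not None
              and int.from_bytes(base64.b64decode(check), "big") == crc24(payload))
    return {"type": kind, "headers": headers, "payload": payload, "crc_ok": crc_ok}


# Constructed sample: a real payload would be OpenPGP packets, and the version
# string only stands in for whatever a 6.5.8 client actually writes.
SAMPLE_PAYLOAD = b"constructed placeholder, not real OpenPGP packets"
SAMPLE_ARMOR = armor(SAMPLE_PAYLOAD, "PGPfreeware 6.5.8 (constructed)")
```

A single altered base64 character changes at most six consecutive payload bits, which a CRC-24 always detects, so `dearmor` reports `crc_ok` as False for such transit damage.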

Page 18

Encryption of Email Content

• The lock icon in the previous slide looks like an unlocked lock. As you can see by the auto help, it is the button you would press to decrypt the mail.

• You can only decrypt the email if you have the private key. The email is encrypted with the public key, and then sent to the person that has the private key to be decrypted.

You will get the Unlock icon in any email you open up, whether or not you have received encrypted email. If you have received an email that has been signed by someone that you don’t have an established relationship with (i.e. you have not exchanged keys yet), you can check the message with the included key that comes with the message. You can double check the signature against a key server key, if that person has put a public key on a server. Your software will ask you if this person is someone you trust. You have the ability to add or subtract from the trust of the public key you have in your key ring. There are parameters to change trust in any public key you have.

Wake up - if you were zoning out and thinking this is too easy, here are some points to remember about trust. PGP uses a cumulative trust model. We will refer to this later in the presentation as a “web of trust”.

For PGP, a certificate is valid if it is signed by a trusted individual whose certificate is valid, or (and this is a huge point) it is signed by a group of people that are generally trusted whose certificates are all valid.

X.509 certificates use a hierarchical trust model: if you trust the one person or entity authorized to sign a certificate, then you trust the certificate.
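The two validity rules just stated can be written down as code. The example below is added here and is not from the course or from PGP: it computes key validity for a constructed key ring under the cumulative model and for a constructed certificate set under the hierarchical one. The thresholds of one fully trusted signer or two marginally trusted signers are an assumption taken from classic PGP defaults; the slides give no numbers.

```python
"""Key validity under the two trust models contrasted above: PGP's cumulative
web of trust and X.509's hierarchy. Added example, not PGP's or a CA's code.
Assumed thresholds (classic PGP defaults): 1 complete or 2 marginal signers."""
from __future__ import annotations
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1     # assumption: classic PGP default
MARGINALS_NEEDED = 2     # assumption: classic PGP default


@dataclass
class Key:
    owner_trust: str = "none"    # "ultimate" | "complete" | "marginal" | "none"
    signers: set[str] = field(default_factory=set)   # keys that signed this one


def pgp_validity(ring: dict[str, Key]) -> dict[str, bool]:
    """Web of trust: a key is valid if it is our own, or carries enough signatures
    from *valid* keys whose owners we trust; signers must be valid, so iterate."""
    valid = {name: key.owner_trust == "ultimate" for name, key in ring.items()}
    changed = True
    while changed:
        changed = False
        for name, key in ring.items():
            if valid[name]:
                continue
            complete = marginal = 0
            for signer in key.signers:
                if signer == name or signer not in ring or not valid[signer]:
                    continue      # self, unknown and not-yet-valid signers count for nothing
                trust = ring[signer].owner_trust
                if trust in ("ultimate", "complete"):
                    complete += 1
                elif trust == "marginal":
                    marginal += 1
            if complete >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid[name] = changed = True
    return valid


def x509_validity(issuer_of: dict[str, str], trusted_roots: set[str]) -> dict[str, bool]:
    """Hierarchy: valid only if the issuer chain reaches a trusted root."""
    result: dict[str, bool] = {}
    for subject in issuer_of:
        seen, current = set(), subject
        while current is not None and current not in seen:   # seen guards cycles
            seen.add(current)
            if current in trusted_roots:
                break
            current = issuer_of.get(current)
        result[subject] = current in trusted_roots
    return result


# Constructed key ring: "me" is our own key, owner_trust is what we set in
# PGPKeys, signers are who countersigned each key.
SAMPLE_RING = {
    "me":    Key("ultimate"),
    "grace": Key("none", {"alice"}),          # listed before alice on purpose
    "alice": Key("complete", {"me"}),
    "bob":   Key("marginal", {"me"}),
    "carol": Key("marginal", {"me"}),
    "dave":  Key("none", {"bob", "carol"}),   # two marginals suffice
    "eve":   Key("none", {"bob"}),            # one marginal does not
    "frank": Key("none", {"dave"}),           # dave is valid but not trusted
}
# Constructed certificate set: subject -> issuer; the CA signs itself.
SAMPLE_ISSUERS = {"sans-ca": "sans-ca", "john": "sans-ca", "mallory": "other-ca"}
```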

Posted: 21/12/2013, 05:17
