diff options
author | Lars Wirzenius <lwirzenius@wikimedia.org> | 2020-01-31 16:27:42 -0800 |
---|---|---|
committer | Lars Wirzenius <lwirzenius@wikimedia.org> | 2020-01-31 16:27:42 -0800 |
commit | edcb8a55354f5ce781ebb0e139b38dae0ca76749 (patch) | |
tree | 295d34e1a3a7d380bbcffd33dce0fa36bdac55a3 | |
parent | a2d00cd5d3d057f3be18fdcdfd607e5157e6e9dc (diff) | |
download | wmf-talks-edcb8a55354f5ce781ebb0e139b38dae0ca76749.tar.gz |
Change: use beamer for PGP talk
-rw-r--r-- | pgptalk.md (renamed from pgptalk.mdwn) | 45 |
1 files changed, 36 insertions, 9 deletions
diff --git a/pgptalk.mdwn b/pgptalk.md index 593b6a5..1a9dd78 100644 --- a/pgptalk.mdwn +++ b/pgptalk.md @@ -1,4 +1,7 @@ -class: center, middle +--- +title: PGP basics +date: Version 1.0.1 for 2019-05-08 +... PGP and GnuPG—some basics ============================================================================= @@ -6,7 +9,6 @@ PGP and GnuPG—some basics Use of unnecessary swearing while using crypto software... has been approved -Verion 1.0.1 for 2019-05-08 --- @@ -44,6 +46,8 @@ Threat models download * **eavesdrop** your communications to steal sensitive information +--- + * An attacker may be... * a government: US, UK, Russia, China, etc, possibly illegally @@ -53,6 +57,7 @@ Threat models * a minor criminal * someone with too much time and a twisted sense of humour * someone you know who doesn't like you + --- Defences @@ -114,9 +119,14 @@ Basics of public key cryptography * Prove data or message is from you by **signing**: encrypt with your secret key, anyone can check by decrypting with your public key + * actually, a cryptographic **hash** is signed, not the whole + message + * Keep communications **secret**: everyone can encrypt with your public key, only you can decrypt using your secret key +--- + * Public key cryptography solves the key distribution problem. Traditional (symmetric) cryptography requires a shared secret or code between sender and receiver, and this can be complicated to @@ -137,17 +147,16 @@ Storing keys securely on a USB stick, and only use it in a device whose security you trust -* Subkeys: the main key is kept safe and forms the identity, but - additional keys, linked to the main key. New subkeys can be +* Subkeys: the main key is kept safe and forms the identity, and + subkeys are additional keys, linked to the main key. New subkeys can be generated at will for specific purposes, such as for keeping on a laptop for email +--- + * Subkeys can be stored on your normal devices, since they're easy to replace with new ones if they're compromised -* Subkeys can also be stored on special devices for more secure key - storage, such as Yubikeys - * A secret key is data "at rest" (as opposed to "in transit"), and is basically only protected by the passphrase you set. @@ -157,6 +166,14 @@ Storing keys securely * You can change the passphrase later if you want to make it stronger. +* Subkeys can also be stored on special devices for more secure key + storage, such as Yubikeys + + * Highly recommended for many use cases + + * Hardware restrictions prevent access of key + + --- Creating a key, with subkeys, with GnuPG @@ -194,6 +211,8 @@ Publishing a public key * 32-bit (8 hex digit) short ids are no longer secure, and there are hoax keys with real names (see <https://evil32.com/>) +--- + * **In principle** it doesn't matter which keyserver you use, the built-in default should be good enough, except sometimes it isn't @@ -228,13 +247,18 @@ Signing a key money and your car" * "Is confident" is up to the signer, there are no rules +--- + * Key signatures are also published on the keyservers + * However, this is currently not possible due to attack + * You can tell GnuPG which keys' signatures you trust, and how much, and GnuPG will tell you if you can trust a key, even if you haven't signed it yourself * compare with introducing people in real life + * "I trust Alice to introduce me to new people and not lie who they are" @@ -302,7 +326,7 @@ Receiving a signature for your key Signing a key: the easy way ============================================================================= -* On Debian and derived Linux distributions +* Works on Debian and derived Linux distributions, maybe others * **`apt install signing-party`** @@ -369,6 +393,8 @@ Using a USB stick: overall approach * make backup copies of the stick; probably best give each backup copy a dedicated filesystem label so you know which one is which +--- + * To use the main key, set **`export GNUPGHOME=/media/liw/usb-stick`** for key signing, importing signatures, creating new subkeys @@ -397,6 +423,8 @@ Using a USB stick: moving main key * **`mv ~/.gnupg /media/liw/usbstick/gnupg`** +--- + * Import the exported keys to laptop * **`gpg --import secret.key`** @@ -419,4 +447,3 @@ This content is licensed under the Creative Commons Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence. [CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/ - |