summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLars Wirzenius <lwirzenius@wikimedia.org>2020-01-31 16:27:42 -0800
committerLars Wirzenius <lwirzenius@wikimedia.org>2020-01-31 16:27:42 -0800
commitedcb8a55354f5ce781ebb0e139b38dae0ca76749 (patch)
tree295d34e1a3a7d380bbcffd33dce0fa36bdac55a3
parenta2d00cd5d3d057f3be18fdcdfd607e5157e6e9dc (diff)
downloadwmf-talks-edcb8a55354f5ce781ebb0e139b38dae0ca76749.tar.gz
Change: use beamer for PGP talk
-rw-r--r--pgptalk.md (renamed from pgptalk.mdwn)45
1 files changed, 36 insertions, 9 deletions
diff --git a/pgptalk.mdwn b/pgptalk.md
index 593b6a5..1a9dd78 100644
--- a/pgptalk.mdwn
+++ b/pgptalk.md
@@ -1,4 +1,7 @@
-class: center, middle
+---
+title: PGP basics
+date: Version 1.0.1 for 2019-05-08
+...
PGP and GnuPG&mdash;some basics
=============================================================================
@@ -6,7 +9,6 @@ PGP and GnuPG&mdash;some basics
Use of unnecessary swearing while using crypto software...
has been approved
-Verion 1.0.1 for 2019-05-08
---
@@ -44,6 +46,8 @@ Threat models
download
* **eavesdrop** your communications to steal sensitive information
+---
+
* An attacker may be...
* a government: US, UK, Russia, China, etc, possibly illegally
@@ -53,6 +57,7 @@ Threat models
* a minor criminal
* someone with too much time and a twisted sense of humour
* someone you know who doesn't like you
+
---
Defences
@@ -114,9 +119,14 @@ Basics of public key cryptography
* Prove data or message is from you by **signing**: encrypt with your
secret key, anyone can check by decrypting with your public key
+ * actually, a cryptographic **hash** is signed, not the whole
+ message
+
* Keep communications **secret**: everyone can encrypt with your
public key, only you can decrypt using your secret key
+---
+
* Public key cryptography solves the key distribution problem.
Traditional (symmetric) cryptography requires a shared secret or
code between sender and receiver, and this can be complicated to
@@ -137,17 +147,16 @@ Storing keys securely
on a USB stick, and only use it in a device whose security you
trust
-* Subkeys: the main key is kept safe and forms the identity, but
- additional keys, linked to the main key. New subkeys can be
+* Subkeys: the main key is kept safe and forms the identity, and
+ subkeys are additional keys, linked to the main key. New subkeys can be
generated at will for specific purposes, such as for keeping on a
laptop for email
+---
+
* Subkeys can be stored on your normal devices, since they're easy
to replace with new ones if they're compromised
-* Subkeys can also be stored on special devices for more secure key
- storage, such as Yubikeys
-
* A secret key is data "at rest" (as opposed to "in transit"), and is
basically only protected by the passphrase you set.
@@ -157,6 +166,14 @@ Storing keys securely
* You can change the passphrase later if you want to make it
stronger.
+* Subkeys can also be stored on special devices for more secure key
+ storage, such as Yubikeys
+
+ * Highly recommended for many use cases
+
+ * Hardware restrictions prevent access of key
+
+
---
Creating a key, with subkeys, with GnuPG
@@ -194,6 +211,8 @@ Publishing a public key
* 32-bit (8 hex digit) short ids are no longer secure, and there
are hoax keys with real names (see <https://evil32.com/>)
+---
+
* **In principle** it doesn't matter which keyserver you use, the
built-in default should be good enough, except sometimes it isn't
@@ -228,13 +247,18 @@ Signing a key
money and your car"
* "Is confident" is up to the signer, there are no rules
+---
+
* Key signatures are also published on the keyservers
+ * However, this is currently not possible due to attack
+
* You can tell GnuPG which keys' signatures you trust, and how
much, and GnuPG will tell you if you can trust a key, even if
you haven't signed it yourself
* compare with introducing people in real life
+
* "I trust Alice to introduce me to new people and not lie who
they are"
@@ -302,7 +326,7 @@ Receiving a signature for your key
Signing a key: the easy way
=============================================================================
-* On Debian and derived Linux distributions
+* Works on Debian and derived Linux distributions, maybe others
* **`apt install signing-party`**
@@ -369,6 +393,8 @@ Using a USB stick: overall approach
* make backup copies of the stick; probably best give each backup
copy a dedicated filesystem label so you know which one is which
+---
+
* To use the main key, set **`export GNUPGHOME=/media/liw/usb-stick`**
for key signing, importing signatures, creating new subkeys
@@ -397,6 +423,8 @@ Using a USB stick: moving main key
* **`mv ~/.gnupg /media/liw/usbstick/gnupg`**
+---
+
* Import the exported keys to laptop
* **`gpg --import secret.key`**
@@ -419,4 +447,3 @@ This content is licensed under the Creative Commons
Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence.
[CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/
-