summaryrefslogtreecommitdiff
path: root/pgptalk2.md
blob: 44625874d2818fac0480105a921efd372358e289 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
# Goals of this talk

* Why is cryptography important?
* How does cryptography work, conceptually?
* How do I use cryptography, specifically?
* What should I do next?

![cat](Anca.jpg)

---

* Why would anyone attack **you**?
    * you, your data, or your computing resources might be valuable
    * you might be a stepping stone to another target, such as
      your employer
    * you might be an easy target

![cat](Bancho.jpg)

---

* An attacker may want to...

    * **impersonate** you to someone else, or someone else to you
    * **falsify** a file you need or provide, such as a software
      download
    * **eavesdrop** your communications to steal sensitive information

![cat](Sphynx.jpg)

---

* An attacker may be...

    * a government: US, UK, Russia, China, etc
    * law enforcement or espionage, in any country
    * a large private organisation
    * a criminal organisation
    * a minor criminal
    * someone with too much time and a twisted sense of humour
    * someone you know who doesn't like you
    * in all cases, the attack may be illegal, but might not be

![cat](Lizard.jpg)

---

# Defences

* cryptography, especially widespread use (HTTPS is almost everywhere!)

* tools, training, infosec, opsec, good habits

* compare with driving: errands vs F1

* a sufficiently motivated or well-funded attacker will eventually win

![cat](Chat.jpg)

---

# Everyday uses of cryptography

* email: sign as much as possible, encrypt at least sensitive

* git: signed tags for releases, maybe sign (some) commits

* software releases: sign downloadable files (.tar.gz, etc)

* amaze people at parties, be an international celebrity

![cat](Down.jpg)

---

# Cryptography concepts

* Symmetric: one key

* Asymmetric: two linked keys

![cat](June.jpg)

---

# History

* 1977: first public invention of public key cryptography

* 1991: PGP or Pretty Good Privacy, first popular, freely usable
  implementation of public key cryptography

* 1990s: US crypto export restrictions; massive innovation boom

* 1995: SSH, SSL

* late 90s: crypto wars

* 2000s, 2010s: crypto gets widely used and entrenched

* 2020s: second crypto wars

---

# Crypto tooling

* SSH, HTTPS are used everywhere

  * use for connections, transfers: "data in transit"

* PGP went proprietary, GnuPG (gpg) is a free replacement

  * use for messages, files, signatures: "data at rest"
  * OpenPGP standard, GnuPG most popular implementation
  * versions exist for all popular computer operating systems

![cat](Box.jpg)

---

# Demos

* generate a key
* sign a key, share signed key with its owner
* encrypt and sign a message
* decrypt a message, check its signature

<!--

Notes:

- ssh into liwmf, sudo doesn't work (tty perm problem)

- gpg --quick-gen-key 'Laurentius Wisconsinius <lwirzenius@wikimedia.org>'
- gpg -K

- curl https://liw.fi/pgp.txt > liw.pub
- gpg --import liw.pub
- gpg --list-keys
- gpg --sign-key DBE5439D97D8262664A1B01844E17740B8611E9C
- gpg --export  --armor DBE5439D97D8262664A1B01844E17740B8611E9C > signed-liw.pub
- gpg -K
- gpg --encrypt --armor -r DBE5439D97D8262664A1B01844E17740B8611E9C -r B906C37CF6674C198EA2F7B1A300CE8C4E4D797F signed-liw.pub
- less signed-liw.pub.asc
- gpg --decrypt < signed-liw.pub.asc

- cp signed-liw.pub.asc /tmp

- gpg --decrypt < /tmp/signed-liw.pub.asc
- gpg --decrypt /tmp/signed-liw.pub.asc  | gpg --import

- echo this is secret message | gpg --clearsign --armor -r B906C37CF6674C198EA2F7B1A300CE8C4E4D797F > msg.asc
- less msg.asc
- cp msg.asc /tmp

- as liwmf:
- gpg < /tmp/msg.asc

- as liw:
- vi /tmp/msg.asc

- as liwmf:
- gpg < /tmp/msg.asc

-->

---

# Now what?

* Make a key, start using it, get it signed by co-workers

  * Link: [GitHub's guide](https://help.github.com/en/github/authenticating-to-github/generating-a-new-gpg-key)
  * Link: [Lars's old guide](https://blog.liw.fi/posts/2017/05/29/using_a_yubikey_4_for_ensafening_one_s_encryption/)

* Ask for help or hands-on training if you need it

* This talk (source): <http://git.liw.fi/wmf-talks>

---

# Legalese

Copyright 2020 Wikimedia Foundation

This content is licensed under the Creative Commons
Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence.

[CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/

Pictures from Wikimedia Commons:



* [June_odd-eyed-cat_cropped.jpg](https://commons.wikimedia.org/wiki/File:June_odd-eyed-cat_cropped.jpg)
* [Cat_into_the_box.jpg](https://commons.wikimedia.org/wiki/File:Cat_into_the_box.jpg)
* [Banho_de_Sol_(2422073851).jpg](https://commons.wikimedia.org/wiki/File:Banho_de_Sol_(2422073851).jpg)
* [Anca_the_Weasel_(26984433186).jpg](https://commons.wikimedia.org/wiki/File:Anca_the_Weasel_(26984433186).jpg)
* [Cats_lying_down;_March_2016_(01).jpg](https://commons.wikimedia.org/wiki/File:Cats_lying_down;_March_2016_(01).jpg)
* [Chat_import_1.jpg](https://commons.wikimedia.org/wiki/File:Chat_import_1.jpg)
* [Cat_playing_with_a_lizard.jpg](https://commons.wikimedia.org/wiki/File:Cat_playing_with_a_lizard.jpg)
* [1_adult_cat_Sphynx._img_047.jpg](https://commons.wikimedia.org/wiki/File:1_adult_cat_Sphynx._img_047.jpg)


---
title: "Basics of cryptography"
subtitle: "OpenPGP and GnuPG"
author: "Lars Wirzenius / Wikimedia Foundation"
date: "Version 2.0 for 2020-04-29"
...