T4 Flashcards
Recap on the Tutorials: What are the first four about?
Chapter 1
T1: Exposed Attack Surface (Nmap, NetDiscover)
Chapter 2
T2: DES vs AES encryption with OpenSSL
T3: Bash Scripts Dictionary Attack on Symmetric Key Encryption
T4: Symmetric AND Public Key with GPG
4 Main Activities in T4
- Generating and Managing Keys
- Encryption
- Verifying Authenticity
- “Web-of-trust”
GPG
GnuPG
A software tool used for both symmetric and asymmetric encryption
implementation of the OpenPGP standard
Common uses of GPG
- Encrypting emails
- Encrypting generic input files
- Authenticating messages
GUI?
There are many GUIs facilitating the usage of GPG but we are interested in the basic operations so we use command line
After entering “gpg –gen-key” what happens?
First Step
Asks to enter name and email, then creates the keys.
*May take some time because kernel needs tp collect enough “entropy” to make secure random numbers
gpg –list-public-keys
gpg –list-secret-keys
Second Step
Lists all public keys
Lists all private keys
Stored in “hidden directory in user home directory
*Doesn’t actually show keys it shows their id
gpg –output revoke.asc –gen-revoke <KEY-ID></KEY-ID>
Third Step
What it does:
Creates a certificate to revoke a key if it is ever compromised.
(maybe you no longer have access to your private key and want to tell others its not valid)
Why it’s critical:
Prevents others from trusting a key that is no longer secure or in your possession
If private key is compromised, its important that we eliminate it ASAP
Command to enter reason for revocation, and then saves it as a human-readable file revoke.asc. You shold store this securely offline
What warning do we see after creating revocation certificate?
Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable.
If an attacker gets the revocation certificate, they can invalidate your key and disrupt its use – if you print to store offline make sure system doesn’t store print job temporarily
gpg –export -a >Key-ID< mykey.asc
Fourth Step
We have our public key, but no one knows it…
This command exports public key into ASCII (text version instead of binary) for easy sharing
Can make available online but MUST use httpS not http
Why can we not put public key on website using http?
Data is sent in plaintext over http, its not encrypted. If you publish public key on a website using HTTP, and attacker could intercept the connection nad replace your key with their own
Man-in-theMiddle Attacks — interception!
After exported ASCII file for public-key, there is a text version of it
The private-key remains stored in home directory.
Is it secure?
How can I manage the confiddentialist of my private-key?
- Default permissions restrict access to home directory
- Could use software tools for encrypting home directory
- Could store private key somewhere else
LUKS disk encryption
> gpg –send-keys –keyserver >KEY-SERVER< >KEY-ID<
Fifth Step
Uploads public-key to specified key server
> gpg –search-keys ‘g.dangelo@unibo.it’
If the output of the command reports the public-key that I’m looking for then I can import it in my
keyring. **What does this mean? **Warning: think carefully about the security implications of this action. What are the security implications?
Attacker can upload their own key to the keyserver pretending it belongs to the professor’s email.
Ask the person directly for the key fingerprint, and use the gpg –fingerprint >Key-ID< command to check
Use gpg –import keyfile.asc to import the key
