Episode: 1524
Title: HPR1524: WASHLUG 20150515 GPG and E-mail
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1524/hpr1524.mp3
Transcribed: 2025-10-18 04:41:13
---
Music
So, you know, if you're interested in security, there are Bruce Schneier's newsletter,
SANS Institute has a daily newsletter of their top stories and usually some pretty
good information there. A couple of things that I read every day. So, shall we get started?
Hello. I think I probably have gotten my name around a little bit. I'm Kevin O'Brien.
And I'm a member of this group and very happy to do this presentation.
Yeah, thank you. Thank you. I missed last month because of a conflict with church.
Linux users group meeting was on Holy Thursday and I am in the church choir.
So, I was where God wanted me to be for that moment. Otherwise, I probably would have been here.
But we just came off of a very successful Penguicon. The two complaints I heard warmed my heart wonderfully.
One of them was, there's too many times I want to see both of these presentations that are opposite each other.
And if you're a programmer, you love hearing that. And the other one was, these rooms aren't big enough.
So...
Oh, yes. I was there for one of those awful things. Poor Ruth. Almost hoarse by the end of that.
I would have thought a different county would have been here.
You know, I'm an old fuddy-duddy. So, it's like, you know, that's rap. That's not music.
I am. Yes, I'm proud of it. I came by it honestly, along with the gray hair.
In the second choice, if you've got to do that, get microphones and amplifiers for the people that acted.
Well, yeah. It's just one of those things I hadn't thought of that, oh wait a minute, where's the music?
I was trying really hard to make sure we had projectors. And mostly that worked.
So, anyway, we're starting to work on next year already. So, that's the nature of these cons. It's a year-round activity.
So, this is here more about it.
Yeah, we could do that. We could do that.
I'm 10 minutes or so, depending on how many of them you may not be strict on its time.
But is people to come up and talk about something for a short period of time?
I just take a room somewhere and say, you know, this is our unconference over here in this room, you know, Barc Ampett.
But we ought to let you talk about what you're here for. We can do that.
So, encryption, you know, your basic problem is a communications issue.
How do you communicate securely if you don't control the entire channel?
And, you know, there have been any number of attempts to do this.
You know, you can go back a couple of thousand years. There's the Caesar cipher, which is basically the same as ROT13,
move everything a certain number of spaces.
There was the German Enigma machine, which was very, very complex, but crackable.
And I would say one of the reasons it was crackable is it was at the end a purely mechanical process.
And any mechanical process can be engineered if you're sufficiently ingenious, because you can't be random and mechanical.
We get into the electronic communication. And, you know, if I pick up the phone and call,
I send an email, whatever. How do I know someone isn't listening in?
And that's where encryption can come into it.
And part of the problem is how do you establish communicate?
We know that you can create a very, very robust cipher.
And if I want to communicate with Mike, and we agree on what the cipher is, I can use that cipher to encrypt messages.
I'm going to be very careful if possible and not say encode, because those are two different things.
Encrypt means I'm applying cryptographic obfuscation. Encode could just mean I'm using a code like Morse code.
You know, no secrecy in Morse code is just a way of asking as a code.
So Mike and I agree on a cipher, and then I can use it to send him messages.
Well, that's great, but how do we do the agreeing on a cipher part?
We could get together. We're both in the room right now. I could write down, here's the cipher, give it to him.
Now I've just written it down, so there's already an element of insecurity about all of that, you know, what if his pocket is picked.
But, you know, the biggest part of it is it restricts me to communicating only with people I can first physically get in contact with.
Because anything else, I mean, do I send him an email with the cipher in it? Well, that can be intercepted.
I pick up the phone and call him, say, here's the cipher, the phone could be tapped.
So how can I securely create a communications channel?
And in theory, it was first worked out by three people, Whitfield Diffie, Ralph Merkle, and what's Hellman's first name, I don't know.
So it's the Diffie, Hellman, Merkle, a protocol that they worked out was a theoretical one that said, well, if you could do this, you could create the secure channel.
They didn't figure out how to do it. They just sort of said it was theoretically possible.
And then the people who worked it out were three people at MIT.
And I've got the names here, Ronald Rivest, Adi Shamir, and Leonard Adleman. So Rivest, Shamir, Adleman, RSA.
So you're probably familiar with the initials RSA. And these were the three guys.
And what they came up with was a type of a one-way function. Now, one-way function in mathematics is something where you can go from A to B relatively easily, but it's almost impossible to go from B to A.
And the one they came up with involved at the heart of it, taking two very large prime numbers and multiplying them.
Multiplying two numbers is something computers can do very quickly and easily.
Then the problem on the other end of it is can you take an extremely large number and factor it into the prime factors.
And that's where it becomes computationally infeasible. Now, when I say computationally infeasible, there's always got to be just a little bit of an asterisk that said at what level of technology are we talking about?
So computationally infeasible is a moving target. And so there is an arms race between the people who are trying to create security and the people who are trying to eliminate security.
Which is why having the NSA responsible for both of those things is fundamentally really stupid.
You can do a calculation that says capability and requirement.
You can do a calculation that says given the current level of computing power, if we devoted all the computers in the entire world for a period of time of six billion years, they still probably wouldn't do it.
I would call that computationally infeasible.
With the no and no algorithms.
Exactly.
And I think, you know, I'm not morally opposed to spying per se.
I just think that having the NSA with a dual mission, they're supposed to be protecting our security.
And spying.
And it looks like they put spying as a higher priority and are therefore reducing our security.
And a good example of that is something called elliptical curve encryption.
Which is just an algorithm for creating encryption keys that should be very safe and very secure and very efficient.
And the National Institute of Standards and Technology put together a working group.
And, oh, the chair of the working group was an NSA person.
And they came back with a recommendation that had a number of people kind of scratching their heads saying, hmm, something's funny about this.
This is supposed to be very efficient, but the algorithm takes forever to run.
Well, in hindsight, I think most people think the NSA deliberately screwed it up because a good, efficient, safe algorithm would have gotten in the way of their ability to decrypt and read all of this traffic.
So just one of the ways your government works to make you less safe.
So how do we do this thing?
What they came up with was something called a key pair, public key and a private key.
And you basically, RSA, those three guys, came up with an algorithm for doing that.
And what you can do with that is when you create a key pair, you have a public key and the public key, you know, you can take out an ad in the paper and print it.
I have mine on my website. You can go there and, you know, if you take a look at the about page, you're going to see my public key.
There are public key servers all over. I may drop in on the MIT one at some point tonight.
And you can go there and find someone's public key. So I'm looking for, and let's say I look for Mike Bernzen, you know, I could type in his name and they would come back and say, well, we've got this key.
Are you looking for, you know, was it MLB.org? It was yours. And I would recognize that and say, yeah, Beth, that's a line. And it would give me the whole print out of your public key.
I don't know if this is going too far strings, but there's these algorithms have anything to say about the magnitude of the public key versus the private key.
Yeah, there's a bit strength that you can choose. At one time, people were doing 1024 bit. I think at this point, 1024 bit is no longer secure. You know, that arms race thing caught up.
Right now, the distinction is between 2048 and 4096.
Oh, you mean the size of the public versus private? Oh, okay. I'm sorry. I misunderstood.
Right. Well, the two keys are not the two prime numbers. No, okay. No, no, right. You don't even know the prime numbers generally.
Right. No, what you do when you're creating it, the algorithm is pulling the two large prime numbers. It's mixing in some randomness into the sauce.
And taking all of that together and coming out with it. So I'm going to take you through that process and you'll see where the randomness comes into it.
So the idea is that the public key, you can just give out to anyone. They need to use that public key to encrypt a message to you.
Right. So I can't send Mike a message until I have his public key. Now, that public key can be used to encrypt a message, but not to decrypt.
So the NSA could not take that public key and decrypt the message I've just created as far as I know.
I can't question me to get your private key. Well, exactly. So if I encrypt the message to Mike and I encrypt it with his public key, he's the only one that can ever decrypt it because he's the only one with the private key.
So the question out from me shows in a direction that you need the private key that you code it, but it really can't, you can't do anything with it once it's encrypted.
Only the recipient. Right. Only the recipient can, but anyone else can not actually unencrypted with the public key.
No, they cannot. They cannot. And you cannot have secure communication until you first have the key.
So if you wish to send an encrypted message to someone, you have to get their public key. First, if you don't do that.
Mike, I got a message from Tony Bemus from Sunday Morning Linux Review and that was a friend of mine. And he had encrypted it.
That's because Tony and I did a talk on encryption at Penguicon. So we're working with the stuff. I couldn't decrypt it.
So back to him and say, Tony, what's going on? I can't decrypt it. So I don't know what you used to encrypt this message. And it was like, oh crap, I forgot. I was on my Android phone and I don't have your key there. I must have used my own.
Well, I can't. I'm sorry. I can't decrypt that. So that's the basics of it. Because with this, I don't have to worry about the secure channel. I just put my public key out there.
I say to anyone, get it. It's on a public key server. If anyone wants to go and the key servers sync with each other, sort of like the way DNS servers do.
So it doesn't matter which key server you upload the key to within a fairly short time. It'll be on all of them.
So you can get the key and then you can use that to send an encrypted message. Now the other thing you can do is a little bit different.
That's the beauty of the system. It doesn't matter. It's public.
You're assuming that how can you upload this to someone else? He's only gotten so far.
Okay. You're talking about the person who's receiving it can't decrypt it. No. No.
No, I know what he's getting at. And I will address it. I will address it. And that's the whole web of trust thing that you have to build.
And I'm going to get there. But generally speaking, I mean, you know, if the NSA goes to the MIT key server, which they undoubtedly do, because it's public, they can get all the public keys and fat lot of good will do them.
So, you know, encrypting a message is one thing. There's another thing you can do. And that is what's called digital signing. And you may have seen digitally signed messages.
And those you can read the message. The message itself is perfectly clear. Then there's something that actually looks an awful lot like Base64, because essentially it is, at the bottom that says this is the digital signature.
So what that does is it provides essentially, the technical term is non-repudiation. All right. I signed this with my key.
And I'm the only one who could have done that. And if someone somehow gets in the middle and changes the message, it's like changing one bit and then running the MD5 on a file.
You'll get an entirely different MD5 hash. If you change anything in the message, it suddenly won't match up with what's in the digital signature.
So that's the other thing you can those are the basically the two things you do is you either digitally sign, which is just a way of saying, yeah, I did this. I'm standing behind it.
You know this came from me or encrypt, which is to say, I only want the intended recipient to be able to see this.
I'm not sure what good it does to.
No, he sends me a message or he's going to send you a message saying, I'll be there to you tonight.
I didn't send yourself that message.
And you can't do it.
Yes, I can.
I don't care what the message is.
Oh, I know I want to do somewhere on Wednesday.
He sent you a completely different message signed with or encrypted with your private key and value that I've got to get trust out of the way now.
Apparently, or we'll never get on with the presentation.
No, I mean, that is an issue.
How do you know just because you go to a key server and it says Kevin O'Brien, how do you know that it really is my key that you're looking at?
And how do we do that?
Well, it's not perfect, but there is what's called a web of trust that you build up.
And the way that works is you get your key signed by other people who know you.
And that could mean, for instance, Tony and I have signed each other's key.
It's pretty easy for me to know that I'm talking to Tony because I see him a lot.
I talked to him on the phone.
What have you?
So all I have to do is say, Tony, is this your key?
Now, most keys are identified with an eight character thumbnail.
Could be a little larger, but typically eight characters is enough.
So I would just say, ah, the eight character thumbnail I have for you is blah, blah, blah, blah, blah, blah, blah.
Is that correct? And he says, yeah, I'm talking to him on the phone.
I know what he sounds like.
So I say great.
And so I will sign that key and mark it that I trust it.
Now, there's different levels of trust.
All right. There's, oh, I met this guy.
And he had a driver's license that had the same name and photo.
So it's probably OK.
Or this is someone I know.
So it's even higher.
And then the very highest one is ultimate.
And I only assign that to my own key.
I trust my key ultimately.
I trust Tony's key highly.
I trust someone who's shown me an ID moderately.
What does that actually do now?
Well, as a practical matter, possibly not much.
It's a matter of whether anyone cares to verify.
Who signed the key and with what level of trust?
Gotcha.
See, if I wanted to talk to what's the name, I don't know him.
But I know Kevin.
So Kevin signs his key.
Yeah.
I can find it.
That's on the key server.
Well, so I can find out what Kevin trusts.
Right.
I might, you know, I might assign him a little bit.
I would have been assigning the next lower level of trust.
Because it's one level removed.
And, you know, I might have been drunk when I said I know who he was.
So you wouldn't give it at the same level of trust.
And in fact, at like Linux conventions and similar sorts of places,
it's not uncommon to have a key signing party arranged.
And you come there with your eight-character thumbnail ID of your key,
and identification.
And, you know, people will take a look at that and then sign your key on that basis.
So, that's what the web of trust is about.
It's not 100% perfect, but...
It's only the last eight they are assigning full fingerprint.
Well, you can...
If someone has their entire team memorized and will keep causing their entire key then great.
Yeah.
No, the eight-character one is enough to make the connection.
So, two products that...
The first one was something called PGP, Pretty Good Privacy.
Created by a guy named Phil Zimmermann.
Employed originally something slightly different,
but after a while he decided to go with RSA as the standard for what he did.
Now, he created this PGP. The government actually started down the road of prosecuting him
for violating the munitions act because he put it on the internet.
Well, anyone can get it.
So, you're exporting deadly munitions to the rest of the world now,
and they gave up.
They never actually followed through all the way on the prosecution.
But it was not considered at the time, and it wasn't really, it was not open.
It was not open source.
It was not free software, however you want to put it.
And I think these days we understand you don't want encryption that you can't look at in some way and at least understand what's going on.
So, what happened was they came up with a sort of reverse engineered approach called GNU Privacy Guard, GPG.
Shortly after that Zimmermann open-sourced PGP anyway.
So, you can get OpenPGP or GPG.
They're absolutely equivalent.
So, I just use GPG because, you know, I'm on a Linux box.
Why the hell wouldn't I? It comes with a distro.
So, with the command gpg and the argument --gen-key.
I can see it's copyright by the Free Software Foundation.
What kind of key do you want?
Now, you got a few options here.
Notice that if you only want to digitally sign, you could choose three or four.
And that would only give you a digital signing key.
It would not give you the whole key pair.
So, if you want the whole key pair, you got to go with one or two.
They give you a couple of different options.
I don't have a PhD in cryptography.
So, I'm not going to tell you what the difference is between those two options.
I'm just going to say I always go RSA.
It's kind of industry standard.
So, I want to get a key pair.
Okay.
How many bits long do I want it to be?
I already said 1024 is too small.
That does not provide security any longer.
20, 30 years ago, it might have been just fine.
Well, nothing lasts forever.
Okay.
NIST says 2048 will be perfectly secure until the year 2030.
Now, do you want to trust NIST?
I already mentioned they were somehow implicated in that elliptical curve thing.
On the other hand, they feel really burned by that whole thing.
And they're pissed.
You know, the argument between them is that, well, 4096 puts a little more of a computational load on there.
With today's computers, I'm not sure that it's really enough of a load to really matter.
So.
How long do you care about your message being it?
I ran across something somewhere that said 4096.
The keys were incompatible with some storage cards and stuff like that.
My guess is if that's an issue for you, you'll stumble across it.
But it's not an issue for me.
How long should the key be valid?
Now, you can have the key last in perpetuity.
I don't think that's a very sound policy, myself, because we have to consider what happens if for any reason your key is compromised, which can happen.
You know, I've been doing a series on this for Hacker Public Radio and I was explaining how to get stuff on to Android.
And as well, you export your key into this ASCII file and copy it onto your phone and then imported it into this thing.
And it was like, and now you've got your key in a readable text file sitting on your phone, dummy.
Delete the file.
Now, you might forget.
And last time I looked at this.
If you remember to delete.
I haven't.
And the other thing is, of course, that recent court rulings have said that, well, you really have no expectation of privacy in your phone.
So if the cops think you're a person of interest, they don't even need a warrant.
They'll just grab your phone and read everything that's on it.
Now, that could get overturned.
But it's not a good precedent.
So, you know, there is a process for revoking keys, and we'll talk about that.
But it's not a bad idea to just let the key expire after a few years.
You can always do another one.
I mean, the worst that's going to happen is that someone uses the old key and doesn't realize it's expired.
And it's like, oh, I don't have your key anymore.
You just say, we'll go to the key server and download it again.
Now, I've talked to some security people who say, yeah, that's really the best way to do it.
You can also use the other.
Oh, yeah, it doesn't disappear.
The possibility that somebody else out there might also be able to do it if here's been compromised.
Now, if somebody writing a message they think are secure.
If it's expired, you know, the key server should say, well, this key isn't valid anymore.
I mean, it doesn't remove it. It just marks it.
And it's the same thing if you actually do an actual revocation.
It doesn't make the key disappear. It just adds a little flag that says, oh, the owner revoked this.
You might want to think about this.
So, let's say...
After all, the key server is just a convenience in a way.
Right. So let's say two years for this key.
All right. So, May 14th at 8.47 p.m. Eastern daylight time in the year 2016.
Yeah, that sounds good.
Now, user ID.
This is built out of some information that you put in here.
So, the first thing is real name.
I would use my real name because otherwise, how is anyone going to find my key?
So, that's not where the security lies in this thing.
Unless you are so well known by some other...
Have you ever named, do you want people to know you find?
You know, Cloud 2 probably has Cloud 2 and this is real name for all I know.
Because I don't know anyone who calls him anything else except his mother, maybe.
That might email address.
A comment. Anything.
Yeah, I can't spell where the damn though.
I'm not that cool.
All right. So, now I get one more chance to look at this.
Yeah, that's okay.
Passphrase.
This is where the security comes in.
If someone got a hold of the binary of your private key and they know your passphrase,
you have no security anymore.
This matters, in other words.
I'm assuming that if you're doing...
You're going to all the trouble to create an encryption key that you are actually concerned about your privacy.
Which means putting in your cat's name fluffy as your passphrase would be really stupid.
This is one of those where your phrase should probably consist of several different words mixed up with numbers and, you know,
two Sanskrit higher regress and a squirrel sound.
So, in this particular one, I have five words.
Some of which are capitalized, five different numerals and two added marks.
When you call those symbols top of the numbers.
Special characters, thank you.
Now, did I do it right?
Apparently, I did.
Now, remember that we said that this was a combination of a random number generator and some prime numbers and blah, blah, blah entropy at work.
So, what are you going to do?
Basically, at this point, I just sort of move my mouse around a little bit.
You know, how much of a hurry are you in?
I'm just going to keep doing this because we're doing a presentation and I want to get out of here.
If I was just hanging around at home, I'd, you know, go surf the web for 20 minutes and come back and see when it was done.
But it's got to harvest some entropy in here and moving my mouse around.
Now, I heard someone at Penguicon who was talking about this said that if you move your mouse around slowly, it actually works faster.
I don't know if that's as opposed to like this.
This is the part where I just see.
This is live.
No, I know that you're doing it live because I've actually done this before.
But this particular part about it, move your mouse around.
Any cause you're getting random and the kernel is using it.
If you move the mouse slower, it tends to move more often towards the mouse.
See, at one point, people tried to put in algorithms to generate random numbers.
Now, by definition, if it's generated by an algorithm, it is not random.
And so we used to call them pseudo-random.
It's probably using either the interest rate or something else.
There's a lot of talk things about the movement of the mouse to generate random information.
Anything.
Yes, correct.
You could use the arrival time for network packets.
You could use anything.
There is a whole big discussion is to exactly what the random number.
And there are arguments that it isn't random and not correct.
But it's very, it's very, actually very, very real.
The thing about the mouse is that it's something that you have direct control of.
It's generating data.
Now, while we're on this.
There's a possibility.
You're a lack of random to 90, or from the computer's lack of randomness.
And I'm sick of it from other individuals lack of randomness.
Some's a lot of good problems.
Depending on what you're doing, it's probably better to have you moving a mouse around
than to have you type numbers.
Yes, but, you know, surfing the web.
Surfing the web.
Yeah, yeah.
Surf the web.
You could do, you know, use the mouse and type.
You interrupt.
You know, if you interrupt it.
Don't ask.
I mean, it's very specific.
Yeah.
There's a very, very wild to find exactly what.
Now, while I'm doing this.
All right.
It's going to take a while.
So, while I'm doing all of this.
I want to address something, which is.
I occasionally heard someone say, I didn't matter.
Now, NSA has more money than God.
They've got some place out in Utah that is like 17 city blocks wide.
Stuffed with hard drives and CPUs.
And they'll just throw money and computing power.
And, you know, there's nothing you can do.
The NSA's own behavior proves that false.
That's the site for which my philosophy is.
You just have to make more expensive bigger interest level.
Well, there is that.
Basically, if you're a person of the interest.
I don't know why I'm going backwards here.
Yeah, there's a couple of things that we can point to.
The first one is Lavabit.
Any of you are familiar with that one?
Ladar Levison.
Supposedly secure email.
The problem was it was secure based on Ladar Levison holding the keys for all of his customers.
So, the NSA came and said, okay, we want the key to everything.
And he ended up shutting down his business rather than cooperate with them.
Now, this was a big deal.
And he is being prosecuted for contempt of court.
And has a defense fund and all of that.
But one of the things we see is that, you know, if the NSA could just decrypt anything anyway,
they wouldn't need to go through that.
The other thing is that we've since found out a lot about other things the NSA does,
which are basically how to get key loggers onto computers and all of these other kinds of things.
They've got any number of creative ways of trying to get at it, which again indicates,
you know, if they could just throw it into their computer system and decrypt it, they wouldn't...
I mean, a lot more time not at individuals, but at the backbone routers.
Oh, there's that too.
Traffic that wasn't routed to them by the telcos, anyway.
Right.
Well, this is...
The manager is watching traffic to be looking at the backbone line, then trying to get into your machine.
So when the Snowden revelations first came out, a lot of people were looking at this.
Bruce Schneier.
I pay a lot of attention to Bruce Schneier.
Because...
How come the need for bytes weren't up?
I have no idea. It's probably because I lead a sinful life, and this is my punishment.
I'm not because we're talking about the NSA.
I've probably gotten enough stuff in this state that some of the stuff it thought was random, isn't it?
Something's happening.
No, I'm not doing anything.
All right.
Fortunately, I already have a key, so we'll just skip over the rest of the...
Basically, that was the process you would go through on the command line.
The one thing we didn't get to was generating a revocation certificate.
And it recommends that you do that at the time that you're creating the key pair.
Revocation certificate is what you would send to the key server if for some reason you thought your key had been compromised,
or if for any reason at all you just wanted to revoke the key.
So we didn't get to that stage of this.
Now, there are alternative ways of doing this.
I do it on the command line because it's a Linux user's group.
I mean, why wouldn't I do the command line at the Linux user's group, right?
There are GUI programs available on a variety of platforms.
GPG is completely cross-platform.
It is not Linux only.
You can get it in Windows, Mac OS.
There is a KDE program called KGPG,
or if you're more on the GNOME side, right now I'm in Unity, which is a GNOME under the hood.
So Seahorse is an equivalent program.
Although I have to tell you, some of the stuff in Seahorse I haven't quite gotten to work yet.
That may be operator error, but when I Google it I find other people are having the same problems.
Yeah, I may move this thing back to KDE one of these days.
So those are the other things you can do.
Now, we said that you could go to these servers.
So I'm going to take you to a key server.
Eventually.
Yeah, it says I'm connected to WCCnet.
The Firefox should still open.
No, probably.
See if I remember.
Yes, I do.
So MIT, this is one of the large public key servers out there, pgp.mit.edu, and we do a search.
So let's see if I'm in here.
Now there's a lot of these.
Yeah, and that, and there's also one that is only 1024 bit, and that was in early, I was just playing around, but it exists.
You take a look at it, and you can see that here's my key, and my eight character, e50b64e, that identifies my key, and you can see that my friend Tony, as I said, signed it, and here is his key.
Now, there is the key.
So if you wanted to import this key, because you wanted to send me something, you would highlight everything from here all the way to the bottom.
So in other words, you've got to include that beginning and end of the pgp block.
And in some programs, there's just a window where you paste it in. In other ones, you need to paste it into a text file and then import the text file.
So those are a couple of good ways to import keys.
So as we said, you have to do that before you can send a message to anyone.
So if you want to get into sending encrypted messages, start grabbing some public keys of people that you wish to correspond with, and you can start doing it.
Now, there is a point of view that says, well, if you start sending encrypted email, that'll make you stand out to the NSA.
That'll make you a person of interest.
I'm pretty sure I've got at least an FBI file at this point.
We're close in age. Were you a draft resister? No. Oh, okay. You had a different way of getting there. Oh, well, that's another thing. I was a draft dodger.
All of the above. That's a big difference. That's a huge difference.
Maybe it should be a huge difference. I'm just saying I have reason to suspect that I have a file.
Oh, yeah. Like the Keystone Cops sometimes. But my feeling is the more people use encryption, the less they can focus on anyone.
The other thing is I like to just use encryption with people that are into that sort of thing.
Because then if I ever have to send something encrypted, it doesn't stand out as much. I'm just known to be someone who sends encrypted messages around.
Indeed. Yeah. And in fact, I was poking around with Seahorse and it will manage both GPG and SSH keys.
So I know you're big on SSH keys. You do that at your work. So you have that. What do you do? Let's get to the practical part.
You know me. You've got your keys.
Okay. I kept clicking on it. So now it's.
Now email. If you're using mutt on the command line, I'm sorry. I don't do that. If you're that sort of person, you probably can figure it out for yourself.
Google is your friend. I'm going to show you what I know.
I use two email programs. One of them is Gmail in a browser and the other is Thunderbird.
Each one of them has a plugin that will get the job done.
So there we go. Add on.
So if you're using Gmail, that implies that your connection to the Gmail server is encrypted as well.
Yeah, SSL. All Google connections are at this point.
So the plugin for Thunderbird is something called Enigmail. OpenPGP message encryption. Remember I said PGP, OpenPGP and GPG are equivalent.
So it doesn't make any difference. They'll both work. My experience is that if you install the plugin, it will find your key because in the file system, it's in a standardized place.
Although if that didn't happen, you could figure out where to point it.
So it says, hey, we found something. It's in /usr/bin/gpg. Now, for some reason, that's not what I wanted to use. I could override it.
Passphrase. Remember the passphrase for five minutes. It's kind of like sudo on a terminal window, right? That's also going to like a five minute stay alive.
The thing about using GPG or PGP or whatever is if you want security, you really need to use your passphrase every time you do things.
And that's why it's a limited. I'm just telling you, if you say screw this, it turns up to 10 hours.
That's your. I believe it does because I always have to come back and reauthorize it.
Well, you don't set it to hours so that you could exit. I'd leave it at the five minutes.
So does that mean that when it says remember passphrase, that means that somewhere in your computer's memory, the passphrase is in clear text sitting here for that amount of time?
Yeah, you know, if that was an issue for you, now I'm not a Soviet agent. So well, he would say that wouldn't take it. Take it down. If that's your problem, you know, figure out, you know, what's the minimum length of time it would take the FBI to kick in the door and come in with a can of Freon and freeze your RAM chips.
And set it to below that amount of time. You can do that.
And then there were expert settings.
So, you know, if you go to the advanced settings, you can do some things like, you know, how do you select the keys? Do you want to always encrypt or sign replies to messages that were encrypted or signs to begin with?
You know, put a comment in the signature that just helps tell people what you were using to do this.
You know, here's key servers. There's a bunch of them. Note this pool.
So this is part of how all of these servers communicate with each other as they get into a pool. Someone out there's got an LDAP server.
So anyway, that was just showing you. So, you know, you can get this. It's just the normal process that, you know, you're going to Thunderbird. You say, look for add-ons. You type in Enigmail. It comes up. You install it. No big deal.
So, let's say I wish to write a message. All right, so I open up my client. I want to write a message. And, oh, gee, who should I communicate with?
Oh, Ken Fallon from Hacker Public Radio.
I will warm the cockles of Ken's heart. Yeah, I am not a really good typist and even less so on a laptop. So, at this point, I've got my message.
I've got an OpenPGP up here. Look what I can do. I can sign it or I can encrypt it. Now, I can send a signed message to anyone in the world. I don't need to know anything about them.
I picked Ken because I just for the fun of it, I'm going to encrypt this message.
Up. That that one expired. All right, let's try it.
I'm just realizing that it's my key that it's saying that about.
No, no. All right, I'm not quite sure because last night it was.
Well, that should have gone and I could try signing or encrypting as the case may be. But that's Enigmail. It's pretty simple and straightforward.
If people send something to you, if it's encrypted and they used your public key, then a window pops up saying, enter your passphrase. If it was digitally signed, it'll tell you something like, hopefully, this signature is good.
Everything matches up. The message was not altered in any way. Now.
If you're sending someone you have this ad on in it, do you have to do something originally to get the right pass key or is it looking for it?
No, there usually be a little key chain with your correspondence key. There should be something in the setup that you say we're keeping it.
Yeah, just sort of saying if you're if you're about to send a mail to somebody that you haven't before, but you have a struct suspicion that they've got
a lot of key points. Yeah, I'm not, I, yeah, live demos and someone said, but yeah, that's the.
Remembering out when you were generating your key, it seemed that was what it was playing you about is that you weren't connected to the key ring.
Right.
So with Gmail, there's something similar.
Yeah, it doesn't have to be. This is a plugin that's available in Firefox as well. I don't know how many other browsers, but definitely Firefox and Chrome. It's called Mailvelope.
Secure mail, OpenPGP encryption. Yeah, and when I first looked at it a few months ago, it was encrypt only; they have since added digital signing, which is a nice thing.
All right, so can access all of my data. Yep, those are the permissions.
So this should work better because I'm seeing my key ring here. I don't know why I wasn't seeing it in Thunderbird, but so I've got.
So are you using the same key for both Thunderbird and Google Mail? Yeah, okay.
I mean, I be generated one key. I generated one key. So here's the process. If you.
If you have generated a key, what you want to do is you want to export is the phrasing you export the key and that creates an ASCII text file and that ASCII text file can then be imported anywhere else.
But if you had like in my case, I have several different, you know, I've got a desktop. I've got a laptop. I've got an Android phone.
I want to have it available to me wherever I am. So I export the key as this ASCII text file and then I can go in and import it into whatever program and say, yeah, this is my key.
So if I wanted to import, for instance, I showed you that you could go to a key server and get the public, anyone's public key, I could just paste it right in there.
If instead I had it as a text file, I could choose the file and bring it in that way.
If for some reason I had never gotten around to generating a key, you know, you can go through the whole process here and Enigmail will let you generate a key as well.
It's supposed to.
No, I don't believe so.
So anyway, those are the keys that I have. So what happens if you install this? And I'm sure many people here have used Gmail.
So you're probably used to what it looks like. But when I go to compose, you're going to see something down here that's just a little bit different.
You probably haven't seen that in a compose window before.
So let's try this again.
Last time I did this, it didn't work. So I better put in I hope.
So if I just click send, I haven't done anything. This is where I need to make use of that other window over here.
So I've got two things up here. The first one is the signing. So if I click that, it's just going to add a digital signature.
The second one with the lock is the encryption. Now this is like a sub-edit window. I've got all of my message text in there.
And what I'm going to do is either add a signature or add an encryption. So let's add an encryption just for fun.
Now I transfer. And this is what my message now looks like.
Now if I click send, that's why I don't really want to type it in again.
So I didn't need to use my passphrase to encrypt it because it's Ken's public key I'm using. I don't need to prove who I am. I simply have his key.
So anyway, I'm going to click send.
Now the last thing I want to mention, my Android phone, what I use there, there's a program called K-9 Mail that I use in place of Thunderbird.
And with K-9 Mail, you can use it with a program called APG, Android Privacy Guard. You can download APG from Google Play Store.
Download K-9 Mail from the Google Play Store if you wish. So just those two things really work together well.
So what you have to do is you have to export your key from your desktop and get it onto your phone. Now I use something called AirDroid that I really like. It allows me to create a Wi-Fi connection.
So I basically turn my phone into a web server for a few minutes just long enough for me to make a connection from my desktop. And then over Wi-Fi I can upload a file.
So I took my exported key, uploaded it. And then all I had to do was go into APG and say, here it is, point it there. Now one of the things I ran into initially was it was not, it wouldn't let me see the directory that I actually had uploaded it to.
So I then used a file manager, the one I use is called Astro, but there's tons of them. And once I open that up, then all of a sudden I could see everything. And so I told APG, here's my key, bring it in. At which point my K-9 Mail suddenly has sign and encrypt every time I create a message. It's like a checkbox that I can put in and get that going.
Obviously, if I am signing, I have to put in my passphrase. I can tell you I've done it. A long complicated passphrase is twice as annoying when you're doing it on a cell phone.
So that's about what I had for tonight.
One thing you may ask, can you send yourself an encrypted mail so that we can see it on the other side receiving one? Can you just send yourself a mail?
The problem is, if I do, I'll be sending it to Thunderbird, which is not cooperating with me at the moment for reasons I have not quite figured out.
Well, let's see if I can...
So, this is where now I have to.
Okay? Good. Thanks for the suggestion.
I have not looked at that. I have looked at...
There are a couple of things that I know that are available for like instant messaging.
Moxie Marlinspike, I think, has a program that is well thought of. There's another one. Do I have it on my phone?
I can't remember the name offhand of the other one that I was looking at.
There's one that Steve Gibson was very high on.
I don't offhand know what it is, but I know Moxie Marlinspike did one.
There's one on my phone other than that. I don't use chat very much.
So, this was really... these are the things that I use and therefore I've looked at and I know something about.
Anything else? Well, thank you. It's been pleasure.
So, what's the connection between the key...
What's the connection between the RAM, the... between the large prime numbers and the key?
You're getting into what is the actual algorithm involved in calculating this?
Get a good book on cryptography.
Right.
I mean, one of the things we did was write a program.
Yeah.
And Bruce Schneier does have a well-regarded book on cryptography.
Well, it was kind of interesting. He announced that it could be found in a way that sort of...
He wasn't actually telling you to go out and do it, but sort of implying that he wasn't going to haunt you to the rest of your life if you did.
It was like, well, someone's done this, so there it is.
Now, he does make it to Penguin Con from time to time and...
Oh, yeah. And I think it was 2013. He was there.
And I got my copy of Schneier on Security signed.
I like that.
Yeah. He moved back to... I think in the Boston area now. He was in England for a while.
Let's see. What was he? He invented which encryption algorithm?
I mean, if you look it up in Wikipedia, it was like Twofish or something that he did, that he created that.
And then I think he was the CEO of Counterpane Security.
And then...
Well, yeah. He...
The latest... And he talks about the fact that...
Yeah, the newest encryption standard. He submitted something.
They chose a different line, but he said, you know, the one they chose is perfectly good, you know...
Far as we know.
As far as we know.
The problem is, usually thinking about a dual key system, there are many tweaking systems that are really too rough.
Yeah.
And unless the algorithms are really simple, they're really hard to figure out if there's truly a third key involved.
And one of the things... He has a book that I recommend called Beyond Fear.
And he started writing it shortly after 9/11.
And basically, the point of what he was writing was...
There was no possible way to have 100% security.
And the cost of doing it would make it a very bad world to live in.
So let's think about this sensibly.
And in the book, he lays out a model that says, you know, here are the five questions you should be asking yourself
whenever you're looking at security.
And, you know, it's stuff like...
I can't remember all of them off the top of my head, but it's sort of like...
First of all, what are you trying to protect?
You know, what is the asset you're worried about?
Secondly, well, you know, what threats should you be worried about with respect to that particular asset?
And then, you know...
The consequence of...
Right.
And, yeah, what is the cost of the protection?
Would your proposed countermeasures actually do anything to reduce that threat?
What are...
You know, the law of unintended consequences.
You know, back when I was teaching statistics, I used to have so much trouble explaining to my students that
if you reduce type 1 error, you increase type 2 error.
And, you know, that's just the nature of the universe that that happens.
I also think it's very important.
What is the length of time you need to protect the scene?
And so, you know, he goes through all of them.
I'm trying to stay here a year from now, you really care if somebody knew that.
Yeah.
Well, you might.
You might.
It's just enacting control, how big of keys.
Some of the stock goes into some active encryption afterwards.
And it's just a lot of how deep do you need to protect that secret?
Right.
For how long may depend on how much effort you want to put into it?
Right.
Yeah.
And for those who are newly paranoid, there are USB keys that will do all of the key signing,
load the key up and can't get the key back out of the USB device once it's loaded.
YubiKey or something?
YubiKey.
YubiKey?
Yeah, yeah, yeah.
Yeah.
I actually have one of those.
Yeah.
I got it from Mark Stanislav, who is another one of our speakers at PenguinCon,
but he's spoken here a few times.
He works for a company in Ann Arbor called Duo Security.
So he did a talk on two-factor authentication, which is oddly enough what his company does.
What's that I heard you can use that for the key factor system in those keys?
Yeah.
Yeah.
I got one from him at Indiana Linux Fest a few years ago.
Did you just make what you have?
Yeah.
That was the whole thing about two-factor that Mark was talking about: a password plus a PIN is not two-factor.
It's just a slightly more complicated password.
Yeah.
It's not two-factor, but it's doubly passworded.
Yeah, but that doesn't...
Well...
If I've broken one, I probably have both.
Exactly.
You want...
You want to pick something from what...
Yeah.
Well, you aren't going to two-factor.
It's what you have, what you know, and who you are.
The point is it's not two-factor.
It's something...
Something is better than nothing.
It ain't two-factor.
So his company, Duo Security, does offer a two-factor system of some kind.
But it looks like it's really geared towards companies.
So...
Do you want to look at that?
Well...
Yeah.
We actually pilot that work.
Oh.
Cool.
Tell us.
It's a sort of a home-based system.
Yeah.
So you...
Something you have, right?
Right.
Something you've known, something...
What's something you have?
So you...
So you log in...
You try...
You connect to your VPN.
And the VPN back end...
Contacts the Duo system.
Right.
Put it as a message to your phone and say, hey...
Are you actually trying to log in?
Yeah.
Okay, then you log in.
So...
In essence, that's pretty similar to...
Like with Google two-factor auth.
Which I have turned on.
I encourage everyone.
Turn on two-factor.
Yes, it's a pain in the neck that you go to log in on a new computer.
You've got to wait a few seconds.
But...
You've got a text message on your phone with a six-digit number to type in.
And then they're more than happy to let you in.
So the only issue when it doesn't break is the Mac address.
I think it's a cookie or something.
I should add...
I do.
You can connect it for us.
Okay.
It's actually...
It's both.
And it's...
It's obviously the set of time I would say.
You don't want to try...
You don't want to do this again in the next 30 days.
And then you can do a thing about the virus you have to interact with it.
Yeah.
For the next 30 days.
And then you have to do it again.
For the next 30 days.