Using PGP and GPG - PowerPoint PPT Presentation

Provided by: jamesele

1
Using PGP and GPG
  • James Leinweber
  • Wisconsin State Laboratory of Hygiene
  • Badger Incident Response Team
  • "There are two kinds of cryptography in this
    world: cryptography that will stop your kid
    sister from reading your files, and cryptography
    that will stop major governments ..."
  • -- Bruce Schneier (preface to Applied
    Cryptography, 1994)

2
Outline
  • Whirlwind tour of PGP and GPG use
  • About PGP
  • Keys and Trust
  • Platforms, Future trends, URLs
  • (PGP = Pretty Good Privacy, GPG = GNU Privacy
    Guard)

3
PGP: verify a security bulletin
  • major vendors and organizations sign their
    security bulletins
  • Microsoft, Apple, Cisco, Redhat, US-CERT, CIAC
  • push the PGP plugin icon to check the signature
  • automatically downloads missing keys from
    keyservers

4
PGP: sign an e-mail
  • use the clearsign icon PGP added
  • runs PGP after the spell checker, which is good
  • beware of line wrap and funky characters
  • if the e-mail client modifies the message after
    the plugin signs it, the signature won't verify
  • a big culprit: Microsoft Word as the editor
  • or use the PGP tray icon to sign the current
    window

5
GPG: clear-sign a text file (inline)
  • [jiml@lidskialf jiml]$ echo how now brown cow > cow
  • [jiml@lidskialf jiml]$ gpg --clearsign cow
  • [jiml@lidskialf jiml]$ cat cow.asc
  • -----BEGIN PGP SIGNED MESSAGE-----
  • Hash: SHA1
  • how now brown cow
  • -----BEGIN PGP SIGNATURE-----
  • Version: GnuPG v1.2.1 (GNU/Linux)
  • iD8DBQFDVqUmQaGReVxryLkRAhOgAKDnUceWvGEe6KUMrQGhfx
    l0ZNlz9ACgsnk0
  • MFSXxGnjPYSvVyafIDzstjA
  • qv6M
  • -----END PGP SIGNATURE-----

6
GPG: sign and encrypt a file
  • [jiml@lidskialf jiml]$ echo "how now brown cow" > cow
  • [jiml@lidskialf jiml]$ gpg -es cow
  • gpg: WARNING: using insecure memory!
  • gpg: please see http://www.gnupg.org/faq.html for
    more information
  • You need a passphrase to unlock the secret key
    for
  • user: "James E. Leinweber <jiml@slh.wisc.edu>"
  • 1024-bit DSA key, ID 5C6BC8B9, created 2002-10-04
  • [jiml@lidskialf jiml]$ ls -l cow*
  • -rw-rw-r-- 1 jiml jiml 18 Oct 19 14:53 cow
  • -rw-rw-r-- 1 jiml jiml 669 Oct 19 14:53 cow.gpg

7
GPG: decode an encrypted file
  • [jiml@lidskialf jiml]$ cat cow.asc
  • -----BEGIN PGP MESSAGE-----
  • Version: GnuPG v1.2.1 (GNU/Linux)
  • hQIOAs5POfx7DetEAf9HsrIJfj/1XcNytWvG3wr5yebO/cKv
    ot1e12sxt0ev7R
  • khAwxNBdm33MHGSHaodQekPwaJg7AnlwKpRfhvgtDukCwxHUJL
    wHsqDdJDDcVdr
  • XL2sEd9dfPymiHVsTCCnqXs5zzl0ed8iOs5avXpzVn9y2N30s0
    8/rmFH2NSOiuVg
  • wHei21ab5QqNvzhUfjLj3lu2mNtQnh9IQijVilpu6WC8QHhiL
    ATbrBsqcoyfgCU
  • sA
  • WDMm
  • -----END PGP MESSAGE-----
  • [jiml@lidskialf jiml]$ gpg -d cow.asc
  • You need a passphrase to unlock the secret key
    for
  • user: "James E. Leinweber <jiml@slh.wisc.edu>"
  • 2048-bit ELG-E key, ID F1EC37AD, created
    2002-10-04 (main key ID 5C6BC8B9)
  • gpg: encrypted with 2048-bit ELG-E key, ID
    F1EC37AD, created 2002-10-04

8
GPG: verify a Redhat RPM
  • [jiml@russell RPMS]$ rpm --checksig
    gnupg-1.2.1-10.i386.rpm
  • gnupg-1.2.1-10.i386.rpm: (sha1) dsa sha1 md5 gpg
    OK
  • validate with rpm --checksig
  • looks for the signing key on a system RPM keyring
  • older versions used the user's keyring
  • but first, import keys with rpm --import
  • Redhat ships their keys in /usr/share/rhn
  • download 3rd party keys such as Postgres yourself
  • you should add your own organizational keys too
  • have your lead PGP users sign it, so people can
    trust it
  • never import an untrusted key

9
GPG: sign an RPM file
  • [jiml@lidskialf jiml]$ cat .rpmmacros
  • %_signature gpg
  • %_gpg_path /home/jiml/.gnupg
  • %_gpg_name WSLH RPM signing key
    <linuxadmin@slh.wisc.edu>
  • %_gpg_bin /usr/bin/gpg
  • [jiml@lidskialf jiml]$ rpm --resign
    slh-scram-0.1-1.noarch.rpm
  • Enter pass phrase:
  • Pass phrase is good.
  • Reading the directions takes more time than doing
    it
  • You have to generate a key before you sign

10
GPG: investigate a key
  • mkdir bar
  • gpg --homedir bar --import SLH-RPM-GPG-KEY
  • gpg: key D3E96E59: public key "WSLH RPM signing
    key <linuxadmin@slh.wisc.edu>" imported
  • [jiml@lidskialf jiml]$ gpg --homedir bar
    --fingerprint
  • bar/pubring.gpg
  • ---------------
  • pub 1024D/D3E96E59 2005-09-08 WSLH RPM signing
    key <linuxadmin@slh.wisc.edu>
  • Key fingerprint = 0CAF AF49 E7EB 2E2D F3D6
    5E66 BC30 DB7D D3E9 6E59
  • sub 1024g/F415E89A 2005-09-08 [expires:
    2011-09-07]
  • [jiml@lidskialf jiml]$ gpg --homedir bar
    --list-sigs
  • ---------------
  • pub 1024D/D3E96E59 2005-09-08 WSLH RPM signing
    key <linuxadmin@slh.wisc.edu>
  • sig 3 D3E96E59 2005-09-08 WSLH RPM
    signing key <linuxadmin@slh.wisc.edu>
  • sig 3 5C6BC8B9 2005-09-08 [User id not
    found]
  • sub 1024g/F415E89A 2005-09-08 [expires:
    2011-09-07]

11
PGP: verify a detached signature
  • Right-click the signature file
  • this one is from the Windows binary for GPG
  • Use the PGP context menu item for verify
  • If your keyring lacks the public key, PGP will
    search for it
  • Review the PGP log results

12
GPG: verify subversion source
  • find a project you want, say subversion
  • or Ubuntu, or
  • Download the stuff
  • source tarball or ISO
  • detached signature file
  • ls -l subversion*
  • -rw-rw-r-- 1 jiml jiml 6982288 Apr 25
    13:40 subversion-1.2.0-rc2.tar.bz2
  • -rw-rw-r-- 1 jiml jiml 562 Apr 25
    13:40 subversion-1.2.0-rc2.tar.bz2.asc

13
GPG: 1st verify try
  • gpg --verify subversion-1.2.0-rc2.tar.bz2.asc
  • gpg: WARNING: using insecure memory!
  • gpg: please see http://www.gnupg.org/faq.html for
    more information
  • gpg: Signature made Thu 21 Apr 2005 06:46:52 PM
    CDT using DSA key ID 641E358B
  • gpg: Can't check signature: public key not found
  • gpg: Signature made Fri 22 Apr 2005 12:30:09 AM
    CDT using DSA key ID F894BE12
  • gpg: Can't check signature: public key not found
  • gpg: Signature made Fri 22 Apr 2005 05:13:39 PM
    CDT using DSA key ID EC6B5156
  • gpg: Can't check signature: public key not found

14
GPG: get missing keys
  • gpg --recv-keys --keyserver hkp://pgp.mit.edu
    641E358B F894BE12 EC6B5156
  • gpg: WARNING: using insecure memory!
  • gpg: please see http://www.gnupg.org/faq.html for
    more information
  • gpg: key 641E358B: public key "Ben Reser
    <ben@reser.org>" imported
  • gpg: key F894BE12: public key "Brian W.
    Fitzpatrick <fitz@apache.org>" imported
  • gpg: key EC6B5156: public key "Ben
    Collins-Sussman <sussman@collab.net>" imported
  • gpg: Total number processed: 3
  • gpg: imported: 3

15
validate keys (GPG and PGP)
  • check trust paths
  • tolerable for all 3, though not outstanding
  • (see next slide)
  • see if the project web site has the keys
  • in this case, no
  • tsk, tsk
  • see if the web site agrees with the key servers
  • can't in this case, can in others
  • but searching on the user names doesn't turn up
    any extraneous keys either, which is good
  • can google the signers and see what projects they
    are involved with

16
wotsap picture: jiml -> ben
17
GPG: verify with known and trusted keys
  • gpg --verify subversion-1.2.0-rc2.tar.bz2.asc
  • gpg: Signature made Thu 21 Apr 2005 06:46:52 PM
    CDT using DSA key ID 641E358B
  • gpg: Good signature from "Ben Reser
    <ben@reser.org>"
  • gpg: aka "Ben Reser
    <breser@siaer.net>"
  • gpg: aka "Ben Reser
    <breser@vecdev.com>"
  • gpg: aka "Ben Reser
    <ben@reser.org>"
  • gpg: aka "Ben Reser
    <breser@siaer.net>"
  • gpg: aka "Ben Reser
    <breser@vecdev.com>"
  • gpg: WARNING: This key is not certified with a
    trusted signature!
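
The check from slides 13 to 17 in scriptable form, added here as an example that is not part of the original slides: it reads gpg's machine-readable `--status-fd` lines instead of the human text, and accepts a file only if every signature is valid and made by a key whose full fingerprint you pinned after validating it. The function names and the sample status lines (fingerprints, key IDs, timestamps) are constructed for illustration.

```shell
# Added example, not from the original slides. Names are made up and the
# fingerprints below are constructed placeholders, not real keys.
SAMPLE_FPR_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_FPR_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

# sig_status_ok FPR...
# Reads `gpg --status-fd` output on stdin. Succeeds only if no signature
# failed and every valid signature comes from a pinned primary fingerprint.
sig_status_ok() {
  awk -v pinned="$*" '
    BEGIN {
      n = split(pinned, p, " ")
      for (i = 1; i <= n; i++) want[toupper(p[i])] = 1
    }
    $1 != "[GNUPG:]" { next }
    # Bad or uncheckable signature, or an expired/revoked/missing key.
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
    # VALIDSIG: field 3 is the fingerprint of the key that signed; field 12,
    # when present, is the fingerprint of its primary key.
    $2 == "VALIDSIG" {
      fpr = toupper((NF >= 12) ? $12 : $3)
      if (fpr in want) { good++ } else { unpinned = 1 }
    }
    END { exit ((bad || unpinned || good == 0) ? 1 : 0) }
  '
}

# verify_detached SIGFILE DATAFILE FPR...
# Fails closed: if gpg is missing or prints nothing, no VALIDSIG is seen.
verify_detached() {
  sig=$1; data=$2; shift 2
  gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null |
    sig_status_ok "$@"
}

# Constructed status output for a first try like slide 13: key not on keyring.
sample_missing_key() {
  cat <<EOF
[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 17 2 00 1114127212 9
[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA
EOF
}

# Constructed status output for two signatures that both verify.
sample_two_valid() {
  cat <<EOF
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Signer One (constructed)
[GNUPG:] VALIDSIG $SAMPLE_FPR_A 2005-04-21 1114127212 0 3 0 17 2 00 $SAMPLE_FPR_A
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Signer Two (constructed)
[GNUPG:] VALIDSIG $SAMPLE_FPR_B 2005-04-22 1114147809 0 3 0 17 2 00 $SAMPLE_FPR_B
EOF
}

# Typical call, with the fingerprints you validated yourself:
#   verify_detached file.tar.bz2.asc file.tar.bz2 "$FPR1" "$FPR2" "$FPR3"
```

A "Good signature" line from a key that is not pinned makes the check fail, which is the scripted form of the "not certified with a trusted signature" warning on slide 17.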

18
PGP: generating a key
19
PGP: signing a key
20
GPG: generating a key
  • gpg --gen-key
  • Please select what kind of key you want:
  • (5) RSA (sign only)
  • Your selection? 5
  • What keysize do you want? (1024) 2048
  • Key is valid for? (0)
  • Real name: Bucky Badger
  • Email address: bbadger@wisc.edu
  • Comment: another fake
  • You selected this USER-ID:
  • "Bucky Badger (another fake)
    <bbadger@wisc.edu>"
  • Change (N)ame, (C)omment, (E)mail or
    (O)kay/(Q)uit? O
  • You need a Passphrase to protect your secret key.
  • public and secret key created and signed.
  • key marked as ultimately trusted.

21
GPG: signing a key
  • gpg --default-key bucky --edit-key fred
  • ...
  • pub 2048R/5B9494F3 created: 2005-10-17 expires:
    never trust: u/u
  • sub 2048R/9E0F38DB created: 2005-10-17 expires:
    never
  • (1). Fred Flintstone (fake) <fredf@jellystone.park>
  • Command> sign
  • pub 2048R/5B9494F3 created: 2005-10-17 expires:
    never trust: u/u
  • Primary key fingerprint: D002 A4EE A00E 4E30
    55D1 E9A7 DD96 CCC6 5B94 94F3
  • Fred Flintstone (fake) <fredf@jellystone.park>
  • How carefully have you verified the key you are
    about to sign actually belongs
  • to the person named above? If you don't know
    what to answer, enter "0".
  • (0) I will not answer. (default)
  • (1) I have not checked at all.
  • (2) I have done casual checking.
  • (3) I have done very careful checking.
  • Your selection? 3
  • ...
  • You need a passphrase to unlock the secret key
    for

22
PGP: keyring tool
23
PGP: looking at a key
  • right click and pick properties
  • implicit trust when you have the private key
  • main tab is the signing key; subkey tab is for
    encryption keys
  • valid means how much you believe the key
  • trust means how much you believe keys signed by
    this key

24
PGP searching wisc.edu
25
kgpg KDE frontend to gpg search settings
26
web interface to MIT key server
27
web interface to PGP, inc Keyserver
28
Recap: what is PGP (GPG) used for?
  • verifying code integrity
  • source, binary
  • verifying message integrity
  • e.g. security bulletins
  • Encrypting things
  • files (especially password escrow)
  • e-mail (rarely!)
  • Signing things
  • to provide file/object integrity
  • to prevent spoofing (avoiding joe jobs)

29
Outline
  • Whirlwind tour of PGP and GPG use
  • About PGP
  • Keys and Trust
  • Platforms, Future trends, URLs

30
A (very) short timeline of PGP
  • 1976 - Diffie and Hellman's New Directions
    paper (NSA upset)
  • 1977 - Rivest, Shamir, Adleman patent RSA in US
  • 1991 - Phil R. Zimmermann decides to create PGP
  • 1.0 has bad homebrew crypto
  • 1993 - US government files an ITAR export
    violation case against PRZ
  • 1994 - incompatible PGP 2.6.2 resolves an RSA
    patent squabble
  • 1996 - US government gives up on case against PRZ
  • 1998 - RFC 2440, OpenPGP message format, version
    4 keys
  • 2000 - RSA patent expires; GPG adds RSA key
    signing support
  • 2011 - IDEA block cipher patent expires, GPG
    will catch up to PGP 2.0

31
The role of Cryptography
  • Confidentiality
  • symmetric block ciphers
  • AES, CAST, Twofish, 3DES, Serpent
  • fast, strong (only attack is random key guessing)
  • needs randomness to generate keys and
    initialization vectors
  • Integrity
  • message digests, signed by private keys
  • digests: SHA-256 (soon), SHA1 (breaking), MD5
    (already deprecated)
  • digital signatures by RSA, DSA, Elliptic
  • weak, slow, and vulnerable to algorithmic and
    known plaintext attacks
  • so, use really big keys on tiny, random objects
    (hash, block key)
  • Key exchange: the #1 cryptographic problem
    (solved)
  • public key encryption by RSA, ElGamal, Elliptic
  • pragmatics: get public keys from keyservers, web
    sites, or e-mail
  • Authentication: the #2 cryptographic problem
    (still annoying)
  • PGP trust model: distributed (cheap! anyone can
    work at it!)

32
PGP uses the Digital Envelope Technique
  • as do 100s of other hybrid cryptosystems such as
    IPSEC, TLS/SSL, S/MIME, Microsoft encrypting file
    system,
  • compress the plaintext to remove redundancy
  • makes cryptanalysis harder and compensates for
    crypto overhead
  • on-line crypto such as TLS or IPSEC can't
    usefully do this
  • encrypt the plaintext using a symmetric key block
    cipher
  • using a new, random key with a new, random
    initialization vector
  • Hash the plaintext; sign that with your private
    key
  • encrypt the block key to each recipient's public
    key
  • don't forget to include yourself as a recipient
  • and your organization's additional data recovery
    key
  • Recipient:
  • uses his private key to recover his copy of the
    block key
  • uses the block key to recover the plaintext
  • uses your public key to validate the message hash
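
The sender and recipient steps listed above, as an added example that is not part of the original slides. It uses the `openssl` command line in place of PGP so that each step is a separate command; the file names and the `envelope_demo` function are made up, and the signature is placed inside the encrypted body, as OpenPGP does.

```shell
# Added example, not from the original slides: the envelope steps carried out
# with the openssl CLI (a stand-in for PGP; the file layout here is made up).
# Assumes openssl, tar, gzip and mktemp are installed.

# envelope_demo: run sender and recipient in a scratch directory and print
# the plaintext the recipient recovers, but only if the signature verifies.
envelope_demo() (
  set -e
  umask 077
  d=$(mktemp -d)
  trap 'rm -rf "$d"' EXIT
  cd "$d"

  # Throwaway long-term RSA key pairs for the two parties.
  for who in sender recipient; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$who.key" 2>/dev/null
    openssl pkey -in "$who.key" -pubout -out "$who.pub"
  done
  printf 'how now brown cow\n' > msg

  # Sender: hash the plaintext and sign the hash with the private key.
  openssl dgst -sha256 -sign sender.key -out msg.sig msg
  # Sender: a new random block key and IV, used for this message only.
  openssl rand -hex 32 > block.key
  iv=$(openssl rand -hex 16)
  # Sender: compress, then encrypt with the symmetric block cipher.
  # (-K on the command line is visible in the process list: demo only.)
  tar -cf - msg msg.sig | gzip -c |
    openssl enc -aes-256-cbc -K "$(cat block.key)" -iv "$iv" -out body.enc
  # Sender: encrypt the block key to each recipient, including yourself.
  for who in recipient sender; do
    openssl pkeyutl -encrypt -pubin -inkey "$who.pub" \
      -pkeyopt rsa_padding_mode:oaep -in block.key -out "block.key.$who"
  done
  rm -f block.key msg msg.sig

  # Recipient: recover the block key, then the plaintext, then check the hash.
  mkdir rcpt
  cd rcpt
  k=$(openssl pkeyutl -decrypt -inkey ../recipient.key \
        -pkeyopt rsa_padding_mode:oaep -in ../block.key.recipient)
  openssl enc -d -aes-256-cbc -K "$k" -iv "$iv" -in ../body.enc |
    gzip -dc | tar -xf -
  openssl dgst -sha256 -verify ../sender.pub -signature msg.sig msg >/dev/null &&
    cat msg
)
```

Only the short block key goes through the slow public-key operation, once per recipient; the body is encrypted once no matter how many recipients there are.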

33
If the crypto is excellent, why isn't the privacy?
  • rootkits, keystroke loggers, and other intrusions
  • FBI bugged Philadelphia mafia figure Nicodemo
    Scarfo in 1999
  • rubber hose cryptography attack
  • civilian version: police serve a court order
  • why your signing key is different from your
    encryption key
  • how careful is the private key handling?
  • 20 characters of english text as passphrase = 26
    bits of entropy
  • Secret Service uses grid computing for cracking
    passphrases
  • how trustworthy is the user?
  • can you believe his signature?
  • some people are sloppy about key signing
  • some people are sloppy about host security
  • non repudiation: can you also believe his clock?
  • any backdoors in the software or hardware?
  • NSA, Clipper chips, skipjack, and key-escrow

34
key lengths: state of the (public) break
35
Decisions, decisions
  • RSA versus DH/DSA?
  • the 1024 bit signing key for DH/DSA is getting
    too short
  • legacy/version 3 versus new/version 4?
  • you want the encryption subkey to be separate
  • expiration date? (none, or 1-5 years)
  • depends on the purpose
  • if it doesn't expire, you have to revoke it
  • impossible if you lost the private key or the
    passphrase
  • if it does expire, you have to get new signatures
  • default, preferred block algorithm? (CAST-128)
  • older clients lack AES, while GPG lacks IDEA
  • how many bits in the keys?
  • 1024 public / 128 symmetric OK for now (RSA or
    DH/DSA)
  • 2048 public / 256 symmetric better through 2015
    (RSA only)
  • >2048 breaks older clients, and imposes excessive
    overhead

36
how not to bootstrap
  • C:\install\gnupg>"C:\Program Files\gnu\GnuPG\gpg.exe"
    --verify gnupg-w32cli-1.4.2.exe.sig
  • gpg: keyring `C:/Documents and Settings/jiml/Application
    Data/gnupg\pubring.gpg' created
  • gpg: Signature made 07/26/05 14:44:28 using DSA
    key ID 57548DCD
  • gpg: Can't check signature: public key not found
  • GPG is available for windows
  • default locations may not be what you want
  • bootstrap process
  • (so-so) get PGP or GPG from a trusted source and
    verify the SHA1 checksum
  • (good) use an existing PGP or GPG and known key
    to validate it
  • Knoppix live Linux includes GPG, so any PC can
    help do this

37
Outline
  • Whirlwind tour of PGP and GPG use
  • About PGP
  • Keys and Trust
  • Platforms, Future trends, URLs

38
about the web of trust
  • PGP authentication is based on chains of personal
    acquaintance
  • Alice signs Bob's key, who signs Charlie's, who
    signs Deborah's,
  • keyservers merge signature chains when keys are
    repeatedly uploaded
  • how much faith do you put in signatures from
    people you don't know?
  • some UW folk are cavalier about what keys they
    sign
  • statistics this month:
  • about 2 million keys on the keyservers
  • mostly abandoned
  • about 200,000 with a 3rd party signature
  • about 29,000 in the largest clique (strong set)
  • average trust path length is about 5 signatures
  • wikipedia has some good links

39
web of trust: beware!
  • this search screenshot shows one real key, and
    many fake ones
  • the expanded fake has signatures from other fake
    keys
  • you really do have to know the signers before you
    can trust them

40
exploring the web of trust
  • extremely tedious by hand, so use a tool
  • see http://en.wikipedia.org/wiki/Web_of_trust
  • who does what where changes over time
  • Two current examples (Fall 2005)
  • text paths from
  • http://www.cs.uu.nl/people/henkp/henkp/pgp/
  • graphical paths from
  • http://www.lysator.liu.se/jc/wotsap/index.html

41
handling your key
  • generate it on the console of a secure machine
  • if you do it remotely the entropy usually sucks
  • protect the private key with a strong passphrase
  • don't use the passphrase in public
  • possible exception: machine to machine
    application communication, e.g. ssh pubkey
  • avoid exposing the private key to the world
  • keep your secret keyring off multiuser hosts, and
    behind a firewall
  • if you need to transport it, encrypt it first
  • encrypted filesystems are good
  • USB fobs are better than laptop hard disks
    (physical security matters)
  • keep medium security keys on physically isolated
    hosts
  • e.g. a UW certificate-signing certificate, or
    CERT ns-master
  • never connected to a network; signing is by
    sneakernet only
  • high security keys: add splitting protocols
  • e.g. Verisign's root keys

42
using multiple keyrings
  • both PGP and GPG let you change keyrings
  • created automatically on first use
  • two files, private and public
  • useful for R&D, keysigning parties, etc.
  • gpg has many ways
  • on the command line
  • by environment variable
  • via the config file
  • examples:
  • gpg --homedir XXX
  • GNUPGHOME=XXX
  • export GNUPGHOME

43
key signing responsibilities
  • Don't sign a key locally until
  • you have evidence the fingerprint and owner are
    right
  • nothing bad happens if you have a good signature
    from an untrusted key
  • typical methods of building trust
  • signed by people you trust as introducers
  • phone the owner
  • find it on his web site plus the keyservers
  • without extraneous keys
  • observe it signing e-mail without repudiation for
    a few months
  • Never sign a key for export until
  • you have personally verified the fingerprint with
    the owner
  • and you have verified the identity of the owner
  • this can be by phone if you already know them
    well
  • normally in person, with 2 forms of good picture
    ID
  • e.g. passport
  • hence the popularity of PGP key-signing parties

44
key signing parties
  • a group of people get together to improve the web
    of trust
  • often a conference BOF (especially Debian)
  • there are FAQs and SOPs on various methods
  • simplest has participants bring name and fingerprint
  • exchange these, verify identity, each participant
    reads his fingerprint
  • business cards work well for this
  • too slow for large parties
  • prep those with a pre-party keyring and xeroxed
    copies of a signed hash of all the key
    fingerprints
  • some protocols can handle participants without
    keys
  • based on secret phrases exchanged at the party
  • the party is about identity and fingerprints
  • signing the keys is usually a later, private
    operation
  • too slow and too insecure to do it during the
    party
  • try to turn them around in less than a week
45
key signing mechanics (post-party)
  • obtain the public key
  • from keyserver, e-mail, web site,
  • verify the fingerprint from the key signing party
  • add your signature
  • PGP: right click, pick sign / gpg --edit-key,
    sign
  • export the updated key
  • PGP: select, right click, export / gpg --export
  • encrypt it to itself, ascii-armored
  • e-mail the resulting .ASC file back to the owner
  • the owner decrypts it, imports it, and uploads to
    his favorite keyservers

46
key servers
  • keyserver.pgp.com is an island
  • doesn't share with other keyservers
  • as of v9, adds machine-generated e-mail
    validation signatures
  • these are not part of the web of trust
  • they do mean a key owner responded at that e-mail
    address
  • web of trust servers communicate
  • hkp:// (Horowitz Keyserver Protocol on port
    11371)
  • wwwkeys.pgp.net
  • pgp.mit.edu
  • supports various protocols (http, hkp, ...)
  • runs older code (no pictures, no deletion, ...)
  • can do it by hand via various web interfaces
  • pgp, mit, or google "pgp keyserver"

47
key upload advice
  • keyservers have lots of junk keys
  • deleting keys is hard to impossible
  • two main problems
  • lost passphrase, can't recover private key
  • lost the entire private key (e.g. sole hard drive
    crashed)
  • don't upload a key for about 4 months
  • it may take a few tries generating keys before
    you like the results
  • you may not turn out to send lots of stuff to
    large mailing lists
  • for a handful of correspondents, just e-mail them
    your public key
  • for "never expires" keys, you should
  • generate an (ASCII) revocation first
  • print that out, and stick that in your safety
    deposit box
  • PGP and GPG can both send via hkp://
  • another way is ASCII export to a file, then web
    upload

48
Outline
  • Whirlwind tour of PGP and GPG use
  • About PGP
  • Keys and Trust
  • Platforms, Future trends, URLs

49
PGP versus GPG
  • commercial PGP
  • pro
  • capabilities: PGP (with IDEA cipher), S/MIME
  • GUI interfaces
  • commercial client plugins
  • Microsoft Outlook, Lotus Notes, Mozilla
    Thunderbird, Mac mail.app, various IM clients
  • con
  • limited platforms: 32-bit windows, recent Mac
    OS X
  • hard core users hate the lack of control in the
    v9 interface
  • expensive to distribute widely
  • what heavy e-mail users and CSIRT teams need
  • both for plug-in ease of use and for legacy PGP
    interoperability
  • GnuPG
  • pro
  • many platforms: windows, Mac OS X, most Unix
    (bundled with Linux and BSD)
  • free; source can be audited
  • con
  • GUI interfaces are still in beta
  • lacks IDEA; S/MIME still experimental

50
PGP and GPG version interoperability
  • Interoperability is good with recent versions
  • GPG > 1.2 (1.4 is current)
  • PGP > 7 (9 is current)
  • for older versions, your mileage will vary
  • verifying signatures usually works
  • especially from older signers to newer verifiers
  • decryption often works (but IDEA is a problem for
    GPG)
  • there are many potential incompatibilities even
    within PGP
  • many versions changed message formats or key
    formats
  • older clients have key size and cipher
    limitations
  • archaic clients choke if a v3 key bears a DSA
    signature
  • but why are you trusting crypto code over two
    years old?
  • sharing keys works
  • importing PGP private keys into GPG works well
  • the other direction may be harder
  • import/export of public keys back and forth is
    easy

51
future developments
  • eventually GnuPG 2.0 will include S/MIME support
  • NIST will
  • convene a conference next month on better hash
    functions
  • update DSS to allow SHA-256 (PGP and GPG will rev
    to match)
  • Everyone will add elliptic curve support by 2010
    (patents permitting)
  • crypto hardware is becoming common
  • US banks have to move to 2-factor authentication
    by 2007
  • crypto acceleration becoming common in CPUs
  • private keys may be stored in a trusted module
  • beware of vendors offering treacherous computing
    DMCA etc.
  • PKI may finally arrive
  • Web of trust is too hard for ordinary mortals?
  • Wisconsin DOA will deploy S/MIME to state
    agencies
  • standardizing on outlook client, oracle mail and
    calendar server
  • via a Secure Message Gateway appliance
    (Tumbleweed)
  • UW-Madison is piloting S/MIME now

52
sites and sources
  • www.pgp.com
  • commercial PGP
  • www.gnupg.org
  • GPG handbook
  • note macgpg.sourceforge.net
  • http://en.wikipedia.org/wiki/Web_of_trust
  • has good links to path finding tools and strong
    set analysis
  • http://csrc.nist.gov/crytpval/
  • FIPS 180-2 secure hash standard
  • sha-1, sha-224, sha-256, sha-384, sha-512
  • FIPS 186-2 Digital Signature Standard
  • (DSA, RSA, ECDSA algorithms)
  • FIPS 197, Advanced Encryption Standard
  • http://www.rsasecurity.com/rsalabs/
  • excellent background information on cryptography
  • RFCs
  • 2015 OpenPGP-MIME (but client support is still
    dicey)
  • 2440 OpenPGP
  • Books