to hide away details from prying eyes. Pretty Good Privacy (PGP) utilizes many

Transcription

1 In the world of secure , there are many options from which to choose from to hide away details from prying eyes. Pretty Good Privacy (PGP) utilizes many cryptographical concepts to achieve a supposedly unbreakable system. What makes PGP so secure though? There are few parts that go into creating PGP encryptions: public/private key pairs, one-way hash functions, and a trust system called web of trust. Similarly, Secure/Multipurpose Internet Mail Extensions (S/MIME) is another form of encryption commonly used throughout the world. S/MIME utilizes certificates in order to exchange information securely, with the goal being end-to-end security rather than total security. Lastly, one may choose to utilize a DomainKeys Identified Mail system to ensure non-repudiation, and to try and protect against spam/unwanted messages. First we look at PGP. In the tests that were run for this, GPGTools, software that is compliant with PGP standards and made specifically for integration with a Mac s Mail.app program. After installing said software, it prompts for an and a size of key desired. The normal setting is at 2048 for key length, with a more secure option at 4096, and a less secure option of These settings change how strong the RSA encryption algorithm will have to work in order to produce the public/private key pairs, but do not affect the length of encrypted messages or anything else for that matter. What it does afterwards is upload the public key to a server where others can look your key up via the you provided, and send you encrypted messages by encrypting with the public key. With PGP, you can send encrypted messages, encrypted messages that are signed, or just simply signed messages. From within Mail.app, the s sent and received from

2 friends appear normal, but looking through an web client, the s appear as jumbled up alphanumeric characters (see last page for example message). The advantage to using PGP for security here is that even if you send the exact same message more than once, the encryption will come out different every time, as part of the encryption algorithm for PGP has a random key generator, which is then encrypted with the public key and sent along side the encrypted data being sent. Something unique about PGP is that the system does not use conventional certificate authorities to validate everyone is who they say they are. Instead, signatures play a huge role in identifying those that can or should not be trusted. If someone wanted to be added into someone else s key ring, and subsequently become a trusted person, a simple way of doing that is to prove your identity to a trusted person and have them sign your public key. This is basically saying that someone else vouches for your identity and that they trust you to not be harmful to the overall efforts of secrecy in a group. One question that could come up here though would be the reliability of signatures, and whether or not they can be forged or copied from one message to another to claim to be someone else. Thankfully though, signatures are impossible to forge without already knowing the private key because signing a message involves the private key and is verified by using the public key to decrypt, which is true in both PGP and S/MIME. Next up is S/MIME, a deceptively simpler way of encrypting messages. Under S/MIME, authentication, integrity, non-repudiation, and security are provided much like in PGP. Authentication is provided via the certificates that are essential to S/MIME, non-

3 repudiation and integrity via signatures, and security with encryption. The difference between S/MIME and PGP is that they use different encryption algorithms and hashes to achieve a similar goal. With S/MIME, one has to first acquire and install certificates for themselves and then for every other person that they wish to communicate with. These can either be temporary certificates that are usually free, or must be bought from a trusted certificate authority for durations of time. This introduces the idea of rogue certificate agencies though, as someone or some group could then try and clone certificates to gain access to otherwise secured s. PGP circumvents this mostly via its web of trust, but here in S/MIME it is a serious issue. Thankfully, with S/MIME, it is easy to stop a certificate from working if it is compromised, as a legitimate certificate authority can shut down a rogue certificate via revocation. There are also two different kinds of certificates that one could obtain to be used with S/MIME: the first kind only ensuring non-repudiation where the sender can be identified, and the second where the sender s company name and more can be verified. Lastly there is DKIM, which is the simplest to understand, but also the easiest to break down from the research that was done. It encapsulates a message with a signature not by either of the sending or receiving parties, but by a third party that verifies the identity of the sender and the receiver. The lengths used for DKIM tend to be 512 bits, but again, the bigger the size, the more security it offers. In using this form of encryption, the message is given a signature by a signer, and then verified on the other side by a verifier which looks up and finds the senders public key. DKIM was first used in order to

4 combat spam messages in s, as changing the from address field can be done with relative ease. Because of the growing capacity of computers, it is becoming more and more important to have bigger key sizes for encryption purposes. The most common minimum requirement for all of the protocols is 1024 bits. This is because at current computing speeds, it would take a relatively impractical amount of time to factor the key and use it to read the information. For most of the protocols, the normal option used keys of size 2048, and for the highly paranoid, keys of size Over all, the protocols discussed are simple to use with modern clients. Although they might not necessarily be usable for web-clients, that sacrifice allows for another layer of security as the physical device which holds the certificates and public/private key pairs needs to be possessed to enable forgery or snooping.

5 -----BEGIN PGP MESSAGE----- Version: GnuPG/MacGPG2 v (Darwin) hqemay2+gd2ag+vcaqf/q8d84maoksllijz5kq1oc2fngiltdk66f2+iz23tkmts BE36wNWjYu/kfsxM/pzFidFbbAqzkuQES3qHPoxHeMvt2yx8hVpRUEzEm0JY6kvg XHcBA4IHQbXjK2CHw0SxkF2H+iy9OonwzC4sbSJurZYW1Kr+rh9gI/wo8KMlXK5u nldyg/r3iiuqyig/jkkmke0nilbtkkzrodqvaniwym1tpf4t7wvtls5vyxziobsa HPKnT0FeU5qgQ1fzWDDTmqUNvhUJtlXSPv5Qc/ULsOlCO91nx9EYc1bLyAKkx8R w asaf3ybilrficdj0xbknsn5oxjvy5aqd5imkvgpjdiubdammnb6dxk5nugeh/rfx whhxvau6mabnj3xuyh7w/umrwlbhviw4mz+xzlycd82luqagroiumbzooe2 GoR4O PnLVTVGQpL72qvjPgXxUoEF5bgDw/hf9RZ5/qAJ9osGQk2+o8WtOroLFjnVxCJlP ulcb1s4lpxd3h+guzjgxr1+jyrruaipm0f9qkcrmj7atyshtbvsysrovrs4z8rjz KdHCiWSsxalkT3FoaKwGESaE3d9Dv4ZjCQivI5xqx9qgvU4/B1v+fTLfK/BAwWL5 QsD1+ilVEDUmLSYBpxSWfjotUzt03/6e2m176cnZYb6UoYFMbPxTIEpCwOkUR5R7 ond0jfreh94fjsnz1glswaqb9kzhksk5f8vfvd8u8u8mqa96u3szqbbz/rih8bq7 kx0gb232/abjqtiwb20w9uqghvzzsnevcwkxextkg5pmvl+vwpidaqbpge55ma VH N2GsrurRgG/7C83uTxEsbxl3b1iif+J4ORcnZVSTb+fXi+CAse+1/OvFt8FN+NAI nwqxsrsocvzo39odqn4s3wmn7czrwn+ri213hrpk3nwjzvz0q5v0pxwhowm4gio A VyPaK8YGbLrxQb8MPROr5QJL4yzP =gg END PGP MESSAGE----- Which translates to: Dear Christian, This is a test of PGP encryption via GPG for mac, Chris