Transcript CSCI 530L Public Key Infrastructure

CSCI 530L
Public Key Infrastructure
Who are we talking to?

Problem: We receive an e-mail. How do we
know who it’s from?

E-Mail address


E-Mail Header



Can be spoofed easily
Most of it can be spoofed, but not all of it
Pain to go through all the information
Call the person, and ask them if they sent it

If you received the e-mail at 3:00 PM PDT, and the
guy is in India, it’s 3:00 AM there.
Solution

We should have a way of verifying, in the email, who it is really from

Digital Signature




Uniquely verifies that a sender has sent the document,
similar to a real signature
Takes a hash of the message – digest
Encrypts the digest using the private key
Anyone who reads the e-mail can see the signature,
decrypt it using the public key, and if the digest
matches the message, then this user sent the
message
Another problem

How do you know who owns this public key?
It’s just floating around on the web!!!


If you know that person, you could ask him to
come over to you and read off his public key ID
If you know person “A” who has verified that this
public key belongs to person “B”, and you know
and trust person “A”, then by association, you can
trust the public key of person “B”


“Web of Trust”
This is the idea behind PGP
PGP – Pretty Good Privacy


Today, the standard is OpenPGP
Uses the concept of public key cryptosystem in
which one key is public and one key is private.



Uses the private key for encryption and digital signatures
Publish the public key to a Keyserver
 Example: pgp.mit.edu
Can view and obtain other people’s public keys from the
keyserver
 If you know that the key does belong to that particular
person, you can sign the key, stating “I trust that person”
 If your friend trusts you, then he will sign your key, and see
who else signed your key and who’s key you have signed,
creating this web of trust
Drawbacks to PGP

You have to rely upon your trust of someone
else to verify


No real central authority
If Harry decides to turn rogue, then everyone
who trusted Harry or who is trusted by Harry
will start to not trust people, breaking the web
of trust
Lab Assignment



We are going to use the implementation called
GnuPG, or Gnu Privacy Guard, along with the
Mozilla Thunderbird Extension “Enigmail”
You will have to create a PGP key, and upload your
public key to the pgp.mit.edu keyserver
You will have to sign my public key that is posted


I have many posted, but I specify which one I want you to
sign
You will have to send me a digitally signed e-mail to
demonstrate that everything is set up.
Lab Assignment Continued

We want you do to this on your home or
primary machine, so there will be no formal
lab sessions this week


This lab is due by 9/15/06 3:30 PM PDT for
everyone
There are questions that must be answered. Email these TO YOUR LAB ASSISTANT ONLY, but
send the signed e-mail to
[email protected]