
Encrypted Email and Community Webs of Trust


David Huerta - CryptoParty Phoenix

Photo credit: Whitney Museum

Obligatory Bio Slide!

CryptoPartying since 2012 (before it was cool)
Self Employed
Also from PHX!
Fan of burgers and the American way
Trade: Photog skills for Mr. Robot* skillz?
@huertanix
*mr. robot sux

Are you sure you need PGP?

Alternatives to PGP

Signal

Peerio*

Wickr

Ricochet

Photo credit: Open Whisper Systems

PGP (BY ITSELF) IS NOT ANONYMOUS!

Photo credit: Gloving Light

Email

Photo credit: Kate Beaton

Email: How old? 1971.

Hella metadata

from address

ALL to addresses

subject line (!!!)

headers

timestamps

Email is spoofable

Email Headers
Delivered-To: huertanix@gmail.com
Received: by 10.176.6.101 with SMTP id f92csp2394918uaf;
Tue, 22 Nov 2016 09:27:42 -0800 (PST)
X-Received: by 10.28.15.138 with SMTP id 132mr3393427wmp.41.1479835662819;
Tue, 22 Nov 2016 09:27:42 -0800 (PST)
Return-Path: <chiron.hypatia@gmail.com>
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com. [2a00:1450:400c:c09::22b])
by mx.google.com with ESMTPS id b5si18858903wjw.261.2016.11.22.09.27.42
for <huertanix@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Tue, 22 Nov 2016 09:27:42 -0800 (PST)
Received-SPF: pass (google.com: domain of chiron.hypatia@gmail.com designates 2a00:1450:400c:c09::22b as permitted
sender) client-ip=2a00:1450:400c:c09::22b;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com;
spf=pass (google.com: domain of chiron.hypatia@gmail.com designates 2a00:1450:400c:c09::22b as permitted sender)
smtp.mailfrom=chiron.hypatia@gmail.com;
dmarc=pass (p=NONE dis=NONE) header.from=gmail.com
Received: by mail-wm0-x22b.google.com with SMTP id f82so1577wmf.1
for <huertanix@gmail.com>; Tue, 22 Nov 2016 09:27:42 -0800 (PST)
X-Received: by 10.28.58.14 with SMTP id h14mr3527970wma.7.1479835661965; Tue, 22 Nov 2016 09:27:41 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.1.202 with HTTP; Tue, 22 Nov 2016 09:27:40 -0800 (PST)
In-Reply-To: <20161122163215.6245C1421AD@theochino.com>
References: <20161122163215.6245C1421AD@theochino.com>
From: Cassandra Dunlop <chiron.hypatia@gmail.com>
Date: Tue, 22 Nov 2016 12:27:40 -0500
Message-ID: <CAD9k8LnrrnEV_5hyPf-KmbH+unD1qjGdtx2mOi+ejnB5XL3R-A@mail.gmail.com>
Subject: Fwd: #NYCPrivacy : 4th Meeting Agenda - 11/22/2016 - 7 pm
To: David Huerta <huertanix@gmail.com>
Content-Type: multipart/mixed; boundary=001a1148f6f2f56b040541e716b2
--001a1148f6f2f56b040541e716b2
Content-Type: multipart/alternative; boundary=001a1148f6f2f56aff0541e716b0
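The header block above is the "hella metadata" point made concrete. The following is an added example (not code from the slides or their author): it feeds a trimmed copy of those headers, with a constructed stand-in PGP-armored body, through Python's standard `email` library and lists what every relay and the receiving provider can read even when the body itself is encrypted. The `Received` chain, `Subject`, sender and recipient addresses, and the timezone offset in `Date` are all in the clear; the SPF/DKIM/DMARC results only tell you which domain relayed the message, not who wrote it.

```python
"""Added example, not from the slides: list the envelope metadata that PGP leaves
in plaintext, using Python's standard email parser on the headers shown above."""
import email
import re
from email import policy

# Constructed sample input: a trimmed copy of the headers from the slides plus a
# stand-in PGP-armored body, so the "encrypted body, plaintext envelope" split is visible.
RAW_MESSAGE = """\
Delivered-To: huertanix@gmail.com
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com. [2a00:1450:400c:c09::22b])
        by mx.google.com with ESMTPS id b5si18858903wjw.261.2016.11.22.09.27.42
        for <huertanix@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 22 Nov 2016 09:27:42 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com;
       spf=pass (google.com: domain of chiron.hypatia@gmail.com designates 2a00:1450:400c:c09::22b as permitted sender) smtp.mailfrom=chiron.hypatia@gmail.com;
       dmarc=pass (p=NONE dis=NONE) header.from=gmail.com
Received: by mail-wm0-x22b.google.com with SMTP id f82so1577wmf.1
        for <huertanix@gmail.com>; Tue, 22 Nov 2016 09:27:42 -0800 (PST)
From: Cassandra Dunlop <chiron.hypatia@gmail.com>
Date: Tue, 22 Nov 2016 12:27:40 -0500
Subject: Fwd: #NYCPrivacy : 4th Meeting Agenda - 11/22/2016 - 7 pm
To: David Huerta <huertanix@gmail.com>
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
(ciphertext would go here; only this part is protected by PGP)
-----END PGP MESSAGE-----
"""

AUTH_RE = re.compile(r"\b(dkim|spf|dmarc)=(\w+)")


def metadata_summary(raw: str) -> dict:
    """Return the envelope metadata PGP does not hide, plus whether the body is armored."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Each relay prepends its own Received header, so the first one is the final hop.
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    auth_raw = " ".join(str(msg["Authentication-Results"] or "").split())
    auth = dict(AUTH_RE.findall(auth_raw))
    body = msg.get_payload()
    return {
        "from": msg["From"].addresses[0].addr_spec,
        "to": [a.addr_spec for a in msg["To"].addresses],
        "subject": str(msg["Subject"]),  # plaintext even with PGP/MIME
        "sent_at": msg["Date"].datetime.isoformat(),
        "sender_utc_offset": msg["Date"].datetime.strftime("%z"),  # hints at the sender's timezone
        "hops": hops,
        "auth": auth,  # spf/dkim/dmarc say which domain relayed it, not who wrote it
        "body_is_pgp": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
    }


if __name__ == "__main__":
    for key, value in metadata_summary(RAW_MESSAGE).items():
        print(f"{key:>18}: {value}")
```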

PGP
Photo credit: Phil Zimmermann

PGP Prereqs

Software

Mac OS X: GPGTools

Windows: GPG4Win

Android: K9 Mail

Optional: Hardware (!) Keys

Yubikey

Nitrokey?

Public and Private Keys

Based on cool math trix from the 70s

Public Key == Lockbox and Private Key == Private Key

Give away lockboxes, never share private key, not even to your Bae/Government/Keybase

Can also sign messages by creating a mathematical proof that can be verified by anyone with your public key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.5
Comment: Hostname: pgp.mit.edu

tl;dr

Fingerprints, Key IDs

PGP public keys are yuge compared to modern, ECC-based counterparts (Minilock)

Hashing creates a practically unique identifier for a key, called a fingerprint

A shorter 32-bit Key ID is used for identifying keys but IS NO LONGER reliably unique, because advances in GPU technology make it cheap to generate a key with any chosen 32-bit ID

1482 F3BF 3F16 6BD4 3525 D55E 35D7 26BD AE09 F328
Fingerprint (all 160 bits)

1482 F3BF 3F16 6BD4 3525 D55E 35D7 26BD AE09 F328
32-Bit Key ID (the last 8 hex digits: AE09 F328)

1482 F3BF 3F16 6BD4 3525 D55E 35D7 26BD AE09 F328
64-Bit Key ID (the last 16 hex digits: 35D7 26BD AE09 F328)
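The fingerprint and key ID slides above are easier to trust once you see where the numbers come from. The following is an added example (not code from the slides or their author): it derives the 64-bit and 32-bit key IDs from the slide's own fingerprint (they are simply the low-order bits), compares full fingerprints the way a keysigning check should, and computes a version 4 fingerprint from a public-key packet body exactly as RFC 4880 section 12.2 specifies (SHA-1 over 0x99, a two-byte length, and the packet body). The RSA modulus, exponent and creation time it feeds in are constructed placeholders, not a real key; the fingerprint procedure only cares about the encoded bytes.

```python
"""Added example, not from the slides: key IDs from a V4 fingerprint, and a V4
fingerprint from a public-key packet body per RFC 4880 (sections 3.2, 5.5.2, 12.2)."""
import hashlib
import struct

SLIDE_FINGERPRINT = "1482 F3BF 3F16 6BD4 3525 D55E 35D7 26BD AE09 F328"  # from the slides


def normalize_fingerprint(fp: str) -> str:
    """Drop grouping spaces and uppercase; reject anything that is not 160 bits of hex."""
    digits = "".join(fp.split()).upper()
    if len(digits) != 40 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a V4 (SHA-1) fingerprint")
    return digits


def long_key_id(fp: str) -> str:
    """64-bit key ID: the low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return normalize_fingerprint(fp)[-16:]


def short_key_id(fp: str) -> str:
    """32-bit key ID: the low-order 32 bits (last 8 hex digits); only 2**32 values exist."""
    return normalize_fingerprint(fp)[-8:]


def fingerprints_match(shown: str, expected: str) -> bool:
    """Keysigning check: compare the full fingerprint, never a short or long key ID."""
    return normalize_fingerprint(shown) == normalize_fingerprint(expected)


def mpi(n: int) -> bytes:
    """RFC 4880 section 3.2 multiprecision integer: 2-byte bit length, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2):
    version byte 4, 4-byte creation time, algorithm 1 (RSA), then the MPIs n and e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    prefix = bytes([0x99]) + struct.pack(">H", len(packet_body))
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()


# Constructed key material: an arbitrary 2048-bit odd number, NOT a real RSA modulus.
DEMO_N = (1 << 2047) | 0xC0FFEE
DEMO_E = 65537
DEMO_CREATED = 1479835662  # constructed creation timestamp (seconds since the epoch)


def demo_fingerprint() -> str:
    """Fingerprint of the constructed demo key; deterministic for the constants above."""
    return v4_fingerprint(v4_rsa_public_key_body(DEMO_CREATED, DEMO_N, DEMO_E))


if __name__ == "__main__":
    fp = demo_fingerprint()
    print("fingerprint :", fp)
    print("64-bit keyid:", long_key_id(fp))
    print("32-bit keyid:", short_key_id(fp))
    print("slide fingerprint, spaced vs. lowercase:",
          fingerprints_match(SLIDE_FINGERPRINT.lower(), SLIDE_FINGERPRINT))
```

Because a short key ID is only the last 32 bits of a SHA-1 output, a keyserver lookup by short ID can return several unrelated keys; `fingerprints_match` is the check to run against what the other person reads to you at a CryptoParty, and it deliberately refuses anything shorter than the full 40 hex digits.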

Arrreee youuuu readyyyyyyy???

Photo credit: DealNews.com

Mac OS X

Windows

brb

Parting Notes

Hardcore threat model security protips for PGP from The Grugq: https://gist.github.com/grugq/03167bed45e774551155

Questions? Comments?
huertanix@nycresistor.com

My PGP Fingerprint: 1482 F3BF 3F16 6BD4 3525 D55E 35D7 26BD AE09 F328