1 / 8

CSCI 530L

CSCI 530L. Public Key Infrastructure. Who are we talking to?. Problem: We receive an e-mail. How do we know who it’s from? E-Mail address Can be spoofed easily E-Mail Header Most of it can be spoofed, but not all of it Pain to go through all the information

vlad
Download Presentation

CSCI 530L

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSCI 530L Public Key Infrastructure

  2. Who are we talking to? • Problem: We receive an e-mail. How do we know who it’s from? • E-Mail address • Can be spoofed easily • E-Mail Header • Most of it can be spoofed, but not all of it • Pain to go through all the information • Call the person, and ask them if they sent it • If you received the e-mail at 3:00 PM PDT, and the guy is in India, it’s 3:00 AM there.

  3. Solution • We should have a way of verifying, in the e-mail, who it is really from • Digital Signature • Uniquely verifies that a sender has sent the document, similar to a real signature • Takes a hash of the message – digest • Encrypts the digest using the private key • Anyone who reads the e-mail can see the signature, decrypt it using the public key, and if the digest matches the message, then this user sent the message

  4. Another problem • How do you know who owns this public key? It’s just floating around on the web!!! • If you know that person, you could ask him to come over to you and read off his public key ID • If you know person “A” who has verified that this public key belongs to person “B”, and you know and trust person “A”, then by association, you can trust the public key of person “B” • “Web of Trust” • This is the idea behind PGP

  5. PGP – Pretty Good Privacy • Today, the standard is OpenPGP • Uses the concept of public key cryptosystem in which one key is public and one key is private. • Uses the private key for encryption and digital signatures • Publish the public key to a Keyserver • Example: pgp.mit.edu • Can view and obtain other people’s public keys from the keyserver • If you know that the key does belong to that particular person, you can sign the key, stating “I trust that person” • If your friend trusts you, then he will sign your key, and see who else signed your key and who’s key you have signed, creating this web of trust

  6. Drawbacks to PGP • You have to rely upon your trust of someone else to verify • No real central authority • If Harry decides to turn rogue, then everyone who trusted Harry or who is trusted by Harry will start to not trust people, breaking the web of trust

  7. Lab Assignment • We are going to use the implementation called GnuPG, or Gnu Privacy Guard, along with the Mozilla Thunderbird Extension “Enigmail” • You will have to create a PGP key, and upload your public key to the pgp.mit.edu keyserver • You will have to sign my public key that is posted • I have many posted, but I specify which one I want you to sign • You will have to send me a digitally signed e-mail to demonstrate that everything is set up.

  8. Lab Assignment Continued • We want you do to this on your home or primary machine, so there will be no formal lab sessions this week • This lab is due by 9/15/06 3:30 PM PDT for everyone • There are questions that must be answered. E-mail these TO YOUR LAB ASSISTANT ONLY, but send the signed e-mail to joseph.greenfield@usc.edu

More Related