Bestand wählen

What is this PGP thing, and how can I use it?

Zitierlink des Filmsegments
Embed Code

Automatisierte Medienanalyse

Erkannte Entitäten
the the and the and the 1st I also thank you again and my name is Gayle Thompson and
I were a couple of have with missing here
the sketch and co-organize keep
we are here to find the answers to the question
what is the UP thing and how can I use it you can find me on the Internet here just about any
and I saw a lot of
that that you speak is lives have the software the really using today so if you can copy on your disk and then pass that key along to somebody else and it also has my public key on there so if you copy with listings on your desk will get to them later this is going to the slides because this form doesn't make it very clear that's 0 and so I'm not going to be parsing too much in this presentation do I don't I want to go back and forth to show some of the commands were to run all the commands were in the slide the unit to go and grab those if you are interested in if you
are you like of PGP pro or if you are more edges in the command line or if after this you're interested in learning more about PGP in general I wrote an extensive blog post about a year ago now that details just about everything I know about all this stuff it uses the command line tools rather than the the the gooey tool that were using to the but all the same concepts apply and it's it does a lot of really good job of explaining the why you're doing any of these things as well as other so I will be using a program called GPG tools to actually a
suite of programs from you can download those from the internet at GPG tools . org or they're on the USP that I've given so this is a model of them that's about the
so because the security software we actually have to verify that the packages the crack package
and Mason made the joke that let this be the last package that you don't verify that we we are going to verify so if you have a trusted PGP version then what you can do is
download the GPG signature from GVG tools right here download the key
from here the imported in the GPG tools or into your favourite
GPG Programme PGP implementation and then you can verify the fingerprint of the public key
here and run this command on the command line to actually make sure that you
have the software they expect to have probably those you didn't already have a GPG implantation your
computer so we're instead going to verify the shot of the back so I've given you
something and they could very well be malicious and it could be I could have given you the wrong piece of software accidently I didn't install from that binary myself and so what we're going to do is check it against the shot that GPG tools . org says that says the problem so sure some just is the simplest way to verify that the file that you're looking at is there file that somebody wanted you to have c can be sure that the person Y knew about the piece of software is the same person is lying the on the internet on on the website the downloaded from and maybe that person lying to you is actually a developer so this is the command that you're gonna run to make the to verify the package and its can output a number you want to make sure that the number matches up to this 1 the so once you're satisfied that
you have the right piece of software Enceladus like you would normally and there's nothing special here to
installing a package and containing extra she
could and move on I have helpers Morgan make sure that you're being dealt with so the next step is going to be building key pairs and uploading public
keys what the heck is a keeper to
get anywhere if PGP you're need 1 of these things and it's composed of 2 parts of plants called a pair as a public key which is you're gonna
publish and and it's used to encrypt
messages to the owner of that key and the verify messages from you messages yeah from you to that person 2 other people so you tell people use your public key to verify messages these and a private which you keep secret safe and it never goes on the internet and it allows you to decrypt messages that people in crypts to using a public key and to sign messages so that others can be sure that you made the algorithms that use that separate public and private keys are
more secure for several reasons and but the primary 1 is that the problem was the pay that teachers never goes out onto the internet i in the case of PGP it's also passed through a pass-phrase encrypted and even then you still this is still not something you never put on the drop box or facebook or whatever you can to using these days to share files on if you must move it around a USB is the easiest and the best way to do that but then you wanna make sure that that is the status destroyed everything else killed this is how we're actually going to do this so reminded generate energy I
click the top note left corner to do that and it's going to fill in a lot of your information automatically Our and make sure that we take the longest length 1496 should be that number but it has a bigger 1 on your machine use it instead and then we're going to check expires i unchecked it but we actually want to check it and change the data about a year out from now and the reason that we do this is so that if you ever completely lose access to a key it'll invalidate itself automatically after some amount of time and you can change the expiration date you can just right click on on the key your secret key and change expression at any time you just need unmarked key but this means that is sort of a dead man's switch it it means that you're not accidently leaving your key out so that people still think that it's a valid way of contacting this so what we do is key I'm going to pause
here to make sure that everybody's got a the right so now we have to use what can we do with them and that it yeah this software that I give you that and automatically if you use mailed that have to send e-mail it's now got a couple of encryption tools in there so 1 of them to sign 1 of his 2 incorrect arm you cannot sign every outgoing e-mail anyone heard anybody and if you know that you're communicating somebody who also has a key and you have that the then you can encrypt to them and that's a good practice as well just so that we got more noise when the NSA is trying to crack encryption things what on the simplest thing that we can do that's not already configured for you is to sign get comments so there's a little bit of configuration here to deal and the 1st is we need this tell get that we
want to sign all of the comments that we make so from the terminal this is how you make that happen the then we need to tell get which key assignments from but GVG Esprit spot by default it'll use the only predicating that but but it's still a good practice to have this in there so I have my whole name and e-mail address and here GPG will find is just fine but it makes a little bit more sense but sometimes if you're having issues just go ahead and use your TID which is the last 8 characters in your finger which you can get by right clicking on your key to the details and so what this does is every commit you make you attach a signature objects to and and those get pushed up automatically was get pushes and others who are using who care about the stuff basically can verify that you whether it off how we do that so verifying which get is not super difficult
especially if you use aliases and so we get signatures is
the simplest way to do this so it's going to to print out in addition to normal commit message and to commit shot and maybe the deaf status the diff it's in also includes the GPG output for verifying for when it verifies that that commit correct get shoulder the same thing but as for specific commit issue and then you can do get tagged hyphen Hyphen verify with a tag name to verify that a specific tag was done so you'll see tags a little bit more often in the wild because it's easier to convince people that they should be signing tags than it is why would we do any of this while assigned commits as I wrote
this thing here's proof I wrote it and I thought I was good enough
to include in this repository and I've proven that somebody else didn't do this and said it was assigned tags as I release this year's purses almost the same thing but I didn't
necessarily write everything all I did was probably run the tests and so this is ready to go at least a gem version work what this does for us as a get your signature in as many places as possible to
can be configured to automatically download keys to verify signatures and that means you got more ways to establish trust so for example if Aaron Patterson was signing all of his commits and rails equally pretty sure that this person is doing a lot of cool work is who you think tender loving so you can say while I trust of this person's rights on a and signed the keys and then you know that anybody that he has signed which would include me and is probably do this so they are by sort of a transitive trust and frankly it super easy to do so I wouldn't do signing and
verifying gems this is where we get into worse
rails conspecific and 1st of all there's no good way at all to do this there is a weight assigned
genomes and it comes in this model which is included in every Ruby insulation so the last couple of years and it's not great it uses some other algorithm that is in my opinion not as powerful and and it defaults to not verifying
when you sign jet were when you create Jens release gems or installed so it's useless but what it does is it uses open-access OK so this
is the same sort of cues that we use for SSL unfortunately the the same sort of user we use rests on the internet which means that there's no centralized there's no way to distribute them just get them along with the pair like the gem that's installed or the website the visit and there's am a centralized authority a certificate authority so you is so this isn't taking
advantage of the Web of trust Î PGP provides which is like well you know you trust Aaron he trusts me world could go it requires you to trust a certificate authority many in the case of as SSL on the internet it be stuff and you've actually implicitly trusted all of the certificate authority that matter to you by having a mac computer were having a windows computer or installing from they just do that for years on a decision that you make which is different in GP where you do make that decision explicitly and private keys on unencrypted this is not a limitation of Open SSL this is a limitation of
gen security the why but that's he is a self signed so most the time when you get a genome that is sigh it's going to be then the signature file where the public key is actually is can assign itself and so the only way you can trust it is if you explicitly trust that 1 key and even as the root of the certificate authority has to self signed to be valid In this silly silly thing open system is you just that so verifying signature were shot is dealing meaningless if you can't trust is come from a person that you believe just checking that they sign something doesn't mean anything it means that they know how to use open SSL for GPG this is actually did at the beginning we blindly trusted that the website we downloaded suffer from was from controlled by a the people that we thought it was but they were providing the shot the GBT signature the key in the software that was signed so none of it is actually very useful on but it's the closest we can get unless you actually know 1 of those indicators or there in the web of trust which there so on the package in a signature all come from the same source it can effect by everyone this is true of genomes is not really something you can get around unless there's another way to also get this key so with in the case of gems there's really no other way to get the keys year verifying in the case of GVG would key servers and get people upload their own case we've get people to give you USB stick with the keys on yeah and there are no key servers for Open SSL the and the servers at this basically the distributed system of a sort of like DNS for the are you upload your key and that propagate out to bunch of different servers and then anybody can use their own server of choice to pull them at the In the case of Jens there included the keys in the SER chains are included in the gen pop all you can't specify a system-wide trust would GPG you can say I will trust anybody who has any sort of signature or you can say I only trust people who lots I myself or you can say if the cool people I believe it back signatures are included in the genesis legends look like
when you land on top of them so you've got each of these Douggie's at files and if they happen to be signed with most gems aren't because it is difficult to do comment as a sort of a clear to be useful then they include a signature file for each files well required reading if any of this is interesting to this gem stuff
on this slide is about 2 weeks time in this is where I distilled all this information just given you from so sought my citations as well the so backing up a bit how to other people take care of these problems while
the most common and simplest way to do this is manually just like we did when we installed GPG tools an archive so to single file a we shot from the and this is what most of the packages are doing force automatic attitude homebrew etc automate this so aptitude
GPG verifying homebrew and has a shot so as long as you trust the package itself then you can trust that the person who authored the the recipe for installing a piece of software has downloaded the right piece of software that the 1 that they expected to them the an RBM actually distributes Michael purposes personal key I'm in automatically verifies that during installation so to fix this
problem for ourselves we need some sort of automatic verification before installation we should be verifying signatures no matter what every time install something we should verify that was correctly that means that the person who signed it the Packard on the package hasn't been tampered with since a person who signed it signed it it should be configurable to verify trust so if I have a lot of a large web of trust myself that I should say you should be verifying that on the person who wrote the software somewhere in my web of trust and if either of those checks fail if you configured trust or if the signature fills the gym shouldn't install at all because it's not what we expect is not what we think it is which means that it may be malicious so we need stronger web of trust connections throughout the community I couldn't verify 1
maintainer we can probably trace paths to others conferences are a great way to build these cross-organization interstate or even transcontinental connections in the web of trust open companies could have centralized keys so far apart actually has 1 of these this is not how we use it this is how I think we should use it maybe have begun pushing for us they should sign each maintainers employees and contributors so an extra contributors doing a lot of work for us keys I'm so that at things like this 1 were in person we should be verifying that we should be using this company key to verify individuals keys and then also these events we can have thought what's signed testable skewed or 18 t is key on which means that if you have met mean and thought but has signed Mikey and testable has signed up what's key and testable is also signs Justin Searle's key injustice strolls releases a piece of software you can verify with only 4 hops the maintainer is who they say they are and then you got a web of trust connections people we need better tools support for all of so
tools so we use the big 1 is regions regions solution
is simple on paper difficult implement it's we could use OpenPGP instead of SSL I hate planned 1 office and actually work on a gentle to do this to the light assigned keys with PGP and verify them on installation there is already a tool that does this but in my opinion it is too difficult to use so what's adoption get get already support showing signatures
so get have could also do that without much more work and this is what it by the way will help but when you actually verify some the signature was with show signature which along or show signatures on log or show I'm having a standard way to
claim social accounts so this is a little bit difficult to see but you can see that there's a couple of highlighted use writings on here both of them say at Caleb Thompson and then link to the Twitter status or get a repository where I make an assertion that I am the person who controls this account in this key so by doing that you can be sure that somebody who controls get have and somebody who controls the key with this fingerprint are the same person you can't be sure that they are killed Thompson because you haven't looked at my ID on given that maybe you do know that the key and the social account is connected so connecting these 2 ideas we can say we could have get and show a
badge like that would verified icon that says yes this commit it was signed and is correct and because I have up will kill Thompson has uploaded his key and that he has signed this commit great on people do things for badges it's crazy but and this is just a set of small thing that get help could be doing that would mean that some people have you know 5 more people may be starts and intimates that the program signing keys so this is we
talk about signing keys is actually how we do that so Mason's they're worried output and the sunny T is like signing a message on the uses the same
mechanics internally but you're writing onto a signature file it has a different semantic meaning what you're doing is
asserting that you verified on our identities he
looked at somebody's driver's license or passport and the name on that document matches up to the name on the user ID is on on the key you're asserting that you verified the you have the right key so I give you
I give you my king I will later give you my finger my keys fingerprints and with those 2 things you can be sure that you have the thing that I wanted you to have and you're asserting that that person has verified ownership of the key
which means that they can unlock the private key and use it this is uncommon that actually see done because it's sort of difficult but it boils down to and so once you sign a key you expert to a file in crypt at an e-mail it to the person and by using the you the e-mail on the user ID and then they can decrepit important on teaching and uploaded to accuser and because it's a little bit complicated doesn't happen super often but if we had tooling that made that easier than because have it would mean that the level trusses little bit stronger so signing a key establishes transitive trust announces the
world that if they trust you to verify these things they can trust the keys of the people you've signed and because they are more likely to represent the people that they actually say you haven't defining yourself but you trust your friend that they have this you've been introduced all this is fundamental to the Web of Trust awarded settle 1 I have a
picture this is a web of trust at the center
because it's mine and you see me but all of these lines are connection or signatures I've made with other people Amen the more closely related in the web of trust the closer people are and the single of the older my new 1 is color the sprinkle but it's just 1 like see graphs and aggressive of myself and to assign a lot of kids but but 1 thing that you can see here is I apologize for donning but this is Michael's t and Michael has signed Georges key we're all co-workers I haven't met due i haven't non verified Georges key in person because he lives in Stockholm New York and I but because Mike has signed it and I trust my to verify Georges identity then I can be reasonably sure that when I communicate with George privately or publicly by his resources it's great so signing t with the GVG kitchen
work and so the 1st thing we need to do is get
the key I've already given you mind on it was included on the USB stick but usually
some people upload these to the Internet somewhere problem their own server and include them in a header on e-mails or and upload them the key servers I don't and if they've upload
them to the key server that you can find them by searching we test from so if you do command f or look at key
right there and this box pop up you can search just about you can basically to search for a name or an e-mail address the probabilistic of addresses if you got this person next to them they can verify they are otherwise you can probably guess correctly and once you have that you can right click
and view details and I'll pop out the side window on and we need to do is confirm that that long string of text objection after expand the window to see because software on matches that's this is my finger and as I mentioned
earlier the last 4 digits are the key idea so if you're
searching for me you could search just on this or you could search for my name and that would be to the right key so we're doing this now but next on Morgan right click
again and we're going to assign key is can a pop up window like this on you're going to select your secret key it's probably error-free selected and you're going to say we've done careful checking from the other dropped and reasoning and say that is that I'm going to walk around with my idea on the show you that I am say and there's not really much more careful checking that you can do then to check simplicity do back background search guess but it doesn't help you just verifying person is in this is saying that name is the name on your screen so the other options or and I haven't verified and where I want say and that means that you may you've done some other verification we don't want you don't want to explicitly state how much done the level above that is have done no verification if you don't know verification he should not be signing a key the level above that level above that is I've done has rule verification or some verification that means you know binary that means that maybe somebody handed you an IDE or maybe somebody on this has been your friend and you you are pretty sure you know they are you never actually look at the but whatever you're willing to sign and that's the level that means that and then careful checking means that you looked at a piece of of state-issued identification there is something that and you're ready to sign said Signwiki is sort of like going to court and saying yeah that person is killed the I don't check that I have no idea I'm also don't check the signature expires and that's more for a certificate authority sell things that temporarily state that you're probably the right person and so that's not useful so all ordering is filling out these 2 things and then and checking those boxes and we can generate signature right so after we have
verify or reassigned we can go ahead and upload the key to the key server so you can right click again and send public heated keys so do this now for both yourself and for me but we're not this is the end of the talk a
few of them in the middle of the and and and
Gewichtete Summe
Schreiben <Datenverarbeitung>
Vorzeichen <Mathematik>
Radikal <Mathematik>
Metropolitan area network
Suite <Programmpaket>
Prädikat <Logik>
Generator <Informatik>
Suite <Programmpaket>
Einheit <Mathematik>
Rechter Winkel
Elektronischer Fingerabdruck
Lesen <Datenverarbeitung>
Virtuelle Maschine
Lesezeichen <Internet>
Direkte numerische Simulation
Elektronischer Fingerabdruck
Installation <Informatik>
Elektronische Publikation
Binder <Informatik>
Offene Menge
Web log
Arithmetischer Ausdruck
Einheit <Mathematik>
Prozess <Informatik>
Wurzel <Mathematik>
Funktion <Mathematik>
Software Development Kit
Installation <Informatik>
Vorzeichen <Mathematik>
Web Site
Elektronische Unterschrift
Arithmetisches Mittel
Verkettung <Informatik>
Twitter <Softwareplattform>
Web Site
Gewicht <Mathematik>
Kombinatorische Gruppentheorie
Data Mining
Physikalisches System
Elektronische Unterschrift
Inverser Limes
Einfach zusammenhängender Raum
Digitales Zertifikat
Matching <Graphentheorie>
Physikalisches System
Objekt <Kategorie>
Fundamentalsatz der Algebra
Offenes Kommunikationssystem
Digitales Zertifikat
HMS <Fertigung>
Innerer Punkt


Formale Metadaten

Titel What is this PGP thing, and how can I use it?
Serientitel RailsConf 2015
Teil 91
Anzahl der Teile 94
Autor Thompson, Caleb
Lizenz CC-Namensnennung - Weitergabe unter gleichen Bedingungen 3.0 Unported:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen und nicht-kommerziellen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen und das Werk bzw. diesen Inhalt auch in veränderter Form nur unter den Bedingungen dieser Lizenz weitergeben.
DOI 10.5446/30720
Herausgeber Confreaks, LLC
Erscheinungsjahr 2015
Sprache Englisch

Inhaltliche Metadaten

Fachgebiet Informatik
Abstract The need to keep your personal information, sensitive or nonsensitive, secure from prying eyes isn't new, but recent events have brought it back into the public eye. In this workshop, we'll build and upload public keys, explore Git commit signing, and learn to sign others' PGP keys. If we have time, we'll exchange key fingerprints and show IDs, then discuss signing and verifying gems. You'll need a photo ID and your own computer for this workshop.

Ähnliche Filme