
Lec 07

The document discusses HTTP and HTTPS protocols, highlighting the limitations of HTTP regarding security, privacy, and authentication. It explains how HTTPS, utilizing SSL/TLS, enhances security by encrypting messages during transmission. Additionally, it covers practical encryption methods using PGP, including key management, message encryption, and signing processes.

Department of Communication and Operating Systems

Computer and Network Security

Lecturer : M.Younis Popal

Contact : [email protected]

Sunday, July 29, 2018 (Cryptography (2))

Content

 HTTP
 HTTP Limitation
 HTTPS
 Encryption in Practice
 PGP
 Creating keys
 Exporting keys
 Importing keys
 Encrypting messages
 Decrypting messages
 Signing messages

HTTP (HyperText Transfer Protocol)

 HTTP means HyperText Transfer Protocol.


 HTTP is the underlying protocol used by the World Wide Web and this protocol defines how
messages are formatted and transmitted, and what actions Web servers and browsers should take
in response to various commands.

HTTP Limitation

 Security Concern
 Privacy
 Anyone can see content
 Integrity
 Someone might alter content. No encryption methods are used
 Subject to man-in-the-middle attacks and eavesdropping.
 Authentication
 Not clear who you are talking with. Authentication is sent in clear text

HTTP over SSL (Secure Socket Layer)

 HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL.

 SSL acts like a sub layer under regular HTTP application layering.

 HTTPS encrypts an HTTP message prior to transmission and decrypts a message upon arrival

 HTTPS by default uses port 443 as opposed to the standard HTTP port of 80

HTTPS Transaction

SSL with HTTP

 Secure Sockets Layer technology protects a Web site and makes it easy for Web site visitors to trust it in three essential ways:
 Privacy
 An SSL Certificate enables encryption of sensitive information during online
transactions.
 Integrity
 Provides message integrity
 Authentication
 Each SSL Certificate contains unique, authenticated information about the certificate
owner.

SSL and TLS

 SSL/TLS: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols
 They provide secure communications on the Internet for such things as web browsing and e-mail
 There are slight differences between SSL and TLS, but the protocol remains substantially the same

Encryption in Practice

 We have talked about


 Cryptography
 Encryption
 Decryption
 Encryption Types
 Symmetric
 Asymmetric
 Digital Signature
 Digital Certificate
 Certificate Authority

Encryption in Practice: PGP

 PGP (Pretty Good Privacy) is a public key encryption program that has become the most popular
standard for email encryption
 In addition to encrypting and decrypting email, PGP is used to sign messages so that the receiver
can verify both the identity of the sender and the integrity of the content
 PGP uses a private key that must be kept secret and a public key that sender and receiver must
share.
 The technology is also known as GPG (Gnu Privacy Guard or GnuPG).
 Different standards for PGP exist, but perhaps the most popular is OpenPGP.

Encryption in Practice: PGP

 To send a PGP-encrypted message, you use your recipient's public key to encrypt it.

 Your recipient would then use his or her corresponding private key to decrypt it.

 For instance, if you wanted to send a PGP-encrypted message to [email protected], you would encrypt it using the public key of [email protected].

 He would then decrypt it using the private key stored on his personal computer.

PGP: Objectives

 Key management

 Create a keypair

 Import and export public keys

 Revoke a keypair

 Encryption and decryption

 Signing

Preparing to Create a Keypair

 Choose a good passphrase


 Long
 Hard to guess
 Contains special characters
 Choose an algorithm
 DSA
 RSA
 Choose a key length
 Use the largest practical length
 Recommended 2048 bytes

Creating the Keypair

 Command: gpg --gen-key

Exporting Your Public Key

 gpg --export uid > public.gpg

 Example: gpg --export [email protected] > pub.gpg
 The command above generates a binary file. To create an ASCII-encoded file instead, use the “--armor” option with the “gpg” command
 Example: gpg --armor --export [email protected] > pub.asc

Publishing Your keys

 Never publish your private key


 Be sure your exported public key is correct and you have a revocation certificate!
 Put it on your web site, a floppy disk, a USB memory key, etc.
 Send your public key to a public key server
 List of public servers for putting your public keys
 keyserver.ubuntu.com
 pgp.mit.edu
 keyserver.pgp.com
 keys.gnupg.net
 For sending public key to “keys.gnupg.net”
 Command: gpg --keyserver keys.gnupg.net --send-keys keyID
 For getting the key ID:
 gpg --dry-run --import pubkey.asc

Getting the Key

 From website
 gpg --keyserver website --recv-keys keyID
 Example: gpg --keyserver keys.gnupg.net --recv-keys A29C2DC8
 From a file
 gpg --import public_key.asc

Your Keyring

 List all keys in your keyring


 gpg --list-keys
 With signatures
 gpg --list-sigs
 Delete a key (on your keyring)
 gpg --delete-key uid

Encrypting the Files

 gpg -e -r recipient filename

 Example: gpg -e -r ahmad simple.txt
 Example: gpg --armor -e -r ahmad simple.txt

Decrypting the encrypted message/file

 gpg -d filename
 Example: gpg -d simple.txt.asc

Signing a Message

 gpg --armor --sign -e -r ahmad com1.txt
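
Added example, not part of the original lecture: the export, import, encrypt, decrypt and sign steps from the preceding slides, run end to end between two isolated keyrings, including the fingerprint check that should precede encrypting to an imported key. The users alice and bob, their example.test addresses, the empty passphrases and the helper functions are assumptions made for the demo; it expects GnuPG 2.1 or later.

```bash
#!/usr/bin/env bash
# Added example: constructed users alice and bob, each with an isolated keyring.
# Empty passphrases and the 1-day expiry are demo-only choices.

# Run gpg non-interactively against one user's private home directory.
as() {
  local who=$1; shift
  gpg --homedir "$WORK/$who" --batch --yes --quiet \
      --pinentry-mode loopback --passphrase '' "$@"
}

# Print the primary-key fingerprint that keyring $1 holds for user ID $2.
fpr() { as "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

pgp_roundtrip() {
  WORK=$(mktemp -d) || return 1
  mkdir -m 700 "$WORK/alice" "$WORK/bob"
  # 1. Each side creates its own keypair; private keys never leave the homedir.
  as alice --quick-generate-key 'Alice <alice@example.test>' default default 1d >/dev/null
  as bob   --quick-generate-key 'Bob <bob@example.test>'     default default 1d >/dev/null
  # 2. Public keys are exchanged as ASCII-armored exports.
  as bob   --armor --export bob@example.test   > "$WORK/bob.asc"
  as alice --armor --export alice@example.test > "$WORK/alice.asc"
  as alice --import "$WORK/bob.asc"   >/dev/null
  as bob   --import "$WORK/alice.asc" >/dev/null
  # 3. Alice compares the fingerprint she imported with the one Bob reads out
  #    (here: taken from Bob's own keyring), then certifies the key locally.
  local got want
  got=$(fpr alice bob@example.test); want=$(fpr bob bob@example.test)
  [ -n "$got" ] && [ "$got" = "$want" ] || return 1
  as alice --quick-lsign-key "$got" >/dev/null
  # 4. Alice signs with her private key and encrypts to Bob's public key.
  printf 'meet at noon\n' > "$WORK/msg.txt"
  as alice --armor --sign --encrypt -r bob@example.test \
           -o "$WORK/msg.asc" "$WORK/msg.txt" || return 1
  # 5. Bob decrypts with his private key; GOODSIG shows Alice's key signed it.
  local plain rc=0
  plain=$(as bob --status-file "$WORK/status" --decrypt "$WORK/msg.asc") || rc=1
  grep -q '^\[GNUPG:\] GOODSIG ' "$WORK/status" || rc=1
  # Stop the per-keyring agents and remove all demo key material.
  for u in alice bob; do gpgconf --homedir "$WORK/$u" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
  [ "$rc" -eq 0 ] && printf '%s\n' "$plain"
}

# Invoke as: bash pgp_demo.sh run
if [ "${1:-}" = "run" ]; then pgp_roundtrip; fi
```

Without step 3, gpg in batch mode refuses to encrypt to Bob's imported key because nothing vouches that the key belongs to him.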

Question
