electronic commerce school of library and information science pgp and cryptography i. what is...
TRANSCRIPT
Electronic Commerce
School of Library and Information Science
PGP and cryptography
I. What is encryption?
• Cryptographic systems
II. What is PGP?
• How does it work?
Electronic Commerce
School of Library and Information Science
IV. PGP and cryptography
What is encryption?
Oesday isthay ountcay?
Ps uijt?
Encryption is a method for protecting information by making it as difficult as possible to read or view
Why encrypt?
Privacy Authentication
Integrity Availability
Electronic Commerce
School of Library and Information Science
Plain text Cipher text
Blah Blah BlahBlah Blah BlahBlah Blah BlahBlah Blah BlahBlah Blah BlahBlah Blah BlahBlah Blah BlahBlah Blah Blah
xdffhliouse345fjged09e5fjsksqwfnxpdifuw0awdbczoksryaaaksjhaswe4ufdnaweaa2wfsawrkjsfya38yfkpo80sdw304v
Key
Encryption
Decryption
The key uses a mathematical algorithm to transform plaintext into ciphertext and back again
The basis of cryptography
Electronic Commerce
School of Library and Information Science
Cryptographic systems
There are two kinds of cryptosystems: symmetric and asymmetric
Symmetric cryptosystems use the same key (the secret key) to encrypt and decrypt a message
Asymmetric cryptosystems use one key (the public key) to encrypt a message and a different key (the private key) to decrypt it
These cryptosystems are also called “public key” cryptosystems
Electronic Commerce
School of Library and Information Science
http://www.certicom.com/ecc/wecc1.htm
Electronic Commerce
School of Library and Information Science
Symmetric cryptography (single or private key encryption)
~Two people agree on using a system*
~They agree to use a key
~ A takes a plaintext message, encrypts it with the system and the key
~A sends the ciphertext message to “B”@
~B decrypts the message with the same system and key
* Listen in on the agreement discussion
@ Attack by interception
Electronic Commerce
School of Library and Information Science
http://www.certicom.com/ecc/wecc1.htm
Electronic Commerce
School of Library and Information Science
Asymmetric, or public-key cryptography is more secure
It uses two keys, which are the property of people, not documents
Public key
This key is shared with the world
It is used to encrypt messages but should not be used to decrypt them (with one exception)
Private key
This is your private key and should not be shared
It is used to decrypt messages and should not be used for encryption (with one exception)
Electronic Commerce
School of Library and Information Science
PGP and cryptography
I. What is encryption?
• Cryptographic systems
II. What is PGP?
• How does it work?
Electronic Commerce
School of Library and Information Science
PGP, created by Phil Zimmermann, is a good example of public key cryptography
It gives you privacy by allowing you to encrypt your files and email so that nobody can read them except the people you choose
PGP allows you to create a digital signature on your files and email
A digital signature allows a reader to verify that it was you who wrote the email and that the email has not been altered
Electronic Commerce
School of Library and Information Science
PGP is basically used for 3 things
1. Encrypting a message or file so that only the recipient can decrypt and read it
The sender, by signing, guarantees to the recipient, that the message or file must have come from the sender and not an impostor
2. Clear signing a plain text message guarantees that it can only have come from the sender and not an impostor
In a plain text message, text is readable by anyone, but a PGP signature is attached
Electronic Commerce
School of Library and Information Science
3. Encrypting computer files so that they can't be decrypted by anyone other than the person who encrypted them
PGP uses public and private keys
Public keys are kept in individual key certificates
These include the owner’s user ID (the person’s name), a timestamp of when the key pair was generated, and the actual key “certificate”
Electronic Commerce
School of Library and Information Science
Secret key certificates contain the secret key “certificate”
Each secret key is also encrypted with its own password, in case it gets stolen
A key file, or key ring contains one or more of these key certificates
Public key rings contain public key certificates
Secret key rings contain secret key certificates
Electronic Commerce
School of Library and Information Science
The keys are symmetrical and are generated from the same algorithm
They are distinct
Knowing the public key tells you nothing about the private key
Anyone can slip a message under my door...
Only I can use my key to open the door to get the message
So long as I keep the key securely, no one has access to the message
Electronic Commerce
School of Library and Information Science
Using public key cryptography
1. A and B agree on a public key crypto system
2. B sends A her public key
3. A encrypts with B’s public key and sends the message to B
4. B decrypts the message using her private key
Or:
1. A gets B’s public key from a secure database
2. A encrypts the message with B’s key and sends the message to B
3. B decrypts the message using her private key
Electronic Commerce
School of Library and Information Science
Blah Blah
Blah Blah
Blah Blah
Blah Blah
Blah Blah
Blah Blah
Blah Blah
Blah Blah
A uses B’s public key
B uses her secret key
Encryption
algorithm
Decryption
algorithm
albhlabl
BalhHbla
albhhbla
bahlBlah
Encrypted message
Public Key Encryption
to produce
to read
Decrypted message
Electronic Commerce
School of Library and Information Science
Public key cryptography is strengthened by using a “digital signature”
This allows “digital authentication”
“Non-reputiability” is allows the receiver to verify that the sender actually sent the message
This uses the exception mentioned earlier
The private key is used to encrypt the digital signature
The public key is used to decrypt the digital signature
Electronic Commerce
School of Library and Information Science
Simple form
1. A uses her private key to encrypt her signature
2. B uses A’s public key to decrypt the signature
A more realistic version:
1. A creates a message and encrypts her signature with her private key
2. A encrypts the message and signature with B’s public key and sends it to B
3. B decrypts the message with her private key
4. B decrypts A’s signature using A’s public key, verifying the message
Electronic Commerce
School of Library and Information Science
A more secure version:
1. A signs a message with her private key, encrypts it with her public key and sends it to B
2. B decrypts with her private key and verifies the signature with A’s public key
3. B signs the same message with her private key, encrypts it with A’s public key and sends it back to A
4. A decrypts it with her private key and verifies B’s signature with B’s public key
5. If the message A has is the same one she sent, she knows B received it
This can be used to sign digital contracts!
Now, on to PGP