CSCI 530LWho are we talking to?SolutionAnother problemPGP – Pretty Good PrivacyDrawbacks to PGPLab AssignmentLab Assignment ContinuedCSCI 530LPublic Key InfrastructureWho are we talking to?Problem: We receive an e-mail. How do we know who it’s from?E-Mail address Can be spoofed easilyE-Mail HeaderMost of it can be spoofed, but not all of itPain to go through all the informationCall the person, and ask them if they sent itIf you received the e-mail at 3:00 PM PDT, and the guy is in India, it’s 3:00 AM there.SolutionWe should have a way of verifying, in the e-mail, who it is really fromDigital SignatureUniquely verifies that a sender has sent the document, similar to a real signatureTakes a hash of the message – digestEncrypts the digest using the private keyAnyone who reads the e-mail can see the signature, decrypt it using the public key, and if the digest matches the message, then this user sent the messageAnother problemHow do you know who owns this public key? It’s just floating around on the web!!!If you know that person, you could ask him to come over to you and read off his public key IDIf you know person “A” who has verified that this public key belongs to person “B”, and you know and trust person “A”, then by association, you can trust the public key of person “B”“Web of Trust”This is the idea behind PGPPGP – Pretty Good PrivacyToday, the standard is OpenPGPUses the concept of public key cryptosystem in which one key is public and one key is private.Uses the private key for encryption and digital signaturesPublish the public key to a KeyserverExample: pgp.mit.eduCan view and obtain other people’s public keys from the keyserverIf you know that the key does belong to that particular person, you can sign the key, stating “I trust that person”If your friend trusts you, then he will sign your key, and see who else signed your key and who’s key you have signed, creating this web of trustDrawbacks to PGPYou have to rely upon your trust of someone else to verifyNo real central authorityIf Harry decides to turn rogue, then everyone who trusted Harry or who is trusted by Harry will start to not trust people, breaking the web of trustLab AssignmentWe are going to use the implementation called GnuPG, or Gnu Privacy Guard, along with the Mozilla Thunderbird Extension “Enigmail”You will have to create a PGP key, and upload your public key to the pgp.mit.edu keyserverYou will have to sign my public key that is postedI have many posted, but I specify which one I want you to signYou will have to send me a digitally signed e-mail to demonstrate that everything is set up.Lab Assignment ContinuedWe want you do to this on your home or primary machine, so there will be no formal lab sessions this weekThis lab is due by 9/15/06 3:30 PM PDT for everyoneThere are questions that must be answered. E-mail these TO YOUR LAB ASSISTANT ONLY, but send the signed e-mail to
View Full Document