;) Packet-Securitydot com

Papers By Bagarre:

  • Intro to PGP
  • Chris Snell gives a good explanation of what Pretty Good Privacy is and how it works.

  • Intro to Pseudo Code
  • A good read on the basics of pseudo code and program management.

  • I'd rather be fragging
  • Bypassing those Linksys boxes, some ACLs and tons of other fun stuff.

  • The Art of Wardialing
  • A lost art? Not worth exploring? I think not.

  • deny, Deny, DENY
  • If you didn't say it could come in, it shouldn't. This will be a discussion on router ACLs and the construction of a DMZ.

  • OPP Other People's Passwords
  • How do you get your users to use good passwords? How important is it?

  • The Enemy Within
  • Do you trust your users? Should you? The internal threat is real and needs to be addressed with written policy, permissions and well planned grouping.

  • Who's Watching Who?
  • The intruder is no doubt looking at your traffic. You should too. How will you know what's not normal if you've never seen your normal traffic on the wire?

    Introduction to PGP
    (Pretty Good Privacy)

    By: Chris Snell

    Imagine that I have something I want to FedEx to you. I don't want anyone, especially those slimy FedEx bastards, looking at it, x-raying it, opening it, etc. I also want you to be able to tell that it really came from me, and not some clever imposter. I could put this item in a box (lead lined of course) and then lock it. What are some ways to lock it? Padlock and combination locks.

    There are basically 2 types of cryptography: symmetric and asymmetric. First, symmetric. For this, both sender and receiver (or encryptor and decryptor) need to have the same key. This would be like using a padlock on the box. We both have the same key, which makes it easy to lock and unlock, but this also introduces other issues, mainly: how do I get the key to you? I could mail it, but then FedEx could just intercept it and make a copy. Now they have it. Or they could switch keys and now you can't open the box. Same for combination locks. How could I get you the combo to unlock the box? If I see you in person, I can tell you, but if I see you in person, I wouldn't need FedEx. Also, symmetric keys are subject to brute forcing. In the crypto world this does not mean taking a crowbar or hacksaw and ripping the box apart, but simply trying every feasible combination until the lock opens. They could do this with keys as well, by figuring out how many pins there are and either picking it (easy way), or making blanks for each possible pin length combination (extremely highly improbable, but maybe they really want inside the box and aren't that smart).

    So, how about that asymmetric crypto I mentioned earlier? Asymmetric means that one key locks, and one key unlocks (or encrypts and decrypts, but you probably figured where this was going by now). Following my analogy, this would be like a high tech electronic combo lock. I use one combination to lock, and you use your private combination to unlock. Now we've got FedEx right where we want them. Carrying my mail, and that's it.

    Now we move into logistic concerns (and just in time, because that analogy was wearing thin). You have your special unlocking combo, which we will call the *private key* from now on. This is all well and good. The key I used to lock it will be called the *public key* from now on as well. This system is often referred to as the Public Key Infrastructure or PKI. How does it work? Glad you asked.

    Like I said, you have your private key. And paired with this key is your public key. You make your public key, well, public. There are keyservers all over the internet just for this purpose. This way, anyone who wants to send you something just looks up your public key. They then use that to encrypt the mail, document, whatever, then send it to you. All you have to do is use your private key to unlock it. The two keys are mathematically related in such a way that only the private key can decrypt something encrypted by its corresponding public key, but one cannot be derived from the other. How that all happens is something best left to people a lot better at math than me, and it involves a lot of one-way hashes and things of that nature.

    Another fun thing to do is use your private key to sign your emails. When you use your private key like this, then anyone who downloads your public key from a keyserver can verify your signature. It's kind of like having FedEx deliver a notarized letter. Other people can sniff traffic and read it, but if they tamper with it, it will be evident.
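
    The public/private key relationship and the signing idea described above, as an added example that is not part of the original article: textbook RSA over two tiny constructed primes, combined with a toy symmetric cipher the way PGP wraps a one-time symmetric key with the recipient's public key. All names are made up for illustration, and the parameters are far too small for real use; GnuPG does the real thing.

```python
import hashlib
import secrets

# Constructed toy key material: two Mersenne primes. Far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

def make_keypair(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # d undoes e: e*d = 1 (mod phi); needs p and q to compute
    return (n, e), (n, d)

def rsa(key, value):
    """The one RSA operation: value^exponent mod n, with either half of the pair."""
    n, exponent = key
    return pow(value, exponent, n)

def keystream_xor(session_key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (same call decrypts)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(f"{session_key}:{offset}".encode()).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)

def encrypt_to(public, plaintext):
    """Lock the message with a fresh symmetric key, then lock that key with the public key."""
    session_key = secrets.randbits(64)  # always smaller than n
    return rsa(public, session_key), keystream_xor(session_key, plaintext)

def decrypt_with(private, wrapped_key, body):
    """Unwrap the session key with the private key, then unlock the message."""
    return keystream_xor(rsa(private, wrapped_key), body)

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    return rsa(private, digest(message, private[0]))

def verify(public, message, signature):
    return rsa(public, signature) == digest(message, public[0])

if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    wrapped, body = encrypt_to(public, b"The combination is 12-34-56")
    print(decrypt_with(private, wrapped, body))
    sig = sign(private, b"Ship it Friday. -Chris")
    print(verify(public, b"Ship it Friday. -Chris", sig))  # untouched message
    print(verify(public, b"Ship it Monday. -Chris", sig))  # tampered in transit
```

    Only the short session key goes through the public-key operation, which is also how the key-delivery problem from the padlock analogy gets solved: the symmetric key travels inside the asymmetric lock.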

    Ok, that's enough theory stuff. How exactly does it work? Go to pgp.com. PGP stands for Pretty Good Privacy. It's a program written specifically to do all this. It's fairly user friendly, once you get used to it. Another good one is called GPG, or Gnu Privacy Guard. It does the same thing, but is Open Source, so it is unencumbered by patents and such (I prefer this one for these reasons). One GPG program for Windows is called WinPT, and another is called GPG Shell. You can find this stuff on www.gnupg.org. Download either one of these. After installation, one of the first things you will do is Generate a KeyPair. The defaults should be safe, but for maximum safety, you can pick the maximum key size, which is something like 4096 bytes. Follow the directions. I'll include links below that actually walk you through the process. It's more involved than I want to get into here. This is already too long. Now set up the plugins for your mail client. The only real problem is that you can't use it with webmail like Yahoo! unless you pay for their premium service. You usually need to be using a program like Outlook or Outlook Express, or Eudora (my favorite for Windows actually), and PGP or GnuPG will usually help you set up the plugins for that.

    One other thing, then I'm done with this for now. Pick a good passphrase. They call it a passphrase because it should be significantly longer than a simple password. Here's a good read/method for picking passphrases: http://world.std.com/~reinhold/diceware.html. Check it out.

    Here's the links:
    Introduction to GnuPgP part 1
    Introduction to GnuPgP part 2

    If you still need help setting this up, just google for PGP Howto, I'm sure there will be like 40 million hits.

    This ran on a lot longer than I thought it would, and we just scratched the surface. This is actually important technology, it's here to protect our privacy, so I for one would like to see more people use it. Anything I can do to make it easier for someone to adopt this, I will do.

      -Chris

    Bagarre's note:
    CTO1 Chris Snell is currently a member of Fleet Information Warfare Center's Red Team Operations, like myself. With any luck, he'll send me a little bio to put here instead of my ramblings.
