Announcement
Debian-NYC Workshop #4
An Introduction to Secure Digital Communications using OpenPGP
This workshop occurred on March 24th.
Date and Time: March 24, 2010 at 7:00 PM
Duration: 2.5 Hours
The first part of this workshop will be a discussion of some of the problems facing secure communications on a public network, concepts that can be used to solve those problems, and an introduction to OpenPGP, a tool that implements those concepts and allows secure communications.
The second part will be a guided, hands-on lab using OpenPGP tools to generate the digital keys needed to communicate securely, to obtain the keys of others, and to use those keys to encrypt data to a recipient.
Participants should bring a portable computer to the workshop, have some experience using a command-line interface to their computer, and should be sure to have an implementation of OpenPGP[0] installed on their computer before the presentation.
Location: Manhattan. As there is some physical security at the space being provided for the presentation, the exact location will be emailed to those who have RSVP'd.
Please RSVP below or to David Rocamora[1].
[0] The implementation of OpenPGP used by the presenters will be the GNU Privacy Guard (GPG). This is automatically installed on all Debian systems as the "gnupg" package.
[1] dave at n22t dot com
Outline of Workshop
The workshop is over, but here is the outline of notes that we built to prepare it. It's pretty rough.
- Introductions
- Who we are
- DebianNYC folks
- Introductions (just names of everyone)
- What will happen in this workshop
- what is OpenPGP
- why would you want to use it?
- A guided workshop in creating an OpenPGP key and using OpenPGP tools to certify other users, verify signatures, and encrypt and decrypt data.
- how might you use it?
- Terminology/History
- 2 sentences: "You may have heard people call it PGP or GPG or whatever. We're going to use the term OpenPGP because it refers to the standard that all these tools implement."
- A discussion about what OpenPGP is and what sorts of problems it can solve
- Our goal is to introduce you to OpenPGP, help you understand its basic concepts, and give you the tools you'll need to start using it every day.
- The Talk
- Broadly: what kinds of problems do we have on a public network? (ask audience -- goal is to elicit the following sub-points)
- Personal identity on the Internet is quite fluid
- Pretty much anyone can pretend to be you, and it's difficult to be sure that someone who contacts you is the person you think it is.
- Very little is confidential
- Surprise! Many people (and machines!) can read your email, the information (including passwords) you type into web forms, files you upload, etc.
- An example
- Sending a password through e-mail to a co-maintainer of a web site
- getting a note from your boss to disable the web site for customer X
- distributing software -- how do you know that this came from the people you think it came from?
- What kinds of special tools can we use to solve these problems?
- Cryptography ("hidden writing") offers tools to help keep information private, and to know the identity of our communications partners
- A brief overview of cryptography
- For the purposes of this workshop:
- Encryption offers a way of transforming information to make it unreadable to anyone except those possessing special knowledge. (unopenable boxes and a corresponding magic key)
- Digital signatures offer a way to mark information that only someone with special knowledge can produce, but that everyone else can verify. (verifiable, untamperable wax imprints and corresponding seal)
- What OpenPGP is, slightly more specifically
- A set of tools that allow you to use encryption to:
- assert your own identity,
- verify other people's identity, and
- protect the confidentiality of your information
- Perhaps some history? -- better to be brief, people can always look it up on their own
- It also links in to this public key infrastructure and a web of trust
- Some examples of what we can use OpenPGP for
- Briefly run through these, perhaps as bullets on a slide:
- Confidential Email
- Attributable Email
- Identify people you have never met in person
- Verified data (like backups)
- Confidential data (like backups)
- Verifying/certifying software
- Proving your identity to services like SSH
- Verifying the identity of remote systems like SSH and https
- Generally what is happening behind the scenes in the workshop portion
- Go over what it means to make a key, what it means to certify another person's key/UserID, what it means to sign and encrypt data. No code examples or follow along things, just an overview of what is going to happen next
- Making a key
- produces a public and secret key, choices about User ID, expiration
- certifying another user's key
- Getting your own key certified
- using the key to sign data
- using OpenPGP to encrypt data to another user
- Using your key to decrypt data
- using OpenPGP to verify signatures from another user
- Workshop Portion
- We'll run through encrypting and decrypting a file.
- We already started discussing this.
- In summary
- You've been introduced to OpenPGP
- You know what kinds of things you can do with it
- You have a key now (or know how to make one!)
Some resources (http://understandingcrypto.info ?)
- Afterword
- concepts of cryptography primitives
- Ciphers and encryption algorithms
- Asymmetric crypto: public and secret keys (keypairs)
- Data signed by a secret key can be verified by anyone holding the corresponding public key
- Data encrypted to a public key can only be decrypted by someone who holds the corresponding secret key
- Public key infrastructure
- "The original social network" -- maybe this doesn't fit here but it is cool and should be in the workshop
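
The steps the outline lists for the lab (make a key, sign, encrypt to a public key, decrypt, verify) can be walked through with GnuPG in a throwaway keyring. This is an added example, not the workshop's own lab material; the user ID, file names, and the `pgp_roundtrip` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: OpenPGP round trip in a throwaway keyring (never touches ~/.gnupg).
# The user ID and file names are constructed for illustration.

pgp_roundtrip() (
    # The body runs in a subshell, so GNUPGHOME and the trap do not leak to the caller.
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    uid='Workshop Tester <tester@example.invalid>'
    # Empty passphrase keeps the demo non-interactive; protect a real key with one.
    g() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

    # 1. Make a key: public + secret key, a User ID, and an expiration (1 year).
    g --quick-generate-key "$uid" default default 1y 2>/dev/null || exit 1

    # 2. Export the public half; this is the part others obtain and certify.
    g --armor --export "$uid" > "$GNUPGHOME/pub.asc" || exit 1

    # 3. Sign with the secret key and encrypt to the recipient's public key.
    printf '%s' "$1" > "$GNUPGHOME/note.txt"
    g --armor --local-user "$uid" --recipient "$uid" --sign --encrypt \
      --output "$GNUPGHOME/note.txt.asc" "$GNUPGHOME/note.txt" || exit 1

    # 4. Decrypt with the secret key. gpg checks the embedded signature at the
    #    same time and reports the outcome as machine-readable status lines.
    g --status-fd 1 --decrypt --output "$GNUPGHOME/out.txt" \
      "$GNUPGHOME/note.txt.asc" > "$GNUPGHOME/status" 2>/dev/null || exit 1
    grep -q '^\[GNUPG:\] GOODSIG ' "$GNUPGHOME/status" || exit 1

    # Only reached if decryption succeeded and the signature verified.
    cat "$GNUPGHOME/out.txt"
)
```

Calling `pgp_roundtrip 'some text'` prints the recovered plaintext only when both decryption and signature verification succeed; checking the `GOODSIG` status line rather than the exit code alone is what ties the plaintext to the signer.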