feat: add openpgp workshop content

This commit is contained in:
Anton Livaja 2024-09-17 11:11:50 -04:00
parent f97628201e
commit 0d25c12500
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
6 changed files with 233 additions and 0 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 27 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 29 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 76 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 704 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 13 KiB

233
openpgp-workshop/index.md Normal file
View File

@ -0,0 +1,233 @@
# OpenPGP Workshop
[important reference](img/iceberg.png)
---
## What is OpenPGP
* OpenPGP is an open standard for encrypting and decrypting data, as well as
creating and managing digital signatures.
* It is based on the PGP (Pretty Good Privacy) protocol, which was originally
developed by Phil Zimmermann in the 1990s.
* Uses asymmetric / public key cryptography
---
## Implementations
* GPG
* Gnu Privacy Guard
* Best known and most widely used
* Great starting point
* There are lots of other implementations of OpenPGP:
* https://www.openpgp.org/software/developer/
---
## How Does It Work?
---
## Encrypt / Decrypt
![Encryption vs Decryption diagram](img/encrypt-decrypt.png)
---
## Sign / Verify
![Signing vs Verifying diagram](img/sign-verify.png)
---
## Diffie Helman Key Exchange
![Diffie Helman Key Exchange diagram](img/diffie-helman.png)
---
## OpenPGP Anatomy
* Many components but key ones are:
* Public Key
* Private Key
---
## Let's Try It!
* Most OS come with GPG pre-installed (not Windows!)
* `gpg --version`
* `man gpg`
* **THESE FOLLOWING KEYS WILL NOT BE SECURE, DO NOT USE THEM FOR ANYTHING OTHER THAN THIS EXERCISE!**
* Generate keypair: `gpg --expert --full-gen-key`
* 1, 4096, Enter (3072), Enter (0), y, "Test Key", "fired.if.use@this.key", Enter (""), O, "password1"
* During generation, **mash input devices for added entropy**
---
## Test Your GPG Key
* `gpg --list-keys`
* `echo "super secret text" > test.txt && cat test.txt`
* `gpg --encrypt --recipient <email/ID> test.txt`
* `gpg -er <email/ID> <filename> && cat text.txt.gpg`: notice it's a binary
* You can use `--armor/-a` to encode it as ASCII so you can send the encrypted data as text
* `gpg --armor -er <email/ID> test.txt && cat test.txt.asc`
* `rm test.txt && ls`: remove original file
* `gpg --decrypt test.txt.gpg && cat test.txt && rm test.txt`
* `gpg --decrypt test.txt.asc && cat test.txt && rm text.txt`
---
## Sharing Your Public Key 🔑
* `gpg --list-keys`
* `gpg --export --armor <email/ID> > <name>.asc`
* `gpg --import <name>.asc`
* Task: pair up and exchange your keys, then encrypt data to each other
* Tip: you may encrypt the data to multiple people
---
## What's Happening Behind the Scenes
* GPG generates a symmetric key (AES) and uses that to encrypt the bulk of the data
* RSA/ECC is used only to encrypt the symmetric key
* The encrypted data packet contains metadata about which public keys were encrypted to
* This can be hidden using `--hidden-recipient/-R`
* Inspect packets using `gpg --list-packets <file.asc/file.gpg>`
---
## Verifying Signatures 📝
* Go to: https://www.qubes-os.org/downloads/
* Download:
* Qubes-R*.iso
* Cryptographic hash values
* Detached PGP signature
* Qubes release signing key
* They have a guide that's worth reading: https://www.qubes-os.org/security/verifying-signatures/
* Task: verify the signatures for the software are valid
---
## Solution
* `gpg --import qubes-release-*`: import qubes signing key
* `gpg --verify *.DIGESTS`: verify signature
* `sha256sum -c Qubes-<...>.iso.DIGESTS`: verify hashes match
---
## Secure Key Management 🔒
* You should assume your computer is compromised
* How do we protect the GPG private key?
* Never expose them to an untrusted environment
---
## Basic: On-board generation:
* YubiKey offers generating keys inside of the YubiKey
* Cryptographic attestation keys were never exposed available: https://developers.yubico.com/PGP/Attestation.html
* CON: can't back up the keys
* PRO: simple setup
---
## Advanced - cold / virtualization
* Can use `gpg` / `sq` / `keyfork`
* [Hashbang GPG Guide](https://book.hashbang.sh/docs/security/key-management/gnupg/): helpful guide for GPG - good resource for beginners who want to do the advanced setup
* [openpgp-card-tools](https://codeberg.org/openpgp-card/openpgp-card-tools): great for loading keys onto smart cards
* Can use a variety of smart cards: NitroKey3, SoloKey, Yubikey
* NitroKey and SoloKey are fully open which is great for verifiability - may requires flashing firmware
* [openpgp-card-tools](https://codeberg.org/openpgp-card/openpgp-card-tools) is helpful for loading the card
* Airgapped system (preferred)
* Virtual machine on a hypervisor via hardware virtualization (ok for some threat models)
---
## Backup Trick 🧙
* Generate long lived keys
* Load them onto smart card
* Take plaintext key data and put it in a dir
* Encrypt the dir to your public key
* Delete keys so that only ones that remain are on smart cards (recommended to have at least 2 or 3, for redundancy)
* Smart cards have a "brick" after x attempts feature
---
## SSH Usage
* OpenPGP keys can be used for SSH as well 🪄:
* `gpg --export-ssh-key <email/keyID>`
* Set up shell to use smart card for ssh:
```
# always use smart card for ssh
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
```
---
## Git Usage
* You can sign commits using OpenPGP / GPG
```~/.bashrc
GPG_TTY=$(tty)
export GPG_TTY
```
```~/.gitconfig
[user]
email = <email>
name = <name>
signingKey = <key_id>
[commit]
gpgSign = true
[merge]
gpgSign = true
[gpg]
program = gpg
```
---
## Further Studies
* [OpenPGP for application developers](https://openpgp.dev/book/): Deep dive on OpenPGP
* [Sequoia](https://sequoia-pgp.org/): alternate OpenPGP implementation in rust
* [openpgp-card](https://codeberg.org/openpgp-card)
* [openpgp-card-tools](https://codeberg.org/openpgp-card/openpgp-card-tools)
* [ssh-agent](https://codeberg.org/openpgp-card/ssh-agent)