
Cryptography Fundamentals, Part 5 – Certificate Authentication

March 5, 2015 by Security Ninja

Certificate Authentication

Here's how to verify that the certificate is from the original sender with GnuPG.


Authenticating an OpenPGP certificate using GnuPG

Only OpenPGP certificates can be certified by users themselves; X.509 certificates must be issued and validated by a CA. To check the authenticity of an OpenPGP certificate, we will use Kleopatra.

  1. Click on Certificates > Certify certificates.
  2. Select the certificate to verify.
  3. Select the certificate and decide the scope of the certification. We selected "Certify for everyone to see."
  4. Click on Certify to check the authenticity of the certificate.

Certificate Distribution

Distribution of certificates using GnuPG

A certificate needs to be distributed. Here's how to export the secret key and public key in ASCII-armored (.asc) format.

How to export a secret key or certificates

  1. Click on the certificate to be exported.
  2. Click on File > "Export Secret Keys" or "Export Certificates".
  3. Choose the location to which the secret key or public key should be exported.
  4. Save the file in .asc format.

Secure Email using OpenPGP certificates

We'll learn how we can apply encryption and decryption to a popular email service such as Gmail.

Gmail Encryption and Decryption process using GnuPG and "MyMail-Crypt"

After certificates are exported, they need to be distributed to the intended recipients. Certificates are usually distributed by email or through a centralized directory service. I created two certificates in Kleopatra and exported the secret key and public key to a folder. Since I have to share my public key, we'll send the public key certificate to the intended recipient. You can see the key distribution function in Kleopatra below.

Here's how to use encryption with the Mymail-crypt Gmail plugin, using Kleopatra generated certificates. These are the labels of our two Kleopatra certificates:

  1. Infosec_User1(Test PGP)
  2. Infosec_User2(Test PGP)

After the certificates (with public keys) are distributed, we can encrypt email.

Here are the instructions for "Infosec_User2," which can be repeated for "Infosec_User1."

  1. Install the "Mymail-Crypt" extension in Chrome for Gmail.
  2. After installation, click on "my keys" and then "Insert private key".
  3. Paste Infosec_User2 (Test PGP)'s secret key from Kleopatra. Click on Submit to register the key with the extension.
  4. Click on "friends keys" and paste Infosec_User1 (Test PGP)'s public key.

Repeat for "Infosec_User1".

Once both key pairs are registered, we can encrypt email. Open Gmail as the sender (Infosec_User2).

  1. The extension you installed adds three buttons to the Gmail UI: "Encrypt and sign," "Encrypt," and "Sign."
  2. Enter your recipient's email address.
  3. Write something in the body of your email.
  4. Enter the password or passphrase you created with your secret key.
  5. Click on "Encrypt".
  6. Send the email.

On the receiver's end (Infosec_User1):

  1. Open the email.
  2. The new Gmail extension adds a Decrypt button to the UI.
  3. Enter the passphrase associated with Infosec_User1's secret key for decryption.
  4. Click on Decrypt.

The email's decrypted!

Below, you can see what happens if you enter the wrong password.


If after decryption, you still get a message that says "Sender's identity cannot be verified," that's because you've only encrypted the email, as opposed to selecting "Encrypt and Sign."
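The same workflow (create two certificates, export them as .asc, import the other party's public key, certify it, then compare "Encrypt and sign" with plain "Encrypt") on the gpg command line. This is an added example, not code from the article or from Kleopatra or Mymail-Crypt; the two GNUPGHOME directories, user IDs and e-mail addresses are constructed for the demo, and it assumes GnuPG 2.1 or newer.

```shell
#!/bin/sh
# Added example (not from the article): the Kleopatra/Mymail-Crypt steps above with gpg.
# Two throwaway GNUPGHOME directories stand in for the two users; user IDs and
# e-mail addresses are constructed for this demo. Needs GnuPG 2.1 or newer.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate" >&2; exit 0; }
WORK=$(mktemp -d); H1="$WORK/user1"; H2="$WORK/user2"
mkdir -m 700 "$H1" "$H2"
cleanup() { for h in "$H1" "$H2"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"; }
trap cleanup EXIT
# One wrapper per user: non-interactive, with unprotected (passphrase-less) keys for the demo.
g1() { gpg --homedir "$H1" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }
g2() { gpg --homedir "$H2" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Create both certificates (Kleopatra: File > New Certificate).
g1 --quick-generate-key 'Infosec_User1 (Test PGP) <user1@example.invalid>' default default never
g2 --quick-generate-key 'Infosec_User2 (Test PGP) <user2@example.invalid>' default default never

# Distribution: export ASCII-armored (.asc) public keys and the sender's secret key, then
# import each public key at the other side (Mymail-Crypt: "my keys" / "friends keys").
g1 --armor --export user1@example.invalid > "$WORK/user1.asc"
g2 --armor --export user2@example.invalid > "$WORK/user2.asc"
g2 --armor --export-secret-keys user2@example.invalid > "$WORK/user2-secret.asc"
g1 --import "$WORK/user2.asc"
g2 --import "$WORK/user1.asc"

# Certification (Kleopatra: Certificates > Certify certificates): User2 checks User1's
# fingerprint out of band, then signs the key. --quick-sign-key makes an exportable
# certification ("certify for everyone to see"); --quick-lsign-key would be local only.
FPR1=$(g2 --with-colons --list-keys user1@example.invalid | awk -F: '$1=="fpr"{print $10; exit}')
g2 --quick-sign-key "$FPR1"

# The two Mymail-Crypt buttons: "Encrypt and sign" versus plain "Encrypt".
printf 'hello from user2\n' > "$WORK/msg.txt"
g2 --armor --local-user user2@example.invalid --recipient user1@example.invalid \
   --output "$WORK/signed.asc" --sign --encrypt "$WORK/msg.txt"
g2 --armor --recipient user1@example.invalid --output "$WORK/unsigned.asc" --encrypt "$WORK/msg.txt"

# decrypt_status FILE: decrypt at User1's side; print "signed" if the sender's signature
# verified (GOODSIG in gpg's machine-readable status output), otherwise "unsigned".
decrypt_status() {
  status=$(g1 --status-fd 1 --output "$WORK/out.txt" --decrypt "$1")
  if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then echo signed; else echo unsigned; fi
}

echo "signed.asc:   $(decrypt_status "$WORK/signed.asc")"     # signed
echo "unsigned.asc: $(decrypt_status "$WORK/unsigned.asc")"   # unsigned
```

The encrypt-only message decrypts fine but carries no signature, which is exactly the "Sender's identity cannot be verified" case; note that even the signed message earns only a "not certified with a trusted signature" warning at User1's side until User1 certifies User2's key in turn.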

Abbreviations

  • PKI: Public Key Infrastructure
  • DES: Data Encryption Standard
  • CBC: Cipher Block Chaining
  • ECB: Electronic Codebook
  • OFB: Output Feedback
  • CFB: Cipher Feedback
  • PCBC: Propagating Cipher Block Chaining
  • CTR: Counter
  • HMAC: Hash Message Authentication Code