Pretty Good Privacy PGP

About This Presentation

Title:

Description:

Number of Views:57

Avg rating:3.0/5.0

Slides: 7

Provided by: csU68

Category:

more less

Transcript and Presenter's Notes

Title: Pretty Good Privacy PGP

1
Pretty Good Privacy (PGP)

2
Difference with X.509

Users create and sign their own certificate.
//in X.509, a CA does that.//
In PGP, a digital certificate can be signed by
multiple users. (to add trustworthiness)
//in X.509, only one signer exists.//
ltgt Signing can be done with a hash function.

3
Design Issues

When A is sending his signature to B, some
intruder can intercept As message and put his
own message that contains a forged signature.
Issue How does B verify that it is the valid
certificate of A.
ltgt It is easy to impersonate a user.

4
Building Trust

A difficult problem (there is no central trusted
authority.)
In one version of PGP, B makes a phone call to A
to confirm the received public key.
gtgt requires As phone number
gtgt voice recognition
gtgt Can be time consuming.

5
Building Trust

PGP empowers a users to verify the
trustworthiness of another users certificate.
Example B can be given the task of verifying
As signature to other users.
B sends to C his self-signed certificate.
B also sends to C As certificate after adding
his signature (signed hash).
C can verify the signature on phone with B. //man
in the middle attack possible.//
ltgt If C trusts B, it will trust As signatures.

6
Web of Trust

If a user D trusts C, he can obtain As signature
from him (C).
C sends D his certificate and As certificate
that contains Ds signature (signed hash).
ltgt Now the As certificate contains three
signatures A, B, and C.
ltgt D might like to verify Bs signatures on it.
gtgt Web of trust is distributed in PGP.
gtgt Web of trust is centralized in X.509.
//emanates from the CA.//