4 - Application-Layer Security (Privacy Cont'd) Flashcards

1
Q

Privacy Cont’d

A

2013’s lesson:
Snowden: Our online activity is being surveilled at a massive scale!

We can make it harder for them to spy on us by using E2EE (e.g. TLS) and anonymization services (e.g. Tor)

That works well for browsing and other direct end-to-end communication! But what about our emails?

2
Q

E-mail privacy

A

In principle: only the intended destination of an email should be able to read the email!

End-to-end encryption is necessary for private emails

  • Your email provider should not be able to read your emails!
  • SSL/TLS should still be used to conceal metadata (email header)

E2EE for emails can be done by encrypting the mail’s content

The most common approaches to do so are:

  • S/MIME (RFC 5751)
  • PGP or OpenPGP (RFC 4880)
  • The use of PGP was requested by Snowden for communicating with Greenwald
3
Q

Symmetric vs. Asymmetric Cryptography

A

Symmetric cryptography uses one key K for both encryption and decryption, or for both signing and checking
- Example: password for file encryption

Asymmetric cryptography (or public-key cryptography) uses two different keys for encryption and decryption, or for signing and checking

  • Things encrypted using the public key Kpub can only be decrypted with the private key Kpriv and vice versa
  • Example: SSL/TLS, PGP
4
Q

Pretty Good Privacy (PGP)

A

Designed and implemented by Phil Zimmermann
(see SDS Introduction slides)
- He simply integrated the best available crypto algorithms as building blocks into a general-purpose tool for signing and encrypting arbitrary data (i.e. not only emails, but also files etc.)
- PGP is freely available for basically all platforms (called OpenPGP)

OpenPGP provides services such as

  • Encryption
  • Digital signatures
  • Compression
  • Key management
  • Certificate services