PGP and SMIME

Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
00:00
>> We're going to wrap up the cryptography domain.
00:00
But before we do, we're going to
00:00
talk about email cryptosystems.
00:00
Cryptosystems provide the framework for security.
00:00
One common cryptosystem is referred to as S/MIME.
00:00
That stands for Secure Multi-part
00:00
Internet Mail Exchange or Extension.
00:00
You can hear it either way.
00:00
The idea here is that when we
00:00
create a secure email message,
00:00
S/MIME is standards based and
00:00
it uses X.509 certificates.
00:00
Ultimately, the way the process works is as follows.
00:00
Let me go back and show you more
00:00
of my mad PowerPoint skills.
00:00
Okay. Let's talk about an email message.
00:00
When I send an email message,
00:00
I want it to be secure.
00:00
The first thing I think about doing
00:00
is that I create the contents.
00:00
Now, we'd want to encrypt
00:00
the message contents with symmetric cryptography,
00:00
because this could end up being a large amount of
00:00
data and symmetric cryptography is faster.
00:00
So it needs to be encrypted with a symmetric key.
00:00
But here's the problem.
00:00
How do I get the shared key to the receiver?
00:00
I have to figure out a way to
00:00
securely distribute it.
00:00
So what I do is I put
00:00
that symmetric key right on the message.
00:00
But if I do that and someone
00:00
else intercepts the message,
00:00
they can get my symmetric key.
00:00
So I will encrypt that symmetric key
00:00
using a key I have from the receiver.
00:00
Now, which key do you think I have from the receiver?
00:00
I have the receiver's public key,
00:00
and I use that to encrypt
00:00
my symmetric key. What have I just done?
00:00
Use symmetric key exchange.
00:00
I also need to make sure that
00:00
the receiver knows the message has
00:00
not been modified in transit,
00:00
so I put a hash on the message.
00:00
Of course, the whole purpose of
00:00
a hash is to guarantee integrity.
00:00
What's the last thing I'm going to do?
00:00
How do I make sure the receiver is going to know who
00:00
that message comes from and that it comes from me?
00:00
Well, the way it works is
00:00
that the hash is encrypted with
00:00
the sender's private key
00:00
and that provides non-repudiation.
00:00
It's also called a digital signature.
00:00
What we see here is the creation of a digital envelope
00:00
via S/MIME and everything follows the standards.
00:00
Breaking from the standards,
00:00
we have another email cryptosystem called
00:00
PGP, Pretty Good Privacy.
00:00
I love that name. It was developed
00:00
by a gentleman named Phil Zimmermann.
00:00
He was really strong in the privacy camp.
00:00
He proposed that the government would like to decrypt
00:00
anything that was encrypted, and that's true.
00:00
But Zimmermann asked why we were all
00:00
using these algorithms and standards provided
00:00
by the government if the government was going to be
00:00
so untrustworthy in relation to the cryptography.
00:00
Why wouldn't we use our own?
00:00
Zimmermann created the email application,
00:00
PGP, and he developed
00:00
his own encryption algorithm to support PGP.
00:00
That algorithm is called IDEA,
00:00
Internet Data Encryption Algorithm.
00:00
PGP doesn't use X.509 certificates.
00:00
It uses its own certificates and users
00:00
sign each other's certificates in
00:00
what turns out to be a Web Of Trust.
00:00
If you trust Mark and Mark trusts Sally,
00:00
then you trust Sally. It works that way.
00:00
Also, instead of logging in with passwords,
00:00
users use passphrases and those are much more
00:00
secure than the eight-character passwords
00:00
we use traditionally.
00:00
The downside is that it's proprietary.
00:00
You have to download special software to use it,
00:00
but it does provide an alternative to S/MIME.
00:00
To recap, we have S/MIME as
00:00
the standards-based email application and we have
00:00
PGP as a proprietary email application
00:00
using IDEA and a Web Of Trust.