Cryptography and Security
I have a bit of an interest in security, and have used cryptography for quite a long time.
Since November 1999 I have been a notary in the Thawte Web of Trust and can make an assertion about your identity. You can send me email encrypted with either PGP / GnuPG or S/MIME, but nobody ever does (except John Robinson and Chris Young).
For a number of years I have run a CA at work called "stat.auckland.ac.nz", and another at home called "Snap CA".
With the rise of wireless networking and everyone running off to use externally-hosted web services there is a need for pretty much everything to be encrypted. The only snag is that it is difficult to do and often user unfriendly, but it doesn't need to be.
Certification Authorities (CA)
I trust my browser, my browser trusts Thawte, Thawte asserts this website is genuine. Thus, you are reading the unaltered work of Stephen Cope*.
Anyone can start a CA, but the magical component - your browser trusting the CA - is what turns an activity anyone can do into a tightly controlled monopoly. (VeriSign bought my favourite CA for cheap certificates and jacked up the prices: Thawte.)
I started a CA at work to sign all the internal services we use: POP3s, IMAPS, HTTPS (not on external facing websites), LDAP, and SMTP. If we had to pay for a certificate for each of those services we'd be spending huge sums of money. Instead it was cheaper to start our own CA and install the CA certificate onto each client:
- Mac OS X (which covers the whole operating system and applications)
- Internet Explorer (which also covers Outlook)
- Firefox (which has its own store)
- Thunderbird (which has its own store)
For my personal server and its services I started another CA for that: Snap CA (after the name of the server). That's trusted by approximately four browsers and five computers worldwide. I also issued user certificates so that your browser could automatically authenticate to the webserver.
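The private-CA arrangement described above, as an added example that is not this page's own procedure: a throwaway CA signs one service certificate, and verification succeeds only when the client's trust anchor is that CA. The subject names, file names and 30-day lifetimes are assumptions, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: every name, subject and lifetime below is constructed.

# Build a throwaway PKI in a temporary directory and print its path.
make_demo_pki() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # 1. The CA: a private key plus a self-signed root certificate.
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Example Internal CA" \
            -keyout ca.key -out ca.crt 2>/dev/null || exit 1
        # 2. An unrelated root that never signed anything.
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Some Other CA" \
            -keyout other.key -out other.crt 2>/dev/null || exit 1
        # 3. The service: its own key and a certificate signing request.
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=imap.example.internal" \
            -keyout srv.key -out srv.csr 2>/dev/null || exit 1
        # 4. The CA signs the request; ca.key is the secret to protect.
        openssl x509 -req -in srv.csr -days 30 \
            -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out srv.crt 2>/dev/null || exit 1
    ) || return 1
    echo "$dir"
}

# chains_to ROOT CERT: succeeds only if CERT verifies against ROOT,
# the decision a client makes once a CA certificate is in its store.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

dir=$(make_demo_pki) || exit 1
chains_to "$dir/ca.crt" "$dir/srv.crt" \
    && echo "client trusting ca.crt: srv.crt accepted"
chains_to "$dir/other.crt" "$dir/srv.crt" \
    || echo "client trusting only other.crt: srv.crt rejected"
rm -rf "$dir"
```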
For a brief period we dallied with certificates from ipsCA (free for educational institutions), but Safari 4 doesn't like the self-signed root certificate, and sometimes Firefox gets grumpy about it, so we went running back to Thawte.
* In this example I am only referring to the HTTPS connection from your browser to this web server. The circumvention in this case is to edit the file on the file server here in the Department of Statistics. To know that I really wrote this page I would have to generate a signature in either GnuPG or similar and sign it with my personal key.
PGP and GnuPG email
This is my personal GnuPG key fingerprint:
pub 1024D/D63DFDD1 2009-06-10 [expires: 2014-06-09]
Key fingerprint = 82E9 9BE4 6E14 C2D0 C6FB 8860 21D0 2B4D D63D FDD1
uid Stephen Cope (GnuPG at Home)
sub 2048g/AB310520 2009-06-10 [expires: 2014-06-09]

pub 1024D/901AF2F3 2010-05-13 [expires: 2012-05-12]
Key fingerprint = B5F5 3AFD F282 3AD5 10DF AC9D 49C4 F808 901A F2F3
uid Stephen Cope (FireGPG at Work)
sub 4096g/0DBE5F00 2010-05-13 [expires: 2012-05-12]
What can you do with it? Not much. Maybe grab my key from a keyserver. Or grab it from here (select entire block including -----, right-click, FireGPG, Import):
And my key for work:
Also: PGP public key (.asc) for home, PGP public key (.asc) for work.
You can even do ridiculous things such as ...
user@host:~$ lynx -dump https://www.stat.auckland.ac.nz/~kimihia/crypto | gpg --import
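After an import like this, the check worth making is that the key's full fingerprint equals the one published above, since an 8-digit key ID is too short to identify a key. The following is an added example, not part of the original page: it parses `gpg --with-colons --fingerprint` output, and the two listings embedded in it are constructed (the first from the home-key fingerprint on this page, with placeholder subkey values).

```shell
#!/bin/sh
# Added example. Real input would come from:
#   gpg --with-colons --fingerprint D63DFDD1

# Print the fingerprint of each primary key in a colon listing on stdin:
# field 10 of the "fpr" record that follows a "pub" record.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }   # skip subkey fingerprints
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# fingerprint_ok EXPECTED < listing
#   0: exactly one primary key, and its fingerprint equals EXPECTED
#   1: mismatch, or more than one primary key in the listing
#   2: EXPECTED is not a full 40-digit fingerprint (e.g. a short key ID)
fingerprint_ok() {
    expected=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    found=$(primary_fingerprints)
    [ "${#expected}" -eq 40 ] || return 2
    [ "$found" = "$expected" ]
}

# Constructed listing built from the home-key fingerprint on this page;
# the subkey records hold placeholder values.
genuine_listing() {
    cat <<'EOF'
pub:-:1024:17:21D02B4DD63DFDD1:::::::
fpr:::::::::82E99BE46E14C2D0C6FB886021D02B4DD63DFDD1:
uid:-::::::::Stephen Cope (GnuPG at Home):
sub:-:2048:16:00000000AB310520:::::::
fpr:::::::::00000000000000000000000000000000AB310520:
EOF
}

# Constructed look-alike: same short key ID, different fingerprint.
lookalike_listing() {
    cat <<'EOF'
pub:-:1024:17:AAAAAAAAD63DFDD1:::::::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD63DFDD1:
EOF
}

PAGE_FPR="82E9 9BE4 6E14 C2D0 C6FB 8860 21D0 2B4D D63D FDD1"
genuine_listing   | fingerprint_ok "$PAGE_FPR" && echo "genuine: match"
lookalike_listing | fingerprint_ok "$PAGE_FPR" || echo "look-alike: rejected"
```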
To send GnuPG encrypted mail through web mail, e.g. Google Mail, you need something in your web browser that works in with GnuPG on your computer. You really don't want Google Mail or any other service looking after your private key - what happens if your lousy password or authentication cookie gets sniffed?
James recommends FireGPG to GnuPG sign mail through Google Mail.
S/MIME email
Mail.app (on Mac OS X) works well for sending and receiving S/MIME email. Outlook seems to be able to handle it.
What I have not yet gotten working is S/MIME on Outlook Web Access. Perhaps it is something to do with Internet Explorer 8, but the S/MIME plugin may not be pulling its weight, or perhaps the PKI isn't set up correctly by the University of Auckland.
Here is my work public key for sending S/MIME emails to my work email address. (You can figure it out from the certificate.)
-----BEGIN CERTIFICATE----- (OH NO! This certificate has expired!) -----END CERTIFICATE-----
Also: S/MIME public key (.cer)
Can you trust this? Well, make sure you're getting the version from https://www.stat.auckland.ac.nz, and check the certificate on that HTTPS server is valid.
Even better, this certificate is signed by Thawte, so you can verify their signature of it. This is the magic that makes S/MIME "easier" than PGP.
Where can you get your next S/MIME certificate from?
Supplier | Product | Price | Features
---|---|---|---
Thawte | Thawte Personal Freemail | Free | Your name with 50 assurance points; discontinued October 2009
AusCERT PKI | Personal Certificates (Enterprise plus Service) | Free | Your educational or research organisation pays AUD$7,000 p.a. +GST and you get a free certificate.
Comodo | Free Secure Email Certificate | Free / Business: USD$12 | Free for personal use
StartSSL | An account | Free | Your name on the certificate once you get enough points, or pay to get authenticated
VeriSign | Digital IDs for Secure Email | USD$19.95 | First hit is free for refugees from Thawte
CAcert | Client certificates (un-assured) | Free | Unfortunately, no software trusts their root certificate out of the box
Grid Computing
How does Grid computing fit in here? Again, all the infrastructure is based around Certification Authorities certifying that you're connecting to a valid host and that you exist. Globus has this built in.
Grix requests a certificate and Grisu can manage user certificates, which are then authorised by the CA and given permission to access services. Grisu then lets you use those certificates to submit jobs.
Globus looks for CA certificates in /etc/grid-security/certificates, which is helped if you have a link from $GLOBUS_LOCATION/TRUSTED_CA to $X509_CERT_DIR. For Fedora Core 10 this will help:
GLOBUS_LOCATION=/usr/share/globus
X509_CERT_DIR=/etc/grid-security/certificates
These can be exported on a per-user basis. Also worth looking at, depending where you are keeping your private X509 keys (Grisu will know), is the X509_USER_PROXY value, which usually points to /tmp/x509up_* .
user@host:~$ ls -l $GLOBUS_LOCATION/TRUSTED_CA
lrwxrwxrwx 1 root root 31 2009-09-03 14:32 /usr/share/globus/TRUSTED_CA -> /etc/grid-security/certificates
Here is a handy shell script to help you upload files using gsiftp. You'll need to customise this with the remote hostname and your remote username and home directory, but assuming the same local and remote username and you're uploading to ATLAS at the Max-Planck-Institut für Gravitationsphysik:
#!/bin/bash
# copies a single file to ATLAS
if [ -z "$1" ] ; then
    echo "usage: globus-copy-to-atlas: filename directory-on-atlas"
    exit 1
fi
# this is the most important environment variable:
# the directory Globus searches for trusted CA certificates
if [ -z "$X509_CERT_DIR" ] ; then
    export X509_CERT_DIR=/etc/grid-security/certificates
fi
# source URL is built from the local hostname and the current directory;
# quoting keeps file names containing spaces in one argument
globus-url-copy "file://$(hostname)/$(pwd)/$1" \
    "gsiftp://${USER}@atlas1.atlas.aei.uni-hannover.de/home/${USER}/$2"
if [ -n "$3" ] ; then
    echo "additional arguments ignored"
fi
That's just a quick script. You can customise it and make something a bit better if you want. It makes a guess at the X509 certificate directory if it is not set.
On Fedora 10 you also need to install most of the globus-* packages, and also get a copy of the public CA keys from somewhere. I just snagged them from another machine that had been set up correctly, but that may not be the most Fedora-like way (if such a thing exists).
user@remote:~$ tar c /etc/grid-certificates > ~/certs.tar
tar: warning about being unable to read some private files*
user@remote:~$ scp ~/certs.tar local: && logout
user@local:~$ (this step is an exercise for the reader)
* This will attempt to pick up the private host key from the system you're copying from. As this is unique to each host and also protected you won't be able to get it and tar will complain. Don't worry. This is not fatal. This is intentional. If you're really worried you can generate your own host key.
Usability
Pretty much the usability is terrible, the whole way through the system. Things don't work. They're not documented. They're not tested. Everything is all highly site-dependent.
Thawte has a very good setup on their website, but that hasn't been maintained in many years and has problems with Internet Explorer 8 (pro tip: turn on compatibility mode).
Mac OS X has a very slick key and certificate management tool in Keychain Access, however it sends your certificate signing request out by email, and so the person on the other end needs the right infrastructure to handle it. (When I receive the email I sign them by hand, one at a time, in a rather labour intensive process.)
Mac OS X's mail application has good support for S/MIME and makes it very easy, while mutt has superb GnuPG integration.
Outlook: haven't used it much but some people like it. Outlook Web Access: haven't got it working yet, and it hates even valid certificates.
Closing Notes
It's worth the effort.