Open Source crypto toolkits

Security works best with open source software; not because everybody validates the code used, but because everybody has the freedom do this. The additional fact that open source toolkits function well makes them very suitable for everyday use in security-aware situations.

This workshop is intended for system administrators and programmers who build open source toolkits into their secured systems. The two main open source crypto toolkits are presented, namely GnuPG and OpenSSL. These tools are approached over a commandline, because this provides the best portability between operating systems. This workshop takes one day and extends upon the knowledge of the course What is crypto?

PGP keys versus X.509 certificates

OpenSSL is the most-used open source implementation of the X.509 certification standaard (RFC 2459) and the Public Key Infrastructure based on it. GnuPG on the other hand is the open source implementation of OpenPGP (RFC 2440). These practically usable crypto-systems serve similar goals, but also differ on a number of points.

• Origin of the two standards
• Representation of keys, digital signatures, encryption
• Certificates and keys
• Exchange of keys
• Trust infrastructure

Digital signatures

Both PGP and X.509 support digital signatures, for example for use in emails, or to demonstrate that plain files are in their original condition.

• Detached and attached signatures
• Sending signatures in emails
• Content of the data structures
• Revocation of a signatures
• Signing for certificates and keys
• Root certificates and trust bases

Encryption

Encryption can be used to limit the visibility of information to a select group.

• Combining signatures and encryption
• Encryption of files and emails
• Encryption of partitions
• Encryption for multiple recipients
• Sharing a decryption key