SlideShare a Scribd company logo

Design and Analyze Secure Networked Systems - 5

D
Don Kim

The document outlines methods for securing software distribution using software signing techniques, including the use of GPG and PGP for authenticity verification. It details the steps for signing and verifying software, including generating message digests and using public/private key pairs. It also compares Public Key Infrastructure (PKI) to PGP, highlighting their differences in key management and security.

Software
1 of 19
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Design and Analyze Secure Networked Systems 5 Prof. Edward Chow @ Colorado Univ. Note by waegaein@github.com
Software Signing • Provide ways to verify authenticity and integrity of software which are distributed via web. • GPG GNU Privacy Guard (GnuPG or GPG) is a tool for secure communication. It can be used to generate public/private key pair. • PGP Pretty Good Privacy (PGP) is encryption program that follows OpenPGP standard for encyption/decryption of data.
Sign Software 1. Finish a version for release. 2. Generate MD5 and SHA1 message digest of the software. 3. Generate PGP signature of the digest, using private key. 4. Distribute the software with the signature. 5. Distribute the public key, which pairs with the private key used for signing, to key servers.
Sign Software Key server Version for release Mirror site Software Author
Sign Software Key server Version for release Message DigestHash e.g. SHA-256 Mirror site Software Author
Sign Software Key server Version for release Message DigestHash e.g. SHA-256 (private key) Mirror site Software Author Encrypt
Sign Software Key server Version for release Message DigestHash e.g. SHA-256 (private key) Software Distribution Mirror site Software Author Encrypt
Sign Software Key server Upload distribution Version for release Message DigestHash e.g. SHA-256 (private key) Software Distribution Mirror site Software Author Encrypt
Sign Software Software Author Key server Upload public key Upload distribution Version for release Message DigestHash e.g. SHA-256 Encrypt (private key) Software Distribution Mirror site
Verify Software 1. Download software and its signature. 2. Retrieve public key from key server. 3. Decrypt the signature into a digest. 4. Generate a digest by hashing the software. 5. If the two digests are identical, the software is verified. 6. If different, the software or signature is considered to be altered.
Verify Software Software User Key server Mirror site
Verify Software Software User Retrieve public key Download distribution Key server Mirror site
Verify Software Software User Retrieve public key Download distribution Key server Mirror site
Verify Software Software User Decrypt (public key) Retrieve public key Download distribution Key server Mirror site
Verify Software Software User Hash Decrypt (public key) Retrieve public key Download distribution Key server Mirror site
Verify Software Software User Hash Decrypt (public key) = Verified / Altered Retrieve public key Download distribution Key server Mirror site
Mirror Sites • Voluntarily distribute software releases of other organizations to provide faster access. • Not managed by the original author organizations. • Encouraged to download bundle from mirrors. • Encouraged to download hash and signatures only from the original.
PKI vs PGP • PKI • uses CA to vet and bind public keys to user ID. • takes longer to register/verify • is centralized thus have SPOF. • costs fee from CA. • PGP • uses Web of Trust (Key servers) to vet and bind public key to user ID. • is hard to revoke keys • is distributed. • is free.
Misc. How much is encryption safe? • SHA-1 was cracked by Google 2017. • … This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations … • 110 years of single-GPU == 1 year of 110 GPUs == 24 hours of 40,150 GPUs == 1 hour of 963,600 GPUs == 1 minute of 57,816,000 GPUs == 10 seconds of 346,896,000 GPUs (== 9,435,571,200,000 KRW for only GPUs…)

More Related Content

PDF
Design and Analyze Secure Networked Systems - 4
Don Kim
 
PDF
Secure Software Distribution in an Adversarial World
Diogo Mónica
 
PPTX
Attacking VPN's
n|u - The Open Security Community
 
PDF
How to Build a Custom Plugin in Rundeck
Rundeck
 
PDF
HashiTalks 2020 - Chef Tools & Terraform: Better Together
Matt Ray
 
PPTX
Pwning the Enterprise With PowerShell
Beau Bullock
 
PPTX
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat Security Conference
 
ODP
Kali linux and some features [view in Full screen mode]
abdou Bahassou
 
Design and Analyze Secure Networked Systems - 4
Don Kim
 
Secure Software Distribution in an Adversarial World
Diogo Mónica
 
Attacking VPN's
n|u - The Open Security Community
 
How to Build a Custom Plugin in Rundeck
Rundeck
 
HashiTalks 2020 - Chef Tools & Terraform: Better Together
Matt Ray
 
Pwning the Enterprise With PowerShell
Beau Bullock
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat Security Conference
 
Kali linux and some features [view in Full screen mode]
abdou Bahassou
 

What's hot (20)

PDF
Secrets as Code
Johann Gyger
 
PPTX
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
CloudVillage
 
PDF
Integrating Icinga 2 and ntopng - Icinga Camp Milan 2019
Icinga
 
PDF
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
Daniel Oh
 
PDF
New Products Overview: Use Cases and Demos
Caitlin Magat
 
PDF
Building security into the pipelines
Vandana Verma
 
PPT
Major project presentation
Shubham Khandelwal
 
PPTX
Network Intelligence for a secured Network (2014-03-12)
Andreas Taudte
 
PDF
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
PDF
Practical Guide to Securing Kubernetes
Lacework
 
PDF
Investigating, Mitigating and Preventing Cyber Attacks with Security Analytics
IBMGovernmentCA
 
PPTX
An Adversarial View of SaaS Malware Sandboxes
Jason Trost
 
PDF
CNIT 128 3. Attacking iOS Applications (Part 1)
Sam Bowne
 
PPTX
Prowler: BlackHat Europe Arsenal 2018
Toni de la Fuente
 
PDF
Building layers of defense for your application
VMware Tanzu
 
PDF
Shamoon
Shakacon
 
PDF
Compliance as Code Everywhere
Matt Ray
 
PPTX
Pentest Apocalypse
Beau Bullock
 
PDF
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat Security Conference
 
PPTX
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
Secrets as Code
Johann Gyger
 
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
CloudVillage
 
Integrating Icinga 2 and ntopng - Icinga Camp Milan 2019
Icinga
 
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
Daniel Oh
 
New Products Overview: Use Cases and Demos
Caitlin Magat
 
Building security into the pipelines
Vandana Verma
 
Major project presentation
Shubham Khandelwal
 
Network Intelligence for a secured Network (2014-03-12)
Andreas Taudte
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
Practical Guide to Securing Kubernetes
Lacework
 
Investigating, Mitigating and Preventing Cyber Attacks with Security Analytics
IBMGovernmentCA
 
An Adversarial View of SaaS Malware Sandboxes
Jason Trost
 
CNIT 128 3. Attacking iOS Applications (Part 1)
Sam Bowne
 
Prowler: BlackHat Europe Arsenal 2018
Toni de la Fuente
 
Building layers of defense for your application
VMware Tanzu
 
Shamoon
Shakacon
 
Compliance as Code Everywhere
Matt Ray
 
Pentest Apocalypse
Beau Bullock
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat Security Conference
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
Ad

Similar to Design and Analyze Secure Networked Systems - 5 (20)

PDF
[CB19] tknk_scanner v2:community-based integrated malware identification syst...
CODE BLUE
 
PDF
Securing Source Code on Endpoints
thomashelsley
 
PDF
Oh The Places You'll Sign.pdf
LibbySchulze
 
PPT
Network security-primer-9544
Hfz Mushtaq
 
PDF
Infiltrating the Supply Chain Attack: Advanced Payload Delivery and Evasion T...
null - The Open Security Community
 
PPT
Open source technology
aparnaz1
 
PPTX
Node.js Module: I Choose You!
Bethany Nicolle Griggs
 
PPTX
Password Pusher Media Resources
Peter Giacomo Lombardo
 
PPTX
presentation_finals
Shivashish Kumar
 
PDF
Implementing Microservices Security Patterns & Protocols with Spring
VMware Tanzu
 
PPT
BlackDuck Suite
jeff cheng
 
PPTX
CryptoGraphy Module in Mulesoft
shyamraj55
 
PDF
Abusing bleeding edge web standards for appsec glory
Priyanka Aash
 
PDF
Open source software governance with DejaCode
nexB Inc.
 
PPTX
Open source technologies
BrizGo
 
PDF
ZKorum: Building the Next Generation eAgora powered by SSI
SSIMeetup
 
PDF
Cyanogen Platform SDK
Adnan Begovic
 
PDF
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack
 
PDF
Open Source & What It Means For Self-Sovereign Identity (SSI)
Evernym
 
PDF
Safeguarding artifact integrity in your Software Supply Chain
Giovanni Galloro
 
[CB19] tknk_scanner v2:community-based integrated malware identification syst...
CODE BLUE
 
Securing Source Code on Endpoints
thomashelsley
 
Oh The Places You'll Sign.pdf
LibbySchulze
 
Network security-primer-9544
Hfz Mushtaq
 
Infiltrating the Supply Chain Attack: Advanced Payload Delivery and Evasion T...
null - The Open Security Community
 
Open source technology
aparnaz1
 
Node.js Module: I Choose You!
Bethany Nicolle Griggs
 
Password Pusher Media Resources
Peter Giacomo Lombardo
 
presentation_finals
Shivashish Kumar
 
Implementing Microservices Security Patterns & Protocols with Spring
VMware Tanzu
 
BlackDuck Suite
jeff cheng
 
CryptoGraphy Module in Mulesoft
shyamraj55
 
Abusing bleeding edge web standards for appsec glory
Priyanka Aash
 
Open source software governance with DejaCode
nexB Inc.
 
Open source technologies
BrizGo
 
ZKorum: Building the Next Generation eAgora powered by SSI
SSIMeetup
 
Cyanogen Platform SDK
Adnan Begovic
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack
 
Open Source & What It Means For Self-Sovereign Identity (SSI)
Evernym
 
Safeguarding artifact integrity in your Software Supply Chain
Giovanni Galloro
 
Ad

More from Don Kim (10)

PDF
Clean Code - 5
Don Kim
 
PDF
Clean Code - 4
Don Kim
 
PDF
Clean Code - 3
Don Kim
 
PDF
Clean Code - 2
Don Kim
 
PDF
Clean Code - 1
Don Kim
 
PDF
Design and Analyze Secure Networked Systems - 7
Don Kim
 
PDF
Design and Analyze Secure Networked Systems - 6
Don Kim
 
PDF
Design and Analyze Secure Networked Systems - 3
Don Kim
 
PDF
Design and Analyze Secure Networked Systems - 2
Don Kim
 
PPTX
Design and Analyze Secure Networked Systems - 1
Don Kim
 
Clean Code - 5
Don Kim
 
Clean Code - 4
Don Kim
 
Clean Code - 3
Don Kim
 
Clean Code - 2
Don Kim
 
Clean Code - 1
Don Kim
 
Design and Analyze Secure Networked Systems - 7
Don Kim
 
Design and Analyze Secure Networked Systems - 6
Don Kim
 
Design and Analyze Secure Networked Systems - 3
Don Kim
 
Design and Analyze Secure Networked Systems - 2
Don Kim
 
Design and Analyze Secure Networked Systems - 1
Don Kim
 

Recently uploaded (20)

PDF
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PPTX
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
PDF
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
PPTX
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
17 Powerful Integrations Your Next-Gen MLM Software Needs
ventaforcemlmsoftwar
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PPTX
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
PDF
Website Design Services for Small Businesses.pdf
ecomme9
 
PDF
iTop VPN 6.5.0 Crack + License Key 2025 (Premium Version)
youngle786g
 
PDF
Cost to Outsource Software Development in 2025
Omega Incorporations- Best Software Development Company
 
PDF
CapCut Video Editor 6.8.1 Crack for PC Latest Download (Fully Activated) 2025
itskinga12
 
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
17 Powerful Integrations Your Next-Gen MLM Software Needs
ventaforcemlmsoftwar
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
Website Design Services for Small Businesses.pdf
ecomme9
 
iTop VPN 6.5.0 Crack + License Key 2025 (Premium Version)
youngle786g
 
Cost to Outsource Software Development in 2025
Omega Incorporations- Best Software Development Company
 
CapCut Video Editor 6.8.1 Crack for PC Latest Download (Fully Activated) 2025
itskinga12
 

Design and Analyze Secure Networked Systems - 5

  • 1. Design and Analyze Secure Networked Systems 5 Prof. Edward Chow @ Colorado Univ. Note by waegaein@github.com
  • 2. Software Signing • Provide ways to verify authenticity and integrity of software which are distributed via web. • GPG GNU Privacy Guard (GnuPG or GPG) is a tool for secure communication. It can be used to generate public/private key pair. • PGP Pretty Good Privacy (PGP) is encryption program that follows OpenPGP standard for encyption/decryption of data.
  • 3. Sign Software 1. Finish a version for release. 2. Generate MD5 and SHA1 message digest of the software. 3. Generate PGP signature of the digest, using private key. 4. Distribute the software with the signature. 5. Distribute the public key, which pairs with the private key used for signing, to key servers.
  • 4. Sign Software Key server Version for release Mirror site Software Author
  • 5. Sign Software Key server Version for release Message DigestHash e.g. SHA-256 Mirror site Software Author
  • 6. Sign Software Key server Version for release Message DigestHash e.g. SHA-256 (private key) Mirror site Software Author Encrypt
  • 7. Sign Software Key server Version for release Message DigestHash e.g. SHA-256 (private key) Software Distribution Mirror site Software Author Encrypt
  • 8. Sign Software Key server Upload distribution Version for release Message DigestHash e.g. SHA-256 (private key) Software Distribution Mirror site Software Author Encrypt
  • 9. Sign Software Software Author Key server Upload public key Upload distribution Version for release Message DigestHash e.g. SHA-256 Encrypt (private key) Software Distribution Mirror site
  • 10. Verify Software 1. Download software and its signature. 2. Retrieve public key from key server. 3. Decrypt the signature into a digest. 4. Generate a digest by hashing the software. 5. If the two digests are identical, the software is verified. 6. If different, the software or signature is considered to be altered.
  • 11. Verify Software Software User Key server Mirror site
  • 12. Verify Software Software User Retrieve public key Download distribution Key server Mirror site
  • 13. Verify Software Software User Retrieve public key Download distribution Key server Mirror site
  • 14. Verify Software Software User Decrypt (public key) Retrieve public key Download distribution Key server Mirror site
  • 15. Verify Software Software User Hash Decrypt (public key) Retrieve public key Download distribution Key server Mirror site
  • 16. Verify Software Software User Hash Decrypt (public key) = Verified / Altered Retrieve public key Download distribution Key server Mirror site
  • 17. Mirror Sites • Voluntarily distribute software releases of other organizations to provide faster access. • Not managed by the original author organizations. • Encouraged to download bundle from mirrors. • Encouraged to download hash and signatures only from the original.
  • 18. PKI vs PGP • PKI • uses CA to vet and bind public keys to user ID. • takes longer to register/verify • is centralized thus have SPOF. • costs fee from CA. • PGP • uses Web of Trust (Key servers) to vet and bind public key to user ID. • is hard to revoke keys • is distributed. • is free.
  • 19. Misc. How much is encryption safe? • SHA-1 was cracked by Google 2017. • … This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations … • 110 years of single-GPU == 1 year of 110 GPUs == 24 hours of 40,150 GPUs == 1 hour of 963,600 GPUs == 1 minute of 57,816,000 GPUs == 10 seconds of 346,896,000 GPUs (== 9,435,571,200,000 KRW for only GPUs…)