WEBVTT

00:00.390 --> 00:06.240
One of the fun parts of being an I.T. trainer is that every time you get cocky and you think you know

00:06.270 --> 00:12.180
everything there is about a particular topic something comes along and teaches you that that's not necessarily

00:12.180 --> 00:13.220
the truth.

00:13.230 --> 00:21.720
This episode is DGP or Pretty Good Privacy and it is an encryption cryptosystem that's been around for

00:21.750 --> 00:25.010
over 25 years and it's actually kind of interesting.

00:25.020 --> 00:29.310
This is something I used to use a long time ago had kind of forgotten about.

00:29.370 --> 00:34.770
And then once I saw that come out here added this back in as an objective I had quite a lesson.

00:34.770 --> 00:41.610
So let's talk about what is first of all PDP was invented by a guy named Phil Zimmerman way back in

00:41.610 --> 00:42.950
1991.

00:43.350 --> 00:48.300
That type of internet back there in the late 80s early 90s didn't have encryption.

00:48.300 --> 00:54.450
I know today we have secure protocols for this that and the other we can use things like bit locker

00:54.450 --> 00:55.920
to lock down a hard drive.

00:55.920 --> 01:00.680
We got all this encryption and all of these crypto systems all over the place.

01:00.690 --> 01:02.970
But back then there really wasn't any.

01:02.970 --> 01:09.930
If you wanted to encrypt a e-mail there were really good options as mine back then was starting to form.

01:09.930 --> 01:16.680
But for the normal rank and file person there wasn't a nice little program you could pull down install

01:16.710 --> 01:20.790
and start doing encryption until TGP came along.

01:20.790 --> 01:26.030
So PGE was originally invented for email encryption.

01:26.250 --> 01:31.380
Mr. Zimmerman wanted to encrypt stuff sent an e-mail so other people couldn't read it.

01:31.410 --> 01:35.110
Now PGE has evolved tremendously over the years.

01:35.250 --> 01:40.980
So it does all kinds of stuff today it is that you can use it to sign files.

01:40.980 --> 01:43.580
You can use it to encrypt e-mail.

01:43.590 --> 01:46.920
You can encrypt individual files you can encrypt partitions.

01:46.920 --> 01:49.970
You can even do full disk encryption with GPS.

01:49.980 --> 01:57.420
So before we start going into where we're using it let's make sure we understand how the encryption

01:57.420 --> 01:58.180
works.

01:58.260 --> 02:05.790
PGE counts on the idea of a random key that's generated by the encryptor the encryptor creates a random

02:05.790 --> 02:13.740
key and then they encrypt their data using that random key and then they encrypt the key using the receiver's

02:13.740 --> 02:14.540
public key.

02:14.540 --> 02:17.570
So you will definitely have a key exchange going on here.

02:17.760 --> 02:22.950
So you've got your encrypted data and your encrypted key and then you send an encrypted message.

02:23.040 --> 02:26.480
Decryption works pretty much the exact same way in reverse.

02:26.490 --> 02:31.410
So we start with our encrypted message and we separate the encrypted key from the data it's very easy

02:31.410 --> 02:32.920
to make that separation.

02:33.210 --> 02:38.820
And then we take the encrypted key and we decrypt it with the private key.

02:38.820 --> 02:41.890
So this works very much like a classic asymmetric key.

02:42.210 --> 02:49.070
We now have the temporary key the random key and we can use that to decrypt the data.

02:49.140 --> 02:51.690
And the end result is we have our plain text.

02:51.840 --> 02:57.600
So if you noticed from that diagram We've got two keys we've got a public private key and then we also

02:57.600 --> 02:58.980
have this random key.

02:58.980 --> 03:05.330
So for those of you who are familiar with T.L. acet if you watch my episodes on T.L. s asymmetric had

03:05.330 --> 03:12.570
scription you'll know that in a lot of situations we use asymmetric encryption only to transfer a session

03:12.600 --> 03:15.090
key and then we switch to symmetric.

03:15.090 --> 03:17.510
So PGE works very similar to this.

03:17.520 --> 03:23.910
This is fascinating because you got to keep in mind Phil Zimmerman invented all of this by himself.

03:23.910 --> 03:30.630
PGE is an open standard but unlike so many other cryptographic systems we use he just came up with this

03:30.930 --> 03:34.260
on his own and it is did the test of time.

03:34.260 --> 03:37.530
Now granted there's been a lot of improvements over the years.

03:37.830 --> 03:44.100
For example originally it would be using something called El-Gamal which is really just Diffie Helman

03:44.400 --> 03:48.180
and also he had to invent his own certificates.

03:48.210 --> 03:52.730
He doesn't use X-Com 5 0 9 certificates like the rest of the Internet does.

03:52.740 --> 03:59.640
There is a special type of certificate called DGP so also one other thing it's actually kind of interesting

03:59.940 --> 04:05.410
is Mr. Zimmerman came up with something very different called web of trust.

04:05.490 --> 04:06.950
So let me show you how this works.

04:06.960 --> 04:11.580
Now if you've watched other episodes you're familiar with the idea of public key infrastructure where

04:11.580 --> 04:19.470
we have a certificate authority intermediate authorities and then individual folks so any time a certificate

04:19.470 --> 04:25.650
has to be checked it's signed by the certificate authority and the intermediates do the day to day checking

04:25.650 --> 04:26.550
of the certificate.

04:26.560 --> 04:35.100
So TKI is the way the entire internet works so let me show you another way instead of the nice pyramid.

04:35.270 --> 04:43.010
Imagine you have one certificate that trust another certificate and then that certificate trust another

04:43.010 --> 04:45.320
certificate and you end up with this mesh.

04:45.320 --> 04:53.150
This web of trust web of trust was I'm not going to say Phil Zimmerman invented the concept but he was

04:53.150 --> 04:57.670
the first person to really push this concept forward a complete alternative TKI.

04:57.740 --> 05:02.990
There's some big benefits of web of trust with with this you don't have any Veras signs or any big companies

05:02.990 --> 05:04.020
charging you money.

05:04.100 --> 05:07.510
It's just a matter of having a buddy who knows a friend who knows a pal.

05:07.700 --> 05:14.570
And back in the TGP days I actually did this you would have people who would call themselves accountants

05:14.870 --> 05:15.980
and they would be.

05:16.010 --> 05:22.100
They were like CPA as they were they were people who were trusted by a lot of people and you could go

05:22.100 --> 05:27.050
to them you call them on the telephone remember those things and you'd call them on the phone then you

05:27.050 --> 05:32.070
would submit a request to these guys and they would sign your certificate.

05:32.160 --> 05:34.040
It's a wacky way to do things.

05:34.040 --> 05:40.040
The only downside to this is that over time people got lazy and a lot of times people would accept certificates

05:40.040 --> 05:45.200
without going through the due diligence of a phone call making sure the person is legit and all of that.

05:45.290 --> 05:48.000
And we started to run into some problems with it.

05:48.020 --> 05:54.980
So the reality is is that DGP recognize that web of trust really wasn't working that well and pretty

05:54.980 --> 05:59.110
much all PGE solutions today use good old piquet.

05:59.300 --> 06:01.320
And it works just fine.

06:01.370 --> 06:05.920
So even the web of trust was a failure.

06:06.010 --> 06:07.900
Didn't need to have web of trust.

06:07.900 --> 06:10.280
They put a lot of time and energy into making that happen.

06:10.480 --> 06:15.400
But BGP works just fine in a TKI solution as well.

06:18.000 --> 06:23.010
There have been tremendous amounts of change with PDP over the years.

06:23.010 --> 06:26.100
Today there are really three big players in the world.

06:26.220 --> 06:34.200
GP first of all the original GP group or what's left of them is currently a part of Symantec Corporation.

06:34.320 --> 06:38.980
This organization only does one thing but boy does it do it well.

06:39.080 --> 06:45.690
It encrypts mass storage so they will do seining and they will also do disk encryption.

06:45.690 --> 06:51.360
What's cool about these tools is they work great with existing alternatives for example bit Locher in

06:51.360 --> 06:54.720
windows or file vault for the Mac folks.

06:55.050 --> 06:58.760
And it's really designed more for a cloud and an enterprise solution.

06:58.800 --> 07:04.050
So instead of having a bunch of systems with bit locker and fire file vault whatever you can just PDP

07:04.050 --> 07:07.110
them all regardless as the operating system and it works great.

07:07.110 --> 07:10.350
This is a proprietary solution and you got to pay some money for it.

07:11.440 --> 07:17.380
For those of you who like free there is the open TGP standard open TGP is not only a standard but it's

07:17.380 --> 07:21.230
a group of people who support this and they support it really well.

07:21.280 --> 07:26.220
The big job of open TGP is encrypted email.

07:26.260 --> 07:28.430
It has complete support for Piquet's.

07:28.720 --> 07:36.180
And it also works well with alternative ways to encrypt email for example good old famous as mine it's

07:36.180 --> 07:37.740
actually a fascinating process.

07:37.740 --> 07:43.860
You can get open TGP and it manifests as a plug in that you put into your existing email if you have

07:43.920 --> 07:50.850
Outlook or thunder bolts or anything like that you can just add extensions to that and you get full

07:50.850 --> 07:57.120
support for digital signing encryption the whole shebang exchanging a public keys.

07:57.120 --> 07:59.690
It works great.

07:59.740 --> 08:01.740
It's kind of a hassle to go through all this though.

08:01.810 --> 08:06.400
If you actually want to generate your own certificates and you know have a third party sign them in

08:06.400 --> 08:11.540
there are places that can do that Comodo in particular is a great source for that.

08:11.560 --> 08:13.010
It's a little bit of a pain.

08:13.030 --> 08:18.400
The nice part is though if you want to encrypt e-mail there are wonderful solutions out there that take

08:18.400 --> 08:20.950
all of this off your hands personally.

08:20.980 --> 08:28.360
My favorite is proton mail proton mail which I personally use on a daily basis is just a web interface

08:28.360 --> 08:34.390
so if you like using Gmail or Yahoo you'd be familiar with the interface but the differences is that

08:34.750 --> 08:38.170
from the proton mail server to whoever else.

08:38.170 --> 08:40.020
And they also have to be on Proton mail.

08:40.450 --> 08:41.850
It's fully encrypted.

08:42.010 --> 08:47.500
So whereas your G-mail could conceivably be intercepted where your Yahoo might be able to be read by

08:47.500 --> 08:52.580
third parties with Proton mail there's no way to do that and it completely uses open TGP.

08:52.750 --> 08:57.080
Nice part is we don't even see it it works that transparently.

08:57.260 --> 08:59.880
The last place that we see open TGP.

09:00.020 --> 09:07.160
Ansari Well it is open BGB but DGP is new privacy guard or better known as GBG.

09:07.220 --> 09:13.910
This is a complete free tool set and it is based on open BGP.

09:14.150 --> 09:21.800
But whereas open TGP only does email GBG does file and disk encryption and if you're going to be encrypting

09:21.800 --> 09:24.440
in the Linux world you're probably going to be using those

09:29.050 --> 09:42.910
on.