```
.
├── README.md
├── intro
│   ├── de
│   │   ├── intro.html
│   │   └── intro.md
│   └── images
│       ├── enigmail-logo.png
│       ├── logo-gnupg.png
│       ├── logo.png
│       ├── thunderbird-logo.jpeg
│       └── tor-logo.jpg
├── keys
│   └── de
│       ├── images
│       │   ├── CAlist.png
│       │   ├── CryptoKey.svg
│       │   ├── PrivKey.svg
│       │   ├── PubKey.svg
│       │   └── PublicKeyCryptography.png
│       ├── keys.html
│       └── keys.md
├── otr
│   └── en
│       ├── images
│       │   ├── adium.jpg
│       │   ├── logo.png
│       │   └── pidgin.png
│       ├── otr.html
│       └── otr.md
└── risk
    └── en
        ├── images
        │   └── logo.png
        ├── risk.html
        └── risk.md
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# CryptoParty Slides

## Description

An attempt to create a universal basic set of presentation slides to help teach basic concepts at Cryptoparties.

## Layout

We are trying to follow a convention to make navigation easier:

`slides//`

## Producing slide shows with Pandoc

```bash
$ cd /slides/intro/en/
$ pandoc -t slidy -s intro.md -o intro.html
$ cd /slides/otr/en/
$ pandoc -t slidy -s otr.md -o otr.html
$ cd /slides/risk/en/
$ pandoc -t slidy -s risk.md -o risk.html
```

This produces an HTML + JavaScript slide presentation that can be viewed via a web browser.

More information here: [http://johnmacfarlane.net/pandoc/README.html#producing-slide-shows-with-pandoc](http://johnmacfarlane.net/pandoc/README.html#producing-slide-shows-with-pandoc)

--------------------------------------------------------------------------------
/intro/de/intro.html:
--------------------------------------------------------------------------------

(Slidy HTML generated from intro.md with pandoc)
--------------------------------------------------------------------------------
/intro/de/intro.md:
--------------------------------------------------------------------------------

% ![](../images/logo.png)
% An Introduction
% {{Speaker Name}} — {{Month}} {{Date}}, {{Year}}


# Agenda

- Short introduction
- Questions, questions, questions, and topics
- Topic sessions
- Click, help, install

# Introductions

- Team
- Venue


# Motivation

Establishing privacy

- the right to informational self-determination

„The government cannot protect your data”
~ In conversation: CSU politician Uhl, FAZ, 17.07.2013

„Federal Interior Minister Hans-Peter Friedrich […] called on the Germans to do more themselves to protect their data.”
~ Spiegel Online 2013-07-16

„Privacy is necessary for an open society in the electronic age.”
„Privacy is the power to selectively reveal oneself to the world”
~ [Cypherpunk Manifesto](http://www.activism.net/cypherpunk/manifesto.html)


# Toolbox

- here: one solution per problem (for simplicity's sake)

| Problem            | Tool                         |
|--------------------|------------------------------|
| Email              | Thunderbird, Enigmail, GnuPG |
| Chat               | Pidgin, OTR plugin           |
| Anonymous Internet | TorBrowserBundle             |
| Data storage       | Truecrypt                    |
| Key management     | Seamonked                    |
| VPN                | (…not for now)               |

![Thunderbird Logo](../images/thunderbird-logo.jpeg) ![Enigmail Logo](../images/enigmail-logo.png) ![GnuPG Logo](../images/logo-gnupg.png) ![Tor Logo](../images/tor-logo.jpg)


# Open Source

- „Free Software”, not free beer
- peer review creates functional reliability


# Security goals

- Privacy
- Confidentiality
    - content
    - communication/metadata (sender, originator, time)
- Integrity
- Authenticity
    - Never again spam?


# Privacy

- „If you have nothing to hide, you have nothing to fear.”
- Fundamental right to informational self-determination (BVerfG 1983)
- Observation changes behaviour

Threatened by:

- cookies, CCTV, metadata,
- social networks, search engines, ISPs

Countermeasures:

- data minimisation
- cryptography/content encryption
- anonymisation services
- encrypted storage media


# Security vs Privacy
![](images/house.jpg)

# Anonymity

- actions and person cannot be linked
- sender/recipient anonymity
- pseudonyms
- linkability of pseudonyms creates identity
- Tor, Bitcoin, Freenet

# Authentication

- „secure identity” creates continuity
- basis for trust/relationships
- identities (email/IP address) are not authentic
- basic method: public-key cryptography
- PGP (GnuPG), TLS, S/MIME


# Integrity

- content cannot be altered unnoticed

# What is "crypto"?

Cryptography is:

- a pile of complicated mathematics
- the basis of many security mechanisms

Cryptography is not:

- a substitute for sensible behaviour (OPSEC)
- easy to program
- easy to invent yourself


# Crypto + Party = Cryptoparty
![](images/splash.jpg)


# What Next?
--------------------------------------------------------------------------------
/intro/images/enigmail-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptoparty/slides/b8adbb1c6b9b7f2a0473339e418ed50fc3cd603d/intro/images/enigmail-logo.png
--------------------------------------------------------------------------------
/intro/images/logo-gnupg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptoparty/slides/b8adbb1c6b9b7f2a0473339e418ed50fc3cd603d/intro/images/logo-gnupg.png
--------------------------------------------------------------------------------
/intro/images/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptoparty/slides/b8adbb1c6b9b7f2a0473339e418ed50fc3cd603d/intro/images/logo.png
--------------------------------------------------------------------------------
/intro/images/thunderbird-logo.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptoparty/slides/b8adbb1c6b9b7f2a0473339e418ed50fc3cd603d/intro/images/thunderbird-logo.jpeg
--------------------------------------------------------------------------------
/intro/images/tor-logo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptoparty/slides/b8adbb1c6b9b7f2a0473339e418ed50fc3cd603d/intro/images/tor-logo.jpg
--------------------------------------------------------------------------------
/keys/de/images/CAlist.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptoparty/slides/b8adbb1c6b9b7f2a0473339e418ed50fc3cd603d/keys/de/images/CAlist.png
--------------------------------------------------------------------------------
/keys/de/images/CryptoKey.svg:
--------------------------------------------------------------------------------
(SVG image)
--------------------------------------------------------------------------------
/keys/de/images/PrivKey.svg:
--------------------------------------------------------------------------------
(SVG image)
--------------------------------------------------------------------------------
/keys/de/images/PubKey.svg:
--------------------------------------------------------------------------------
(SVG image)
--------------------------------------------------------------------------------
/keys/de/images/PublicKeyCryptography.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptoparty/slides/b8adbb1c6b9b7f2a0473339e418ed50fc3cd603d/keys/de/images/PublicKeyCryptography.png
--------------------------------------------------------------------------------
/keys/de/keys.html:
--------------------------------------------------------------------------------

(Slidy HTML generated from keys.md with pandoc)
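As an added illustration of the key-pair, signing, certificate and security slides of this deck (example code written for this edit, not part of the cryptoparty slides repository), the following Python program walks through the mechanics with textbook RSA on constructed toy primes. It is deliberately insecure (tiny modulus, hash folded into the modulus, no padding) and exists only to make the slide statements concrete; it also goes one step beyond the slides by showing that pinning the expected certifier rejects a certificate that a second trusted CA issued for the same identifier. The names Alice, CA-1, CA-2, alice@example.org and all function names are assumptions of this example.

```python
import hashlib
from math import gcd, isqrt


def is_prime(n: int) -> bool:
    """Trial division; enough for the toy primes used here."""
    return n > 1 and all(n % k for k in range(2, isqrt(n) + 1))


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: returns (public key (n, e), private key (n, d))."""
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be prime")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def _digest(data: bytes, n: int) -> int:
    # SHA-256 reduced into the modulus: fine for a toy, never for real use
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    """'Applying the private key to data' (slide: Signing)."""
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    """Anyone holding the public key can check the signature."""
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def encrypt(pub, msg: bytes) -> list:
    """The public key makes data unreadable; 3-byte blocks fit the toy modulus."""
    n, e = pub
    # a leading 0x01 byte preserves block length and leading zero bytes
    return [pow(int.from_bytes(b"\x01" + msg[i:i + 3], "big"), e, n)
            for i in range(0, len(msg), 3)]


def decrypt(priv, blocks) -> bytes:
    """Only the matching private key turns the blocks back into text."""
    n, d = priv
    out = b""
    for c in blocks:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    return out


def cert_body(name: str, pub) -> bytes:
    return f"{name}|{pub[0]}|{pub[1]}".encode()


def issue_cert(ca_name: str, ca_priv, name: str, pub) -> dict:
    """A certificate is the certifier's signature over identifier + public key."""
    return {"name": name, "pub": pub, "issuer": ca_name,
            "sig": sign(ca_priv, cert_body(name, pub))}


def verify_cert(cert: dict, trusted_cas: dict, expected_issuer: str = None) -> bool:
    """Valid iff a trusted CA signed it; pinning the issuer narrows the trust."""
    ca_pub = trusted_cas.get(cert["issuer"])
    if ca_pub is None or (expected_issuer and cert["issuer"] != expected_issuer):
        return False
    return verify(ca_pub, cert_body(cert["name"], cert["pub"]), cert["sig"])


def demo() -> dict:
    # constructed toy primes (about 2**20 each); real keys use 2048-bit moduli
    alice_pub, alice_priv = make_keypair(1000003, 1000033)
    ca1_pub, ca1_priv = make_keypair(1000037, 1000039)   # Alice's actual certifier
    ca2_pub, ca2_priv = make_keypair(1000081, 1000099)   # another CA in the trust store
    other_pub, _ = make_keypair(1000117, 1000121)        # a key that is not Alice's
    trusted = {"CA-1": ca1_pub, "CA-2": ca2_pub}

    msg = b"Das wird jetzt kryptisch!"
    sig = sign(alice_priv, msg)
    cert = issue_cert("CA-1", ca1_priv, "alice@example.org", alice_pub)
    # slide "Security": any trusted CA can certify any name, so a second CA
    # can bind the same identifier to a different key and clients accept it
    second = issue_cert("CA-2", ca2_priv, "alice@example.org", other_pub)

    return {
        "roundtrip": decrypt(alice_priv, encrypt(alice_pub, msg)) == msg,
        "signature_ok": verify(alice_pub, msg, sig),
        "tampered_rejected": not verify(alice_pub, msg + b"!", sig),
        "cert_ok": verify_cert(cert, trusted),
        "second_ca_accepted": verify_cert(second, trusted),
        "second_ca_rejected_with_pinning": not verify_cert(second, trusted, "CA-1"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Every entry that `demo()` returns is `True`: the round trip and the signature work as the slides state, the second certificate is accepted by default because its issuer is in the trust store, and only the pinned check refuses it.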
--------------------------------------------------------------------------------
/keys/de/keys.md:
--------------------------------------------------------------------------------

% ![](../images/logo.png)
% Cryptographic Keys
% {{Speaker Name}} — {{Month}} {{Date}}, {{Year}}

# Overview

- cryptographic keys
- encrypting and signing
- certificates
- security assumptions


# Key pair

"Always two there are! A master and an apprentice!"
~ Master Yoda (Episode 1)

| public key              | private key              |
|-------------------------|--------------------------|
| ![](images/PubKey.svg)  | ![](images/PrivKey.svg)  |

Snap-lock door analogy:

- public: anyone can pull the door shut
- private: only opened with the key


# Encrypting

- makes data unreadable
- "except"
- with the matching key.
- Example: "This is about to get cryptic!"

hQEMA9WCTo3/O878AQf8Cl0QcfmgAO1vLDjfqC21hUqoZ6zI5qrgcwZO3uLH4RBr
uDwG+wMo+Mx1fiqGCgwJRelRx03u1p5bi9IpVn9kPttFhmhIOVEuZ9fyyF1dYUe6
YOBnbdwaQ3IeI5p+JqrlG6Xgnw8pSrhlwGYOwg2ya+U9gMjcrFa6IgwpOKI3Dime
kJcmkq5cQWyiyfK811romZzfUi66L02lTp8RchZjrvwvMOjcmbOKJrp56xWe1RP9
XqpRzoreiQmn8XgkHA6eTLmMFz79Jbpz/LLS21x0VVBmhojVTxiPmQXfdxazgeYZ
FJ+mWrKTgrIMMXdVEL0YLDWdqh5N2ZY15jfnktf6ZdJVARIwGjjVdOpXZecJwgLY
Ftllw5hXyA+QOdzK8IGiAy5hMfSSFew/mk6aLxa2txrtmOliO5ahJBz8N29hxczY
EI8qdfou4kjpfY8ekB+qxWjYKpF9uA===VXx6


# Public-key encryption

![](images/PublicKeyCryptography.png)


# Signing

- private key: known only to its owner
- decrypting can only be done with the private key
- a signature is the application of the private key to data
- anyone else can check it with the public key
- prerequisite: knowledge of the public key


# Certificate

Signature over:

- identifier: name, email, web address, …
- public key

The signing certifier must verify beforehand:

- the identifier belongs to the person
- the person knows the matching private key

Credibility of certificates

- equals the trustworthiness of the certifier


# Security

- decrypting without the matching key: hard
- keeping the private key secret
- main problem: certification authorities (CAs)
- e.g. 250 "trustworthy" authorities in the browser
- any CA can sign any site


# Summary

-

--------------------------------------------------------------------------------
/otr/en/images/adium.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptoparty/slides/b8adbb1c6b9b7f2a0473339e418ed50fc3cd603d/otr/en/images/adium.jpg
--------------------------------------------------------------------------------
/otr/en/images/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptoparty/slides/b8adbb1c6b9b7f2a0473339e418ed50fc3cd603d/otr/en/images/logo.png
--------------------------------------------------------------------------------
/otr/en/images/pidgin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptoparty/slides/b8adbb1c6b9b7f2a0473339e418ed50fc3cd603d/otr/en/images/pidgin.png
--------------------------------------------------------------------------------
/otr/en/otr.html:
--------------------------------------------------------------------------------

(Slidy HTML generated from otr.md with pandoc; title: Cryptoparty - Private Conversations Online using OTR)
--------------------------------------------------------------------------------
/otr/en/otr.md:
--------------------------------------------------------------------------------

% Cryptoparty - Private Conversations Online using OTR
% {{Speaker Name}}
% {{Month}} {{Date}}, {{Year}}

# Cryptoparty
![](images/logo.png)

# Alice and Bob

- Alice and Bob both know how to use PGP.
- They both know each other’s public keys.
- They don’t want to hide the fact that they talked, just what they talked about.
- Alice uses her public key to sign a message
- Bob should know who he’s talking to
- She then uses Bob’s public key to encrypt it
- No one other than Bob can read the message
- Bob decrypts it and verifies the signature
![](images/threat1.png)

# Plot Twist

- Bob’s computer is subpoenaed by the FBI
- Or just broken into by a virus, trojan or some spyware.
- Bob's keys and emails are recovered.
- Decrypt past messages
- Learn their content
- Learn that Alice sent them
- And have a mathematical proof they can show to anyone else.
![](images/threat2.png)

# What went wrong?

- The software created lots of incriminating records
- Key material that decrypts data sent over the public Internet
- Signatures with proofs of who said what
- Alice better watch what she says
- Her privacy depends on Bob’s actions

# Casual Conversations and OTR

- Alice and Bob talk in a room
- No one else can hear
- Unless being recorded
- No one else knows what they say
- Unless Alice or Bob tell them
- No one can prove what was said
- Not even Alice or Bob
- These conversations are “off-the-record”
- There is legal support for having casual conversations.
- Illegal to record conversations without notification
- We can have them over the phone
- Illegal to tap phone lines

# Perfect Forward Secrecy

- Future key compromises should not reveal past communication.
- Like when Bob's laptop was stolen.
- Use a short-lived encryption key
- Discard it after use
- Securely erase from memory
- Use long-term keys to help distribute & authenticate the short-lived key

# Repudiable Authentication

- You are assured the correspondent is who you think it is.
- Can’t maintain privacy if attackers can impersonate friends
- But we do not want digital signatures
- Non-repudiation in digital security means that there is proof of the integrity and origin of data.
- Use Message Authentication Codes (MACs)

# Encryption

- No one else can read your instant messages, not even the server

# Deniability

- Shared key authentication.
- Alice and Bob have the same MK.
- MK required to compute MAC.
- Bob cannot prove that Alice generated the MAC; he could have done it, too.
- Anyone who can verify can also forge messages after a conversation to make them look like they came from you.
- So messages you send do not have digital signatures that are checkable by a third party. (Doesn't work in court)
- However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.

# What you need

- Windows / Linux - Pidgin with OTR plug-in. Download Pidgin first from pidgin.im and then the plug-in from cypherpunks.ca/otr

- Mac OS - download Adium from adium.im (you don't need an additional plug-in).

There are also OTR-enabled smartphone apps

- Android (Gibberbot).
- iOS (Chatsecure).

# Then what do I do?

- Set up an address for people to reach you at.

- Find the person you want to speak to. Make contact.

- Go off the record.

- Manually verify fingerprints to be sure it is who you think it is and to enable encryption.

- Make sure logging is disabled in your chat client's settings!

- Make sure to also ask the person you want to speak to to do the same!

- Discuss a shared secret to authenticate your conversation partner with.

- That's it! Remember to end the chat session and close any open windows when you are done chatting.

# What OTR can do and what it can't

Pros:

- Secure
- Works on a number of devices.
- Once you've set it up, it's pretty easy to use.

Cons:

- You both have to be online.
- And it is both. You can only have two in a secure chat.
- The conversation is only secure while it's happening. If you keep logs, they won't be encrypted.

# Over to you :)

- Now let's install Pidgin, Adium, or Bitlbee on your PC, Mac or Linux machine.

- Gibberbot on Android or Chatsecure on iOS.

Things to do once the program is installed:

- Ensure you know what a fingerprint is and how to find yours.
- Ensure you know how to verify someone else's fingerprint.
- Ensure you know how to turn your chat client's logging setting off.
- Test by having an encrypted chat with a new friend at the Cryptoparty.

# Howto: install pidgin and pidgin-otr on Ubuntu/Debian
![](images/pidgin.png)

as root:

- apt-get install pidgin pidgin-otr

# Howto: install Pidgin + OTR plugin on Windows

![](images/pidgin.png)

- Go to http://www.pidgin.im/download/windows
- Click the Download Pidgin for Windows link
- Save the installation file, then navigate to it and double click it. Install it.
155 | - Goto http://www.cypherpunks.ca/otr 156 | - Click the Win32 installer for pidgin link in the OTR plugin for Pidgin section 157 | - Save the installer, then navigate to it and double click it. Install it. 158 | - After you have successfully installed Pidgin and OTR you may delete the installation programs from your computer. 159 | - Run Pidgin. Enable the OTR plugin: OTR: Tools -> Plugins. Check the Box "off the record messaging" to enable the plugin. 160 | 161 | # Howto: install Adium on Mac 162 | ![](images/adium.jpg) 163 | 164 | - Goto http://adium.im/ and download Adium. 165 | - Adium comes with otr preinstalled. 166 | - Save the installation file, then navigate to it and install it. 167 | - After you have successfully installed Adium you may delete the installation files from your computer. 168 | - Run Adium. 169 | 170 | # Getting a jabber account with jabber.ccc.de 171 | 172 | - Run Pidgin. 173 | - Setup your chat account. (Accounts > Manage Account > Add) 174 | - Protocol: XMPP 175 | - Username: [whatever you like!] 176 | - Domain: jabber.ccc.de 177 | - Password: [whatever you like!] 178 | - Check 'create this new account on the server' 179 | 180 | # Starting An Encrypted Chat 181 | 182 | - Add a Buddy 183 | - Start Chatting with a buddy. 184 | - Click on "Not Verified" 185 | - Use Manual Fingerprint Verification. 186 | - Get your buddy to send you their fingerprint or show you in person. 187 | - Let them do the same for you. 188 | 189 | # Links 190 | - http://www.pidgin.im/ 191 | - http://adium.im/ 192 | - http://bitlbee.org/ 193 | - http://www.cypherpunks.ca/otr/ 194 | - https://en.wikipedia.org/wiki/Off-the-Record_Messaging 195 | 196 | # Questions? 
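The "Repudiable Authentication" and "Deniability" slides in one worked example, added here and not part of the original slide deck: a shared HMAC key lets Bob check a message while the chat is running, yet afterwards either party can compute the same tag, so the tag proves nothing about who wrote it. Alice, Bob, the message text and the random key standing in for OTR's MAC key MK are all constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample key standing in for the MAC key (MK) that Alice and Bob
# share after the OTR key exchange. Real OTR derives MK from the short-lived
# Diffie-Hellman secret; this one is random and belongs to no real session.
MK = secrets.token_bytes(32)


def mac(mk: bytes, message: bytes) -> bytes:
    """Tag `message` with HMAC-SHA256 under the shared key `mk`."""
    return hmac.new(mk, message, hashlib.sha256).digest()


def verify(mk: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check that `tag` authenticates `message` under `mk`."""
    return hmac.compare_digest(mac(mk, message), tag)


def authentication_during_conversation(mk: bytes) -> dict:
    """While chatting, Bob can tell Alice's genuine message from a tampered one."""
    msg = b"meet at 9"
    tag = mac(mk, msg)                 # Alice tags what she sends
    tampered = b"meet at 6"            # someone on the wire edits it in transit
    return {
        "genuine_accepted": verify(mk, msg, tag),
        "tampered_rejected": not verify(mk, tampered, tag),
    }


def deniability_after_conversation(mk: bytes) -> dict:
    """Afterwards, a valid tag proves only that someone holding MK produced it."""
    genuine = (b"meet at 9", mac(mk, b"meet at 9"))   # what Alice really sent
    # Bob holds the same MK, so he can tag a line Alice never wrote.
    forged = (b"I did it", mac(mk, b"I did it"))
    # A third party handed MK and the transcript sees both tags verify;
    # nothing in a tag is tied to Alice rather than Bob.
    return {
        "genuine_verifies": verify(mk, *genuine),
        "forged_verifies": verify(mk, *forged),
        # Bob's tag is byte-for-byte the tag Alice would have produced,
        # because the computation involves only MK and the message.
        "forger_tag_matches_alice": forged[1] == mac(mk, forged[0]),
    }


if __name__ == "__main__":
    print(authentication_during_conversation(MK))
    print(deniability_after_conversation(MK))
```

A digital signature would differ on exactly the last point: only the holder of the signing key could have produced it, which is the non-repudiation the slides say OTR deliberately avoids.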
--------------------------------------------------------------------------------
/risk/en/images/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cryptoparty/slides/b8adbb1c6b9b7f2a0473339e418ed50fc3cd603d/risk/en/images/logo.png
--------------------------------------------------------------------------------
/risk/en/risk.html:
--------------------------------------------------------------------------------
150 | 151 | 152 | -------------------------------------------------------------------------------- /risk/en/risk.md: -------------------------------------------------------------------------------- 1 | % Cryptoparty - Risk Management 2 | % {{Speaker Name}} 3 | % {{Month}} {{Date}}, {{Year}} 4 | 5 | # Cryptoparty 6 | ![](images/logo.png) 7 | 8 | # Security Means Making Trade-Offs to Manage Risks 9 | 10 | - Security isn't having the strongest lock or the best anti-virus software — security is about making trade-offs to manage risk, something we do in many contexts throughout the day. 11 | - When you consider crossing the street in the middle of the block rather than at a cross-walk, you are making a security trade-off: you consider the *threat* of getting run over versus the trouble of walking to the corner, and assess the *risk* of that *threat* happening by looking for oncoming cars. 12 | - Your bodily safety is the *asset* you're trying to protect. 13 | - How high is the *risk* of getting run over and are you in such a rush that you're willing to tolerate it, even though the *threat* is to your most valuable *asset*? 14 | - That's a security decision. Not so hard, is it? It's just the language that takes getting used to. 15 | - Security professionals use four distinct but interrelated concepts when considering security decisions: *assets*, *threats*, *risks* and *adversaries*. 16 | 17 | # Assets 18 | 19 | - What You Are Protecting 20 | - An asset is something you value and want to protect. 21 | - Anything of value can be an asset, but in the context of this discussion most of the assets in question are information. 22 | - Examples are you or your organization's emails, instant messages, data files and web site, as well as the computers holding all of that information. 23 | 24 | # Threats 25 | 26 | - What You Are Protecting Against 27 | - A threat is something bad that can happen to an asset. 
28 | - Security professionals divide the various ways threats can hurt your data assets into six sub-areas that must be balanced against each other: 29 | 30 | - 1. Confidentiality - is keeping assets or knowledge about assets away from unauthorized parties. 31 | - 2. Integrity - is keeping assets undamaged and unaltered. 32 | - 3. Availability - is the assurance that assets are available to parties authorized to use them. 33 | - 4. Consistency - is when assets behave and work as expected, all the time. 34 | - 5. Control - is the regulation of access to assets. 35 | - 6. Audit - is the ability to verify that assets are secure. 36 | 37 | # Threat Classification 38 | - Threats can be classified based on which types of security they threaten. 39 | - For example, someone trying to read your email (the asset) without permission threatens its *confidentiality* and your *control* over it. 40 | - If, on the other hand, an adversary wants to destroy your email or prevent you from getting it, the adversary is threatening the email's integrity and *availability*. 41 | - Using encryption, as described later in this guide, you can protect against several of these threats. 42 | - Encryption not only protects the *confidentiality* of your email by scrambling it into a form that only you or your intended recipient can descramble, but also allows you to *audit* the emails — that is, check and see that the person claiming to be the sender is actually that person, or confirm that the email wasn't changed between the sender and you to ensure that you've maintained the email's integrity and your *control* over it. 43 | 44 | # Risks - The Likelihood of a Threat Actually Occuring 45 | 46 | - Risk is the likelihood that a particular threat against a particular asset will actually come to pass, and how damaged the asset would be. 
47 | - There is a crucial distinction between threats and risks: threats are the bad things that can happen to assets, but risk is the likelihood that specific threats will occur. 48 | - What assets are you trying to protect? 49 | - What are the risks to those assets? 50 | - How well does the security solution mitigate those risks? 51 | - What other risks does the security solution cause? 52 | - What costs and trade-offs does the security solution impose? 53 | - Security is the art of balancing the value of the asset you are trying to protect against the costs of providing protection against particular risks. 54 | - Practical security requires you to realistically judge the actual risk of a threat in order to decide which security precautions may be worth using to protect an asset, and which precautions are absolutely necessary. 55 | 56 | # Adversaries 57 | 58 | - Who Poses a Threat? 59 | - A critical part of assessing risk and deciding on security solutions is knowing who or what your adversary is. 60 | - An adversary, in security-speak, is any person or entity that poses a threat against an asset. 61 | - Different adversaries pose different threats to different assets with different risks; different adversaries will demand different solutions. 62 | - For example, if you want to protect your house from a random burglar, your lock just needs to be better than your neighbors', or your porch better lit, so that the burglar will choose the other house. 63 | - If your adversary is the government, though, money spent on a better lock than your neighbors' would be wasted — if the government is investigating you and wants to search your house, it won't matter how well your security compares to your neighbors. 64 | - You would instead be better off spending your time and money on other security measures, like encrypting your valuable information so that if it's seized, the government can't read it. 
65 | 66 | # Examples of Adversaries that Pose a Threat to Digital Privacy and Security 67 | Here are some examples of the kinds of adversaries that may pose a threat to your digital privacy and security: 68 | 69 | - U.S. government agents that follow laws which limit their activities 70 | - U.S. government agents that are willing and able to operate without legal restrictions 71 | - Foreign governments 72 | - Civil litigants who have filed or intend to file a lawsuit against you 73 | - Companies that store or otherwise have access to your data 74 | - Individual employees who work for those companies 75 | - Hackers or organized criminals who randomly break into your computer, or the computers of companies that store your data 76 | - Hackers or organized criminals that specifically target your computer or the computers of the companies that store your data 77 | - Stalkers, private investigators or other private parties who want to eavesdrop on your communications or obtain access to your machines 78 | 79 | # Which Threats from Which Adversaries Pose the Highest Risk to Your Assets? 80 | - Putting these concepts together, you need to evaluate which threats to your assets from which adversaries pose the most risk, and then decide how to manage the risk. 81 | - Intelligently trading off risks and costs is the essence of security. 82 | - How much is it worth to you to manage the risk? 83 | - For example, you may recognize that government adversaries pose a threat to your webmail account, because of their ability to secretly subpoena its contents. 84 | - If you consider that threat from that adversary to be a high risk, you may choose not to store your email messages with the webmail company, and instead store it on your own computer. 85 | - If you consider it a low risk, you may decide to leave your email with the webmail company — trading security for the convenience of being able to access your email from any internet-connected computer. 
86 | - Or, if you think it’s an intermediate risk, you may leave your email with the webmail company but tolerate the inconvenience of using encryption to protect the confidentiality of your most sensitive emails. 87 | - In the end, it’s up to you to decide which trade-offs you are willing to make to help secure your assets. 88 | 89 | # Links 90 | - https://ssd.eff.org/risk 91 | - https://www.schneier.com/book-beyondfear.html 92 | 93 | # Questions 94 | 95 | --------------------------------------------------------------------------------