Why does PGP use both symmetric and asymmetric key cryptography?

When I first learned about PGP, I was confused as to how using both encryption methods added security. In PGP, the public keys are exchanged between two parties to encrypt a session key used to encrypt data instead of encrypting the actual data. So when the receiver gets the encrypted content, they will use their private key to decrypt the encrypted session key which can then be used to decrypt the message.

This seemed like an indirect approach to encrypting the message that only added time, not more security. Turns out, the reason both methods are primarily because the current asymmetric cryptosystem, RSA, is a very slow algorithm.

"RSA is a relatively slow algorithm, and because of this it is less commonly used to directly encrypt user data. More often, RSA passes encrypted shared keys for symmetric key cryptography which in turn can perform bulk encryption-decryption operations at much higher speed." (Wikipedia)

How PGP works in 5 minutes

To understand how PGP works at a high level, you need to understand two key methods of cryptography:

• Symmetric key cryptography
• Asymmetric key cryptography (public key cryptography)

Symmetric key cryptography is analogous to two parties using the same key to lock and unlock a box containing secret contents. It's symmetric because the keys used to lock and unlock are identical. In a an exchange using symmetric key cryptography, Bob encrypts data using key A and sends it over to Alice who decrypts it using key A. Anyone who possesses key A can decrypt the data.

Asymmetric key cryptography is when two parties use a pair of different keys to lock and unlock a box containing secret contents. One key to lock, the other one to unlock. One is known as the public key (shared with senders) and the other the private key (guarded by receiver). They're asymmetric because the locking key is not the same as the unlocking key. In an exchange using asymmetric key cryptography, Bob shares his public key with Alice and Alice uses the public key to encrypt the data. Alice sends the data to Bob and he decrypts it using his private key. Since Bob is the only person with the private key, only he can decrypt the data. The public key is like a mailbox you can give to anyone where anyone can put messages in but the only person who can take messages out is the owner of the mailbox. 

PGP combines both methods to allow for secure communication. Basically, it uses public key cryptography to encrypt a randomly generated temporary session key which is also used to encrypt data. 

Here's how it works:

1. Bob shares his public PGP key with Alice.
2. Alice wants to send a message and generates a random session key. 
3. Alice uses the session key to encrypt her message.
4. Alice encrypts the session key itself using Bob's public key so that the session key can be sent securely with the encrypted data.
5. Bob receives the encrypted data and the encrypted session key.
6. Bob decrypts the session key. 
7. Bob uses the decrypted session key to decrypt the data.

Why public key cryptography works in 150 characters

"Can the reader say what two numbers multiplied together will produce the number 8616460799? I think it unlikely that anyone but myself will ever know."

                                                                           - The Principles of Science, William Stanley Jevons

What's the difference between AWS IAM Roles and Security Groups?

What do they have in common? They're both access control methods.

IAM Roles

IAM roles can be assumed by any AWS resource or service on AWS and the policies attached to the roles determine their level of access to various other resources and services. Each role can have many policies. You can either use built in roles with default policies or create ones yourself.

For example, if you configure an ECS service to use a load balancer, the service can use a built in role called ecsServiceRole which has the policy AmazonEC2ContainerServiceRole attached which allows it to makes calls to the Elastic Load Balancer API. You can also create your own role with that policy. What grants the access is not the role, but rather the policies associated with that role. EC2 instances used for running docker containers require a role with the policy AmazonEC2ContainerServiceforEC2Role to make calls to the ECS API. Likewise, there's a default one with the policy you need called ecsInstanceRole but you can also create a new role called myRole and attach the same policy.

Security Groups

Security Groups controls network traffic to EC2 instances. An EC2 instance can have multiple security groups, and each group can have a number of rules specifying what inbound and outbound network traffic are allowed. For example, you can restrict access to port 80 for your instance to requests coming from a particular IP address range.

When you're using AWS, you're almost always using both of these access control methods. Any cloud stack you create will require you to think about the flow of traffic that you should allow to your compute instances (Security Groups) and what other AWS resources and API's those instances need to be able to talk to (IAM roles).

Setting up Amazon EC2 Container Service (ECS)

I've been experimenting with deploying containers to the AWS cloud. There's a really detailed guide on the AWS site that they provide on running containers using their container service, ECS. Yesterday I successfully deploy a couple of containers running a simple ruby Sinatra app! Here's a high level view of what you'll need to do in order to get your containers running.

1. Create an AWS account 
2. Sign up for AWS ECS
3. Create a private docker image repository on ECS
4. Build and push your docker image to your ECS image repository
5. Create a task definition using your docker image
6. Create a cluster
7. Create an EC2 instance using an ECS-optimized image and register it with your cluster
8. Create an elastic load balancer (ELB)
9. Create a container service in your cluster and configure it to use your ELB

By the end, you will be able to visit the public DNS of your ELB which will forward requests to one of the containers you have running inside an EC2 instance. Most of the work lies in the configuration and a lot of that is not fun. I'm trying to reduce the job of deploying containers down to:

1. Build and push your docker image to your ECS image repository

Everything else will be done automatically based on default configuration. I should be able to just visit a URL and see my running application. Adding more layers of the stack to it will take more work, but just running containers using a single image should be as easy as that.

Some questions I still have are:

• What's the easiest way to deploy new images for an application to ECS? Ideally I just have to hit push and then the existing containers are replaced by new containers running my new image.
• How do IAM roles and security groups work? 
• How do I know requests are actually being distributed evenly by the ELB?
• How should I stop my running containers? Do I stop it via the service level or the container level?
• What happens to my containers if I shut down my EC2 instances?
• Where are my logs located? If my app crashes, where do I look? 
• How do I connect my app running in a container to another app running in a different container? Say, a database server for instance. 

Seasoning a Cast Iron

I bought a seasoned cast iron skillet about six months ago and now it's completely rusty. So I looked up how to re-season my cast iron.

1. Preheat oven to 325 degrees.
2. Wash cast iron with stiff brush or sponge. Make sure it's dry and clean.
3. Apply a thin layer vegetable oil or shortening inside and outside of the cast iron.
4. Put aluminum in the bottom rack to catch dripping oil and place the cast iron face down in the center rack.
5. Close the oven and wait for an hour. Bake!
6. Let it cool for another hour and remove!

There's some debate over the ideal ingredient to use for step 3 to maximize the non-stick property of the cast iron. According to these two articles, flaxseed oil is king:

• http://sherylcanter.com/wordpress/2010/01/a-science-based-technique-for-seasoning-cast-iron/
• http://www.thekitchn.com/i-seasoned-my-cast-iron-pan-with-flaxseed-oil-and-heres-what-happened-224612

Since this is my first time reasoning the cast iron, I'm just going to start with whatever works. I'm going to use canola oil and if that turns out to be a bad choice, I'll look into flaxseed.