Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Introduction to GPG

advertisement 
Introduction to GPG
Introduction
We live in the digital age. Email correspondence is commonplace, business proposals are
stored on computer systems, financial and legal information is sent across networks.
Nobody can get this information other than the intended recipient, right?
Don't bet on it.
Just about everything you do while connected to a network can be easily watched.
System Administrators can rifle through your email, and disgruntled employees can
intercept copies of your financial and legal documents as you transfer them across your
LAN. Laptops are often stolen, and the loss is much greater if the system also contains
confidential information.
Sending sensitive information in email, transferring it around on a network, or even
leaving it on your hard drive is the digital equivalent of putting that information on a
neon billboard in Times Square.
Encryption is one of the most effective ways to ensure your information is secure.
Correctly using a good encryption package, such as GNU Privacy Guard (GnuPG), will
help insure your data remains private. Email sent encrypted with GnuPG can only be
decrypted by the person whom the message is intended. Encrypted messages which are
intercepted and stolen are worthless to anyone but the intended recipient.
GnuPG is GPL Software that follows the OpenPGP Standard. It is intended as a
replacement for the PGP encryption package, and does not use any patented encryption
algorithms. It can be downloaded from http://www.gnupg.org, and runs on Linux,
FreeBSD, many other flavors of UNIX, as well as Windows.
Privacy, do you need it?
When most people talk about privacy and strong encryption in the same sentence, they
often think the only people needing such things must be doing something wrong, illegal,
or involved with government espionage. Spies, smugglers, mobsters, and terrorists come
to mind, so you, not fitting into any of these categories and being an honorable and
upstanding citizen certainly don't need to be involved with this kind of stuff, right?
Perhaps you conduct a lot of your business via email, sending quotes, contracts, or
financial reports over the Internet to your corporation, boss, or business partners. If
you've used the Internet for any length of time, surely you know that the email containing
your documents takes multiple paths, and makes multiple 'pit stops' at various servers
before it reaches its destination. Are you sure that when your document passes through
these servers that your files and communications are not scanned, even forwarded on to a
paying competitor?
Maybe your data isn't that confidential, but you would still like to ensure that the
document or communication you're submitting reaches its final destination exactly as it
was sent... no additions, no subtractions, no modifications at all. Can you be sure of this
when sending it via standard email procedures?
Suppose you don't have any secrets, and there's not any real concern about someone
modifying your email. Do you still want your ISP's service technician with nothing better
to do snooping through your email on the server while it's sitting there waiting to be
retrieved to know all about your life? If you're in a small or rural town, your ISP may be
just a core crew that runs the show. Do you trust them fully with your account? If you
sometimes email your family traveling itineraries, information about doctor visits or what
stocks you've bought recently, do you really want your ISP to possibly know this
information, too?
Even if you're using a large corporate ISP with established privacy policies, can you be
sure that their policy is enforced all the way down, and at every level? Believe me, there's
been more than one technician discovered snooping through user's mailboxes without
their knowing. Some of these 'technicians' consider such a practice as entertaining as
others might consider soap operas! As Philip Zimmermann stated in the original PGP
User's Guide, 'It's personal. It's private. And it's no one's business but yours.' If you send
plain-text email over the Internet, it may be personal, and it may be private, but it can
easily become anyone else's business, too!
When you start thinking about it, you will no doubt find many areas in your life needing
increased privacy, encryption and digital signatures, which may include private files,
documents and email. If the need arises to share those files, documents and email with
others, you may want to seriously consider incorporating public-key security into your
routines.
Public Key Cryptography
Public Key Cryptography, also known as Asymmetric Cryptography, uses a pair of keys,
a public key and a secret key. The public key is used to encrypt a message that only the
corresponding secret key can decrypt. The public key is meant to be distributed, while the
secret key must not. While the keys are related, it is mathematically impractical to derive
one key from the other.
An example would be that Alice makes her public key available to the world by putting it
on her Website, emailing it to friends, etc. If I want to send Alice an encrypted message, I
would use GnuPG with Alice's public key to encrypt the message, turning it from
plaintext to ciphertext. Once the message has been encrypted, only the person who has
possession of Alice's secret key is able decrypt it.
Once I encrypt the message for Alice, I cannot derive the original message from the
ciphertext. Without access to Alice's secret key, the only way to decrypt the message is
by using a brute force attack. A brute force attempt would require every possible key be
tried in effort to decrypt the message. This would take the computing equivalent of
billions of mainframes trillions and trillions of years.
Making sure Alice's secret key isn't compromised is essential in keeping her messages
secure.
Creating and Managing Keys
Once GNU Privacy Guard is compiled and installed, you must create your keys with the
command `gpg --gen-key` as following:
[alice:~]$ gpg --gen-key
gpg (GnuPG) 1.0.6; Copyright (C) 1999 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: /home/alice/.gnupg: directory created
gpg: /home/alice/.gnupg/options: new options file created
gpg: /home/alice/.gnupg/secring.gpg: keyring created
gpg: /home/alice/.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
Your selection? 1
You must select the type of key you would like to use. For most users the default, DSA
and ElGamal, is sufficient.
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024)
In this example, Alice doesn't want her keys to expire, so she accepts the default.
You need a User-ID to identify your key;
the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) "
Real name: Alice Q. Public
Email address: alice@bigblue.com
Comment: Cybergirl
You selected this USER-ID:
"Alice Q. Public (Cybergirl) "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
Enter passphrase:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...
[alice:~]$
Alice is prompted for her name, email address, comment, and passphrase. GNU Privacy
Guard then starts generating the keys.
Once a pair of keys is generated, Alice needs to make her public key available so others
can send encrypted messages to her. This is done with the "--export" option to the gpg
command. The key is exported as a binary file, which isn't suitable for emailing, so the "-armor" command will ASCII armor the key. The key is also sent to stdout, to send the
output to a file, use the "--output" option as follows:
[alice:~]$ gpg --armor --output pubkey.asc --export alice@bigblue.com
Now that alice has exported and distributed her key, I'll send her my key (named bob.asc)
so she can send me encrypted messages.
[alice:~]$ cat bob.asc
-----BEGIN PGP PUBLIC KEY BLOCK----Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDfYgxcRBAClzpK+9KxwE4Njl2B4z3yTyiFXwEGFteJu3FM4u//CQwQAnXvk
gVRy0gmHUnkxFj2yK+BFkcjaNmRZbSKcTZXsO27cv63TAQw8oNKWYzDThiFKvpB2
Srsh3ipp+qOcmk1IQXu5hmL80Xx2F0Wwl95p8uLeCkepBVC8gr4awpRHswCgz3YR
EfUAhjYPgklzGdqkKxUD23MEAJAF5GYXwVxfzPZcgxOs1jpUel60wLXXQaDRmJ7i
mlhBwU/j6DmDeI0tASWrtgt8mS90/PYBj1sSRzH7SqcWtUySMjypX/BEIQHNWZTn
I/TXSC8Wn+SPXcqTPIEEZnJJuZTWFujoHzZgu3ARqtDFMi7Rt3SPCFRBrTwoykZX
ztXMA/9kGAmQkdO9wpxRR9uXI5Stx3BMRipbI/msK3pxCXO2A5EaQADsVB/83joW
3rpApg/9HL6HwGMO6Qbh55rjbpBkaH0q0VK52aTt259PqtbE86jiPNxo3XR62UH2
bhWfAnm6IPBQ+EE7vQmglTo5WbIljykKx+Q5FvY9o7vBJSYeJ7QkUmljaCBKYW5r
b3dza2kgPHJpY2hAc2F0dXJubGluay5jb20+iFUEExECABUFAjfYgxcDCwoDAxUD
AgMWAgECF4AACgkQhSdZBHa/b61NXACgnfDwwAg3Oc/pFTFLajsJETx52K4AoK1f
+iZCCmhkGD3nQHCqxRH5dIEfuQENBDfYgyAQBAD6luCMMwlrefFkHaRD2svnFNWG
g48Zu5q4Ef1w03R+NlwbBOcxoCSthyhNY1pqxwaWZSB3yAhmgGHY8qHLcKovCMSe
Qp8IjFzykt+dWzyOwRcxa9Kpo3KxD2pFzU8feQzW9F7LVv+j5SxJsPijrxjeeE0X
nsR9q8myTLRd7E8/4wADBgP/V+gwREI9uds/IO2vDve6h9P7m1MYu8nEGVjOoFEO
IEVJoZgu+wuaJ+m3IhABzcS8ZlDZ481hwjBT9RmLB0pyNqHQyamvGsZVvAdzNIll
JMjhCxOTBNWI5A1dI2C9y4lBz/7En97k0JswsLSHsTS2+4RkdfVjHW2jjP0Kl7AF
8uGIRgQYEQIABgUCN9iDIAAKCRCFJ1kEdr9vrVNeAKC4fcHmplnjr+DXV6WLdAY+
uD4OtgCgnIR2Jq2FFLmU/u63BWTk6PMmn2c=
=Unun
-----END PGP PUBLIC KEY BLOCK-----
The "--import" option will allow you to import a public key into your keyring as follows:
[alice:~]$ gpg --import bob.asc
gpg: key 76BF6FAD: public key imported
gpg: /home/alice/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg:
imported: 1
To list the keys in a keyring, use the "--list-keys" option:
[alice:~]$ gpg --list-keys
/home/alice/.gnupg/pubring.gpg
-----------------------------pub 1024D/533F200F 2000-03-07 Alice Q. Public (Cybergirl)
sub 1024g/C8F2C0F7 2002-10-07
pub
sub
1024D/76BF6FAD 2001-09-10 Bob Blather
1024g/61A19A5E 2001-09-10
Encryption and Decryption
Alice just changed the router password and wants to notify me of the change through
email. Because of the sensitive nature of this message, she doesn't want to send it as
plaintext. She'll then create a file called doc.txt with the following content:
The new router password is "ro0t3r4dm!n"
To encrypt the message using my public key she would use:
[alice:~]$ gpg --armor --output doc.asc --encrypt --recipient \
bob@macroshaft.com doc.txt
This will create an ASCII armored file called doc.asc:
[alice:~]$ cat doc.asc
-----BEGIN PGP MESSAGE----Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
hQEOA/Kp2qNhoZpeEAQA1ZzhxsnFN36nOqGwxugDr90IryX5gOCDLzXXPXmG/erD
c+LdOIrJrt0evCUo8Oj+sWEWfg2kP8NE6yHDNnFcARvPFw/uS9HhsLefdt7A3Ylf
CGCJs/C258MVK8qw0dUTOiF/x5uq3hR76YIeUWgGICNoE6V+Vmiopu5B6vBHcPYD
/15grvtrvTdP2MQ5/nGYN5HQG82ZmUkAg+Aq50GQOt+w/Bwe5FhHEYI+AYenqdYC
7GN+GeG4BfraCvlcczkf/FngPCi+9wISR7V8lmzNdyh7NrWSG+ncsEPMTA9zwsi4
hLQhBgQKmUIbHlh40dQKhRA+nxaCCJ2Dlv9mTAMvg2jjyUxwSNAl82xUBSWMuOL6
94ldlXEeqI7HeGQH4jl9IZDlXImellhKtcTfIAfmy2FSMfkr3cX5lfiWntapC8ow
vmyIldiKcGr9tLr4SaX9
=592O
-----END PGP MESSAGE-----
After getting this message, I can decrypt it with the following:
[bob:~]$ gpg --output doc.txt --decrypt doc.asc
You need a passphrase to unlock the secret key for
user: "Bob Blather "
1024-bit ELG-E key, ID 61A19A5E, created 2001-09-10
(main key ID 76BF6FAD)
Enter passphrase:
[bob:~]$
After entering the correct passphrase for my secret key, GNU Privacy Guard decrypts the
file as doc.txt as demonstrated:
[bob:~]$ cat doc.txt
The new router password is "ro0t3r4dm!n"
GNU Privacy Guard also uses symmetric ciphers, which will enable you to use the same
key for both encryption and decryption. This is useful if you want to encrypt important
files on your system. When encrypting a file with a symmetric cipher, you are prompted
for a passphrase. Others who know that passphrase are able to decrypt that file.
Here's an example of using a symmetric cipher to encrypt a file called sales.txt:
[alice:~]$ gpg --symmetric sales.txt
Enter passphrase: A hard to guess passphrase
Repeat passphrase: A hard to guess passphrase
[alice:~]$
Now, someone using `gpg --decrypt` will be prompted for a passphrase, only someone
who knows the passphrase Alice used will be able to decrypt her document.
Signing and Signature Verification
Being able to verify who sent a message is as important as the message itself. GNU
Privacy Guard allows users to place a digital signature on both plaintext and ciphertext to
validate their origin. In signing a file, GNU Privacy Guard uses the secret key to sign,
and the public key is used to validate the signature. Therefore, signed files can be verified
by anyone who has access to the sender's public key.
In this example, Alice has a simple plaintext message, called email.txt, which contains:
Lunch meeting at 1 o'clock
She's going to sign the message with "--clearsign", and then email it to me:
[alice:~]$ gpg --clearsign email.txt
You need a passphrase to unlock the secret key for
user: "Alice Q. Public (Cybergirl) "
1024-bit DSA key, ID 533F200F, created 2002-10-07
Enter passphrase:
GNU Privacy Guard creates a signed file called email.txt.asc, that can be emailed:
[alice:~]$ cat email.txt.asc
-----BEGIN PGP SIGNED MESSAGE----Hash: SHA1
Lunch meeting at 1 o'clock
-----BEGIN PGP SIGNATURE----Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE4zZTK5cg0BlM/IA8RAvF6AJ9mCL9LtPiB1sXvIjx02UAR3LsewwCdGVWg
HwNh4zVRIP+dBRI3XD17O4w=
=yHv6
-----END PGP SIGNATURE----[alice:~]$ mail bob@macroshaft.com < email.txt.asc
Upon reciept of this message, I can check to see if the signature is good by using the "-verify" option:
[bob:~]$ gpg --verify email.txt.asc
gpg: Signature made Mon Mar 13 20:24:26 2000 EST using DSA key ID
533F200F
gpg: Good signature from "Alice Q. Public (Cybergirl) "
The same message could also be encrypted and signed at the same time as:
[alice:~]$ gpg --armor --sign --output email.txt.asc \
--encrypt --recipient bob@macroshaft.com email.txt
You need a passphrase to unlock the secret key for
user: "Alice Q. Public (Cybergirl) "
1024-bit DSA key, ID 533F200F, created 2002-10-07
Enter passphrase:
Encrypted files that are also signed are verified during the decryption:
[bob:~]$ gpg --decrypt email.txt.asc
You need a passphrase to unlock the secret key for
user: "Bob Blather "
1024-bit ELG-E key, ID 61A19A5E, created 2001-09-10 (main key ID
76BF6FAD)
Enter passphrase:
Lunch meeting at 1 o'clock
gpg: Signature made Mon Mar 13 20:38:24 2000 EST using DSA key ID
533F200F
gpg: Good signature from "Alice Q. Public (Cybergirl) "
Note how when "--output" is not specified, the decrypted contents go to stdout.
Putting it all Together
To better illustrate the examples, I used the long options in this article. Most of the
options don't need to be written out in the long format. Here's a few of the more common
options, and their corresponding long and short option flag:
Option
Armor
Encrypt
Decrypt
Sign
Verify
Symmetric
Long Flag
--armor
--encrypt
--decrypt
--sign
--verify
--symmetric
Short Flag
-a
-e
-d
-s
-v
-c
This makes it a lot easier to type, as:
gpg --sign --encrypt --armor --recipient bob@macroshaft.com crypt.txt
is more easily invoked as:
gpg -sear bob@macroshaft.com crypt.txt
Graphical interfaces
GPA
GPA, the GNU Privacy Assistant is a graphical user interface for the GNU Privacy Guard
(GnuPG). This is the standard graphical front end, provided by the GnuPG project. With
GPA, you can view your keyring, import and export keys, generate keys, edit key
properties and encrypt, sign or decrypt documents. Installing GPA is easy. Download the
tarball, unpack and do the usual
./configure; make; make install
Start the program by typing
gpa
Seahorse
Seahorse is a GNOME front-end for GnuPG. It can be used for sign, encrypt, verify and
decrypt text and files. The text can be taken from the clipboard, or written directly in the
little editor it has. Seahorse is also a key manager, which can be used to edit almost all
the properties of the keys stored in your key rings. You can install Seahorse from a
Debian package (RPMs are not available at this time) or from the source tarball.
Installing from source is like any other package. Download, untar, configure and make
install. The installation puts seahorse in /usr/local and puts a menu item in the Gnome
'Applications' menu.
TkPGP
A nice graphical front-end is TkPGP, and might make GNU Privacy Guard easier to use.
Conclusion
GNU Privacy Guard allows you to take control of your confidential information and
ensures that your privacy is not violated. After all, the only ones who probably care about
your privacy are the ones trying to invade it.
URLs
GPG - http://www.gnupg.org
GPA - http://www.gnupg.org/(en)/related_software/gpa/index.html
Seahorse - http://seahorse.sourceforge.net/
TkPGP - http://www.geocities.com/tftp/tkpgp/tkpgp.htm
Related documents
Public key encryption, crypto hashes, and key management
Public key encryption, crypto hashes, and key management
Career-Lesson
Career-Lesson
GPG Encryption
GPG Encryption
RSA implementation by Tom Chiari
RSA implementation by Tom Chiari
HW9
HW9
Homework
Homework
Download
advertisement