You are on page 1of 15

4LNX2

openGPG

openGPG
Concepts
(Source: http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-1.html)

Public Key Encryption


Classic methods for encryption only use one key for encryption. The sender encrypts the message with this key. To be able to decrypt this, the receiver needs to have this very same key. This key must have been given to the receiver in a way, that others won't have had the opportunity to obtain this key. If somebody else does have the key, this method of encryption is useless. The use of so-called Public Keys can solve this problem. Public Keys is a concept where two keys are involved. One key is a Public Key that can be spread through all sorts of media and may be obtained by anyone. The other key is the Private Key. This key is secret and cannot be spread. This key is only available to the owner. When the system is well implemented the secret key cannot be derived from the public key. Now the sender will crypt the message with the public key belonging to the receiver. Then decryption will be done with the secret key of the receiver. Crucial in this concept is that the secret key remains a secret and should not be given away or become available to anyone else but the owner of this key. YOU CANNOT SEND THIS KEY OVER THE INTERNET. Also it is very unwise to use GnuPG over telnet (you might consider never to use telnet based on the high security risks).

Digital Signatures
In order to prove that a message was really sent by the alleged sender the concept of Digital Signatures was invented. As the name says a message is digitally signed by the sender. By using this signature you can check the authenticity of a message. Using this will reduce the risk for Trojan horses (a message that claims to be a patch to a certain problem but actually contains a virus or does something bad with data on your computer). Also information or data can be verified as coming from a legitimate source and thus be regarded as real. A digital signature is made through a combination of the secret key and the text. Using the senders public key the message can be verified. Not only will be checked if the correct sender is involved, also the content will be checked. So you know that the message comes from the sender and has not been changed during the transportation process.

Web of trust
A weak point of the Public key algorithms is the spreading of the public keys. A user could bring a public key with false user ID in circulation. If with this particular key messages are made, the intruder can decode and read the messages. If the intruder passes it on then still with a genuine public key coded to the actual recipient, this attack is not noticeable.

147699146.doc

4LNX2

openGPG

The PGP solution (and because of that automatically the GnuPG solution) exists in signing codes. A public key can be signed by other people. This signature acknowledges that the key used by the UID (User Identification) actually belongs to the person it claims to be. It is then up to the user of GnuPG how far the trust in the signature goes. You can consider a key as trustworthy when you trust the sender of the key and you know for sure that the key really belongs to that person. Only when you can trust the key of the signer, you can trust the signature. To be absolutely positive that the key is correct you have to compare the finger print over reliable channels before giving absolute trust.

Commands
gpg help options
To find out what options are available type the following; gpg --help

Creating keys
When you create a key with gpg it creates 2 keys public key secret/private key (need passphrase, and entropy)

You are asked during this process to select the type of key, the default is to use DSA and Elgamal. DSA is used for signing, it operates on message hash and uses public keys to decrypt signatures and compare. Elgamal is used for encryption and uses the public key system or asymmetric

Keys are located in the users home directory in /home/user/.gnupg/ secret key is kept in the file secring.gpg public keys are kept in the file pubring.gpg

To create your key type the following;


gpg --gen-key (use defaults for all) [fred@mail .gnupg]$ gpg --gen-key Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) 147699146.doc 2

4LNX2 Your selection? 1 DSA keypair will have 1024 bits. ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days

openGPG

<n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: Fred Derf Email address: fred@networking.pdn Comment: 4LNX2 You selected this USER-ID: "Fred Derf (4LNX2) <fred@networking.pdn>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. We need to generate a lot perform some other action utilize the disks) during random number generator a of random bytes. It is a good idea to (type on the keyboard, move the mouse, the prime generation; this gives the better chance to gain enough entropy.

...++++++++++++++++++++.+++++.++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++.++++++++++++++++++++...++ +++>++++++++++..................................+++++ 147699146.doc 3

4LNX2 We need to generate a lot perform some other action utilize the disks) during random number generator a

openGPG of random bytes. It is a good idea to (type on the keyboard, move the mouse, the prime generation; this gives the better chance to gain enough entropy.

+++++.+++++++++++++++.++++++++++++++++++++...+++++..++++++++++.+++++ +++++..+++++++++++++++++++++++++++++++++++.++++++++++.+++++.++++++++ +++++++.+++++.++++++++++>..++++++++++>+++++..>.++++ +..................................+++++^^^ gpg: key 078BBFEE marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 1u pub valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f,

1024D/078BBFEE 2009-04-08 1504 A499 8E14

Key fingerprint = A523 3623 55D8 B530 C852 078B BFEE uid sub

Fred Derf (4LNX2) <fred@networking.pdn> 2048g/4EDE3EF6 2009-04-08

[fred@mail .gnupg]$

List keys
To list your public keys type the following command; gpg --list-keys [fred@mail .gnupg]$ gpg --list-keys /home/fred/.gnupg/pubring.gpg ----------------------------pub uid sub 1024D/078BBFEE 2009-04-08 Fred Derf (4LNX2) <fred@networking.pdn> 2048g/4EDE3EF6 2009-04-08

To list your private key, type the following command;


147699146.doc 4

4LNX2

openGPG

[fred@mail .gnupg]$ gpg --list-secret-keys /home/fred/.gnupg/secring.gpg ----------------------------sec uid ssb 1024D/078BBFEE 2009-04-08 Fred Derf (4LNX2) <fred@networking.pdn> 2048g/4EDE3EF6 2009-04-08

The fingerprint is used to validate the key you have received from another user, this may be done over the phone or through some other means as long as you can guarantee that you are communicating with the keys owner. TRUST To list your fingerprint, type the following command; [fred@mail .gnupg]$ gpg --fingerprint /home/fred/.gnupg/pubring.gpg ----------------------------pub 1024D/078BBFEE 2009-04-08 1504 A499

Key fingerprint = A523 3623 55D8 B530 C852 8E14 078B BFEE uid sub

Fred Derf (4LNX2) <fred@networking.pdn> 2048g/4EDE3EF6 2009-04-08

Exporting key
You need to export your public key so that other users may add you to their keyring. To export your public key type the following command; gpg --export Notice how the key is send to STDOUT and that it is a binary file. We need to convert this file to ASCII so that it can be sent through email or published on a web page. To export your public key in ASCII format to STDOUT, type the following commad; gpg --export --armor To export your key as ASCII and to save to a text file type the following command;
147699146.doc 5

4LNX2

openGPG

gpg --export --armor >> freds.key cat freds.key

Importing keys
A public key may be added to your public keyring with the import option. Type the following commands to import another users public key and then confirm it has been added to your public keyring; [greg@mail ~]$ gpg --import freds.key gpg: key 078BBFEE: public key "Fred Derf (4LNX2) <fred@networking.pdn>" imported gpg: Total number processed: 1 gpg: imported: 1

[greg@mail ~]$ gpg --list-keys /home/greg/.gnupg/pubring.gpg ----------------------------pub uid sub 1024D/F708B71D 2009-04-08 Greg Lynch (4LNX2) <greg@networking.pdn> 2048g/54954A6A 2009-04-08

pub

1024D/BEDF6EB5 2009-04-08

uid Lecturer (4LNX2) <lecturer@networking.pdn> sub 2048g/3A88FFA9 2009-04-08

pub uid sub

1024D/078BBFEE 2009-04-08 Fred Derf (4LNX2) <fred@networking.pdn> 2048g/4EDE3EF6 2009-04-08

147699146.doc

4LNX2

openGPG

Validating keys
Once you have confirmed the fingerprint for a users public key you will want to validate this key to stop warning messages. Type the following command to validate a users public key;
[greg@mail ~]$ gpg --edit-key fred@networking.pdn pub 1024D/078BBFEE usage: SC created: 2009-04-08 trust: unknown sub 2048g/4EDE3EF6 usage: E created: 2009-04-08 expires: never validity: unknown expires: never

[ unknown] (1). Fred Derf (4LNX2) <fred@networking.pdn> Command> trust pub 1024D/078BBFEE usage: SC created: 2009-04-08 trust: unknown sub 2048g/4EDE3EF6 usage: E created: 2009-04-08 expires: never validity: unknown expires: never

[ unknown] (1). Fred Derf (4LNX2) <fred@networking.pdn> Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y pub 1024D/078BBFEE usage: SC created: 2009-04-08 trust: ultimate 147699146.doc expires: never validity: unknown 7

4LNX2 sub 2048g/4EDE3EF6 usage: E created: 2009-04-08 expires: never

openGPG

[ unknown] (1). Fred Derf (4LNX2) <fred@networking.pdn> Please note that the shown key validity is not necessarily correct unless you restart the program. Command> quit [greg@mail ~]$

Encrypting documents
To convert a plain text file to an encrypted file so that only a certain user may decrypt it, type the following commands; First create a text file to encrypt
[greg@mail ~]$ cat >> plain.txt Welcome to 4LNX2 I hope you have a good time See you after the holidays

Confirm the contents of this file


[greg@mail ~]$ cat plain.txt Welcome to 4LNX2 I hope you have a good time See you after the holidays

Encrypt the text file for the user fred derf


[greg@mail ~]$ gpg --encrypt --armor plain.txt You did not specify a user ID. (you may use "-r") Current recipients: Enter the user ID. Current recipients: 147699146.doc 8 End with an empty line: fred derf

4LNX2

openGPG

2048g/4EDE3EF6 2009-04-08 "Fred Derf (4LNX2) <fred@networking.pdn>" Enter the user ID. End with an empty line:

Notice now that we have two files, one plain text, one cipher text.
[greg@mail ~]$ ls freds.key plain.txt plain.txt.asc

View the contents of the cipher text file


[greg@mail ~]$ cat plain.txt.asc -----BEGIN PGP MESSAGE----Version: GnuPG v1.4.5 (GNU/Linux) hQIOAzsni5VO3j72EAf9HQ6MB0hpQOqCd9jBMEBVPWsi+xjjjYM9BYyJCAl760Of hQE+hPtiUSqrRUwMCCbm2TcdlPnNRa2m60pBHN4P0rjeGDjhs5ZfYskIHaEWyRH1 mCNWqHkxPpPHEl1CmVHZ463IG52d0pHHpeNTFHTmbohM/8sNVpnF4WQbEDLcyvSK nkpMbfIxzSJTDx5YwDM9cO8NZihYsQ8epz4xbK8lgwO/YHqfjk5iBvq9tHGUf3/d R6FmkRtn+sELk3vUhkfOHIGCH00VRy3Xv47XWogTDk+pIMwEtRV8qWlsUsY+Ld9b YkdQjRjC/f+rz5g1E8uHCetONgCgHC0VOBpbRXksgAf9GhxHeGFFFPmSQJuvPKL4 CJLpHUOFnec+4RceRKp/ZAASeSL2s9Izn9KpXWXw7vlEETs0kVCQL8PRGoi/UOoT 4XFnjeIP5Dv2BrQDWBpR2Anf9huJZA0Xj7O2SiRYac4nwMP99gXItar+QNDa4jog nWh0e6O/uo6xx7MfITp8I3WvfwdvcCVVFm6wZPut6kstnsuxIEmHMNg7g4lfWV+3 PwPcAHtd6MnoZ10s97KarSmnJBn7fLnyPFdXVw3AnejgdVKUeMNOl2J/b9hK/rDv 0brgGZ7zdWD3cb0/BatH0ZDONzUho6Rriwuj62EoyPysKWpPlEtYwjUF88EXL/0d IdKHAezSEAwpYk4hhX31rTTCLK4AIuJDfx2n4vJXT2WbLJIGkQKjgxpWj4bQ97eU d3uMT98Xm0pu6gAMmYr+hj+TdO9VUkUYpCPtYssOJejjmLpgx6NXZFtXJuUQ7fkP zGs+2Fj8mYc3kxlKYffv0M6ioVVCGql8pmrT+yd/WY9SmPCGaQb6q6Xf =eJFc -----END PGP MESSAGE----[greg@mail ~]$

147699146.doc

4LNX2

openGPG

Email this file to the user fred. Since this file has been encrypted with freds public key he will be able to use his private key to decrypt the plain.txt.asc (ciphertext file) back to plain text. Enter the following commands to decrypt the file;
[fred@mail ~]$ ll -rw-rw-r-- 1 fred fred 2094 Apr 9 01:26 plain.txt.asc

[fred@mail ~]$ gpg plain.txt.asc (note with the --decrypt option the file will be decrypted to STDOUT) You need a passphrase to unlock the secret key for user: "Fred Derf (4LNX2) <fred@networking.pdn>" 2048-bit ELG-E key, ID 4EDE3EF6, created 2009-04-08 (main key ID 078BBFEE)

gpg: encrypted with 2048-bit ELG-E key, ID 4EDE3EF6, created 200904-08 "Fred Derf (4LNX2) <fred@networking.pdn>" [fred@mail ~]$ cat plain.txt Welcome to 4LNX2 I hope you have a good time See you after the holidays [fred@mail ~]$

Digital Signatures
A digital signature certifies and timestamps a document. If the document is subsequently modified in any way, a verification of the signature will fail. A digital signature can server the same purpose as a hand-written signature with the additional benefit of being tamperresistant. This will encompass message with itself with signature Type the following command
[greg@mail ~]$ ls plain.txt 147699146.doc 10

4LNX2 [greg@mail ~]$ gpg --encrypt --armor --sign plain.txt You need a passphrase to unlock the secret key for user: "Greg Lynch (4LNX2) <greg@networking.pdn>" 1024-bit DSA key, ID F708B71D, created 2009-04-08 You did not specify a user ID. (you may use "-r") Current recipients: Enter the user ID. Current recipients: End with an empty line: fred derf

openGPG

2048g/4EDE3EF6 2009-04-08 "Fred Derf (4LNX2) <fred@networking.pdn>" Enter the user ID. End with an empty line:

Check to see the created file


[greg@mail ~]$ ls plain.txt plain.txt.asc

Output the file to STDOUT


[greg@mail ~]$ cat plain.txt.asc -----BEGIN PGP MESSAGE----Version: GnuPG v1.4.5 (GNU/Linux)

hQIOAzsni5VO3j72EAf+Pd2g7MgapbtLoKNPO5Uo9RM+xpoOppium1LJXIQDmHhf z+aqaEUCBImK3N5ke1oQYJKsQDTjeBJIXgCsS/eYAKAQT4L+AJZgwef0/8GxTg0G Z4ihUxkMaMlnW/LGWgm520DO7j5a+CR5vsdWMi0Tq8VYBrYw+kW+GfhyIOdDqCCq 0UMFSMa4noY1rE6X9IPmf8p3tLRmavHA7ppiPEUfWr4NWJUgQntsfUtnFhFKRGs0 oIJ6Zmo6t8y5ITkDlYl/V0dqD1LA6UsEmbWuPhsaRveMmTRU9iFGgdRCQExeHgZk 9sxblln1ImxvS5oen2bgCHbGYAVcb04L0PtMNo0iKwf/Rn4i/PaMQgPlm6O+VC50 DDFxVpQ8gr137XTjvTAj+hZIfRDe4hFhiT2thyofHSIRgmVhseP3SA6JXj1g+uT+ mVhVLYDFI39fp8sluTfRd1uDQpwLm055+DoUCzaGOi1+yeh5G/1+mlzUmG3b1nRo RF+jigD5j1rB10urHxf/zL61x12CmDB73AZstGSNPWAoFq4rjnv7XTDXCdRmqCKp 147699146.doc 11

4LNX2

openGPG

089XXAzxAAK3wIil5wPYM9V1Tl6ZLA2BbtBgVYvY0RymE+lEIFelR2zZjCSKk9Gu jIgJ0uU/P5pkEdd7bLMae3EIgr/oUbGR+y8B3r0k3H+HwZnTlSQoz0i/BKAzrt4H O9LqAbQ4tjcA+whU9HzVqkEDN7nwkxPAj9yM3DQj3jHRBGSXJ8aYQr1YQqU/srKS auK5xKNmqtxEW2KeDoDVt9iYroQSSgd6ka2PZlfwcsn21EHq3EdUFKu1DyEYTQ93 v5BG1FNbCXP3h8Vp7x7CHrp5ZB+28PVUYugUlBn69sRhg/AMx6gfkvveogAQTfLN G91MGO5Wiv+hsyZ4sY2wHM/q/ho9d92n31ixBxUjRwL7tK2KNjgOD2EVEgFJCX48 QT1AKFn1yhxQ05rd6SqAtNBIYNcgYNjC/lzUIjopCAC23eNqgdfvS/9CYgz/aH9F f2EmTCA8L8hUv7IxGimdb4L/dPIS6UoNPBrCMkPfEPDLFV801fg2sXwizf28QN8W smNCVzeSSZ0qlpTC5ksqtnRNElcJx1DNt4CVbiOd5M5oWq9B/aWhYZ8DHZ9p7XPu YRI2dSkyn8/DrlSsz8c8WLkCNficv6aSyz7wTU2EDVSNr9JMvXdMguknhagpK05F v4WJm68j3SS2BhVA7ZdLKD8RrFWGMzdHuUJNIK1/RNgkEPy1oHCH1maGouyXchSl CA4SQIjQWYKp9fpsUfnrm06WThKz58xD3WH2+512Lh2f10e1ibvqoMgdwO+1KA/N HU99jASDSpGzl/iScuPkmcxwySBrMxEJGkWSBr6OAAQBO4LTlRMwr1m7i+NyyGvU lgiuZox7EH/iCIC01WpJ2wZXJFUvX6HKSHSd/+XuSBWy1a/T95Fwo/Z53gbD7VsL c6p4u7iYR6pUTc2Q4N8zKU8iwI0eq/EcbyFDgxGwyo1sax7iAB8QwCd9G60klMO2 QwQO922w9vtZiMNV8AuEDgq6gbE0Zb9VdaUMia3mYRCZq63RKgu1uNHjD1tvJXl3 f3QjDqe0cllma/Z1joCPELR5ET7JXfzXhjEA0eru44UKv+1UgoEIdvPxYLveaCGJ 9CcepxT/DTzMtejgd2IhVC6l13J8x1jOubcuvdQ9fvhZ22niCisfVpgVkdBs/ylC M7vwozhEMT8IJ15nMvFl92XOCUnz3JCZtOE+KQv3T/Xo5LJgEFWj0givg56+Tt+6 EWu86yyjTlBS9aAR4tyLKzrQrKFFSNBVzWTumHcNLTFp8QCyJ2rg3TOA0v8zeyWE i791yXp/zF78lk35aHBcQ3QNZeHA2Wo0vWXIclWv1FmcLMpY13KN8UPhiAcvz24Y s1JhofxgA8AZ2pFtK2icrDeuJAhYXpYhe67Ky2JH6Ra2uZl1K2YjDGZ8RM/k2foe +IaVyQ3TByMh2cJwU3kaVU3FQeDrzPxvYYDY34HXxQtQlMzskZPfTqL8rhY2xaaw 3+IHx+v3XVN1tAh/37+XPv4Tsic/VeCq5LQP8DiL20vMrbY5vUV3mwa81F2s5cvc UiRZDG3QJRGQDRY= =jPS8 -----END PGP MESSAGE----[greg@mail ~]$

147699146.doc

12

4LNX2

openGPG

Email this file to the user

Evolution
To get evolution to automatically sign your emails every time you send an email do the following steps. First obtain your key ID by typing the following command; gpg --list-keys

Start Evolution 1. Click Edit > Preferences, then click Mail Accounts 2. Select the account you want to use securely, then click Edit 3. Click the Security Tab 4. Specify your key ID in the PGP/GPG Key ID field (eight character string) 5. Click OK 6. Click Close Send an email to someone.

147699146.doc

13

4LNX2

openGPG

Class Activity
1. On you computer create a user provided by you lecturer (note this account should match the user account created on the MTA (mail server) useradd greg passwd greg

2. Install evolution if it is not already installed yum install evolution

3. Change your network to P and restart your network interfaces service network restart ifconfig (confirm you have a IP address with on the 10.70.0. network

4. Logout of root 5. Login as the user you created in step 1 6. Open terminal and make gpg keys for your user (use email account from mail server of <user>@networking.pdn) 7. Export your public key as a text file 8. Configure evolution to connect to the mail server email account <user>@networking.pdn Receiving email Server type: POP Server: mail.networking.pdn Sending email Server type: SMTP Server: mail.networking.pdn Uncheck: Server requires authentication Finish

9. Send an email to yourself to test sending and receiving email. 10.Send an email to the lecturer with your public key, also asking them for their public key 11.Import the lecturers public key and trust it.

147699146.doc

14

4LNX2

openGPG

12.Encrypt a text file for the lecturers then email the cipher text to the lecturers email account asking for confirmation that he was able to decrypt the message. 13.Configure evolution to sign all outgoing email messages. 14.Do the above steps 10 - 12 with a user next to you.

147699146.doc

15