RSS feed RSS   ATOM feed Atom


GPG/PGP Basics · 12 September 2005, 08:29 by Admin

Recently someone asked me for a GPG or PGP public key so that they could send some sensitive material to me by email. I understood what they meant, but inwardly I groaned because I’ve just never had any reason to use public key encryption, and had no idea how to create the key or decrypt what would be sent back to me. Looking at “man bgp” on my Linux box didn’t make me feel any better, and a Google search for gpg docs didn’t immediately turn up anything that wasn’t techno gobbledy-dee-geek. Eventually (after I had figured out the basics by trial and error), I did find GNU Privacy Guard HandBook, which probably would have gotten me up to speed a little faster, but which still was more than I needed to know at the moment. This, therefore, is a quick introduction so that you don’t have to get a headache from the man page as I did. After learning what is presented here, you can visit the GNU page for more in depth coverage.
Public key, private key

The basic concept is this: You generate a pair of matched keys. One of these is referred to as your “Public” key, and the other as “Private”. You give the Public key to anyone who asks for it; you can even publish it on your web site. You keep your Private key secret, locked up on your own computer. A document (a text or binary file) can be encrypted using either key, and is decrypted with the other. The choice of which key to use to encrypt depends upon your purpose.

For example, if you want to send me something, you’d encrypt it using my public key. No one else can decrypt it; only my private key will work. On the other hand, I might be concerned that it really is you sending me a message. In that case, you’d encrypt your message using your private key (this is called “signing”). If I can decrypt it with your public key (presumably I somehow obtained that key and trust that it really is yours), I know that the message really came from you.
An example

You can test this all out on one computer using two (or more) user accounts. I’m going to assume that user “tom” wants to send an encrypted message to user “marge”. The first thing Marge needs to do is generate her keys:

[marge@apl marge]$ gpg—gen-key
gpg (GnuPG) 1.0.6; Copyright© 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!
gpg: /home/marge/.gnupg: directory created
gpg: /home/marge/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file

Because Marge has never created a key before, gpg just creates what it needs and tells her to run it again:

[marge@apl marge]$ gpg—gen-key
gpg (GnuPG) 1.0.6; Copyright© 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!
gpg: /home/marge/.gnupg/secring.gpg: keyring created
gpg: /home/marge/.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:

(1) DSA and ElGamal (default)

(2) DSA (sign only)

(4) ElGamal (sign and encrypt)
Your selection? 1

DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.

minimum keysize is 768 bits

default keysize is 1024 bits

highest suggested keysize is 2048 bits
What keysize do you want? (1024)
Requested keysize is 1024 bits
Please specify how long the key should be valid.

0 = key does not expire

= key expires in n days

w = key expires in n weeks

m = key expires in n months

y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:

“Heinrich Heine (Der Dichter)

Real name: Marge
Email address: marge@aplawrence.com
Comment: Marge’s GPG key pair
You selected this USER-ID:
“Marge (Marge’s GPG key pair)

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

Enter passphrase: Sbr6wh wscartBM, iscaa2d
Repeat passphrase: Sbr6wh wscartBM, iscaa2d
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++++++++++++++++++++++.+++++++++++++++..+++++++++++++++++++++++++++++++++++....++++++++++.++++++++++++++++++++++++++++++.+++++.++++++++++>++++++++++>++++++++++
public and secret key created and signed.

(See Random Numbers also)

The passphrase entered should be a tough password. It can contain spaces, there’s no limit on its length, but of course you will need to remember it. I use mnemonic aids to generate passwords and passphrases. For example, the passphrase above comes from this:

She’ll be riding six white horses when she comes around that Big Mountain, if she comes at all today

Fairly easy for me to remember, but a good, tough passphrase.

If you are working on a single-user machine, you probably will need to switch away and generate some activity to get the keys created. Once that’s done, Marge can list her keys:

[marge@apl marge]$ gpg—list-keys
gpg: Warning: using insecure memory!
/home/marge/.gnupg/pubring.gpg———————————————pub 1024D/FBE5BA2A 2001-11-17 Marge (Marge’s GPG key pair)
sub 1024g/78681206 2001-11-17

Now she’s ready to create the public key that she will send to Tom. We assume for the moment that she has a perfectly secure way of getting it to Tom so that Tom really knows it came from her; for example, she physically hands him a CD which has the key on it. She could also publish it on her web page (there’s more information about how to do that securely at the GNU Privacy Guard page referenced above) or (more likely), she just emails to him (she could also use a Public Key Server; see the GNU page for more on that). Email is not completely unreasonable: it doesn’t matter if someone else intercepts and reads that email, because all it contains is the public key. That key is only useful for sending documents that Marge (and only Marge) can decrypt; stealing it does not let you impersonate Marge. What Tom has to be concerned about is someone forging email that pretends to be from Marge but that actually contains a forged public key: if Tom used that to encrypt his data, and the forger could intercept that transmission also, the forger could decrypt the data (and of course Marge could not!). So what Tom probably should do (if he’s really worried about this) is call Marge on the telephone and ask her to read some of her key.

Here Marge prepares her public key:

[marge@apl marge]$ gpg—armor—export marge@aplawrence.com > mypk
gpg: Warning: using insecure memory!
[marge@apl marge]$ cat mypk——BEGIN PGP PUBLIC KEY BLOCK——Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDv2vMARBACPHwe3BXmJXF5dvXxGEuxYIbYoY2naOmaArFsv1Pgl3GqhhAP7
GTGvN4A4Xo80S8i8mrSsseHE/RD7F2PS045dzP/LbDcI7EqnfU2BDoIfEmTsTupl
BKjOJUh7luhFbj2gdpbmmTUD/1BBKd42pIk/GPUcynMS9TG4kUyB6UdtRF7NydYP
o4T+0fIY8mbh5VRigoVVsukX8xuI+QaS5iB/D4j36+zk/iRy171dY43OuwCgm6rQ
a8vmmGDyCCUWFX0PVlQn5MMf97GadIAGgh1pdD7bMfB4FI84TyhNHuBDTCn0Ysff
not_a_public_key_but_other_than_this_line_it_looks_like_this_xxx
bRmMA/9E/EGJnyYWdHtTerx+H8qacP183SrRFQDqSkOM61P4iDIWcZCOqlHCv7Br
Rmf7Ug9I4RkD5qqWkpWY0ugcSbuoFx0f7AGckOOWWVq4ddQStAsOhlMQ4ahOu7mB
cmVuY2UgKExpbmRhJ3MgR1BHIGtleSBwYWlyKSA8bGluZHlAcGN1bml4LmNvbT6I
dVJeXzVTKHnMTGUqutPpmro/txW3M4Z3/0gsOGySxlob0MOQcbQ4TGluZGEgTGF3
VwQTEQIAFwUCO/a8wQULBwoDBAMVAwIDFgIBAheAAAoJEAymPu375boq1fkAniuK
EAQAj8E9riM9UUI2fc3Of/5khuEi2nbT2xD2//FUVQh4uKXd4iQXW3z55ZbJnJ1E
Nk6xIPHx0kQUEcUxdRSK0rikAJ9bB4o+oZ9wqJubKMHII1K1BunTuLkBDQQ79rzF
bZ+TGMKFOgoxEGAeIcf/XD0/zRDOvdKuLsIZjlNl3uqChXgeznCFU4kviuGdSeDK
vcx/cR7NgfAn2JUKnhcf/sf01WRM43TbSZP5+5ZXk7zZWZItp+STRHYUketXwFk/
LWn2jrjbFpcBswgXZ1Vq7Hrbi027y4×6KIhKZ0rfGsXDYxsAAwUD/jCF25xvDrU9
W5mjSmWy1f+Hn5q/RQAChIAgEEwWMpaHLXixyI+xE+kXvowDYdbmQWruJS1BGKDF
/JibHwSp15ZzGQivpX/Dul4/nks3xYy7iEYEGBECAAYFAjv2vMUACgkQDKY+7fvl
uiqY4ACcCga6MsB3DhSLEO6Fse09UujGwUMAmwY9skYtEZDAFXBlcpov1wYzFAhh——END PGP PUBLIC KEY BLOCK——[marge@apl marge]$

Using Marge’s Public Key

To use Marge’s public key, Tom first has to “import” it. Tom already has his own keys created:

[tom@apl tom]$ gpg—list-keys
gpg: Warning: using insecure memory!
/home/tom/.gnupg/pubring.gpg——————————————pub 1024D/16B478D3 2001-11-17 Tommy (Tommy Boy)
sub 1024g/1E5CDE3C 2001-11-17

To add Marges public key, Tom does this (he’s saved the file as “margepk”):

[tom@apl tom]$ gpg—import margepk
gpg: Warning: using insecure memory!
gpg: key FBE5BA2A: public key imported
gpg: /home/tom/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg: imported: 1

Now when he lists keys, he has Marge’s:

[tom@apl tom]$ gpg—list-keys
gpg: Warning: using insecure memory!
/home/tom/.gnupg/pubring.gpg——————————————pub 1024D/16B478D3 2001-11-17 Tommy (Tommy Boy)
sub 1024g/1E5CDE3C 2001-11-17

pub 1024D/FBE5BA2A 2001-11-17 Marge (Marge’s GPG key pair)
sub 1024g/78681206 2001-11-17

Tom has done all that he really needs to do. The next step is recommended but not strictly necessary:

[tom@apl tom]$ gpg—edit-key marge@aplawrence.com
gpg (GnuPG) 1.0.6; Copyright© 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!

pub 1024D/FBE5BA2A created: 2001-11-17 expires: never trust: -/q
sub 1024g/78681206 created: 2001-11-17 expires: never
(1). Marge (Marge’s GPG key pair)

Command> fpr

pub 1024D/FBE5BA2A 2001-11-17 Marge (Marge’s GPG key pair)

Fingerprint: C294 A900 C769 2AEF C951 2434 0CA6 3EED FBE5 BA2A

Command> sign

pub 1024D/FBE5BA2A created: 2001-11-17 expires: never trust: -/q

Fingerprint: C294 A900 C769 2AEF C951 2434 0CA6 3EED FBE5 BA2A

Marge (Marge’s GPG key pair)

Are you really sure that you want to sign this key
with your key: “Tommy (Tommy Boy)

Really sign? y

You need a passphrase to unlock the secret key for
user: “Tommy (Tommy Boy)
1024-bit DSA key, ID 16B478D3, created 2001-11-17

Enter passphrase: (Tom enters his passphrase here)
Command> quit
Save changes? y

What Tom did was add Marge to his “trusted” keys- keys that he is sure came from who they were supposed to. As I said, it’s not absolutely necessary, and you can read more about it at the GNU Privacy Guard Page.

Now Tom is ready to encrypt his data:

[tom@apl tom]$ gpg—out secrets_to_marge—encrypt secrets
gpg: Warning: using insecure memory!
You did not specify a user ID. (you may use ”-r”)

Enter the user ID: marge@aplawrence.com
[tom@apl tom]$ ls -l sec*
rw-r-r— 1 root root 5940 Nov 17 15:21 secrets
rw-rw-r- 1 tom tom 2738 Nov 17 15:22 secrets_to_marge
[tom@apl tom]$

Tom can now send “secrets_to_marge” with safety: only Marge can decrypt the data.

When Marge gets it, she’ll decrypt it like this:

[marge@apl marge]$ gpg—output secrets_from_tom—decrypt secrets_to_marge
gpg: Warning: using insecure memory!

You need a passphrase to unlock the secret key for
user: “Marge (Marge’s GPG key pair)
1024-bit ELG-E key, ID 78681206, created 2001-11-17 (main key ID FBE5BA2A)

Enter passphrase: Sbr6wh wscartBM, iscaa2d
gpg: encrypted with 1024-bit ELG-E key, ID 78681206, created 2001-11-17

“Marge (Marge’s GPG key pair)
[marge@apl marge]$ ls -l sec*
rw-rw-r- 1 marge marge 5940 Nov 17 16:09 secrets_from_tom
rw-rw-r- 1 marge marge 2738 Nov 17 16:09 secrets_to_marge
[marge@apl marge]$

That’s it. GPG is actually pretty simple, and nothing to get a headache over. Please do read the GNU Privacy Guard HandBook for a far more complete treatment of this subject.

Taken from http://aplawrence.com

Previous Article :: Understanding PAM Previous Article :: Understanding PAM
Next Article :: Controlling core files (Linux) Next Article :: Controlling core files (Linux)