Public Key Cryptography:
http://www.wvu.edu/~lawfac/mmcdiarmid/digital%20signatures.htm - older reference, but pretty easy to understand
http://www.lugod.org/presentations/pgp/ - good introduction and beginners guide
http://www.linuxjournal.com/article.mydivision?sid=4828 GPG the Best Free Crypto You Aren't Using, Part I of II
http://www.linuxjournal.com/article.mydivision?sid=4892 GPG the Best Free Crypto You Aren't Using, Part II of II
http://computer.howstuffworks.com/question571.htm
http://computer.howstuffworks.com/encryption.htm
gpg usage: http://www.rhce2b.com/clublinux/RHCE-38.shtml
GPG notes:
http://www.gnupg.org/ - GNU Privacy Guard
If the --output option is not specified, gpg will usually write contents to stdout (the screen). You can also do file redirection to route the output to a file. The exception to this is the default decryption option:
gpg [filename]
The above syntax will decrypt the file to the original unencrypted filename. You can add other options to this command.
You encrypt with someone's public key, they decrypt with their secret key. Give your public key out to those that want to send you encrypted files/messages. Then only you (or anyone that has your secret key, which should be no one but you) can decrypt and view the file.
[name] = name, email address or identifier of the key. The email address is usually the best one to use because it's usually the most unique identifier.
files:
gpg.man -- man page for gpg (lists all switches)
gpg.conf -- found in c:\gnupg (see readme.w32), contains all config options
If you receive the following when decrypting a file, then there is probably a compatibility problem with the other user's signature, usually nothing to worry about: "WARNING: message was not integrity protected". To prevent the message from appearing, use the --no-mdc-warning option on the gpg command line or put the following in the gpg.conf file: no-mdc-warning
On the Windows platform, be sure to include the following option in gpg.conf or on the command line:
--no-mangle-dos-filenames
The Windows version of GnuPG replaces the extension
of an output filename to avoid problems
with filenames containing more than one dot.
This is not necessary for newer Windows versions
and so --no-mangle-dos-filenames can be used to
switch this feature off and have GnuPG append
the new extension. This option has no effect on
non-Windows platforms.
NOTE: Any options specified in the configuration file (gpg.conf) should NOT have the double dashes at the beginning of them.
gpg.conf example file:
no-mdc-warning
no-mangle-dos-filenames
load-extension lib\idea
Generating a new key pair:
gpg --gen-key
The default way we have been creating the keys is:
kind of key you want: (1) DSA and ElGamal (default)
keysize: 2048
expiration: 0 -does not expire
"Real name": mycompany
email: mydivision-{vendor}@mycompany.com where {vendor} is the vendor's name.
comment: mydivision - mycompany (usually)
Displaying/listing keys:
list all secret keys on the system:
gpg --list-secret-keys
list all public keys on the system:
gpg --list-keys
Importing keys:
to import an exported public or secret key into the appropriate keyring on this system:
gpg --import keyfile_to_import
Exporting:
use --armor option if sending key via email or if vendor requires ASCII armored data.
to export a public key; don't specify a name if you want to export all:
gpg --output filename.key --export [name]
to export a secret key; don't specify a name if you want to export all:
gpg --output filename.key --export-secret-keys [name]
Always export any keys before using them. This keeps a backup of all keys in case you screw up (you probably will too!). You can use the following as a template, replacing {vendor} with the vendor's name, and paste the text directly to the shell.
gpg --output mydivision-{vendor}@mycompany.com-public.asc --armor --export mydivision-{vendor}@mycompany.com
gpg --output mydivision-{vendor}@mycompany.com-public.key --export mydivision-{vendor}@mycompany.com
gpg --output mydivision-{vendor}@mycompany.com-secret.asc --armor --export-secret-keys mydivision-{vendor}@mycompany.com
gpg --output mydivision-{vendor}@mycompany.com-secret.key --export-secret-keys mydivision-{vendor}@mycompany.com
NOTE: In some cases the vendor can't use certain algorithms such as AES192, AES256, etc. In these cases you will need to edit the key after generating it and export the key in order to disable or restrict use of the particular "problematic" algorithms. Instructions below:
gpg --edit-key [name]
setpref S3 S2 S1 H2 H3 Z2 Z1 (This string was used for Express-Scripts because of their requirement)
(do a setpref xx xx; or whatever algorithms/options you want included. Include all options except the ones you want to disable.)
updpref
save
List the algorithms/options on the key:
gpg --edit-key keyid showpref quit (long verbose format)
gpg --edit-key keyid pref quit (short terse format)
List of options/preferences to use on keys:
s2 = 3des
s3 = cast5
s4 = blowfish
s7 = aes
s8 = aes192
s9 = aes256
s10 = twofish
s1 = idea (if you use it, otherwise leave out)
h3 = ripemd160
h2 = sha1
h1 = md5
z2 = zlib
z1 = zip
z0 = no compression
Encryption:
When encrypting a file, you can use multiple -r (recipient) options if needed. To decrypt the file, the secret key that corresponds to the public key used to encrypt the file will be needed.
The following example will create an encrypted file with a .gpg extension.
gpg -r info@claimsnet.com --encrypt-files encrypt-test.txt (preferred method)
gpg --output output_filename -r [name] --encrypt filename_to_encrypt
for interactive prompt asking which key to use to encrypt:
gpg --output output_filename --encrypt filename_to_encrypt
When using a key to encrypt for the very first time, you will see text similar to the following:
gpg: checking the trustdb
gpg: checking at depth 0 signed=1 ot(-/q/n/m/f/u)=0/0/0/0/0/7
gpg: checking at depth 1 signed=0 ot(-/q/n/m/f/u)=1/0/0/0/0/0
Decryption:
to decrypt a file (you must have the secret key that matches the public key that was used to encrypt the file):
gpg filename_to_decrypt -- decrypt file and write to original filename (preferred method)
or
gpg --output output_filename --decrypt filename_to_decrypt
if you don't have the secret key for an encrypted file you'll get the error: "gpg: decryption failed: secret key not available"
signing a key:
gpg --local-user mydivision-claimsnet@mycompany.com --sign-key info@claimsnet.com
-- it will ask for level of trust. Choose the highest level of trust. (3)
After you receive someone's public key (whom you trust) you can sign it. If you don't, you'll get the following message every time you try to encrypt something with their public key:
gpg --output encrypt-test.pgp -r info@claimsnet.com --encrypt encrypt-test.txt
gpg: C458F397: There is no indication that this key really belongs to the owner
1024g/C458F397 2001-02-28 "Claimsnet.com Inc. <info@claimsnet.com>"
Primary key fingerprint: 1254 FD28 5BF7 DF69 CD02 9072 4155 8840 575F 950E
Subkey fingerprint: 0164 29BF CEB1 96B6 91AC FF76 CE41 BAAA C458 F397
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes
Use this key anyway? n
gpg: encrypt-test.txt: encryption failed: unusable public key
After you sign the recipient's key, you won't get this error message when encrypting a file.
marking keys as trusted (need to do this when we import our keys into new keyring file):
gpg --edit-key mydivision-esi@mycompany.com
Command> trust
Your decision? 5
Do you really want to set this key to ultimate trust? y
Command> quit
Changing the passphrase of the secret key (in case of lost/stolen key):
gpg --edit-key mydivision-esi@mycompany.com
Command> passwd
Enter passphrase: ****
Enter the new passphrase for this secret key.
Enter passphrase: *******
Repeat passphrase:*******
Command> save
Deleting/removing keys no longer needed:
Recommend exporting the keys first before deleting them.
delete secret key:
gpg --delete-secret-keys [name]
delete a public key:
gpg --delete-keys [name]
delete both secret and public key pair:
gpg --delete-secret-and-public-key [name]
--delete-secret-and-public-key name
Same as --delete-key, but if a secret key
exists, it will be removed first. In batch mode
the key must be specified by fingerprint.
AUTOMATION:
To automate/batch decrypt files, use the following options. MAKE SURE that the gnupg directory is secured well, and keep the "passphrase-file" in the same directory or another secure directory:
--passphrase-fd n
Read the passphrase from file descriptor n. If
you use 0 for n, the passphrase will be read
from stdin. This can only be used if only
one passphrase is supplied. Don't use this
option if you can avoid it.
ex:
type passphrase-file | gpg --passphrase-fd 0 [filename_to_decrypt]
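The pipe above only hands gpg the passphrase; an unattended job also has to decide whether the result can be trusted. The following Python wrapper is an added example, not part of the original notes: it runs the same decryption with --batch and --status-fd and accepts the output only if gpg reported DECRYPTION_OKAY and GOODMDC, so a file that would produce the "message was not integrity protected" warning is rejected rather than passed on. The function names, the sample status lines and the placeholder key ID are assumptions made for illustration.

```python
import os
import subprocess

PREFIX = "[GNUPG:] "  # every machine-readable status line starts with this

def parse_status(text):
    """Map each status keyword to the list of argument strings seen for it."""
    seen = {}
    for line in text.splitlines():
        if line.startswith(PREFIX):
            keyword, _, args = line[len(PREFIX):].partition(" ")
            seen.setdefault(keyword, []).append(args)
    return seen

def judge_decryption(status_text, require_mdc=True):
    """Return (ok, reason) from the status lines of one gpg decryption."""
    seen = parse_status(status_text)
    if "BADMDC" in seen:
        return False, "integrity check failed"
    if "DECRYPTION_FAILED" in seen or "DECRYPTION_OKAY" not in seen:
        if "NO_SECKEY" in seen:
            return False, "secret key not available: " + ",".join(seen["NO_SECKEY"])
        return False, "decryption failed"
    # NO_SECKEY beside DECRYPTION_OKAY is harmless: another recipient's key.
    if require_mdc and "GOODMDC" not in seen:
        return False, "message was not integrity protected"
    return True, "ok"

def decrypt_batch(src, dst, passphrase_file, gpg="gpg"):
    """Decrypt src to dst unattended; dst is deleted unless the verdict is ok."""
    if os.path.exists(dst):
        return False, "output file already exists"
    # GnuPG 2.1+ also needs "--pinentry-mode", "loopback" for --passphrase-fd.
    cmd = [gpg, "--batch", "--status-fd", "2", "--passphrase-fd", "0",
           "--output", dst, "--decrypt", src]
    with open(passphrase_file, "rb") as pf:
        proc = subprocess.run(cmd, stdin=pf, stderr=subprocess.PIPE)
    ok, reason = judge_decryption(proc.stderr.decode(errors="replace"))
    if ok and proc.returncode != 0:
        ok, reason = False, "gpg exited with status %d" % proc.returncode
    if not ok and os.path.exists(dst):
        os.remove(dst)
    return ok, reason

# Constructed status output (placeholder key ID), not captured from a real run.
SAMPLE_NO_MDC = """[GNUPG:] DECRYPTION_OKAY
gpg: WARNING: message was not integrity protected"""
SAMPLE_NO_KEY = """[GNUPG:] NO_SECKEY 0123456789ABCDEF
[GNUPG:] DECRYPTION_FAILED"""
```

Pass require_mdc=False only for a vendor whose software cannot produce integrity-protected messages.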
Signatures:
Signatures are basically good for verifying the authenticity of message/file/whatever.
clearsign (good for emailing), example:
hp.txt contents (in courier new font) before signing:
This is a test file...
gpg --local-user mydivision-abf@mycompany.com --clearsign hp.txt
after signing it will create a file named: hp.txt.asc:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is a test file...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
iD8DBQFAfUxLl6vRH9ZI4QMRAtgiAKCLxmq7CTTsgmpd1EiZgpxgubwBTwCeO3+A
cFMS25BXJHSobsWcLql+sR8=
=BFyt
-----END PGP SIGNATURE-----
verify signature (must have public key in keyring to do this):
gpg --verify hp.txt.asc
in the case of a detached signature, by putting the signature file first:
gpg --verify file.sig file
Log of a session running gen-key (bold ours):
C:\>gpg --gen-key
gpg (GnuPG) 1.2.4; Copyright (C) 2003 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: mycompany
Email address: mydivision-mckession@mycompany.com
Comment: mydivision - mycompany
You selected this USER-ID:
"mycompany (mydivision - mycompany ) <mydivision-mckession@mycompany.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? e
Email address: mydivision-othercorp@mycompany.com
You selected this USER-ID:
"mycompany (mydivision - mycompany ) <mydivision-othercorp@mycompany.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.++++++++++.+++++++++++++++++++++++++++++++++++..++++++++++.+++++...++
+++.+++++.++++++++++.+++++.+++++..+++++....+++++++++++++++++++++++++.+++++......
.........>+++++......>+++++............<+++++.................>+++++.<+++++.....
................................................................................
................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++++++++++++...++++++++++++++++++++.+++++.+++++..+++++++++++++
++.+++++++++++++++.+++++++++++++++.+++++.+++++++++++++++.++++++++++.....+++++.++
+++>.+++++.+++++>+++++..........................................................
...................................+++++^^^
public and secret key created and signed.
key marked as ultimately trusted.
pub 1024D/51CF3CC5 2004-04-23 mycompany (mydivision - mycompany ) <mydivision-othercorp@p
Key fingerprint = 9982 34EB 114A 6A4D 8EC5 9FB8 98A8 F30F 51CF 3CC5
sub 2048g/DF7989E4 2004-04-23
getting a public key from a keyserver:
gpg --keyserver http://pgp.mit.edu --search-keys dd9jn@gnu.org