openGPG
Concepts
(Source: http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-1.html)
Digital Signatures
To prove that a message was really sent by the alleged sender, the concept of digital signatures was invented. As the name says, a message is digitally signed by the sender, and with this signature you can check the authenticity of the message. This reduces the risk from Trojan horses (a message that claims to be a patch for a certain problem but actually contains a virus or does something bad to the data on your computer). Information or data can also be verified as coming from a legitimate source and thus be regarded as genuine. A digital signature is made from a combination of the secret key and the text, and it is verified with the sender's public key. Not only is the identity of the sender checked, the content is checked as well, so you know that the message comes from the sender and has not been changed in transit.
Web of trust
A weak point of public-key algorithms is the distribution of the public keys. An attacker could put a public key with a false user ID into circulation. If messages are encrypted with that key, the attacker can decrypt and read them. If the attacker then re-encrypts the message with the genuine public key and passes it on to the actual recipient, the attack goes unnoticed.
The PGP solution (and therefore automatically the GnuPG solution) is to sign keys. A public key can be signed by other people. Such a signature acknowledges that the key carrying the UID (user identification) actually belongs to the person it claims to belong to. It is then up to the GnuPG user how far to trust that signature. You can consider a key trustworthy when you trust the person who sent it and you know for sure that the key really belongs to that person. Only when you can trust the signer's key can you trust the signature. To be absolutely certain that a key is correct, compare its fingerprint over a reliable channel before giving it absolute trust.
Commands
gpg help options
To find out what options are available, type the following:

    gpg --help
Creating keys
When you create a key with gpg it creates two keys: a public key and a secret (private) key. The secret key is protected by a passphrase, and generating the pair needs entropy.
During this process you are asked to select the type of key; the default is to use DSA and Elgamal. DSA is used for signing: it operates on a hash of the message, and the signature is checked against that hash with the signer's public key. Elgamal is used for encryption and uses the public-key (asymmetric) system.
Keys are located in the user's home directory in /home/user/.gnupg/: the secret key is kept in the file secring.gpg and public keys are kept in the file pubring.gpg.
    Your selection? 1
    DSA keypair will have 1024 bits.
    ELG-E keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0)
    Key does not expire at all
    Is this correct? (y/N) y

    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

    Real name: Fred Derf
    Email address: fred@networking.pdn
    Comment: 4LNX2
    You selected this USER-ID:
        "Fred Derf (4LNX2) <fred@networking.pdn>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    +++++.+++++++++++++++.++++++++++++++++++++...+++++..++++++++++.+++++
    +++++..+++++++++++++++++++++++++++++++++++.++++++++++.+++++.++++++++
    +++++++.+++++.++++++++++>..++++++++++>+++++..>.++++
    +..................................+++++^^^
    gpg: key 078BBFEE marked as ultimately trusted
    public and secret key created and signed.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub   1024D/078BBFEE 2009-04-08
          Key fingerprint = A523 3623 55D8 B530 C852  1504 A499 8E14 078B BFEE
    uid                  Fred Derf (4LNX2) <fred@networking.pdn>
    sub   2048g/4EDE3EF6 2009-04-08

    [fred@mail .gnupg]$
List keys
To list your public keys, type the following command: gpg --list-keys

    [fred@mail .gnupg]$ gpg --list-keys
    /home/fred/.gnupg/pubring.gpg
    -----------------------------
    pub   1024D/078BBFEE 2009-04-08
    uid                  Fred Derf (4LNX2) <fred@networking.pdn>
    sub   2048g/4EDE3EF6 2009-04-08
    [fred@mail .gnupg]$ gpg --list-secret-keys
    /home/fred/.gnupg/secring.gpg
    -----------------------------
    sec   1024D/078BBFEE 2009-04-08
    uid                  Fred Derf (4LNX2) <fred@networking.pdn>
    ssb   2048g/4EDE3EF6 2009-04-08

The fingerprint is used to validate a key you have received from another user. This may be done over the phone or by some other means, as long as you can guarantee that you are communicating with the key's owner. To list your fingerprint, type the following command:

    [fred@mail .gnupg]$ gpg --fingerprint
    /home/fred/.gnupg/pubring.gpg
    -----------------------------
    pub   1024D/078BBFEE 2009-04-08
          Key fingerprint = A523 3623 55D8 B530 C852  1504 A499 8E14 078B BFEE
    uid                  Fred Derf (4LNX2) <fred@networking.pdn>
    sub   2048g/4EDE3EF6 2009-04-08
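As an added example that is not part of the handout, the fingerprint comparison described above written as a small shell check: it normalises a fingerprint read out over the phone, pulls the fingerprint out of gpg's machine-readable listing (the --with-colons option, where field 10 of the "fpr" record holds it), and accepts only a complete 40-hex-digit match. The listing below is a constructed sample built from Fred's key as shown in this handout (the "uid" hash field is a placeholder); nothing here calls gpg, so it runs anywhere. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the handout: compare a fingerprint obtained out of band
# (phone call, in person) with what gpg reports, ignoring spacing and case.

# Constructed sample of "gpg --with-colons --fingerprint fred@networking.pdn" output,
# built from the handout's key. Field 10 of the "fpr" record is the fingerprint;
# the "uid" hash field (XXXX) is a placeholder.
SAMPLE_COLONS='pub:u:1024:17:A4998E14078BBFEE:2009-04-08:::u:::scESC:
fpr:::::::::A523362355D8B530C8521504A4998E14078BBFEE:
uid:u::::2009-04-08::XXXX::Fred Derf (4LNX2) <fred@networking.pdn>:'

normalize_fpr() {  # keep only hex digits and upper-case them
  printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'abcdef' 'ABCDEF'
}

fpr_from_colons() {  # fpr_from_colons "<listing>" -> primary-key fingerprint (first fpr record)
  printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

fpr_matches() {  # fpr_matches expected actual -> exit 0 only on a complete 40-digit match
  _e=$(normalize_fpr "$1"); _a=$(normalize_fpr "$2")
  [ "${#_e}" -eq 40 ] && [ "$_e" = "$_a" ]
}

key_id_from_fpr() {  # the short key ID gpg prints (078BBFEE) is just the last 8 digits
  printf '%s\n' "$(normalize_fpr "$1")" | cut -c33-40
}

# Usage: the value Fred reads out on the phone versus what Greg's key ring reports.
phone="A523 3623 55D8 B530 C852  1504 A499 8E14 078B BFEE"
if fpr_matches "$phone" "$(fpr_from_colons "$SAMPLE_COLONS")"; then
  echo "fingerprint verified; key $(key_id_from_fpr "$phone") may be trusted"
else
  echo "fingerprint MISMATCH; do not trust this key" >&2
fi
```

The check deliberately rejects anything shorter than the full fingerprint: the eight-character key ID that Evolution asks for later in this handout is only the last 32 bits of the fingerprint and is not unique enough to identify a key, so it must never stand in for the fingerprint when deciding whether to trust one.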
Exporting key
You need to export your public key so that other users can add you to their keyring. To export your public key, type the following command:

    gpg --export

Notice that the key is sent to STDOUT and that it is binary. We need to convert it to ASCII so that it can be sent by email or published on a web page. To export your public key in ASCII format to STDOUT, type the following command:

    gpg --export --armor

To export your key as ASCII and save it to a text file, redirect that output to a file; the file freds.key imported in the next section was produced this way.
Importing keys
A public key may be added to your public keyring with the --import option. Type the following commands to import another user's public key and then confirm that it has been added to your public keyring:

    [greg@mail ~]$ gpg --import freds.key
    gpg: key 078BBFEE: public key "Fred Derf (4LNX2) <fred@networking.pdn>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

    [greg@mail ~]$ gpg --list-keys
    /home/greg/.gnupg/pubring.gpg
    -----------------------------
    pub   1024D/F708B71D 2009-04-08
    uid                  Greg Lynch (4LNX2) <greg@networking.pdn>
    sub   2048g/54954A6A 2009-04-08

    pub   1024D/BEDF6EB5 2009-04-08
Validating keys
Once you have confirmed the fingerprint of a user's public key, you will want to validate (trust) that key so that gpg stops printing warnings when you use it. Type the following command to validate a user's public key:

    [greg@mail ~]$ gpg --edit-key fred@networking.pdn
    pub  1024D/078BBFEE  created: 2009-04-08  expires: never       usage: SC
                         trust: unknown       validity: unknown
    sub  2048g/4EDE3EF6  created: 2009-04-08  expires: never       usage: E
    [ unknown] (1). Fred Derf (4LNX2) <fred@networking.pdn>

    Command> trust
    pub  1024D/078BBFEE  created: 2009-04-08  expires: never       usage: SC
                         trust: unknown       validity: unknown
    sub  2048g/4EDE3EF6  created: 2009-04-08  expires: never       usage: E
    [ unknown] (1). Fred Derf (4LNX2) <fred@networking.pdn>

    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)

      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      5 = I trust ultimately
      m = back to the main menu

    Your decision? 5
    Do you really want to set this key to ultimate trust? (y/N) y

    pub  1024D/078BBFEE  created: 2009-04-08  expires: never       usage: SC
                         trust: ultimate      validity: unknown
    sub  2048g/4EDE3EF6  created: 2009-04-08  expires: never       usage: E
    [ unknown] (1). Fred Derf (4LNX2) <fred@networking.pdn>
    Please note that the shown key validity is not necessarily correct
    unless you restart the program.

    Command> quit
    [greg@mail ~]$
Encrypting documents
To encrypt a plain-text file so that only a certain user can decrypt it, type the following commands. First create a text file to encrypt:

    [greg@mail ~]$ cat >> plain.txt
    Welcome to 4LNX2
    I hope you have a good time
    See you after the holidays

Then encrypt it for Fred. When gpg asks for the recipient, enter Fred's user ID and finish with an empty line:

    2048g/4EDE3EF6 2009-04-08 "Fred Derf (4LNX2) <fred@networking.pdn>"

    Enter the user ID.  End with an empty line:

Notice that we now have two files, one plain text and one cipher text:

    [greg@mail ~]$ ls
    freds.key  plain.txt  plain.txt.asc
Email this file to the user fred. Since the file has been encrypted with Fred's public key, he can use his private key to decrypt plain.txt.asc (the ciphertext file) back to plain text. Enter the following commands to decrypt the file (with the --decrypt option the file would instead be decrypted to STDOUT):

    [fred@mail ~]$ ll
    -rw-rw-r-- 1 fred fred 2094 Apr  9 01:26 plain.txt.asc

    [fred@mail ~]$ gpg plain.txt.asc

    You need a passphrase to unlock the secret key for
    user: "Fred Derf (4LNX2) <fred@networking.pdn>"
    2048-bit ELG-E key, ID 4EDE3EF6, created 2009-04-08 (main key ID 078BBFEE)

    gpg: encrypted with 2048-bit ELG-E key, ID 4EDE3EF6, created 2009-04-08
          "Fred Derf (4LNX2) <fred@networking.pdn>"
    [fred@mail ~]$ cat plain.txt
    Welcome to 4LNX2
    I hope you have a good time
    See you after the holidays
    [fred@mail ~]$
Digital Signatures
A digital signature certifies and timestamps a document. If the document is subsequently modified in any way, verification of the signature will fail. A digital signature can serve the same purpose as a hand-written signature, with the additional benefit of being tamper-resistant. The following command encrypts the message and signs it in one step:
    [greg@mail ~]$ ls
    plain.txt
    [greg@mail ~]$ gpg --encrypt --armor --sign plain.txt

    You need a passphrase to unlock the secret key for
    user: "Greg Lynch (4LNX2) <greg@networking.pdn>"
    1024-bit DSA key, ID F708B71D, created 2009-04-08

    You did not specify a user ID. (you may use "-r")

    Current recipients:

    Enter the user ID.  End with an empty line: fred derf

    Current recipients:
    2048g/4EDE3EF6 2009-04-08 "Fred Derf (4LNX2) <fred@networking.pdn>"

    Enter the user ID.  End with an empty line:

    hQIOAzsni5VO3j72EAf+Pd2g7MgapbtLoKNPO5Uo9RM+xpoOppium1LJXIQDmHhf
    z+aqaEUCBImK3N5ke1oQYJKsQDTjeBJIXgCsS/eYAKAQT4L+AJZgwef0/8GxTg0G
    Z4ihUxkMaMlnW/LGWgm520DO7j5a+CR5vsdWMi0Tq8VYBrYw+kW+GfhyIOdDqCCq
    0UMFSMa4noY1rE6X9IPmf8p3tLRmavHA7ppiPEUfWr4NWJUgQntsfUtnFhFKRGs0
    oIJ6Zmo6t8y5ITkDlYl/V0dqD1LA6UsEmbWuPhsaRveMmTRU9iFGgdRCQExeHgZk
    9sxblln1ImxvS5oen2bgCHbGYAVcb04L0PtMNo0iKwf/Rn4i/PaMQgPlm6O+VC50
    DDFxVpQ8gr137XTjvTAj+hZIfRDe4hFhiT2thyofHSIRgmVhseP3SA6JXj1g+uT+
    mVhVLYDFI39fp8sluTfRd1uDQpwLm055+DoUCzaGOi1+yeh5G/1+mlzUmG3b1nRo
    RF+jigD5j1rB10urHxf/zL61x12CmDB73AZstGSNPWAoFq4rjnv7XTDXCdRmqCKp
    089XXAzxAAK3wIil5wPYM9V1Tl6ZLA2BbtBgVYvY0RymE+lEIFelR2zZjCSKk9Gu
    jIgJ0uU/P5pkEdd7bLMae3EIgr/oUbGR+y8B3r0k3H+HwZnTlSQoz0i/BKAzrt4H
    O9LqAbQ4tjcA+whU9HzVqkEDN7nwkxPAj9yM3DQj3jHRBGSXJ8aYQr1YQqU/srKS
    auK5xKNmqtxEW2KeDoDVt9iYroQSSgd6ka2PZlfwcsn21EHq3EdUFKu1DyEYTQ93
    v5BG1FNbCXP3h8Vp7x7CHrp5ZB+28PVUYugUlBn69sRhg/AMx6gfkvveogAQTfLN
    G91MGO5Wiv+hsyZ4sY2wHM/q/ho9d92n31ixBxUjRwL7tK2KNjgOD2EVEgFJCX48
    QT1AKFn1yhxQ05rd6SqAtNBIYNcgYNjC/lzUIjopCAC23eNqgdfvS/9CYgz/aH9F
    f2EmTCA8L8hUv7IxGimdb4L/dPIS6UoNPBrCMkPfEPDLFV801fg2sXwizf28QN8W
    smNCVzeSSZ0qlpTC5ksqtnRNElcJx1DNt4CVbiOd5M5oWq9B/aWhYZ8DHZ9p7XPu
    YRI2dSkyn8/DrlSsz8c8WLkCNficv6aSyz7wTU2EDVSNr9JMvXdMguknhagpK05F
    v4WJm68j3SS2BhVA7ZdLKD8RrFWGMzdHuUJNIK1/RNgkEPy1oHCH1maGouyXchSl
    CA4SQIjQWYKp9fpsUfnrm06WThKz58xD3WH2+512Lh2f10e1ibvqoMgdwO+1KA/N
    HU99jASDSpGzl/iScuPkmcxwySBrMxEJGkWSBr6OAAQBO4LTlRMwr1m7i+NyyGvU
    lgiuZox7EH/iCIC01WpJ2wZXJFUvX6HKSHSd/+XuSBWy1a/T95Fwo/Z53gbD7VsL
    c6p4u7iYR6pUTc2Q4N8zKU8iwI0eq/EcbyFDgxGwyo1sax7iAB8QwCd9G60klMO2
    QwQO922w9vtZiMNV8AuEDgq6gbE0Zb9VdaUMia3mYRCZq63RKgu1uNHjD1tvJXl3
    f3QjDqe0cllma/Z1joCPELR5ET7JXfzXhjEA0eru44UKv+1UgoEIdvPxYLveaCGJ
    9CcepxT/DTzMtejgd2IhVC6l13J8x1jOubcuvdQ9fvhZ22niCisfVpgVkdBs/ylC
    M7vwozhEMT8IJ15nMvFl92XOCUnz3JCZtOE+KQv3T/Xo5LJgEFWj0givg56+Tt+6
    EWu86yyjTlBS9aAR4tyLKzrQrKFFSNBVzWTumHcNLTFp8QCyJ2rg3TOA0v8zeyWE
    i791yXp/zF78lk35aHBcQ3QNZeHA2Wo0vWXIclWv1FmcLMpY13KN8UPhiAcvz24Y
    s1JhofxgA8AZ2pFtK2icrDeuJAhYXpYhe67Ky2JH6Ra2uZl1K2YjDGZ8RM/k2foe
    +IaVyQ3TByMh2cJwU3kaVU3FQeDrzPxvYYDY34HXxQtQlMzskZPfTqL8rhY2xaaw
    3+IHx+v3XVN1tAh/37+XPv4Tsic/VeCq5LQP8DiL20vMrbY5vUV3mwa81F2s5cvc
    UiRZDG3QJRGQDRY=
    =jPS8
    -----END PGP MESSAGE-----
    [greg@mail ~]$
Evolution
To get Evolution to automatically sign your emails every time you send one, do the following. First obtain your key ID by typing: gpg --list-keys

Then start Evolution:
1. Click Edit > Preferences, then click Mail Accounts
2. Select the account you want to use securely, then click Edit
3. Click the Security tab
4. Enter your key ID in the PGP/GPG Key ID field (the eight-character string)
5. Click OK
6. Click Close

Send an email to someone.
Class Activity
1. On your computer, create the user account provided by your lecturer (this account should match the user account created on the MTA (mail server)):
       useradd greg
       passwd greg
3. Change your network to P and restart your network interfaces:
       service network restart
       ifconfig          (confirm that you have an IP address on the 10.70.0. network)
4. Log out of root
5. Log in as the user you created in step 1
6. Open a terminal and make gpg keys for your user (use the email account from the mail server: <user>@networking.pdn)
7. Export your public key as a text file
8. Configure Evolution to connect to the mail server email account <user>@networking.pdn:
       Receiving email:  Server type: POP;  Server: mail.networking.pdn
       Sending email:    Server type: SMTP; Server: mail.networking.pdn; uncheck "Server requires authentication"
       Finish
9. Send an email to yourself to test sending and receiving email.
10. Send an email to the lecturer with your public key, also asking them for their public key.
11. Import the lecturer's public key and trust it.
12. Encrypt a text file for the lecturer, then email the cipher text to the lecturer's email account asking for confirmation that he was able to decrypt the message.
13. Configure Evolution to sign all outgoing email messages.
14. Do steps 10 - 12 above with a user next to you.
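As an added example rather than part of the handout, here is the whole exchange that the Commands section walks through interactively, and that steps 6, 7 and 10 to 13 of the class activity ask you to perform, scripted with GnuPG's unattended interface: key generation, ASCII-armored export and import, the fingerprint check, trust assignment, encrypt-and-sign on Greg's side, decrypt-and-verify on Fred's side, and a demonstration that a signed file fails verification once it is altered. It assumes gpg 2.1 or later on the PATH. The user names, addresses and message text are the handout's; the temporary key rings and the helper names (g, gen_key, fpr_of, verify_fpr, trust_ultimately, decrypt_and_verify, tamper_detected) are this example's own, and RSA keys stand in for the handout's DSA/Elgamal pair.

```shell
#!/bin/sh
# Added example, not from the handout: the Greg/Fred exchange scripted end to end with
# GnuPG's batch interface. Assumes gpg 2.1 or later; keys are generated fresh in
# throwaway key rings under a temporary directory, so ~/.gnupg is never touched.
# RSA replaces the handout's DSA/Elgamal because it is today's default and quick.
set -eu

gpg_ok() {  # 0 only when gpg 2.1+ is on PATH (older releases lack %no-protection)
  command -v gpg >/dev/null 2>&1 || return 1
  _v=$(gpg --version 2>/dev/null | awk 'NR == 1 { print $3 }')
  _maj=${_v%%.*}; _rest=${_v#*.}; _min=${_rest%%.*}
  [ "${_maj:-0}" -gt 2 ] || { [ "${_maj:-0}" -eq 2 ] && [ "${_min:-0}" -ge 1 ]; }
}

WORK=$(mktemp -d)
GREG="$WORK/greg"; FRED="$WORK/fred"          # one GNUPGHOME per user
mkdir -p "$GREG" "$FRED"; chmod 700 "$GREG" "$FRED"

# Run gpg against one user's key ring; --batch/--yes remove every interactive prompt.
g() { _home=$1; shift; gpg --homedir "$_home" --batch --yes --quiet --no-tty "$@"; }

# gen_key HOME "Real Name" email : the "Creating keys" walk-through, unattended
gen_key() {
  g "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# fpr_of HOME email : primary-key fingerprint from the machine-readable listing
fpr_of() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# verify_fpr HOME email expected : the phone check; fails unless the imported key's
# fingerprint equals the one obtained out of band
verify_fpr() { [ "$(fpr_of "$1" "$2")" = "$3" ]; }

# trust_ultimately HOME fpr : unattended equivalent of "Command> trust" answered with 5
trust_ultimately() { printf '%s:6:\n' "$2" | g "$1" --import-ownertrust; g "$1" --check-trustdb; }

# decrypt_and_verify HOME in out : decrypt to "out" and require a GOODSIG status line
decrypt_and_verify() {
  _st=$(g "$1" --status-fd 1 --output "$3" --decrypt "$2") || return 1
  printf '%s\n' "$_st" | grep -q '^\[GNUPG:\] GOODSIG '
}

# tamper_detected HOME signedfile : 0 when gpg refuses the signature
tamper_detected() { if g "$1" --verify "$2" 2>/dev/null; then return 1; else return 0; fi; }

demo() {
  gen_key "$FRED" "Fred Derf" fred@networking.pdn
  gen_key "$GREG" "Greg Lynch" greg@networking.pdn
  FRED_FPR=$(fpr_of "$FRED" fred@networking.pdn)     # what Fred reads out on the phone
  GREG_FPR=$(fpr_of "$GREG" greg@networking.pdn)

  # Exporting / importing keys (ASCII-armored, as the handout does for e-mail)
  g "$FRED" --armor --export fred@networking.pdn > "$WORK/freds.key"
  g "$GREG" --armor --export greg@networking.pdn > "$WORK/gregs.key"
  g "$GREG" --import "$WORK/freds.key"
  g "$FRED" --import "$WORK/gregs.key"

  # Validating keys: trust is assigned only after the fingerprint check passes
  verify_fpr "$GREG" fred@networking.pdn "$FRED_FPR"; trust_ultimately "$GREG" "$FRED_FPR"
  verify_fpr "$FRED" greg@networking.pdn "$GREG_FPR"; trust_ultimately "$FRED" "$GREG_FPR"

  # Encrypting + signing on Greg's side (message text taken from the handout)
  printf 'Welcome to 4LNX2\nI hope you have a good time\nSee you after the holidays\n' > "$WORK/plain.txt"
  g "$GREG" --armor --sign --encrypt --recipient fred@networking.pdn \
    --output "$WORK/plain.txt.asc" "$WORK/plain.txt"

  # Decrypting + verifying on Fred's side
  decrypt_and_verify "$FRED" "$WORK/plain.txt.asc" "$WORK/recovered.txt"

  # Tamper resistance: a clear-signed copy with one word changed no longer verifies
  g "$GREG" --clearsign --output "$WORK/signed.txt" "$WORK/plain.txt"
  sed 's/good time/bad time/' "$WORK/signed.txt" > "$WORK/tampered.txt"
  g "$FRED" --verify "$WORK/signed.txt" 2>/dev/null
  tamper_detected "$FRED" "$WORK/tampered.txt"
  echo "exchange complete; recovered text in $WORK/recovered.txt"
}

if gpg_ok; then demo; else echo "gpg 2.1+ not found; nothing run"; fi
```

Two points are worth noting. The fingerprint check runs before any trust is assigned, which is the order the Validating keys section relies on; in the script the "phone call" is simulated by reading the fingerprint straight from the owner's own key ring. Ultimate ownertrust (value 6 in the --import-ownertrust format) mirrors the handout's choice of 5 in the trust menu; GnuPG intends that level for your own keys, so for a classmate's key a local signature with gpg --lsign-key plus full or marginal ownertrust is the usual choice. Run it with sh; the two key generations take a few seconds, and the work directory printed at the end is left in place for inspection.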