[ISN] File and email encryption with GnuPG (PGP) part four

From: InfoSec News (isn@private)
Date: Thu Mar 11 2004 - 22:56:33 PST


    +------------------------------------------------------------------+
    |  Linux Security: Tips, Tricks, and Hackery                       |
    |  Published by Onsight, Inc.                                      |
    |                                                                  |
    |  11-March-2004                                                   |
    |  http://www.hackinglinuxexposed.com/articles/20040311.html       |
    +------------------------------------------------------------------+
    
    --------------------------------------------------------------------
    
    File and email encryption with GnuPG (PGP) part four
    By Brian Hatch
    
    Summary: Importing and Exporting public keys.
                                   ------
    
    GnuPG and other PGP implementations allow you to encrypt (scramble
    the data so only intended recipients can read it) and/or sign
    (provide proof that the data has been unaltered in transit). As you
    should remember, PGP keys are made up of two parts, a public key and
    a private key. The public key can (and in most cases should) be
    available to anyone - there's no harm in allowing it out to the
    entire world. The private key should be kept somewhere secure,
    protected with a strong passphrase.
    
    So, in order to communicate with other parties, we'll need to be able
    to get a copy of their public key. When encrypting a file, you
    encrypt it to their public key. When verifying an electronic
    signature, you verify it by decrypting the PGP signature with their
    public key.[1] Without their public key, you can't encrypt or verify;
    it's as simple as that.
    
    In order to be sure you're talking with the correct party, you need
    to do two things: first, get a copy of their public key, and second,
    verify the key. This week we'll cover the former.
    
    The easiest way to get a key is if they've put it up on a PGP key
    server. For example, if you know their keyid is D5D3BDA6, you can
    retrieve it as follows:
    
      $ gpg --recv-key D5D3BDA6
      gpg: key D5D3BDA6: public key "John Doe ... <jdoe@private>" imported
      gpg: Total number processed: 1
      gpg:               imported: 1  (DSA: 1)
    
    In order for --recv-key to work, you need a line like the following
    in your ~/.gnupg/gpg.conf or ~/.gnupg/options file:
    
       # Use the US PGP keyserver
       keyserver wwwkeys.us.pgp.net
    
    Most PGP keyservers synchronise with each other, so pick one close to
    you.
    
    To put your key on a keyserver, use --send-key:
    
      $ gpg --send-key mykeyid
      gpg: success sending to `wwwkeys.us.pgp.net' (status=200)
    
    If you've received a signed file or email from someone, then you
    already have access to their keyid. For example, Mutt[2] can be
    configured to attempt to verify the signatures on every email by
    default. If you don't have the other party's public key installed,
    it'll tell you it can't verify the signature, but will let you know
    the ID of the key that was used:
    
      [-- PGP output follows (current time: Wed Feb 25 07:06:06 2004) --]
      gpg: Signature made Wed Feb 25 04:30:51 2004 PDT using DSA key ID D5D3BDA6
      gpg: Can't check signature: public key not found
    
      [-- End of PGP output --]
    
    In the above output, you can glean that the user's keyid is D5D3BDA6.
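
    The same gleaning can be scripted. The following is an added example,
    not part of the original newsletter: it pairs each "Signature made"
    line with the "public key not found" line that follows it and accepts
    only well-formed hex key IDs. The sample output, the second key ID and
    the function names are constructed for illustration.

```python
import re

# Constructed sample in the format shown above: one signature whose key is
# missing, one that verified, and a repeat of the missing key.
SAMPLE_OUTPUT = """\
gpg: Signature made Wed Feb 25 04:30:51 2004 PDT using DSA key ID D5D3BDA6
gpg: Can't check signature: public key not found
gpg: Signature made Wed Feb 25 05:12:09 2004 PDT using DSA key ID 0123ABCD
gpg: Good signature from "Constructed User <user@example.org>"
gpg: Signature made Wed Feb 25 06:40:00 2004 PDT using DSA key ID D5D3BDA6
gpg: Can't check signature: public key not found
"""

SIG_LINE = re.compile(r"^gpg: Signature made .* key ID ([0-9A-Fa-f]+)\s*$")
MISSING = "gpg: Can't check signature: public key not found"

def missing_key_ids(output: str) -> list[str]:
    """Key IDs of signatures gpg could not check because the key is absent."""
    found, pending = [], None
    for line in output.splitlines():
        line = line.strip()
        match = SIG_LINE.match(line)
        if match:
            pending = match.group(1).upper()
        elif line == MISSING and pending:
            # Accept only short (8), long (16) or fingerprint (40) hex IDs.
            if len(pending) in (8, 16, 40) and pending not in found:
                found.append(pending)
            pending = None
        elif line.startswith("gpg: Good signature"):
            pending = None
    return found

def recv_commands(key_ids: list[str]) -> list[list[str]]:
    """argv lists for `gpg --recv-key`, for subprocess.run without a shell."""
    return [["gpg", "--recv-key", key_id] for key_id in key_ids]

if __name__ == "__main__":
    for argv in recv_commands(missing_key_ids(SAMPLE_OUTPUT)):
        print(" ".join(argv))
```

    Passing the ID as a separate argv element, after the hex check, keeps
    text taken from a mail message away from shell parsing.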
    
    Alternatively, you can get the public key in a file. Perhaps the
    other party sent it to you in email, or maybe they have it available
    on their website. In this case, you need to import the key using
    --import:
    
      $ gpg --import /path/to/john_pgp_public_key.asc
      gpg: key D5D3BDA6: public key "John Doe ... <jdoe@private>" imported
      gpg: Total number processed: 1
      gpg:               imported: 1  (DSA: 1)
    
    If you want to extract an ascii-armoured copy of your key to be able
    to email to people, put on your website, etc., then use --export:
    
      $ gpg -a --export mykeyid > my_pgp_public_key.asc
      $ more my_pgp_public_key.asc
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      Version: GnuPG v1.2.1 (GNU/Linux)
      ...
      -----END PGP PUBLIC KEY BLOCK-----
    
    An ascii-armoured version is preferred to the binary version, because
    it won't get goofed up in 7-bit protocols like email, or have trouble
    with CR/LF translations in FTP.
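
    To see why, here is an added example (not from the original
    newsletter, and not GnuPG's own code) that builds and parses the armor
    layout defined in RFC 4880: base64 lines followed by a CRC-24 checksum
    line. SAMPLE is constructed stand-in data rather than a real key, and
    the function names are illustrative.

```python
import base64

# Constructed stand-in for binary key data (not a real key); includes CR and LF bytes.
SAMPLE = bytes(range(256))

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap binary data in armor: base64 body plus an '=' checksum line."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {kind}-----", "Version: constructed example",
                      "", *body, check, f"-----END {kind}-----"]) + "\n"

def dearmor(text: str) -> bytes:
    """Recover the binary data, raising ValueError if the block is damaged."""
    lines = [line.strip() for line in text.splitlines()]  # LF and CRLF alike
    try:
        begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN "))
        end = next(i for i, l in enumerate(lines) if l.startswith("-----END "))
        blank = lines.index("", begin)  # armor headers end at the first blank line
    except (StopIteration, ValueError):
        raise ValueError("not an armored block") from None
    body = lines[blank + 1:end]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing checksum line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch")
    return data

def text_mode(raw: bytes) -> bytes:  # ASCII-mode transfer: LF becomes CRLF
    return raw.replace(b"\n", b"\r\n")

def armored_survives() -> bool:
    return dearmor(text_mode(armor(SAMPLE).encode("ascii")).decode("ascii")) == SAMPLE

if __name__ == "__main__":
    print("binary intact:", text_mode(SAMPLE) == SAMPLE, "| armored intact:", armored_survives())
```

    The raw bytes change under LF-to-CRLF translation, while the armored
    text decodes to the same data, and the checksum line flags a damaged
    body.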
    
    Once you've imported the key, you should be able to see that it's
    there using -kv:
    
      # Show key D5D3BDA6
      $ gpg -kv D5D3BDA6
      pub  1024D/D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <jdoe@private>
      sub  1024g/26F8D783 2003-12-14
    
      # Show the key, and all the signatures too
      $ gpg -kvv D5D3BDA6
      pub  1024D/D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <jdoe@private>
      sig 3       D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <jdoe@private>
      sub  1024g/26F8D783 2003-12-14
      sig         D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <jdoe@private>
    
    So, we've learned how to exchange keys with other people. Next time
    we'll discuss a crucial component - verifying the keys.
    
    NOTES:
    
    [1] Sorry for the hand-waving, but I'm trying to avoid hurting
    people's brains with the math. This is the "trust me, for more details
    go read the PGP documentation" explanation.
    
    [2] The greatest mail program in the world.
    
                                -------------
    Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
    Linux Exposed and Building Linux VPNs. How can one be up from 5:30 am
    to 2:30am and still not have time to send out a newsletter that he
    wrote a week ago? I know the answer - twins! Brian can be reached at
    brian@private
    
    --------------------------------------------------------------------
    
    Copyright 2004, Brian Hatch.
    
    
    