Table of Contents | Previous Next |
19.6 A quick tour of GnuPG19.6.1 Installation of GnuPGGnuPG is a free software package available to everyone on the Internet. It is a standard implementation of the IETF standard RFC 2440 on public-key and hybrid cryptography. GnuPG is a complicated program offering a large number of command-line arguments. The main program is called gpg. This program contains more than 30 commands and more than 30 options. We will cover some of the most popular uses of the program from a practical point of view. Examples related to GnuPG will have the file extension .gpg in this chapter. First, you can download the software package from the official site www.gnupg.org. GnuPG has a number of versions dedicated to different platforms and operating systems. If you want to start from scratch, you may download the following source code version and compile the software yourself:
In particular, if you are using UNIX/LINUX systems, you are encouraged to compile and install the software yourself. The xxxx represents the version number of the package. At the time of writing, the latest version (that we used here) is gnupg-1.0.6.tar.gz. The compilation and installation of the software for a typical Red Hat LINUX system are summarized as the following steps:
If you want to build the software to use on Microsoft Windows systems, the details are in the readme.w32 file. It is strongly recommended that you double check whether you have unmodified software before you install it on your system. One simple way to check the integrity of the software is to use the MD5 string. According to the official GnuPG site, the MD5 string of the file gnupg-1.0.6.tar.gz is md5(gnupg-1.0.6.tar.gz)=7c319a9e5e70ad9bc3bf0d7b5008a508 You can use the MD5 utility in section 19.4.1 to verify the integrity of the software. If you don't want to start GnuPG from the source code, you can download the binary version for your machine. For Microsoft Windows systems, the binary version and MD5 string are gnupg-w321.0.6.zip md5(gnupg-w321.0.6.zip)=1dbf36a54b20026562e22a76d3ae06aa To install this binary version for Microsoft Windows is simple. All you need is to unzip the package and store everything in the directory c:\gnupg. To install GnuPG into another directory, you may need to add a string to the Windows Registry. In this case, you may want to read the readme.w32 file for more details. When you have successfully installed the software on your system, you can start to use it for data security and protection. 19.6.2 Generating and deleting public/private-key pairsIn order to use GnuPG effectively, you are advised to consult the handbook, manual, guide, and/or documentataion related to the software. The following is a quick discussion with demonstration examples on how to use GnuPG on data security. For our practical purposes, information and examples on key generation, deletion, encryption, and decryption are provided. The first thing in using public-key security software such as GnuPG is to generate some keys. For security reasons, it is recommended that you should
When you are ready, you can generate the public/private keys by opening a shell window (or DOS window) and issuing the command gpg -gen-key When you use this command, you will be asked a number of questions one by one so that the key pair (public/secret keys) can be generated successfully. For most questions, you can press the Enter key to accept the default. The questions and the information that GnuPG requires are as follows:
At this point, you will be offered a chance to change the information before the key pair is generated. If you enter OK, the key pair will be generated. Since key pair generating is an important process, we will walk through the process together in the next example. A computer dialog is generated and shown in ex19-09.gpg. In the example, the user input corresponding to the questions is illustrated in a bold face. Example: ex19-09.gpg - Generating Public/Secret - Key Pair Dialog 1: shell> gpg -gen-key 2: gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc. 3: This program comes with ABSOLUTELY NO WARRANTY. 4: This is free software, and you are welcome to redistribute it 5: under certain conditions. See the file COPYING for details. 6: 7: Please select what kind of key you want: 8: (1) DSA and ElGamal (default) 9: (2) DSA (sign only) 10: (4) ElGamal (sign and encrypt) 11: Your selection? (Just Press Enter Key Here) 12: 13: DSA keypair will have 1024 bits. 14: About to generate a new ELG-E keypair. 15: minimum keysize is 768 bits 16: default keysize is 1024 bits 17: highest suggested keysize is 2048 bits 18: What keysize do you want? (1024) (Just Press Enter Key Here) 19: 20: Requested keysize is 1024 bits 21: Please specify how long the key should be valid. 22: 0 = key does not expire 23: <n> = key expires in n days 24: <n>w = key expires in n weeks 25: <n>m = key expires in n months 26: <n>y = key expires in n years 27: Key is valid for? (0) (Just Press Enter Key Here) 28: 29: Key does not expire at all 30: 31: Is this correct (y/n)? y 32: 33: You need a User-ID to identify your key; the software constructs the user id 34: from Real Name, Comment and Email Address in this form: 35: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" 36: 37: Real name: johnsmith 38: 39: Email address: johnsmith@pwt-ex.com 40: 41: Comment: gnupg 42: 43: You selected this USER-ID: 44: "johnsmith (gnupg) <johnsmith@pwt-ex.com>" 45: 46: Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O 47: 48: You need a Passphrase to protect your secret key. 49: 50: Enter passphrase: have a nice day (You cannot see this string) 51: Repeat passphrase: have a nice day (You cannot see this string) 52: 53: We need to generate a lot of random bytes. It is a good idea to perform 54: some other action (type on the keyboard, move the mouse, utilize the 55: disks) during the prime generation; this gives the random number 56: generator a better chance to gain enough entropy. 57: ++++++++++++++++++++.+++++.+++++.++++++++++..+++++..++++ 58: ++++++..++++++++++++++++++++.+++++++++++++++++++++++++.++ 59: ++++++++++++++++++++++++++++>+++++..+++++.>.+++++.. 60: +++.....>+++++.......................................+++++ 61: Not enough random bytes available. Please do some other work to give 62: the OS a chance to collect more entropy! (Need 245 more bytes) 63: We need to generate a lot of random bytes. It is a good idea to perform 64: some other action (type on the keyboard, move the mouse, utilize the 65: disks) during the prime generation; this gives the random number 66: generator a better chance to gain enough entropy. 67: +++++.++++++++++.+++++.+++++++++++++++.++++++++ 68: +++++++++++++++++.++++++++++++++++++++++++++++++....+++ 69: ++.++++++++++++++++++++++++++++++..+++++>+++++................ 70: ..............+++++^^^ 71: 72: public and secret key created and signed. In this example, suppose you want to generate the keys using the name johnsmith (line 37) and email address johnsmith@pwt-ex.com (line 39). A public and a secret key for johnsmith@pwt-ex.com (email address) are generated. In fact, GnuPG has two key rings: one is called the public-key ring containing all public keys in the system; the other is called the secret-key ring. Key rings are used to maintain and/or perform administration on keys. For example, if you want to delete the key pair of johnsmith, you need to delete the secret key from the secret-key ring first and then delete the public key from the public-key ring. The commands to delete the key pair are gpg --delete-secret-key johnsmith@pwt-ex.com gpg --delete-key johnsmith@pwt-ex.com The email address is often used to identify the user in GnuPG. A processing dialog is shown in the following example listing: Example: ex19-10.gpg - Deleting Secret And Public Keys 1: shell> gpg --delete-secret-key johnsmith@pwt-ex.com 2: gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc. 3: This program comes with ABSOLUTELY NO WARRANTY. 4: This is free software, and you are welcome to redistribute it 5: under certain conditions. See the file COPYING for details. 6: 7: sec 1024D/40158CCA 20020121 johnsmith (gnupg) <johnsmith@pwt-ex.com> 8: 9: Delete this key from the keyring? y 10: This is a secret key! - really delete? y 11: 12: shell> gpg --delete-key johnsmith@pwt-ex.com 13: gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc. 14: This program comes with ABSOLUTELY NO WARRANTY. 15: This is free software, and you are welcome to redistribute it 16: under certain conditions. See the file COPYING for details. 17: 18: pub 1024D/40158CCA 20020121 johnsmith (gnupg) <johnsmith@pwt-ex.com> 19: 20: Delete this key from the keyring? y 21: shell> To help safeguard the private keys, the software saves the private key in an encrypted format protected by a symmetric (or conventional) encryption. The key for this symmetric encryption is the passphrase that you supply (see lines 5051 of ex19-09.gpg). You will need this passphrase every time you want to use your private key. In order for someone to be able to use the public key, you need to export and send your public key to him or her. 19.6.3 Exporting and importing public keysSuppose you (johnsmith) have a business partner called Mary Anderson. You can export your public key with the command: gpg -armor -output johnsmith_key -export johnsmith@pwt-ex.com where the command arguments have the following meanings:
This command has no returned message on the screen. In this case, the public key of johnsmith is output to the file johnsmith_key in ASCII code. The 1,024-bit public key is shown in example ex19-11.gpg. Example: ex19-11.gpg - The Public-Key Of johnsmith (file: johnsmith_key) 1: -----BEGIN PGP PUBLIC KEY BLOCK----- 2: Version: GnuPG v1.0.6 (MingW32) 3: Comment: For info see http://www.gnupg.org 4: 5: mQGiBDxM9lwRBADzsn+FPdjXVc91L3+6UkZRVlyW58tmRvueQMGwPjXOEM5JwgBd 6: Nw6sRM+cNYhQQBgL0jgvAr9/2lmekt4PO85c7AkdI2kNnHnOYNiBs5fk30B5V67m 7: RKPQkd5XsTf1RqlSAxsbj4S9GSfk/lxQQZ8vFHxi6P/0yEZV7R3rUbZLnwCg7wH8 8: /Bf4cUVtFYXuaBf/PWsDdgkEAMffDDQ97zFzduefkAli7awpIaYHt4l2MaRQI/w/ 9: 1PgCs5enfXzaMF4GLnWX1qOfuP2uBqZdNH21IMLV7kvDYwfgsLsKuDoLTvS0CXpq 10: Ul+lrmFlqS6N2TQxn1panptDtBfzuI/oj7IyWXTL0YBomvZgXb30wPcdcnZWDDyt 11: Ffm6A/4//wHsF2G6ofYRXuVOO+nENeCgjXqvTBRdxtxK+0drSCRK44gvwFJljjjx 12: KCAd/WbjTiJMNuvECGwydRbqYg43wy69x9o863Q8D8XTVTsDMvSs9phbieiujamV 13: n4THaFd/VBYx6lfDBOI13ycKF3eOQmgm31DhbqMlgUfXnGgDcrQlam9obnNtaXRo 14: IChnbnVwZykgPGpvaG5zbWl0aEBpc3AuY29tPohXBBMRAgAXBQI8TPZcBQsHCgME 15: AxUDAgMWAgECF4AACgkQhZgOLDGFvG8jsQCgyXipE6ptHzxlBIqsVaqP1FGtjsoA 16: n2UVNBmkZlKLgN7yIcMmq4GyJpS0uQENBDxM9l8QBAD9HrpogezBIeBZDdVxAHcd 17: Q5QBcvEaz/HivzYtrnV1g/LNAVVzSZcm8ZisZRKM2r6vHlp+mWQK+8h64in664k+ 18: MPhEEqYgbelmR0BxKxtpQkbSksgAD39ABZoNMgc+W66lu7vkMwoDCxu6U89HWwPC 19: +Ofgr3jV3Z1hfmzoTbA2xwADBQP/feWgpn4WZ02Ywf6BRBv0EDZwOmHmF4R5Lhnd 20: aOkdtYlGgmrdR9AC5ZN6MaUwBHLLfkw4sC4l3Ygb72tfn+NlKdS38j3I36pFCu0I 21: bVMjF1HGCF3x5BOi8jYJcpZAcryYD4oiG3K+2Iehat4o3JscPtl5LIUn3rkOUzAl 22: kFWnJVGIRgQYEQIABgUCPEz2XwAKCRCFmA4sMYW8bx9TAKCuk+UeV7tGhNSF/8as 23: QZ+4rECOUQCg3/I0PTR16r4kVS1NgUhRmkYzyMo= 24: =dOU0 25: -----END PGP PUBLIC KEY BLOCK----- You can then send the public-key file johnsmith_key to Mary by email so that she can send you encrypted messages. Similarly, Mary can email her public key to you. Suppose Mary's public-key file is called mary_key. You can import Mary's public key into your key ring by gpg --import mary_key A process dialog is shown in example ex19-12.gpg.
Example: ex19-12.gpg - Importing A Public Key
1: shell> gpg --import mary_key
2: gpg: key 94E6A35F: public key imported
3: gpg: Total number processed: 1
4: gpg: imported: 1
You can see all your public keys in your key ring by gpg list-keys As an example, all public keys of johnsmith are shown in ex19-13.gpg.
Example: ex19-13.gpg - List All Public Keys
1: shell> gpg --list-keys
2: /gnupg/pubring.gpg
3: ------------------
4: pub 1024D/3185BC6F 20030122 johnsmith (gnupg) <johnsmith@pwt-ex.com>
5: sub 1024g/BA36A672 20030122
6:
7: pub 1024D/94E6A35F 20030119 mary <mary@pwt-ex.com>
8: sub 1024g/29E0ACFD 20030119
All newly imported keys should be validated before use. This process can be done by extracting the fingerprint of the public key. For example, you can extract the fingerprint of Mary's public key and telephone her to verify the key. To extract the fingerprint, you can use the following edit-key command: gpg -edit-key mary@pwt-ex.com This command will show the public key of mary@pwt-ex.com and display a command prompt command> waiting for further input. If you put the subcommand frp, the program will display a fingerprint of Mary's key. The fingerprint of Mary's public key is a numeric string in hexadecimal values similar to a message digest string (see line 14 of ex19-14.gpg). In fact, sometimes the MD string is called the fingerprint. This fingerprint can be verified with Mary for consistency by telephone or other means. After the verification process, you can validate the key by signing it with the subcommand sign. A processing dialog is shown in ex19-14.gpg below: Example: ex19-14.gpg - Validate And Signing An Imported Key 1: shell>gpg --edit-key mary@pwt-ex.com 2: gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc. 3: This program comes with ABSOLUTELY NO WARRANTY. 4: This is free software, and you are welcome to redistribute it 5: under certain conditions. See the file COPYING for details. 6: 7: 8: pub 1024D/94E6A35F created: 20020119 expires: never trust: -/q 9: sub 1024g/29E0ACFD created: 20020119 expires: never 10: (1). mary <mary@pwt-ex.com> 11: 12: Command> fpr 13: pub 1024D/94E6A35F 20020119 mary <mary@pwt-ex.com> 14: Fingerprint: BD6E 8F98 0423 B31F B4F6 3E7A 75B8 A3A9 94E6 A35F 15: 16: Command> sign 17: 18: pub 1024D/94E6A35F created: 20020119 expires: never trust: -/q 19: Fingerprint: BD6E 8F98 0423 B31F B4F6 3E7A 75B8 A3A9 94E6 A35F 20: 21: mary <mary@pwt-ex.com> 22: 23: Are you really sure that you want to sign this key 24: with your key: "johnsmith (gnupg) <johnsmith@pwt-ex.com>" 25: 26: Really sign? y 27: 28: You need a passphrase to unlock the secret key for 29: user: "johnsmith (gnupg) <johnsmith@pwt-ex.com>" 30: 1024-bit DSA key, ID 3185BC6F, created 20020122 31: 32: Enter passphrase: have a nice day 33: Command> quit 34: Save Changes? y 35: shell> Now we have everything ready for some encryption and decryption actions using GnuPG. 19.6.4 Encryption and decryption using GnuPGCompared to other activities, encryption and decryption are relatively easy. For example, you (or johnsmith) can use GnuPG to encrypt and send the following important message to Mary: Listing: ex19-10.txt - Sample Important File: mymesg.txt 1: Dear Mary 2: 3: The company board would like to invite 4: you to take part in the take over 5: meeting at 2:pm this Friday. 6: 7: Regards 8: 9: John Smith To encrypt this text file with Mary's public key, all you have to do is to activate the command shell>gpg --output mymesg.gpg --armor --encrypt --recipient mary@pwt-ex.com mymesg.txt This command will encrypt the file mymesg.txt using the public key of mary@pwt-ex.com and produce an ASCII output file called mymesg.gpg. This encrypted file is similar to the listing below: Example: ex19-15.gpg - The Encrypted Message File: mymesg.gpg 1: -----BEGIN PGP MESSAGE----- 2: Version: GnuPG v1.0.6 (MingW32) 3: Comment: For info see http://www.gnupg.org 4: 5: hQEOA6/tk02bPMnrEAP/UG512Mzu+e0HTkbi8JNroH8pkj3gBiXZR4PapT5e2zr9 6: x5+9FpSWgxrq4ojeOiML1dI74r9QdwB1tAig10uqC81tm9fWgNxsJ77cmfMUExgm 7: CtmxG7GESUZ3KprbSWMSzObClmSIlVkJOz9Kkz8eqBTVO3UgFsrXpYqyEFNyNEME 8: AJy5LnMCeWHPvKUrqT+09d52Vmonuj5kTyLkbH+3OwHCmqP/GZOeDOTtI7rC0kRy 9: NJxgoeqnkgDRCPB+FppJBrgUJ4TQKEKeMvAIPqdCxTpHkNiXQQUeXwWY65XRE/f2 10: VfnoGEwxE1xEDWsqGaSfuKqglfqj3KsNBz4bODEYLLdY0rkB1Yh3TWOzFp3IZaAO 11: Ub9J4zvRH8qU0yjU7nEqj/b5jyEwoeFxWHWxOXlVLRGkUQ9v/F+D0GlbCxpen37w 12: hJNFcNquA2HynPk1JOHlZFclxQVm4KsW8ciYcbIE1A6LOxyrBSxnUvi5q0TisNTm 13: BmCAuq5cUTrCdJuUSPW11YQOrt9exyoc2lxJehBsVDz8qZQFVXCYQuy3oKtWcGit 14: CA/7DGcnNXAT4Opu2v6xT7bnDBYUAMCyBjyelA== 15: =a15z 16: -----END PGP MESSAGE----- 17: You can then email this file as an attachment to Mary and only Mary or the owner of Mary's private key can decrypt it. When Mary receives the file, she can decrypt it using her private key as: shell> gpg -output message -decrypt mymesg.gpg In this case, the encrypted file mymesg.gpg is going to be decrypted by Mary's private key and the result output to a file called message. Since private keys in GnuPG are protected by passphrases, Mary may need to provide her passphrase to complete the decryption. A typical processing dialog is shown below: Example: ex19-16.gpg - Decryption Using GnuPG 1: shell>gpg --output message --decrypt mymesg.gpg 2: 3: You need a passphrase to unlock the secret key for 4: user: "mary Anderson (business partner) <mary@pwt-ex.com>" 5: 1024-bit ELG-E key, ID 9B3CC9EB,created 20020122 (main key ID 1D5BBD53) 6: 7: Enter passphrase: have a nice day 8: 9: gpg: encrypted with 1024-bit ELG-E key, ID 9B3CC9EB, created 20020122 10: "mary Anderson (business partner) <mary@pwt-ex.com>" 11: 12: shell> In addition to public-key cryptography, GnuPG can also offer symmetric encryption/decryption as well. For example, you can activate symmetric encryption on GnuPG by gpg output en_mesg.gpg armor symmetric mymesg.txt This command uses a symmetric method to encrypt the message file mymesg.txt and produce the encrypted result in en_mesg.gpg. Since you are using a symmetric method, GnuPG in this case would ask you to input a key (i.e., passphrase) for encryption. You also need the same key for decryption, when you activate the decryption command gpg output message --decrypt en_mesg.gpg A typical processing dialog is shown in ex19-17.gpg below: Example: ex19-17.gpg - Symmetric Encryption And Decryption Using GnuPG 1: shell> gpg -output en_mesg.gpg -symmetric mymesg.txt 2: 3: Enter passphrase: see you later 4: Repeat passphrase: see you later 5: shell> 6: 7: shell> gpg -output message -decrypt en_mesg.gpg 8: Enter passphrase: see you later 9: shell> In many practical cases, the passphrase is an MD5 string generated by the MD utility such as MD5 ("see you later") = a3e6d94880ba5f0d09b0dce37e65439f to provide more protection against brute-force attack. In this case, the attacker has to crack the MD5 string instead of a nice phrase. All commands and options related to GnuPG can be displayed on your screen if you activate the program with the help option: gpg --help Finally, there are a number of user interfaces for GnuPG on different platforms and operating systems available on the Internet. Some of them are integrated with email systems such as Outlook Express and some of them are embedded into Windows systems. Once again, a good reference can be found on the official GnuPG site: www.gnupg.org. |
Table of Contents | Previous Next |