public key cryptography and gnupg cpt 555 network security
TRANSCRIPT
![Page 1: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/1.jpg)
Public Key Cryptography and GnuPG
CPT 555
Network Security
![Page 2: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/2.jpg)
Class Objectives
• Students will be able to understand the importance of Public Key Cryptography.
• Students will implement GPG• Students will be able to:
– Create keypair– Import and export public keys– Revoke keys– Encrypt keys– Decrypt keys– Sign keys– Encrypt keys
![Page 3: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/3.jpg)
Using GnuPG (gpg)
Objectives:
• Key management– Create a keypair– Import and export public keys– Revoke a keypair
• Encryption and decryption
• Signing and authentication
![Page 4: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/4.jpg)
Preparing to Create a Keypair
• Choose a good passphrase– long– hard to guess– contains special characters
• Choose an algorithm– DSA/ElGamal (recommended)– RSA
• Choose a key length– use the largest practical length– I recommend 2048 bytes
![Page 5: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/5.jpg)
Creating the Keypair
• Create the keypairgpg --gen-key
• Create the revocation certificategpg --gen-revoke
• Store hard copies of the keypair and certificate in a safe place
![Page 6: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/6.jpg)
Exporting Your Public Key
• Export the keygpg --export uid > pubkey.gpg
• Creates a binary file
• Use --armor to create a text-encoded filegpg --armor --export uid > pubkey.asc
Note: uid is any part of user name or keyID (last 4B of fingerprint). See below.
![Page 7: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/7.jpg)
Publishing Your Key
• Reminder: Never publish your secret key• Be sure your exported public key is correct and
you have a revocation certificate!• Put it on your web site, a floppy disk, a USB
memory key, etc.• Put the fingerprint in your e-mail signature, on
your business cards, etc.• Send your public key to a public key server
gpg --send-key uid
![Page 8: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/8.jpg)
Getting Public Keys
• Through a secure, out-of-band channel, get your correspondent’s fingerprint
• Usually, the last four bytes of the fingerprint are the key ID
• Get the key from your correspondent’s web site, floppy disk, key server
![Page 9: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/9.jpg)
Importing Public Keys
• Check the fingerprint (use check command)1F13 06BC EDB1 4BD1 4952 51BC F203 3CF8 CAF9 A5E1
• Import the key – from a key server
gpg --recv-keys 0xCAF9A5E1
– from a file (puts the key on your keyring?)gpg --import pubkey.asc
• Confirm the fingerprint (that key is correct)gpg --fingerprint username
![Page 10: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/10.jpg)
Your Keyring
• Holds your public keys and imported public keys
• List all keys in your keyringgpg --list-keys
• With signaturesgpg --list-sigs
• Delete a key (on your key ring?)gpg --delete-key uid
![Page 11: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/11.jpg)
Signing Keys
• Only sign a key if you know it’s authentic– received through a secure channel– checked credentials of sender– checked fingerprint
• To sign a key, you must edit itgpg --edit-key uid
• Interactive mode• Use the sign command• Export the key so its owner can re-import it,
complete with signature
![Page 12: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/12.jpg)
Assigning Ownertrust
• How well do you trust the key’s owner to correctly verify keys?
• Assign ownertrust with the trust command
1. Don’t know2. Do not trust3. Trust marginally4. Trust fully5. Trust ultimately
![Page 13: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/13.jpg)
Encrypting Messages
• Make sure you have all recipients’ keysgpg --recipient user1 --recipient user2 ... --encrypt filename
• Creates a binary file, filename.gpg• Use --armor to produce a text-encoded
file, filename.asc• Include yourself as a recipient with --encrypt-to-self uid
![Page 14: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/14.jpg)
Signing Messages
• Sign with your private key:gpg --sign filename
• Creates a binary file, filename.gpg• Use --clearsign instead of --sign to
leave the message in plain text, surrounding it by a text-encoded signature (filename.asc)
• Will prompt for passphrase (enter it securely!)
![Page 15: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/15.jpg)
Signing and Encrypting
• Always do both (sign first, then encrypt)
• Just combine the commands to sign and encrypt in one stepgpg --armor --recipient user1 --recipient user2 ... --encrypt --sign filename
• Will prompt for passphrase (enter it securely!)
![Page 16: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/16.jpg)
Decrypting and Authenticating
• Decrypting is GnuPG’s default behavior:gpg filename.gpg
gpg filename.asc
• Either will produce filename
• Use --verify to verify the signature, thus authenticating the sender
![Page 17: Public Key Cryptography and GnuPG CPT 555 Network Security](https://reader036.vdocuments.us/reader036/viewer/2022071806/56649cf05503460f949be9f9/html5/thumbnails/17.jpg)
References and Good Sites
• GPG Home
• Mini How-to
• The Diceware Passphrase Home Page
• Modular Arithmetic