Public Key Cryptography and GnuPG

CPT 555

Network Security

Class Objectives

• Students will be able to understand the importance of Public Key Cryptography.

• Students will implement GPG• Students will be able to:

– Create keypair– Import and export public keys– Revoke keys– Encrypt keys– Decrypt keys– Sign keys– Encrypt keys

Using GnuPG (gpg)

Objectives:

• Key management– Create a keypair– Import and export public keys– Revoke a keypair

• Encryption and decryption

• Signing and authentication

Preparing to Create a Keypair

• Choose a good passphrase– long– hard to guess– contains special characters

• Choose an algorithm– DSA/ElGamal (recommended)– RSA

• Choose a key length– use the largest practical length– I recommend 2048 bytes

Creating the Keypair

• Create the keypairgpg --gen-key

• Create the revocation certificategpg --gen-revoke

• Store hard copies of the keypair and certificate in a safe place

Exporting Your Public Key

• Export the keygpg --export uid > pubkey.gpg

• Creates a binary file

• Use --armor to create a text-encoded filegpg --armor --export uid > pubkey.asc

Note: uid is any part of user name or keyID (last 4B of fingerprint). See below.

Publishing Your Key

• Reminder: Never publish your secret key• Be sure your exported public key is correct and

you have a revocation certificate!• Put it on your web site, a floppy disk, a USB

memory key, etc.• Put the fingerprint in your e-mail signature, on

your business cards, etc.• Send your public key to a public key server

gpg --send-key uid

Getting Public Keys

• Through a secure, out-of-band channel, get your correspondent’s fingerprint

• Usually, the last four bytes of the fingerprint are the key ID

• Get the key from your correspondent’s web site, floppy disk, key server

Importing Public Keys

• Check the fingerprint (use check command)1F13 06BC EDB1 4BD1 4952 51BC F203 3CF8 CAF9 A5E1

• Import the key – from a key server

gpg --recv-keys 0xCAF9A5E1

– from a file (puts the key on your keyring?)gpg --import pubkey.asc

• Confirm the fingerprint (that key is correct)gpg --fingerprint username

Your Keyring

• Holds your public keys and imported public keys

• List all keys in your keyringgpg --list-keys

• With signaturesgpg --list-sigs

• Delete a key (on your key ring?)gpg --delete-key uid

Signing Keys

• Only sign a key if you know it’s authentic– received through a secure channel– checked credentials of sender– checked fingerprint

• To sign a key, you must edit itgpg --edit-key uid

• Interactive mode• Use the sign command• Export the key so its owner can re-import it,

complete with signature

Assigning Ownertrust

• How well do you trust the key’s owner to correctly verify keys?

• Assign ownertrust with the trust command

1. Don’t know2. Do not trust3. Trust marginally4. Trust fully5. Trust ultimately

Encrypting Messages

• Make sure you have all recipients’ keysgpg --recipient user1 --recipient user2 ... --encrypt filename

• Creates a binary file, filename.gpg• Use --armor to produce a text-encoded

file, filename.asc• Include yourself as a recipient with --encrypt-to-self uid

Signing Messages

• Sign with your private key:gpg --sign filename

• Creates a binary file, filename.gpg• Use --clearsign instead of --sign to

leave the message in plain text, surrounding it by a text-encoded signature (filename.asc)

• Will prompt for passphrase (enter it securely!)

Signing and Encrypting

• Always do both (sign first, then encrypt)

• Just combine the commands to sign and encrypt in one stepgpg --armor --recipient user1 --recipient user2 ... --encrypt --sign filename

• Will prompt for passphrase (enter it securely!)

Decrypting and Authenticating

• Decrypting is GnuPG’s default behavior:gpg filename.gpg

gpg filename.asc

• Either will produce filename

• Use --verify to verify the signature, thus authenticating the sender

References and Good Sites

• GPG Home

• Mini How-to

• The Diceware Passphrase Home Page

• Modular Arithmetic