Friday, February 12, 2010

How to use GnuPG/GPG to encrypt and sign your files

GNU Privacy Guard (GnuPG or GPG) is a free software alternative to the PGP suite of cryptographic software.GnuPG encrypts messages using asymmetric keypairs individually generated by GnuPG users. The resulting public keys can be exchanged with other users in a variety of ways, such as Internet key servers. They must always be exchanged carefully to prevent identity spoofing by corrupting public key ↔ "owner" identity correspondences. It is also possible to add a cryptographic digital signature to a message, so the message integrity and sender can be verified, if a particular correspondence relied upon has not been corrupted.

This tutorial is for linux users.
1.Open a shell and type :

gpg --gen-key

This will produce a menu asking you what type of algorithm you want.

   Please select what kind of key you want:

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)

Your selection?

DSA, aka Digital Signature Algorithm, is an algorithm which is used for signing messages, whereas ElGamal useable for encryption as well as signatures. (A good discussion of the encryption options available is located here).The default should be fine, although any key length longer than 2048 will be ignored for the DSA algorithm (ie: your ElGamal key will be 2048 bits, but the DSA one will still be 1024). This is because DSA keys cannot be larger than 1024 bits, although they can be as small as 512 bits (but this would not be useful in a real world setting).

Next, you choose the length of your key.

SA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits



The problem with larger keys is that they will empty the entropy pool quickly during generation. You can get around this by having several people log in and do their work, which seeds the entropy pool on Linux (and other) systems. For this example key, I'll leave it at the default of 2048 bits.
Note: an entropy pool is used by the random number function on most operating systems. It is important to keep it random because keys generated from non-random numbers can be cracked much more easily. Linux (and other systems such as OpenBSD) keep the entropy pool fed by monitoring the input of the random device in a computer system: the human.
Please specify how long the key should be valid.
        0 = key does not expire
       d = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 16 Feb 2011 04:58:53 PM EET
Is this correct? (y/N) y

If you don't think you'll use your key much, but do want to be able to use it at any time, don't set your key to expire. If you are paranoid about security, you might want to set your keys to expire after a period (1 year to 3 years depending on key usage). Remember that you can always manually expire keys at a later time through key revocation.
Regardless of what expiry setting you choose, GnuPG will ask you to confirm it.

Key does not expire at all
Is this correct (y/n)?

Next you enter your user ID for the key.

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:

"John Lock "
Real name:
Email address:
Comment:

If you entered the data as follows:

Real name:       John Lock
Email address: john_lock@yahoo.com
Comment:       just beleve
You selected this USER-ID:    "John Lock (just beleve) "

Your ID would be: My name (me). GnuPG will then allow you to correct any mistakes, generate the key, or abort.

Next will be your passphrase. It is very, very important that you choose a strong one you can remember. Without this passphrase, anyone who can copy your PGP keys will be able to impersonate you (such as your local sysadmin on a shared system). If your system is cracked, a passphrase on your key ring might be the only thing stopping the cracker from impersonating you. The caveat is that if you forget your passphrase, you will not be able to use your own keys.
After this, GnuPG will generate your keys. You should see a message like this:

We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.

You will see some characters scroll by. If GnuPG can't get enough random characters, you'll see a message like this:

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need NN more bytes)

Don't panic! Just run some programs,type some random characters in the shell, etc. If you have installed egd (the entropy gathering daemon [scroll down page for egd info and files]), play some music into the microphone. Once GnuPG is done, you should see this message:

public and secret key created and signed.

Congratulations. You now have a pair of keys. One is private, and one is public. Think of them as a birth certificate, library card, and drivers' licence rolled into one.

2.Generate a revocation certificate

After your key pair is created you should immediately generate a revocation certificate for the primary public key using the option -gen-revoke.If you forget your passphrase or if your private key is compromised or lost,this revocation certificate may be published to notify others that the public key should nolonger be used.A revoked public key can still be used to verify signatures made by you in the past, but it cannot be used to encrypt future messages to you.It also does not affect your ability todecrypt messages sent to you in the past if you still do have access to the private key.

gpg --output revoke.asc --gen-revoke  key_id(you can put the user id and it will work )

Example: 
gpg --output revoke.asc --gen-revoke 915E0CF3
 
3.Exchange keys with your friends

 
To communicate with others you must exchange public keys.To list the keys on your public keyring use the command-line option -list-keys.The number 915E0CF3 in the example below is your public key's id number.

gpg  --list-keys


pub  2048R/915E0CF3  2010-02-16 [expires: 2011-02-16]
uid  John Lock (just beleve)
sub   2048R/597A4582  2010-02-16 [expires: 2011-02-16]

Now to export the key in armored format(is better to be armored if you email the key or if you publish it on the web) :

gpg --output johnlock.asc --armor --export key_id


Now you must give this key(johnlock.asc) which is in your home folder to your friend.If you send it by mail then you should call him/her and tell her the fingerprint.If the fingerprint is ok then the certificate is realy from that person.How to see the fingerprint of a key:

gpg --edit-key john_lock (you can use the id like this or gpg --edit-key  915E0CF3 )
Command> fpr (this will list the keysfingerprint)

4.Importing a friends public key

 Let's presume that your friend gave you his public key named jack.asc.pub.

gpg --import  jack.asc.pub

After checking the fingerprint, you may sign the key to validate it.Since key verification is a weak point in public-key cryptography, you should be extremely careful and always check a key’s fingerprint with the owner before signing the key.

 gpg --edit-key jack_shepard (or key_id)

Command> sign jack_shepard (or_key_id) 


Once signed you can check the key to list the signatures on it and see the signature that you have added.Every user ID on the key will have one or more self-signatures as well as a signature for each user that has validated the key.

Command> check

Then you can set a trust level for your friends key:

Command>trust jack_shepard(or key_id)

After that save and exit.

 Command> save

Note . It is a good practice to sign and trust someone else's public key then to export that persons key and send it back to them.That is how you rase the credibility of your public key by letting other people sign it and send it back to you.



5.Encrypt/Decrypt documents


 a.Encrypt a document
If you want to encrypt a document for someone else use his public key you just imported in the previous exercise.If you want to encrypt a document for yourself use your public key.
Note if you encrypt the document using someone else's public key only that person can decrypt that document.

gpg  --output doc_name.gpg  --encrypt --armor --recipient key_id  doc_name

b.Decrypt a document

gpg --output doc_name --decrypt doc_name.gpg

6.Symmetric encription

If you do not need to send the document to anyone and is your private document you can use symmetric encryption.

gpg  --output doc_name.gpg  --armor --symmetric   doc_name
Enter Passphrase:type_the_password_you_want(it is a new password don't use youre public key password)

To decrypt type:
gpg  --output doc_name  --decrypt   doc_name.gpg
Enter Passphrase:

7.Making and verifying signatures

A digital signature certifies and time stamps a document. If the document is subsequently modified in any way,a verification of the signature will fail.A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper resistant. The GnuPG source distribution,for example,is signed so that users can verify that the source code has not been modified since it was packaged.
Creating and verifying signatures uses the public/private key pair in an operation different from encryption and decryption.A signature is created using the private key of the signer.The signature is verified using the corresponding public key.
How to create a signature file:

gpg --output doc_name.sig --armored  --sign doc_name

The document is compressed before being signed, and the output is in binary format.
Given a signed document, you can either check the signature or check the signature and recover the original document.To check the signature use the -verify option. To verify the signature and extract the document use the -decrypt option.The signed document to verify and recover is input and the recovered document is output.
 To verify signature type:

 gpg  --verify doc_name.sig

To decrypt the document type:

gpg  --output doc_name  --decrypt   doc_name.sig

A common use of digital signatures is to sign usenet postings or email messages. In such situations it is undesirable to compress the document while signing it.The option -clearsign causes the document to be wrapped in anASCII-armored signature but otherwise does not modify the document.

gpg   --clearsign doc_name (this will create a signed document named doc_name.asc)

Detached signatures

A signed document has limited usefulness.Other users must recover the original document from the signed version, and even with clearsigned documents, the signed document must be edited to recover the original. Therefore, there is a third method for signing a document that creates a detached signature, which is a separate file.A detached signature is created using the -detach-sig option.

gpg --output doc_name.sig  --detach-sig doc_name

Both the document and detached signature are needed to verify the signature.The -verify option can be used to check the signature:
gpg  --verify doc_name.sig doc_name

8.Exporting a key from a key server 


 Exporting a key:


gpg --send-keys --keyserver keyserver.ubuntu.com

Importing a key:

gpg --recv-keys --keyserver keyserver.ubuntu.com  


9.Key Management and examples

gpg --edit-key key_id     Present a menu which enables you to do all key related tasks:

sign     Make a signature on key of user name If the key is not yet signed by the default user (or the users given with -u), the program displays the information of the key again   together with its fingerprint and asks whether it should be signed. This question is repeated for all users specified with -u.
lsign     Same as --sign but the signature is marked as non-exportable and will therefore never be used by others. This may be used to make keys valid only in the local environment.
nrsign     Same as --sign but the signature is marked as non-revocable and can therefore never be revoked.
nrlsign     Combines the functionality of nrsign and lsign to make a signature that is both non-revocable and non-exportable.
revsig     Revoke a signature. For every signature which has been generated by one of the secret keys, GnuPG asks whether a revocation certificate should be generated.
trust     Change the owner trust value. This updates the trust-db immediately and no save is required.
disable   
enable     Disable or enable an entire key. A disabled key can not normally be used for encryption.
adduid     Create an alternate user id.
addphoto     Create a photographic user id. This will prompt for a JPEG file that will be embedded into the user ID. Note that a very large JPEG will make for a very large key.
deluid     Delete a user id.
delsig      Delete a signature.
revuid       Revoke a user id.
addkey       Add a subkey to this key.
delkey     Remove a subkey.
addrevoker [sensitive]     Add a designated revoker. This takes one optional argument: "sensitive". If a designated revoker is marked as sensitive, it will not be exported by default (see export-options).
revkey     Revoke a subkey.
expire     Change the key expiration time. If a subkey is selected, the expiration time of this subkey will be changed. With no selection, the key expiration of the primary key is changed.
passwd     Change the passphrase of the secret key.
primary     Flag the current user id as the primary one, removes the primary user id flag from all other user ids and sets the timestamp of all affected self-signatures one second ahead. Note that setting a photo user ID as primary makes it primary over other photo user IDs, and setting a regular user ID as primary makes it primary over other regular user IDs.
uid n     Toggle selection of user id with index n. Use 0 to deselect all.
key n     Toggle selection of subkey with index n. Use 0 to deselect all.
check     Check all selected user ids.
showphoto     Display the selected photographic user id.
pref     List preferences from the selected user ID. This shows the actual preferences, without including any implied preferences.
showpref     More verbose preferences listing for the selected user ID. This shows the preferences in effect by including the implied preferences of 3DES (cipher), SHA-1 (digest), and Uncompressed (compression) if they are not already included in the preference list.
setpref string     Set the list of user ID preferences to string, this should be a string similar to the one printed by "pref". Using an empty string will set the default preference string, using "none" will set the preferences to nil. Use "gpg -v --version" to get a list of available algorithms. This command just initializes an internal list and does not change anything unless another command (such as "updpref") which changes the self-signatures is used.
updpref     Change the preferences of all user IDs (or just of the selected ones to the current list of preferences. The timestamp of all affected self-signatures will be advanced by one second. Note that while you can change the preferences on an attribute user ID (aka "photo ID"), GnuPG does not select keys via attribute user IDs so these preferences will not be used by GnuPG.
toggle     Toggle between public and secret key listing.
save     Save all changes to the key rings and quit.
quit     Quit the program without updating the key rings.
    The listing shows you the key with its secondary keys and all user ids. Selected keys or user ids are indicated by an asterisk. The trust value is displayed with the primary key: the first is the assigned owner trust and the second is the calculated trust value. Letters are used for the values:
-     No ownertrust assigned / not yet calculated.
e     Trust calculation has failed; probably due to an expired key.
q     Not enough information for calculation.
n     Never trust this key.
m     Marginally trusted.
f     Fully trusted.
u     Ultimately trusted.

gpg --delete-key  key_id  (deletes a public key you don't need)


For mor information check this out is the online man page:
http://www.squarebox.co.uk/cgi-squarebox/manServer/gpg.1

For windows users there is gpg4win if they want to use gnupg.

1 comment: