Cryptography and how to use OpenGPG to encrypt data
PGP is a hybrid cryptosystem which means that it uses both symmetric as well as asymmetric encryption. Let me explain
There are two types of encryption
Symmetric encryption
If I send a you a secret letter about which we have agreed that every alphabet needs to be replaced by the previous 3rd one, then when I write SECRET , I would make S V, E H, C F and so on resulting in VHFUHW. When you get the letter, you would reverse each alphabet with previous 3rd one giving you the word SECRET. You see, the same key is used for both encrypting and decrypting. If the letter gets into some wrong hands, it will make no sense to him unless he knows the key that we have agreed upon.
Asymmetric encryption
Asymmetric key has two keys private and public. Anyone possessing private key can decrypt data encrypted with its corresponding public key.
How GPG works
GPG makes use both encryption methods. It encrypts a text with a key generated with mouse movements and keyboard strokes and attaches the key with the message so the receiver can use it to decrypt the text. But isn’t stupid to attach the secret key with text which is like writing the agreed upon key 3 inside the letter in the symmetric encryption example above. No, it is not. Because the key is also encrypted with the public key. When the receiver receives the text, he decrypted the key with private key and then use that key to decrypt the actual message.
In this tutorial, I am going to show you how to protect your sensitive data by encrypting using openGPG.
GPG maintains three files beneath each user’s home directory under ~/.gnupg. They are:
1. secring.gpg contains secret key
2. pubring.gpg contains public key
3. trustdb.gpg maintains trust-levels i.e. web of trust of keys in public key ring
Creating Keys
The following command is used to generate the keys. It prompts us for a couple of questions.
Listing Keys
pub means its the master public signing key
1024 is length of the keys
D tells us that it is DSA (Digital Signature Algorithm), used for siging
6A62309F is unique key ID
2009-08-19 is the date when the signing master key was created
uid shows an identity tied to the master public and sub-keys
sub indicates that the key is subordinate key. It’s used for encryption
2048 is number of bits in the encryption
g – ElGamal used for encryption
7CB6CABD is unique key ID
2005-08-21 is the date when the encryption key was created
To list secret key
Importing and Exporting Keys
To output armored or ASCII of public key to the screen
To confirm the fingerprints of the keys
Encryption
GPG supports both symmetric and asymmetric encryption. In the following example, we will encrypt some text and then send to our partner who will decrypt it with the key we will share with him
echo “This is a very secret message” > secret_file.txt
Now we need to encrypt secret_file.txt. It will ask me for a passphrase we need to put in twice
To decrypt it, he will be asked for passphrase
There are two types of encryption
Symmetric encryption
If I send a you a secret letter about which we have agreed that every alphabet needs to be replaced by the previous 3rd one, then when I write SECRET , I would make S V, E H, C F and so on resulting in VHFUHW. When you get the letter, you would reverse each alphabet with previous 3rd one giving you the word SECRET. You see, the same key is used for both encrypting and decrypting. If the letter gets into some wrong hands, it will make no sense to him unless he knows the key that we have agreed upon.
Asymmetric encryption
Asymmetric key has two keys private and public. Anyone possessing private key can decrypt data encrypted with its corresponding public key.
How GPG works
GPG makes use both encryption methods. It encrypts a text with a key generated with mouse movements and keyboard strokes and attaches the key with the message so the receiver can use it to decrypt the text. But isn’t stupid to attach the secret key with text which is like writing the agreed upon key 3 inside the letter in the symmetric encryption example above. No, it is not. Because the key is also encrypted with the public key. When the receiver receives the text, he decrypted the key with private key and then use that key to decrypt the actual message.
In this tutorial, I am going to show you how to protect your sensitive data by encrypting using openGPG.
GPG maintains three files beneath each user’s home directory under ~/.gnupg. They are:
1. secring.gpg contains secret key
2. pubring.gpg contains public key
3. trustdb.gpg maintains trust-levels i.e. web of trust of keys in public key ring
Creating Keys
The following command is used to generate the keys. It prompts us for a couple of questions.
gpg --gen-key gpg (GnuPG) 1.4.6; Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection? 1 DSA keypair will have 1024 bits. ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: Test User Email address: testuser@linuxgravity.com Comment: This is a test key generation process You selected this USER-ID: "Test User (This is a test key generation process) <testuser@linuxgravity.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. You don't want a passphrase - this is probably a *bad* idea! I will do it anyway. You can change your passphrase at any time, using this program with the option "--edit-key". We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++++++++++++++++++++++.++++++++++ ++++++++++++++++++++++++++++++.+++++ +++++++++++++++.++++++++++..++++++++++ +++++++++++++++++++++++++>++++++++++ .............................+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ..++++++++++.++++++++++++++++++++...+++++ .+++++++++++++++++++++++++.++++++++++++ ++++++++.++++++++++..+++++.+++++++++++++++ .++++++++++....++++++++++.+++++..+++++.+++++>. ++++++++++>.+++++.>+++++.............................................. .............................................................................................................. ...+++++^^^ gpg: /home/testuser/.gnupg/trustdb.gpg: trustdb created gpg: key 6A62309F marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 1024D/6A62309F 2009-08-19 Key fingerprint = FB4D 4DC7 B093 3714 B507 CD9F F1C0 27B5 6A62 309F uid Test User (This is a test key generation process) <testuser@linuxgravity.com> sub 2048g/7CB6CABD 2009-08-19
Listing Keys
gpg --list-keys /home/testuser/.gnupg/pubring.gpg -------------------------------- pub 1024D/6A62309F 2009-08-19 uid Test User (This is a test key generation process) <testuser@linuxgravity.com> sub 2048g/7CB6CABD 2009-08-19Let’s explore the output we previous command
pub means its the master public signing key
1024 is length of the keys
D tells us that it is DSA (Digital Signature Algorithm), used for siging
6A62309F is unique key ID
2009-08-19 is the date when the signing master key was created
uid shows an identity tied to the master public and sub-keys
sub indicates that the key is subordinate key. It’s used for encryption
2048 is number of bits in the encryption
g – ElGamal used for encryption
7CB6CABD is unique key ID
2005-08-21 is the date when the encryption key was created
To list secret key
gpg --list-secret-keys /home/testuser/.gnupg/secring.gpg -------------------------------- sec 1024D/6A62309F 2009-08-19 uid Test User (This is a test key generation process) <testuser@linuxgravity.com> ssb 2048g/7CB6CABD 2009-08-19
Importing and Exporting Keys
To output armored or ASCII of public key to the screen
gpg -a --exportTo dump the ASCII of public key to a file, use -o
gpg -o filename -a --exportNote: After import/export have been performed, encrypts/decrypts/signings/verifications can take place
To confirm the fingerprints of the keys
gpg --fingerprint keyIDFor example
gpg --fingerprint 7CB6CABD
Encryption
GPG supports both symmetric and asymmetric encryption. In the following example, we will encrypt some text and then send to our partner who will decrypt it with the key we will share with him
echo “This is a very secret message” > secret_file.txt
Now we need to encrypt secret_file.txt. It will ask me for a passphrase we need to put in twice
gpg -c secret_file.txt Enter passphrase:This is will result secret_file.txt.gpg. If I cat this file, I will see gibberish
cat secret_file.txt.gpg <?wI?G?`?>:??? ??P?G:?=B<Z*n\?I??Q?@??D??<???]o??Ep&G?3_yE?Now we will send this encrypted file to Jane and tell her the passphrase (secret key) by telephone or some other means
To decrypt it, he will be asked for passphrase
gpg -d secret_file.txt.gpg gpg: CAST5 encrypted data gpg: encrypted with 1 passphrase This is a very secret message gpg: WARNING: message was not integrity protected
No comments:
Post a Comment