Sunday, April 20, 2008

ESSENTIAL ENCRYPTION PART I - PGP

-=[ About It ]=-

PGP is a popular public/private key encryption system used primarily in email. Its long key length and brilliant architecture make it perfect for hiding data you don't want read by third parties, and for establishing a secure mode of communication between two or more people.

PGP has a long and troubled history, which you can read about on its Wikipedia article [1]. Suffice it to say that it was the first consumer encryption program, and helped break down the absurd US encryption exportation laws in the mid-90s.

-=[ Getting It ]=-

The most popular implementation of PGP these days is GPG, the GNU Privacy Guard. It's free, so you can get it from their website [2]. It runs on every major platform, and also bsd :P I'm going to be covering Linux exclusively, as that's all I know, but just about everything is the same regardless of your OS.

It should either come with your distro or be available in the package repository. It's in Debian and Ubuntu apt, Portage, and comes with Slackware.

-=[ Setting It Up ]=-

First thing after installing, you need to generate a public/private keypair:

$ gpg --gen-key

This should ask you some questions and then deposit a key in your private keystore (usually ~/.gnupg/secring.gpg on *nix). Make sure the key was generated correctly by listing your keys like this:

$ gpg --list-keys

You need to generate a revocation certificate now, in case your key is compromised or you (god forbid) lose it, or someone steals your USB key which you unwisely had your private key stored on (*cough* *cough*). Really, you need to do this:

$ gpg --output revocation-cert.asc --gen-revoke y3rk3y1d

Replace 'y3rk3y1d' with your key ID, visible in --list-keys as follows:

pub 1024D/C1F5E7CE 2004-12-14
uid Someone
sub 1024g/07AACA92 2004-12-14

In this case, 'C1F5E7CE' is your public key ID. You probably want to export your ASCII-armored public key so people can decrypt your messages and files, and also so you can email it to all your geek friends to show off:

$ gpg --armor --output PublicKey.asc --export y3rk3y1d


You should probably send it to a keyserver so anyone in the world can download it, should they need it. There is really no reason at all to not do this:

$ gpg --keyserver pgp.mit.edu --send-key y3rk3y1d
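The 8-character key ID shown by --list-keys is only the tail of the key's fingerprint, and two different keys can share it, so scripts should identify keys by full fingerprint. The sketch below is an added example, not part of the original post: it reads gpg's machine-readable --with-colons listing and flags short-ID clashes and RSA/DSA keys under 2048 bits (the threshold, the function names and the sample listing are this example's own assumptions).

```sh
#!/bin/sh
# Added example (not from the original post).
# Real use: gpg --with-colons --fingerprint --list-keys | audit_keys

# Constructed sample listing. Only the short IDs C1F5E7CE and 07AACA92 come
# from the listing on this page; every other value is made up.
sample_listing() {
cat <<'EOF'
pub:u:1024:17:00000000C1F5E7CE:1102982400:::u:::scESC:
fpr:::::::::00000000000000000000000000000000C1F5E7CE:
uid:u::::1102982400::::Someone:
sub:u:1024:16:0000000007AACA92:1102982400::::::e:
fpr:::::::::0000000000000000000000000000000007AACA92:
pub:-:4096:1:11111111C1F5E7CE:1200000000:::-:::scESC:
fpr:::::::::11111111111111111111111111111111C1F5E7CE:
uid:-::::1200000000::::Someone:
EOF
}

# Prints "<fingerprint> <algo><bits> <flags>" per primary key.
# Returns 1 if any key was flagged, 0 otherwise.
audit_keys() {
    awk -F: '
        function algo_name(n) {
            if (n == 1)  return "RSA"
            if (n == 16) return "ELG"
            if (n == 17) return "DSA"
            if (n == 22) return "EdDSA"
            return "algo" n
        }
        $1 == "pub" { primary = 1; algo = $4 + 0; bits = $3 + 0; next }
        $1 == "sub" { primary = 0; next }     # skip subkey fingerprints
        $1 == "fpr" && primary {
            primary = 0
            status = ""
            if ((algo == 1 || algo == 17) && bits < 2048) status = status " WEAK"
            short = substr($10, length($10) - 7)   # last 8 hex digits = short key ID
            if (short in seen) status = status " SHORT-ID-COLLISION"
            seen[short] = 1
            if (status != "") flagged = 1; else status = " ok"
            printf "%s %s%d%s\n", $10, algo_name(algo), bits, status
        }
        END { exit (flagged ? 1 : 0) }
    '
}

sample_listing | audit_keys || echo "review the flagged keys above"
```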

-=[ Using PGP for Local Encryption ]=-
-==[ Encryption ]==-

PGP uses public/private key cryptography, so things are usually encrypted in such a way that they can only be decrypted with a specific key. If you want to encrypt something so that only you can read it, simply encrypt it to yourself:

$ gpg --encrypt --recipient 'Kapitan' --output test.gpg test.txt

Of course replace 'Kapitan' with your name or your key ID. To encrypt a file to someone else, you first need to import their public key:

To download it from the MIT keyserver:

$ gpg --keyserver pgp.mit.edu --search-keys 'Their Name'

To import it from a file:


$ gpg --import theirkey.asc

Then encrypt it like before:

$ gpg --encrypt --recipient 'Their Name' --output test.gpg test.txt

You should end up with a file full of binary gibberish. To sign a file, use this command:

$ gpg --sign --clearsign test.txt

Signing is useful in that, theoretically, only the owner of the private key it is signed with can generate a valid signature for any one file, and changing that file in any way invalidates the signature.

-==[ Decryption ]==-

To decrypt a message, import their public key, and then use the --decrypt option:

$ gpg --decrypt ./test.gpg

If your friend encrypted their file correctly, you should now have the decrypted message in your working directory. To verify a signature, use the --verify option of gpg:

$ gpg --verify ./test.asc

It will either report a good signature or a bad signature. If it's a bad one, contact your friend over a secure medium.
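gpg reports a good signature for a valid signature made by any key in your keyring, so a script that acts on the result should also check which key signed. Added example (not from the original post): it reads the machine-readable lines gpg writes with --status-fd and accepts only a single valid signature from an expected fingerprint; the function names, the fingerprint and the status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post).
# Real use:
#   gpg --batch --status-fd 1 --verify test.asc 2>/dev/null | sig_verdict "$EXPECTED"

# Constructed fingerprint; only the last 8 hex digits match the page's example ID.
EXPECTED=00000000000000000000000000000000C1F5E7CE

# Constructed status output for a good signature by the expected key.
good_status() {
cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000C1F5E7CE Someone
[GNUPG:] VALIDSIG $EXPECTED 2008-04-20 1208649600 0 4 0 17 2 01 $EXPECTED
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed status output for a file that was modified after signing.
bad_status() {
cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 00000000C1F5E7CE Someone
EOF
}

# sig_verdict EXPECTED_FPR: reads status lines on stdin, prints a verdict and
# returns 0 only for exactly one valid signature made by the expected key.
sig_verdict() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }     # ignore anything that is not a status line
        # Field 12 of VALIDSIG is the primary key fingerprint; older output
        # without it falls back to the signing key fingerprint in field 3.
        $2 == "VALIDSIG" { nvalid++; signer = (NF >= 12 ? $12 : $3) }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { problem = $2 }
        END {
            if (problem != "") { print "REJECT " problem; exit 1 }
            if (nvalid != 1)   { print "REJECT no-single-valid-signature"; exit 1 }
            if (toupper(signer) != toupper(want)) {
                print "REJECT unexpected-signer " signer; exit 1
            }
            print "ACCEPT " signer
        }
    '
}

good_status | sig_verdict "$EXPECTED"
bad_status  | sig_verdict "$EXPECTED" || true
```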

-=[ Setting up your Email Client ]=-


Using PGP for local encryption is fine, but it was designed with the brilliant public/private key system it uses so that people could verify their identity on Usenet. Today, its most widespread use is in email signing and encryption.

-==[ mutt ]==-

One of the major reasons I use mutt is because of the excellent pgp support built into it. To get pgp to work on mutt, add this to your .muttrc:

set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0xC1F5E7CE -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0xC1F5E7CE -- -r %r -- %f"
set pgp_import_command="gpg --no-verbose --import -v %f"
set pgp_export_command="gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r"
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r"
set pgp_autosign=yes
set pgp_sign_as=0xC1F5E7CE
set pgp_replyencrypt=yes
set pgp_timeout=1800
set pgp_good_sign="^gpg: Good signature from"

Be sure to replace all the '0xC1F5E7CE's with your key identifier. mutt should now be able to encrypt, sign, or encrypt and sign any message that you send, with 'sign' being the default.

-==[ Thunderbird ]==-

To set Mozilla Thunderbird up to sign your messages, you'll have to use the Enigmail extension. Download it from their website [5], and then use the extension manager in Thunderbird to install it. The wizard is very straightforward, and should recognize all the keys we have already generated with the gpg command line client. Set it to sign your mail by default, and you should be ready to go.
