Public Key Cryptography and GnuPG CPT 555 Network Security

Class Objectives Students will be able to understand the importance of Public Key Cryptography. Students will implement GPG Students will be able to: –Create keypair –Import and export public keys –Revoke keys –Encrypt keys –Decrypt keys –Sign keys –Encrypt keys

Using GnuPG (gpg) Objectives: Key management –Create a keypair –Import and export public keys –Revoke a keypair Encryption and decryption Signing and authentication

Preparing to Create a Keypair Choose a good passphrase –long –hard to guess –contains special characters Choose an algorithm –DSA/ElGamal (recommended) –RSA Choose a key length –use the largest practical length –I recommend 2048 bytes

Creating the Keypair Create the keypair gpg --gen-key Create the revocation certificate gpg --gen-revoke Store hard copies of the keypair and certificate in a safe place

Exporting Your Public Key Export the key gpg --export uid > pubkey.gpg Creates a binary file Use --armor to create a text-encoded file gpg --armor --export uid > pubkey.asc Note: uid is any part of user name or keyID (last 4B of fingerprint). See below.

Publishing Your Key Reminder: Never publish your secret key Be sure your exported public key is correct and you have a revocation certificate! Put it on your web site, a floppy disk, a USB memory key, etc. Put the fingerprint in your signature, on your business cards, etc. Send your public key to a public key server gpg --send-key uid

Getting Public Keys Through a secure, out-of-band channel, get your correspondent’s fingerprint Usually, the last four bytes of the fingerprint are the key ID Get the key from your correspondent’s web site, floppy disk, key server

Importing Public Keys Check the fingerprint (use check command) 1F13 06BC EDB1 4BD BC F203 3CF8 CAF9 A5E1 Import the key –from a key server gpg --recv-keys 0xCAF9A5E1 –from a file ( puts the key on your keyring? ) gpg --import pubkey.asc Confirm the fingerprint ( that key is correct ) gpg --fingerprint username

Your Keyring Holds your public keys and imported public keys List all keys in your keyring gpg --list-keys With signatures gpg --list-sigs Delete a key ( on your key ring? ) gpg --delete-key uid

Signing Keys Only sign a key if you know it’s authentic –received through a secure channel –checked credentials of sender –checked fingerprint To sign a key, you must edit it gpg --edit-key uid Interactive mode Use the sign command Export the key so its owner can re-import it, complete with signature

Assigning Ownertrust How well do you trust the key’s owner to correctly verify keys? Assign ownertrust with the trust command 1.Don’t know 2.Do not trust 3.Trust marginally 4.Trust fully 5.Trust ultimately

Encrypting Messages Make sure you have all recipients’ keys gpg --recipient user1 --recipient user encrypt filename Creates a binary file, filename.gpg Use --armor to produce a text-encoded file, filename.asc Include yourself as a recipient with - -encrypt-to-self uid

Signing Messages Sign with your private key: gpg --sign filename Creates a binary file, filename.gpg Use --clearsign instead of --sign to leave the message in plain text, surrounding it by a text-encoded signature (filename.asc) Will prompt for passphrase (enter it securely!)

Signing and Encrypting Always do both (sign first, then encrypt) Just combine the commands to sign and encrypt in one step gpg --armor --recipient user1 --recipient user encrypt --sign filename Will prompt for passphrase (enter it securely!)

Decrypting and Authenticating Decrypting is GnuPG’s default behavior: gpg filename.gpg gpg filename.asc Either will produce filename Use --verify to verify the signature, thus authenticating the sender

References and Good Sites GPG Home Mini How-to The Diceware Passphrase Home Page Modular Arithmetic