Sunday, December 20, 2009

GnuPG

GnuPG ( GNU Privacy Guard ) is the GNU project's complete and free implementation of the OpenPGP standard. GnuPG allows to encrypt and sign your data and communication.

PGP use asymmetrics cryptography. It mean, that PGP use two keys.
  • private key
  • public key
Public key use to verification sign of private key. With public key you can also encrypt text. Decryption is possibly only with private key.
After generate your keys you must protect your private key and import your public key to Key server in Internet. Key server is repository of public PGP keys. You can search and take public keys of other people there.
If you want use GnuPG in comfortable way, you use Firefox plug-in FireGPG.

Create keys

$ gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
  = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 2y
Key expires at Tue 20 Dec 2011 07:02:09 PM CET
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) "

Real name: Tomas Jurman
Email address: your@email.com
Comment:
You selected this USER-ID:
"Tomas Jurman "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++++++++++++.++++++++++.+++++.++++++++++++++++++++.+++++..+++++++++++++++++++++++++.++++++++++.+++++++++++++++.+++++++++++++++.++++++++++>++++++++++.........+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++..+++++.++++++++++.++++++++++++++++++++.++++++++++.+++++..++++++++++..+++++.+++++...+++++.++++++++++++++++++++++++++++++++++++++++.+++++.+++++....+++++++++++++++>.++++++++++>...+++++...>+++++........................................................................................................................+++++^^^^^^^^^^^
gpg: key 1DA0400B marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2011-12-19
pub   1024D/1DA0400B 2009-12-20 [expires: 2011-12-20]
Key fingerprint = 30DA B2F5 67B6 52D5 CEFE  B8F3 3500 2542 1DA0 400B
uid                  Tomas Jurman 
sub   2048g/8273984F 2009-12-20 [expires: 2011-12-20]

List keys

$ gpg --list-keys
pub   1024D/09CEB475 2009-12-19 [expires: 2011-12-19]
uid                  Tomáš Jurman 
sub   2048g/4288E83B 2009-12-19 [expires: 2011-12-19]
You can see your ID (hexadecimal number after slash - 09CEB475), identity (name and email address), expiration time and other.

Create revocation key

If You want to revoke your keys for reason If has been your keys compromised. (your private key become public known), you must prepare revocation keys.

It is good idea, prepare your revocation keys immediately after generate your keys. Because if you for example by mistake delete your private key, you can not generate your revocation keys. You can prepare revocation keys in advance, save revocation key to file and use in future if it you need.
$ gpg --gen-revoke 4CA09BBE
sec  1024D/4CA09BBE 2009-12-20 tomas jurman 

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> Key has been compromised
> My women bought my private notebook with my private keys.
>
Reason for revocation: Key has been compromised
Key has been compromised
My women bought my private notebook with my private keys.
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "tomas jurman "
1024-bit DSA key, ID 4CA09BBE, created 2009-12-20

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: A revocation certificate should follow

iJsEIBECAFsFAksufFxUHQJLZXkgaGFzIGJlZW4gY29tcHJvbWlzZWQKTXkgd29t
ZW4gYm91Z2h0IG15IHByaXZhdGUgbm90ZWJvb2sgd2l0aCBteSBwcml2YXRlIGtl
eXMuAAoJEK4w30tMoJu+5GEAoJ7gDvekN3DHDj/fg97N6Wx3aM1yAKCrW/EBaVnf
A0AzEx5BoJ01raygyg==
=5ln0
-----END PGP PUBLIC KEY BLOCK-----
Last part of statement you copy and paste to file with name for example "revok.key" and retain in secret place.

Revocation keys

$ gpg --import revok.key

Delete keys

$ gpg --delete-secret-keys 1DA0400B
$ gpg --delete-keys 1DA0400B
First you must delete private key and then public key.

Import your public key to Key server

For sending your public key to Key server you must determine your key ID.
$ gpg --send-keys 09CEB475
gpg: sending key 09CEB475 to hkp server keys.gnupg.net

Search public keys in Key server

$ gpg --search-key yourFriend@email.com
gpg: searching for "yourFriend@email.com" from hkp server keys.gnupg.net
(1) Tomáš Jurman 
1024 bit DSA key 05CEA475, created: 2009-12-19
Keys 1-1 of 1 for "yourFriend@email.com".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 05CEA475 from hkp server keys.gnupg.net
gpgkeys: key 05CEA475 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
The key will bee find and GPG offer you to import key in your keys store.

Export public key to file

$ gpg -a --export your@email.com > my.key

Export secret key to file

gpg --export-secret-keys -a [id] > /home/tomas/mySecrKey.txt
Value Id is optional. If you dont use id, gpg export all yours secret keys

Import public key from file

$ gpg --import my.key

Encrypt file

$ gpg -ear 09CEB475 sourcerPlainText.txt
-e = encryt, -r = recipient, -o = output, -a = armor (to ascii)

Decrypt file

$ gpg -d encryptOutputFile.txt

Encrypt and Sign

gpg -esr 09CEB475 -u 16582121 sourcerPlainText.txt
This create .pgp file decript of recipient with ID 09CEB475 and sign of user with ID 16582121
-e = encrypt; -s - sign; -r = recipient; -u = user

Sign

  • $ gpg -s sourcerPlainText.txt
    Create .pgp file. Use compression and Contain source file data.
  • gpg --clearsign sourcerPlainText.txt
    Create .asc file. Dont use compression. Contain source file data.
  • gpg -b sourcerPlainText.txt
    Create .asc file. Create only sign, not contains data from file.
optional: -a = armor (to ascii); -u = user
gpg -bau 16582121 sourcerPlainText.txt

Fingerprint

gpg --fingerprint [ID | email]


Verify sign

You need 2 files. First file is Sign and second file contains some data for verify.
gpg --verify test.txt.sig test.txt

Create encrypt and sign file for SIMS

Every quarter of year we have to send encrypt and sign file to SIMS.
As -r (recipient) use ID or email address of Matrika studentu - sber dat
As -u (user) use your ID or your email address.
Don´t forget use switch --pgp6.
  1. gpg -easr sims@ics.muni.cz -u yourSchool@emailAddress.cz --pgp6 -o sims.pgp sims.xml
  2. gpg -easr 8E4E1C1C -u 16582121 --pgp6 -o sims.pgp sims.xml
-e = encrypt; -s - sign; -r = recipient; -u = user; -o = output, -a = armor (to ascii)
Posted by at
Labels:

1 comment:

  1. AnonymousApril 22, 2010 at 8:40 PM

    dokonaly zpusob :) na ten SIMS jsem nemohl prijit ...

    dekuji :)

    Michal Princ

    ReplyDelete

Subscribe to: Post Comments (Atom)