Recently, I played around with PGP keys for mail, files, and in general data encryption/verification between a sender and a recipient.
The PGP standard (stand for Pretty Good Privacy) have an open source suite implementation: GPG (GnuPG). This is quite simple to use if you want to ensure that only the person you want can read your message, and on the other side be sure that you can trust message incoming.
This post is a short one to summarize what is a PGP keys pair, what's the point with it, and how to use it thanks to GnuPG.
What is PGP keys and why is it used for?
The Principle of PGP (Pretty Good Privacy) keys
The principle is that if one key encrypt something only the second key can decrypt the encrypted blob.Starting from this fact if you share only one of your two keys (named the 'public' one) to every body, people will be able to be sure that a mail come from you(thanks to verification), and be sure that mail sent to you will only be readable by you(thanks to encryption). And simply, if they do the same (create a PGP key pair, and share only the public one) you will be able to verify that a mail come from them(thanks to verification), and ensure that a mail sent to them will only be readable by them(thanks to encryption).
Encrypt/Decrypt
Encrypt and decrypt process use the key pairs. This process insure that encrypted data cannot be decrypted if you don't own the the second key of the keys pair. So the sender will encrypt a mail with the recipient public key, ensuring that only recipient's private key can decrypt the message.An encrypted mail will look like that(if using text/ascii encryption):
-----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.11 (GNU/Linux) hQEMA/JIKw0Q5wdUAQf/X5yVdUn6wmBNJ0AIAqBZOoYO8Y3ax3JMVQs7H25VDk0B Ax2bpgIVpBDo8CmafskM80SSBqXFPH3mpafD4aibzv5++6/tU4aNOMWkGK+zEysk nAn9AtmEe4c52V6DtNwHUHfpW0cFT00Ehg8Z2wXrejPTqYQ4FRiJE/pRqvRWKqki jQa630t0x90yp+jbMBQ741RSZKCs4m1/NIt78Mm7LDLS1HRFyWrmJwjdlIJW0p5Z +kInY7j+DRILMkJPwoc0aMX/ommj3GUfxrxxQVHFtgzZrMjnYMd+LKmuyDuxlIh9 8pnbmlth8htsEtGNfjpsZkzyMGSHpcEQGdZ9eyMEWNLAwAF4eVkbYxyA1hz/mX4J YqNUpIH/n1Xo7iJ4s9b1rs9QIdJGfDP35K01K/6wRSGgxHU4nDdTI+kMe8j9Rx/5 UcHC05QRDeGHwIX/p6CcmECNxQNJ6G6dpfNSEMdzzGZpxSpnRDb0+y19OhsKs38Y js2nXytBqQ/kG9EZ45mUvVoWvhdBcx+p5ee9QOwLqwau/a5TUJGj/FwvCQdiV2We bUu7DPc8fM6UJthTa15QXgKYDzs1X9aRbr/3PTqqbQPimj0Iqn+r2Qe4YDziSQaJ qv+nZ0/fAE6dCLCVPGLoUQoKRcUHN/iEec0GoQp6Pe1N2+gcTtqrpp0tC6NhtA60 02JfsCSCmg2Yp7lmub+zJnPjMoGQjaSVobq8dtHVhwdVhkyJHBL/7tUI0B7yAuL+ LivSD/ZWlcDqCBvNt8r1V5dr+dAKMhryBLSwtS4WtEkproA8RQp9SxNTCk0blNsI hjXpsSXJ3UGTUAtZYosnfL7OcIBjpcio6PLmYC8zO70zBQ== =k5dF -----END PGP MESSAGE-----
Instead of that:
Hello world!!
Sign/Verify
This process is used in addition with encryption/decryption to inform that the message has been really written by somebody. The principle of signing is to add the encrypted data's hash or message digest after the data to trust. The recipient will then compute the hash of the message and compare with the decrypted signature data (the encrypted hash). If hashes are equals identity is verified.A signed email body will look like:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello world!! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBAgAGBQJR2aMJAAoJEJiHS2C3UPmlK9UIAI8/StFsPuDvP0NCjoqe2ePl zY3cX2I4ldvPjPJcSyFSSSJkoNfR2CM5k27MksGOxSsKuePPG1U3DorxJ1U3ZLzr Al6jOffLTBT7VI7qr3pB4D4k9WwAvQGFokA+VWimJLY5Ldz9l1X3C6BJ/uBcX/iC KBSeNLcbjpYWYDFiXXwsA53i2yOWhdH9aHt3hBPnVs97DWrUbYtW8nf8/Y44m4hr ZJ2EOiwZLO8ZQnmFU21bu5JXsQsXNEvCCWEZRYtUboDWy68DibSEh7nQy/0QPo6U evL6t1CjfChiBn9Ewt+eqp6tg4YeD9f3UByg/puD7zo5fXyMRHAyCxea/hsHlbI= =W3JJ -----END PGP SIGNATURE-----
Instead of that:
Hello world!!
Putting all together
So if you accumulate the two processes first you "sign" the message with your private key so the receiver can "verify" the origin of the mail, and second you "encrypt" the whole mail with the receiver public key so you ensure that only him will be able to "decrypt" the message. The whole process ensure a complete privacy, nobody can read the communication between sender/receiver and nobody can fake one other sender's identity.Full process to send a private email |
BASICs: How to use GPG(Gnu Pretty Good Privacy) to manage your PGP keys
The following section will be more practical, giving the basics command to know to start toying with GnuPG and encrypt your messages. Obviously you need first to get gnuPG:
apt-get install gnupgThis create a folder ~/.gnupg, that will contains all information for gnupg, public keys, private keys, private keyrings, public keyrings, etc...
Following link will jumps directly to each parts
Jump to Managing your keys
Jump to Sign / Verify
Jump to Encrypt / Decrypt
Jump to Encrypt+Sign / Decrypt+Verify
Managing your keys
Create your key pair
You will have to enter your identity, name and email to create this keys pairs. You will yours keys in ~./gnupg/. You will also need a password that is a first security to use your private key to sign something or decrypt something. Each time it will be requested.The keys you generate get also an unique id (e.g. mine is B750F9A5), this id will be used to identify keys, due to multiple identities that can be added to it, you can add several names, nicknames, and several email addresses to a key pair.
gpg --gen-key
Revocation certificate
The first thing you should do is to create a revocation certificate. If your key is jeopardized the certificate is the only thing that can cancel your key for the rest of the world. The earlier you create it the better it is. You should also store it in a safe place separated from your private key.gpg --output revoke.asc --gen-revoke pub_keyid
Share your key
Roughly your key is on a binary format, so as to easily share it you should create an text(or ascii) version of your key. Once done you will be able to share it by email, by copying it from an USB drive, or by printing it(but you it means you really don't like your recipient, and its keyboard skills),gpg --armor --export sheda1805@gmail.com > sheda1805_publickey.txt
Another solution the most interesting one (and the most common) for padawan like us, is to send your key to a key server(e.g. The MIT's one).
The goal of those servers is to gather keys from every ones and allows users to query keys from name, email, or key_id researches.(e.g. mine is B750F9A5)
gpg --send-keys key_id
Obtain recipient keys
You must be aware/understand that the PGP principle states from the fact that the public key you think are somebody's key are really theirs. So ensure three times that the key really belongs to them before sending critical information to somebody's email address.The most paranoids of privacy send their key by airmail, in several shreds...
But if you don't work for the government as a secret agent you should only ask the receiver its public key by mails, USB drive, or you can get it from key server if he uploaded it...
The key trusting is the critical point of the PGP system, that's why keys servers(we will see next what is it) have a system of certificates so as to allows users to trust each others, the more users get "trust" the more their keys are reliable.
Get keys your keys by hand
gpg --import recipient_pubkey_file
Get keys from servers by command line
If you want quickly to obtain a key to write to somebody, you can get the key from a key server.
gpg --search-keys sheda
Get keys from servers by web UI
You can copy/paste in a file the text/ascii version from web/html key server interface, and next import it(useful if port are blocked except 80).
For example get mine on MIT's server
List all key available in your key ring
gpg --list-keys /home/sheda/.gnupg/pubring.gpg ------------------------------ pub 2048R/B750F9A5 2013-06-28 uid Shedasub 2048R/10E70754 2013-06-28 pub 2048R/2911EE59 2012-04-20 uid Philippe LUC uid Philippe LUC sub 2048R/1B91C66D 2012-04-20
Sign/Verify an email
Sign an email
gpg --clearsign << EOF > hello world! > EOF
And you will get your message + signature:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hello world! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBAgAGBQJR2fs1AAoJEJiHS2C3UPmlAQMH/3T7O6pwb3cIyg1QTpP+Lv81 y7Tu/yH7pvJ8nSDa/vPgQkkl5S/XfZxmih/jtbN8xkf3HWgsr6dT4fGi6FhHL7oh SX4UTRs7VvXWwZYCpTG7dQzwBrWjGHGfYkYWeKukjXlt0nleBkrarXbyXHlJrasx G06Snee1S9NTtsug+R7uOkxtW6h8AidfDCmReKYsAtCu3KehLYlco18U+f2YEFDA yY+2z7RBIicf2FXXZ16vHEtNga4t3cwU1nS3A6C/VTTFtBEsnJ1iun8I88ov3t+z XLszOibSm15u8C2T40bCZaXsjmzV8cpD0r/E61un0ucflzAKCkGqRCGUdqdZY1M= =T802 -----END PGP SIGNATURE-----
Verify an email
cat << EOF | gpg --verify > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > hello world! > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > > iQEcBAEBAgAGBQJR2fs1AAoJEJiHS2C3UPmlAQMH/3T7O6pwb3cIyg1QTpP+Lv81 > y7Tu/yH7pvJ8nSDa/vPgQkkl5S/XfZxmih/jtbN8xkf3HWgsr6dT4fGi6FhHL7oh > SX4UTRs7VvXWwZYCpTG7dQzwBrWjGHGfYkYWeKukjXlt0nleBkrarXbyXHlJrasx > G06Snee1S9NTtsug+R7uOkxtW6h8AidfDCmReKYsAtCu3KehLYlco18U+f2YEFDA > yY+2z7RBIicf2FXXZ16vHEtNga4t3cwU1nS3A6C/VTTFtBEsnJ1iun8I88ov3t+z > XLszOibSm15u8C2T40bCZaXsjmzV8cpD0r/E61un0ucflzAKCkGqRCGUdqdZY1M= > =T802 > -----END PGP SIGNATURE----- > EOF
And you will get the verification:
gpg: Signature made Mon 08 Jul 2013 01:35:17 AM CEST using RSA key ID B750F9A5 gpg: Good signature from "Sheda"
Encrypt/Decrypt an email
Encrypt
gpg -ea -r sheda << EOF > hello world! > EOF
And you will get the encrypted mail:
-----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.11 (GNU/Linux) hQEMA/JIKw0Q5wdUAQf/a0rcfBaui2eoJC2fTITgzNuFE24cBO6AcEbw23NHtcjb epPGp7pUgNQt6IUGJBsC5PXaykJ9yWxs4rXeRRA8Y+19npQOpXrokVaZP8wLqUUi +JrJ1ojCyuxUA25nYXUnrFU4lHKQEiDHolvRDc8I8Ws7RQuhQ98Yxn6TEoVm1VVl L4dcKOohaa4MaBPnbsEaCakR/nnwIuwv+WKyDs/6A+0K+PZebyyNIeCCT0thgSul qnOy2VnUSZYmCj/KJuwTMgqe0Po1KplLM+49ZaNLtH63GTpLXnvOWfeZuLWf/TEc rNqrTJBd5staYYncnx7uViZLczqp5FMyxPH7O8EgCNJIAb2FiieoTDZ4HmD+bF36 gYug/2OusZr6BlYhREIUW5fwWOneK3jpnWq3Z2OU1+OK2G24/7piWINGcXyuk50n AFHDieZ/L+GO =JN9i -----END PGP MESSAGE-----
Decrypt an email
gpg --decrypt << EOF -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.11 (GNU/Linux) hQEMA/JIKw0Q5wdUAQf/a0rcfBaui2eoJC2fTITgzNuFE24cBO6AcEbw23NHtcjb epPGp7pUgNQt6IUGJBsC5PXaykJ9yWxs4rXeRRA8Y+19npQOpXrokVaZP8wLqUUi +JrJ1ojCyuxUA25nYXUnrFU4lHKQEiDHolvRDc8I8Ws7RQuhQ98Yxn6TEoVm1VVl L4dcKOohaa4MaBPnbsEaCakR/nnwIuwv+WKyDs/6A+0K+PZebyyNIeCCT0thgSul qnOy2VnUSZYmCj/KJuwTMgqe0Po1KplLM+49ZaNLtH63GTpLXnvOWfeZuLWf/TEc rNqrTJBd5staYYncnx7uViZLczqp5FMyxPH7O8EgCNJIAb2FiieoTDZ4HmD+bF36 gYug/2OusZr6BlYhREIUW5fwWOneK3jpnWq3Z2OU1+OK2G24/7piWINGcXyuk50n AFHDieZ/L+GO =JN9i -----END PGP MESSAGE-----And you will get the clear mail:
gpg: encrypted with 2048-bit RSA key, ID 10E70754, created 2013-06-28 "Sheda" hello world!
Encrypt/Decrypt and sign an email
Encrypt and sign
gpg -esa -r sheda << EOF > hello world! > EOFAnd you will get the encrypted mail:
-----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.11 (GNU/Linux) hQEMA/JIKw0Q5wdUAQf/Zehz3ja+3c/CsHsYaUJZigRgkb3zwwoy0QtM5fdwacpW epx3mmEjAaUn1FD0YzVdZUBm2LV+FwXuQ3xEpya1KJwsA0Us+UZTYDtVpaDe51nn 8NvaHGT38q9ME9q1FiPJcMTK7Nq6IzFWazD4UuD8rHPGzh0zrvwF31V1gmY83EGg YAiCN+XFKpxXjlAEKLyIUwW5GGcQ078jS2HIVEuoB8R4u4jiwhMRD7hofTCq6jjw z5S5xVzvCCU87WTGS2FEY/L/R1QdF8uNfQhnQXQFMfj5daWnk4sBTu1J/jZ4x+fG mK2G/twNkZFu3JaoYGI1h2Gi5T+frM2EIku8ldrqsNLAuQFMtElwjWL+bKbfqiIy DGON12Cml0gR2qonZxn51fu7BDPlOkKNekhIuNgxQ3f+amWekJtazFoOu0G9kEkm ZU4rdvjxM/JC0fies+Vej041k8aUDga4mYlzqkNcDnfZAsRBEpct750ra/8LnAK5 aW/QsyB6xga6G8eBuSc4x0c7SwolsHw0SyQlM6s09fTGox3nB33qcwfTqbzUXPMT Iy5wmUpUMzn4f18Y4+yoDKiSEpS1c/llfpJP+bkfGxFNpzGlmXj3/FTmA8BU5tm7 B3rDunKiv+03MYKEWbyf3Vrept/Vf5XoP0Vk2bIZQoFmMvYalQKDvd/tlzziNIHq yGi2LFsHvavNoMbe+4imEIdBNoHOBdXOtkSPOVhNLHZejc8TA3F+JJHq1NDj9TlA /lxP9jQ7n6FLsXPSV84mP4VrdLQUqm8i3Sry0oP//MNcav0d/3XbkeyHxNAl0d90 SVSHG2yy6Q/V+b2qa/twIx4UkK4Bpsqzbo81 =o6q6 -----END PGP MESSAGE-----
Decrypt and verify
gpg --decrypt << EOF > -----BEGIN PGP MESSAGE----- > Version: GnuPG v1.4.11 (GNU/Linux) > > hQEMA/JIKw0Q5wdUAQf/Zehz3ja+3c/CsHsYaUJZigRgkb3zwwoy0QtM5fdwacpW > epx3mmEjAaUn1FD0YzVdZUBm2LV+FwXuQ3xEpya1KJwsA0Us+UZTYDtVpaDe51nn > 8NvaHGT38q9ME9q1FiPJcMTK7Nq6IzFWazD4UuD8rHPGzh0zrvwF31V1gmY83EGg > YAiCN+XFKpxXjlAEKLyIUwW5GGcQ078jS2HIVEuoB8R4u4jiwhMRD7hofTCq6jjw > z5S5xVzvCCU87WTGS2FEY/L/R1QdF8uNfQhnQXQFMfj5daWnk4sBTu1J/jZ4x+fG > mK2G/twNkZFu3JaoYGI1h2Gi5T+frM2EIku8ldrqsNLAuQFMtElwjWL+bKbfqiIy > DGON12Cml0gR2qonZxn51fu7BDPlOkKNekhIuNgxQ3f+amWekJtazFoOu0G9kEkm > ZU4rdvjxM/JC0fies+Vej041k8aUDga4mYlzqkNcDnfZAsRBEpct750ra/8LnAK5 > aW/QsyB6xga6G8eBuSc4x0c7SwolsHw0SyQlM6s09fTGox3nB33qcwfTqbzUXPMT > Iy5wmUpUMzn4f18Y4+yoDKiSEpS1c/llfpJP+bkfGxFNpzGlmXj3/FTmA8BU5tm7 > B3rDunKiv+03MYKEWbyf3Vrept/Vf5XoP0Vk2bIZQoFmMvYalQKDvd/tlzziNIHq > yGi2LFsHvavNoMbe+4imEIdBNoHOBdXOtkSPOVhNLHZejc8TA3F+JJHq1NDj9TlA > /lxP9jQ7n6FLsXPSV84mP4VrdLQUqm8i3Sry0oP//MNcav0d/3XbkeyHxNAl0d90 > SVSHG2yy6Q/V+b2qa/twIx4UkK4Bpsqzbo81 > =o6q6 > -----END PGP MESSAGE----- > EOFAnd you will get the decrypted mail:
gpg: encrypted with 2048-bit RSA key, ID 10E70754, created 2013-06-28 "Sheda" hello world! gpg: Signature made Mon 08 Jul 2013 01:41:56 AM CEST using RSA key ID B750F9A5 gpg: Good signature from "Sheda "
To go Further
Here are listed some interesting link on the subjects:Complete intro on PGP
Cookbook GNUPG
Hashes or Message digest
Send me an encrypted email
Enjoy,
Sheda
Hello,
ReplyDeleteI just wanted to take a minute to tell you that you have a great site! Keep up the good work.
Cheers!
ReplyDelete