San Francisco

dave spink toolset




GnuPG:

INFO CREATE KEYS PUBLIC KEYS ENCRYPT


THE PROJECT

I worked for a company that used Mercator for EDI interfaces. The business required an encryption method for sending documents to a Bank. The bank agreed to use Open Source gnuPG, hence we installed and configured the software. The Mercator team added the required functionality into their maps for calling the "gpg" program. The information below contains documentation on what is needed to install, configure, exchange keys, sign keys and encrypt documents.


INFO

Shared key encryption involves encrypting a message with a key and then giving the key to the person you want to communicate with. The potential problem is that anyone who intercepted the key could read the message.

Public key encryption involves two keys, one you hand out and one you guard. The sender encrypts message using your public key and you unlock the message with your private key (secret key).

A digital signature is used to verify that a message was really sent by the sender. For example, you could get someones public key, encrypt message and send as someone else - hence signing adds that extra security. If you use a digital signature it is difficult to say the document did not come from you - otherwise you admitting your primary key has been compromised. Digital signature certifies and timestamps the document. A digital signature is created using your private key. The person receving the messages verifies the signature using your public key.

If you forget your passphase (password) and or key becomes comprised you send out a revocation certificate. From that point old messages can still be read but new encryption cannot occur i.e. your public key is rendered useless.

How do you authenticate someone's public key when you receive it? The concept is to validate this key after you have verified the key itself either by phone or key signing party. For encryption to work you don't need to validate the public key, it's just another precaution. Validating the key avoids the software prompting you when using encryption.



CREATE KEYS

Download from http://www.gnupg.org/ and install GnuPG.

# gunzip gnupg-1.4.5.tar.gz
# tar xvf gnupg-1.4.5.tar
# ./configure
# make
# make install

Create your public and private keys. Below we plan to exchange encrypted documents between a Linux and Solaris host.

linux% gpg --gen-key
Select DSA and ElGamal (default - ensure signing and encryption)
Select keysize of 2048 bits
Select "key does not expire"
Eenter your user id and email address, "spi0004 david.spink@cpships.com"
Enter passphase, your password (to protect primary and subordinate keys pairs)
solar% gpg --gen-key
Select DSA and ElGamal (default - ensure signing and encryption)
Select keysize of 2048 bits
Select "key does not expire"
Eenter your user id and email address, "userabc4 userabc@cpships.com"
Enter passphase, your password (to protect primary and subordinate keys pairs)

Verify key created by checking the directory of the user you created the keys for.

linux% cd .gnupg
linux% ls
gpg.conf      pubring.gpg   secring.gpg
pubring.gpg~  random_seed   trustdb.gpg

How to generate a revocation certificate if needed.

linux% gpg --output revoke.asc --gen-revoke spi0004


PUBLIC KEYS

Export the public keys into a file. This allows the public key to be imported.

linux% gpg -a --export spi0004 > spipubkey.txt
solar% gpg -a --export userabc > abcpubkey.txt

Import the public keys which now provides you with the basics to encrypt a document using your customers public key.

linux% gpg --import abcpubkey.txt
solar% gpg --import spipubkey.txt

See the list of keys installed.

linux% gpg --list-keys
/home/spi0004/.gnupg/pubring.gpg
--------------------------------
pub   1024D/98A73684 2006-08-26
uid                  spi0004 david.spink@cpships.com
sub   2048g/2926B69E 2006-08-26

pub   1024D/C0137239 2006-08-26
uid                  userabc userabc@cpships.com
sub   2048g/F39A021D 2006-08-26

What do you see with the list key option? The 1st column indicates type of key pub (public), sub (subordinate). The 2nd column indicates keys bit length 1024, type D (DSA), g (EIGamal encrypt and sign) and ID 4A2641B7. The 3rd & 4th column for creation and expire date.

solar% gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/C0137239 2006-08-26
uid                  userabc userabc@cpships.com
sub   2048g/F39A021D 2006-08-26

pub   1024D/98A73684 2006-08-26
uid                  spi0004 david.spink@cpships.com
sub   2048g/2926B69E 2006-08-26

Sign the public key (optional) ensures you never receive the prompt "public key not trusted". Basically your signing the public key with your signature (private key) and saying "yep I've verified this public key belongs to joe bloggs".

linux% gpg --edit-key userabc
Command> sign
Command> check
uid  userabc userabc@cpships.com
sig!3        C0137239 2006-08-26  [self-signature]
sig!         98A73684 2006-08-26  spi0004 david.spink@cpships.com

solar% gpg --edit-key spi0004
Command> sign
Command> check
uid  spi0004 david.spink@cpships.com
sig!3        98A73684 2006-08-26  [self-signature]
sig!         C0137239 2006-08-26  userabc userabc@cpships.com


ENCRYPT

See an example for encrypting and decrypting a message.

linux% gpg --output mydoc.gpg --encrypt -r userabc mydoc.txt
solar% gpg --decrypt mydoc.gpg
solar% gpg --output mydoc.txt --decrypt mydoc.gpg

See an example of applying a digital signature.

linux% gpg --output mydoc.sig --sign mydoc.txt
solar% gpg --verify mydoc.sig
solar% gpg --output mydoc.txt --decrypt mydoc.sig

Combine the encrypt & sign into one command, and then decrypt the message.

linux% gpg --output mydoc.gpg --encrypt -r userabc --sign mydoc.txt
solar% gpg --output mydoc.txt --decrypt mydoc.gpg

By default signing a document compresses it. To sign without compression use clearsign option.

linux% gpg --clearsign mydoc.txt
linux% cat mydoc.txt.asc
solar% gpg --verify mydoc.txt.asc

Add a detached signatures.

linux% gpg --output mydoc.sig --detach-sig mydoc.txt
solar% gpg --verify mydoc.sig mydoc.txt

More administrative commands.

linux% gpg --list-secret-keys
linux% gpg --list-keys
linux% gpg --list-sigs
linux% gpg --delete-key UID
linux% gpg --delete-secret-keys UID