dave spink toolset
I worked for a company that used Mercator for EDI interfaces. The business required an encryption method for sending documents to a bank. The bank agreed to use Open Source GnuPG, hence we installed and configured the software. The Mercator team added the required functionality into their maps for calling the "gpg" program. The information below contains documentation on what is needed to install, configure, exchange keys, sign keys and encrypt documents.
Shared key encryption involves encrypting a message with a key and then giving the key to the person you want to communicate with. The potential problem is that anyone who intercepted the key could read the message.
Public key encryption involves two keys, one you hand out and one you guard. The sender encrypts the message using your public key and you unlock the message with your private key (secret key).
A digital signature is used to verify that a message was really sent by the sender. For example, anyone could get someone's public key, encrypt a message and send it as someone else, hence signing adds that extra security. If you use a digital signature it is difficult to say the document did not come from you; otherwise you are admitting your primary key has been compromised. A digital signature certifies and timestamps the document. It is created using your private key. The person receiving the message verifies the signature using your public key.
If you forget your passphrase (password) or your key becomes compromised, you send out a revocation certificate. From that point old messages can still be read but new encryption cannot occur, i.e. your public key is rendered useless.
How do you authenticate someone's public key when you receive it? The concept is to validate this key after you have verified the key itself, either by phone or at a key signing party. For encryption to work you don't need to validate the public key; it's just another precaution. Validating the key avoids the software prompting you when using encryption.
Download from http://www.gnupg.org/ and install GnuPG.
# gunzip gnupg-1.4.5.tar.gz
# tar xvf gnupg-1.4.5.tar
# cd gnupg-1.4.5
# ./configure
# make
# make install
Create your public and private keys. Below we plan to exchange encrypted documents between a Linux and Solaris host.
linux% gpg --gen-key
Select DSA and ElGamal (default - ensure signing and encryption)
Select keysize of 2048 bits
Select "key does not expire"
Enter your user id and email address, "spi0004 email@example.com"
Enter passphrase, your password (to protect primary and subordinate key pairs)

solar% gpg --gen-key
Select DSA and ElGamal (default - ensure signing and encryption)
Select keysize of 2048 bits
Select "key does not expire"
Enter your user id and email address, "userabc4 firstname.lastname@example.org"
Enter passphrase, your password (to protect primary and subordinate key pairs)

Verify the keys were created by checking the home directory of the user you created the keys for.
linux% cd .gnupg
linux% ls
gpg.conf pubring.gpg secring.gpg pubring.gpg~ random_seed trustdb.gpg
How to generate a revocation certificate if needed.
linux% gpg --output revoke.asc --gen-revoke spi0004
Export the public keys into a file. This allows the public key to be imported.
linux% gpg -a --export spi0004 > spipubkey.txt
solar% gpg -a --export userabc > abcpubkey.txt
Import the public keys. This gives you the basics needed to encrypt a document using your customer's public key.
linux% gpg --import abcpubkey.txt
solar% gpg --import spipubkey.txt
See the list of keys installed.
linux% gpg --list-keys
/home/spi0004/.gnupg/pubring.gpg
--------------------------------
pub 1024D/98A73684 2006-08-26
uid spi0004 email@example.com
sub 2048g/2926B69E 2006-08-26

pub 1024D/C0137239 2006-08-26
uid userabc firstname.lastname@example.org
sub 2048g/F39A021D 2006-08-26

What do you see with the list key option? The 1st column indicates the type of key: pub (public) or sub (subordinate). The 2nd column indicates the key's bit length (1024), type D (DSA) or g (ElGamal encrypt and sign), and ID (4A2641B7). The 3rd and 4th columns show the creation and expiry dates.

solar% gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/C0137239 2006-08-26
uid userabc email@example.com
sub 2048g/F39A021D 2006-08-26

pub 1024D/98A73684 2006-08-26
uid spi0004 firstname.lastname@example.org
sub 2048g/2926B69E 2006-08-26

Signing the public key (optional) ensures you never receive the prompt "public key not trusted". Basically you're signing the public key with your signature (private key) and saying "yep, I've verified this public key belongs to joe bloggs".

linux% gpg --edit-key userabc
Command> sign
Command> check
uid userabc email@example.com
sig!3 C0137239 2006-08-26 [self-signature]
sig! 98A73684 2006-08-26 spi0004 firstname.lastname@example.org

solar% gpg --edit-key spi0004
Command> sign
Command> check
uid spi0004 email@example.com
sig!3 98A73684 2006-08-26 [self-signature]
sig! C0137239 2006-08-26 userabc firstname.lastname@example.org
See an example for encrypting and decrypting a message.
linux% gpg --output mydoc.gpg --encrypt -r userabc mydoc.txt
solar% gpg --decrypt mydoc.gpg
solar% gpg --output mydoc.txt --decrypt mydoc.gpg
See an example of applying a digital signature.
linux% gpg --output mydoc.sig --sign mydoc.txt
solar% gpg --verify mydoc.sig
solar% gpg --output mydoc.txt --decrypt mydoc.sig
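When gpg is called from another program, as the Mercator maps did, the verify step has to be judged from machine-readable output rather than by reading the screen. The following is an added example, not part of the original page: it reads the status lines that gpg's `--status-fd` option emits and accepts a document only if the signature is valid and was made by the expected key. The fingerprints and status lines are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: accept a signature only when gpg's machine-readable status
# output shows a valid signature made by the key fingerprint we expect.
# Real use (needs gpg installed):
#   gpg --batch --status-fd 1 --verify mydoc.sig 2>/dev/null | check_sig_status "$FPR"

# check_sig_status EXPECTED_FPR   (status lines are read from stdin)
# Returns 0 if a VALIDSIG line carries EXPECTED_FPR (as signing-key or
# primary-key fingerprint) and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG appears.
check_sig_status() {
    [ -n "$1" ] || return 2          # refuse to run without a pinned fingerprint
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }    # ignore anything that is not a status line
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# verdict STATUS_TEXT EXPECTED_FPR -> prints "accept" or "reject"
verdict() {
    if printf '%s\n' "$1" | check_sig_status "$2"; then
        echo accept
    else
        echo reject
    fi
}

# Constructed sample data: the fingerprints are made up and only reuse the
# short key IDs shown in the key listing on this page.
SPI_FPR=0123456789ABCDEF0123456789ABCDEF98A73684
ABC_FPR=FEDCBA9876543210FEDCBA9876543210C0137239

GOOD_STATUS="[GNUPG:] GOODSIG 89ABCDEF98A73684 spi0004
[GNUPG:] VALIDSIG $SPI_FPR 2006-08-26 1156550400 0 3 0 17 2 00 $SPI_FPR"
BAD_STATUS="[GNUPG:] BADSIG 89ABCDEF98A73684 spi0004"
OTHER_KEY_STATUS="[GNUPG:] GOODSIG 76543210C0137239 userabc
[GNUPG:] VALIDSIG $ABC_FPR 2006-08-26 1156550400 0 3 0 17 2 00 $ABC_FPR"

verdict "$GOOD_STATUS" "$SPI_FPR"        # valid signature from the expected key
verdict "$BAD_STATUS" "$SPI_FPR"         # document or signature was altered
verdict "$OTHER_KEY_STATUS" "$SPI_FPR"   # valid signature, but from another key
```

The third case is the one the signing discussion above is about: a signature can be perfectly valid and still come from someone other than the sender you expect, so the check pins the fingerprint you confirmed out of band.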
Combine the encrypt & sign into one command, and then decrypt the message.
linux% gpg --output mydoc.gpg --encrypt -r userabc --sign mydoc.txt
solar% gpg --output mydoc.txt --decrypt mydoc.gpg
By default signing a document compresses it. To sign without compression use the clearsign option.
linux% gpg --clearsign mydoc.txt
linux% cat mydoc.txt.asc
solar% gpg --verify mydoc.txt.asc
Add a detached signature.
linux% gpg --output mydoc.sig --detach-sig mydoc.txt
solar% gpg --verify mydoc.sig mydoc.txt
More administrative commands.
linux% gpg --list-secret-keys
linux% gpg --list-keys
linux% gpg --list-sigs
linux% gpg --delete-key UID
linux% gpg --delete-secret-keys UID