GPG usage for encryption or signing and mail integration

  toucheatout  2006-05-19 19:09  Linux  

Cryptography, encryption, digital signatures...

Nowadays encryption and digital signatures are two cryptographic applications that are bound to be more and more widely used as a replacement for safes and signatures for digital content. While the principles have been used for quite some time in protocols like SSH or VPNs for network traffic and PGP for email, their use is not as widespread as it "should" be. We'll show here how to create and use a pair of keys suitable for use with GnuPG, the open implementation of PGP.

A word on security

The keys that we will be generating can be used under certain legislation as proof as strong as physical evidence, given the robustness of the algorithm. Given the time and computing power needed to break a GPG keypair, only governmental agencies can afford it, so... pay close attention to keeping the private key absolutely secure. Indeed, if it is compromised, the keypair becomes useless for encryption and anyone holding it can digitally sign documents with your signature (and it will look just as good as if you had made it...).

Creating the keypair and getting the cryptographic infrastructure right

Creation of the keypair

This is simply done with gpg --gen-key. It will ask you various questions about the keypair itself (key size, algorithm, expiration info) and the personal info associated with the key. The defaults are usually sensible for the keypair parameters.
Once created, the keys have to be exported somehow so that people can use them. It would also be good for the keys to get signed by well-known persons (at least those that you intend to communicate with). Likewise, keys from your peers have to be made known to the system (i.e. imported).

Exporting your (public, of course) key

gpg --export [keyID]

Exports all keys if keyID is not present. Redirect the output or use the -o switch to indicate an output file.

Importing your peers' keys

When you want to add public keys from your peers, as you could have guessed, use the command:
gpg --import < key_file

Build your web of trust

So we can sign things now... put a mark showing that you in person approve of digital stuff. The other way around, people can use your public key to encrypt messages intended only for you.

Why couldn't the key itself get signed? If I sign Alice's key, it will appear to anyone knowing me (via my public key) that I signed this key, in a way vouching for Alice to really be a human who really is named Alice. Generally, a key gets signed by good friends, people who have known you for a long time, or generally people fairly certain that you are who you claim to be. At signing parties or for friends' friends, an ID is (should be) asked for. This is the process of building a web of trust.

To sign a key:
gpg --edit-key [keyID], then use the sign command once (the key must already have been imported into the keyring). Use gpg --list-keys to get the list of keys with their IDs.

Using the public keyservers

There is a network of servers that keep public keys available. One can submit one's own, for instance through the MIT keyserver web interface.

Be aware though that you cannot erase a key from the server once you have submitted it. You have to issue a revocation certificate and upload it to the same server. If you lose the private key, you have no means of generating one, so it is a good precaution to generate the revocation certificate before submitting the key, and to keep it somewhere it can be found in case your key gets compromised or lost.

Using GnuPG for encryption/decryption

You MUST have the public key of the intended recipient if you want to encrypt.
gpg --encrypt [--armor] myFileToEncrypt

The other way around, decryption:
gpg --decrypt myFileToDecrypt

Using GnuPG for signing

There are different ways of signing. Note that best practices recommend signing any encrypted message.
Simplest:
gpg --sign fileToSign
Alternatively, to leave the signed text uncompressed and readable:
gpg --clearsign fileToSign
Very often, a separate file for the signature is neat:
gpg -b fileToSign
For sending email, the --armor switch is often what you are looking for (it ASCII-armors the signature).
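
The steps above, run end to end in a throwaway keyring, including what happens when a signed file is modified. This is an added example, not part of the original post; it assumes GnuPG 2.1 or later, and the user ID and file names are made up.

```shell
# Added example. Assumes GnuPG 2.1+; the identity and file names are constructed.
gpg_workflow_demo() (
  GNUPGHOME=$(mktemp -d) || exit 1; export GNUPGHOME   # throwaway keyring, mode 0700
  trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
  cd "$GNUPGHOME" || exit 1
  uid='Alice Example <alice@example.org>'
  die() { echo "FAIL: $*" >&2; exit 1; }
  # Non-interactive gpg; the empty passphrase is acceptable only for a demo key.
  g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

  # 1. Create the keypair (replaces the prompts of gpg --gen-key).
  g --quick-generate-key "$uid" 2>/dev/null || die "key generation"
  fpr=$(g --with-colons --list-keys "$uid" | awk -F: '/^fpr:/ {print $10; exit}')
  [ -n "$fpr" ] || die "no fingerprint"

  # 2. GnuPG 2.1+ stores a revocation certificate at creation time.
  #    Copy it somewhere safe before publishing the key.
  [ -s "openpgp-revocs.d/$fpr.rev" ] || die "no revocation certificate"

  # 3. Export the public key for peers or a keyserver.
  g --armor --export "$fpr" > pub.asc
  grep -q 'BEGIN PGP PUBLIC KEY BLOCK' pub.asc || die "export"

  # 4. Sign and encrypt in one pass, then decrypt and compare.
  printf 'meet at noon\n' > msg.txt
  g --armor --sign --encrypt --recipient "$fpr" --output msg.asc msg.txt || die "encrypt"
  g --decrypt --output out.txt msg.asc 2>/dev/null || die "decrypt"
  cmp -s msg.txt out.txt || die "round trip differs"

  # 5. Detached signature: good on the original, rejected after any change.
  g --armor -b --output msg.sig msg.txt || die "detached signature"
  g --verify msg.sig msg.txt 2>/dev/null || die "verify original"
  printf 'meet at one\n' > msg.txt
  if g --verify msg.sig msg.txt 2>/dev/null; then die "tampered file accepted"; fi
  echo "OK $fpr"
)
```

The stored .rev file has a colon inserted before its BEGIN line to prevent accidental use; remove it with a text editor before importing and publishing the certificate.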

 