Protect your Privacy with GnuPG |
Contents
1 Introduction
GnuPG (Gnu Privacy Guard)[1] is the Gnu implementation of PGP (Pretty Good Privacy)
[2]. PGP is a software developped by Phil Zimmermann at the beginning of the 90s that
allows to protect your information easily by encrypting and signing it, using
strong cryptographic algorithms.
Before starting using GnuPG it can be
good to understand what is Public Key Cryptography. The Wikipedia’s
article [3] is a good start. But if you are really in a hurry
here is how basically it works:
-
Every user has got a pair of keys. A private one and a public one.
- The public key is used to encrypt: if I want to
send an encrypted message to Bob, I have to look for Bob’s public key
and use it to obtain the encrypted message.
- The private key is used to decrypt: Bob, when
receiving my encrypted message will be able to recover the initial (plain-text)
message using his private key. Of course only Bob should know his private key.
This tutorial shows how to use GnuPG to encrypt/sign your sensible information
or to send confidential e-mails.
1.2 Download
You can download the source or the windows precompiled binaries at the download
page of GnuPG: http://gnupg.org/download.
2 Key Generation
Once you have installed GnuPG, you need to create your pair of public/private key.
To do so, GnuPG will ask for:
-
The type of key you want to use: DSA and Elgamal, DSA (sign only) and RSA (sign only).
By default DSA and Elgamal are selected.
- The length of the key: larger keys give you more security but implies
larger time to perform cryptographic operations.
- Time of validity of the key: you can define the date
of expiration of your key pair. That means that after
this date you will have to generate a new key pair.
- Name, email and comment: it is important to
link the public key with the owner’s identity.
- Password: your private key will be stored
in a file. This file should be put in a secure place but
in all cases it is more secure to encrypt this file using
a password. You will be asked for this password
for decryption and signing operations.
- Move the mouse! Key generation is made
by picking a random value. Randomness is produced directly from
your computer (memory, time between two reads, I/O signals) ...
So move the mouse, use the keyboard, open and close files and so on
as to produce a really random key pair.
> gpg --gen-key
gpg (GnuPG) 1.4.8; Copyright (C) 2007 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Philippe Camacho
Email address: philippe.camacho@gmail.com
Comment: www.littlecryptographer.org
You selected this USER-ID:
"Philippe Camacho (www.littlecryptographer.org) <philippe.camacho@gmail.com>
"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.+++++++++++++++++++++++++++++++++++++++++++++.+++++++++++++++++++++++
+++++++++++++++++++++++++++.+++++++++++++++.+++++++++++++++..>+++++............+
++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++.+++++.++++++++++.++++++++++++++++++++...+++++++++++++++++++++++++++++++++
+++++++.+++++++++++++++.++++++++++.+++++.+++++++++++++++++++++++++.+++++..+++++>
++++++++++....>+++++................+++++^^^
gpg: /home/philippe/gnupg/trustdb.gpg: trustdb created
gpg: key 959F30D7 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/959F30D7 2008-01-20
Key fingerprint = A156 BEB3 C163 653A FB41 6FB0 4268 1860 959F 30D7
uid Philippe Camacho (www.littlecryptographer.org) <mymail@gmail.com>
sub 2048g/161087B4 2008-01-20
|
Now you have generated you key pair it is a good idea to extract your
public key as to publish it on your web site for example. Doing this
everyone will be able to send you encrypted messages.
> gpg --export --armor > pubkey.asc
> cat pubkey.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.8 (MingW32)
mQGiBEeTHmoRBADuVzPvsMf7qR9DY1ahyXt0OHCm+WZKCGXOZqin1FoORhdWCwnu
MTXTolSsISklsqfixXmcU/BNEsliw/8y7tfyXAloMmoxbjoMZxOcpNpx6tYJ88T9
EYmi0Z6tuAtBGHDDs0rT+emYWZXKiSECztRJGAXOjf9BkJ8ceyHq28cnVwCgtaec
tDobrV6rEqeISqO6cciygZ0D/3bXFPRrrOuO9MwOIeszjCTCRnDHHz060D7124Wi
i5UUoDEH0s5/C2eG13B/GBtn/rsv2WvphXEPmf8I+4nWSl3Lb6QtOpWmS8nYoCJG
j8nbmCYACRDCv6SvxSZuGzseGhjJlAXqDMQ4snEKf+nq8I3+S73G+b6N8NWWlhND
KZgjA/9jzcu1MHctFIv+iecoyptv2oTZJW9gvtP6exFigUyDv3bEuM9HbZxCQrzw
D1i1m6NtQt/h4DszoRmxD/HHCDXdOMHgbr8uVhVmHnk/9k6xbOIyeHLP0FPHpFdM
kV/qX/5lFnwSqK0lN6XBD1h8QwDtElB1+B6pAUmsF0/SHjN5h7RLUGhpbGlwcGUg
Q2FtYWNobyAod3d3LmxpdHRsZWNyeXB0b2dyYXBoZXIub3JnKSA8cGhpbGlwcGUu
Y2FtYWNob0BnbWFpbC5jb20+iGAEExECACAFAkeTHmoCGwMGCwkIBwMCBBUCCAME
FgIDAQIeAQIXgAAKCRBCaBhglZ8w166cAKCQS12iXpUTzJh7wLC3f5mYba4fMACa
AoAguRCBDQF0aL1NMGsMynO6b7y5Ag0ER5MeahAIAPWEjSBygoJ0/IoPlcvBpbEu
SloQxbfagMkGf7WzTkFi5dg1h5Y+axO55VWMbAMET6Vf8M/9ihlTKFSHfawPueSs
rh2eAQEQlfjthddtsZb4fiI7KCU9Grt46TywP+IizwvC24qu9+VfY5A9Qd/RVDwB
+sDWhBKEAKZlPHm6l0+GstJRPW1Yyd6Pxixvc/GxjQUizaNmnXOHLo1lZixEu2Pn
quob99dOFj4xTAqZhSq6r4epwwU+HutgAZZZWHpgucByxZdvQBaayw+F8aXN4+rA
hJsOJUcIxJIJG1ds08W/14d2AMqz7k6lLx0WNBeKd49x4SUq3gxjaiEIPEY9EycA
AwUH/RSksjgmk8xaFkgRGihk/f1ZoO/bon8XkJCgdVKAfyzMk6qcVliBkP+TpzIm
yM5DVf1RHmCfAqGoKJHerfr43Ycnlpu30eMorHTvOJgC+e4XTmca3VvdLjYojwcj
1wnnF3D3nkNRwLLFGYoDvaStkGiknf6/2Ieo6s7kfRMv1R4yjOtwgX44IYOdkkV3
eNg9ahJ1ZrnIOZ7wNudhhGlsHl5HaH5ZayNj2/Qtq7vo+p/+o5xrQ64qcYbv9XPP
vAmaH8+vdKMXXZF2B9gfII4De1BSdJ1AfWbIqlIA1dbLOqTCwuj5ruqA4l5nLmwq
/BAfsxoBOQpQFfPPE4Mx4FhQaduISQQYEQIACQUCR5MeagIbDAAKCRBCaBhglZ8w
1wB5AKCOMsa3jLeKyAy3zNTDwhuOOU8XmwCePEA1NZU3TAv52YAZ+BVojOwgO8E=
=5ye4
-----END PGP PUBLIC KEY BLOCK-----
|
The file pubkey.asc contains your public key. As a way
to check the integrity of your public key it is good to publish
also the fingerprint of it.
> gpg --fingerprint
/home/philippe/gnupg/pubring.gpg
----------------------------------------------------------------------
pub 1024D/959F30D7 2008-01-20
Key fingerprint = A156 BEB3 C163 653A FB41 6FB0 4268 1860 959F 30D7
uid Philippe Camacho (www.littlecryptographer.org) <mymail@gmail.com>
sub 2048g/161087B4 2008-01-20
|
3 Web of Trust
One problem that arises from Public Key Cryptography is that
there is no way to be sure that a certain public key belongs
to a given person. So we need a way to link a person’s identity
to his public key as to avoid a well known problem called
"Man in the Middle Attack".
One solution proposed by PGP is to build a Web of Trust.
In a Web of Trust every person sign the keys that are trusted,
in the sense that the identity of the person corresponds
really to his/her public key. As the trust is transitive
("the friends of my friends are my friends") and as
in practice people are highly linked one to each other,
it is almost always possible to know if a given public
key corresponds to a given identity. More subtil
mechanisms as vote and counting allow to estimate the
trust more precisely. Example: if I have two contacts
that are 50% trusted and if these two contacts have
signed the same key, then I can trust this key.
Before signing a key we must import it (publickey.asc can be a key found
for example on a web page like
Philippe Camacho’s public key.)
> gpg --import publickey.asc
|
Then it is important to check the fingerprint of the key:
This command lists all the imported keys with their respective fingerprint.
If the fingerprint matches with the one published on the key owner’s web site
and if I trust this person I can sign this key:
> gpg --sign-key key-name
|
key-name is the name that identifies the key. Example,
if when listing the keys we have:
> gpg --list-keys
...
pub 1024D/E69A7474 2008-01-23
uid John Smith (Philippe's friend) <jsmith@mail.us>
...
|
The name of the key is "John Smith".
4 Encryption and Digital Signatures
Now let’s see how to send secure encrypted (and possibly signed) messages.
4.1 Send an encrypted (and signed) message
Once you have imported and signed the public key of
the receiver of your message you can encrypt and sign it:
> gpg --encrypt --sign --armor --recipient key-name < message > \
encrypted-message.asc
|
Where:
-
key-name is the name of the key (like "John Smith" for example).
message is the file that contains the plain-text or clear message.
encrypted-message.asc is the file with the encrypted message.
Using the --sign option allows to sign the message using your private key.
4.2 Receive an encrypted (and signed) message
To recover the plain-text (and possibly verify the signature):
> gpg --decrypt encrypted-message.asc
|
If the message has been signed the verification will be automatical
(no need to use the --verify option).
References
-
[1]
-
Gnu Privacy Guard
http://gnupg.org/
- [2]
-
The International PGP Homepage
http://www.pgpi.org/
- [3]
-
Wikipedia: article on Public Key Cryptography
http://en.wikipedia.org/wiki/Public-key_cryptography
This document was translated from LATEX by
HEVEA.