PGP (Pretty Good Privacy) and GnuPG (GNU Privacy Guard) notes

Reposted from: http://www.math.utah.edu/~beebe/PGP-notes.html

A few other articles are also useful:
The GNU Privacy Handbook http://www.gnupg.org/gph/en/manual.html
GnuPG Gentoo User Guide   http://www.gentoo.org/doc/en/gnupg-user.xml
Gnu Privacy Guard Mini Howto http://dewinter.com/gnupg_howto/english/GPGMiniHowto.html

About PGP and GnuPG

PGP software provides for highly-secure encryption and decryption of data, and for creating and verifying digital signatures.

A secure encrypted channel permits people to communicate with considerable confidence that others (including big unnamed government agencies) cannot eavesdrop, even if the encrypted traffic is intercepted (as anything that traverses the Internet can be, with the right tools, and either clandestine access or suitable privileges).

Digital signatures are useful for verifying that all parties see the same file contents, and that any tampering with those contents can be detected.

The GNU Privacy Guard (GnuPG) package is a “complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.”

The short reading list at the end of this document leads to important comprehensive books on this subject.


E-mail encryption

Some e-mail clients implement support for sending and receiving encrypted messages. While that is certainly convenient, it leaves users in a (usually) undesirable state of ignorance about what is going on. This section tells how you can do each step yourself.

To exchange secret messages with me, proceed as follows:

  1. Fetch my public key from my Web site. The key file looks exactly like this (all lines should be flush left):

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: 2.6.2

    mQCNAzWBPeIAAAEEANI3Ptvt8e0ur8iiN9u2sYTJwaLeeDU/+W2umnsWskR9COQm
    UklyxPVZF6M+EebaalqhL6VqqvWh7n0CxMD5puxxoBAPPKUM8bAks7j42QZMx8Oz
    xvzDSk4bqTasmGOBg667P9jH6AcOjKP08zfwQb5Qm3TCFdsruWfhK324XxlBAAUR
    tChOZWxzb24gSC4gRi4gQmVlYmUgPGJlZWJlQG1hdGgudXRhaC5lZHU+
    =ISkv
    -----END PGP PUBLIC KEY BLOCK-----

    Save it in a temporary file, say foo.pubkey.

  2. Add it to your pgp public key ring:

    % pgp -ka foo.pubkey

    You only need to do this step, and the preceding one, once.

  3. Create a file, say foo.msg, with your secret message, and encrypt it with my public key:

    % pgp -eats foo.msg

    PGP will ask for your secret key in order to be able to unlock your key ring. Then it will ask for my public key’s user ID to encrypt your message. It will end with:

    Transport armor file: foo.msg.asc

  4. Mail that `transport armor' file to me:

    Mail -s "Secret message" < foo.msg.asc beebe@math.utah.edu

    That is the simplest way in Unix to mail a text file to someone. However, any decent mail client supports insertion of files into outgoing messages, so you could just insert foo.msg.asc into a message that way using your favorite mail program, possibly prefixing the insertion with some explanatory comments.

    If you give me a copy of your public key, which you can extract into a file that PGP will prompt you for, like this:

    % pgp -kxa

    or

    % pgp -kxa your-username@your-host

    then I can add it to my public key ring, and use it to encrypt messages to send back to you that only you can read.

    Your ability to read such a message from me to you that was encrypted with your public key is proof that your public key was not compromised during transmission to me, such as via e-mail, or a Web connection. On the other hand, if you cannot read my message, then we’d both better duck, because someone nasty is attacking us.


E-mail decryption

When you receive a message that has been encrypted with your public key, save it in a file, say secret.asc, and then decrypt it like this:

% pgp secret.asc
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.

Export of this software may be restricted by the U.S. government.

File is encrypted. Secret key is required to read it.

Key for user ID:
1024-bit DSS key, Key ID 0x…….., created …./../..
Key can sign.

You need a pass phrase to unlock your secret key.

Enter pass phrase:
Good signature from user "…".
Signature made 2005/04/07 14:25 GMT

Plaintext filename: secret

The resulting output file secret contains the plaintext of the encrypted message.

If the plaintext is really secret, then it is a bad idea to save it in a disk file, where it could possibly be read by others, and be recorded in long-term filesystem backups. The solution is to display it on the screen with the more pager:

% pgp -m secret.asc
…as before…
Enter pass phrase:
Good signature from user "…".
Signature made 2005/04/07 14:25 GMT
…plaintext appears on the screen here…

Here is the decryption procedure using GnuPG:

% gpg secret.asc
You need a passphrase to unlock the secret key for
user: "…."
2048-bit ELG-E key, ID …….., created 2003-01-30 (main key ID ……..)

gpg: encrypted with 2048-bit ELG-E key, ID …., created ….-..-..
"…."
gpg: Signature made Thu Apr 07 08:38:51 2005 MDT using DSA key ID ……..
gpg: Good signature from "…."

There does not appear to be a way with GnuPG to send the plaintext directly to a screen pager utility.


Digital signature creation and verification

Digital signatures can be created as part of a document, in the form of a short wrapper, or in separate files. Both forms are useful: e-mail messages would normally use the first way, while software distributions would use the second approach.

To create an integrated digital signature for a file, say, foo.msg:

% echo "This is a message." > foo.msg

% cat foo.msg
This is a message.

% pgp -sta foo.msg

Enter pass phrase: XXXX
Pass phrase is good.
Key for user ID: Nelson H. F. Beebe <beebe@math.utah.edu>
1024-bit key, Key ID B85F1941, created 1998/06/12
Just a moment….
Clear signature file: foo.msg.asc

This produced a signed wrapper that I can give to someone.

% cat foo.msg.asc
-----BEGIN PGP SIGNED MESSAGE-----

This is a message.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPjlRxWfhK324XxlBAQFdhgP/bdHMqstLCvXG8pGIfc7OzgUySzjewx1T
GU+zi7aJzcj4WWrOxsSqceNyroIMTXpwBOwb1OP8kbBzGr+TW9Kzb+1P/UdMmnHH
qgsZbXAcf3dVUwEPhrgn5XhxXk6mPocAvL0/7VhwHClbGPAefvrcKhkAyrSfxIP2
i697b7szCeU=
=5oN9
-----END PGP SIGNATURE-----

PGP makes this file readable only by its creator, but in this case, we want it to be readable by anyone:

% chmod a+r foo.msg.asc

At a remote site, the validity of the digital signature can be checked, and the wrapper removed, by someone else like this:

% pgp foo.msg.asc

File has signature. Public key is required to check signature. .
Good signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>".
Signature made 2003/01/30 16:25 GMT

Plaintext filename: foo.msg

You can also use GnuPG for signature verification:

% gpg foo.msg.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Thu Jan 30 09:24:37 2003 MST using RSA key ID B85F1941
gpg: Good signature from "Nelson H. F. Beebe <beebe@math.utah.edu>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7C18 7199 BC82 5EAB 06EB 9B96 FD9E 0E97 A93C 57C2

Suppose someone had tampered with the message, changing, say, "a message" to "an altered message". We can duplicate that tampering like this:

% sed -e "s/a message/an altered message/" foo.msg.asc > foo2.msg.asc

Signature verification now fails:

% pgp foo2.msg.asc

File has signature. Public key is required to check signature. .
WARNING: Bad signature, doesn't match file contents!

Bad signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>".
Signature made 2003/01/30 16:25 GMT

Plaintext filename: foo2.msg

To create an ASCII signature in a separate .asc file:

% pgp -stab foo.msg

Enter pass phrase: XXXX
Pass phrase is good.
Key for user ID: Nelson H. F. Beebe <beebe@math.utah.edu>
1024-bit key, Key ID B85F1941, created 1998/06/12
Just a moment….
Transport armor file: foo.msg.asc

Here is what the signature file looks like:

% cat foo.msg.asc
-----BEGIN PGP MESSAGE-----
Version: 2.6.2

iQCVAwUBPjlTkWfhK324XxlBAQEhyAQAo5XdKEeOpClpCmiSRfc+D/SL5xg21QRy
wNOXEEZKEMhDeE7CWTWJIWyh9nbI6MUF93aLcEwdAHgv0+B2fdm7Fefe1+p+P6HU
Ts54zBEoMdj10NiLTRdtES37V/0wj/HXkJW3T6WU9EeULv3Mk0133Q16OsIi1xsv
Cy2Ky9VtCiA=
=bnlu
-----END PGP MESSAGE-----
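Every armor block shown in these notes ends with a short "=xxxx" line just before the END line. That is the radix-64 CRC-24 of the decoded packet data, defined in RFC 2440 section 6.1 (the OpenPGP standard the GnuPG description above refers to). It only catches transmission corruption of the armored text: it is not a cryptographic check, and detecting tampering is the job of the signature inside. The following added example is not from the original notes; it implements that CRC, builds an armor block the way pgp and gpg lay one out, and refuses a block whose CRC line does not match its contents. The sample bytes are constructed, not a real OpenPGP packet.

```python
import base64

# Radix-64 CRC-24 parameters from RFC 2440 section 6.1; this is what the
# "=xxxx" line at the end of every PGP armor block on this page encodes.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 of data, computed bit by bit exactly as the RFC's reference code does."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "MESSAGE") -> str:
    """Wrap raw OpenPGP packet bytes in ASCII armor, 64 characters per line, plus the CRC line."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", ""] + lines
                     + [crc_line, f"-----END PGP {kind}-----", ""])


def dearmor(text: str) -> bytes:
    """Decode one armor block; raise ValueError if it is malformed or the CRC-24 disagrees."""
    lines = iter(line.strip() for line in text.splitlines())
    if not any(line.startswith("-----BEGIN PGP ") for line in lines):
        raise ValueError("no armor BEGIN line found")
    for line in lines:                    # armor headers such as "Version:" end at a blank line
        if line == "":
            break
    body, crc_line = [], None
    for line in lines:
        if line.startswith("="):          # the CRC line starts with '=' and ends the body
            crc_line = line[1:]
            break
        body.append(line)
    if crc_line is None or len(crc_line) != 4:
        raise ValueError("armor block has no CRC-24 line")
    data = base64.b64decode("".join(body), validate=True)
    if base64.b64decode(crc_line) != crc24(data).to_bytes(3, "big"):
        raise ValueError("CRC-24 mismatch: the block was corrupted in transit")
    return data
```

A block that fails this check was damaged somewhere between the sender and you (a mailer that rewrapped or "corrected" lines is the usual cause), so re-fetch it rather than hand it to pgp or gpg.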

To create a binary signature in a separate .sig file:

% pgp -sb foo.msg

Signature file: foo.xxx.sig

To verify the signature at some other site, you can specify either the base filename, or the signature filename.

% pgp foo.msg

File 'foo.msg.asc' has signature, but with no text.
Text is assumed to be in file 'foo.msg'.
Good signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>".
Signature made 2003/01/30 16:32 GMT

Signature and text are separate. No output file produced.

If the basename is used, and both .asc and .sig files exist, the .asc file is used for the signature.

The GNU Project archives and the ftp://ftp.math.utah.edu/pub/ archives use binary .sig signature files.

At various places in our local FTP and Web filesystems, you can find files named MD5SUM.asc. They contain MD5 checksums of files in the directory, plus an embedded signature. These were made like this:

% md5sum * > MD5SUM
% pgp -sta MD5SUM

A line in one such file looks something like this:

f6a8f9fa5d8d9872824d929db192405e hoc-7.0.6.beta.tar.gz

By verifying the digital signature on MD5SUM.asc with pgp MD5SUM.asc, you can be sure that the MD5SUM file matches what I created here. If you now fetch the indicated .tar.gz file, you can reproduce the checksum line at your site like this:

% md5sum hoc-7.0.6.beta.tar.gz
f6a8f9fa5d8d9872824d929db192405e hoc-7.0.6.beta.tar.gz

The checksum match verifies that the .tar.gz file was not corrupted during transmission, and your copy matches mine exactly.

Many of the archives also contain separate .sig detached signature files, such as the hoc-7.0.6.beta.tar.gz.sig file for the above example.
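The MD5SUM.asc procedure above has two independent halves: pgp or gpg verifies the signature on the list, and then each listed checksum is recomputed locally. The following added example (not from the original notes) handles only the second half; it must be run on a list whose signature has already verified as "Good signature", since the checksums prove nothing until the signature does. It extracts the signed text from the clear-signed wrapper, undoing the "- " dash-escaping that RFC 2440 applies to text lines starting with a dash, and reports OK, FAILED or MISSING for each entry. demo() builds a constructed sample in a temporary directory with a placeholder in place of the signature packet.

```python
import hashlib
import os
import tempfile

ARMOR_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
ARMOR_SIG = "-----BEGIN PGP SIGNATURE-----"


def signed_text(clearsigned: str) -> str:
    """Return the text a clear-signed wrapper protects, undoing RFC 2440 dash-escaping."""
    lines = clearsigned.splitlines()
    if ARMOR_SIGNED not in lines or ARMOR_SIG not in lines:
        raise ValueError("not a clear-signed message")
    i, end = lines.index(ARMOR_SIGNED) + 1, lines.index(ARMOR_SIG)
    while i < end and lines[i].strip():           # skip "Hash: ..." armor headers
        i += 1
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[i + 1:end])


def check_md5sum_list(md5sum_text: str, directory: str) -> dict:
    """Recompute the MD5 of each file named in md5sum(1) output: OK, FAILED or MISSING."""
    results = {}
    for line in md5sum_text.splitlines():
        if not line.strip():
            continue
        expected, name = line.split(None, 1)
        name = name.lstrip("*")                   # md5sum marks binary-mode entries with '*'
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        with open(path, "rb") as f:
            actual = hashlib.md5(f.read()).hexdigest()
        results[name] = "OK" if actual == expected.lower() else "FAILED"
    return results


def demo() -> dict:
    """Constructed sample: two local archives and an MD5SUM.asc that lists three."""
    d = tempfile.mkdtemp()
    good = b"constructed archive bytes"
    for name, content in (("hoc-7.0.6.beta.tar.gz", good), ("other.tar.gz", b"altered bytes")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    md5sum_asc = "\n".join([
        ARMOR_SIGNED, "Hash: SHA1", "",
        hashlib.md5(good).hexdigest() + "  hoc-7.0.6.beta.tar.gz",
        "0" * 32 + "  other.tar.gz", "0" * 32 + "  missing.tar.gz",
        ARMOR_SIG, "(signature omitted: constructed sample)", "-----END PGP SIGNATURE-----", ""])
    return check_md5sum_list(signed_text(md5sum_asc), d)
```

A FAILED entry means the local file differs from the one the signer checksummed, whether through download corruption or substitution; treat it the same way as a bad signature and fetch the file again.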


Key servers for public keys

How do you know that someone's public key hasn't been tampered with? An attacker who managed to do this would have been able to decrypt messages sent to your intended recipient, but that person would be unable to do so.

The solution to this problem is for users who create a new public key to immediately register it with one or more neutral third parties, called public key servers, who act as (presumably incorruptible) escrow agents.

There is a small network of such servers for PGP keys distributed across several countries. Registration with just one is sufficient, since they exchange their public key archives, although it may take several days for a newly-registered key to propagate widely. Here is a short list of some public key servers:

Key servers allow you to look up keys by email address and by personal name. For example, at one of them, a search for beebe@math.utah.edu produces:

Public Key Server -- Index ``beebe@math.utah.edu ''

Type bits /keyID Date User ID
pub 1024D/A93C57C2 2003/01/30 Nelson H. F. Beebe <beebe@math.utah.edu>
pub 1024R/B85F1941 1998/06/12 Nelson H. F. Beebe <beebe@math.utah.edu>

As shown in this example, the keyID values are hyperlinked: selecting one of them leads to a page with the public key block for that person. The email addresses are also hyperlinked: they lead to a list of keys registered by the person with that address.

A search for just Beebe turns up dozens of keys registered by people with that name, along with their email addresses. A search for the more common name Nelson turns up hundreds of keys. A search for Nelson Utah turned up only three keys when this experiment was made: the above two, plus a third one. Thus, you can usually find a key, even when you don’t know the person’s exact name or email address, but you do know part of their name or location.

You can also search for keyIDs at some key servers, but you need to make sure that the keyID is prefixed with 0x (for hexadecimal). For example, in my case, search for 0xA93C57C2 instead of A93C57C2. Search by keyID is useful because signature verification may report just the keyID, without an associated human name or email address.

gpg can search for keys at keyservers specified in your $HOME/.gnupg/gpg.conf file:

% gpg --search 0xA93C57C2

gpg: searching for "0xA93C57C2" from HKP server wwwkeys.pgp.net
Keys 1-1 of 1 for "0xA93C57C2"
(1) Nelson H. F. Beebe <beebe@math.utah.edu>
1024 bit DSA key A93C57C2, created 2003-01-30
Enter number(s), N)ext, or Q)uit > q

You can also specify a keyserver on the command line:

% gpg --keyserver http://pgp.mit.edu/ --search 0xA93C57C2

gpg: searching for "0xA93C57C2" from HKP server pgp.mit.edu
Keys 1-1 of 1 for "0xA93C57C2"
(1) Nelson H. F. Beebe <beebe@math.utah.edu>
1024 bit DSA key A93C57C2, created 2003-01-30
Enter number(s), N)ext, or Q)uit > q

If you select a key by number from the displayed list, gpg automatically adds it to your GnuPG keyring (but not to yo …
