Thursday, August 24, 2006

GnuPG -- Secure Communication

The ideas and examples here were obtained from GnuPG Privacy Handbook. The manual is a good in-depth paper for those hungry for knowledge and should be read.

What to do if you want to send messages containing sensitive data to a friend?
Pretty simple, hã? Just encrypt and it's done!
But how could both of you exchange the cipher secret key without exposing it to an insecure channel?

The answer is simple: public-key ciphers

Public-key ciphers

In a simple way, this method uses two keys to send messages. Others will encrypt messages using your public key and it can be read only by you using your secret key to decrypt. As you could see there is no key exchange, solving the problem discussed above.

GnuPG works this way, allowing you to generate key pairs and to encrypt/decrypt messages.

Now, let's have some fun!

Getting the key pair


$ gpg --gen-key

You will be asked between different types of the key, the default should be okay.

Now, you must specify the key size. The longer the key the more hard it will be against attacks. Be careful: too high value will slow down encrypt/decrypt procedures.

Next step is defining the expiration time, hit ENTER one more time and provide some information about you to create a user ID an so assimilating the key to you.

Finally, the important step. Now you must enter a pass-phrase that will protect your private key. Choose it carefully since this is the weakest point of the public-key encryption system. Do not follow any standard when choosing the characters and use letters, numbers and other characters like, %, $, #, etc. Also, do not use words from dictionaries.

In case your private key or pass-phrase get lost, you must issue a revocation certificate and others will not use you public key anymore. This certificate can be used to verify your old signatures.

To generate the revocation certificate type this:

$ gpg --output revoke.asc --gen-revoke mykey

Where mykey is any part of your user ID that identifies your key pair. Keep revoke.asc in a secure place so no one will publish it and screw your key pair.

Where is my public key?

$ gpg --output public.gpg --export your@mail

This will create a file public.gpg with your public key in a binary format.
To get an ASCII-armored file format, use the following command:

$ gpg --armor --export your@mail

This will print your public key in ASCII format to the standard output.

How to encrypt/decrypt a message?

After getting the other person public key file, type:

$ gpg --import person.gpg

Now you have to validate the key. This is done by verifying the key fingerprint with the owner:

$ gpg --edit-key person@mail
Command> fpr

Is everything is fine, you are ready to sign it:

Command> sign

Take care when signing you imported keys, since this is a weak point. It is possible to someone fake a file with some similar fingerprint and then cheat you. So, be careful.

Issue the command:

$ gpg --output encrypted_doc.gpg --encrypt --recipient destinatary@mail document

To decrypt a message, type:

$ gpg --output document --decrypt encrypted_doc.gpg

Remember: you must have the private key used in encryption to be able to decrypt the document as well as the pass-phrase.

How i make that mail pgp signed messages?

This is done using the --clearsign option:

$ gpg --clearsign document

This will create a document.asc file containing the signed message.

Verifying a signed message

Just use the command:

$ gpg --verify pgpsignedfile

If it is a file with a detached signature use:

$ gpg --verify sign signedfile


Now you know the basic to create your keys and sign your messages assuring its integrity.
More technical data can be found at GnuPG man page and in the GnuPG Privacy Handbook.

Suggestions and offense are welcome.

Good gpg'ing