PGP (Pretty Good Privacy) and GnuPG (GNU Privacy Guard) notes

About PGP and GnuPG

PGP software provides for highly-secure encryption and decryption of data, and for creating and verifying digital signatures.

A secure encrypted channel permits people to communicate with considerable confidence that others (including big unnamed government agencies) cannot eavesdrop, even if the encrypted traffic is intercepted (as anything that traverses the Internet can be, with the right tools, and either clandestine access or suitable privileges).

Digital signatures are useful for verifying that all parties see the same file contents, and that any tampering with those contents can be detected.

The GNU Privacy Guard (GnuPG) package is a ``complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.''

The short reading list at the end of this document leads to important comprehensive books on this subject.

E-mail encryption

Some e-mail clients implement support for sending and receiving encrypted messages. While that is certainly convenient, it leaves users in a (usually) undesirable state of ignorance about what is going on. This section tells how you can do each step yourself.

To exchange secret messages with me, proceed as follows:

Fetch my public key from my Web site. The key file looks exactly like this (all lines should be flush left):

Save it in a temporary file, say foo.pubkey.

Add it to your pgp public key ring:
```
% pgp -ka foo.pubkey 
```
You only need to do this, and the preceding, step once.
Create a file, say foo.msg, with your secret message, and encrypt it with my public key:
```
% pgp -eats foo.msg 
```
PGP will ask for your secret key in order to be able to unlock your key ring. Then it will ask for my public key's user ID to encrypt your message. It will end with:
```
Transport armor file: foo.msg.asc 
```
Mail that `transport armor' file to me:
```
Mail -s "Secret message" < foo.msg.asc beebe@math.utah.edu 
```
That is the simplest way in Unix to mail a text file to someone. However, any decent mail client supports insertion of files into outgoing messages, so you could just insert foo.msg.asc into a message that way using your favorite mail program, possibly prefixing the insertion with some explanatory comments.

If you give me a copy of your public key, which you can extract into a file that PGP will prompt you for, like this:
```
% pgp -kxa 
```
or
```
% pgp -kxa your-username@your-host 
```
then I can add it to my public key ring, and use it to encrypt messages to send back to you that only you can read.

Your ability to read such a message from me to you that was encrypted with your public key is proof that your public key was not compromised during transmission to me, such as via e-mail, or a Web connection. On the other hand, if you cannot read my message, then we'd both better duck, because someone nasty is attacking us.

E-mail decryption

When you receive a message that has been encrypted with your public key, save it in a file, say secret.asc, and then decrypt it like this:

% pgp secret.asc Pretty Good Privacy(tm) Version 6.5.8 (c) 1999 Network Associates Inc.  Export of this software may be restricted by the U.S. government.  File is encrypted.  Secret key is required to read it.  Key for user ID: 1024-bit DSS key, Key ID 0x........, created ..../../.. Key can sign.  You need a pass phrase to unlock your secret key.  Enter pass phrase: Good signature from user "...". Signature made 2005/04/07 14:25 GMT  Plaintext filename: secret

The resulting output file secret contains the plaintext of the encrypted message.

If the plaintext is really secret, then it is a bad idea to save it in a disk file, where it could possibly be read by others, and be recorded in long-term filesystem backups. The solution is to display it on the screen with the more pager:

% pgp -m secret.asc ...as before... Enter pass phrase: Good signature from user "...". Signature made 2005/04/07 14:25 GMT ...plaintext appears on the screen here...

Here is the decryption procedure using GnuPG:

% gpg secret.asc You need a passphrase to unlock the secret key for user: "...." 2048-bit ELG-E key, ID ........, created 2003-01-30 (main key ID ........)  gpg: encrypted with 2048-bit ELG-E key, ID ...., created ....-..-..       "...." gpg: Signature made Thu Apr 07 08:38:51 2005 MDT using DSA key ID ........ gpg: Good signature from "...."

There does not appear to be a way with GnuPG to send the plaintext directly to a screen pager utility.

Digital signature creation and verification

Digital signatures can be created as part of a document, in the form of a short wrapper, or in separate files. Both forms are useful: e-mail messages would normally use the first way, while software distributions would use the second approach.

To create an integrated digital signature for a file, say, foo.msg:

% echo "This is a message." >  foo.msg  % cat foo.msg This is a message.  % pgp -sta foo.msg ... Enter pass phrase: XXXX Pass phrase is good. Key for user ID: Nelson H. F. Beebe <beebe@math.utah.edu> 1024-bit key, Key ID B85F1941, created 1998/06/12 Just a moment.... Clear signature file: foo.msg.asc

This produced a signed wrapper that I can give to someone.

% cat foo.msg.asc -----BEGIN PGP SIGNED MESSAGE-----  This is a message.  -----BEGIN PGP SIGNATURE----- Version: 2.6.2  iQCVAwUBPjlRxWfhK324XxlBAQFdhgP/bdHMqstLCvXG8pGIfc7OzgUySzjewx1T GU+zi7aJzcj4WWrOxsSqceNyroIMTXpwBOwb1OP8kbBzGr+TW9Kzb+1P/UdMmnHH qgsZbXAcf3dVUwEPhrgn5XhxXk6mPocAvL0/7VhwHClbGPAefvrcKhkAyrSfxIP2 i697b7szCeU= =5oN9 -----END PGP SIGNATURE-----

PGP makes this file readable only by its creator, but in this case, we want it to be readable by anyone:

% chmod a+r foo.msg.asc

At a remote site, the validity of the digital signature can be checked, and the wrapper removed, by someone else like this:

% pgp foo.msg.asc ... File has signature.  Public key is required to check signature. . Good signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>". Signature made 2003/01/30 16:25 GMT  Plaintext filename: foo.msg

You can also use GnuPG for signature verification:

% gpg foo.msg.asc gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: Signature made Thu Jan 30 09:24:37 2003 MST using RSA key ID B85F1941 gpg: Good signature from "Nelson H. F. Beebe <beebe@math.utah.edu>" gpg: checking the trustdb gpg: no ultimately trusted keys found gpg: WARNING: This key is not certified with a trusted signature! gpg:          There is no indication that the signature belongs to the owner. Primary key fingerprint: 7C18 7199 BC82 5EAB 06EB  9B96 FD9E 0E97 A93C 57C2

Suppose someone had tampered with the message, changing, say, a message, to an altered message. We can duplicate that tampering like this:

% sed -e "s/a message/an altered message/" foo.msg.asc > foo2.msg.asc

Signature verification now fails:

% pgp foo2.msg.asc ... File has signature.  Public key is required to check signature. . WARNING: Bad signature, doesn't match file contents!  Bad signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>". Signature made 2003/01/30 16:25 GMT  Plaintext filename: foo2.msg

To create an ASCII signature in a separate .asc file:

% pgp -stab foo.msg ... Enter pass phrase: XXXX Pass phrase is good. Key for user ID: Nelson H. F. Beebe <beebe@math.utah.edu> 1024-bit key, Key ID B85F1941, created 1998/06/12 Just a moment.... Transport armor file: foo.msg.asc

Here is what the signature file looks like:

% cat foo.msg.asc -----BEGIN PGP MESSAGE----- Version: 2.6.2  iQCVAwUBPjlTkWfhK324XxlBAQEhyAQAo5XdKEeOpClpCmiSRfc+D/SL5xg21QRy wNOXEEZKEMhDeE7CWTWJIWyh9nbI6MUF93aLcEwdAHgv0+B2fdm7Fefe1+p+P6HU Ts54zBEoMdj10NiLTRdtES37V/0wj/HXkJW3T6WU9EeULv3Mk0133Q16OsIi1xsv Cy2Ky9VtCiA= =bnlu -----END PGP MESSAGE-----

To create a binary signature in a separate .sig file:

% pgp -sb foo.msg ... Signature file: foo.xxx.sig

To verify the signature at some other site, you can specify either the base filename, or the signature filename.

% pgp foo.msg ... File 'foo.msg.asc' has signature, but with no text. Text is assumed to be in file 'foo.msg'. Good signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>". Signature made 2003/01/30 16:32 GMT  Signature and text are separate.  No output file produced.

If the basename is used, and both .asc and .sig files exist, the .asc file is used for the signature.

The GNU Project archives and the ftp://ftp.math.utah.edu/pub/ archives use binary .sig signature files.

At various places in our local FTP and Web filesystems, you can find files named MD5SUM.asc. They contain MD5 checksums of files in the directory, plus an embedded signature. These were made like this:

% md5sum * > MD5SUM % pgp -sta MD5SUM ...

A line in one such file looks something like this:

f6a8f9fa5d8d9872824d929db192405e  hoc-7.0.6.beta.tar.gz

By verifying the digital signature on MD5SUM.asc with pgp MD5SUM.asc, you can be sure that the MD5SUM file matches what I created here. If you now fetch the indicated .tar.gz file, you can reproduce the checksum line at your site like this:

% md5sum hoc-7.0.6.beta.tar.gz f6a8f9fa5d8d9872824d929db192405e  hoc-7.0.6.beta.tar.gz

The checksum match verifies that the .tar.gz file was not corrupted during transmission, and your copy matches mine exactly.

Many of the archives also contain separate .sig detached signature files, such as the hoc-7.0.6.beta.tar.gz.sig file for the above example.

Key servers for public keys

How do you know that someone's public key hasn't been tampered with? An attacker who managed to do this would been able to decrypt messages sent to your intended recipient, but that person would be unable to do so.

The solution to this problem is for users who create a new public key to immediately register it with one or more neutral third parties, called public key servers, who act as (presumably incorruptible) escrow agents.

There is a small network of such servers for PGP keys distributed across several countries. Registration with just one is sufficient, since they exchange their public key archives, although it may take several days for a newly-registered key to propagate widely. Here is a short list of some public key servers:

Key servers allow you to lookup keys by email addresses and by personal name. For example, at one of them, a search for beebe@math.utah.edu produces:

Public Key Server -- Index ``beebe@math.utah.edu '' Type bits /keyID Date User ID pub 1024D/A93C57C2 2003/01/30 Nelson H. F. Beebe <beebe@math.utah.edu> pub 1024R/B85F1941 1998/06/12 Nelson H. F. Beebe <beebe@math.utah.edu>

As shown in this example, the keyID values are hyperlinked: selecting one of them leads to a page with the public key block for that person. The email addresses are also hyperlinked: they lead to a list of keys registered by the person with that address.

A search for just Beebe turns up dozens of keys registered by people with that name, along with their email addresses. A search for the more common name Nelson turns up hundreds of keys. A search for Nelson Utah turned up only three keys when this experiment was made: the above two, plus a third one. Thus, you can usually find a key, even when you don't know the person's exact name or email address, but you do know part of their name or location.

You can also search for keyIDs at some key servers, but you need to make sure that the keyID is prefixed with 0x (for hexadecimal). For example, in my case, search for 0xA93C57C2 instead of A93C57C2. Search by keyID is useful because signature verification may report just the keyID, without an associated human name or email address.

gpg can search for keys at keyservers specified in your $HOME/.gnupg/gpg.conf file:

% gpg --search 0xA93C57C2 ... gpg: searching for "0xA93C57C2" from HKP server wwwkeys.pgp.net Keys 1-1 of 1 for "0xA93C57C2" (1)     Nelson H. F. Beebe <beebe@math.utah.edu>           1024 bit DSA key A93C57C2, created 2003-01-30 Enter number(s), N)ext, or Q)uit > q

You can also specify a keyserver on the command line:

% gpg --keyserver http://pgp.mit.edu/ --search 0xA93C57C2 ... gpg: searching for "0xA93C57C2" from HKP server pgp.mit.edu Keys 1-1 of 1 for "0xA93C57C2" (1)     Nelson H. F. Beebe <beebe@math.utah.edu>           1024 bit DSA key A93C57C2, created 2003-01-30 Enter number(s), N)ext, or Q)uit > q

If you select a key by number from the displayed list, gpg automatically adds it to your GnuPG keyring (but not to your PGP keyring). PGP does not appear to have a similar key-search facility.

Once a public key is registered with a key server, it cannot be revoked without knowledge of the original passphrase that led to its construction. This makes it very hard for an attacker to delete a registered public key, and replace it with a bogus one, adding to the confidence that one can have in registered public keys. Of course, if you forget your own pass phrase, you cannot revoke your own public key either! Similarly, someone who manages to crack your computer account could impersonate you, and create and register a key whose encryptions you cannot decipher. Nothing is for certain, sigh...

Adding a public key to your keyring

Once you have found a public key for the desired user, save the public key block in a temporary file, say tempfile. This file will be 50 to 1000 lines long, and look something like this:

% cat tempfile        Public Key Server -- Get ``0xA93C57C2 ''  -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP Key Server 0.9.6  mQGiBD45JvoRBADB2wXsvcr0GkSy7ESDhND/7TSeDt/K8xGTiaZXs5weCGvdbngC 2cdjtGAJEVtNMnXfXBigKnrrN6ozpjBl7HFyOz+bXxrpCt2yQ/TGjQKpooXryaNM ...      uhbqgAAKCRD9ng6XqTxXwoz/AJ4xC9UlipWFMXEYvQco8GRA7ZgXpwCePBwSbhAw 2fkncUHdprzxMorL3dE= =Oqpu -----END PGP PUBLIC KEY BLOCK-----

To add that key to your keyring, do this:

% pgp -ka tempfile Pretty Good Privacy(tm) Version 6.5.8 (c) 1999 Network Associates Inc. Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc. Export of this software may be restricted by the U.S. government.   Looking for new keys... DSS  2048/1024 0xA93C57C2 2003/01/30 Nelson H. F. Beebe <beebe@math.utah.edu> sig?           0xA93C57C2             (Unknown signator, can't be checked)  keyfile contains 1 new keys. Add these keys to keyring ? (Y/n) y   New userid: "Nelson H. F. Beebe <beebe@math.utah.edu>". New signature from keyID 0xA93C57C2 on userid Nelson H. F. Beebe <beebe@math.utah.edu>  Keyfile contains:    1 new key(s)    1 new signatures(s)    1 new user ID(s)   Summary of changes :  New userid: "Nelson H. F. Beebe <beebe@math.utah.edu>". New signature from keyID 0xA93C57C2 on userid Nelson H. F. Beebe <beebe@math.utah.edu>  Added :    1 new key(s)    1 new signatures(s)    1 new user ID(s)

During the key addition, pgp will update about five files in your $HOME/.pgp directory.

You can also use the same key file to add the key to the separate keyring maintained gpg:

% gpg --import tempfile gpg: /u/class/b/c-bnhf/.gnupg/trustdb.gpg: trustdb created gpg: key A93C57C2: public key "Nelson H. F. Beebe <beebe@math.utah.edu>" imported gpg: Total number processed: 1 gpg:               imported: 1

GnuPG also has a PGP-like interface that takes the same command-line options as pgp; use it like this:

% pgpgpg -ka tempfile gpg: key A93C57C2: "Nelson H. F. Beebe <beebe@math.utah.edu>" not changed gpg: Total number processed: 1 gpg:              unchanged: 1

Either of these key additions will cause GnuPG to update two files in your $HOME/.gnupg directory.

Although GnuPG has an option to automatically import a key from a keyserver, PGP does not:

% gpg --recv-keys 0xE707FDA5 gpg: key E707FDA5: public key "Werner Lemberg <wl@gnu.org>" imported gpg: Total number processed: 1 gpg:               imported: 1

If you wish to use both GnuPG and PGP, then it is better to fetch keys into temporary files, and then import them manually. The Unix shell script getpubkey.sh provides a convenient way to do this:

% getpubkey.sh 0xE707FDA5 -rw-rw-r--  1 jones devel 1439 Sep 24 11:38 /tmp/pgp-0xE707FDA5.tmp.13306 Try:    pgp -ka /tmp/pgp-0xE707FDA5.tmp.13306         pgpgpg -ka /tmp/pgp-0xE707FDA5.tmp.13306         rm -f /tmp/pgp-0xE707FDA5.tmp.13306

Verifying a file signature

Besides their use for decrypting messages, public keys can be used to verify digital signatures on files. To allow detection of tampering, some Internet file archives provide digital signature files. For example, at the GnuPG archive, you might find, and fetch, files like this:

% ncftp ftp://ftp.gnupg.org/GnuPG/gnupg/ ncftp /GnuPG/gnupg > dir gnupg-1.2.2* -rw-r--r--   1 103      65534      2225034 May  3 11:58 gnupg-1.2.2.tar.bz2 -rw-r--r--   1 103      65534           65 May  3 11:58 gnupg-1.2.2.tar.bz2.sig -rw-r--r--   1 103      65534      3183869 May  1 18:00 gnupg-1.2.2.tar.gz -rw-r--r--   1 103      65534           65 May  1 18:00 gnupg-1.2.2.tar.gz.sig ncftp /GnuPG/gnupg > get gnupg-1.2.2.tar.gz* gnupg-1.2.2.tar.gz.sig:                                 65.00 B  714.05 B/s gnupg-1.2.2.tar.gz:                                      3.04 MB  160.10 kB/s ncftp /GnuPG/gnupg > quit

You can then verify the integrity of the archive file with PGP like this:

% pgp gnupg-1.2.2.tar.gz.sig Pretty Good Privacy(tm) Version 6.5.8 (c) 1999 Network Associates Inc. Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc. Export of this software may be restricted by the U.S. government.  File 'gnupg-1.2.2.tar.gz.sig' has signature, but with no text. Text is assumed to be in file 'gnupg-1.2.2.tar.gz'. signature not checked. Signature made 2003/05/01 15:10 GMT key does not meet validity threshold.  WARNING:  Because this public key is not certified with a trusted signature, it is not known with high confidence that this public key actually belongs to: "(KeyID: 0x57548DCD)".

Alternatively, you can use GnuPG like this:

% gpg gnupg-1.2.2.tar.gz.sig gpg: Signature made Thu 01 May 2003 09:10:15 AM MDT using DSA key ID 57548DCD gpg: Can't check signature: public key not found

Both programs complained that they could not verify the signature because the signer's key was not found on the keyring.

To remedy that problem, fetch the signer's public key from a trusted key server as described earlier, and add it to your PGP and GnuPG keyrings:

% pgp -ka tempkoch Pretty Good Privacy(tm) Version 6.5.8 (c) 1999 Network Associates Inc. Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc. Export of this software may be restricted by the U.S. government.   Looking for new keys... DSS  1024      0x57548DCD 1998/07/07 Werner Koch (gnupg sig) <dd9jn@gnu.org> ...  % gpg --import tempkoch gpg: key 57548DCD: public key "Werner Koch (gnupg sig) <dd9jn@gnu.org>" imported gpg: Total number processed: 1 gpg:               imported: 1

Now verify the file signatures again:

% pgp gnupg-1.2.2.tar.gz.sig Pretty Good Privacy(tm) Version 6.5.8 (c) 1999 Network Associates Inc. Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc. Export of this software may be restricted by the U.S. government.  File 'gnupg-1.2.2.tar.gz.sig' has signature, but with no text. Text is assumed to be in file 'gnupg-1.2.2.tar.gz'. Good signature from user "Werner Koch (gnupg sig) <dd9jn@gnu.org>". Signature made 2003/05/01 15:10 GMT  WARNING:  Because this public key is not certified with a trusted signature, it is not known with high confidence that this public key actually belongs to: "Werner Koch (gnupg sig) <dd9jn@gnu.org>".   % gpg gnupg-1.2.2.tar.gz.sig gpg: Signature made Thu 01 May 2003 09:10:15 AM MDT using DSA key ID 57548DCD gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn@gnu.org>" gpg: checking the trustdb gpg: no ultimately trusted keys found gpg: WARNING: This key is not certified with a trusted signature! gpg:          There is no indication that the signature belongs to the owner. Primary key fingerprint: 6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD

Both PGP and GnuPG confirm that the digital signature on the file is good, so we can be confident that the archive file gnupg-1.2.2.tar.gz has contents that are identical with the file that Werner Koch signed at his site.

Both programs warn that Werner Koch's public key is not certified by a trusted authority; consult their documentation to find out more about how to key certification works. In practice, you may be satisfied to know just that the digital signature was verified, and that it matches the expected user's public key that you downloaded from a public key server. The next section describes how you might increase trust in a public key.

Verifying a public key

Once you have someone's public key, perhaps obtained from a keyserver or an FTP or Web site, you still don't know that the key is genuine: you have to trust the source.

If you can contact the key owner by FAX, telephone, or e-mail, you can request a key fingerprint, which is a sequence of hexadecimal characters that represent a checksum of the public key. You can then compare it with the fingerprint extracted from the purportedly-identical public key on your keyring with either PGP or GnuPG:

% pgp -kvc 0xA93C57C2 ... Looking for user ID "0xA93C57C2". Type bits      keyID      Date       User ID DSS  2048/1024 0xA93C57C2 2003/01/30 expires 2102/01/05                                       Nelson H. F. Beebe <beebe@math.utah.edu>           Key fingerprint =  7C 18 71 99 BC 82 5E AB  06 EB 9B 96 FD 9E 0E 97  A9 3C 57 C2 1 matching key found.  % pgpgpg -kvc 0xA93C57C2 pub  1024D/A93C57C2 2003-01-30 Nelson H. F. Beebe <beebe@math.utah.edu>      Key fingerprint = 7C18 7199 BC82 5EAB 06EB  9B96 FD9E 0E97 A93C 57C2 sub  2048g/88DE0889 2003-01-30 [expires: ????-??-??]  % gpg --fingerprint 0xA93C57C2 pub  1024D/A93C57C2 2003-01-30 Nelson H. F. Beebe <beebe@math.utah.edu>      Key fingerprint = 7C18 7199 BC82 5EAB 06EB  9B96 FD9E 0E97 A93C 57C2 sub  2048g/88DE0889 2003-01-30 [expires: ????-??-??]

If they match, and if you have reason to believe that the person who sent you the key was indeed the key owner, then the public key has more trust that it had before.

Unix Tech Tips & Tricks

Monday, November 27, 2006

PGP and GnuPG Notes

PGP (Pretty Good Privacy) and GnuPG (GNU Privacy Guard) notes

Table of contents

About PGP and GnuPG

E-mail encryption

E-mail decryption

Digital signature creation and verification

Key servers for public keys

Adding a public key to your keyring

Verifying a file signature

Verifying a public key

2 comments:

Tech Links

Tips & Tricks

Blog Archive