Never Ending Security

It starts all here

PGP Ubuntu

PGP Ubuntu

“GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user’s private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate.” From The GNU Privacy Handbook

GnuPG, GPG, PGP and OpenPGP

The terms “OpenPGP“, “PGP“, and “GnuPG / GPG” are often used interchangeably. This is a common mistake, since they are distinctly different.

  • OpenPGP is technically a proposed standard, although it is widely used. OpenPGP is not a program, and shouldn’t be referred to as such.
    • PGP and GnuPG are computer programs that implement the OpenPGP standard.
  • PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication.
  • GnuPG is an acronym for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication.

Generating an OpenPGP Key

The core package required to start using OpenPGP, gnupg, is installed by default on Ubuntu systems, as is seahorse, a GNOME application for managing keys. It is called “Passwords and Keys” in Ubuntu.

There are several programs which provide a graphical interface to the GnuPG system.

  • Enigmail, an OpenPGP plugin for Mozilla Thunderbird.
    • Enigmail was available in the “Main” repository through Intrepid, but can be found in the “Universe” repository since Jaunty.
sudo apt-get install enigmail
  • GNU Privacy Assistant is a graphical user interface for the GnuPG (GNU Privacy Guard).
    • GPA is available in the “Universe” repository. See Repositories for further information on enabling repositories.
sudo apt-get install gpa
  • Seahorse is a GNOME application for managing encryption keys. It also integrates with nautilus, gedit, and in other places for encryption operations.
    • Seahorse is available in the “Main” repository.
sudo apt-get install seahorse
  • KGPG is a simple, free, open source KDE frontend for gpg.
    • KGPG is available in the “Main” repository since Intrepid, or the “Universe” repository in earlier releases.
sudo apt-get install kgpg
  • Kleopatra is another KDE frontend for gpg that is integrated with the KDE PIM (although you need to install it separately for now).
    • Kleopatra is available in the “Universe” repository and it includes S/MIME backend:
sudo apt-get install kleopatra

Using GnuPG to generate a key

  • Open a terminal and enter:
    gpg --gen-key
    • If you are using gnupg version 1.4.10 or newer, this will lead to a selection screen with the following options:
      Please select what kind of key you want:
         (1) RSA and RSA (default)
         (2) DSA and Elgamal
         (3) DSA (sign only)
         (4) RSA (sign only)
    • Select (1), which will enable both encryption and signing.
    • If you are using an older version, the selection screen will have the following options:
      Please select what kind of key you want:
         (1) DSA and Elgamal (default)
         (2) DSA (sign only)
         (5) RSA (sign only)
    • We suggest you select (5). We will generate an encryption subkey later.
    What keysize do you want? (2048)
  • A keysize of 2048 (which is the default) is also a good choice.
    Key is valid for? (0)
  • Most people make their keys valid until infinity, which is the default option. If you do this don’t forget to revoke the key when you no longer use it (see below).
  • Hit Y and proceed.
    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
    
    Real name: Dennis Kaarsemaker
    Email address: dennis@kaarsemaker.net
    Comment: Tutorial key
    You selected this USER-ID:
        "Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>"
  • Make sure that the name on the key is not a pseudonym, and that it matches the name in your passport, or other government issued photo-identification! You can add extra e-mail addresses to the key later.
  • Type O to create your key.
    You need a Passphrase to protect your secret key.
  • You will be asked for your passphrase twice. Usually, a short sentence or phrase that isn’t easy to guess can be used. You would be asked to tap on the keyboard or do any of the things you normally do in order for randomization to take place. This is done so that the encryption algorithm has more human-entered elements, which, combined with the passphrase entered above, will result in the user’s private key.

Forgetting your passphrase will result in your key being useless.
Carefully memorize your passphrase

  • After you type your passphrase twice, the key will be generated. Please follow the instructions on the screen till you reach a screen similar to the one below.
    gpg: key D8FC66D2 marked as ultimately trusted
    public and secret key created and signed.
    
    pub   1024D/D8FC66D2 2005-09-08
          Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
    uid                  Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>
    sub   2048g/389AA63E 2005-09-08

The key-id is D8FC66D2 (yours will be different).

It is probably a good idea to set this key as default in your .bashrc.
Doing this will allow applications using GPG to automatically use your key

  • Set your key as the default key by entering this line in your ~/.bashrc.
    export GPGKEY=D8FC66D2
    • Please note that will be sourced only during your next session, unless you source it manually.
  • Now restart the gpg-agent and source your .bashrc again:
    killall -q gpg-agent
    eval $(gpg-agent --daemon)
    source ~/.bashrc

Encryption

  • If you created an “RSA (sign only)” earlier, you will probably want to add encryption capabilities. Assuming you edited ~/.bashrc as above, open a terminal again and enter:
    gpg --cert-digest-algo=SHA256 --edit-key $GPGKEY
  • This will present a dialog like the following:
    Secret key is available.
    
    pub   2048R/D8FC66D2  created: 2005-09-08  expires: never       usage: SC  
                         trust: ultimate      validity: ultimate
    [ultimate] (1). Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>
    
    Command>
  • To create a subkey, enter ‘addkey’. You will have to enter your key’s passphrase, and then you’ll see a somewhat familiar series of dialogues:
    Please select what kind of key you want:
       (2) DSA (sign only)
       (4) Elgamal (encrypt only)
       (5) RSA (sign only)
       (6) RSA (encrypt only)
  • Choose 6.
    What keysize do you want? (2048)
  • Again, 2048 is a sensible default.
    Key is valid for? (0)
  • Choose whether this encryption subkey is set to expire (default: it doesn’t). Then confirm that you want to make this subkey.
    pub   2048R/D8FC66D2  created: 2005-09-08  expires: never       usage: SC  
                         trust: ultimate      validity: ultimate
    sub   2048R/389AA63E created: 2005-09-08  expires: never       usage: E   
    [ultimate] (1). Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>
    Command>
  • Enter ‘save’, then ‘quit.’ Your key is now capable of encryption.

Creating a revocation key/certificate

  • A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way.
  • It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box.
  • You can create a revocation certificate by :
    gpg --output revoke.asc --gen-revoke $GPGKEY
  • The revocation key may be printed and/or stored as a file. Take care to safeguard your revocation key.

Anybody having access to your revocation certificate can revoke your key, rendering it useless

Making an ASCII armored version your public key

There are several sites out there that also allow you to paste an ASCII armored version your public key to import it. This method is often preferred, because the key comes directly from the user. The reasoning behind this preference is that a key on a keyserver may be corrupted, or the keyserver unavailable.

  • Create an ASCII armored version of your public key using GnuPG by using this command:
gpg --output mykey.asc --export -a $GPGKEY

This is the command using our example:

gpg --output mykey.asc --export -a D8FC66D2

Getting your key signed

The whole point of all this is to create a web of trust. By signing someone’s public key, you state that you have checked that the person that uses a certain keypair, is who he says he is and really is in control of the private key. This way a complete network of people who trust each other can be created. This network is called the Strongly connected set. Information about it can be found at http://pgp.cs.uu.nl/

In summary,

  1. Locate someone that lives near you and can meet with you to verify your ID.
  2. Arrange for a meeting. Bring at least one ID with photo and printed fingerprint of your OpenPGP key, ask the same from the person you will be meeting with.
  3. Print copies of your public key
    • get the last eight digits of your fingerprint: 0995 ECD6 3843 CBB3 C050 28CA E103 6EED 0123 4567
    • terminal: gpg –fingerprint 01234567 >> key.txt
    • print the resulting key.txt file and bring as many copies to the meeting as you expect to have people sign
  4. Meet, verify your IDs and exchange OpenPGP key fingerprints
  5. Sign the key of the person you’ve just met. Send him/her the key you’ve just signed.
  6. Update your keys on the keyserver, the signature you’ve just created will be uploaded.

Keysigning Guidelines

Since a signature means that you checked and verified that a certain public key belongs to a certain person who is in control of the accompanying private key, you need to follow these guidelines when signing peoples keys:

During the Event

  1. Keysigning is always done after meeting in person
  2. During this meeting you hand each other your OpenPGP key fingerprint and at least one government issued ID with a photograph. These key fingerprints are usually distributed as key fingerprint slips, created by a script such as gpg-key2ps (package: signing-party)
  3. You check whether the name on the key corresponds with the name on the ID and whether the person in front of you is indeed who he says he is.

After the Event

You now have the printed public key information from the other participants.

Example key IDs for the other participants will be E4758D1D, C27659A2, and 09026E7B. Replace these IDs with the key IDs you received from the other participants.

  1. retrieve the keys:
    • gpg –recv-keys E4758D1D C27659A2 09026E7B
  2. sign the keys:
    • gpg –sign-key E4758D1D
    • gpg –sign-key C27659A2
    • gpg –sign-key 09026E7B
  3. export the keys
    • gpg –armor –export E4758D1D –output E4758D1D.signed-by.01234567.asc
    • gpg –armor –export C27659A2 –output C27659A2.signed-by.01234567.asc
    • gpg –armor –export 09026E7B –output 09026E7B.signed-by.01234567.asc
  4. Email the key users (use the email address that was part of the key’s user ID) and attach the corresponding signature file – or – send their signed key to the key server:
    • gpg –send-keys –keyserver keyserver.ubuntu.com E4758D1D
  5. Once you receive your signed key import them to your keyring:
    • gpg –import 01234567.signed-by.E4758D1D.asc
    • gpg –import 01234567.signed-by.C27659A2.asc
    • gpg –import 01234567.signed-by.09026E7B.asc
  6. You should see your keys:
    • gpg –list-sigs 01234567
  7. Send your keys to the keyserver:
    • gpg –send-keys 01234567

Congrats you have now entered a web of trust or enlarged an existing one.

Backing up and restoring your key pair

Why should you back up your key pair? If you lose your key pair:

  • Any files encrypted with the lost key pair will be unrecoverable.
  • You will not be able to decrypt mails sent to you.
    • Decrypting emails sent to you requires your private key, this key is not stored on the keyservers.

If you lose your keypair you should revoke your key. This cannot be done without a revocation key.

Backing up your public key

  • List your public keys:
    gpg --list-keys
  • Look for the line that starts something like “pub 1024D/”. The part after the 1024D is the key_id. To export the key:
    gpg -ao _something_-public.key --export key_id

Backing up your private key

  • List your secret keys:
    gpg --list-secret-keys
  • Look for the line that starts something like “sec 1024D/”. The part after the 1024D is the key_id. To export the secret key:
    gpg -ao _something_-private.key --export-secret-keys key_id

Restoring your keys

  • To restore your keys – copy the two files created above to the machine and type:
    gpg --import _something_-public.key
    gpg --import _something_-private.key

Make sure you protect these files!

Revoking a keypair

In the event your keys are lost or compromised, you should revoke your keypair. This tells other users that your key is no longer reliable.

 For security purposes, there is no mechanism in place to revoke a key without a revocation key. As much as you might want to revoke a key, the revocation key prevents malicious revocations. Guard your revocation key with the same care you would use for your private key.
  • To revoke your key you need to first create a revocation key with the command:
gpg --gen-revoke
  • Import your revocation key, which would be stored to the file revoke.asc by default:
gpg --import revoke.asc
  • Upload the revocation key to your keyserver of choice, in the following example the key will be send to ubuntus keyserver:
gpg --keyserver keyserver.ubuntu.com --send-key 6382285E

Un-revoking a keypair

If you unintentionally revoke a key, or find that your key has in fact not been lost or compromised, it is possible to un-revoke your key. First and foremost, ensure that you do not distribute the key, or send it to the keyserver.

  • Export the key
gpg --export <key> > key.gpg
  • Split the key into multiple parts. This breaks the key down into multiple parts.
gpgsplit key.gpg
  • Find which file contains the revocation key. In most cases, it is 000002-002.sig, however you should make sure by using the following. If the sigclass is 0x20, you have the right file. Delete it.
gpg --list-packets 000002-002.sig
  • Put the key back together
cat 0000* > fixedkey.gpg
  • Remove the old key
gpg --expert --delete-key <key>
  • Import the new key
gpg --import fixedkey.gpg

GPG 2.0

GPG 2.0 is not installed as a default application on Ubuntu.

GPG 2.0 is the new kid on the block. GPG 2.0 is aimed or done for the desktops rather than embedded or server applications.

  • GnuPG2 is available in the “Main” repository since Intrepid, or in the “Universe” repository in earlier releases.
    • If you want to use gnupg2 with the firegpg firefox extension, you need to install gnupg2 first.
  • More information of GnuPG2 can be found here
  • If you are going to use gpg2 for the same purposes as outlined above then you just need to add 2 to the gpg command.
    gpg2 --gen-key

Using GPG To Sign SSH Keys

Often to access a remote server by SSH the administrator of the server will ask for your public ssh_rsa key so that he knows it is really your computer that is trying to access his server. The administrator may ask you to first sign the ssh_rsa key using GPG so that he knows the ssh_rsa key comes from you and has not been intercepted. This guide will show you how to generate your SSH and GPG keys and then how to use them to perform a secure transaction between two parties.

Ubuntu Releases

This guide should work on any Gnu/Linux operating system. This guide assumes you have already installed openssh-client and gnupg.

Generate The SSH RSA Keys

Run all commands as a regular user.

# ssh-keygen -t rsa

This will create your public and private SSH-RSA keys. The public key that the administraitor needs should be located here: ~/.ssh/id_rsa.pub.

Generate The GPG Keys

This is the output from generating a new key.

# gpg --cert-digest-algo SHA256 --default-preference-list "h10 h8 h9 h11 s9 s8 s7 s3 z2 z3 z1 z0" --gen-key
gpg (GnuPG) 1.4.6; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: mr bo jangles
Email address: bo@jangles.com
Comment: comment
You selected this USER-ID:
   "mr bo jangles (comment) <bo@jangles.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

#-> passphrase:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++++++++++++.+++++++++++++++.+++++.++++++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++.++++++++++..+++++++++++++
public and secret key created and signed.
key marked as ultimately trusted.

pub  2048R/5F6D1662 2009-05-10 mr bo jangles (comment) <bo@jangles.com>
    Key fingerprint = D1BC 6822 0ACB 0025 8902  6DE7 87EA 4324 5F6D 1662

Your public and private GPG keys should now be located in your ~/.gnupg directory.

Put your private key on a cd-rom or a floppy disc or somewhere very safe. Do not lose it or you will be unable to sign any documents. Never give it to anyone under any circumstances. If you have given anyone your private key then you must revoke the key immediately and generate a new set.

Exchange Public Keys

It is good practice to put your public GPG key on a public key server where others can access it easily. Biglumber.com is a public key server. In order to put your public key on Biglumber you will first need to go though a verification process.

Go to Biglumber.com and put your public key on their server.

While you are at Biglumber you will need to find the public key of the administrator to whom you are planning to send your digitally signed and encrypted message. Once you have done that, you must then import the pubic key of that administrators into your keyring.

# gpg --import Administrator.pub

Now get the Administrator’s key ID, and your key ID as well:

# gpg --list-keys
pub  1024D/ABCABCAB 2005-03-26 Administrator_Email <admin@secure.ca>
pub  2048R/XYZXYZXY 2009-05-10 Your_Email_Address <user@user.ca>

Aministrator ID: ABCABCAB

Your ID: XYZXYZXY

Make a Secure Transaction

GPG will use your secret key (~/.gnupg/secring.gpg) to sign and encrypt your public ssh key (~/.ssh/id_rsa.pub).

Only the administrator will be able to decrypt the file because you are also using his public key to encrypt it.

In turn, he will only be able to decrypt it if he has your public key on his key ring.

Sign the key:

# gpg -u XYZXYZXY -r ABCABCAB --armor --sign --encrypt ~/.ssh/id_rsa.pub

Send the result (id_rsa.pub.gpg) to the administrator along with a link to where you keep your public key on Biglumber. He will verify the your information and then allow you to access his system by SSH.

In an ideal world you are only supposed to exchange public keys directly and in person. This way you know 100% that the public key truly belongs to the correct person.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s