1 Notes

2 Installation and use.

We're going to use PGP to perform encryption. First we need to install the software, then generate a public/private key pair, as we learned about during lectures.

2.1 Install GnuPG (aka PGP/GPG)

This is heavily platform dependent. Download from any of the following sources depending on your operating system:

If you are using Linux then use your package manager. e.g for ubuntu:

$ sudo apt-get install gnupg
$ sudo apt-get install rng-tools
$ sudo sed -i -e 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/urandom|' /etc/default/rng-tools
$ sudo service rng-tools start

Note that the last two steps in the Ubuntu installation notes above allow you to generate some randomness required to generate a key which is what we're going to do next.

Depending on your choices while installing you may get a GUI installed, we shall use the command line which should get installed with all options. Feel free to click around the GUIs for the equivalent actions. For windows the Kleopatra GUI seems to be more intuitive but that's the opinion of the (non windows based) author.

2.2 Generate a public/private key pair

For this step I highly recommend that you use the GUI if you installed one and figure out what to put in the various prompts as most users will generate keys this way.

Run the command:

$ gpg --gen-key

you should get a menu (after some text saying:)

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

Press '1' and return.

You will then be prompted to pick a key size:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Press return to accept the default of 2048

Requested keysize is 2048 bits

You will then have to decide if the key will expire in time, or remain active until explicitly revoked

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Press '0' and return.

Key does not expire at all
Is this correct? (y/N)

Answer 'y', then return.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Here, enter your name, email, and an optional comment about this key:

Real name: Bob Bobson       <-- use your name ...
Email address: bob@bob.com  <-- ... and email address here!
Comment: sanog key          <-- you can leave this blank

You will be asked to confirm:

You selected this USER-ID:
    "Bob Bobson (sanog key) <bob@bob.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Type 'O' then return.

You are then asked to enter a passphrase to protect your key:

You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
Enter passphrase:

Pick a passphrase that is short enough to be typed without too much difficulty, but not too short that it can be guessed. The passphrase will not be shown.

You will be asked to enter the passphrase twice.

Repeat passphrase:

You can also use the following command to list the keys in your keyrings:

$ gpg --list-keys

This will show you a list of keys. You will notice that you have not only one public/private key pair, but also have a so-called "sub" keys.

/home/sanog/.gnupg/secring.gpg
-------------------------------
sec   2048R/C9FBE546 2013-07-30
uid                  Bob Bobson (sanog key) <bob@bob.com>
ssb   2048R/3BE8FE75 2013-07-30

One interesting feature of PGP is the ability to sign keys. This means that you can ask a third party you trust, and more importantly, who trusts you, to use their private key to "sign" your public key. This is a way for them to say "I believe this person really is who they say they are, and here's my proof".

Sometimes, you will find that it is necessary to get rid of "old" keys, and make some new ones. But what if many people have signed your key ?

Not to worry! People who have signed your key actually sign your "Master key".

Master keys are used to sign sub keys. Which means, that you can replace those, and still benefit from the "trust" of those who have signed your master key..

2.3 Encrypt with GPG using public key

It's time to encrypt files with GPG.

Create a plain text file called "my-secrets-myname.txt" using your favourite text editor. On windows use notepad rather than microsoft word. On Linux (and OS X) you can use "vi" from the terminal or a GUI text editor with the following contents. Remember that for windows you're better off creating a directory say c:where you'll put this file and "cd" to it before running the gpg commands bellow.

My name is "My Name"

My credit card number is 1234-5678-9012-3456

The password for my phone is 42

Once that is done, let's encrypt the file:

gpg -e my-secrets-myname.txt

GPG is going to tell you you didn't include a recipient / user ID.

You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line:

Here, you can just write your own email (userid) you chose earlier, for example: bob@bob.com if that is your email:

Current recipients:
2048R/3BE8FE75 2013-07-30 "Bob Bobson (sanog key) <bob@bob.com>"

It then asks you if there are other recipients. Just press RETURN to continue without adding more recipients.

Normally, GPG should finish quietly and leave you back at the shell.

Verify that you now have encrypted files present in your directory:

$ ls -l my-secrets-myname.txt*
-rw-rw-r-- 1 sanog sanog 102 Jul 30 12:45 my-secrets-myname.txt
-rw-rw-r-- 1 sanog sanog 441 Jul 30 14:30 my-secrets-myname.txt.gpg

or on windows:

C:\exercise>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB2-23B5

 Directory of C:\exercise

01/18/2014  05:04 AM    <DIR>          .
01/18/2014  05:04 AM    <DIR>          ..
01/18/2014  05:03 AM               105 my-secrets-myname.txt
01/18/2014  05:04 AM               443 my-secrets-myname.txt.gpg
               2 File(s)            548 bytes
               2 Dir(s)  47,657,218,048 bytes free

C:\exercise>

if you try to view the contents of this file you'll find that it's a binary blob. e.g. on linux:

$ cat my-secrets-myname.txt.gpg

or on windows:

C:\exercise>type my-secrets-myname.txt.gpg

Let's encrypt with an ASCII encoding - and this time we'll save time and specify the recipient directly with the '-r' flag:

$ gpg -a -e -r bob@bob.com my-secrets-myname.txt

By the way, do you notice anything ?

Hint: Did you have to specify the passphrase at any point to ENCRYPT ?

Check the contents of the directory again:

$ ls -l my-secrets-myname.txt*
-rw-rw-r-- 1 sanog sanog 102 Jul 30 12:45 my-secrets-myname.txt
-rw-rw-r-- 1 sanog sanog 441 Jul 30 14:30 my-secrets-myname.txt.gpg
-rw-rw-r-- 1 sanog sanog 694 Jul 30 14:40 my-secrets-myname.txt.asc

You should see an ".asc" file present.

Look at its contents!

Now, you can delete the original .txt file.

$ rm my-secrets-myname.txt

2.4 Decrypting files

To decrypt a file with GnuPG/PGP, all you have to do is type:

$ gpg my-secrets-myname.txt.asc

GnuPG/GPG automatically figures out who the file is encrypted for, and checks to see if you are in possession of the private key (you are), and you are prompted for your passphrase:

You need a passphrase to unlock the secret key for
user: "Bob Bobson (sanog key) <bob@bob.com>"
2048-bit RSA key, ID 3BE8FE75, created 2013-07-30 (main key ID C9FBE546)

gpg: gpg-agent is not available in this session
Enter passphrase:

If the file original file still exists, then gpg will ask you before it overwrites it:

File `my-secrets-myname.txt' exists. Overwrite? (y/N) y

If you answer 'y', it will overwrite as indicated.

Look at the contents of the file 'my-secrets-myname.txt' and confirm that they are correctly decrypted!

2.5 Encrypting email

The tools you downloaded also include plugins for the various mail user agents that are commonly used on the relevant platform. E.g if you use mail.app on OS X you already have a GNU PG plugin installed and for windows GpgOL will have installed an Outlook plugin.

If you use Thunderbird, you have to download and install enigmail using your Add-ons manager. The most important configuration item you'll have to specify is the location of the gpg binary. On OS X that is /usr/local/bin/gpg which will be a symlink to /usr/local/MacGPG2/bin/gpg2. On windows "C:Files.exe".

In either case you end up with a compose window that includes an "OpenPGP" selection that allows you to pick a key and encrypt the email to that person.

Question: How do you get the public key of the person you want to send the email to? And how do you ensure that the key that you've received is in fact for the person you want to send the mail to?

For now you should be able to send yourself an encrypted email and receive it and decrypt it in your mailer. Try that now.

3 Distributing and trusting keys.

3.1 Exporting your public key with GPG

The first step is to export your public key in a form that can be copied and imported by your colleagues.

Remember, to see which keys you have in your key ring, use the following command:

$ gpg --list-keys

The output will be a list of the keys contained in your keyring:

/home/sysadmY/.gnupg/pubring.gpg
-------------------------------
pub   2048R/C9FBE546 2013-07-30
uid                  Bob Bobson (sanog key) <bob@bob.com>
sub   2048R/3BE8FE75 2013-07-30

Let's make a copy of our public key, and place it in a text file, ready to be sent to our friends and colleagues.

Note: a key can be addressed in one of several ways:

We'll use the email address:

$ gpg --export -a --output myname-key.asc my@email.address

... of course, replace myname with your name (no spaces!) and replace me@email.address with the email address you entered when you created your key in the previous exercise. That is the email address you see when running "gpg --list-keys".

This will produce a file "myname-key.asc". You can view its contents using the "less" or "more" command:

$ less myname-key.asc

You will see something similar:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBFH3yPkBCAC2DHRIk6FXiovejBXlNgZdnapHqq7OwascfluD+qX7wDk93etX
4Y+GfSLC2vlC4tNlB9VEYgMAY61sQC31ZoY9vr5MfJnZPcN+3Byzx2G0d8lwnH0g
[...]
t1CdT+UawL0dWu4bkNHjC8qwBgOPedS/VBJqlJl4TWg832CXRYI=
-----END PGP PUBLIC KEY BLOCK-----

3.2 Exchanging keys

Let's stop for a second and think:

This is a three step approach:

  1. Import the key of the person you wish to send encrypted files/messages to

  2. Encrypt the message/file using the public key of that person (recipient)

  3. Communicate (copy) the message to the recipient

NOTE NOTE NOTE: You don't have to send your key to the same person/group you received a key from. You can pick another group.

Once you've agreed who you will send messages to, and which other person you will receive messages from, proceed with the steps below:

3.2.1 mailing keys.

For now we shall mail each other the public key that we've just created. Ensure that you do not send anyone your private key. Note that this is very insecure. If anyone intercepts this email they can easily replace the attachment.

Open your mail client and attach the key you just exported as a file. (Some PGP plugins for mail clients allow you to do both the export and exchange step within the mailer)

3.2.2 Receiving (and importing) the key of another group (so you can encrypt

When you receive the email, save the attachment and either use your GUI to add it to your keyring (look for an "import" option) or do this from the command line:

$ gpg --import theirname-key.asc

You will see:

gpg: key E24ACC69: public key "Alice (Alice) <alice@eve.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

At this point, the key of your correspondent is now imported into your keyring.

Verify this:

$ gpg --list-keys

The output should be similar to this:

/home/sysadmY/.gnupg/pubring.gpg
-------------------------------
pub   2048R/C9FBE546 2013-07-30
uid                  Bob Bobson (sanog key) <bob@bob.com>
sub   2048R/3BE8FE75 2013-07-30

pub   2048R/E24ACC69 2013-07-31
uid                  Alice (Alice) <alice@eve.com>
sub   2048R/438E172B 2013-07-31

... note that your public keyring now contains two keys!

Note: you can verify that you still only have your own SECRET key in your SECRET keyring - verify this with the command:

$ gpg --list-secret-keys

... you should only see your own key. This is expected: you only imported the PUBLIC key of your colleague.

3.3 encrypting files for your colleague to read (optional).

You could opt to encrypt the text file we had earlier and chose your collegue's key instead of yours as follows: (don't do this for now)

$ gpg -a -e -r alice@eve.com my-secrets-myname.txt

You will see output similar to this:

gpg: 438E172B: There is no assurance this key belongs to the named user

pub  2048R/438E172B 2013-07-31 Alice (Alice) <alice@eve.com>
 Primary key fingerprint: 23F5 A6B0 98CC C571 B8DE  9B29 9EDB 8FBE E24A CC69
      Subkey fingerprint: 7062 E046 C0B6 993A 6C62  5E57 657D 4930 438E 172B

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

Notice how you are being informed that you have no proof that this key really belongs to this person...

Think about the implications!

Note: you might be told the file already exists and you should overwrite it:

File `my-secrets-myname.txt.asc' exists. Overwrite? (y/N)

You should end up with a new file that is only decryptable by alice@eve.com. You then have to figure out how to send it to them say by putting it on a flash disk or similar.

3.4 encrypted email.

We shall skip to sending email. Open your mail client and send an email to alice@eve.com (replace this with a colleague for whom you have a key). Before clicking send, find the openPGP prompt and select "encrypt" and it should generate an email that will be sent to your colleague and they'll need to decrypt it to read it.