OpenPGP/GnuPG

By
Ahmed Rawi

Agenda

What is Cryptography?

GnuPG History.

What is PGP/GnuPG?

What can PGP/GnuPG do?

GnuPG Configuration

What is Cryptography?

Cryptography
The science of using mathematics to encrypt and decrypt data.
A method of securely sending data over an insecure communication
medium.

Cryptanalysis
The science of analyzing and breaking secure communications.

Cryptology is the combination of the two.

What is Cryptography? (Contd)

Two main types of cryptography

Symmetric
-Same key encrypts/decrypts
-DES, AES, IDEA

Asymmetric
-Different keys for encryption/decryption
-Also called public key cryptography
-RSA, Diffie-Hellman, ElGamal

GnuPG History
Pretty Good Privacy
Encryption program written by Phill Zimmerman in 1991.
Zimmerman released it on the Internet.
OpenPGP
A standard for encrypted/signed messages.
RFC 2440, November 1998
Gnu Privacy Guard
An implementation of OpenPGP.

PGP/GnuPG

GPG, or GNU Privacy Guard, is a public key cryptography

implementation.

This allows for the secure transmission of information

between parties.

It can be used to
Ensure That Only the Intended Party Can Read
Validate the Identity of the Sender

Cross Platform (Mac, PC, Linux)

What can PGP/GnuPG do?

Encrypt / Decrypt

Messages
Files
Digital Signatures
Key management

Create secret and public keys

Manage a list of keys
Certify keys
Revoke or disable keys

Key Generation

you need to create a key pair. You can do this by issuing

the following command:

$gpg --gen-key

Each key will be mapped with a user id and password.

It asks for your name, E-Mail and passphrase

Key Maintenance

To list your available GPG keys that you have from other
people, you can issue this command:
$gpg -k
pub 4096R/311B1F84 2013-10-04
uid
Test User <test.user@address.com>
sub 4096R/8822A56A 2013-10-04

Note:
The highlighted portion is your key ID. It is a short way
to reference the key to the internal software.

Specify a keyserver

To upload your key to a certain key server, you can then

use this syntax:
$gpg --keyserver pgp.mit.edu --send-keys 311B1F84

Receive
$gpg --keyserver [keyserver] --recv-key [UID]

Encrypt Messages

You can encrypt messages using the "--encrypt" flag for

GPG. The basic syntax would be:
$gpg --encrypt --sign --armor -r pern@em.com file

The parameters basically encrypt the email, sign it with

your private key to guarantee that it is coming from you,
and generates the message in a text format instead of
raw bytes.

You should also include a second "-r" recipient with your

own email address if you want to be able to read the
message ever.

Symmetric Encryption

You can encrypt files using symmetric encryption (as opposed

to public key encryption) with the --symmetric command. You
will be prompted for a passphrase to protect the key used to
encrypt the file
$gpg --symmetric <file name>

Symmetric encryption is useful if you don't plan to deliver or

distribute the files to other people. For example, you may
simply want to protect sensitive files on your own hard drive
(not distribute them to other people).

You can combine the --symmetric command with the -output or --armor options, just like the --encrypt command.

Decrypt Messages

When you receive a message, simply call GPG on the

message file:
$gpg file_name

Refresh Key

Your key information can become outdated if you are

relying on information pulled from public key servers.
You do not want to be relying on revoked keys.

You can update the key information by issuing:

$gpg --refresh-keys
This will fetch new information from the key servers.
You can pull information from a specific key server by
using:
$gpg --keyserver pgp.mit.edu --refresh-keys

Key signing

ONLY SIGN A KEY WHEN YOU ARE ABSOLUTELY SURE IT IS

AUTHENTIC!!!
$gpg--lsign-key<keyID>

or you can switch to interactive mode like this:

$gpg--edit-key<keyID>
Command>sign
Command>quit

Make sure you send the newly signed key to a key server.

Public key fingerprints

It is a short sequence of bytes used to authenticate or

look up a longer public key.

Fingerprints are created by applying a cryptographic

hash function to a public key. Since fingerprints are
shorter than the keys they refer to, they can be used to
simplify certain key management tasks.

The recipient often wishes to authenticate the public key.

Fingerprints can help accomplish this, since their small
size allows them to be passed over trusted channels
where public keys won't easily fit.

Public key fingerprints (Contd)

For example, if Alice wishes to authenticate a public key

as belonging to Bob, she can contact Bob over the phone
or in person and ask him to read his fingerprint to her,
or give her a scrap of paper with the fingerprint written
down
$gpg --fingerprint <uid>

Key revocation

Always generate a revocation certificate after generating

a key.

If you lose your pass phrase, you can generate

revocation key
$gpg --output <file name> --gen-revoke [UID]

Key revocation

if your key ever becomes compromised you can revoke it

by first importing the revocation certificate into your
keying:
$ gpg --import <revoke file>

You must guard your revocation certificate. Copy it to a

CD or USB stick and lock it up, and delete it from your
computer.

Conclusion

GPG is a tool you can use to improve communication

security.

It is integrated into a few packages, but the interface

could be better/Barrier to use

Better when used all the time.