Monday, October 12, 2009

Linux Securirty Notes 9: GPG Encryption

    Gnu Privacy Gard is an open source of Pretty Good Privacy and 100% compatible with PGP.It based on PKI (Public key private key encryption). GPG encrypts data / mails etc.

Steps in Encrypting Data using the GPG

Step 1:
    Genarate PKI pairs (Public/private Key)
# gpg --gen-key
     This will Prompt for options like key strength and various other details and store the key inside ~/.gnupg/.
pubring.gpg and secring.gpg are the public and private keys respectively.
Now make note of the key finger print. This is used to matching the public keys.
# gpg --list-keys
    This will show the keys that has been generated
# gpg --fingerprint
    This will show the finger print for the keys.

Step 2:
    Now we can encrypt the data using the private key
Encrypt the data:
# gpg --list-keys
    This will list the keys
# gpg --encrypt -r kiran install.log
    -r is used to define the public key ID also can use the user name(This reffers which key has to be used) and the install.log is the file that we are encrypting. As a result  a new file will be created by the name install.log.gpg. Now if we cat the content of the file install.log.gpg now we can see that the file is been encrypted (This will use the compression as well so file size will be less than the original file).

Decrypt the data:
#gpg --decrypt install.log.gpg
    Will decrypt the file and the STDOUT will be shown in the bash terminal.
# gpg -o install.log --decrypt install.log.gpg
    This will decrypt to the file install.log

Encryption Decryption using the Armor
# gpg -e --armor -r kiran install.log
    This will encrypt the data with armored (Neatly encrypts the data). Creates the file with the name install.log.asc
# gpg --decrypt install.log.asc
     this will decrypt the encryption with armor

Encryption and Decryption accross the network:
    Now in this case we have to export the publicring keys and import it on remote machine to decrypt the data.
Exporting the public Key.
In host1:
# gpg --export --armor -o
    This will export the public key to the file remotehost.asc. Now this key can be imported to any host for decryption.
In host2:
# gpg --export --armor -o
    Now both the users have exported their public keys. Now we can import the public keys to system to create "web of trust".

Now import the keys
In Host 1:
get the public key of Host2 "" securely  and import it
# gpg --import
    This will import the key of Host2 in host1 for the current user
# gpg --list-keys
    This will show all the keys.

Now import the keys
In Host 2 also:
get the public key of Host1 "" securely  and import it
# gpg --import
# gpg --list-keys

    Now we have both the pub keys installed in both systems.

Testing the encryption:
# gpg --list-keys
# gpg -e -r 89909823636 --armor -o test.txt.asc  test.txt

     While encryption make sure that the same key is used. For this instead of giving the username for the flag " -r " use the key ID in our case it is "89909823636". Now this will re-confirm the key that going to encrypt.
This will encrypt the file and send this accross the wire to host2.
In host2
# gpg --list-keys
     Find the key which has the ID 89909823636 from above command
# gpg --decrypt -r 89909823636 -o test.txt test.txt.asc
    This will decrypt the file and create the new file test.txt.
GPG - Signing & Encryption
 * Signing is different from encrypting the data. Signing is to prove the authenticity of the data send to the reciever stating that "This data belongs to the sender". Signing is independent to encryption of data. We can encrypt without signing. Sign and Encrypt to prove authenticity is recommended.

Signing a file:
     The Private key of the sender is used to sign the data. And the recipient decrypts the signature using senders public key.

Encrypt the data
# gpg -e --armor -r 80098FC8 file.txt
    This will armor and encrypt the file using the key ID 80098FC8 .
When a file is singed, when decrypting the the data the gpg will show the signature

Signing and Encrypting:

#gpg -se --armor -r 80098FC8 file.txt   
    This will encrypt as well as sign the data using the private key 80098FC8 . Now when we decrypt the data the gpg will show the signature as well as Key finger print and also about the key whether it is trusted or not in the shell output.
#gpg -d -r 80098FC8 file.txt.asc
    This will decrypt the data along with it will show the signature too. But if the trust level of the key is not set this will show you the msg that "there is no indication that this key belongs to sender"

Increasing the Trust Level of the KEY.(Certifying the key with trusted signature):

#gpg --edit-key  8177ACE
    This will give the promtp to edit the key having the ID 8177ACE.
Command> help
    Will show the help menu
Command> trust
    Now give the trust level(the each level will be explained by the interactive menu in gpg) Select from 1 to 5 class of trust.
Command>  quit
    Now the trust level is set.

So now sign, encrypt and send to remote user. Now decrypt the file in the remote machine.
Note:- Still if u see that trust need to increased in remote machine, This means in remote system also we have to increase the trust level. Now test again.

GPG - detaching the signature:
     (--detach-sign or -b) This option will detach the signature from the encrypted file and both the signature and encrypted file can be send it separately to remote system.When creating the detached signature no need to specify the recipients (-r) public key. The process of creating the signature relies upon the senders private key.

Creating the encrypted file and a separate signature for it.
# gpg -ea -r 8900DAC08 test.txt
    This will create a encrypted file called test.txt.asc. But this will not be signed.
# gpg -b test.txt.asc
    (-b will tell to create a seperate signature) The signature created by each and every file will be different.
This will create a file called test.txt.asc.sig
Now send both the file to remote system.
Testing the file with the signature in remote system.
    When verifying and decrypting the content of assosiated encrypted file follow this

1. Verify the md5sum
2. Verify the signature
3. Decrypt the encrypted file

Verify the md5sum
# Check the md5sum and compare with the sender's md5sum for both the file and signature

Verify the signature
# gpg --verify  test.text.asc.sig  test.text.asc

    This will return the signature status.

Decrypt the encrypted file
# gpg -d -o test.txt test.text.asc

Integrating the GPG with mail clients:
    The encryption is based on the email address in allmost all the MUA. It is not done by the key ID. So make sure that the matching key has been installed in both of senders and relievers MUA before encrypting and sending the msg. The GPG key has to be created and trust level has to be defined with the exact mail ID.

No comments:

Post a Comment

tag ur valuable ideas below