1 / 17

Public Key Cryptography and GnuPG

CPT 555 Network Security. Public Key Cryptography and GnuPG. Class Objectives. Students will be able to understand the importance of Public Key Cryptography. Students will implement GPG Students will be able to: Create keypair Import and export public keys Revoke keys Encrypt keys

conlan
Download Presentation

Public Key Cryptography and GnuPG

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CPT 555 Network Security Public Key Cryptography and GnuPG

  2. Class Objectives • Students will be able to understand the importance of Public Key Cryptography. • Students will implement GPG • Students will be able to: • Create keypair • Import and export public keys • Revoke keys • Encrypt keys • Decrypt keys • Sign keys • Encrypt keys

  3. Using GnuPG (gpg) Objectives: • Key management • Create a keypair • Import and export public keys • Revoke a keypair • Encryption and decryption • Signing and authentication

  4. Preparing to Create a Keypair • Choose a good passphrase • long • hard to guess • contains special characters • Choose an algorithm • DSA/ElGamal (recommended) • RSA • Choose a key length • use the largest practical length • I recommend 2048 bytes

  5. Creating the Keypair • Create the keypair gpg --gen-key • Create the revocation certificate gpg --gen-revoke • Store hard copies of the keypair and certificate in a safe place

  6. Exporting Your Public Key • Export the key gpg --export uid > pubkey.gpg • Creates a binary file • Use --armor to create a text-encoded file gpg --armor --export uid > pubkey.asc Note: uid is any part of user name or keyID (last 4B of fingerprint). See below.

  7. Publishing Your Key • Reminder: Never publish your secret key • Be sure your exported public key is correct and you have a revocation certificate! • Put it on your web site, a floppy disk, a USB memory key, etc. • Put the fingerprint in your e-mail signature, on your business cards, etc. • Send your public key to a public key server gpg --send-key uid

  8. Getting Public Keys • Through a secure, out-of-band channel, get your correspondent’s fingerprint • Usually, the last four bytes of the fingerprint are the key ID • Get the key from your correspondent’s web site, floppy disk, key server

  9. Importing Public Keys • Check the fingerprint (use check command) 1F13 06BC EDB1 4BD1 4952 51BC F203 3CF8 CAF9 A5E1 • Import the key • from a key server gpg --recv-keys 0xCAF9A5E1 • from a file (puts the key on your keyring?) gpg --import pubkey.asc • Confirm the fingerprint (that key is correct) gpg --fingerprint username

  10. Your Keyring • Holds your public keys and imported public keys • List all keys in your keyring gpg --list-keys • With signatures gpg --list-sigs • Delete a key (on your key ring?) gpg --delete-key uid

  11. Signing Keys • Only sign a key if you know it’s authentic • received through a secure channel • checked credentials of sender • checked fingerprint • To sign a key, you must edit it gpg --edit-key uid • Interactive mode • Use the sign command • Export the key so its owner can re-import it, complete with signature

  12. Assigning Ownertrust • How well do you trust the key’s owner to correctly verify keys? • Assign ownertrust with the trust command • Don’t know • Do not trust • Trust marginally • Trust fully • Trust ultimately

  13. Encrypting Messages • Make sure you have all recipients’ keys gpg --recipient user1 --recipient user2 ... --encrypt filename • Creates a binary file, filename.gpg • Use --armor to produce a text-encoded file, filename.asc • Include yourself as a recipient with --encrypt-to-self uid

  14. Signing Messages • Sign with your private key: gpg --sign filename • Creates a binary file, filename.gpg • Use --clearsign instead of --sign to leave the message in plain text, surrounding it by a text-encoded signature (filename.asc) • Will prompt for passphrase (enter it securely!)

  15. Signing and Encrypting • Always do both (sign first, then encrypt) • Just combine the commands to sign and encrypt in one step gpg --armor --recipient user1 --recipient user2 ... --encrypt --sign filename • Will prompt for passphrase (enter it securely!)

  16. Decrypting and Authenticating • Decrypting is GnuPG’s default behavior: gpg filename.gpg gpg filename.asc • Either will produce filename • Use --verify to verify the signature, thus authenticating the sender

  17. References and Good Sites • GPG Home • Mini How-to • The Diceware Passphrase Home Page • Modular Arithmetic

More Related