GPG Tutorial. 1 Introduction. 2 Creating a signing and encryption keys. 3 Generating a revocation certicate. Andreas Hirt July 12, 2009



Similar documents
Encrypting with KMail, Mozilla Thunderbird, and Evolution LOCK AND KEY BY FRAUKE OSTER

The KGpg Handbook. Jean-Baptiste Mardelle Rolf Eike Beer

LiteCommerce Advanced Security Module. Version 2.8

How To Encrypt A Traveltrax Report On Gpg On A Pc Or Mac Or Mac (For A Free Download) On A Thumbdrive Or Ipad Or Ipa (For Free) On Pc Or Ipo (For An Ipo)

Ubuntu Open PGP IMPLEMENTATION. Dr. ENİS KARAARSLAN 2014

WiMAX Public Key Infrastructure (PKI) Users Overview

The GNU Privacy Handbook

GPG installation and configuration

Signing and Encryption with GnuPG

Signing and Encryption with GnuPG

Using Your PGP Tool to Update Your Address Settings for Encrypted Messaging

Pretty Good Privacy with GnuPG

Overview Keys. Overview

1.2 Using the GPG Gen key Command

Tutorial: Encrypted with Thunderbird and Enigmail. Author: Shashank Areguli. Published: Ed (August 9, 2014)

TABLE OF CONTENTS. Legend:

How to use PGP Encryption with iscribe

Using Entrust certificates with Microsoft Office and Windows

The Handbook V 1.8 Adaptations by Ludwig Hügelschäfer Based on Version 1 by Daniele Raffo with Patrick Brunschwig and Robert J. Hansen.

4. Click Next and then fill in your Name and address. Click Next again.

Please note that a username and password will be made available upon request. These are necessary to transfer files.

INTRODUCTION TO CRYPTOGRAPHY

SECURE USER GUIDE OUTLOOK 2000

How To Send An Encrypted In Outlook 2000 (For A Password Protected ) On A Pc Or Macintosh (For An Ipo) On Pc Or Ipo (For Pc Or For A Password Saf ) On An Iphone Or

NeoMail Guide. Neotel (Pty) Ltd

How to Setup Privacy Guard Encryption.

CLIENT DATABASE SECURITY

HW/Lab 1: Security with PGP, and Crypto CS 336/536: Computer Network Security DUE 09/28/2015 (11am)

Secure Part II Due Date: Sept 27 Points: 25 Points

THUNDERBIRD WORKBOOK

Encrypting and signing

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

gpg4o Manual Version 3.0

XCOM File Transfer. Specification

PGP Desktop Quick Start Guide version 9.6

An Introduction to Secure . Presented by: Addam Schroll IT Security & Privacy Analyst

Biography of Trainer. Education. Experience. Summary. TLS/SSL : Securing your website PGP : Secure your communication. Topic

HMRC Secure Electronic Transfer (SET)

2. To encrypt the drive for future use, click Yes (Fig 1, 2). This will start the encryption process.

Sterling Integrator. PGP Server Manager 5.1

isecur User Guide for iphone

It s easy to find the answers to your questions about PaymentNet!

COMP 3704 Computer Security

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

CHARTER BUSINESS custom hosting faqs 2010 INTERNET. Q. How do I access my ? Q. How do I change or reset a password for an account?

MS Outlook Express: Basics. Lesson Notes Author: Pamela Schmidt

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

BounceBack User Guide

Netscape Setup Instructions

How to Create and Maintain an Anonymous Identity Online

Pretty Good Privacy PGP for Personal Privacy, Version 5.0. User s Guide. PGP, Inc. For the Mac OS

Secure Message Center User Guide

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

PGP Desktop Encrypting Removable Media. May Version 1.3

PGP Zip Self-Decrypting Archive (SDA) 5/29/2012 Version 1.1

PDG Software. Keyman Encryption Guide

CGS 1550 File Transfer Project Revised 3/10/2005

Sending an Encrypted/Unencrypted Message. Let's Begin: Log In and Set Up Security Questions. Create Additional ProMailSource Accounts:

Receiving Secure from Citi For External Customers and Business Partners

TCS-CA. Outlook Express Configuration [VERSION 1.0] U S E R G U I D E

SOS SO S O n O lin n e lin e Bac Ba kup cku ck p u USER MANUAL

Sophos SafeGuard Native Device Encryption for Mac quick startup guide. Product version: 7

Creating Digital Signatures

User Guide May Using Certificates in Outlook Express

ProjectWise Explorer V8i User Manual for Subconsultants & Team Members

Transition from Pegasus Mail To Exchange/Outlook 2003

msigna Getting Started

Internet Programming. Security

User Guide. Please visit the Helpdesk website for more information:

TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link:

Symantec Encryption Desktop for Windows

Symantec PGP Whole Disk Encryption Hands-On Lab V 3.7

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

WebApp S/MIME Manual. Release Zarafa BV

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

4cast Client Specification and Installation

Set up Outlook for your new student e mail with IMAP/POP3 settings

Table of Contents. WinPT Documentation. Important notice...1 About the file release numbering conventions What is WinPT?...

PDG Software. PDG Key Manager User Guide

Implementing Secure Sockets Layer on iseries

SPS ELECTRONIC HELP DESK Navigational Manual

Symantec Encryption Desktop for Mac OS X

Digital Signatures on iqmis User Access Request Form

Business Objects InfoView Quick-start Guide

JPMorgan Chase Treasury Workstation. Certification Setup Guide Version 2.0

Using Entrust certificates with Adobe PDF files and forms

Published : License : None

Telstra Wholesale Digital Certificates

Instructions for Configuring Your Browser Settings and Online Security FAQ s. ios8 Settings for iphone and ipad app

1. Open the Account Settings window by clicking on Account Settings from the Entourage menu.

Parallels Panel. Parallels Small Business Panel 10.2: User's Guide. Revision 1.0

Configuring the NetBackup 7.7 Cloud Connector for use with StorReduce

Using Websense Data Endpoint Client Software

Internet Explorer Settings for use with Privia

Outlook Start Outlook, and click on mserver.wlu.ca. 2. From the Tools menu, choose Options

TrustKey Tool User Manual

Last modified: November 22, 2013 This manual was updated for the TeamDrive Android client version

Exostar LDAP Proxy / Secure Setup Guide. This document provides information on the following topics:

Domino Certification Authority and SSL Certificates

Transcription:

GPG Tutorial Andreas Hirt July 12, 2009 1 Introduction The purpose of this document is to give a brief introduction on how to set up and use GPG, the GNU implementation of PGP. The reader must rst generate keys, a revocation certicate, set trust levels, and exchange keys as described in Section 2 to 5. Then the user can integrate GPG into Evolution to perform signing/encryption and verication/decryption of email as described in Section 6. Lastly, Section 7 describes methods to distribute keys. It is strongly encouraged that [1] be read rst before using this document. 2 Creating a signing and encryption keys To generate a new primary key-pair the command is: gpg --gen-key Do this command twice: the rst time it creates the.gnupg and the options directories. You are then prompted to select the kind of key you want. The default option of 1 creates both a DSA key-pair and ElGamal key-pair for signing and encryption, respectively. However, this is not recommended because you are then forced to impose the same expiration date on both keys. The roles of the two keys are dierent. The DSA master signing key should not expire whereas the encryption key should (see Selecting expiration dates and using subkeys in [1] for justication). You should rst create your master signing key (DSA) and then the encryption key (ElGamal) using gpg --edit-key mykey where mykey is any part of the user ID you just entered. Once you've chosen the type of key to create, you are then prompted to enter the keysize, expiration date, user ID, and passphrase, and to ensure that you chose an encrypt-only ElGamal key. For the DSA key, ensure that the keysize is the maximum (1024 bits) due to the lifetime of the master signing key and the vulnerability of DSA. For the ElGamal key at least 1024 bits are recommended. The user ID cannot be edited, so it should be created carefully (you can only add new user ID's). Lastly, the passphrase should be carefully chosen: it should not use words from a dictionary and should be a mix of both cases of alphabetic characters and non-alphabetic characters (numbers, punctuation, et cetera). The passphrase is used to unlock your private key and is the easiest method for an adversary to break your private key. Once you are done, exit via the command quit. 3 Generating a revocation certicate You should immediately generate a revocation certicate for your primary public key using the option --gen-revoke, for example: gpg --output revoke.asc --gen-revoke mykey where mykey is any part of the user ID that identies your key pair. This allows you to publish the revocation in the event that you forget your passphrase and cannot use your private key, or if your private key is lost or compromised. Ensure that the certicate is not stored where others can use it, otherwise an adversary could publish it and cause others to revoke your key-pair. 1

4 Exchanging Keys To exchange keys, use the commands: gpg --list keys gpg --armor --output keyfile.gpg --export mykey where mykey is any part of the user ID (listed in list-keys) for the key-pair that you want to exchange. It creates a le keyfile.gpg that contains the public key, et cetera in ASCII-armor so that it can be easily exchanged (default is binary). 5 Importing a public key, signing it, and setting trust A public key (along with any signatures that have been added to it) can be imported with the command: gpg --import keyfile.gpg Importing a key does not sign it, but before you sign it you should check its ngerprint as follows. Here keyid is any part of the user ID of the key; if you don't know it, use the gpg --list keys command. gpg --edit-key thekeyid fpr Because you do not want the web of trust to be corrupted, it is essential that you check the ngerprint to ensure that it is a valid key (i.e., the binding of the user's identity to the key is correct). The ngerprint should be checked with the person who owns the key, as along as you can guarantee that you are communicating with the key's true owner. Once your are condent in the user/key binding, to sign the key, use the command: sign assuming that you are still in the --edit-key thekeyid dialog. Once you've signed the key, to list the signatures on it and see the signature you've added use the commands: check exit assuming that you are still in the --edit-key thekeyid dialog (note that exit exits the --edit-key dialog). Recall that there are two dierent types of trusts (slightly dierent terminology in GPG and PGP): 1. Owner trust how much you trust the owner to correctly sign another person's key. 2. Validity calculated trust value using web of trust (based path length, number of fully trusted keys, and number of marginally trusted keys). The path length indicates how long the path length of signed keys leading from K back to your own key. To set your validity parameters, there appears to be no simple interface (please let me know if you gure it out). The best method is to edit the options le (default location is /.gnupg/options) and change the parameters as necessary, for example: #honor-http-proxy keyserver-options honor-http-proxy #Trust options completes-needed 1 2

marginals-needed 2 max-cert-depth 4 #Keyserver option keyserver pgpkeys.mit.edu Note that while you are there, you can comment out honor-http-proxy (at end of default options le) which is deprecated and replace it with keyserver-options honor-http-proxy. You can also set your keyserver option to the keyserver of your choice (see Section 7 for details on keyservers). To change owner trust in a key, use: gpg --edit-key userid trust and follow the prompts accordingly to enter the appropriate trust. To see the trust level for a key: gpg --edit-key userid The listing shows you the key with its secondary keys and all user IDs. Selected keys or user IDs are indicated by an asterisk. The trust value is displayed with the primary key: the rst is the assigned owner trust and the second is the calculated trust value. Letters are used for the values: 1. - no owner trust assigned / not yet calculated, 2. e trust calculation has failed; probably due to an expired key, 3. q not enough information for calculation, 4. n never trust this key, 5. m marginally trusted, 6. f fully trusted, 7. u ultimately trusted. 6 Incorporating GPG with Evolution 6.1 Setup To run evolution, just type evolution& in a terminal. If you have not ran it before, it will ask you if you want to import information from Pine or Netscape Mail, it will then proceed to ask you for your e-mail information. After you enter your identication, it will ask for the e-mail server information for receiving mail, please see the following URL for the required information: http://www.cpsc.ucalgary.ca/help/internet/email/emailsystinfo.php In addition, make sure that you change your server type for receiving mail to POP (IMAP will not work). Then it will ask you for your e-mail server information for sending mail, please see the following URL for the required information: http://www.cpsc.ucalgary.ca/help/internet/email/emailsystinfo.php After you are done entering this information, Evolution will start. changes: You then need to make a few more 3

1. Left click tools 2. Left click mail settings 3. Left click the account you just created to highlight it, and then left click edit. 4. Left click the tab receiving options. 5. Left click the button leave messages on server. 6. Left click the tab security. 7. Enter your PGP Key user ID. 8. Left click the bullet \Always Encrypt to myself when sending encrypted messages." This is essential to maintain a record of the session key (encrypted with your public key) used to encrypt an email, in case you want to read an encrypted email that you sent previously. 9. Optionally, left click the bullet \Always sign outgoing messages when using this account." You are now done the set up and can use Evolution to send/receive encrypted mail. 6.2 Sending signed and/or encrypted e-mail To send a message, choose new message from the top tool bar on the left hand side. Write your message and then left click \Security" on the top right hand side. Choose \PGP sign" and \PGP encrypt" as needed. When you send the mail, it will ask you for your secret pass-phrase to unlock your private key. 6.3 Receiving signed and/or encrypted e-mail When receiving an e-mail that is only signed, there will be a lock icon on the bottom of your screen. You can left click it to see the signature information. When receiving an e-mail that is signed and encrypted or just encrypted you will be prompted for your secret pass-phrase to unlock your private key in order to perform decryption. 6.4 Maintaining your key ring Unfortunately, there is no GUI in Evolution for maintaining your keyring, and this must be done in a terminal as described in Section 2 to 5. 7 Distributing keys In order to send someone an e-mail with PGP, they must also be using PGP and you must know their keys. Common methods are to publish keys on personal websites, include them in one's.plan le, exchange them via e-mail, exchange them in person, or store/retrieve them on a GPG keyserver. However, one MUST validate the ngerprint on the key as described in Section 5. Another reason to distribute keys is to collect signatures on your key. Have the other user send you your updated and newly signed key, update your key by importing it and checking the signatures, and then re-publish it on a key server. There are server popular keyservers around the world, and they synchronize themselves. Just pick a keyserver that is close to you on the Internet. Note that these keyservers can also be used to look up keys. For a list of keyservers see For example, you can go to: http://openpksd.org/kslist.html 4

http://www.keyserver.net/en/ and nd my key by searching for hirt@cpsc.ucalgary.ca. Another method to send and receive keys eciently is: gpg --send-keys --keyserver pgpkeys.mit.edu IDs gpg --recv-keys --keyserver pgpkeys.mit.edu IDs 8 Common Questions Key IDs are found in the second column output by --list-keys. For example, in the short sample output: ----------------------------------- pub 1024D/E05E7378 2004-03-02 Andreas Hirt (Student) <hirt@cpsc.ucalgary.ca> sub 1024g/9C685721 2004-03-02... the key IDs are E05E7378 and 9C685721. Note that ID is not the same as user ID. One question will certainly come up is: \Why do I get the error gpg: Warning: using insecure memory!?" The reason you get this is because the executable (to nd it use whereis gpg) does not have locked memory pages (instead of executable x permission you want s permission). Locked memory pages prevent the OS from writing them to disk, i.e., you don't want the gpg executable to page information temporarily such as your unencrypted secret key to disk. To change this requires root permission and can have a negative impact upon performance. If you think that the gpg executable permissions should be changed to use locked memory pages, please e-mail bugzilla@cpsc.ucalgary.ca and let them know. It is possible to supress this warning in the options le, but this is not recommended, lest your forget about the vulnerability. For more information see [1]. In addition, an excellent FAQ for GPG can be found at http://www.gnupg.org/documentation References [1] M. Copeland, J. Grahn, and D. Wheeler. \The GNU Privacy Handbook", http://www.gnupg,orf/gph/en/manual.html, 1999. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information