Using PGP and GPG

About This Presentation

Title:

Using PGP and GPG

Description:

beware of line wrap and funky characters ... Fred Flintstone (fake) fredf_at_jellystone.park ... 20 characters of english text as passphrase = 26 bits of entropy ... – PowerPoint PPT presentation

Number of Views:1036

Avg rating:3.0/5.0

Slides: 53

Provided by: jamesele

Category:

more less

Transcript and Presenter's Notes

Title: Using PGP and GPG

1
Using PGP and GPG

James Leinweber
Wisconsin State Laboratory of Hygiene
Badger Incident Response Team
"There are two kinds of cryptography in this
world
cryptography that will stop your kid
sister from reading your files,
and cryptography that will stop major
governments ...
-- Bruce Schneier (preface to Applied
Cryptography, 1994)

2
Outline

Whirlwind tour of PGP and GPG use
About PGP
Keys and Trust
Platforms, Future trends, URLs
(PGP Pretty Good Privacy, GPG GNU Privacy
Guard)

3
PGP verify a security bulletin

major vendors and organizations sign their
security bulletins
Microsoft, Apple, Cisco, Redhat, US-CERT, CIAC
push the PGP plugin icon to check the signature
automatically downloads missing keys from
keyservers

4
PGP sign an e-mail

use the clearsign icon PGP added
runs PGP after the spell checker, which is good
beware of line wrap and funky characters
if the e-mail client modifies the message after
the plugin signs it, the signature wont verify
a big culprit Microsoft word as the editor
or use the PGP tray icon to sign the current
window

5
GPG clear-sign a text file (inline)

jiml_at_lidskialf jiml echo how now brown cow gt
cow
jiml_at_lidskialf jiml gpg --clearsign cow
jiml_at_lidskialf jiml cat cow.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash SHA1
how now brown cow
-----BEGIN PGP SIGNATURE-----
Version GnuPG v1.2.1 (GNU/Linux)
iD8DBQFDVqUmQaGReVxryLkRAhOgAKDnUceWvGEe6KUMrQGhfx
l0ZNlz9ACgsnk0
MFSXxGnjPYSvVyafIDzstjA
qv6M
-----END PGP SIGNATURE-----

6
GPG sign and encrypt a file

jiml_at_lidskialf jiml echo "how now brown cow" gt
cow
jiml_at_lidskialf jiml gpg -es cow
gpg WARNING using insecure memory!
gpg please see http//www.gnupg.org/faq.html for
more information
You need a passphrase to unlock the secret key
for
user "James E. Leinweber ltjiml_at_slh.wisc.edugt"
1024-bit DSA key, ID 5C6BC8B9, created 2002-10-04
jiml_at_lidskialf jiml ls -l cow
-rw-rw-r-- 1 jiml jiml 18 Oct 19
1453 cow
-rw-rw-r-- 1 jiml jiml 669 Oct 19
1453 cow.gpg

7
GPG decode an encrypted file

jiml_at_lidskialf jiml cat cow.asc
-----BEGIN PGP MESSAGE-----
Version GnuPG v1.2.1 (GNU/Linux)
hQIOAs5POfx7DetEAf9HsrIJfj/1XcNytWvG3wr5yebO/cKv
ot1e12sxt0ev7R
khAwxNBdm33MHGSHaodQekPwaJg7AnlwKpRfhvgtDukCwxHUJL
wHsqDdJDDcVdr
XL2sEd9dfPymiHVsTCCnqXs5zzl0ed8iOs5avXpzVn9y2N30s0
8/rmFH2NSOiuVg
wHei21ab5QqNvzhUfjLj3lu2mNtQnh9IQijVilpu6WC8QHhiL
ATbrBsqcoyfgCU
sA
WDMm
-----END PGP MESSAGE-----
jiml_at_lidskialf jiml gpg -d cow.asc
You need a passphrase to unlock the secret key
for
user "James E. Leinweber ltjiml_at_slh.wisc.edugt"
2048-bit ELG-E key, ID F1EC37AD, created
2002-10-04 (main key ID 5C6BC8B9)
gpg encrypted with 2048-bit ELG-E key, ID
F1EC37AD, created 2002-10-04

8
GPG verify a Redhat RPM

jiml_at_russell RPMS rpm --checksig
gnupg-1.2.1-10.i386.rpm
gnupg-1.2.1-10.i386.rpm (sha1) dsa sha1 md5 gpg
OK
validate with rpm --checksig
looks for the signing key on a system RPM keyring
older versions used the users keyring
but first, import keys with rpm --import
Redhat ships their keys in /usr/share/rhn
download 3rd party keys such as Postgres yourself
you should add your own organizational keys too
have your lead PGP users sign it, so people can
trust it
never import an untrusted key

9
GPG sign an RPM file

jiml_at_lidskialf jiml cat .rpmmacros
_signature gpg
_gpg_path /home/jiml/.gnupg
_gpg_name WSLH RPM signing key
ltlinuxadmin_at_slh.wisc.edugt
_gpg_bin /usr/bin/gpg
jiml_at_lidskialf jiml rpm --resign
slh-scram-0.1-1.noarch.rpm
Enter pass phrase
Pass phrase is good.
Reading the directions takes more time than doing
it
You have to generate a key before you sign

10
GPG investigate a key

mkdir bar
gpg --homedir bar --import SLH-RPM-GPG-KEY
gpg key D3E96E59 public key "WSLH RPM signing
key ltlinuxadmin_at_slh.wisc.edugt" imported
jiml_at_lidskialf jiml gpg --homedir bar
--fingerprint
bar/pubring.gpg
---------------
pub 1024D/D3E96E59 2005-09-08 WSLH RPM signing
key ltlinuxadmin_at_slh.wisc.edugt
Key fingerprint 0CAF AF49 E7EB 2E2D F3D6
5E66 BC30 DB7D D3E9 6E59
sub 1024g/F415E89A 2005-09-08 expires
2011-09-07
jiml_at_lidskialf jiml gpg --homedir bar
--list-sigs
---------------
pub 1024D/D3E96E59 2005-09-08 WSLH RPM signing
key ltlinuxadmin_at_slh.wisc.edugt
sig 3 D3E96E59 2005-09-08 WSLH RPM
signing key ltlinuxadmin_at_slh.wisc.edugt
sig 3 5C6BC8B9 2005-09-08 User id not
found
sub 1024g/F415E89A 2005-09-08 expires
2011-09-07

11
PGP verify a detached signature

Right-click the signature file
this one is from the Windows binary for GPG
Use the PGP context menu item for verify
If your keyring lacks the public key, PGP will
search for it
Review the PGP log results

12
GPG verify subversion source

find a project you want, say subversion
or Ubuntu, or
Download the stuff
source tarball or ISO
detached signature file
ls l subversion
-rw-rw-r-- 1 jiml jiml 6982288 Apr 25
1340 subversion-1.2.0-rc2.tar.bz2
-rw-rw-r-- 1 jiml jiml 562 Apr 25
1340 subversion-1.2.0-rc2.tar.bz2.asc

13
GPG 1rst verify try

gpg --verify subversion-1.2.0-rc2.tar.bz2.asc
gpg WARNING using insecure memory!
gpg please see http//www.gnupg.org/faq.html for
more information
gpg Signature made Thu 21 Apr 2005 064652 PM
CDT using DSA key ID 641E358B
gpg Can't check signature public key not found
gpg Signature made Fri 22 Apr 2005 123009 AM
CDT using DSA key ID F894BE12
gpg Can't check signature public key not found
gpg Signature made Fri 22 Apr 2005 051339 PM
CDT using DSA key ID EC6B5156
gpg Can't check signature public key not found

14
GPG get missing keys

gpg --recv-keys --keyserver hkp//pgp.mit.edu
641E358B F894BE12 EC6B5156
gpg WARNING using insecure memory!
gpg please see http//www.gnupg.org/faq.html for
more information
gpg key 641E358B public key "Ben Reser
ltben_at_reser.orggt" imported
gpg key F894BE12 public key "Brian W.
Fitzpatrick ltfitz_at_apache.orggt" imported
gpg key EC6B5156 public key "Ben
Collins-Sussman ltsussman_at_collab.netgt" imported
gpg Total number processed 3
gpg imported 3

15
validate keys (GPG and PGP)

check trust paths
tolerable for all 3, though not outstanding
(see next slide)
see if the project web site has the keys
in this case, no
tsk, tsk
see if the web site agrees with the key servers
cant in this case, can in others
but searching on the user names doesnt turn up
any extraneous keys either, which is good
can google the signers and see what projects they
are involved with

16
wotsap picture jiml -gt ben
17
GPG verify with known and trusted keys

gpg --verify subversion-1.2.0-rc2.tar.bz2.asc
gpg Signature made Thu 21 Apr 2005 064652 PM
CDT using DSA key ID 641E358B
gpg Good signature from "Ben Reser
ltben_at_reser.orggt"
gpg aka "Ben Reser
ltbreser_at_siaer.netgt"
gpg aka "Ben Reser
ltbreser_at_vecdev.comgt"
gpg aka "Ben Reser
ltben_at_reser.orggt"
gpg aka "Ben Reser
ltbreser_at_siaer.netgt"
gpg aka "Ben Reser
ltbreser_at_vecdev.comgt"
gpg WARNING This key is not certified with a
trusted signature!

18
PGP generating a key
19
PGP signing a key
20
GPG generating a key

gpg --gen-key
Please select what kind of key you want
(5) RSA (sign only)
Your selection? 5
What keysize do you want? (1024) 2048
Key is valid for? (0)
Real name Bucky Badger
Email address bbadger_at_wisc.edu
Comment another fake
You selected this USER-ID
"Bucky Badger (another fake)
ltbbadger_at_wisc.edugt"
Change (N)ame, (C)omment, (E)mail or
(O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
public and secret key created and signed.
key marked as ultimately trusted.

21
GPG signing a key

gpg --default-key bucky --edit-key fred
...
pub 2048R/5B9494F3 created 2005-10-17 expires
never trust u/u
sub 2048R/9E0F38DB created 2005-10-17 expires
never
(1). Fred Flintstone (fake) ltfredf_at_jellystone.park
gt
Commandgt sign
pub 2048R/5B9494F3 created 2005-10-17 expires
never trust u/u
Primary key fingerprint D002 A4EE A00E 4E30
55D1 E9A7 DD96 CCC6 5B94 94F3
Fred Flintstone (fake) ltfredf_at_jellystone.park
gt
How carefully have you verified the key you are
about to sign actually belongs
to the person named above? If you don't know
what to answer, enter "0".
(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.
Your selection? 3
...
You need a passphrase to unlock the secret key
for

22
PGP keyring tool
23
PGP looking at a key

right click and pick properties
implicit trust when you have the private key
main tab is the signing key subkey tab is for
encryption keys
valid means how much you believe the key
trust means how much you believe keys signed by
this key

24
PGP searching wisc.edu
25
kgpg KDE frontend to gpg search settings
26
web interface to MIT key server
27
web interface to PGP, inc Keyserver
28
Recap what is PGP (GPG) used for?

verifying code integrity
source, binary
verifying message integrity
e.g. security bulletins
Encrypting things
files (especially password escrow)
e-mail (rarely!)
Signing things
to provide file/object integrity
to prevent spoofing (avoiding joe jobs)

29
Outline

Whirlwind tour of PGP and GPG use
About PGP
Keys and Trust
Platforms, Future trends, URLs

30
A (very) short timeline of PGP

1976 Diffie Hellmans New Directions
paper (NSA upset)
1977 - Rivest, Shamir, Adelman patent RSA in US
1991 - Phil R. Zimmerman decides to create PGP
1.0 has bad homebrew crypto
1993 US government files an ITAR export
violation case against PRZ
1994 incompatible PGP 2.6.2 resolves an RSA
patent squabble
1996 US government gives up on case against PRZ
1998 RFC 2440, OpenPGP message format, version
4 keys
2000 - RSA patent expires GPG adds RSA key
signing support
2011 - IDEA block cipher patent expires, GPG
will catch up to PGP 2.0

31
The role of Cryptography

Confidentiality
symmetric block ciphers
AES, CAST, Twofish, 3DES, Serpent
fast, strong (only attack is random key guessing)
needs randomness to generate keys and
initialization vectors
Integrity
message digests, signed by private keys
digests SHA-256 (soon), SHA1 (breaking), MD5
(already deprecated)
digital signatures by RSA, DSA, Elliptic
weak, slow, and vulnerable to algorithmic and
known plaintext attacks
so, use really big keys on tiny, random objects
(hash, block key)
Key exchange the 1 cryptographic problem
(solved)
public key encryption by RSA, ElGamal, Elliptic
pragmatics get public keys from keyservers, web
sites, or e-mail
Authentication the 2 cryptographic problem
(still annoying)
PGP trust model distributed (cheap! anyone can
work at it!)

32
PGP uses the Digital Envelope Technique

as do 100 of other hybrid cryptosystems such as
IPSEC, TLS/SSL, S/MIME, Microsoft encrypting file
system,
compress the plaintext to remove redundancy
makes cryptanalysis harder and compensates for
crypto overhead
on-line crypto such as TLS or IPSEC cant
usefully do this
encrypt the plaintext using a symmetric key block
cipher
using a new, random key with a new, random
initialization vector
Hash the plaintext sign that with your private
key
encrypt the block key to each recipients public
key
dont forget to include yourself as a recipient
and your organizations additional data recovery
key
Recipient
uses his private key to recover his copy of the
block key
uses the block key to recover the plaintext
uses your public key to validate the message hash

33
If the crypto is excellent, why isnt the privacy?

rootkits, keystroke loggers, and other intrusions
FBI bugged Philadelphia mafia figure Nicodemo
Scarfo in 1999
rubber hose cryptography attack
civilian version police serve a court order
why your signing key is different from your
encryption key
how careful is the private key handling?
20 characters of english text as passphrase 26
bits of entropy
Secret Service uses grid computing for cracking
passphrases
how trustworthy is the user?
can you believe his signature?
some people are sloppy about key signing
some people are sloppy about host security
non repudiation can you also believe his clock?
any backdoors in the software or hardware?
NSA, Clipper chips, skipjack, and key-escrow

34
key lengths state of the (public) break
35
Decisions, decisions

RSA versus DH/DSA?
the 1024 bit signing key for DH/DSA is getting
too short
legacy/version 3 versus new/version 4?
you want the encryption subkey to be separate
expiration date? (none, or 1-5 years)
depends on the purpose
if it doesnt expire, you have to revoke it
impossible if you lost the private key or the
passphrase
if it does expire, you have to get new signatures
default, preferred block algorithm? (CAST-128)
older clients lack AES, while GPG lacks IDEA
how many bits in the keys?
1024 public / 128 symmetric OK for now (RSA or
DH/DSA)
2048 public / 256 symmetric better through 2015
(RSA only)
gt2048 breaks older clients, and imposes excessive
overhead

36
how not to bootstrap

C\install\gnupggt"C\Program Files\gnu\GnuPG\gpg.e
xe" --verify gnupg-w32cli-1.4.2.exe.sig
gpg keyring C/Documents and Settings/jiml/Appli
cation Data/gnupg\pubring.gpg' created
gpg Signature made 07/26/05 144428 using DSA
key ID 57548DCD
gpg Can't check signature public key not found
GPG is available for windows
default locations may not be what you want
bootstrap process
(so-so) get PGP or GPG from a trusted source and
verify the SHA1 checksum
(good) use an existing PGP or GPG and known key
to validate it
Knoppix live Linux includes GPG, so any PC can
help do this

37
Outline

Whirlwind tour of PGP and GPG use
About PGP
Keys and Trust
Platforms, Future trends, URLs

38
about the web of trust

PGP authentication is based on chains of personal
acquaintance
Alice signs Bobs key, who signs Charlies, who
signs Deborahs,
keyservers merge signature chains when keys are
repeatedly uploaded
how much faith do you put in signatures from
people you dont know?
some UW folk are cavalier about what keys they
sign
statistics this month
about 2 million keys on the keyservers
mostly abandoned
about 200,000 with a 3rd party signature
about 29,000 in the largest clique (strong set)
average trust path length is about 5 signatures
wikipedia has some good links

39
web of trust beware!

this search screenshot shows one real key, and
many fake ones
the expanded fake has signatures from other fake
keys
you really do have to know the signers before you
can trust them

40
exploring the web of trust

extremely tedious by hand, so use a tool
see http//en.wikipedia.org/wiki/Web_of_trust
who does what where changes over time
Two current examples (Fall 2005)
text paths from
http//www.cs.uu.nl/people/henkp/henkp/pgp/
graphical paths from
http//www.lysator.liu.se/jc/wotsap/index.html

41
handling your key

generate it on the console of a secure machine
if you do it remotely the entropy usually sucks
protect the private key with a strong passphrase
dont use the passphrase in public
possible exception machine to machine
application communication, e.g. ssh pubkey
avoid exposing the private key to the world
keep your secret keyring off multiuser hosts, and
behind a firewall
if you need to transport it, encrypt it first
encrypted filesystems are good
USB fobs are better than laptop hard disks
(physical security matters)
keep medium security keys on physically isolated
hosts
e.g. a UW certificate-signing certificate, or
CERT ns-master
never connected to a network signing is by
sneakernet only
high security keys add splitting protocols
e.g. verisigns root keys

42
using multiple keyrings

both PGP and GPG let you change keyrings
created automatically on first use
two files, private and public
useful for RD, keysigning parties, etc.
gpg has many ways
on the command line
by environment variable
via the config file
examples
gpg homedir XXX
GNUPGHOMEXXX
export GNUPGHOME

43
key signing responsibilities

Dont sign a key locally until
you have evidence the fingerprint and owner are
right
nothing bad happens if you have a good signature
from an untrusted key
typical methods of building trust
signed by people you trust as introducers
phone the owner
find it on his web site plus the keyservers
without extraneous keys
observe it signing e-mail without repudiation for
a few months
Never sign a key for export until
you have personally verified the fingerprint with
the owner
and you have verified the identity of the owner
this can be by phone if you already know them
well
normally in person, with 2 forms of good picture
ID
e.g. passport
hence the popularity of PGP key-signing parties

44
key signing parties

a group of people get together to improve the web
of trust
often a conference BOF (especially Debian )
there are FAQs and SOPs on various methods
simplest has participants bring namefingerprint
exchange these, verify identity, each participant
reads his fingerprint
business cards work well for this
too slow for large parties
prep those with a pre-party keyring and xeroxed
copies of a signed hash of all the key
fingerprints
some protocols can handle participants without
keys
based on secret phrases exchanged at the party
the party is about identity and fingerprints
signing the keys is a usually later, private
operation
too slow and too insecure to do it during the
party
try to turn them around in less than a week

45
key signing mechanics (post-party)

obtain the public key
from keyserver, e-mail, web site,
verify the fingerprint from the key signing party
add your signature
PGP right click, pick sign / gpg --edit-key
sign
export the updated key
PGP select, right click, export / gpg export
encrypt it to itself, ascii-armored
e-mail the resulting .ASC file back to the owner
the owner decrypts it, imports it, and uploads to
his favorite keyservers

46
key servers

keyserver.pgp.com is an island
doesnt share with other keyservers
as of v9, adds machine-generated e-mail
validation signatures
these are not part of the web of trust
they do mean a key owner responded at that e-mail
address
web of trust servers communicate
hkp// (Horowitz Keyserver Protocol on port
11371)
wwwkeys.pgp.net
pgp.mit.edu
supports various protocols (http, hkp, )
runs older code (no pictures, no deletion, )
can do it by hand via various web interfaces
pgp, mit, or google pgp keyserver

47
key upload advice

keyservers have lots of junk keys
deleting keys is hard to impossible
two main problems
lost passphrase, cant recover private key
lost the entire private key (e.g. sole hard drive
crashed)
dont upload a key for about 4 months
it may take a few tries generating keys before
you like the results
you may not turn out to send lots of stuff to
large mailing lists
for a handful of correspondents, just e-mail them
your public key
for never expires keys, you should
generate an (ASCII) revocation first
print that out, and stick that in your safety
deposit box
PGP and GPG can both send via hkp//
another way is ASCII export to a file, then web
upload

48
Outline

Whirlwind tour of PGP and GPG use
About PGP
Keys and Trust
Platforms, Future trends, URLs

49
PGP versus GPG

commercial PGP
pro
capabilities PGP (with IDEA cipher), S/MIME
GUI interfaces
commercial client plugins
Microsoft Outlook, Lotus Notes, Mozilla
Thunderbird, Mac mail.app, various IM clients
con
limited platforms 32-bit windows, recent Mac
OS X
hard core users hate the lack of control in the
v9 interface
expensive to distribute widely
what heavy e-mail users and CSIRT teams need
both for plug-in ease of use and for legacy PGP
interoperability
GnuPG
pro
many platforms windows, Mac OS X, most Unix
(bundled with Linux and BSD)
free source can be audited
con
GUI interfaces are still in beta
lacks IDEA S/MIME still experimental