Basic use of PGP


Overview

PGP is a system for encrypting, decrypting, and verifying messages. It provides a high level of security that helps protect sensitive data. It uses two keys:

  1. a private key, which you use to decrypt messages intended for you and to sign messages to authenticate yourself as the sender;
  2. a public key, which you provide to other people who need to send you confidential messages. To provide a greater degree of assurance that a public key really belongs to a specific person, public keys can be "signed" by other users who attest to your identity.
Creating the key pair

The pgpk command is used to create a key, as demonstrated below:

    $ pgpk -g
    Choose the type of your public key:
      1)  DSS/Diffie-Hellman - New algorithm for 5.0 (default)
      2)  RSA
    Choose 1 or 2: 1   DSS is the newer, more secure algorithm
    
    Pick your public/private keypair key size:
    (Sizes are Diffie-Hellman/DSS; Read the user's guide for more information)
     1)   768/768  bits- Commercial grade, probably not currently breakable
     2)  1024/1024 bits- High commercial grade, secure for many years
     3)  2048/1024 bits- "Military" grade, secure for forseeable future(default)
     4)  3072/1024 bits- Archival grade, slow, highest security
    Choose 1, 2, 3 or 4, or enter desired number of Diffie-Hellman bits
    (768 - 4096):  2048-bit keys are recommended
    (Producing a 1024 bit DSS and a 2048 bit Diffie-Hellman key)
    
    You need a user ID for your public key.  The desired form for this
    user ID is your FULL name, followed by your E-mail address enclosed in
    <angle brackets>, if you have an E-mail address.  For example:
      Joe Smith <user@domain.com>
    If you violate this standard, you will lose much of the benefits of
    PGP 5.0's keyserver and email integration.
    
    Enter a user ID for your public key: Andrew Mossberg <aem@inicom.com>
    
    Enter the validity period of your key in days from 0 - 999
    0 is forever (and the default): 0
    
    You need a pass phrase to protect your private key(s).
    Your pass phrase can be any sentence or phrase and may have many
    words, spaces, punctuation, or any other printable characters.
    Enter pass phrase: Secret Phrase
    Enter again, for confirmation:
    Enter pass phrase: Secret Phrase
    Collecting randomness for key...
    
    We need to generate 333 random bits.  This is done by measuring the
    time intervals between your keystrokes.  Please enter some random text
    on your keyboard until you hear the beep:
       0 * -Enough, thank you.
    .....******* ..........................******* . 
    
    Keypair created successfully.
    
    If you wish to send this new key to a server, enter the URL of the server,
    below.  If not, enter nothing.
    

And there you have it. In this example, I created a public and private key pair identified by "Andrew Mossberg <aem@inicom.com>".

Extracting a public key for distribution

In order to receive encrypted messages, other people must have a copy of your public key. In the above example, we created a key pair; PGP puts new keys on your keyring. To make your public key available, you need to extract it from your keyring and provide it to the other person. Remember that your public key is only used by others to encrypt data intended for you and to verify the authenticity of messages from you. It cannot be used to decrypt messages intended for you.

To extract your public key in a form that can be provided to someone else, use the pgpk command again, like this:

    pgpk -xa "Andrew Mossberg <aem@inicom.com>" > filename


    which creates a file containing a "readable" version of your key, looking something like this:

    
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: PGP for Personal Privacy 5.0
    
    mQGiBDeHr2wRBADCT38uG6aQqMNNgxe10MBi+qonw10AYxjK3HU/qXXA8mm5hJMM
    dIASIUREwTSSxu6BJNnLjJGFX0t+OVW6ElnPdvT628FoAUBCrWjeS2I1R8mlyXL1
    . . . (stuff deleted)
    cjtSn0OJAD8DBRg3h69tKchouox1Ck8RAr8JAJ9VeDFH7Q16dsBSxR0LSiG9sNJL
    vwCfcB60AKLf1tUJoq/ASpnsy8zLJUE=
    =xEz1
    -----END PGP PUBLIC KEY BLOCK-----
    This file should be provided to people you want to send or receive encrypted messages with. You can e-mail it, provide it on a diskette, or read it to them over the phone. E-mail is usually the best way.
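The key block above is OpenPGP ASCII armor: base64 text framed by BEGIN/END lines, with a "=xxxx" line at the end that carries a CRC-24 checksum of the binary key. The following Python example is added here and is not part of the original page or of PGP itself; it strips the armor, checks the checksum when that line is present, and reads the header of the first packet, which for a public key gives the key's version, creation date and algorithm. It is fed the first two base64 lines of the block shown above (the page deletes the rest, so this copy has no checksum line to check) and reports a DSS key created 1999-07-10 with a 1024-bit prime, which is what the pgpk listing later on this page shows for the same key. The armor, CRC-24 and packet-header layouts follow RFC 4880, which is assumed as the reference; PGP 5.0 predates it but writes the same format.

```python
import base64
from datetime import datetime, timezone

# Public-key algorithm ids from RFC 4880 section 9.1; PGP 5.0 calls DSA "DSS".
PUBKEY_ALGORITHMS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
                     16: "Elgamal (encrypt-only)", 17: "DSA/DSS"}
PUBLIC_KEY_TAG = 6  # old-format packet tag 6 = public-key packet (RFC 4880 4.3)

# Constructed input: the BEGIN/END lines, Version header and the first two
# base64 lines of the key block shown on this page.  The page deletes the
# rest of the block, so this copy has no "=xxxx" CRC line to check against.
TRUNCATED_KEY_BLOCK = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0

mQGiBDeHr2wRBADCT38uG6aQqMNNgxe10MBi+qonw10AYxjK3HU/qXXA8mm5hJMM
dIASIUREwTSSxu6BJNnLjJGFX0t+OVW6ElnPdvT628FoAUBCrWjeS2I1R8mlyXL1
-----END PGP PUBLIC KEY BLOCK-----
"""


def crc24(data: bytes) -> int:
    """CRC-24 that ASCII armor appends to the body (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap raw OpenPGP packets in ASCII armor, including the CRC-24 line."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {block_type}-----\nVersion: example\n\n"
            f"{body}\n{crc_line}\n-----END PGP {block_type}-----\n")


def dearmor(text: str):
    """Return (packet_bytes, crc_ok) for an armored block.  crc_ok is True or
    False when a '=xxxx' line is present and None when the block has none."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored PGP block")
    body = lines[1:-1]
    if "" in body:  # armor headers such as "Version:" end at the first blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    crc_ok = None
    if crc_line is not None:
        crc_ok = crc24(data) == int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    return data, crc_ok


def parse_public_key_packet(data: bytes) -> dict:
    """Parse an old-format packet header and the fixed fields of a version 4
    public key: creation time, algorithm and the bit length of the first MPI
    (for DSA that is the prime p, which PGP 5.0 reports as the DSS key size)."""
    tag_byte = data[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag_byte & 0x40:
        raise ValueError("new-format packet headers are not handled here")
    tag, length_type = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
    if length_type == 0:
        body_len, offset = data[1], 2
    elif length_type == 1:
        body_len, offset = int.from_bytes(data[1:3], "big"), 3
    elif length_type == 2:
        body_len, offset = int.from_bytes(data[1:5], "big"), 5
    else:
        raise ValueError("indeterminate packet length is not handled here")
    if tag != PUBLIC_KEY_TAG:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    version = data[offset]
    if version != 4:
        raise ValueError(f"unsupported key packet version {version}")
    created = int.from_bytes(data[offset + 1:offset + 5], "big")
    algorithm = data[offset + 5]
    return {
        "tag": tag,
        "body_length": body_len,
        "version": version,
        "created": datetime.fromtimestamp(created, tz=timezone.utc).strftime("%Y-%m-%d"),
        "algorithm": PUBKEY_ALGORITHMS.get(algorithm, f"unknown ({algorithm})"),
        "first_mpi_bits": int.from_bytes(data[offset + 6:offset + 8], "big"),
    }


if __name__ == "__main__":
    packets, crc_ok = dearmor(TRUNCATED_KEY_BLOCK)
    print("CRC checked:", crc_ok)            # None: the page's block is truncated
    print(parse_public_key_packet(packets))  # tag 6, v4, 1999-07-10, DSA/DSS, 1024 bits
```

The checksum only catches transmission damage (a line lost when a key is pasted into mail, a wrong character read over the phone); it says nothing about who owns the key, which is what key signatures are for.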

Adding a public key to your keyring

When someone sends you a public key, you need to add it to your keyring for it to be useful. Again, the pgpk command is used:

    
    $ pgpk -a filename
    
    Adding keys:
    
    Key ring: 'filename'
    Type Bits KeyID      Created    Expires    Algorithm       Use
    pub+ 1024 0x8C750A4F 1999-07-10 ---------- DSS             Sign & Encrypt 
    sub  2048 0x7F63D8D7 1999-07-10 ---------- Diffie-Hellman                 
    uid  Andrew Mossberg <aem@inicom.com>
    
    1 matching key found
    
    Add these keys to your keyring? [Y/n] Y
    
    Keys added successfully.
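The listing pgpk prints when it adds a key is also worth reading by script, for instance to inventory a keyring. The following Python example is added here and is not part of the original page; it parses that listing format (the sample input is a copy of the output shown above) and flags keys that never expire, which is what the default validity period of 0 in the key-generation dialog produces, and keys smaller than a chosen size. The column layout and the meaning of the "----------" expiry marker are taken from the output on this page; the flag character after pub/sub is captured but not interpreted, since the page does not explain it, and the 2048-bit threshold is a parameter following the size recommended in the key-generation dialog, not a property of pgpk.

```python
import re
from typing import Dict, List

# Constructed sample: the listing `pgpk -a` printed on this page, reproduced
# here as input for the parser (key ids and dates are the page's own).
SAMPLE_LISTING = """\
Adding keys:

Key ring: 'filename'
Type Bits KeyID      Created    Expires    Algorithm       Use
pub+ 1024 0x8C750A4F 1999-07-10 ---------- DSS             Sign & Encrypt
sub  2048 0x7F63D8D7 1999-07-10 ---------- Diffie-Hellman
uid  Andrew Mossberg <aem@inicom.com>

1 matching key found
"""

# One key line.  The character after pub/sub/sec (the '+' on the page) is
# captured as a flag but not interpreted; "----------" in Expires means the
# key was created with a validity period of 0, i.e. it never expires.
KEY_LINE = re.compile(
    r"^(?P<type>pub|sub|sec)(?P<flag>[^\s]?)\s+(?P<bits>\d+)\s+(?P<keyid>0x[0-9A-Fa-f]{8})"
    r"\s+(?P<created>\d{4}-\d{2}-\d{2})\s+(?P<expires>\d{4}-\d{2}-\d{2}|-{10})"
    r"\s+(?P<algorithm>[A-Za-z/-]+)(?:\s+(?P<use>.+))?$"
)


def parse_key_listing(text: str) -> List[Dict]:
    """Turn a pgpk key listing into records; uid lines attach to the most
    recent primary (pub/sec) key, as they do in the listing itself."""
    keys, primary = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["bits"] = int(rec["bits"])
            rec["expires"] = None if rec["expires"].startswith("-") else rec["expires"]
            rec["use"] = rec["use"].strip() if rec["use"] else None
            if rec["type"] in ("pub", "sec"):
                rec["uids"] = []
                primary = rec
            keys.append(rec)
        elif line.startswith("uid") and primary is not None:
            primary["uids"].append(line[3:].strip())
        # Headers, counts and prompts in the listing are skipped.
    return keys


def audit_keys(keys: List[Dict], min_bits: int = 2048) -> List[str]:
    """Flag keys that never expire and keys smaller than min_bits.  The
    default threshold follows the key size the generation dialog on this
    page recommends; it is a parameter of this example, not of pgpk."""
    findings = []
    for k in keys:
        label = f"{k['keyid']} ({k['type']} {k['algorithm']})"
        if k["expires"] is None:
            findings.append(f"{label}: never expires")
        if k["bits"] < min_bits:
            findings.append(f"{label}: {k['bits']} bits is below {min_bits}")
    return findings


if __name__ == "__main__":
    for finding in audit_keys(parse_key_listing(SAMPLE_LISTING)):
        print(finding)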
Signing a message

Now you have your own key pair and the recipient's public key. The simplest task with PGP is to add a digital signature to a message. This allows the recipient to verify that it was, in fact, you who sent them the message. The message does not get encrypted; this only adds a digital signature to it. You can use the same command as you would use for encrypting a message, with the -s option (pgpe -s), or you can use the pgps command, like this:

    
    $ pgps filename
    A private key is required to make a signature.
    Need a pass phrase to decrypt private key:
      2048 bits, Key ID 71C8E5F9, Created 1999-05-14
       "Andrew Mossberg <aem@inicom.com>"
    Enter pass phrase: Secret Phrase
    Pass phrase is good.
    Creating output file filename.pgp

Note that by default PGP creates a compressed file, so the file just created is binary. If you want a file that is readable, with the message in plaintext and a PGP signature at the end, you must specify the -a option, as in pgps -a filename, but check the manual for the version of PGP you are using to be sure. To verify a signature you would use the pgpv command.

Encrypting a message

Here is the more typical use: encrypting a file with a recipient's public key so that only they will be able to read it. To do this, you need to have their public key added to your keyring. Unless that key has been signed as belonging to its owner, PGP warns that it is not trusted to belong to that name and asks you to confirm before using it, as the output below shows.

    $ pgpe -r "Wolfgang Ley, DFN-CERT <ley@cert.dfn.de>" filename
      1024 bits, Key ID 8E0A49D1, Created 1994-10-19
       "Wolfgang Ley, DFN-CERT <ley@cert.dfn.de>"
    WARNING: The above key is not trusted to belong to:
    Wolfgang Ley, DFN-CERT <ley@cert.dfn.de>
    
    Do you want to use the key with this name? [y/N] y
    
    Creating output file filename.pgp
    To encrypt the message and add a digital signature so the recipient knows you sent it, add the -s option like so:

    
    $ pgpe -r "Wolfgang Ley, DFN-CERT <ley@cert.dfn.de>" -s filename
    A private key is required to make a signature.
    Need a pass phrase to decrypt private key:
      2048 bits, Key ID 71C8E5F9, Created 1999-05-14
       "Andrew E. Mossberg <aem@inicom.com>"
    Enter pass phrase: Secret Phrase
    Pass phrase is good.
      1024 bits, Key ID 8E0A49D1, Created 1994-10-19
       "Wolfgang Ley, DFN-CERT <ley@cert.dfn.de>"
    WARNING: The above key is not trusted to belong to:
    Wolfgang Ley, DFN-CERT <ley@cert.dfn.de>
    
    But you previously approved using the key with this name.
    
    Creating output file filename.pgp

Decrypting a message

The opposite of sending is receiving, and the opposite of encrypting is decrypting. Now you are the recipient and have received a file from someone who has used your public key to encrypt a message. To decrypt it, use the pgpv command. You would also use the pgpv command if you were just verifying a signature on a file.

    
    $ pgpv filename.pgp
    Message is encrypted.
    Need a pass phrase to decrypt private key:
      2048 bits, Key ID 86C89B1D, Created 1999-05-13
    Enter pass phrase: Secret Phrase
    Pass phrase is good.
    Opening file "filename" type binary.
Summary of commands

Task                         Command                                   Effect
Encrypt a message            pgpe -r Recipient address filename        Encrypts a file for a recipient
                             pgpe -r Recipient address -s filename     Encrypts a file for a recipient and digitally signs it with your ID
Sign a message               pgps filename                             Digitally signs a file with your ID
                             pgps -a filename                          Digitally signs a file & leaves the message readable
Verify or decrypt a message  pgpv filename                             Decrypts a file
                             pgpv filename                             Verifies a digital signature; you must have the sender's public key on your keyring
Key management               pgpk -g                                   Create a PGP key pair
                             pgpk -xa Key ID                           Extract a key from your keyring
                             pgpk -a filename                          Add the key in file filename to your keyring
© 1999 Andrew Mossberg, Inicom, Inc.