Assuming that neither of us is suffering from the paranoid delusions sometimes attributed to the characters known as Bob and Alice, perhaps we don't need to learn how to use command-line GPG to communicate the ordinary messages of everyday life. As most of the people who currently use email are unlikely to want to learn how to use this program, why should we (apart from my need to set an exam relevant to security systems theory and for a student of this module to pass it)?
Situations where security professionals need this knowledge include when information about security issues needs to be communicated clearly to others. In this situation, many problems including phishing arise through end users being unable to verify the origin of security information they receive and its authenticity. Even if your end users or customers can't or don't bother to check your digital signature on a document, if it is digitally signed by you and the key is verifiable, e.g. because the key fingerprint is included on your business card, others have the option to acquire the capacity to verify what you sign.
For an end user who needs stronger privacy or to know that a signature is valid, email programs can be set up to use GPG by default, which (for someone who has an IT support person to set this up for them) is going to be a bit easier than command line use. This is not so for the IT support person, who will need to know how GPG works first. For end users who probably don't want to know how it all fits together, and for security professionals who need a less demanding user interface, using smart cards to handle cryptographic operations is recommended.
Free software products are increasingly distributed together with digital signatures of the sources and of the compiled binaries as packaged. Automated installation procedures of secure products are increasingly likely to check and verify the signatures. Knowledge of the technology used is essential to those wanting to build and maintain these systems. If you or the business you work for wants to participate within the free-software ecosystem (estimated by IDC at US$18G in 2007, rising to US$40G by 2010), standards validating copyrights on contributed code require you to sign off any code you contribute.
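An added example (not from the original page) of the check an automated installer could make: it reads GnuPG's machine-readable --status-fd output and accepts a signature only if it was made by a key whose fingerprint was obtained out of band, as with a fingerprint printed on a business card. The function names are assumptions and the status lines are constructed samples; the pinned fingerprint is the one shown for Richard Kay's key on this page.

```python
import subprocess

# Fingerprint printed on this page for Richard Kay's key; spaces are ignored.
PINNED_FPR = "CDA4 E092 B12A 99EA B093 689F 8AE7 E694 EBEF 27FB"

# Status keywords that mean the signature must not be relied on.
FAILURES = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def normalise(fpr):
    """Strip whitespace and upper-case a fingerprint for comparison."""
    return "".join(fpr.split()).upper()


def check_status(status_text, pinned_fpr):
    """Decide from gpg --status-fd output whether the pinned key signed.

    Returns (ok, reason). Only machine-readable "[GNUPG:]" lines are read;
    the human-readable "Good signature from ..." text is never parsed.
    """
    keywords, signers = set(), []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        keywords.add(keyword)
        if keyword == "VALIDSIG" and args:
            # Tenth argument, when present, is the primary key fingerprint;
            # otherwise fall back to the signing (sub)key fingerprint.
            signers.append(normalise(args[9] if len(args) >= 10 else args[0]))
    for failure in FAILURES:
        if failure in keywords:
            return False, failure
    if len(signers) != 1:
        return False, "expected exactly one valid signature, got %d" % len(signers)
    if signers[0] != normalise(pinned_fpr):
        return False, "signed by unexpected key " + signers[0]
    return True, "signed by pinned key"


def verify_detached(sig_path, data_path, pinned_fpr=PINNED_FPR):
    """Run gpg on a detached signature and apply check_status to its output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    ok, reason = check_status(proc.stdout, pinned_fpr)
    return ok and proc.returncode == 0, reason


# Constructed status output (not captured from a real run) for a signature
# made by the pinned key, and the same with a different signer.
GOOD_STATUS = """\
[GNUPG:] GOODSIG 8AE7E694EBEF27FB Richard Kay (constructed sample)
[GNUPG:] VALIDSIG CDA4E092B12A99EAB093689F8AE7E694EBEF27FB 2007-02-02 1170430421 0 3 0 17 2 00 CDA4E092B12A99EAB093689F8AE7E694EBEF27FB
[GNUPG:] TRUST_FULLY
"""
OTHER_SIGNER_STATUS = GOOD_STATUS.replace(
    "CDA4E092B12A99EAB093689F8AE7E694EBEF27FB",
    "1BD06E5E7A7D1D0B24E79A80F8DF8B17357B2A4F")

if __name__ == "__main__":
    print(check_status(GOOD_STATUS, PINNED_FPR))
    print(check_status(OTHER_SIGNER_STATUS, PINNED_FPR))
```

A signature that verifies but comes from any other key, here the test user's key from this page, is rejected, which is the case a bare "Good signature" message does not distinguish.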
rich@saturn:~/gpg$ gpg --gen-key
gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: keyring `/home/rich/.gnupg/secring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 52w
Key expires at Tue 29 Jan 2008 19:10:37 GMT
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and E-mail Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Richard Kay
E-mail address: rich@coppseewood.net
Comment: Experimental Purposes Only
You selected this USER-ID:
"Richard Kay (Experimental Purposes Only) <rich@coppseewood.net>"
Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
It didn't echo and I didn't repeat it correctly 1st try
passphrase not correctly repeated; try again.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.+++++++++++++++++++++++++.+++++++++++++++++++++++++++
++++++++.+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++>+++++.+++++...+++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 282 more bytes)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..++++++++++++++++++++.++++++++++++++++++++++++++++++..+++++++++
+..+++++++++++++++++++++++++++++++++++.++++++++++.++++++++++++++
+..+++++.+++++++++++++++..+++++>+++++.+++++>+++++>+++++
................................................................
...+++++^^^
gpg: /home/rich/.gnupg/trustdb.gpg: trustdb created
gpg: key EBEF27FB marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2008-01-29
pub 1024D/EBEF27FB 2007-01-30 [expires: 2008-01-29]
Key fingerprint = CDA4 E092 B12A 99EA B093 689F 8AE7 E694 EBEF 27FB
uid Richard Kay (Experimental Purposes Only) <rich@copsseewood.net>
sub 2048g/9F119F7F 2007-01-30 [expires: 2008-01-29]
The above procedure was repeated for user test, resulting in the following information about the test key:
pub 1024D/357B2A4F 2007-01-30 [expires: 2008-01-29]
Key fingerprint = 1BD0 6E5E 7A7D 1D0B 24E7 9A80 F8DF 8B17 357B 2A4F
uid Test User (Im a Tester) <test@copsseewood.net>
sub 2048g/F2B63464 2007-01-30 [expires: 2008-01-29]
As rich:
rich@saturn:~/gpg$ gpg -a --export rich > richpub
As test:
test@saturn:~$ gpg -a --export test > testpub
Use of the -a flag exported the public key in ASCII-armoured format, suitable for sending by email.
Users test and rich sent their exported public key files to each other, one as an email attachment, the other through a file copy. User rich used the Mutt email client to read mail. Here the ? help key within the attachment menu displayed:
^K extract-keys extract supported public keys
So pressing <ctrl> <shift> and <K> together displayed:
gpg: key 357B2A4F: public key "Test User (Im a Tester) <test@coppssewood.net>" imported
gpg: Total number processed: 1
gpg: imported: 1
Press any key to continue...
User test read the gpg manpage and used the following command to import rich's key as a file:
test@saturn:~$ gpg --import /tmp/richpub
gpg: key EBEF27FB: public key "Richard Kay (Experimental Purposes Only) <rich@copsseewood.net>" imported
gpg: Total number processed: 1
gpg: imported: 1
test@saturn:~$ gpg --edit-key rich
gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/EBEF27FB created: 2007-01-30 expires: 2008-01-29 usage: SC
trust: unknown validity: unknown
sub 2048g/9F119F7F created: 2007-01-30 expires: 2008-01-29 usage: E
[ unknown] (1). Richard Kay (Experimental Purposes Only) <rich@copsewood.net>
Command> sign
pub 1024D/EBEF27FB created: 2007-01-30 expires: 2008-01-29 usage: SC
trust: unknown validity: unknown
Primary key fingerprint: CDA4 E092 B12A 99EA B093 689F 8AE7 E694 EBEF 27FB
Richard Kay (Experimental Purposes Only) <rich@copsseewood.net>
This key is due to expire on 2008-01-29.
Are you sure that you want to sign this key with your
key "Test User (Im A Tester) <test@copsseewood.net>" (0C86136D)
Really sign? (y/N) y
You need a passphrase to unlock the secret key for
user: "Test User (Im A Tester) <test@copsseewood.net>"
1024-bit DSA key, ID 0C86136D, created 2007-02-02
Command> q
Save changes? (y/N) y
A message was created and stored in the file: secret
rich@saturn:~/gpg$ cat secret
This is a secret message.
The following GPG actions and flags were used:
rich@saturn:~/gpg$ gpg -r test -o secret.asc -sea secret
You need a passphrase to unlock the secret key for
user: "Richard Kay (Experimental Purposes Only) <rich@copsseewood.net>"
1024-bit DSA key, ID EBEF27FB, created 2007-01-30
test@saturn:~$ gpg -o secret -d secret.asc
You need a passphrase to unlock the secret key for
user: "Test User (Im A Tester) <test@copsseewood.net>"
2048-bit ELG-E key, ID DDB5CA65, created 2007-02-02 (main key ID 0C86136D)
gpg: encrypted with 2048-bit ELG-E key, ID DDB5CA65, created 2007-02-02
"Test User (Im A Tester) <test@copsseewood.net>"
gpg: Signature made Fri 02 Feb 2007 15:33:41 GMT using DSA key ID EBEF27FB
gpg: Good signature from "Richard Kay (Experimental Purposes Only) <rich@copsewood.net>"
test@saturn:~$ cat secret
This is a secret message.
pub 1024D/57E0F876 2007-02-16 [expires: 2008-02-15]
Key fingerprint = ACF5 7915 4C5E 6F1D 26E0 8662 6637 B994 57E0 F876
uid Dave Trusted (TTP keysigning key) <dave@copsseewood.net>
sub 2048g/A6BFD1FD 2007-02-16 [expires: 2008-02-15]
pub 1024D/D224BF4D 2007-02-16 [expires: 2008-02-15]
Key fingerprint = 28D5 9340 3329 2ABD F853 3524 1A88 D35B D224 BF4D
uid Rich Kay (Demo use of ttp key) <rich@copsseewood.net>
sub 2048g/401D9F40 2007-02-16 [expires: 2008-02-15]
pub 1024D/12D2BFBA 2007-02-16 [expires: 2008-02-15]
Key fingerprint = C4D9 2D11 FFE9 6B73 3824 64E7 D02F E07B 12D2 BFBA
uid Test Person (Test TTP process) <test@copsseewood.net>
sub 2048g/10C076AE 2007-02-16 [expires: 2008-02-15]
dave@saturn:~$ gpg -a --export dave > /tmp/davepub
test@saturn:~$ gpg -a --export test > /tmp/testpub
rich@saturn:~$ gpg -a --export rich > /tmp/richpub
test@saturn:~$ ls -l /tmp/*pub
-rw-r--r-- 1 dave dave 1730 2007-02-16 17:47 /tmp/davepub
-rw-r--r-- 1 rich rich 1726 2007-02-16 17:49 /tmp/richpub
-rw-r--r-- 1 test test 1726 2007-02-16 17:48 /tmp/testpub
dave@saturn:~$ gpg --import /tmp/richpub
gpg: key D224BF4D: public key "Rich Kay (Demo use of ttp key) <rich@copsseewood.net>" imported
gpg: Total number processed: 1
gpg: imported: 1
dave@saturn:~$ gpg --import /tmp/testpub
gpg: key 12D2BFBA: public key "Test Person (Test TTP process) <test@copsseewood.net>" imported
gpg: Total number processed: 1
gpg: imported: 1
dave@saturn:~$ gpg --edit-key rich
gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/D224BF4D created: 2007-02-16 expires: 2008-02-15 usage: SC
trust: unknown validity: unknown
sub 2048g/401D9F40 created: 2007-02-16 expires: 2008-02-15 usage: E
[ unknown] (1). Rich Kay (Demo use of ttp key) <rich@copsseewood.net>
Command> sign
pub 1024D/D224BF4D created: 2007-02-16 expires: 2008-02-15 usage: SC
trust: unknown validity: unknown
Primary key fingerprint: 28D5 9340 3329 2ABD F853 3524 1A88 D35B D224 BF4D
Rich Kay (Demo use of ttp key) <rich@copsseewood.net>
This key is due to expire on 2008-02-15.
Are you sure that you want to sign this key with your
key "Dave Trusted (TTP keysigning key) <dave@copsseewood.net>" (57E0F876)
Really sign? (y/N) y
You need a passphrase to unlock the secret key for
user: "Dave Trusted (TTP keysigning key) <dave@copsseewood.net>"
1024-bit DSA key, ID 57E0F876, created 2007-02-16
dave@saturn:~$ gpg -a --export rich > /tmp/richspub
dave@saturn:~$ gpg -a --export test > /tmp/testspub
rich@saturn:~$ gpg --import /tmp/richspub
gpg: key D224BF4D: "Rich Kay (Demo use of ttp key) <rich@copsseewood.net>" 1 new signature
gpg: Total number processed: 1
gpg: new signatures: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2008-02-15
rich@saturn:~$ gpg --import /tmp/testspub
gpg: key 12D2BFBA: "Test Person (Test TTP process) <test@copsseewood.net>" 1 new signature
gpg: Total number processed: 1
gpg: new signatures: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2008-02-15
The imports of the signed keys by test are not shown.
Note that test has to sign dave's key as well as trust it. Signing it means that test believes dave's key belongs to dave. Trusting it means that test trusts dave to identify the owners of other keys before signing them.
test@saturn:~$ gpg --edit-key dave
gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/57E0F876 created: 2007-02-16 expires: 2008-02-15 usage: SC
trust: unknown validity: unknown
sub 2048g/A6BFD1FD created: 2007-02-16 expires: 2008-02-15 usage: E
[ unknown] (1). Dave Trusted (TTP keysigning key) <dave@copsseewood.net>
Command> help sign
quit quit this menu
save save and quit
help show this help
fpr show key fingerprint
list list key and user IDs
uid select user ID N
key select subkey N
check check signatures
sign sign selected user IDs [* see below for related commands]
lsign sign selected user IDs locally
tsign sign selected user IDs with a trust signature
nrsign sign selected user IDs with a non-revocable signature
deluid delete selected user IDs
delkey delete selected subkeys
delsig delete signatures from the selected user IDs
pref list preferences (expert)
showpref list preferences (verbose)
trust change the ownertrust
revsig revoke signatures on the selected user IDs
enable enable key
disable disable key
showphoto show selected photo IDs
clean compact unusable user IDs and remove unusable signatures from key
minimize compact unusable user IDs and remove all signatures from key
* The `sign' command may be prefixed with an `l' for local signatures (lsign),
a `t' for trust signatures (tsign), an `nr' for non-revocable signatures
(nrsign), or any combination thereof (ltsign, tnrsign, etc.).
Command> trust
pub 1024D/57E0F876 created: 2007-02-16 expires: 2008-02-15 usage: SC
trust: unknown validity: unknown
sub 2048g/A6BFD1FD created: 2007-02-16 expires: 2008-02-15 usage: E
[ unknown] (1). Dave Trusted (TTP keysigning key) <dave@copsseewood.net>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 4
pub 1024D/57E0F876 created: 2007-02-16 expires: 2008-02-15 usage: SC
trust: full validity: unknown
sub 2048g/A6BFD1FD created: 2007-02-16 expires: 2008-02-15 usage: E
[ unknown] (1). Dave Trusted (TTP keysigning key) <dave@copsseewood.net>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Command> sign
pub 1024D/57E0F876 created: 2007-02-16 expires: 2008-02-15 usage: SC
trust: full validity: unknown
Primary key fingerprint: ACF5 7915 4C5E 6F1D 26E0 8662 6637 B994 57E0 F876
Dave Trusted (TTP keysigning key) <dave@copsseewood.net>
This key is due to expire on 2008-02-15.
Are you sure that you want to sign this key with your
key "Test Person (Test TTP process) <test@copsseewood.net>" (12D2BFBA)
Really sign? (y/N) y
You need a passphrase to unlock the secret key for
user: "Test Person (Test TTP process) <test@copsseewood.net>"
1024-bit DSA key, ID 12D2BFBA, created 2007-02-16
Command> quit
Save changes? (y/N) y
test@saturn:~$
rich does the same with dave's key.
rich@saturn:~/gpg$ cat secret
This is a secret message sent by rich to test, after both
rich and test have trusted dave to sign each others keys.
rich@saturn:~/gpg$ gpg -r test -o secret.asc -sea secret
You need a passphrase to unlock the secret key for
user: "Rich Kay (Demo use of ttp key) <rich@copsseewood.net>"
1024-bit DSA key, ID D224BF4D, created 2007-02-16
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: depth: 2 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2008-02-15
Rich sends test the message. Test receives the message and decrypts and displays it.
test@saturn:~$ gpg -o secret -d secret.asc
You need a passphrase to unlock the secret key for
user: "Test Person (Test TTP process) <test@copsseewood.net>"
2048-bit ELG-E key, ID 10C076AE, created 2007-02-16 (main key ID 12D2BFBA)
gpg: encrypted with 2048-bit ELG-E key, ID 10C076AE, created 2007-02-16
"Test Person (Test TTP process) <test@copsseewood.net>"
gpg: Signature made Sat 17 Feb 2007 16:04:24 GMT using DSA key ID D224BF4D
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: depth: 2 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2008-02-15
gpg: Good signature from "Rich Kay (Demo use of ttp key) <rich@copsseewood.net>"
test@saturn:~$ cat secret
This is a secret message sent by rich to test, after both
rich and test have trusted dave to sign each others keys.
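An added example (not part of the original page or of GnuPG) modelling the validity rule behind the "3 marginal(s) needed, 1 complete(s) needed" lines and the note above that test must both sign and trust dave's key. It is a simplification that ignores expiry, revocation and per-user-ID validity; the function and variable names are assumptions, and the key IDs are those of test, dave and rich from the transcripts.

```python
# Ownertrust values, named as in gpg's trustdb summary
# (f = full, m = marginal, u = ultimate).
FULL, MARGINAL, ULTIMATE = "f", "m", "u"


def valid_keys(own_key, ownertrust, signed_by,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: depth} for every key that becomes valid.

    own_key    - the user's own key (ultimately trusted, depth 0)
    ownertrust - {key: FULL or MARGINAL}, as set with the "trust" command
    signed_by  - {key: set of keys that have signed it}
    """
    depth_of = {own_key: 0}
    for depth in range(1, max_depth + 1):
        newly_valid = []
        for key, signers in signed_by.items():
            if key in depth_of:
                continue
            full = marginal = 0
            for signer in signers:
                if signer not in depth_of:
                    continue  # a signature counts only if the signer's key is valid
                trust = ULTIMATE if signer == own_key else ownertrust.get(signer)
                if trust in (FULL, ULTIMATE):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.append(key)
        if not newly_valid:
            break
        for key in newly_valid:
            depth_of[key] = depth
    return depth_of


# Key IDs from the transcripts above, seen from test's keyring:
# test signed dave's key, and dave signed both rich's and test's keys.
TEST, DAVE, RICH = "12D2BFBA", "57E0F876", "D224BF4D"
SIGNED_BY = {DAVE: {TEST}, RICH: {DAVE}, TEST: {DAVE}}


def scenario(test_signed_dave=True, test_trusts_dave=True):
    """Validity of each key for test, with either step optionally skipped."""
    signed_by = dict(SIGNED_BY)
    if not test_signed_dave:
        signed_by[DAVE] = set()
    ownertrust = {DAVE: FULL} if test_trusts_dave else {}
    return valid_keys(TEST, ownertrust, signed_by)


if __name__ == "__main__":
    print("signed and trusted:", scenario())
    print("trusted, not signed:", scenario(test_signed_dave=False))
    print("signed, not trusted:", scenario(test_trusts_dave=False))
```

With both steps done, the depths returned for test, dave and rich (0, 1 and 2) correspond to the three depth lines in the trustdb output above; skipping either step leaves rich's key without validity.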
rich@saturn:~/gpg$ gpg -o secret.asc -ca secret
rich@saturn:~/gpg$ ls
richpub secret secret.asc secret.gpg
rich@saturn:~/gpg$ ls -l
total 16
-rw-r--r-- 1 rich rich 1734 2007-01-30 19:44 richpub
-rw-r--r-- 1 rich rich 26 2007-01-30 19:41 secret
-rw-r--r-- 1 rich rich 185 2007-02-06 19:31 secret.asc
-rw-r--r-- 1 rich rich 66 2007-02-06 19:28 secret.gpg
rich@saturn:~/gpg$ cat secret.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.3 (GNU/Linux)

jA0EAwMC5xVjg4/8UtRgyTDYJAmJer3Q5bJ/SIHrs5eMNa2TpxQ5cuwyXmMay+L/
8CPJ2IOQOoHnCOdHQO7APi8=
=MEvq
-----END PGP MESSAGE-----
Here the -c option selects symmetric encryption using the default algorithm, CAST5, and the -a option ASCII-armours the output. Any passphrase can be input, but the same one will be needed to decrypt the file.
rich@saturn:~/gpg$ gpg -d secret.asc
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
This is a secret message.
gpg: WARNING: message was not integrity protected
The message was successfully decrypted. The warning message was investigated; the reasons for it are explained here: http://lists.gnupg.org/pipermail/gnupg-users/2004-October/023500.html and here: http://lwn.net/Articles/7688/
It turned out that the CAST5 algorithm is used by default in order to retain backwards compatibility with older versions of PGP and GPG. GPG will always use an MDC (Manipulation Detection Code) with newer algorithms.
rich@saturn:~/gpg$ gpg --version
gpg (GnuPG) 1.4.3
Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cypher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2
rich@saturn:~/gpg$ gpg --cipher-algo AES256 -o secret.asc -ca secret
File `secret.asc' exists. Overwrite? (y/N) y
rich@saturn:~/gpg$ gpg -d secret.asc
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
This is a secret message.
rich@saturn:~/gpg$
Passphrases are used whenever a security-sensitive event occurs; these events include encryption, decryption and confirming the authenticity of an imported key. A copy of the secret key would be difficult or impossible to unlock without knowledge of the passphrase. GPG has many other design features to improve the security of the processing, e.g. forcing the memory it uses not to be written out to extended memory (swap file or partition).
A practical system design involving messages sent between automated systems is likely to have to involve compromising this security to an extent, because all secrets needed to secure communications will need to be stored locally on the relevant systems.
PGP stands for Pretty Good Privacy, a program designed by Phil Zimmermann which became available in 1991. At this time cryptographic software was controlled under the same US export restrictions as munitions. By posting this program on the Internet its author was suspected of illegally exporting it and was investigated based on this suspicion. However, Phil was never charged, probably due to the degree of support his cause attracted, and eventually the investigation against him was dropped.
PGP later became the basis of the RFC 2440 OpenPGP Message Format standard.
GPG stands for "GNU Privacy Guard". It was engineered based on RFC 2440 in order to be interoperable with PGP. At the time, while PGP was distributed in source-available form without requiring payment, it was not released under a software license considered by the Free Software Foundation as constituting free software. In practical terms the licensing restrictions on PGP made it difficult to distribute and maintain it freely and internationally as part of larger packages, e.g. operating system distributions.
GPG has been ported to Windows and MacOS X. Plugins for various email programs exist. Modules enabling the functions and facilities provided by the GPG program to be integrated within Python and Perl programs are also available.