Using PGP and GPG

1
Using PGP and GPG

• James Leinweber
• Wisconsin State Laboratory of Hygiene
• Badger Incident Response Team
• "There are two kinds of cryptography in this
  world
• cryptography that will stop your kid
  sister from reading your files,
• and cryptography that will stop major
  governments ...
• -- Bruce Schneier (preface to Applied
  Cryptography, 1994)

2
Outline

• Whirlwind tour of PGP and GPG use
• About PGP
• Keys and Trust
• Platforms, Future trends, URLs
• (PGP Pretty Good Privacy, GPG GNU Privacy
  Guard)

3
PGP verify a security bulletin

• major vendors and organizations sign their
  security bulletins
• Microsoft, Apple, Cisco, Redhat, US-CERT, CIAC
• push the PGP plugin icon to check the signature
• automatically downloads missing keys from
  keyservers

4
PGP sign an e-mail

• use the clearsign icon PGP added
• runs PGP after the spell checker, which is good
• beware of line wrap and funky characters
• if the e-mail client modifies the message after
  the plugin signs it, the signature wont verify
• a big culprit Microsoft word as the editor
• or use the PGP tray icon to sign the current
  window

5
GPG clear-sign a text file (inline)

• jiml_at_lidskialf jiml echo how now brown cow gt
  cow
• jiml_at_lidskialf jiml gpg --clearsign cow
• jiml_at_lidskialf jiml cat cow.asc
• -----BEGIN PGP SIGNED MESSAGE-----
• Hash SHA1
• how now brown cow
• -----BEGIN PGP SIGNATURE-----
• Version GnuPG v1.2.1 (GNU/Linux)
• iD8DBQFDVqUmQaGReVxryLkRAhOgAKDnUceWvGEe6KUMrQGhfx
  l0ZNlz9ACgsnk0
• MFSXxGnjPYSvVyafIDzstjA
• qv6M
• -----END PGP SIGNATURE-----

6
GPG sign and encrypt a file

• jiml_at_lidskialf jiml echo "how now brown cow" gt
  cow
• jiml_at_lidskialf jiml gpg -es cow
• gpg WARNING using insecure memory!
• gpg please see http//www.gnupg.org/faq.html for
  more information
• You need a passphrase to unlock the secret key
  for
• user "James E. Leinweber ltjiml_at_slh.wisc.edugt"
• 1024-bit DSA key, ID 5C6BC8B9, created 2002-10-04
• jiml_at_lidskialf jiml ls -l cow
• -rw-rw-r-- 1 jiml jiml 18 Oct 19
  1453 cow
• -rw-rw-r-- 1 jiml jiml 669 Oct 19
  1453 cow.gpg

7
GPG decode an encrypted file

• jiml_at_lidskialf jiml cat cow.asc
• -----BEGIN PGP MESSAGE-----
• Version GnuPG v1.2.1 (GNU/Linux)
• hQIOAs5POfx7DetEAf9HsrIJfj/1XcNytWvG3wr5yebO/cKv
  ot1e12sxt0ev7R
• khAwxNBdm33MHGSHaodQekPwaJg7AnlwKpRfhvgtDukCwxHUJL
  wHsqDdJDDcVdr
• XL2sEd9dfPymiHVsTCCnqXs5zzl0ed8iOs5avXpzVn9y2N30s0
  8/rmFH2NSOiuVg
• wHei21ab5QqNvzhUfjLj3lu2mNtQnh9IQijVilpu6WC8QHhiL
  ATbrBsqcoyfgCU
• sA
• WDMm
• -----END PGP MESSAGE-----
• jiml_at_lidskialf jiml gpg -d cow.asc
• You need a passphrase to unlock the secret key
  for
• user "James E. Leinweber ltjiml_at_slh.wisc.edugt"
• 2048-bit ELG-E key, ID F1EC37AD, created
  2002-10-04 (main key ID 5C6BC8B9)
• gpg encrypted with 2048-bit ELG-E key, ID
  F1EC37AD, created 2002-10-04

8
GPG verify a Redhat RPM

• jiml_at_russell RPMS rpm --checksig
  gnupg-1.2.1-10.i386.rpm
• gnupg-1.2.1-10.i386.rpm (sha1) dsa sha1 md5 gpg
  OK
• validate with rpm --checksig
• looks for the signing key on a system RPM keyring
• older versions used the users keyring
• but first, import keys with rpm --import
• Redhat ships their keys in /usr/share/rhn
• download 3rd party keys such as Postgres yourself
• you should add your own organizational keys too
• have your lead PGP users sign it, so people can
  trust it
• never import an untrusted key

9
GPG sign an RPM file

• jiml_at_lidskialf jiml cat .rpmmacros
• _signature gpg
• _gpg_path /home/jiml/.gnupg
• _gpg_name WSLH RPM signing key
  ltlinuxadmin_at_slh.wisc.edugt
• _gpg_bin /usr/bin/gpg
• jiml_at_lidskialf jiml rpm --resign
  slh-scram-0.1-1.noarch.rpm
• Enter pass phrase
• Pass phrase is good.
• Reading the directions takes more time than doing
  it
• You have to generate a key before you sign

10
GPG investigate a key

• mkdir bar
• gpg --homedir bar --import SLH-RPM-GPG-KEY
• gpg key D3E96E59 public key "WSLH RPM signing
  key ltlinuxadmin_at_slh.wisc.edugt" imported
• jiml_at_lidskialf jiml gpg --homedir bar
  --fingerprint
• bar/pubring.gpg
• ---------------
• pub 1024D/D3E96E59 2005-09-08 WSLH RPM signing
  key ltlinuxadmin_at_slh.wisc.edugt
• Key fingerprint 0CAF AF49 E7EB 2E2D F3D6
  5E66 BC30 DB7D D3E9 6E59
• sub 1024g/F415E89A 2005-09-08 expires
  2011-09-07
• jiml_at_lidskialf jiml gpg --homedir bar
  --list-sigs
• ---------------
• pub 1024D/D3E96E59 2005-09-08 WSLH RPM signing
  key ltlinuxadmin_at_slh.wisc.edugt
• sig 3 D3E96E59 2005-09-08 WSLH RPM
  signing key ltlinuxadmin_at_slh.wisc.edugt
• sig 3 5C6BC8B9 2005-09-08 User id not
  found
• sub 1024g/F415E89A 2005-09-08 expires
  2011-09-07

11
PGP verify a detached signature

• Right-click the signature file
• this one is from the Windows binary for GPG
• Use the PGP context menu item for verify
• If your keyring lacks the public key, PGP will
  search for it
• Review the PGP log results

12
GPG verify subversion source

• find a project you want, say subversion
• or Ubuntu, or
• Download the stuff
• source tarball or ISO
• detached signature file
• ls l subversion
• -rw-rw-r-- 1 jiml jiml 6982288 Apr 25
  1340 subversion-1.2.0-rc2.tar.bz2
• -rw-rw-r-- 1 jiml jiml 562 Apr 25
  1340 subversion-1.2.0-rc2.tar.bz2.asc

13
GPG 1rst verify try

• gpg --verify subversion-1.2.0-rc2.tar.bz2.asc
• gpg WARNING using insecure memory!
• gpg please see http//www.gnupg.org/faq.html for
  more information
• gpg Signature made Thu 21 Apr 2005 064652 PM
  CDT using DSA key ID 641E358B
• gpg Can't check signature public key not found
• gpg Signature made Fri 22 Apr 2005 123009 AM
  CDT using DSA key ID F894BE12
• gpg Can't check signature public key not found
• gpg Signature made Fri 22 Apr 2005 051339 PM
  CDT using DSA key ID EC6B5156
• gpg Can't check signature public key not found

14
GPG get missing keys

• gpg --recv-keys --keyserver hkp//pgp.mit.edu
  641E358B F894BE12 EC6B5156
• gpg WARNING using insecure memory!
• gpg please see http//www.gnupg.org/faq.html for
  more information
• gpg key 641E358B public key "Ben Reser
  ltben_at_reser.orggt" imported
• gpg key F894BE12 public key "Brian W.
  Fitzpatrick ltfitz_at_apache.orggt" imported
• gpg key EC6B5156 public key "Ben
  Collins-Sussman ltsussman_at_collab.netgt" imported
• gpg Total number processed 3
• gpg imported 3

15
validate keys (GPG and PGP)

• check trust paths
• tolerable for all 3, though not outstanding
• (see next slide)
• see if the project web site has the keys
• in this case, no
• tsk, tsk
• see if the web site agrees with the key servers
• cant in this case, can in others
• but searching on the user names doesnt turn up
  any extraneous keys either, which is good
• can google the signers and see what projects they
  are involved with

16
wotsap picture jiml -gt ben
17
GPG verify with known and trusted keys

• gpg --verify subversion-1.2.0-rc2.tar.bz2.asc
• gpg Signature made Thu 21 Apr 2005 064652 PM
  CDT using DSA key ID 641E358B
• gpg Good signature from "Ben Reser
  ltben_at_reser.orggt"
• gpg aka "Ben Reser
  ltbreser_at_siaer.netgt"
• gpg aka "Ben Reser
  ltbreser_at_vecdev.comgt"
• gpg aka "Ben Reser
  ltben_at_reser.orggt"
• gpg aka "Ben Reser
  ltbreser_at_siaer.netgt"
• gpg aka "Ben Reser
  ltbreser_at_vecdev.comgt"
• gpg WARNING This key is not certified with a
  trusted signature!

18
PGP generating a key
19
PGP signing a key
20
GPG generating a key

• gpg --gen-key
• Please select what kind of key you want
• (5) RSA (sign only)
• Your selection? 5
• What keysize do you want? (1024) 2048
• Key is valid for? (0)
• Real name Bucky Badger
• Email address bbadger_at_wisc.edu
• Comment another fake
• You selected this USER-ID
• "Bucky Badger (another fake)
  ltbbadger_at_wisc.edugt"
• Change (N)ame, (C)omment, (E)mail or
  (O)kay/(Q)uit? O
• You need a Passphrase to protect your secret key.
  
• public and secret key created and signed.
• key marked as ultimately trusted.

21
GPG signing a key

• gpg --default-key bucky --edit-key fred
• ...
• pub 2048R/5B9494F3 created 2005-10-17 expires
  never trust u/u
• sub 2048R/9E0F38DB created 2005-10-17 expires
  never
• (1). Fred Flintstone (fake) ltfredf_at_jellystone.park
  gt
• Commandgt sign
• pub 2048R/5B9494F3 created 2005-10-17 expires
  never trust u/u
• Primary key fingerprint D002 A4EE A00E 4E30
  55D1 E9A7 DD96 CCC6 5B94 94F3
• Fred Flintstone (fake) ltfredf_at_jellystone.park
  gt
• How carefully have you verified the key you are
  about to sign actually belongs
• to the person named above? If you don't know
  what to answer, enter "0".
• (0) I will not answer. (default)
• (1) I have not checked at all.
• (2) I have done casual checking.
• (3) I have done very careful checking.
• Your selection? 3
• ...
• You need a passphrase to unlock the secret key
  for

22
PGP keyring tool
23
PGP looking at a key

• right click and pick properties
• implicit trust when you have the private key
• main tab is the signing key subkey tab is for
  encryption keys
• valid means how much you believe the key
• trust means how much you believe keys signed by
  this key

24
PGP searching wisc.edu
25
kgpg KDE frontend to gpg search settings
26
web interface to MIT key server
27
web interface to PGP, inc Keyserver
28
Recap what is PGP (GPG) used for?

• verifying code integrity
• source, binary
• verifying message integrity
• e.g. security bulletins
• Encrypting things
• files (especially password escrow)
• e-mail (rarely!)
• Signing things
• to provide file/object integrity
• to prevent spoofing (avoiding joe jobs)

29
Outline

• Whirlwind tour of PGP and GPG use
• About PGP
• Keys and Trust
• Platforms, Future trends, URLs

30
A (very) short timeline of PGP

• 1976 Diffie Hellmans New Directions
  paper (NSA upset)
• 1977 - Rivest, Shamir, Adelman patent RSA in US
• 1991 - Phil R. Zimmerman decides to create PGP
• 1.0 has bad homebrew crypto
• 1993 US government files an ITAR export
  violation case against PRZ
• 1994 incompatible PGP 2.6.2 resolves an RSA
  patent squabble
• 1996 US government gives up on case against PRZ
• 1998 RFC 2440, OpenPGP message format, version
  4 keys
• 2000 - RSA patent expires GPG adds RSA key
  signing support
• 2011 - IDEA block cipher patent expires, GPG
  will catch up to PGP 2.0

31
The role of Cryptography

• Confidentiality
• symmetric block ciphers
• AES, CAST, Twofish, 3DES, Serpent
• fast, strong (only attack is random key guessing)
• needs randomness to generate keys and
  initialization vectors
• Integrity
• message digests, signed by private keys
• digests SHA-256 (soon), SHA1 (breaking), MD5
  (already deprecated)
• digital signatures by RSA, DSA, Elliptic
• weak, slow, and vulnerable to algorithmic and
  known plaintext attacks
• so, use really big keys on tiny, random objects
  (hash, block key)
• Key exchange the 1 cryptographic problem
  (solved)
• public key encryption by RSA, ElGamal, Elliptic
• pragmatics get public keys from keyservers, web
  sites, or e-mail
• Authentication the 2 cryptographic problem
  (still annoying)
• PGP trust model distributed (cheap! anyone can
  work at it!)

32
PGP uses the Digital Envelope Technique

• as do 100 of other hybrid cryptosystems such as
  IPSEC, TLS/SSL, S/MIME, Microsoft encrypting file
  system,
• compress the plaintext to remove redundancy
• makes cryptanalysis harder and compensates for
  crypto overhead
• on-line crypto such as TLS or IPSEC cant
  usefully do this
• encrypt the plaintext using a symmetric key block
  cipher
• using a new, random key with a new, random
  initialization vector
• Hash the plaintext sign that with your private
  key
• encrypt the block key to each recipients public
  key
• dont forget to include yourself as a recipient
• and your organizations additional data recovery
  key
• Recipient
• uses his private key to recover his copy of the
  block key
• uses the block key to recover the plaintext
• uses your public key to validate the message hash

33
If the crypto is excellent, why isnt the privacy?

• rootkits, keystroke loggers, and other intrusions
• FBI bugged Philadelphia mafia figure Nicodemo
  Scarfo in 1999
• rubber hose cryptography attack
• civilian version police serve a court order
• why your signing key is different from your
  encryption key
• how careful is the private key handling?
• 20 characters of english text as passphrase 26
  bits of entropy
• Secret Service uses grid computing for cracking
  passphrases
• how trustworthy is the user?
• can you believe his signature?
• some people are sloppy about key signing
• some people are sloppy about host security
• non repudiation can you also believe his clock?
• any backdoors in the software or hardware?
• NSA, Clipper chips, skipjack, and key-escrow

34
key lengths state of the (public) break
35
Decisions, decisions

• RSA versus DH/DSA?
• the 1024 bit signing key for DH/DSA is getting
  too short
• legacy/version 3 versus new/version 4?
• you want the encryption subkey to be separate
• expiration date? (none, or 1-5 years)
• depends on the purpose
• if it doesnt expire, you have to revoke it
• impossible if you lost the private key or the
  passphrase
• if it does expire, you have to get new signatures
• default, preferred block algorithm? (CAST-128)
• older clients lack AES, while GPG lacks IDEA
• how many bits in the keys?
• 1024 public / 128 symmetric OK for now (RSA or
  DH/DSA)
• 2048 public / 256 symmetric better through 2015
  (RSA only)
• gt2048 breaks older clients, and imposes excessive
  overhead

36
how not to bootstrap

• C\install\gnupggt"C\Program Files\gnu\GnuPG\gpg.e
  xe" --verify gnupg-w32cli-1.4.2.exe.sig
• gpg keyring C/Documents and Settings/jiml/Appli
  cation Data/gnupg\pubring.gpg' created
• gpg Signature made 07/26/05 144428 using DSA
  key ID 57548DCD
• gpg Can't check signature public key not found
• GPG is available for windows
• default locations may not be what you want
• bootstrap process
• (so-so) get PGP or GPG from a trusted source and
  verify the SHA1 checksum
• (good) use an existing PGP or GPG and known key
  to validate it
• Knoppix live Linux includes GPG, so any PC can
  help do this

37
Outline

• Whirlwind tour of PGP and GPG use
• About PGP
• Keys and Trust
• Platforms, Future trends, URLs

38
about the web of trust

• PGP authentication is based on chains of personal
  acquaintance
• Alice signs Bobs key, who signs Charlies, who
  signs Deborahs,
• keyservers merge signature chains when keys are
  repeatedly uploaded
• how much faith do you put in signatures from
  people you dont know?
• some UW folk are cavalier about what keys they
  sign
• statistics this month
• about 2 million keys on the keyservers
• mostly abandoned
• about 200,000 with a 3rd party signature
• about 29,000 in the largest clique (strong set)
• average trust path length is about 5 signatures
• wikipedia has some good links

39
web of trust beware!

• this search screenshot shows one real key, and
  many fake ones
• the expanded fake has signatures from other fake
  keys
• you really do have to know the signers before you
  can trust them

40
exploring the web of trust

• extremely tedious by hand, so use a tool
• see http//en.wikipedia.org/wiki/Web_of_trust
• who does what where changes over time
• Two current examples (Fall 2005)
• text paths from
• http//www.cs.uu.nl/people/henkp/henkp/pgp/
• graphical paths from
• http//www.lysator.liu.se/jc/wotsap/index.html

41
handling your key

• generate it on the console of a secure machine
• if you do it remotely the entropy usually sucks
• protect the private key with a strong passphrase
• dont use the passphrase in public
• possible exception machine to machine
  application communication, e.g. ssh pubkey
• avoid exposing the private key to the world
• keep your secret keyring off multiuser hosts, and
  behind a firewall
• if you need to transport it, encrypt it first
• encrypted filesystems are good
• USB fobs are better than laptop hard disks
  (physical security matters)
• keep medium security keys on physically isolated
  hosts
• e.g. a UW certificate-signing certificate, or
  CERT ns-master
• never connected to a network signing is by
  sneakernet only
• high security keys add splitting protocols
• e.g. verisigns root keys

42
using multiple keyrings

• both PGP and GPG let you change keyrings
• created automatically on first use
• two files, private and public
• useful for RD, keysigning parties, etc.
• gpg has many ways
• on the command line
• by environment variable
• via the config file
• examples
• gpg homedir XXX
• GNUPGHOMEXXX
• export GNUPGHOME

43
key signing responsibilities

• Dont sign a key locally until
• you have evidence the fingerprint and owner are
  right
• nothing bad happens if you have a good signature
  from an untrusted key
• typical methods of building trust
• signed by people you trust as introducers
• phone the owner
• find it on his web site plus the keyservers
• without extraneous keys
• observe it signing e-mail without repudiation for
  a few months
• Never sign a key for export until
• you have personally verified the fingerprint with
  the owner
• and you have verified the identity of the owner
• this can be by phone if you already know them
  well
• normally in person, with 2 forms of good picture
  ID
• e.g. passport
• hence the popularity of PGP key-signing parties

44
key signing parties

• a group of people get together to improve the web
  of trust
• often a conference BOF (especially Debian )
• there are FAQs and SOPs on various methods
• simplest has participants bring namefingerprint
• exchange these, verify identity, each participant
  reads his fingerprint
• business cards work well for this
• too slow for large parties
• prep those with a pre-party keyring and xeroxed
  copies of a signed hash of all the key
  fingerprints
• some protocols can handle participants without
  keys
• based on secret phrases exchanged at the party
• the party is about identity and fingerprints
• signing the keys is a usually later, private
  operation
• too slow and too insecure to do it during the
  party
• try to turn them around in less than a week

45
key signing mechanics (post-party)

• obtain the public key
• from keyserver, e-mail, web site,
• verify the fingerprint from the key signing party
• add your signature
• PGP right click, pick sign / gpg --edit-key
  sign
• export the updated key
• PGP select, right click, export / gpg export
  
• encrypt it to itself, ascii-armored
• e-mail the resulting .ASC file back to the owner
• the owner decrypts it, imports it, and uploads to
  his favorite keyservers

46
key servers

• keyserver.pgp.com is an island
• doesnt share with other keyservers
• as of v9, adds machine-generated e-mail
  validation signatures
• these are not part of the web of trust
• they do mean a key owner responded at that e-mail
  address
• web of trust servers communicate
• hkp// (Horowitz Keyserver Protocol on port
  11371)
• wwwkeys.pgp.net
• pgp.mit.edu
• supports various protocols (http, hkp, )
• runs older code (no pictures, no deletion, )
• can do it by hand via various web interfaces
• pgp, mit, or google pgp keyserver

47
key upload advice

• keyservers have lots of junk keys
• deleting keys is hard to impossible
• two main problems
• lost passphrase, cant recover private key
• lost the entire private key (e.g. sole hard drive
  crashed)
• dont upload a key for about 4 months
• it may take a few tries generating keys before
  you like the results
• you may not turn out to send lots of stuff to
  large mailing lists
• for a handful of correspondents, just e-mail them
  your public key
• for never expires keys, you should
• generate an (ASCII) revocation first
• print that out, and stick that in your safety
  deposit box
• PGP and GPG can both send via hkp//
• another way is ASCII export to a file, then web
  upload

48
Outline

• Whirlwind tour of PGP and GPG use
• About PGP
• Keys and Trust
• Platforms, Future trends, URLs

49
PGP versus GPG

• commercial PGP
• pro
• capabilities PGP (with IDEA cipher), S/MIME
• GUI interfaces
• commercial client plugins
• Microsoft Outlook, Lotus Notes, Mozilla
  Thunderbird, Mac mail.app, various IM clients
• con
• limited platforms 32-bit windows, recent Mac
  OS X
• hard core users hate the lack of control in the
  v9 interface
• expensive to distribute widely
• what heavy e-mail users and CSIRT teams need
• both for plug-in ease of use and for legacy PGP
  interoperability
• GnuPG
• pro
• many platforms windows, Mac OS X, most Unix
  (bundled with Linux and BSD)
• free source can be audited
• con
• GUI interfaces are still in beta
• lacks IDEA S/MIME still experimental

50
PGP and GPG version interoperability

• Interoperability is good with recent versions
• GPG gt 1.2 (1.4 is current)
• PGP gt 7 (9 is current)
• for older versions, your mileage will vary
• verifying signatures usually works
• especially from older signers to newer verifiers
• decryption often works (but IDEA is a problem for
  GPG)
• there are many potential incompatibilities even
  within PGP
• many versions changed message formats or key
  formats
• older clients have key size and cipher
  limitations
• archaic clients choke if a v3 key bears a DSA
  signature
• but why are you trusting crypto code over two
  years old?
• sharing keys works
• importing PGP private keys into GPG works well
• the other direction may be harder
• import/export of public keys back and forth is
  easy

51
future developments

• eventually GnuPG 2.0 will include S/MIME support
• NIST will
• convene a conference next month on better hash
  functions
• update DSS to allow SHA-256 (PGP and GPG will rev
  to match)
• Everyone will add elliptic curve support by 2010
  (patents permitting)
• crypto hardware is becoming common
• US banks have to move to 2-factor authentication
  by 2007
• crypto acceleration becoming common in CPUs
• private keys may be stored in a trusted module
• beware of vendors offering treacherous computing
  DMCA etc.
• PKI may finally arrive
• Web of trust is too hard for ordinary mortals?
• Wisconsin DOA will deploy S/MIME to state
  agencies
• standardizing on outlook client, oracle mail and
  calendar server
• via a Secure Message Gateway appliance
  (Tumbleweed)
• UW-Madison is piloting S/MIME now

52
sites and sources

• www.pgp.com
• commericial PGP
• www.gnupg.org
• GPG handbook
• note macgpg.sourceforge.net
• http//en.wikipedia.org/wiki/Web_of_trust
• has good links to path finding tools and strong
  set analysis
• http//csrc.nist.gov/crytpval/
• FIPS 180-2 secure hash standard
• sha-1, sha-224, sha-256, sha-384, sha-512
• FIPS 186-2 Digital Signature Standard
• (DSA, RSA, ECDSA algorithms)
• FIPS 197, Advanced Encryption Standard
• http//www.rsasecurity.com/rsalabs/
• excellent background information on cryptography
• RFCs
• 2015 OpenPGP-MIME (but client support is still
  dicey)
• 2440 OpenPGP
• Books