Public key cryptography with GnuPG

Problem:

I want to send a document to a partner and be sure that no one else is going to read it.

I want to sign a document and send the signature to a partner in such a way that he is sure that I signed it and can prove it if the need arises.

Solution:

Public key cryptography
Key
Each person involved in the secure information exchange has two keys: one private key and one public key.
Both keys are just data (text) created by an application based on some information about the person (Name, email, passphrase).
Public key
A data file that you send to anybody asking. The public key can be used to
  • encrypt a document that can be decrypted only by your private key.
  • decrypt a document that was encrypted by your private key
To make the task easier there are key servers like hkp://keys.gnupg.net where you can store your public key so that anybody can find it without bothering you.
You can go to http://keys.gnupg.net/ and search for your friends (by name or email) to find if they have public keys stored there.
Private key
A data file that only you have. You can use it to:
  • Decrypt a document that was encrypted by your public key
  • Encrypt a document that can be decrypted only with your public key. Obviously anybody can decrypt the document, but that way any recipient is sure that the file was encrypted by you.
Digital Signature
A data file containing the ID (hash) of the document to be signed plus your ID (certificate), encrypted by your private key.
Anyone can confirm that you signed the actual document (and you cannot deny it) provided he has:
  • The actual document
  • The signature document
  • Your public key
Signed document
A document that is merged with your signature.
Digital Certificate
How can I be sure that the public key and the corresponding e-mail that I have is really yours?
If it is not then I will happily encrypt the document and send it to another person who can read it. Then I will find that all my nude pictures are on 4chan for everyone to enjoy (really doubt it).
The problem can be solved using certificates. Certificates are supplied by certificate servers that can confirm your identity matches your public key.
The open source solution is certificates supported by a web of trust.

Acquire a public key and a private key

  1. Go to GnuPG for Windows and download Gpg4win
  2. Install it
  3. Run GPA (GNU Privacy Assistant). It will prompt you for a new key. Go for it.
  4. It will ask for your real name and email. These are needed
    • So that it is known who is signing what
    • To be registered in the public database hkp://keys.gnupg.net so that people can search and find your public key
    So be honest and give your real name and mail.
  5. It will ask for a passphrase. This is important. It is like a password but you are not supposed to change it now and then.
    So find a small phrase you will remember and intersperse with numbers or symbols (in a way you will remember).

Encrypt a document (to send to a partner).

  1. Find your partner's public key. You can ask him (better) or look at a server.
  2. Open GPA
  3. Import your partner's public key if you have not already done so. Keys⇒Import
  4. GPA⇒Toolbar⇒Files. File Manager application starts.
  5. Select the file and Encrypt it.

Sign a document

You want to send a document that has no need to be encrypted. The receiving party must have a way to prove that you sent the document and that it has not been changed in any way.

  1. Run GPA
  2. GPA⇒Toolbar⇒Files. File Manager application starts.
Now in File Manager:
  1. File⇒Open. Select the file you want to sign.
There is a lot you can do, but most of it is trivial if you have come this far:
  • Encrypt a file using a partner's public key.
  • Encrypt a file using your own public key (only you can decrypt it). Symmetric cryptography is a lot better for the task but you can do it if you insist.
  • Sign a file using your own private key.
  • Sign and encrypt a document using your own private key
  • Decrypt a document you received using your own private key
  • Verify the signature of a document you received using your partner's public key
If you don't want to use encrypted attachments for your encrypted documents you can
  • Set your mail agent format to "text only"⇒ Copy⇒Clipboard Encrypt⇒ Paste Encrypted to your mail program⇒send mail
  • If your mail agent is supported (Outlook, Outlook Express, Thunderbird etc.) then just install the add-in and you can do it through your agent.
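The GPA steps above (create a key pair, import a partner's public key, encrypt, sign, decrypt, verify) can also be done with the gpg command line that GPA drives. This is an added example written for a POSIX shell, not part of the original post; the two people, their addresses, the file names and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the GPA steps on the gpg CLI.
# Names, addresses and files are constructed. Keys live in throwaway keyrings
# with no passphrase, and --trust-model always skips the key-validity check;
# with real keys, compare fingerprints with your partner before trusting one.

g() {  # g HOMEDIR ARGS...: run gpg non-interactively against one keyring
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --yes --pinentry-mode loopback \
        --passphrase '' --trust-model always "$@"
}

setup_parties() {  # one key pair per person, then swap PUBLIC keys only
    work=$(mktemp -d) || return 1
    alice=$work/alice; bob=$work/bob; doc=$work/doc.txt
    mkdir -m 700 "$alice" "$bob" || return 1
    g "$alice" --quick-generate-key 'Alice Example <alice@example.org>' \
        default default never || return 1
    g "$bob" --quick-generate-key 'Bob Example <bob@example.org>' \
        default default never || return 1
    g "$alice" --armor --export alice@example.org > "$work/alice.asc" &&
    g "$bob" --armor --export bob@example.org > "$work/bob.asc" &&
    g "$alice" --import "$work/bob.asc" &&
    g "$bob" --import "$work/alice.asc" &&
    printf 'contract v1\n' > "$doc"
}

alice_sends() {  # encrypt to Bob's public key; sign with Alice's private key
    g "$alice" --recipient bob@example.org --encrypt \
        --output "$doc.gpg" "$doc" &&
    g "$alice" --detach-sign --output "$doc.sig" "$doc"
}

bob_decrypts() { g "$bob" --decrypt --output "$work/out.txt" "$doc.gpg"; }
bob_verifies() { g "$bob" --verify "$doc.sig" "$doc"; }

cleanup() {  # stop the per-keyring agents and delete the throwaway keys
    for h in "$alice" "$bob"; do gpgconf --homedir "$h" --kill gpg-agent; done
    rm -rf "$work"
}
```

Call setup_parties, alice_sends, bob_decrypts and bob_verifies in that order, then cleanup. bob_verifies returns non-zero as soon as doc.txt is changed after signing, and Alice's own keyring cannot decrypt doc.txt.gpg because only Bob's private key matches the recipient.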