Ken Felix Security Blog: A quick look at PGP and encryption

In this post we will look at how easily it is to use Public Key and encryption. 1st what is it ?

Simple PKI is a means to secure and to send data with the sender not having the recipient key. What this means; we need a way to quickly and effectively send secure data, while being immune to prying eyes like a intruder, man-in-the-middle ( MiTM ) or from a higher authority ( i.e US gov ). And to do this all, with no key-exchange process between parties. PGP provide all of this & more.

In my example, I 'm using GNUpg for this demo. Your choice of PGP or GNUpg, will depends on what major camp/crowd that you like. But GNUpg is not restricted, as in PGP and uses the open licensed CAST128 encryption.

Typically I don't publish my keys to any key-servers, but the use of a public key-server is highly recommended. This allow for ANYbody to find if you have a published PGP key, & to send you encrypted data. This save them from the hassle of calling, or emailing you just to ask for your public-key or to see if you even have one.

Most advance mail clients, also has hooks into using PGP or GNUpg or some means to build profile to encrypt data to certain receiptients. Even firefox has a plugin to use gpg within the browser.

Now let's get to business

1st to use gpg ( GNU answer to legacy PGP ) we need to craft a keypair. Keep in mind the following;

a bigger key is more secured
the public key is just that, public that anybody you give it to ca encrypt data
the private key is, well you guess it ..................."Private"

Just like you bank PIN is private, the private-key has to be secured. And what we mean by that;

file permission read/write access
storage/location should be scured
and any controls to who can access it

Without all of the above, then your level of security is removed or greatly reduce.

Just like you don't let a stranger have access to your bank accounts, social media accounts, or access to your PIN. You don't let just anybody have access to your private-key. Very simple put,   "guard this key ". If you feel the key is compromised, than easy, revocate the key and/or just stop using it.

To craft the keypair, it's a quite simple process. For the 1st timer, it's intimidating at 1st but in reality; it's quick and painless.

GNUpg

gpg --gen-key

i.e

admin@ip-10-253-84-200:~$ gpg --gen-key
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

And pick one or use the default. Since I have a gpg key for testing, I'm making a 2nd key for socpuppets and using the default type of #1.

The process is guided and you will need to do a few things; set the name, keysize, and phassphrase

admin@ip-10-253-84-200:~$ gpg --gen-key
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits

Please specify how long the key should be valid.
         0 = key does not expire
      <n> = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y

Key expires at Thu May 1 21:56:12 2014 UTC
Is this correct? (y/N) Y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: "SocPuppets(Soc Puppets) kfelix@socpuppets.com"
Email address: kfelix@socpuppets.com
Comment: Here's my key that I will push to public key-servers for GPG
You selected this USER-ID:
    ""SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to public key-servers for GPG) <kfelix@socpuppets.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 277 more bytes)

After all of the above, you will need to generate some random data. GPG is slick and will tell you how much more is need;

....+++++
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 92 more bytes)

When it's all satisfied , we will have a final key-pair that we can now distribute and use.

.+++++
gpg: key 65648519 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid:   2 signed:   0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2013-05-11
pub   2048R/65648519 2013-05-01 [expires: 2014-05-01]
      Key fingerprint = 5074 42E8 9832 4E1B 4B9F 2364 DBCC 9FB2 6564 8519
uid                  "SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to public key-servers for GPG) <kfelix@socpuppets.com>
sub   2048R/47FE2C38 2013-05-01 [expires: 2014-05-01]

The above step took me approx 12mins, and most of that was with; building the random data that GPG requires to build the keypair.

NOTE: It should be noted, please save the passphrase that you set for the key, and a large key size, will result in a longer time with creating the key-pair, so be patient. The passphrase is just as important as the private-key. As matter of fact, if the private-key was stolen, without the passphrase the intruder could not decrypt the data unless he/she conducts a massive brute force or dictionary attack against the passphrase. Also I should explain, you don't save the passphrase with the private-key in the same area. It would be like locking your file cabinet with a combo lock and writting the combination on the back of the lock.

To validate the key we look at local our key-ring;

gpg --list-key
/home/admin/.gnupg/pubring.gpg
------------------------------
pub   1024R/1C900594 2013-05-01 [expires: 2013-05-11]
uid                  "Ken Felix ( Ken felix ) kfelix@hyperfeed.com" (testing12345677890) <kfelix@hyperfeed.com>
sub   1024R/C55EF19F 2013-05-01 [expires: 2013-05-11]

pub   2048R/65648519 2013-05-01 [expires: 2014-05-01]
uid                  "SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to public key-servers for GPG) <kfelix@socpuppets.com>
sub   2048R/47FE2C38 2013-05-01 [expires: 2014-05-01]

Once you have the key crafted, you now have the choice of reviewing, and it would be added to your user local key-ring. This key ring is stored in your user directory. This key-ring would be used when you import keys from all of the contacts that you will send encrypted data to.

Up to this point; " you are mostly done & now we move on with securing your data or using the key".

To recap the 1st steps are;

Select a key size
Build a key, specifying the key-owner
set a phass-phrase ( save it you will need )
generate random data ( entropy )
review the key
export the "public-key" to a key-server ( optional) or distribute by whatever means

Okay so now you have a key-pair built, and let's say you don't publish on a key-server. Now what can you do?

Will easily, we can export the pub key and send it to whoever you want to have it. Maybe you have a small selective audience, and you want them only to have the key. So you distribute the key amongst your inner-circle so to speak.

Okay to export the key with GPG is quite simple, watch and learn;

admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$ gpg --output mykeyfordistribution --export kfelix@socpuppets.com
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$ ls -l mykey*
-rw-r--r-- 1 admin admin 1298 May 1 22:25 mykeyfordistribution
admin@ip-10-253-84-200:~$

Okay see how easy that was ?

If you don't publish via key-server , you will make your key available for download or distributed by others means. When I was 1st big into PGP , I had those mini-CDs that came out in the mid-to-late 90s, and I would push my resume, business cards, and just as important; my PGP keys to that device and hand them out at conventions or events.

Okay what next now ?

Will we have a key so how do I use it ? Will that depends on what you are going to do and what application your doing it with. I will show you " how to statically encrypt data " . I will make a simple text file, and send it thru a media/method for the "owner" of the private-key to decrypt. While all of this is done with the public-key only.

But 1st, I'm going to send this key to a public key server. But 1st let's see some of my existing keys, by searching for my user name/email on a public key-server.

Take note of the unique key-id.

So when we send a key, this id is what we later could use to import into our key ring. Remember not all creators publishs to a key server.

Be patience during publishing to a key-server. These key-server are slow with distributing amongst other key server, but it will be freely distributed. From the time I published this key, it took me a little over 22 mins for this specific key-server to show it.

And if you click that ID would be expand to ;

                  ^   ^

Yeap that's me  =( @ @ )=

Okay now with this newly key populated, anybody can retrieve that key and actually used it to send secured data to me, and only me. If they mistakenly send it to someone else, no-problem; " they don't have my "private-key", so they can't decrypted it". Trust me when I say; " this is secured".

Okay next,

We will now look at how a person who downs load that key actually encrypted data. The process is simple as the key-pair generation. One thing I want to add here, sometime when you have numerous keys, it get's very hard to track them and management of keypairs becomes harder than managing one keypair.

One tip; when sending data and the recipient is confused, provide him or her the key-ID used during the encryption. At one time I was very very bad with key management, and had a few keys out in the wild. It's best to just publish one public key imho, and to make it a 2K bits or bigger in key-size and good for 2+ years.

Okay to encrypt data, the sender of the data must get your public-key. So he/she would download the key from a public key-server or receive the key via some other means ( remember my miniCDs ) . This process does NOT have to be secured btw.

Using gpg we could ask for the public-key via the Key-ID;

i.e

sh-3.2$ gpg --recv-key 65648519
gpg: requesting key 65648519 from hkp server keys.gnupg.net
gpg: key 65648519: public key ""SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to public key-servers for GPG) <kfelix@socpuppets.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1 (RSA: 1)
sh-3.2$
sh-3.2$

and we list our key-ring out, it would show the key installed.

sh-3.2$ gpg --list-key kfelix
pub   1024R/1C900594 2013-05-01 [expires: 2013-05-11]
uid                  "Ken Felix ( Ken felix ) kfelix@hyperfeed.com" (testing12345677890) <kfelix@hyperfeed.com>
sub   1024R/C55EF19F 2013-05-01 [expires: 2013-05-11]

pub   2048R/65648519 2013-05-01 [expires: 2014-05-01]
uid                  "SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to public key-servers for GPG) <kfelix@socpuppets.com>
sub   2048R/47FE2C38 2013-05-01 [expires: 2014-05-01]

sh-3.2$

See how easy that was? We installed key-Id 65648519 into our key-ring.

Okay now with the key on our key-ring, we can encrypt data using that public-key or any key on our key-ring.

I'm going to build a simple text file and encrypted that file using gpg.

sh-3.2$ cat myfile
this is my secret that I want to send to my inner-circle; Ken Felix is one of the best network & security guy!
sh-3.2$

Okay now let's encrypt this;

sh-3.2$ gpg --encrypt myfile
You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID. End with an empty line: kfelix@socpuppets.com
gpg: 47FE2C38: There is no assurance this key belongs to the named user

pub 2048R/47FE2C38 2013-05-01 "SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to public key-servers for GPG) <kfelix@socpuppets.com>
Primary key fingerprint: 5074 42E8 9832 4E1B 4B9F 2364 DBCC 9FB2 6564 8519
      Subkey fingerprint: 34E4 1A2F 68CB B514 D1F0 3C63 31E5 8EE1 47FE 2C38

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) Y

Current recipients:
2048R/47FE2C38 2013-05-01 ""SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to public key-servers for GPG) <kfelix@socpuppets.com>"

Enter the user ID. End with an empty line:
sh-3.2$

Once again, did you see how easy that was. Yes, really... it was that easy.

Now we would send the data via whatever application/means and only kfelix @ socpuppets can decrypt the data if he has the private-key. So this process took unsecured data and encrypted the data.

sh-3.2$ ls -l myfile*
-rw-r--r-- 1 kfelix   Users 114 May 1 19:10 myfile
-rw-r--r-- 1 kfelix   Users 436 May 1 19:11 myfile.gpg

sh-3.2$ md5 myfile*gpg
MD5 (myfile.gpg) = 2f1fcfd53038d1817d6eb7db275c5bb8

sh-3.2$ file myfile*
myfile:     ASCII English text
myfile.gpg: data

This is what the gov is all up in arms about, simple effective military grade encryption in the hands of civilians.

The US has been the leader in digital cryptology for decades, and we as in the general population, have access to strong encryption, and just with using a basic computer. This is a big step up from my days in the military and using STUIII or KG48A.

Almost every OSes systems has some hooks or means into PGP, including my MACOSX.

I hope you found this post useful and will start securing your data. In the upcoming weeks, I will start a post of fs/volume encryption on macosx.

Ken Felix
Freelance Network/Security Engineer
kfelix -----at----- hyperfeed ------dot----com

Ken Felix Security Blog

Thursday, May 2, 2013

A quick look at PGP and encryption

1 comment: