Thursday, May 2, 2013

A quick look at PGP and encryption

In this post we will look at how easily it is to use Public Key  and encryption. 1st what  is it ?

Simple PKI is a means to secure and to send data with the sender not having the recipient key. What this means; we need a way to quickly and effectively send secure data,  while being  immune to prying eyes like a intruder, man-in-the-middle ( MiTM ) or from a higher authority ( i.e US gov ). And to do this all,  with no key-exchange process between parties.  PGP provide all of this & more.

In my example, I 'm using  GNUpg for this demo.  Your choice of PGP or GNUpg,  will depends on what major camp/crowd that you like. But GNUpg is not restricted, as in PGP and uses the open licensed  CAST128 encryption.

Typically I don't publish my keys to  any key-servers, but the use of a public key-server is highly recommended. This allow for ANYbody to find if you have a published PGP key, & to send you  encrypted data.  This save them from the hassle of calling, or emailing you just to ask for your public-key or to see if you even have one.

Most advance mail clients, also has hooks into  using  PGP or GNUpg or some means to build profile to encrypt data to certain  receiptients.  Even firefox has a plugin to use gpg within the browser.

Now let's get to business

1st to use gpg ( GNU answer to legacy PGP ) we need to craft a keypair. Keep in mind the following;
  • a bigger key is more secured
  • the public key is just that, public that anybody you give it to ca encrypt data
  • the private key is,  well you guess it ..................."Private"

Just like you bank PIN is private, the private-key has to be secured. And what we mean by that;

  •  file permission read/write access
  •  storage/location should be scured
  •  and any controls to who can access it
Without  all of the above,  then your level of security is removed or greatly reduce.

Just like you don't let a stranger  have access to your bank accounts, social media accounts,  or access to your PIN. You don't let just anybody have access to your private-key. Very simple put,   "guard this key ". If you feel the key is compromised, than easy, revocate the key and/or just stop using it.

To craft the keypair, it's a quite simple process. For the 1st timer, it's  intimidating at 1st  but in reality; it's quick and painless.

GNUpg

gpg --gen-key

i.e

admin@ip-10-253-84-200:~$ gpg --gen-key
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?


And pick one or use the default. Since I have a gpg key for testing, I'm making a 2nd key for socpuppets and using the default type of #1.

The process is guided and you will need to do a few things; set the name, keysize, and phassphrase


 admin@ip-10-253-84-200:~$ gpg --gen-key
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1


RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
 

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
 

Key expires at Thu May  1 21:56:12 2014 UTC
Is this correct? (y/N) Y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: "SocPuppets(Soc Puppets) kfelix@socpuppets.com"
Email address: kfelix@socpuppets.com
Comment: Here's my key that I will push to  public key-servers for GPG
You selected this USER-ID:
    ""SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to  public key-servers for GPG) <kfelix@socpuppets.com>"


Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 277 more bytes)


After all of the above, you will need to generate some random data. GPG is slick and will tell you how much more is need;

....+++++
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 92 more bytes)


When it's  all satisfied , we will have a final  key-pair that we can now distribute and use.


.+++++
gpg: key 65648519 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2013-05-11
pub   2048R/65648519 2013-05-01 [expires: 2014-05-01]
      Key fingerprint = 5074 42E8 9832 4E1B 4B9F  2364 DBCC 9FB2 6564 8519
uid                  "SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to  public key-servers for GPG) <kfelix@socpuppets.com>
sub   2048R/47FE2C38 2013-05-01 [expires: 2014-05-01]





The above step took me approx 12mins, and most of that was with;  building the random data that GPG requires to build the keypair.


NOTE: It should be noted, please save the passphrase that you set for the key, and a large key size, will result in a longer time with creating the  key-pair, so be patient. The passphrase is just as important as the private-key. As matter of fact, if the private-key was stolen, without the passphrase the  intruder could not decrypt the data unless he/she conducts a massive  brute force or dictionary attack against the passphrase. Also I should explain, you don't save the passphrase with the private-key in the same area. It would be like locking your file cabinet with a combo lock and writting the combination on the back of the lock.


To validate the key we look at local our key-ring;

gpg --list-key
/home/admin/.gnupg/pubring.gpg
------------------------------
pub   1024R/1C900594 2013-05-01 [expires: 2013-05-11]
uid                  "Ken Felix ( Ken felix ) kfelix@hyperfeed.com" (testing12345677890) <kfelix@hyperfeed.com>
sub   1024R/C55EF19F 2013-05-01 [expires: 2013-05-11]

pub   2048R/65648519 2013-05-01 [expires: 2014-05-01]
uid                  "SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to  public key-servers for GPG) <kfelix@socpuppets.com>
sub   2048R/47FE2C38 2013-05-01 [expires: 2014-05-01]




Once you have the key crafted, you now have the choice of reviewing, and it would be added to your user local key-ring. This key ring is stored in your user directory. This key-ring would be used when you import keys from all of the contacts that you will send encrypted data to.

Up to this point; " you are mostly done & now we move on with securing your data or using the key".

To recap  the 1st steps are;
  • Select a key size
  • Build a key,  specifying the key-owner
  • set a phass-phrase ( save it you will need )
  • generate random data ( entropy )
  • review the key 
  • export the "public-key"  to a key-server ( optional)  or distribute by whatever means

Okay so now you have a key-pair built,  and let's say you don't publish on a key-server. Now what can you do?

Will easily,  we can export the pub key and send it to whoever you want to have it. Maybe you have a small selective audience,   and you want them only to have the key. So  you distribute the key amongst your inner-circle so to speak.

Okay to export the key with GPG is quite simple, watch and learn;

admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$ gpg --output mykeyfordistribution --export kfelix@socpuppets.com
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$ 

admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$
admin@ip-10-253-84-200:~$ ls -l mykey*
-rw-r--r-- 1 admin admin 1298 May  1 22:25 mykeyfordistribution
admin@ip-10-253-84-200:~$



Okay see how easy that was ?


If you don't publish via key-server ,  you will make your key available for download or distributed by others means. When I was 1st big into PGP , I had those mini-CDs that came out in the mid-to-late 90s,  and I would push my resume, business cards, and just as important;  my PGP keys to that device and hand them out at conventions or events.

Okay what next now ?

Will we have a key so how do I use it ? Will that depends on what you are going to do and what application your doing it with. I will show you "  how to statically  encrypt data " . I will make a simple text file,  and send it thru a media/method for the "owner" of the private-key to decrypt. While all of this is done with the public-key only.

But 1st, I'm going to send this key to a public key server. But 1st let's see some of my existing keys, by searching for my user name/email on a public key-server.





Take note of the unique key-id.


So when we send a key, this id is what we later could use to  import into our key ring. Remember not  all creators publishs to a key server.

Be patience during publishing to a key-server. These key-server are slow with distributing amongst other key server, but it will be freely distributed. From the time I published this key,  it took me a little over 22 mins for this specific key-server to show it.


And if you click that ID  would be expand to ;


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.0

mQENBFGBj98BCACcxHQwpu6t1bu1w+Xu7P/tVznBMJqoapLQv33Xj7ELuwfaeqOVfhvzsvQd
UXKrfB1+2mxE0dE9R1S5SNP4UvzQhQBuhug3hA2U5gmViJCw04TzETiVjrbBE3CngLo0qYV6
5z1EB3xphKoXKkZEHIIEprzVlgAb9kO2evg3ZqC0kjOYP/RNlbZaJCnLghcwsb0kWF8PJPZb
w7aIdCHSAX6mrhYwLRz3fxSDPykKANOYqUVsYos20vquqxL2HF6zFNCwFkYXAFh3fF2B6YH2
utc86FUBNwHSQ+dIDXORGc0WRE8E2n0/lt/m1o3oG3OcPACrYTWiU6dprhlTUOnM4NcnABEB
AAG0hyJTb2NQdXBwZXRzKFNvYyBQdXBwZXRzKSBrZmVsaXhAc29jcHVwcGV0cy5jb20iIChI
ZXJlJ3MgbXkga2V5IHRoYXQgSSB3aWxsIHB1c2ggdG8gIHB1YmxpYyBrZXktc2VydmVycyBm
b3IgR1BHKSA8a2ZlbGl4QHNvY3B1cHBldHMuY29tPokBPgQTAQIAKAUCUYGP3wIbAwUJAeEz
gAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ28yfsmVkhRmwFwf9Er2aq3/YnGMK4L2Q
g16rg+wPVu7JKvcZVQU7po/FPG7LUkoMxgrH1MznSw1tPw7p5oOdqS5mUfNj25/jeqHxqQW8
xvww2DpYYnCLmoiiV98+vyL0lULbnNBagzAkvJLmfLzCi3W8QlgKRZvdDZBYLWs8TMXD8spJ
Xuf50UF/iJaOxfJoLKkjPgSkJGZbEHZumXzem4vAB4WQl9xzoHKiKmApzU9nQyAC9CTNo7pB
cfq9+6z01+2v+LinKMJox4dfYfD7mmX6PVXbu20F2riAkUy+h+Q4dvf8vuk/xkMqRHTUWR/D
nvyXqgp1bszpgq8VO+j5t9Fd9X6YIsTeVG/Y8LkBDQRRgY/fAQgAyIYgPGFXT1Kd5hbQ6jls
1IGRTZfWMA1dVGB7l/C49a+6riBwgxzyjQl0QDhhsK7P4g3Wt6P0Uz+Ri43htmaa3hQFkG3/
BUHybju3J5v3QFf6ClFnjTH1K0Jh/hj2vcEvVpcNRPxzvYAnbaFimCoCn7OQ75YYNhTY+9iz
p6PTQsAlFMPYwFrMM6UYJ0tElmQl3aRPTszlrUOFQjaIXh7tOKR5kePxhmf9b3eHgvAoGHFP
pcM99hdg7oiY3pzyf1V+qvuWq+YwSdR4LcAakRhjUUAEhWxdD/SenTIb4L5Dd/hiHwNyt9J3
KBlKPxpSf1SCcqfBPKuY0NAJ8AcH+GcdbQARAQABiQElBBgBAgAPBQJRgY/fAhsMBQkB4TOA
AAoJENvMn7JlZIUZdgEH/j9qy9S925Fz4wH7reyFF5jfTlnFZApvdv4purFTeESeXl6jV24N
x4FCniUg6FVMb9KhICFEeo8AKSpcl+eevOz/vlv8Hs5VtKxwhXb3KIICFkffWutS3MNH1nnD
NQ5hToEukbduT4eqsJUS9ktBTVwin72g670gIXGF1cnbC7ERz9ICClTkITpx1/nKZxq9B+iV
Kwf2M/EtOvpmZ2EF2oqMq6b1chRfJhs1D0CqT8+fFID9dRdf1cYM/9uT95QICjIJ/3VUNHLd
d8x70I3z3VfFdjgyOwjvXaGGwB/fuPzGkmARPWRTCSAYa7SQRqliRweE0RaOOO60CRThJSnr
0nU=
=wWNX
-----END PGP PUBLIC KEY BLOCK-----
 
                  ^   ^ 
Yeap that's me  =( @ @ )=
                    o
                    ~ 
 
 
Okay now with this newly key populated, anybody can retrieve that key and actually used it to send secured data to me,  and only me. If they mistakenly send it to someone else,   no-problem; " they don't have my "private-key",  so they can't decrypted it". Trust me when I say; "  this is  secured".


Okay next,

We will now look at how a person who downs load that key actually  encrypted data. The process is simple as the  key-pair generation. One thing I want to add here, sometime when you have numerous keys, it get's very hard to track them and management of keypairs becomes harder than managing one keypair.

One tip;  when sending data and the recipient is confused,  provide him or her the key-ID used during the encryption. At one time I was  very very bad with key management, and had a few keys out in the wild. It's best to just publish one public key imho,  and to  make it a 2K bits or bigger in key-size and good for  2+ years.

Okay to encrypt data, the sender of the data must get your public-key. So he/she would  download the key from a public key-server or receive the key via some other means ( remember my miniCDs ) . This process does NOT have to be secured btw.

Using gpg we could ask for the public-key via the Key-ID;

i.e

sh-3.2$ gpg --recv-key 65648519
gpg: requesting key 65648519 from hkp server keys.gnupg.net
gpg: key 65648519: public key ""SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to  public key-servers for GPG) <kfelix@socpuppets.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
sh-3.2$
sh-3.2$ 



and  we list our key-ring out, it would show the key installed.

sh-3.2$ gpg --list-key kfelix
pub   1024R/1C900594 2013-05-01 [expires: 2013-05-11]
uid                  "Ken Felix ( Ken felix ) kfelix@hyperfeed.com" (testing12345677890) <kfelix@hyperfeed.com>
sub   1024R/C55EF19F 2013-05-01 [expires: 2013-05-11]

pub   2048R/65648519 2013-05-01 [expires: 2014-05-01]
uid                  "SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to  public key-servers for GPG) <kfelix@socpuppets.com>
sub   2048R/47FE2C38 2013-05-01 [expires: 2014-05-01]

sh-3.2$ 


See how easy that was? We installed key-Id  65648519 into our key-ring.

Okay now with the key on our key-ring, we can encrypt data using that public-key or any key on our key-ring.

I'm going to build a simple text file and encrypted that file using gpg.

sh-3.2$ cat myfile
 this is my secret that I want to send to  my inner-circle; Ken Felix is one of the best network & security guy!
sh-3.2$


Okay now let's encrypt this;






sh-3.2$ gpg --encrypt myfile
You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: kfelix@socpuppets.com
gpg: 47FE2C38: There is no assurance this key belongs to the named user

pub  2048R/47FE2C38 2013-05-01 "SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to  public key-servers for GPG) <kfelix@socpuppets.com>
 Primary key fingerprint: 5074 42E8 9832 4E1B 4B9F  2364 DBCC 9FB2 6564 8519
      Subkey fingerprint: 34E4 1A2F 68CB B514 D1F0  3C63 31E5 8EE1 47FE 2C38

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) Y
                           
Current recipients:
2048R/47FE2C38 2013-05-01 ""SocPuppets(Soc Puppets) kfelix@socpuppets.com" (Here's my key that I will push to  public key-servers for GPG) <kfelix@socpuppets.com>"

Enter the user ID.  End with an empty line:
sh-3.2$ 
 

Once again, did you see how easy that was. Yes, really... it was that easy.


Now we would send the data  via whatever application/means and only kfelix @ socpuppets can decrypt the data if he has the private-key. So this process took unsecured  data and  encrypted  the  data.


sh-3.2$ ls -l myfile*
-rw-r--r--  1 kfelix   Users  114 May  1 19:10 myfile
-rw-r--r--  1 kfelix   Users  436 May  1 19:11 myfile.gpg
 


sh-3.2$ md5 myfile*gpg
MD5 (myfile.gpg) = 2f1fcfd53038d1817d6eb7db275c5bb8
 

sh-3.2$ file myfile*
myfile:     ASCII English text
myfile.gpg: data



This is what the gov is all up in arms about, simple effective military grade encryption in the hands of  civilians.




The US has been the leader in digital cryptology for decades,  and we as in the general population, have access to strong encryption, and just with using a basic  computer.  This is a big step up from my days in the military and using STUIII or KG48A.

Almost every OSes systems has some hooks or means into  PGP, including my  MACOSX.



I hope you found this post useful and  will start securing your data. In the upcoming weeks, I will start a post of fs/volume encryption on macosx.

Ken Felix
Freelance Network/Security Engineer
kfelix -----at----- hyperfeed ------dot----com

1 comment:

  1. This save them from the hassle of calling, or emailing you just to ask for your public-key or to see if you even have one.

    Pgp

    ReplyDelete