Basics of PGP encryption.
Symmetric ciphers, public-key ciphers, and one-way hashing
Products
a) Open source and commercial implementation
b) Platforms supported.
c) Compiling GnuPG system on Unix and Windows platforms.
Key Management
a) Generating public and private keys.
b) Pass phrases.
c) Securing private keys. Key servers.
d) Key expiration and revocation.
Examples of using PGP.
a) Perl script for encrypting/decrypting a file.
b) Email-clients support
Case study
a) Notification email.
b) Encrypted FTP.
c) Private VPN.
d) Super-secure system for "house" data.
References:
An Introduction to Cryptography
GnuPG
PGP Corporation
Network
Associates
The International PGP Home Page
The very nice overview of cryptography concepts is here.
GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate. GnuPG uses a somewhat more sophisticated scheme in which a user has a primary keypair and then zero or more additional subordinate keypairs. The primary and subordinate keypairs are bundled to facilitate key management and the bundle can often be considered simply as one keypair.
GPG makes uses of several cryptographic concepts including symmetric ciphers, public-key ciphers, and one-way hashing.
A symmetric cipher is a cipher that uses the same key for both encryption and decryption. Two parties communicating using a symmetric cipher must agree on the key beforehand. Once they agree, the sender encrypts a message using the key, sends it to the receiver, and the receiver decrypts the message using the key. As an example, the German Enigma is a symmetric cipher, and daily keys were distributed as code books. Each day, a sending or receiving radio operator would consult his copy of the code book to find the day's key. Radio traffic for that day was then encrypted and decrypted using the day's key. Modern examples of symmetric ciphers include 3DES, Blowfish, and IDEA.
A good cipher puts all the security in the key and none in the algorithm. In other words, it should be no help to an attacker if he knows which cipher is being used. Only if he obtains the key would knowledge of the algorithm be needed. The ciphers used in GnuPG have this property.
Since all the security is in the key, then it is important that it be very difficult to guess the key. In other words, the set of possible keys, i.e., the key space, needs to be large. While at Los Alamos, Richard Feynman was famous for his ability to crack safes. To encourage the mystique he even carried around a set of tools including an old stethoscope. In reality, he used a variety of tricks to reduce the number of combinations he had to try to a small number and then simply guessed until he found the right combination. In other words, he reduced the size of the key space.
Britain used machines to guess keys during World War 2. The German Enigma had a very large key space, but the British built specialized computing engines, the Bombes, to mechanically try keys until the day's key was found. This meant that sometimes they found the day's key within hours of the new key's use, but it also meant that on some days they never did find the right key. The Bombes were not general-purpose computers but were precursors to modern-day computers.
Today, computers can guess keys very quickly, and this is why key size is important in modern cryptosystems. The cipher DES uses a 56-bit key, which means that there are 256 possible keys. 256 is 72,057,594,037,927,936 keys. This is a lot of keys, but a general-purpose computer can check the entire key space in a matter of days. A specialized computer can check it in hours. On the other hand, more recently designed ciphers such as 3DES, Blowfish, and IDEA all use 128-bit keys, which means there are 2128 possible keys. This is many, many more keys, and even if all the computers on the planet cooperated, it could still take more time than the age of the universe to find the key.
The primary problem with symmetric ciphers is not their security but with key exchange. Once the sender and receiver have exchanged keys, that key can be used to securely communicate, but what secure communication channel was used to communicate the key itself? In particular, it would probably be much easier for an attacker to work to intercept the key than it is to try all the keys in the key space. Another problem is the number of keys needed. If there are n people who need to communicate, then n(n-1)/2 keys are needed for each pair of people to communicate privately. This may be OK for a small number of people but quickly becomes unwieldy for large groups of people.
Public-key ciphers were invented to avoid the key-exchange problem entirely. A public-key cipher uses a pair of keys for sending messages. The two keys belong to the person receiving the message. One key is a public key and may be given to anybody. The other key is a private key and is kept secret by the owner. A sender encrypts a message using the public key and once encrypted, only the private key may be used to decrypt it.
This protocol solves the key-exchange problem inherent with symmetric ciphers. There is no need for the sender and receiver to agree upon a key. All that is required is that some time before secret communication the sender gets a copy of the receiver's public key. Furthermore, the one public key can be used by anybody wishing to communicate with the receiver. So only n keypairs are needed for n people to communicate secretly with one another.
Public-key ciphers are based on one-way trapdoor functions. A one-way function is a function that is easy to compute, but the inverse is hard to compute. For example, it is easy to multiply two prime numbers together to get a composite, but it is difficult to factor a composite into its prime components. A one-way trapdoor function is similar, but it has a trapdoor. That is, if some piece of information is known, it becomes easy to compute the inverse. For example, if you have a number made of two prime factors, then knowing one of the factors makes it easy to compute the second. Given a public-key cipher based on prime factorization, the public key contains a composite number made from two large prime factors, and the encryption algorithm uses that composite to encrypt the message. The algorithm to decrypt the message requires knowing the prime factors, so decryption is easy if you have the private key containing one of the factors but extremely difficult if you do not have it.
As with good symmetric ciphers, with a good public-key cipher all of the security rests with the key. Therefore, key size is a measure of the system's security, but one cannot compare the size of a symmetric cipher key and a public-key cipher key as a measure of their relative security. In a brute-force attack on a symmetric cipher with a key size of 80 bits, the attacker must enumerate up to 280 keys to find the right key. In a brute-force attack on a public-key cipher with a key size of 512 bits, the attacker must factor a composite number encoded in 512 bits (up to 155 decimal digits). The workload for the attacker is fundamentally different depending on the cipher he is attacking. While 128 bits is sufficient for symmetric ciphers, given today's factoring technology public keys with 1024 bits are recommended for most purposes.
Public-key ciphers are no panacea. Many symmetric ciphers are stronger from a security standpoint, and public-key encryption and decryption are more expensive than the corresponding operations in symmetric systems. Public-key ciphers are nevertheless an effective tool for distributing symmetric cipher keys, and that is how they are used in hybrid cipher systems.
A hybrid cipher uses both a symmetric cipher and a public-key cipher. It works by using a public-key cipher to share a key for the symmetric cipher. The actual message being sent is then encrypted using the key and sent to the recipient. Since symmetric key sharing is secure, the symmetric key used is different for each message sent. Hence it is sometimes called a session key.
Both PGP and GnuPG use hybrid ciphers. The session key, encrypted using the public-key cipher, and the message being sent, encrypted with the symmetric cipher, are automatically combined in one package. The recipient uses his private-key to decrypt the session key and the session key is then used to decrypt the message.
A hybrid cipher is no stronger than the public-key cipher or symmetric cipher it uses, whichever is weaker. In PGP and GnuPG, the public-key cipher is probably the weaker of the pair. Fortunately, however, if an attacker could decrypt a session key it would only be useful for reading the one message encrypted with that session key. The attacker would have to start over and decrypt another session key in order to read any other message.
A hash function is a many-to-one function that maps its input to a value in a finite set. Typically this set is a range of natural numbers. A simple hash function is f(x) = 0 for all integers x. A more interesting hash function is f(x) = x mod 37, which maps x to the remainder of dividing x by 37.
A document's digital signature is the result of applying a hash function to the document. To be useful, however, the hash function needs to satisfy two important properties. First, it should be hard to find two documents that hash to the same value. Second, given a hash value it should be hard to recover the document that produced that value.
Some public-key ciphers could be used to sign documents. The signer encrypts the document with his private key. Anybody wishing to check the signature and see the document simply uses the signer's public key to decrypt the document. This algorithm does satisfy the two properties needed from a good hash function, but in practice, this algorithm is too slow to be useful.
An alternative is to use hash functions designed to satisfy these two important properties. SHA and MD5 are examples of such algorithms. Using such an algorithm, a document is signed by hashing it, and the hash value is the signature. Another person can check the signature by also hashing their copy of the document and comparing the hash value they get with the hash value of the original document. If they match, it is almost certain that the documents are identical.
Of course, the problem now is using a hash function for digital signatures without permitting an attacker to interfere with signature checking. If the document and signature are sent unencrypted, an attacker could modify the document and generate a corresponding signature without the recipient's knowledge. If only the document is encrypted, an attacker could tamper with the signature and cause a signature check to fail. A third option is to use a hybrid public-key encryption to encrypt both the signature and document. The signer uses his private key, and anybody can use his public key to check the signature and document. This sounds good but is actually nonsense. If this algorithm truly secured the document it would also secure it from tampering and there would be no need for the signature. The more serious problem, however, is that this does not protect either the signature or document from tampering. With this algorithm, only the session key for the symmetric cipher is encrypted using the signer's private key. Anybody can use the public key to recover the session key. Therefore, it is straightforward for an attacker to recover the session key and use it to encrypt substitute documents and signatures to send to others in the sender's name.
An algorithm that does work is to use a public key algorithm to encrypt only the signature. In particular, the hash value is encrypted using the signer's private key, and anybody can check the signature using the public key. The signed document can be sent using any other encryption algorithm including none if it is a public document. If the document is modified the signature check will fail, but this is precisely what the signature check is supposed to catch. The Digital Signature Standard (DSA) is a public key signature algorithm that works as just described. DSA is the primary signing algorithm used in GnuPG.
PGP Corporation offers a limited-capability version of PGP Mail for
individual, non-commercial use.
PGP Freeware product capabilities/limitations:
The following is excerpt from description of one of their products - PGP Corporate Desktop
PGP Corporate Desktop includes the PGP Admin and PGP Keyserver tools, allowing IT administrators to create and manage each seat as well as centrally control desktop security. PGP Corporate Desktop enables consistent, cohesive IT management of key and desktop client policies throughout the enterprise.
PGP Corporate Desktop integrates enterprise versions of PGP Mail for secure messaging and PGP Disk for secure information storage, ensuring that a company's confidential information is protected by strong security no matter where it resides-in transit from senders' to recipients' computers, stored on the desktop, and all points in between. It integrates with mainstream email applications (Outlook, Outlook Express, Eudora, Entourage, and Apple Mail) and popular mail servers (Microsoft Exchange, Lotus Notes, and Novell GroupWise) and interoperates with traditional X.509-based certificates and existing PKIs.
| Sample screen-shot: |
|
McAfee E-Business Server protects sensitive data with 128-bit PGP encryption and data authentication, while allowing IT administrators and developers to embed automatic encryption, decryption, digital signing and verification into countless applications. McAfee E-Business Server runs on a variety of Windows and UNIX platforms, as well as IBM mainframes. E-Business Server is ideal for securing batch processes and transferring information between desktops for secure storage, or between applications for secure processing. Using optional native APIs for Java, Perl and Com, E-Business Server makes it easy for administrators and developers to integrate confidentiality into applications and processes that would otherwise be open to attack or theft by hackers and disgruntled employees.
| Microsoft® Windows® NT and Windows® 2000. |
| AIX, HP-UX, Linux, SuSE Linux 2, 2.16+ and zSeries, Solaris and OS/390. |
| Intel® Pentium® III chipset RNG [Random Number Generator] feature. |
The official open source site is: GnuPG Homepage . The site contains download links that include source files as well as compiled binaries. There are a lot of documentation on that site, including HowTos, Manuals, and examples.
GnuPG compiles and runs on many more systems. There are positive reports on these systems:
It is possible to download GNUPG from
GNUPG Homepage. It is possible to download either binaries or source code
and compile it. The process is quite simple:
The latest releaze is 1.2.3 . Notice that it is recommended to download file
from FTP site. Do not forget to set Binary option.
URL
.
Unpack the package:
gunzip gnupg-1.2.3.tar.gz | tar xvzf gnupg-1.2.3.tar.gz
After the unpack, please step into the directory containing the source code. Then type
./configure
to prepare compilation options.
Compile:
make
Now type:
make install
to actually copy the program and the man-pages into the installation
directory. If you didn't change the installation directory when you did
./configure the usr/local/share/gnupg/ will be the installation
directory. You can find this directory in the file options.skel.
When you change this options.skel. If you copy this to ~/.gnupg/options
the appropriate adjustments will be used as standard. Copying should occur
automatically when creating ~/.gnupg/. All possible options are
well documented.
################################################################
sub GPGEncryptFile($$$)
{
my ($publicKey, $fileIn, $fileOut ) = @_;
my $tempLogFile = UniqueTempFileName(__LINE__);
my $cmd = "gpg.exe" .
" --batch" . # batch mode, no prompts, ever !
" --yes" . # answer yes to overwrite file prompt
" --textmode" . # use canonical text mode
" --logger-fd 1" . # redirect stderr into stdout
" -o $fileOut" . # output file
" -r $publicKey" . # user name
" -e $fileIn" . # file to encrypt
" > $tempLogFile"; # catch stdout and stderr
my $ret_code = system($cmd) / 256;
open ( PGPERRLOG, "$tempLogFile");
my @txt = ;
close PGPERRLOG;
unlink $tempLogFile;
unless ( $ret_code == 0 ) {
return die("Failed to encrypt $fileIn.\nReturn Code = $ret_code\n@txt");
}
return 1;
}
################################################################
sub GPGUnencrypt($$$)
{
my ( $encryptedFileName, $decryptedFileName, $passphrase ) = @_;
my $tempLogFile = UniqueTempFileName(__LINE__);
my $cmd = "gpg " .
"--batch -q " .
"--passphrase-fd 0 " .
"--logger-fd 1 " .
"-o $decryptedFileName " .
"-d $encryptedFileName " .
"> $tempLogFile";
local $SIG{PIPE} = sub {
die( "[$cmd] raised a Signal exception.");
};
open ( FH, "|$cmd ") or die " Failed to start GnuPG process $!";
print FH $passphrase;
my $closeCode = close(FH);
my $retCode = $? / 256;
open ( PGPERRLOG, "$tempLogFile");
my @txt = ;
close PGPERRLOG;
unlink $tempLogFile;
unless ( $closeCode and 0 == $retCode ) {
die( "Failed to decrypt $encryptedFileName.\nReturn Code = $retCode\n@txt");
}
}
Using GnuPG to encrypt email is one of the most popular uses. Several mail clients or mail user agents (MUAs) support GnuPG to varying degrees. Simplifying a bit, there are two ways mail can be encrypted with GnuPG: the "old style" ASCII armor (i.e. cleartext encryption), and RFC 2015 style (previously PGP/MIME, now OpenPGP). The latter has full MIME support. Some MUAs support only one of them, so whichever you actually use depends on your needs as well as the capabilities of your addressee. As well, support may be native to the MUA, or provided via "plug-ins" or external tools.
The following list is not exhaustive:
MUA OpenPGP ASCII How? (N,P,T) ------------------------------------------------------------- Calypso N Y P (Unixmail) Elm N Y T (mailpgp,morepgp) Elm ME+ N Y N Emacs/Gnus Y Y T (Mailcrypt,gpg.el) Emacs/Mew Y Y N Emacs/VM N Y T (Mailcrypt) Evolution Y Y N Exmh Y Y N GNUMail.app Y Y P (PGPBundle) GPGMail Y Y N KMail (<=1.4.x) N Y N KMail (1.5.x) Y(P) Y(N) P/N Mozilla Y Y P (Enigmail) Mulberry Y Y P Mutt Y Y N Sylpheed Y Y N Sylpheed-claws Y Y N TkRat Y Y N XEmacs/Gnus Y Y T (Mailcrypt) XEmacs/Mew Y Y N XEmacs/VM N Y T (Mailcrypt) XFmail Y Y N N - Native, P - Plug-in, T - External Tool
The following table lists proprietary MUAs. The GNU Project suggests against the use of these programs, but they are listed for interoperability reasons for your convenience.
MUA OpenPGP ASCII How? (N,P,T) ------------------------------------------------------------- Apple Mail Y Y P (GPGMail) Becky2 Y Y P (BkGnuPG) Eudora Y Y P (EuroraGPG) Eudora Pro Y Y P (EudoraGPG) Lotus Notes N Y P Netscape 4.x N Y P Netscape 7.x Y Y P (Enigmail) Novell Groupwise N Y P Outlook N Y P (G-Data) Outlook Express N Y P (GPGOE) Pegasus N Y P (QDPGP,PM-PGP) Pine N Y T (pgpenvelope,(gpg|pgp)4pine) Postme N Y P (GPGPPL) The Bat! N Y P (Ritlabs)
Good overviews of OpenPGP-support can be found at:
<http://www.openpgp.fr.st/courrier_en.html>
and
<http://www.bretschneidernet.de/tips/secmua.html>
.
Users of Win32 MUAs that lack OpenPGP support may look into using GPGrelay <http://gpgrelay.sourceforge.net> , a small email-relaying server that uses GnuPG to enable many email clients to send and receive emails that conform to PGP-MIME (RFC 2015).
The TALX Corporation has several lines of business. Only two of them are covered in this case study - The Work Number and ePayroll. The Work Number maintains a database of employment records. Currently database contains more than 80 million records on file. The database size is about terabyte. In order to keep database up to date, the clients regularly send updates. Since the amount of data is huge, the process of loading the data is automated as much as possible. Unfortunately, not everything could be automated. Some clients, for example, still use outdated technology, and the company has to accomodate them. Another interesting fact is that for some clients load time is approaching 24 hours.
As you can understand, the problems of privacy and security is of paramount importance. Security breach might well lead to law suits, broken client trust, and business failure.
So, any data transfer process is scrutinized thoroughly and only industry standard methods are used. The following methods are employed for mass data transfer:
No data is ever sent outside the itranet using plain e-mail.! eMail is used only for notification that the data received or processed. In case there were client errors in the data, eMail only notifies of the fact. Error log is encrypted and, once again, put on FTP server for the client to retrieve.
Physical security. All processing computers are located in data center, with restricted list of people who may access them. Data center is always locked using magnetic card lock. Operator is present in data center 24 by 7 by 365.
Login security. Only very resticted list of people have accounts on processing boxes. Even less have access to production database. Password policy requires password change every three months. Every time member of operations, database, or development department leaves the job, passwords are immediately changed.
Firewall. Datacenter is located behind special firewall ( DMZ ). Outside access to any computer in DMZ requires secure card login.
PGP pass phrases used for automated file processing are stored in special database. No data in plain text is present at any time on processing machine.
Special case. TALX uses it's own product - ePayroll - for paperless payroll distribution. The system that contains payroll information for TALX employees is protected in a special way. Only two persons from accounting have login information to that computer. They were trained to load data themself. Database is loaded on the same machine. The only time when somebody else has access is during code promotion, and even in this case one of "responsible accountants" is physically present.
Reminder: Public keys are distributed to your correspondents. They use it to encrypt data that is sent to you. Corresponding Private key is used to decrypt the data you receive.
Copy gpg.exe into Winnt directory or add directory where gpg.exe is located into the PATH environment variable.
Execute gpg.exe once. It will create c:\gnupg directory for configuration files.
From command line execute command:
gpg --gen-key<ENTER>
1<ENTER> - To select
DSA and ElGamal (default) key type
<ENTER> - to select 1024 bits key size
Specify how long the key should be valid.
Specify User ID
Specify passphrase
See 4.2.1.11 for a sample session.
Gpg --list-keys
Gpg --list-secret-keys
Revocation certificate is needed in case someone gets knowledge of your secret key or you forgot your passphrase
gpg --gen-revoke your_user_id
Sample : gpg --gen-revoke tester
Run this command and store the revocation certificate away. The output is always ASCII armored, so that you can print it and (hopefully never) re-create it if your electronic media fails.
Public keys are exchanged between TALX and Customers.
To export public key for a user "Tester" into file "output.file":
gpg -o output.file --export tester
To export public key for a user "Tester" into file "output.file" in format suetable for transmition by email:
gpg -o output.file --armor --export tester
Private key should be exported from the key server and imported on each application server that is supposed to be able to decrypt data sent to TALX.
To export private key for a user "Tester" into file "output.file":
Gpg -o output.file --export-secret-keys tester
Note. Corresponding public key should also be imported on the target system before gpg is able to decrypt. As a result, you may want to execute the following 2 commands as a batch:
gpg -o output.file --export tester
Gpg --export-secret-keys tester >> output.file
gpg --import [filenames]
Note that GnuPG does not import keys that are not self-signed.
Set the trust value of the key:
Gpg -edit-key [PublicKey] <ENTER>
"trust"<ENTER>
4<ENTER> // to trust ultimately. Other value as appropriate.
Quit<ENTER> // "trust" option updates immediately and no save is required.
The listing shows you the key with its secondary keys and all user ids. Selected keys or user ids are indicated by an asterisk. The trust value is displayed with the primary key: the first is the assigned owner trust and the second is the calculated trust value.
Letters are used for the values:
- No ownertrust assigned / not yet calculated.
e Trust calculation has failed; probably due to an expired key.
q Not enough information for calculation.
n Never trust this key.
m Marginally trusted.
f Fully trusted.
u
Ultimately trusted.
gpg --allow-secret-key-import --import [filenames]
To encrypt a file "FileName.ext" into file "NewFileName.NewExt" using public key of the user "Tester"
gpg -e -o NewFileName.NewExt -r tester FileName.ext
To mail a public key or put it on a web page you have to create the key in ASCII armored format:
gpg -ea -o NewFileName.NewExt -r tester FileName.ext
To decrypt a file EncryptedFile.gpg that was encrypted using public key of the user TalxUser. Corresponding pass phrase - "secure passphrase". Outputfile - DecryptedFile.xml.
Interactively from command line:
gpg -o DecryptedFile.xml -d EncryptedFile.gpg
Non interactively from the batch file
echo secure passphrase| gpg --batch --passphrase-fd 0 -o DecryptedFile.xml -d EncryptedFile.gpg
Note. There is one space separating echo command and the start of the passphrase and there is no spaces between last character of the passphrase and the pipe symbol |.
Non interactively from the Perl script:
$cmd = "gpg --batch -q --passphrase-fd 0 -o DecryptedFile.xml -d EncryptedFile.gpg";
open ( FH, "|$cmd ") or die " Failed to start GnuPG process $!";
local $SIG{PIPE} = sub { die "GnuPG process failed to execute." };
print FH " secure passphrase";
close FH or die "Bad command $! $?";
$returnCode = $? / 256;
Note. User input values are underlined and have blue background.
D:\GPG>gpg --gen-key
gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software
Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute
it
under certain conditions. See the file COPYING for details.
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
Your selection? 1_
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048
bits
What keysize do you want? (1024)
_
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 =
key does not expire
<n> = key expires in n
days
<n>w = key
expires in n weeks
<n>m = key
expires in n months
<n>y = key
expires in n years
Key is valid for? (0) 45_
Key expires at
Is this correct (y/n)? y_
You need a User-ID to identify your key; the software
constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter)
<heinrichh@duesseldorf.de>"
Real name: Tester
Email address: tester@dummy.com
Comment: _
You selected this USER-ID:
"Tester <tester@dummy.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
*********
gpg:
NOTE: you should run 'diskperf -y' to enable the disk statistics
We
need to generate a lot of random bytes. It is a good idea to perform
some
other action (type on the keyboard, move the mouse, utilize the
disks)
during the prime generation; this gives the random number
generator
a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++..++++++++++.++++++++++++++++++++.+++++...+++
++++++++++++.++++++++++++++++++++.++++++++++++++++++++++++++++++..........+++++
gpg:
NOTE: you should run 'diskperf -y' to enable the disk statistics
We
need to generate a lot of random bytes. It is a good idea to perform
some
other action (type on the keyboard, move the mouse, utilize the
disks)
during the prime generation; this gives the random number
generator
a better chance to gain enough entropy.
.+++++++++++++++.+++++++++++++++.+++++++++++++++.+++++.++++++++++++++++++++.++++
++++++++++++++++++++++++++++++++++++..++++++++++.+++++.+++++>+++++.............+
++++^^^
public
and secret key created and signed.
D:\GPG>