Tuesday, May 1, 2012

gpg

This post is about the Gnu Privacy Guard (gpg). A link from the main page leads to a download of an installer for OS X here.

I followed the Quick start tutorial here, and sent an encrypted email between two of my accounts using Mail after just a few minutes. Nice!

The lock and signature icons in the lower right-hand corner are only active if the recipient's public key is available.


Let's explore a bit in Terminal. First, generate a new key with a spectacularly weak passphrase: abc

> gpg --gen-key
gpg (GnuPG/MacGPG2) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)   
Requested keysize is 2048 bits   
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 4y
Key expires at Thu Apr 28 10:11:26 2016 EDT
Is this correct? (y/N) y
                        
GnuPG needs to construct a user ID to identify your key.

Real name: Alice
Email address: alice@email.com
Comment:                      
You selected this USER-ID:
    "Alice <alice@email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.    

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 6CC18DC3 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: next trustdb check due at 2015-08-18
pub   2048R/6CC18DC3 2012-04-29 [expires: 2016-04-28]
      Key fingerprint = A84B 4F1D A439 849F 47F1  55F9 BF7C FB80 6CC1 8DC3
uid                  Alice <alice@email.com>
sub   2048R/DC9C92B3 2012-04-29 [expires: 2016-04-28]

I have a feeling that this fake user's data may have been sent to the key server, and that's not nice. But I expected to get a prompt related to that and I didn't get one.

Let's take a quick look at what we have:

> gpg -k Alice
pub   2048R/6CC18DC3 2012-04-29 [expires: 2016-04-28]
uid                  Alice <alice@email.com>
sub   2048R/DC9C92B3 2012-04-29 [expires: 2016-04-28]

> gpg -k --fingerprint Alice
pub   2048R/6CC18DC3 2012-04-29 [expires: 2016-04-28]
      Key fingerprint = A84B 4F1D A439 849F 47F1  55F9 BF7C FB80 6CC1 8DC3
uid                  Alice <alice@email.com>
sub   2048R/DC9C92B3 2012-04-29 [expires: 2016-04-28]

>

-a is "ascii armored" base64 output:

> gpg -a --export 6CC18DC3
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

mQENBE+dTEUBCADWaa0ikPdHmp7OONsuhUJeIIr..
..
-----END PGP PUBLIC KEY BLOCK-----
>
> gpg -a --export-secret-key 6CC18DC3
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

lQO+BE+dTEUBCADWaa0ikPdHmp7OONsuhUJeIIr..
..
-----END PGP PRIVATE KEY BLOCK-----


While this looks quite similar to RSA (my posts), the Python rsa module won't handle it as is. I didn't dissect it by hand yet. There's something called pgpdump that is recommended on the web.

It builds easily and then I can do:

gpg --export 6CC18DC3 | pgpdump -i
gpg --export-secret-key 6CC18DC3 | pgpdump -i

but I didn't find the output all that useful yet. It shows multiple values for n and e but doesn't show d or p and q.


Try some encryption:

> gpg -e -r 6CC18DC3 m.txt
> hexdump -C m.txt
00000000  68 65 6c 6c 6f 2c 20 77  6f 72 6c 64 21 0a        |hello, world!.|
0000000e
> hexdump -C m.txt.gpg
00000000  85 01 0c 03 a9 47 9a 63  dc 9c 92 b3 01 07 ff 57  |.....G.c.......W|
00000010  86 9b 5d a0 40 d1 f0 ef  5a 6f dc eb 19 a9 eb 8c  |..].@...Zo......|
00000020  ee 66 a7 34 84 e4 47 5b  6c 48 9f 9e 89 13 4c 2a  |.f.4..G[lH....L*|
00000030  71 6a 31 b7 27 23 9d 56  a7 c2 ad fd db 47 57 68  |qj1.'#.V.....GWh|
00000040  da 75 9a 2d 2f f6 46 60  16 84 b6 17 bf e7 b7 5c  |.u.-/.F`.......\|
00000050  36 fd d1 e2 22 ee 93 dc  ad 82 f5 f1 46 99 12 f3  |6...".......F...|
00000060  fe 25 a1 b3 01 8c 37 a0  59 da ac 39 90 a4 1c ba  |.%....7.Y..9....|
00000070  a0 4f 1e b6 da d5 36 55  b1 17 d6 c4 5a 28 de b4  |.O....6U....Z(..|
00000080  47 b2 af 8a c8 9c 58 85  44 f8 08 fe a1 47 c3 8f  |G.....X.D....G..|
00000090  4d b1 78 50 87 dc a7 7f  55 89 f2 6e 7f 75 ae a0  |M.xP....U..n.u..|
000000a0  69 68 46 5a 64 1e b4 6e  c7 ee 84 77 8d a4 ce 14  |ihFZd..n...w....|
000000b0  72 45 13 be d0 33 5c d6  23 6f 2d b2 84 2f d9 55  |rE...3\.#o-../.U|
000000c0  f7 de d2 8f b6 20 5b 71  4e 31 ae b8 d7 1b 09 bf  |..... [qN1......|
000000d0  80 9e e0 1f 47 cb 73 a1  59 42 81 24 1f 2b de 4b  |....G.s.YB.$.+.K|
000000e0  0d 23 fc c6 a2 83 5e c2  b3 e5 9f 1f 32 ae 75 07  |.#....^.....2.u.|
000000f0  79 7f 51 49 02 80 a8 47  c4 5c b6 6f aa ac d4 5c  |y.QI...G.\.o...\|
00000100  e7 c9 b6 1f d2 c1 7e 03  45 34 59 85 d1 63 01 d2  |......~.E4Y..c..|
00000110  4e 01 27 2e e9 09 aa 82  5d 77 56 82 22 4e 2e 67  |N.'.....]wV."N.g|
00000120  1c 4a bc ba c1 43 d6 f0  86 02 5d e7 b3 58 74 79  |.J...C....]..Xty|
00000130  bc 15 69 d4 44 ba f6 76  0c a7 a1 d5 9b 1b e0 8b  |..i.D..v........|
00000140  b6 7b df db b0 5f e6 34  0b 36 14 0b fd c6 62 f3  |.{..._.4.6....b.|
00000150  16 a8 97 ad 92 e7 4e a4  ee ab 59 53 91 c6 52     |......N...YS..R|
0000015f

> gpg -d -o p.txt m.txt.gpg

You need a passphrase to unlock the secret key for
user: "Alice <alice@email.com>"
2048-bit RSA key, ID DC9C92B3, created 2012-04-29 (main key ID 6CC18DC3)

gpg: encrypted with 2048-bit RSA key, ID DC9C92B3, created 2012-04-29
      "Alice <alice@email.com>"

> cat p.txt
hello, world!
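
The hexdump of m.txt.gpg above can be read by hand as two OpenPGP packets. The following is an added example, not code from the original post: it parses old- and new-format packet headers as laid out in RFC 4880, using the header bytes copied from the hexdump with the ciphertext bodies replaced by zero filler (the names `read_header`, `walk` and `SAMPLE` are my own).

```python
# Added example: walk the OpenPGP packets (RFC 4880, section 4.2) in m.txt.gpg.
TAGS = {1: "Public-Key Encrypted Session Key",
        18: "Sym. Encrypted Integrity Protected Data"}

def read_header(buf, pos):
    """Return (tag, body_offset, body_length) for the packet starting at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("bit 7 clear: not an OpenPGP packet")
    if first & 0x40:                                  # new format: tag in low 6 bits
        tag, l0 = first & 0x3F, buf[pos + 1]
        if l0 < 192:                                  # one-octet length
            return tag, pos + 2, l0
        if l0 < 224:                                  # two-octet length
            return tag, pos + 3, ((l0 - 192) << 8) + buf[pos + 2] + 192
        if l0 == 255:                                 # five-octet length
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old format
    if ltype == 3:                                    # indeterminate: runs to EOF
        return tag, pos + 1, len(buf) - pos - 1
    n = 1 << ltype                                    # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def walk(buf):
    """List the packets in buf; decode the cleartext fields of a v3 PKESK packet."""
    out, pos = [], 0
    while pos < len(buf):
        tag, off, length = read_header(buf, pos)
        if off + length > len(buf):
            raise ValueError("truncated packet")
        body = buf[off:off + length]
        info = {"offset": pos, "tag": tag, "name": TAGS.get(tag, "other"),
                "length": length}
        if tag == 1:                                  # version, key ID, algo, MPI
            info["key_id"] = body[1:9].hex().upper()
            info["pubkey_algo"] = body[9]             # 1 = RSA
            info["mpi_bits"] = int.from_bytes(body[10:12], "big")
        out.append(info)
        pos = off + length
    return out

# Header bytes copied from the hexdump above; the RSA-encrypted session key
# (256 bytes) and the symmetric ciphertext (77 bytes) are zero filler.
SAMPLE = (bytes.fromhex("85010c03a9479a63dc9c92b30107ff") + bytes(256)
          + bytes.fromhex("d24e01") + bytes(77))

if __name__ == "__main__":
    for packet in walk(SAMPLE):
        print(packet)
```

The first packet carries the recipient subkey's key ID (ending in DC9C92B3) in the clear, so anyone holding the ciphertext can tell which key it was encrypted to. gpg's `--throw-keyids` option zeroes that field when the metadata matters.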

I found what looks to be an excellent tutorial on the web. I still need to work through it.