Definition of Terms
Exercise 2-2 Use nmap and nessus
3. Export the CRL to a file using the Export dialog.
CNI USE ONLY-1 HARDCOPY PERMITTED
Cryptography: Basics and Practical Application
Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. 4-35 To report suspected copying, please call 1-800-PIRATES.
Exercise 4-2 (optional) Create a Root CA and Certificates with YaST
The purpose of this exercise is to teach you how to manage a CA using YaST.
You will find this exercise in the workbook. (End of Exercise)
Objective 4
GNU Privacy Guard (GPG)
Even if you secure the transmission of the email between server and client, this has no effect on the mail message itself. The communi- cation between mail servers in the Internet is unencrypted, as is the email message while it is waiting on the mail server to be picked up. The only protection from government organizations, nosy
administrators, or criminal hackers is to encrypt the email message itself. This is not an imaginary threat. In the past there were actual instances where mail got into the wrong hands with serious impact on a business, like losing a potential contract because the competitor was then able to make a better offer.
PGP (Pretty Good Privacy) is probably the best-known program to encrypt email. SUSE Linux Enterprise Server 10 comes with the compatible open source alternative GNU Privacy Guard. Kmail has built-in GPG support. Support for GPG can be added to
Thunderbird, the email client created by the Mozilla project, using the Enigmail plug-in.
With these programs, using encryption is easy. Mail encryption should be used much more often than it is currently.
To use GPG, you have to know how to do the following: ■ Create a Key Pair
■ Export and Import Public Keys ■ Encrypt and Decrypt Files ■ Use GPG Within Kmail
Create a Key Pair
GPG uses the cryptographic principles outlined in Objective 1, “Cryptography Basics” on page 4-2. The public key of a
CNI USE ONLY-1 HARDCOPY PERMITTED
Cryptography: Basics and Practical Application
Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. 4-37 To report suspected copying, please call 1-800-PIRATES.
The following shows how to generate an asymmetric key pair:
geeko@da10:~> gpg --gen-key
gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details.
gpg: directory `/home/geeko/.gnupg' created
gpg: new configuration file `/home/geeko/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/geeko/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/geeko/.gnupg/secring.gpg' created gpg: keyring `/home/geeko/.gnupg/pubring.gpg' created Please select what kind of key you want:
(1) DSA and Elgamal (default) (2) DSA (sign only)
(5) RSA (sign only) Your selection?
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid. 0 = key does not expire
<n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0)
Key does not expire at all Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <[email protected]>"
Real name: Geeko
Email address: [email protected] Comment: Chameleon
You selected this USER-ID:
"Geeko (Chameleon) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key.
Like a password, the passphrase should contain upper- and
lower-case characters, and numbers. Special characters can be used, but may be problematic to enter on keyboards with a layout for a different language.
GPG creates the key pair, which can take some time.
The private key is written to ~/.gnupg/secring.gpg, the public key to ~/.gnupg/pubring.gpg.
To send you an encrypted message, the sender needs your public key. And similarly, if you want to send an encrypted message to someone, you need his public key.
gpg: /home/geeko/.gnupg/trustdb.gpg: trustdb created gpg: key 15B847F3 marked as ultimately trusted public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/15B847F3 2006-04-19
Key fingerprint = 3762 FF45 8BF9 3224 49EF 4257 171A 5A58 15B8 47F3
uid Geeko (Chameleon) <[email protected]> sub 2048g/3C480751 2006-04-19
CNI USE ONLY-1 HARDCOPY PERMITTED
Cryptography: Basics and Practical Application
Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. 4-39 To report suspected copying, please call 1-800-PIRATES.
Export and Import Public Keys
To export the public key just created, use the option --export. If you want to publish the key on a web page, use the ASCII format with the option -a.
The key is written to stdout. Redirect the output to a file as needed. To import keys from others, use the option --import:
To view the keys available in your key ring, use --list-keys:
To view the available options, use gpg --help or man gpg.
geeko@da10:~> gpg --export -a geeko ---BEGIN PGP PUBLIC KEY BLOCK--- Version: GnuPG v1.4.2 (GNU/Linux)
mQGiBERF+nIRBAC7hEkguu7nW8CftGr+GfZEA88A/m2KjKFvSop6qug+RuDY6u3d dQ5DokzSo8yzrvw9HpTWBN0577tgwGiKnQwbEeR4ML8bAO6rTnGb6H1uNmf+eJMY ... REX7DAIbDAAKCRAXGlpYFbhH81xTAKCYo9uk2c2FGQkdScu2F51rTwf45wCgmulE TorJ/FjPnRo/7GDBJDjFnqM= =sHTg
---END PGP PUBLIC KEY BLOCK---
geeko@da10:~> gpg --import /tmp/tux.asc
gpg: key EE82B088: public key "Tux P (The Penguin) <[email protected]>" imported
gpg: Total number processed: 1 gpg: imported: 1
geeko@da10:~> gpg --list-keys /home/geeko/.gnupg/pubring.gpg --- pub 1024D/15B847F3 2006-04-19
uid Geeko (Chameleon) <[email protected]> sub 2048g/3C480751 2006-04-19
pub 1024D/EE82B088 2006-04-19
uid Tux P (The Penguin) <[email protected]> sub 2048g/F3971E52 2006-04-19
Encrypt and Decrypt Files
Now that you have public keys, you can encrypt files. The option to use is -e:
You could specify the recipients on the command line using the option -r: gpg -r tux -e message.txt.
The encrypted file in this example is message.txt.gpg. If you use the option -a, it would be an ASCII text file and the extension would be .asc instead of .gpg.
Because you do not have the private key corresponding to the recipients public key, you are not able to decrypt the file you just encrypted. If you want to prevent an attacker from reading the clear
geeko@da10:~> gpg -e message.txt
You did not specify a user ID. (you may use "-r")
Current recipients:
Enter the user ID. End with an empty line: tux
gpg: F3971E52: There is no assurance this key belongs to the named user
pub 2048g/F3971E52 2006-04-19 Tux P (The Penguin) <[email protected]>
Primary key fingerprint: 53CE 1FF9 5568 EA63 BC3E 57F8 A283 907F EE82 B088
Subkey fingerprint: 297D 148D FE9C 961D 7E74 EC1B A480 8828 F397 1E52
It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes.
Use this key anyway? (y/N) y
Current recipients:
2048g/F3971E52 2006-04-19 "Tux P (The Penguin) <[email protected]>"
CNI USE ONLY-1 HARDCOPY PERMITTED
Cryptography: Basics and Practical Application
Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. 4-41 To report suspected copying, please call 1-800-PIRATES.
gpg -r tux -r geeko -e message.txt
Then delete the cleartext file using a utility like shred that overwrites the file before it deletes it. (Note that shred and other such utilities have limitations on journaling file systems; see man shred for details.)
You have to confirm using the key because there is no CA
certifying that this key belongs to the ID tux (in the above example). You have to certify that yourself or rely on other users to do so. Each key has a so-called key fingerprint. You can view the fingerprint using the option --fingerprint username:
To ensure that a certain key belongs to a certain person, you cab view the fingerprint of the key you have in your possession with the command shown above, and then find out from the person if that matches the fingerprint of the key in their possession. Some users print the fingerprint on their business card or publish it on their web site. You could also contact the person personally or by phone to find out. What is acceptable to you as a proof depends on your personal security needs and policies.
da10:~ # gpg --fingerprint geeko pub 1024D/15B847F3 2006-04-19
Key fingerprint = 3762 FF45 8BF9 3224 49EF 4257 171A 5A58 15B8 47F3 uid Geeko (Chameleon) <[email protected]>
Once you are convinced the key belongs to the person named in the user ID, you can sign the key:
Once you have signed the key, it is used for encryption without having to confirm its use.
Using the option --edit, you have several commands at your disposal to administer your key rings. See the gpg man page for details.
geeko@da10:~> gpg --edit tux
gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details.
pub 1024D/EE82B088 created: 2006-04-19 expires: never usage: CS trust: unknown validity: unknown
sub 2048g/F3971E52 created: 2006-04-19 expires: never usage: E [ unknown] (1). Tux P (The Penguin) <[email protected]>
Command> sign
pub 1024D/EE82B088 created: 2006-04-19 expires: never usage: CS trust: unknown validity: unknown
Primary key fingerprint: 53CE 1FF9 5568 EA63 BC3E 57F8 A283 907F EE82 B088
Tux P (The Penguin) <[email protected]>
Are you sure that you want to sign this key with your
key "Geeko (Chameleon) <[email protected]>" (15B847F3)
Really sign? (y/N) y
You need a passphrase to unlock the secret key for user: "Geeko (Chameleon) <[email protected]>" 1024-bit DSA key, ID 15B847F3, created 2006-04-19
gpg: gpg-agent is not available in this session
Command> quit
CNI USE ONLY-1 HARDCOPY PERMITTED
Cryptography: Basics and Practical Application
Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. 4-43 To report suspected copying, please call 1-800-PIRATES.
A network of key servers exists to facilitate the exchange of keys. You can publish your key there, and also retrieve keys from others. http://www.cam.ac.uk.pgp.net/pgpnet/wwwkeys.html lists available servers.
Use GPG Within Kmail
With the commands covered so far, you could encrypt files that you could then send as attachments to emails. For day-to-day emailing this is far too complicated, because hardly anyone would write an email message to a file, encrypt it, and then attach the encrypted file to an otherwise empty email.
Kmail supports encryption of emails and attachments with the click of a mouse, making encryption very easy.
To configure GPG for use within Kmail, select Settings >
Configure Kmail > Modify. In the dialog, select Identities, mark the identity you want to configure, and then select Modify. In the dialog that opens, click on the Cryptography tab and then select Change next to OpenPGP signing key. Choose the key you want to use for this identity.
Figure 4-21
Also choose an OpenPGP encryption key that is used to encrypt messages to yourself so that you are able to read encrypted messages you sent to others.
CNI USE ONLY-1 HARDCOPY PERMITTED
Cryptography: Basics and Practical Application
Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. 4-45 To report suspected copying, please call 1-800-PIRATES.
Once you have done that, all it takes to encrypt and sign messages is to select the respective buttons when you write an email.
Fi g ur e 422-
Once you are finished writing your email and send it, a dialog asks you to confirm the selection of keys:
Fi g ur e 423-
You can change the selected keys as needed. When done, select OK.
When receiving an encrypted mail, you are prompted for the passphrase of your private key:
Figure 4-24
Kmail shows the decrypted email, as well as information on any signature.