38. Encryption (GPG & OpenSSL)
1. Why use it?
o Prevent password and data sniffing.
o Maintain integrity of data.
o Prevents authentication manipulation.
o OpenSSL – Provides crypto-graphic libraries used by other programs which communicate via the network.
o gnupg – Used to insure integrity and encrypt files (e.g. data, e-mail, etc.)
o OpenSSH – A secure replacement for ftp, telnet, rsh, rlogin, etc. Covered elsewhere.
o stunnel – Provides network encryption services for those applications which don’t already have it. Covered elsewhere.
38.2 Encryption Types and Requirements
1. Random Numbers
o In order for encryption to be effective, it needs a good source of entropy to create random numbers.
o Entropy is usually created based on several things. For example: keyboard events, mouse events, and block device interrupts.
o The Linux Kernel provides 2 sources of entropy:
1. /dev/random – Best source of entropy. If the entropy pool runs out, it blocks until more entropy is gathered.
2. /dev/urandom – Uses entropy pool until it’s exhausted, and then falls back to pseudorandom generation.
2. One-Way Hashes
o One-Way hashes take input of any length and created a fixed length output string known as a fingerprint.
o If any part of the input data changes, it will create a different fingerprint.
o “One-way” means you can’t recreate the original data from the fingerprint.
o Examples include: md5, rmd160, sha, sha1, haval, and crc-32.
3. Symmetric Encryption
o The same key is used to both encrypt and decrypt the data.
o Examples of symmetric algorithms: DES, 3DES, Blowfish, RC2, RC4, RC5, and AES.
o Utilities that use symmetric encryption: passwd (traditional unix), gpg, and openssl.
o Minimum recommended key size: 128 bits.
4. Asymmetric Encryption
o a.k.a. Public Key Encryption
o One key is used to encrypt and another key is used to decrypt.
o Standard Operation
1. Recipient generates a private/public key pair: S & P.
2. The Recipient then publishes public key P and keeps private key S a secret.
3. Sender uses Recipient’s public key P to encrypt a message for the Recipient.
4. Recipient uses private key S to decrypt the message from the sender.
o Digital Signatures
1. Provide a way to verify authenticity.
2. Sender encrypts message with private key S.
3. Recipient then decrypts message with Sender’s public key P. As long as the sender’s private key S hasn’t been compromised, this guarantee’s that it’s from the Sender.
4. Detached Signatures
* Similar to above operation, only Sender creates a one-way hash of the message and encrypts the one-way hash instead. The encrypted one-way hash is known as the “detached signature”.
* The Recipient then uses the Sender’s public key P to decrypt the detached signature.
* The Recipient then performs their own one-way hash on the message and compares it to the one-way hash sent by the Sender. If the two match, it guarantees the document hasn’t been tampered with.
o Combining Standard Operation with Digital Signatures
1. This can be used so that only the Recipient can decrypt a message, while at the same time verifying that it was sent by the Sender.
* Sender encrypts the message with the Sender’s private key S.
* Sender then encrypts the message with the Recipients public key P.
* The Recipient will then decrypt the message with the Recipient’s private key S.
* The Recipient then decrypts the message with the Sender’s public key P.
5. Digital Certificates
o Commonly used by on-line merchants(as well as others) to verify their identity to someone else, typically a customer.
o Issued by a certificate authority (CA).
o Standard Certificate Format is X.509, and consists of the following information:
2. Province or State
3. Organization Name
4. Common Name
o Certificate Creation Process
1. The merchant generates a private/public key pair.
2. The merchant must then prove their identity to a CA and provide their public key to the CA.
3. The CA then creates a one-way hash of the following information:
* The CA’s identity.
* The merchant’s identity.
* The merchant’s public key.
* Period of validity.
4. The one-way has is then encrypted with the CA’s private key creating a detached digital signature.
5. The digital certificate is made up of the combined information above and the detached digital signature.
6. The CA then issues this to the merchant.
38.3 Using GPG
1. Key Generation
2. gpg # Initialize GPG for this user (e.g. create ~/.gnupg). Only have to run once.
3. gpg –gen-key # Start key generation process. Follow prompts.
4. Viewing Keys
5. gpg –list-keys # View public keys
6. gpg –list-secret-keys # View private keys
7. Exporting Public Keys
8. gpg –export
9. gpg –export –armor
10. Importing Public Keys
11. gpg –import /path/to/public/key/file
12. Encrypting a Message
13. gpg –encrypt –armor –recipient
14. # an ASCII format
15. Decrypting a Message
16. gpg encrypted_message_file
You will be prompted for the filename to use for the output of the decryption process.
17. Encrypting with a Symmetric Key
18. gpg –symmetric –armor message_file
19. Signing and Encrypting a Message
20. gpg –sign –encrypt –armor –recipient
21. Creating a Detached Signature
22. gpg –detach-sign –armor message_file # Sender
23. gpg –verify message_file.asc message_file # Recipient
24. Signing Another’s Public Key
Alice is going to sign Bob’s key.
# First, Alice must do:
gpg –sign-key bob
gpg –export –armor bob > bob.key
# Then, Bob must do:
gpg –import bob.key
38.4 Using OpenSSL
1. Generating a Certificate & Key in the PEM Format
o Long Way
o openssl req -new -newkey rsa:1024 -nodes -x509 -keyout ~/key -out ~/cert
o echo >> ~/key
o cat ~/cert >> ~/key
o echo >> ~/key
o mv ~/key /usr/share/ssl/certs/give_me_a_name.pem
o rm ~/cert
o Short Way
o cd /usr/share/ssl/certs
o make give_me_a_name.pem