Contents of /xml/htdocs/doc/en/gnupg-user.xml

Revision 1.19
Sun Apr 11 10:52:16 2004 UTC (10 years ago) by cam
Branch: MAIN
Changes since 1.18: +2 -2 lines
File MIME type: application/xml
Fixed coding style due to the forthcoming DTD enforcement.
Sorry for all the translators :) (including me, argh)

<?xml version='1.0' encoding="UTF-8"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<!-- $Header: /home/cvsroot/gentoo/xml/htdocs/doc/en/gnupg-user.xml,v 1.18 2004/02/19 15:05:31 swift Exp $ -->

<guide link = "/doc/en/gnupg-user.xml">
<title>GnuPG Gentoo user guide</title>
<author title="Author">
<mail link="gustavo@felisberto.net">Gustavo Felisberto</mail>
</author>
<author title="Editor">
<mail link="zhen@gentoo.org">John P. Davis</mail>
</author>
<author title="Editor">
<mail link="swift@gentoo.org">Sven Vermeulen</mail>
</author>

<abstract>
This small guide will teach you the basics of using GnuPG, a tool for secure
communication.
</abstract>

<license/>

<version>1.0.5</version>
<date>January 18, 2004</date>

<chapter>
<title>Introduction</title>
<section>
<title>What you will get in this guide</title>
<body>

<p>
This guide assumes that you are familiar with public-key cryptography,
encryption, and digital signatures. If this is not the case, jump to <uri
link="#doc_chap6">Public Key Cryptography</uri> or take a look at the
<uri link="http://www.gnupg.org/(en)/documentation/guides.html">GnuPG
handbook</uri>, chapter 2, and then come back.
</p>

<p>
This guide will teach you how to install GnuPG, how to create your key pair, how
to add keys to your keyring, how to submit your public key to a key server and
how to sign, encrypt, verify or decode messages you send or receive. You will
also learn how to encrypt files on your local computer to prevent people from
reading their contents.
</p>

</body>
</section>
<section>
<title>Installation of required software</title>
<body>

<p>
At a very basic level you need to <c>emerge gnupg</c>. Many applications today
have some sort of support for gpg, so having gpg in your USE variable is
probably a good idea. If you wish to have an email client capable of using
gnupg you can use pine (<c>emerge pinepgp</c>), mutt (<c>emerge mutt</c>),
Mozilla/Netscape Mail, evolution (evolution is a GNOME Microsoft Outlook
workalike) and KDE's own KMail (KMail is part of the kdenetwork package).
</p>

<p>
<c>Kgpg</c> might interest you if you use KDE. This small program allows you to
generate key pairs, import keys from ASCII files, sign imported keys, export
keys and a few more features.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Generating your key and adding keys to your public keyring</title>
<section>
<title>Creating your key</title>
<body>

<p>
To create your key, just run <c>gpg --gen-key</c>. The first time you run it,
it will create some directories; run it again to create the keys:
</p>

<pre caption = "key generation process" >
# <i>gpg --gen-key</i>
gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
(5) RSA (sign only)
Your selection? <i>1</i>
</pre>

<p>
Here you can choose the type of key you want to use. Most users will go for the
default DSA and ElGamal. Next is the key size: remember that bigger is better,
but don't use a size larger than 2048 with DSA/ElGamal keys. Generally 1024 is
more than enough for normal email.
</p>

<p>
After size comes the expiration date. Here smaller is better, but most users can
go for a key that never expires or for something like 2 or 3 years.
</p>

<pre caption = "Choosing key size" >
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) <i>2048</i>
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
&lt;n&gt;= key expires in n days
&lt;n&gt;w = key expires in n weeks
&lt;n&gt;m = key expires in n months
&lt;n&gt;y = key expires in n years
Key is valid for? (0) <i>0</i>
Key does not expire at all
</pre>

<p>
Now it is time to enter some personal information about yourself. If you are
going to send your public key to other people you have to use your real email
address here.
</p>

<pre caption = "Entering user information" >
Is this correct (y/n)? <i>y</i>

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) &lt;heinrichh@duesseldorf.de&gt;"

Real name: <i>John Doe</i>
Email address: <i>john@nowhere.someplace.flick</i>
Comment: <i>The Real John Doe</i>
You selected this USER-ID:
"John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? <i>O</i>
You need a Passphrase to protect your secret key.

Enter passphrase:
</pre>

<p>
Now enter your key passphrase twice. It is a good idea to use a strong password.
If someone ever gets hold of your private key and cracks your password, he will
be able to send messages signed by "you", making everyone believe the mails were
sent by you.
</p>

<p>
Then, GnuPG will generate your key. Moving the mouse or having an MP3 playing in
the background will help speed up the process because it generates random data.
</p>

</body>
</section>
<section>
<title>Generating a revocation certificate</title>
<body>

<impo>
This part is very important and you must do it <e>NOW</e>.
</impo>

<p>
After creating your keys you should create a revocation certificate. Doing this
allows you to revoke your key in case something nasty happens to your key
(someone gets hold of your key/passphrase).
</p>

<pre caption = "Generating revoke certificate">
# <i>gpg --list-keys</i>
/home/humpback/.gnupg/pubring.gpg
---------------------------------
pub 1024D/75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;
sub 2048g/96D6CDAD 2002-12-08

# <i>gpg --output revoke.asc --gen-revoke 75447B14</i>

sec 1024D/75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;

Create a revocation certificate for this key? <i>y</i>
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? <i>1</i>
Enter an optional description; end it with an empty line:
&gt; <i>Someone cracked me and got my key and passphrase</i>
&gt;
Reason for revocation: Key has been compromised
Someone cracked me and got my key and passphrase
Is this okay? <i>y</i>

You need a passphrase to unlock the secret key for
user: "John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"
1024-bit DSA key, ID 75447B14, created 2002-12-08

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
</pre>

<p>
The <c>gpg --list-keys</c> command lists keys in your public keyring. You may
use it to see the ID of your key so that you can create the revocation
certificate. Now it is a good idea to copy the whole .gnupg directory and the
revocation certificate (in ASCII armor - <path>revoke.asc</path>) to some
secure medium (two floppies or a CD-R you store in a safe location). Remember
that <path>revoke.asc</path> can be used to revoke your keys and make them
unusable in the future.
</p>

<note>
If you have several email addresses that you would like to use with this
key, you can run <c>gpg --edit-key YOUR_ID</c> and then use the <c>adduid</c>
command. It will ask you for the name, email and comment of the second ID you
will be using.
</note>

</body>
</section>
<section>
<title>Exporting keys</title>
<body>

<p>
To export your key, you type <c>gpg --armor --output john.asc --export
john@nowhere.someplace.flick</c>. You can almost always use the key ID or
something that identifies the key (here we used an email address). John now has
a <path>john.asc</path> that he can send his friends, or place on his web page
so that people can communicate safely with him.
</p>

</body>
</section>
<section>
<title>Importing keys</title>
<body>

<p>
To add a key to your public keyring, you must first import it, then check the
key fingerprint. After you have verified the fingerprint you should validate it.
</p>

<note>
You should be careful when verifying keys. This is one of the weak points of
public key cryptography.
</note>

<p>
Now we will be adding Luis Pinto's (a friend of mine) public key to our public
keyring. After giving him a call and asking him for his key fingerprint, I
compare the fingerprint with the output of the <c>fpr</c> command. As the key is
authentic, I add it to the public keyring. In this particular case, Luis's key
will expire on 2003-12-01, so I am asked if I want my signature on his key to
expire at the same time.
</p>

<pre caption = "Importing and signing keys">
# <i>gpg --import luis.asc</i>
gpg: key 462405BB: public key imported
gpg: Total number processed: 1
gpg: imported: 1
# <i>gpg --list-keys</i>
/home/humpback/.gnupg/pubring.gpg
---------------------------------
pub 1024D/75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;
sub 2048g/96D6CDAD 2002-12-08

pub 1024D/462405BB 2002-12-01 Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;
uid Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
sub 4096g/922175B3 2002-12-01 [expires: 2003-12-01]

# <i>gpg --edit-key lmpinto@dei.uc.pt</i>
gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.


gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
pub 1024D/462405BB created: 2002-12-01 expires: 2003-12-01 trust: -/-
sub 4096g/922175B3 created: 2002-12-01 expires: 2003-12-01
(1) Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
(2). Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;

Command> <i>fpr</i>
pub 1024D/462405BB 2002-12-01 Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
Fingerprint: F056 3697 ADE3 CF98 B80B 8494 0AD3 E57B 4624 05BB

Command> <i>sign</i>
Really sign all user IDs? <i>y</i>

pub 1024D/462405BB created: 2002-12-01 expires: 2003-12-01 trust: -/-
Fingerprint: F056 3697 ADE3 CF98 B80B 8494 0AD3 E57B 4624 05BB

Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;

This key is due to expire on 2003-12-01.
Do you want your signature to expire at the same time? (Y/n) <i>Y</i>
How carefully have you verified the key you are about to sign actually belongs
to the person named above? If you don't know what to answer, enter "0".

(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.

Your selection? <i>3</i>
Are you really sure that you want to sign this key
with your key: "John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"

I have checked this key very carefully.

Really sign? <i>y</i>

You need a passphrase to unlock the secret key for
user: "John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"
1024-bit DSA key, ID 75447B14, created 2002-12-08

Command> <i>check</i>
uid Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
sig!3 462405BB 2002-12-01 [self-signature]
sig!3 75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhe
uid Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;
sig!3 462405BB 2002-12-01 [self-signature]
sig!3 75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhe
</pre>
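
<p>
The fingerprint comparison described above can be scripted. The following Python
code is an added example, not part of the original guide: it compares a
fingerprint obtained out of band with the <c>fpr</c> record of
<c>gpg --with-colons --fingerprint</c> output and refuses anything shorter than
the full fingerprint, because the key ID 462405BB is only the tail of it. The
sample output, the subkey values in it, the look-alike fingerprint and the
function names are constructed for illustration.
</p>

```python
import hmac
import re

# Constructed, abbreviated sample of `gpg --with-colons --fingerprint` output
# for the key imported above. Only the record type (field 1) and the
# fingerprint (field 10 of an fpr record) are used; the subkey's long ID and
# fingerprint are made up.
SAMPLE_COLONS = """\
pub:-:1024:17:0AD3E57B462405BB:2002-12-01:2003-12-01::-:Luis Pinto::scESC:
fpr:::::::::F0563697ADE3CF98B80B84940AD3E57B462405BB:
sub:-:4096:16:AAAAAAAA922175B3:2002-12-01:2003-12-01:::::e:
fpr:::::::::111111111111111111111111AAAAAAAA922175B3:
"""

# Fingerprint as read over the phone (copied from the fpr output above).
SPOKEN = "F056 3697 ADE3 CF98 B80B 8494 0AD3 E57B 4624 05BB"

# Constructed look-alike: a different key whose short ID is also 462405BB.
LOOKALIKE = "0000 0000 0000 0000 0000 0000 0000 0000 4624 05BB"


def normalize(fingerprint):
    """Drop whitespace and upper-case a fingerprint as printed or read out."""
    return re.sub(r"\s+", "", fingerprint).upper()


def primary_fingerprint(colons):
    """Return the fingerprint of the primary key.

    Every pub and sub record is followed by its own fpr record, so only the
    fpr record that directly belongs to the pub record is accepted.
    """
    current = None
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            current = fields[0]
        elif fields[0] == "fpr" and current == "pub":
            return fields[9]
    raise ValueError("no primary key fingerprint in input")


def fingerprint_matches(colons, spoken):
    """True only when all 40 hex digits of the fingerprint agree."""
    spoken = normalize(spoken)
    if not re.fullmatch(r"[0-9A-F]{40}", spoken):
        raise ValueError("need the full 160-bit fingerprint, not a key ID")
    return hmac.compare_digest(spoken, primary_fingerprint(colons))


if __name__ == "__main__":
    print("genuine   :", fingerprint_matches(SAMPLE_COLONS, SPOKEN))
    print("look-alike:", fingerprint_matches(SAMPLE_COLONS, LOOKALIKE))
```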

</body>
</section>
</chapter>

<chapter>
<title>Exchanging keys with keyservers</title>
<section>
<title>Sending keys to keyservers</title>
<body>

<p>
Now that you have your key, it is probably a good idea to send it to the world
key server. There are a lot of keyservers in the world and most of them exchange
keys between them. Here we are going to send Luis's key to the pgp.mit.edu
server. This uses HTTP, so if you need to use a proxy for HTTP traffic don't
forget to set it (<c>export http_proxy=http://proxy_host:port/</c>). The command
for sending the key is: <c>gpg --keyserver pgp.mit.edu --keyserver-options
honor-http-proxy --send-key john@nowhere.someplace.flick</c>. If you don't need
an HTTP proxy you can remove the <e>--keyserver-options honor-http-proxy</e>.
</p>

<p>
You can also send other people's keys that you have signed to the keyserver. We
could send Luis Pinto's key to the keyserver. This way someone who trusts
your key can use the signature that you have placed there to trust Luis' key.
</p>

</body>
</section>
<section>
<title>Getting Keys from keyservers</title>
<body>

<p>
Now we are going to search for Gustavo Felisberto's key and add it to the
keyring of John Doe (just in case you did not notice, Gustavo Felisberto is the
author of this guide :) ).
</p>

<pre caption = "Searching keys from keyservers">
# <i>gpg --keyserver pgp.mit.edu --keyserver-options honor-http-proxy --search-keys humpback@felisberto.net</i>
gpg: searching for "humpback@felisberto.net" from HKP server pgp.mit.edu
Keys 1-5 of 5 for "humpback@felisberto.net"
(1)Gustavo Felisberto (apt-get install anarchy) &lt;humpback@felisberto.net&gt; 1024
created 2002-12-06, key B9F2D52A
(2)Gustavo Felisberto &lt;humpback@altavista.net&gt; 1024
created 1999-08-03, key E97E0B46
(3)Gustavo A.S.R. Felisberto &lt;humpback@altavista.net&gt; 1024
created 1998-12-10, key B59AB043
(4)Gustavo Adolfo Silva Ribeiro Felisberto &lt;humpback@altavista.net&gt; 1024
created 1998-08-26, key 39EB133D
(5)Gustavo Adolfo Silva Ribeiro Felisberto &lt;humpback@altavista.net&gt; 1024
created 1998-06-14, key AE02AF87
Enter number(s), N)ext, or Q)uit &gt;<i>1</i>
gpg: requesting key B9F2D52A from HKP keyserver pgp.mit.edu
gpg: key B9F2D52A: public key imported
gpg: Total number processed: 1
gpg: imported: 1
</pre>

<p>
As you can see from the server response I have a few keys submitted to the key
server, but I currently only use <e>B9F2D52A</e>. Now John Doe can get it and
sign it if he trusts it.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Working with documents</title>
<section>
<title>Encrypting and signing</title>
<body>

<p>
Let's say that you have a file that you wish to send Luis. You can encrypt
it, sign it, or encrypt it and sign it. Encrypting means that only Luis will be
able to open it. The signature tells Luis that it was really you who created the
file.
</p>

<p>
The next three commands will do just that: encrypt, sign and encrypt/sign.
</p>

<pre caption="Encrypting and Signing files">
# <i>gpg --output doc.gpg --encrypt --recipient lmpinto@dei.uc.pt doc_to_encrypt</i>
# <i>gpg --output doc.gpg --sign --recipient lmpinto@dei.uc.pt doc_to_sign</i>
# <i>gpg --output doc.gpg --encrypt --sign --recipient lmpinto@dei.uc.pt doc_to_encrypt_and_sign</i>
</pre>

<p>
This will create binary files. If you wish to create ASCII files, just add a
<c>--clearsign</c> to the beginning of the command.
</p>

</body>
</section>
<section>
<title>Decrypting and verifying signatures</title>
<body>

<p>
Suppose that you have received a file which is encrypted to you. The command
to decrypt it is <c>gpg --output document --decrypt encrypted_doc.gpg</c>. This
will decrypt the document and verify the signature (if there is one).
</p>

</body>
</section>
<section>
<title>Advanced Features</title>
<body>

<p>
There are some nice advanced features in GnuPG. To find them, open the
<path>~/.gnupg/options</path> file.
</p>

<pre caption="~/.gnupg/options">
#keyserver x-hkp://pgp.mit.edu
#keyserver-options auto-key-retrieve include-disabled include-revoked
</pre>

<p>
Search for the above two lines and uncomment them. With this, any time GnuPG
needs to check a signature and does not find the public key on the local
keyring, it will contact the key server at <uri
link="http://pgp.mit.edu">pgp.mit.edu</uri> and will try to fetch it
from there.
</p>

<p>
Another nice command is <c>gpg --refresh-keys</c>. This will contact the
keyserver defined in the options file and refresh public keys in your local key
ring from there, searching for revoked keys, new IDs and new signatures on keys.
You should probably run this once or twice a month so that if someone revokes
his key you will be notified.
</p>

</body>
</section>
</chapter>

<chapter>
<title>GnuPG interfaces</title>
<section>
<title>About email signatures</title>
<body>

<p>
95% of the time you will use GnuPG with email, signing/encrypting your outgoing
messages and reading signed/encrypted messages. So it is only fair that I talk
about that first.
</p>

<p>
There are two ways to sign/encrypt an email with GnuPG, the old way and the new
way :). In the old way messages would appear in plain text, with no possible
formatting, and attached files would be unsigned/unencrypted. Here is an example
of a message signed the old way:
</p>

<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test message

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBP8461jMX0745gR7AEQIEOwCg011GbufXO3ED3FkLWXmfzg7xm1cAoJD0
0EU3Kd2EKNCqataEqM5qjpPs
=LchZ
-----END PGP SIGNATURE-----
</pre>
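
<p>
When checking a message signed the old way by hand, it helps to know exactly
which text the signature covers. The following Python code is an added example,
not part of the original guide: it splits a message in the format shown above
into the hash header, the signed text and whatever lies outside the signed
block. The two unsigned lines in the sample are constructed, the armored data is
replaced by a placeholder, and the function name is an assumption.
</p>

```python
# Sample built from the message above. The first and last lines are
# constructed additions that sit OUTSIDE the signed block; the armored
# signature data is a placeholder because it is not decoded here.
SAMPLE = "\n".join([
    "Subject: hello (constructed line, not signed)",
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA1",
    "",
    "Test message",
    "",
    "-----BEGIN PGP SIGNATURE-----",
    "Version: PGPfreeware 6.5.8 for non-commercial use",
    "",
    "...armored signature data...",
    "-----END PGP SIGNATURE-----",
    "P.S. appended after signing (constructed line, not signed)",
])

BEGIN_TEXT = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(message):
    """Split a cleartext-signed message into its parts.

    Returns a dict with:
      hash        - values of the Hash: headers
      signed_text - the text the signature is computed over
      unsigned    - lines before and after the signed block
    """
    lines = message.splitlines()
    start = lines.index(BEGIN_TEXT)
    sig = lines.index(BEGIN_SIG, start)
    end = lines.index(END_SIG, sig)
    blank = lines.index("", start)      # empty line ends the header lines

    hashes = [
        line.split(":", 1)[1].strip()
        for line in lines[start + 1:blank]
        if line.startswith("Hash:")
    ]

    body = []
    for line in lines[blank + 1:sig]:
        if line.startswith("- "):       # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))  # trailing blanks are not signed

    return {
        "hash": hashes,
        # Lines are joined with CR LF; the line ending just before the
        # signature marker is not part of the signed text.
        "signed_text": "\r\n".join(body),
        "unsigned": lines[:start] + lines[end + 1:],
    }


if __name__ == "__main__":
    parts = split_clearsigned(SAMPLE)
    print("hash       :", parts["hash"])
    print("signed text:", repr(parts["signed_text"]))
    print("NOT signed :", parts["unsigned"])
```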

<p>
Messages this way are no good in today's world, where we have nice GUIs and
email readers that understand HTML.
</p>

<p>
To solve this, an addition to MIME (Multipurpose Internet Mail Extensions)
was created. This adds a field to the email that tells the mail reader that the
full content of the message is signed and/or encrypted. The problem with this
is that not all mail readers support it. Some even mangle the content;
Microsoft's Outlook is famous for not working with this.
</p>

</body>
</section>
<section>
<title>Kgpg</title>
<body>

<p>
Kgpg is a nice GUI for GnuPG. In the main screen you can paste the text that
you wish to sign or encrypt, and you can also paste the ASCII armored text that
you wish to decrypt.
</p>

<figure link="http://www.ibiblio.org/web-gentoo/images/kgpg1.png" short="kgpg main window"/>

<p>
In this image you can see the Kgpg main window with ASCII armored and encrypted
text pasted into it. From here you can decrypt it (you will have to provide your
password), encrypt other files, paste new text to sign, and so on.
</p>

<figure link="http://www.ibiblio.org/web-gentoo/images/kgpg2.png" short="kgpg key manage window"/>

<p>
Now you can see the key managing window. From here we see our good key for John
Doe, the two trusted keys for Gustavo and Luis, and the untrusted key for Daniel
Robbins (I still have not given him a call to check his fingerprint :) ).
</p>

</body>
</section>
<section>
<title>Seahorse</title>
<body>

<p>
Seahorse aims to be a GnuPG GUI interface for the Gnome desktop. The software
has been evolving fast, but it still lacks many important features that can be
found in Kgpg or the command line version.
</p>

</body>
</section>
<section>
<title>Mozilla Enigmail</title>
<body>

<p>
Mozilla versions 1.0 and above come with Enigmail, a plug-in for the
email client that is pretty simple to configure. You just go to Preferences
-&gt; Privacy &amp; Security -&gt; Enigmail. There you enter your key email and
that's it.
</p>

<p>
Mails that come with an untrusted pgp or gpg signature will be marked with a
broken pen. Others that have good signatures will appear with a nice straight
pen. Enigmail even comes with the ability to get keys from keyservers, but if it
has problems it will print some very weird messages (but you still remember how
to use the command line, right?).
</p>

</body>
</section>
<section>
<title>KMail</title>
<body>

<p>
KMail is also pretty easy to set up. I will just post a few pictures on how to
set it up. Basically you have to tell KMail to use GPG and then which key to
sign with.
</p>

<figure link="http://www.gentoo.org/images/kmail_identity.png" caption="kmail identity options OpenGPG key"/>
<figure link="http://www.gentoo.org/images/kmail_security_openpgp.png" caption="kmail security options OpenPGP"/>
<figure link="http://www.gentoo.org/images/kmail_security_plugins.png" caption="kmail security options Crypto Plugins"/>

</body>
</section>
<section>
<title>Sylpheed-Claws</title>
<body>

<p>
This is my email reader of choice. It is <e>very</e> fast with big mailboxes,
has all the nice features one wants in mail readers and works pretty well with
gpg. The only problem is that it does not work with the old PGP signatures, so
when you receive that kind of mail you have to hand check the signatures.
</p>

<p>
To use your gpg key with Sylpheed-Claws just go to the account configuration and
select the privacy tab. Once there, just choose which key to use; most users
will probably go with the default key.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Public Key Cryptography</title>
<section>
<title>Basic Public Key Cryptography</title>
<body>

<p>
The concept of public key cryptography was originally devised by Whitfield
Diffie and Martin Hellman in 1976. When I first heard the words "public key" and
"cryptography" in the same sentence back in '93 I thought to myself that it
would be impossible to do such a thing. In those days there was no Internet
(well there was, but not for me) so I went to the public library and asked for
books on Cryptography. I must say that I was 16 at the time so the clerk there
looked at me in astonishment and brought me a book for children on substitution
cyphers (those where you change a letter for another like the famous Caesar
Cypher or ROT-13 (Tragbb Ebpxf, naq lbh xabj vg vf tbbq orpnhfr lbh ner ernqvat
guvf qbp.), (emerge rotix if you cannot read the preceding text)). I was very
upset with this and started to search for more info. It is good to have
mathematicians in the family, because as soon as I talked to one of them I was
introduced to a new world.
</p>

<p>
And now a bit of mathematics:
</p>

<pre caption="Mathematical Concepts">
Definitions:

1- A prime number is a positive integer number that is only divisible by 1 and
itself (the remainder of the division is 0).
The first 8 prime numbers are 1,2,3,5,7,11,13,17

Theorem (No proof here)
1- For any non-prime positive integer it is possible to break it as the product
of prime numbers, and that product is unique.
4=2*2
6=2*3
8=2*4=2*2*2
10=2*5
12=2*6=2*2*3

"Facts":
1- It is mathematically easy to multiply two large integers
2- It is hard to find the prime factors of a given positive integer.
</pre>

<p>
If I give you the number 35 and I tell you that this number is the product of
two prime numbers it is easy to find that it was 5 and 7. But if I tell you the
same for 1588522601 you will spend a lot of time (or CPU cycles) to find it was
49811*31891. And if this number is really really big this task becomes
"impossible". So now if I give the world my large number that is the product of
two primes I know something about that number that no one else knows.
</p>

<p>
This is the basis for Public Key Cryptography (PKC) implementations today. As an
(unrealistic) example, I give anyone my number and that someone will use it for
cyphering a message to me. Anyone can see the cyphered message, but because I am
the only one who knows a shortcut to read it, anyone else will first have to
"split" that big number to be able to read the message, and it is a "fact"
that it is impossible to do that in a short amount of time (today's methods and
the fastest computers in the world would take thousands of years to do that).
In this setup the two large prime numbers would be called the PRIVATE KEY, and
the large non-prime number is the PUBLIC KEY.
</p>

<p>
In practice this is not 100% accurate with reality, but will give a good idea to
the newcomer. For more information check hack.gr on the <uri
link="http://www.hack.gr/users/dij/crypto/overview/diffie.html">Diffie-Hellman</uri>
protocol. For even more info go to the public library and grab a copy of the
<uri link="http://www.cacr.math.uwaterloo.ca/hac/">"Handbook of Applied
Cryptography"</uri> by Alfred J. Menezes, Paul C. van Oorschot and Scott A.
Vanstone; this book is also available online for free at the above site.
</p>

<p>
One consequence of the above is that if you cypher a message to me, and you
lose the original uncyphered message, you will no longer be able to retrieve it
from the cyphered version.
</p>
731    
732     </body>
733     </section>
734     <section>
735     <title>Signatures</title>
736 bennyc 1.13 <body>
737    
738     <p>
739 swift 1.15 We already saw how someone can send us a cyphered message if they have our
740     public key. But how do we know that the author of the message is really who he
741     claims to be? Or in other words: If I receive an email from you how do I really
742     know it was you and not someone else claiming to be you?
743     </p>
744    
745     <p>
746     Remember me saying that PKC was not as simple as I had said? The idea is that
747     when you cypher a message to me you sign it with your private key so that, when
748     I receive it, I can first use your public key to check your signature and then
749     use my private key to decypher the message. As you can see we could not do
750     that in the setup I described before.
751     </p>
752    
753     <p>
754     Also very important: to sign messages you don't have to cypher them first. That
755     way you can create messages that can be read by anyone, but that come with
756     your "branding". And if any single character is changed in the message it can
757     (and will) be detected.
758 bennyc 1.13 </p>
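<p>
The key and signature ideas above, as an added example that is not part of the original guide: a toy textbook-RSA key pair built from the guide's primes 49811 and 31891. The public exponent 65537, the use of SHA-256 and all function names are assumptions made for illustration; real GnuPG keys are far larger and use padding.
</p>

```python
import hashlib
import math

# Toy key pair from the guide's example number. Far too small for real use.
P, Q = 49811, 31891                  # PRIVATE KEY: the two primes
N = P * Q                            # PUBLIC KEY: 1588522601
E = 65537                            # public exponent (assumed, not from the guide)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent; computing it needs P and Q


def factor(n):
    """Trial division: the work an outsider who only knows N has to do."""
    if n % 2 == 0:
        return 2, n // 2
    for f in range(3, math.isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    raise ValueError("n is prime")


def encrypt(m):
    """Anyone can cypher a number m (0 to N-1) with the public values N and E."""
    return pow(m, E, N)


def decrypt(c):
    """Only the holder of D, derived from the primes, can decypher."""
    return pow(c, D, N)


def digest(message):
    """Hash the message and reduce it into the range of the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message):
    """Signing applies the PRIVATE exponent to the message digest."""
    return pow(digest(message), D, N)


def verify(message, signature):
    """Checking a signature needs only the PUBLIC values N and E."""
    return pow(signature, E, N) == digest(message)
```

With a modulus this small, `factor(N)` recovers both primes almost instantly, which is why real keys use numbers hundreds of digits long.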
759    
760     </body>
761     </section>
762     <section>
763 swift 1.15 <title>Key Servers and Signed Keys</title>
764 bennyc 1.13 <body>
765    
766     <p>
767 swift 1.15 But let's say that I have no previous contact with you until you send me a
768     message, how do I get your public key, and how do I really know it is yours?
769     </p>
770    
771     <p>
772     To solve this problem public Key Servers were created. When you create your key
773     pair (Public and Private key) you send your public key to the key server. After
774     this everyone can retrieve your key from there. This solves the problem of
775     finding the key. But how do I really know that that key is the author's key? For
776     this another concept must be introduced, and that is key signing:
777     </p>
778    
779     <p>
780     Key signing means that, if I have the public key of another person, and I know
781     <e>for sure</e> that it is really that person's key (it is my personal friend,
782     someone I know in real life, etc.), I can sign that public key and send it to
783     keyservers. That way I am telling the world: "This key really belongs to the
784     person it claims to belong to." People who have my public key and
785     trust me can then use that trust to trust other keys.
786     </p>
787    
788     <p>
789     This can sometimes be confusing, so let's see a real world situation.
790     </p>
791    
792     <p>
793     Let's imagine a 3 person situation: John, Mary, and Lisa. John is a good
794     friend of Mary but does not know Lisa; Lisa is a good friend of Mary but
795     does not know John. One day Lisa sends John a signed email. John will fetch
796     Lisa's Public Key from the keyserver and test the message. If all went OK he
797     will see that whoever wrote that message also created that key. But how does he
798     know it was really the person it claims to be?
799     </p>
800    
801     <p>
802     He then sees that Lisa's key is signed by Mary, which he can check because he
803     already has Mary's key and he trusts that key. With this ring of trust he can
804     conclude that the email he received was really written by Lisa.
805 bennyc 1.13 </p>
806 zhen 1.1
807 bennyc 1.13 <p>
808 swift 1.15 You are now ready to use this guide; you can go back to chapter 1 and learn how
809     to use gpg.
810 bennyc 1.13 </p>
811    
812     </body>
813     </section>
814 swift 1.15 </chapter>
815    
816     <chapter>
817     <title>Final thoughts and Credits</title>
818 bennyc 1.13 <section>
819 swift 1.15 <title>Some problems</title>
820 bennyc 1.13 <body>
821    
822     <p>
823 swift 1.15 I had some problems with photos in keys. Check the version you are using. If
824     you have GnuPG 1.2.1-r1 and up you are probably OK, older versions may have
825     problems. Also most keyservers don't like keys with photos, so you are better
826     off if you don't add photos.
827 bennyc 1.13 </p>
828    
829 swift 1.15 <p>
830     The latest versions of gnupg don't seem to work with the <c>gpg
831     --send-keys</c> that was used to send all keys in your keyring to the public
832     server.
833     </p>
834 bennyc 1.13
835 swift 1.15 </body>
836     </section>
837     <section>
838     <title>What is not here</title>
839     <body>
840    
841     <p>
842     <c>gpg</c> is a very complex tool; it lets you do much more than what I have
843     covered here. This document is for the user who is new to GnuPG. For more
844     information, you should check the <uri link="http://www.gnupg.org">GnuPG
845     Website</uri>.
846     </p>
847    
848     <p>
849     I did not write about other tools like <c>pgp4pine</c>, <c>gpgpine</c>,
850     <c>evolution</c> and maybe Windows tools, but I will probably extend this
851     document in the future.
852     </p>
853 bennyc 1.13
854     </body>
855     </section>
856     <section>
857 swift 1.15 <title>Credits</title>
858 bennyc 1.13 <body>
859    
860     <p>
861 swift 1.15 John Michael Ashley's <uri link="http://www.gnupg.org">GnuPG Handbook</uri>,
862     which is a very good book for beginners.
863     </p>
864    
865     <p>
866     Swift (Sven Vermeulen) for pushing me to re-write this.
867     </p>
868    
869     <p>
870     Everyone in the #gentoo-doc team: you guys rock.
871     </p>
872    
873     <p>
874     Tiago Serra for getting me back to the privacy track.
875 bennyc 1.13 </p>
876    
877     </body>
878     </section>
879 zhen 1.1 </chapter>
880     </guide>
