November 1, 2013: notes about email encryption and electronic signature
I have read for the first time on the topic, and generated my own key you can find on the “ABOUT AND CONTACT” page. So I am not an expert at all, there may be some misunderstandings in my explanations below. Don’t forget that this blog contain “notes” I take on various topics, that may be very interesting but not in a perfectly polished state.
Principle
The explanation is better at French Wikipedia than on the English one:
A key is a way to transform data. Starting from data understandable by anyone, we may apply an encrypting key, making it incomprehensible for everybody, except people being able to revert it to its original form with a decrypting key. Two techniques are available for encryption: symmetric and asymmetric.
In the symmetric encryption technique:
- the same key is used for encrypting and decrypting. So, to exchange information between themselves, two people have to exchange the key, in particular the decrypting key.
- and as they have to exchange the decrypting key, it is easier for someone to get a copy of it. This is annoying because they cannot send “in clear” the key on an unsecured channel: they have to meet each other without using an electronic network as in ancient times, or use a secured channel. If there is a great distance between them, a secured channel has to be found.
- Another problem is the number of keys needed (as explained in GnuPG manual here). If there are n people who need to communicate, then n(n-1)/2 keys are needed for each pair of people to communicate privately. This may be ok for a small number of people but quickly becomes unwieldly for large groups of people.
In the asymmetric technique:
- there is both an encrypting and a decrypting key.
- only the encrypting key has to be exchanged. The sender uses the encrypting key of the recipient to send a message. The encryption is done by a mathematical function very difficult to invert, except if a secret information is known: the private key.
The digital signature uses the same ideas, but things are more complicated. English Wikipedia is too complex. It is clearer in French here. Two sets of encrypting/decrypting keys are needed, in addition to a hashing function. One of the two sets is public (even the private key), so the vocabulary “private key” is not used, instead we keep the vocabulary “encrypting/decrypting function” noted
and
.
- the sender makes a checksum of the document to send with a hashing function , and uses a private key to make a signature: . He sends along with on a non-secured channel;
- the receiver uses the corresponding public key to decipher the signature: , that he compares with . If the signature is authentic, the same result must be obtained, due to properties of asymmetric encrypting: (I DON’T KNOW EXACTLY WHY WE HAVE THIS EQUALITY - more reading on these mathematical techniques has to be done).
The use of
to generate the signature is necessary to ensure that if the document is subsequently modified in any way, a verification of the signature will fail.
At this stage, I imagine that:
- is a well-known tool as md5sum or sha*sum. I am not sure of that, and I have not found the information in my introductory reading on the topic. This is not very important at this stage;
- the same key set can be used both for signing a mail and decrypting mails people are encrypting with . This is more or less confirmed by the fact that the same “key” generated with GnuPG can be used both for encryption and electronic signature. However, the term “key” has probably to be understood in a different manner in GnuPG: as , , , and can be made public, if I understand correctly how GnuPG works (see next section), in practice they are all bundled in what is called a “public key”, this public key having not the same meaning as in the explanation above. Furthermore, a private key and the corresponding public key are often seen as an entity called itself a “key”, for example in email software as KMail. And finally, the private key is protected by a password. Thus a “key” in GnuPG is much more than in the basic discussion above.
Application: GnuPG
One way to make signatures is to use GNU Privacy Guard.
GnuPG is the GNU project’s complete and free implementation of the OpenPGP standard as defined by RFC4880. GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME.
The corresponding ubuntu packages are named ‘gnupg‘ and ‘gnupg2‘:
$ wajig describe --verbose gnupg
gnupg: GNU privacy guard - a free PGP replacement
GnuPG is GNU’s tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 4880.
GnuPG 1.4 is the standalone, non-modularized series. In contrast to the version 2 series, shipped with the gnupg2 package, it comes with no support for S/MIME and some other tools useful for desktop environments, but also with less dependencies.
The gnupg package is built without libcurl. So it does not support HKPS keyservers. Install the gnupg-curl package if you want to use the keyserver helper tools built with libcurl and supporting HKPS.
$ wajig list-files gnupg | grep "/usr/bin/"
/usr/bin/gpgsplit
/usr/bin/gpg
/usr/bin/lspgpot
/usr/bin/gpg-zip
$ wajig describe --verbose gnupg-curl
gnupg-curl: GNU privacy guard - a free PGP replacement (cURL)
GnuPG is GNU’s tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 4880.
This package contains the keyserver helper tools built with libcurl, which replace the ones in the gnupg package built with the "curl shim" variant of gnupg. This package provides support for HKPS keyservers.
$ wajig list-files gnupg-curl
/.
/usr
/usr/lib
/usr/lib/gnupg
/usr/lib/gnupg/gpgkeys_curl
package diverts others to: /usr/lib/gnupg/gpgkeys_curl.non_curl
/usr/lib/gnupg/gpgkeys_hkp
package diverts others to: /usr/lib/gnupg/gpgkeys_hkp.non_curl
/usr/share
/usr/share/doc
/usr/share/doc/gnupg-curl
/usr/share/doc/gnupg-curl/copyright
/usr/share/doc/gnupg-curl/changelog.Debian.gz
$ wajig describe --verbose gnupg2
gnupg2: GNU privacy guard - a free PGP replacement (new v2.x)
GnuPG is GNU’s tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC4880.
GnuPG 2.x is the new modularized version of GnuPG supporting OpenPGP and S/MIME.
$ wajig list-files gnupg2 | grep "/usr/bin/"
/usr/bin/kbxutil
/usr/bin/watchgnupg
/usr/bin/gpg2
/usr/bin/gpgparsemail
/usr/bin/gpgconf
The manual pages of gnupg and gnupg2 are identical concerning OpenPGP and S/MIME, so the sentence above has to be understood as “the only difference between gpg2 and gpg is the fact that gpg is statically compiled”. This is confirmed by the answer here, and by the manual page of gnupg that writes:
This is the standalone version of gpg. For desktop use you should consider using gpg2 from the GnuPG-2 package ([On some platforms gpg2 is installed under the name gpg]).
whereas the one of gnupg2 says:
In contrast to the standalone command gpg from GnuPG 1.x, which is might be better suited for server and embedded platforms, the 2.x version is commonly installed under the name gpg2 and targeted to the desktop as it requires several other modules to be installed.
So in most cases we can use gpg without loss of features or security. The full documentation is available here. The GnuPG source distribution, for example, is signed so that users can verify that the source code has not been modified since it was packaged.
I follow the instructions here. I generate a key with:
$ gpg --gen-key [...] public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 2048R/1[...]D 2013-11-01 Key fingerprint = 049C 6628 A1F2 13ED C50F CA80 B482 1CFF 1ACA 8D8D uid Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr> sub 2048R/66C197C8 2013-11-01
The key is put in the file ~/.gnupg/pubring.gpg:
$ gpg --list-keys
/home/jscordia/.gnupg/pubring.gpg
---------------------------------
pub 2[...]D 2013-11-01
uid Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>
sub 2[...]8 2013-11-01
To “export the key”, i.e. make a file containing the public key, type:
$ gpg --output JulienScordia25nov1977.gpg --armor --export free
The option “–armor” is to produce ASCII output instead of arbitrary binary output, to ease publishing e.g. on web pages. The generated text is precisely what is joined to an email when we choose “Attach My Public Key” in KMail (read further on).
It may be necessary to ensure a public key is correct (I imagine because if the public key has been modified we may believe all messages sent by someone are corrupted because the signature will appear as incorrect; and also the owner of the private key will not be able to decipher messages sent to him). GnuPG has a system of “fingerprint”, when importing a public key:
$ gpg --fingerprint free
pub 2[...]D 2013-11-01
Key fingerprint = 04[...]8D
uid Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>
sub 2[...]8 2013-11-01
The fingerprint is verified with the key’s owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key’s true owner. If the fingerprint you get is the same as the fingerprint the key’s owner gets, then you can be sure that you have a correct copy of the key. To ensure the copy of the public key has not been modified since the fingerprint comparison, it is possible to sign the public key with your own signature (so we apply the signing process at several stages; the principle is very powerful). To do that, the key has to be edited:
$ gpg --edit-key free
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2[...]D created: 2013-11-01 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2[...]8 created: 2013-11-01 expires: never usage: E
[ultimate] (1). Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>
gpg> fpr
pub 2048R/1[...]D 2013-11-01 Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>
Primary key fingerprint: 04[...]8D
gpg> sign
"Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>" was already signed by key 1[...]D
Nothing to sign with key 1[...]D
Here, signing does not work (“Nothing to sign”) because I work with my own public key that has already been signed with my private key automatically by GnuPG at generation time, in a some kind of recursive process if I understand correctly. All signatures made to a key can be seen with “check”:
gpg> check uid Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr> sig!3 1[...]D 2013-11-01 [self-signature]
When encrypting or signing documents, gpg compresses them for additional security (and size gain!). When encrypting, as already said it is necessary to use the public key of the recipient. But several recipients may be specified. The –recipient option is used once for each recipient and takes an extra argument specifying the public key with which the document should be encrypted. The encrypted document can only be decrypted by someone with a private key that complements one of the recipients’ public keys: this is useful to make a document to be used by any person of a group. In particular, you cannot decrypt a document encrypted by you unless you included your own public key in the recipient list. Note that when decrypting, the password entered when creating the public/private key set is asked; this is an additional security compared to the Wikipedia explanation above (used if someone has taken access to your computer).
$ gpg --output sycomore.py.gpg --encrypt --recipient free sycomore.py $ gpg --output sycomore2.py --decrypt sycomore.py.gpg $ diff sycomore2.py sycomore.py $
Of course at least a recipient has to be indicated when encrypting.
To sign a document, use:
$ gpg --output sycomore.py.sig --sign sycomore.py You need a passphrase to unlock the secret key for user: "Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>" 2048-bit RSA key, ID 1[...]D, created 2013-11-01
And to check the signature and extract the document:
$ gpg --output sycomore3.py --decrypt sycomore.py.sig gpg: Signature made Sat 02 Nov 2013 09:57:23 AM CET using RSA key ID 1[...]D gpg: Good signature from "Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>"
The output of the signing command is in binary format (and compressed). A common use of digital signatures is to sign usenet postings or email messages. In such situations it is undesirable to compress the document while signing it. The option –clearsign causes the document to be wrapped in an ASCII-armored signature but otherwise does not modify the document.
To sign and encrypt a document at the same time, both “–encrypt” and “–sign” options have to be used (here). It is of course not possible to use –clearsign and –encrypt at the same time.
$ gpg --output sycomore.py.sig.gpg --encrypt --sign sycomore.py You need a passphrase to unlock the secret key for user: "Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>" 2048-bit RSA key, ID 1[...]D, created 2013-11-01 You did not specify a user ID. (you may use "-r") Current recipients: Enter the user ID. End with an empty line: free Current recipients: 2[...]8 2013-11-01 "Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>" Enter the user ID. End with an empty line: $
And to decrypt it, while checking the signature:
$ gpg --output sycomore4.py --decrypt sycomore.py.sig.gpg
You need a passphrase to unlock the secret key for
user: "Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>"
2048-bit RSA key, ID 6[...]8, created 2013-11-01 (main key ID 1[...]D)
gpg: encrypted with 2048-bit RSA key, ID 66C197C8, created 2013-11-01
"Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>"
gpg: Signature made Sat 02 Nov 2013 10:28:06 AM CET using RSA key ID 1[...]D
gpg: Good signature from "Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>"
$ diff sycomore4.py sycomore.py
$
To remove a key, the best way to identify it is to use its fingerprint. First write the fingerprints of all public keys:
$ gpg --fingerprint
/home/jscordia/.gnupg/pubring.gpg
---------------------------------
pub 2048R/1[...]D 2013-11-01
Key fingerprint = 0[...]D
uid Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>
sub 2048R/66C197C8 2013-11-01
pub 2048R/4AA9A670 2013-11-02
Key fingerprint = 8[...]0
uid Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>
sub 2048R/52033610 2013-11-02
and then delete one of the keys:
$ gpg --delete-secret-key "0[...]D" gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. sec 2[...]D 2013-11-01 Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr> Delete this key from the keyring? (y/N) y This is a secret key! - really delete? (y/N) y $ gpg --delete-key "0[...]D" gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub 2[...]D 2013-11-01 Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr> Delete this key from the keyring? (y/N) y $ gpg --list-keys gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u /home/jscordia/.gnupg/pubring.gpg --------------------------------- pub 2[...]0 2013-11-02 uid Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr> sub 2[...]0 2013-11-02
Everyday use, in particular when using KMail (the mail component of Kontact)
Is it possible for someone that has not the correct public key to check that a signature is correct? Of course not, he has to have the key beforehand. We could imagine that the public key is sent with the message. This is indeed possible to do that in software as KMail or mozilla mail (here). In KMail, in the email composer window, check “Sign” and then choose “Attach -> Attach My Public Key”. To find the key, a Public/Private key pair has to be associated to the current identity in KMail preferences, for encryption and for signing: “OpenPGP signing key”, “OpenPGP encryption key” in “Configure -> Identities -> Modify -> Cryptography” (note that in KMail a key represents both a Public key and Private key, as already said above).
As we often work on at least two computers (home and work), at first sight it may be interesting to have the same key on both computers. How to transfer a key to a second computer? The best is to copy the ~/.gnupg folder on another machine, through a secured channel (here and here). But don’t forget your employer may look at your computer, or simply save its content for backup purpose (even if your private key is ultimately protected by a password). So the best is to generate another key on the work computer, with of course a password for the private key different than the one on your home computer.
Note that importing the public key is not enough: for KMail to display a green banner "Signed by ..." and not a yellow banner "The validity of the signature cannot be verified.", it is necessary to sign the key to make it clear this key is trusted (see what I have written about fingerprints above: we check at some stage that the fingerprint is correct, and we sign the key to be sure that it is not changed afterwards). It can be done by using the command line as shown above, but the simplest is probably to use a software as KGpg (package “kgpg” in Ubuntu), that makes things more intuitive.
Some various notes:
-
Suppose for example that you chose a secure passphrase but maybe after a few years with the same key something happens and someone learns your passphrase. It is then very useful to be able to change the private key password, instead of having to create a whole new key pair:\begin_inset Separator latexpar\end_inset
$ gpg --edit-key free gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. pub 2[...]0 created: 2013-11-02 expires: never usage: SC trust: ultimate validity: ultimate sub 2[...]0 created: 2013-11-02 expires: never usage: E [ultimate] (1). Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr> gpg> passwd Key is protected. You need a passphrase to unlock the secret key for user: "Julien SCORDIA (born on november 11, 1977 at Nancy, France) <julien.scordia@free.fr>" 2048-bit RSA key, ID 4AA9A670, created 2013-11-02 Enter the new passphrase for this secret key. gpg> Save changes? (y/N) y - some keys can be used for encryption, others for signature, and others for both. The default option in GnuPG 1.4.12 is RSA/RSA: one key for signature, one key for encryption, even if it is finally presented to the user as a unique “key”.
- Only one user ID is created when a key is created, but it is possible to create additional user IDs if you want to use the key in two or more contexts, e.g., as an employee at work and a political activist on the side. A user ID should be created carefully since it cannot be edited after it is created.
$ gpg --import JulienScordiaLMS_PublicKeyInTextForm.gpg gpg: key 2A3A730B: public key "Julien SCORDIA (LMS Lyon) <julien.scordia@lmsintl.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) $ gpg --edit-key lms gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub 2048R/2A3A730B created: 2013-11-04 expires: never usage: SC trust: unknown validity: unknown sub 2048R/402D829F created: 2013-11-04 expires: never usage: E [ unknown] (1). Julien SCORDIA (LMS Lyon) <julien.scordia@lmsintl.com> gpg> sign
Some problems encountered in KMail
I have successfully used KMail to deal with my public/private key on my home machine, but I had problems on my work computer. First, I was unable to sign a message: when trying to send a signed message, I obtained a popup “Bad passphrase” without the possibility to enter any password, as reported here. The problem came from the fact I had not the following line in ~/.gnupg/gpg.conf:
use-agent
But, contrary to what is explained in the previous address, there is no need to have a file ~/.gnupg/gpg-agent.conf containing the line
pinentry-program /path/to/program
where ‘/path/to/program‘ is the path to a password entry program, as for instance:
- /usr/bin/pinentry-qt4 available in package ‘pinentry-qt4‘;
- /usr/bin/pinentry-gtk-2 available in package ‘pinentry-gtk2‘.
It seems that KMail is able to find a suitable program itself. Of course, a relevant package must be installed (personally, I use ‘pinentry-qt4‘).
A second problem I have fallen into is the impossibility to send encrypted emails readable in KMail. The email seems to be correctly sent, but when I receive it in KMail, I have something as shown below\begin_inset Separator latexpar\end_inset
So I have two files: “ATT00001” and “msg.asc”. This is probably not a KMail bug, as explained here, but rather due to the “Microsoft Exchange” server that modifies the headers of my mail before making it available to a POP client as KMail. When I try to send a message to someone not in the firm network (as on my free.fr personal address), everything works fine, so the problem is more with the “POP part” of the Exchange server than with its “SMTP part”. I have not found any workaround, and was compelled to decrypt my message (contained in “msg.asc”) with a separate tool, for instance on command line:
$ gpg --decrypt msg.asc [...]
