LuiCat's Blog

Greetings.

DD2395 Lab G Notes Nov 16, 2017

Testing Environment

Bash on Ubuntu on Windows (Windows 10, Ubuntu Bash)

Basic Commands

If Unsure…

Use the command below to see all parameters for gpg:

gpg --help

Generate Key Pairs

Use command:

gpg --gen-key 

Detailed instructions will be given in the terminal, including the type of encryption method, expiry period, email address, etc. Random keyboard input will be required to guarantee randomness in the generation process.

After the key pair is generated, a private key and the corresponding public key have been added to the keyring. The public key, as its name suggests, can be sent to others and used to encrypt a message that we (though not necessarily only we) can decrypt and read. The private key is mostly used for decrypting messages encrypted with the corresponding public key, and for signing messages, so that everyone who has our public key can check whether a message signed by us is unchanged.

The reason for using a pair of keys is that, mathematically, a message encrypted with the public key can only be decrypted in reasonable time with the corresponding private key. By publishing the public key, everyone can encrypt a message using the key, but only whoever has the private key can decrypt it, thus confidentiality is guaranteed.

A fingerprint is useful for checking that the public key sent to someone is original and unchanged, simply by telling the receiver our fingerprint (in a safe way). Using the same fingerprinting/hashing algorithm, the fingerprint for the same public key should be exactly the same. Use the command below to see the generated key and its fingerprint.

gpg --fingerprint 

Export Public Keys

Before exporting public keys, we should check that there are no keys in our keyring that we do not want to export, as the command below exports all the public keys in our keyring. Alternatively, we can export all keys in our keyring and import them again after the required key is exported.

Check the keys we have using command:

gpg --list-keys

If there are any keys we do not want to export, use the command below to remove them, where key-id is the email address shown in the last step:

gpg --delete-key key-id

Use the command below to export the public key to standard output:

gpg --export

It is usually convenient to export the public key in ASCII armor format, and redirect the exported content to the file pub-key-filename. We can use the command below alternatively:

gpg --armor --export > pub-key-filename

Import and Sign Public Keys

To import public key:

gpg --import pub-key-filename

After the public key is imported, it is important to check the fingerprint. To see the fingerprints of all keys (including the one generated by ourselves):

gpg --fingerprint 

After comparing it with the original fingerprint, we can sign this key using the command below, where key-id is the email address shown in the last step:

gpg --sign-key key-id
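
The fingerprint comparison can be scripted so that spacing and letter case do not matter and a short key ID is never accepted in place of the full fingerprint. This is an added example, not part of the original notes; it reads the colon-separated listing that gpg --with-colons --fingerprint prints, and the sample listing is constructed around the gpg-both fingerprint quoted later on this page.

```shell
#!/bin/sh
# Added example: compare a fingerprint received out of band with the one
# gpg reports for an imported key, before running --sign-key.

# Normalise a fingerprint as people write it: drop spaces/colons, upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# key_has_fpr EXPECTED   (stdin: output of gpg --with-colons --fingerprint KEY)
# Returns 0 on an exact match of the primary key fingerprint, 1 on mismatch,
# 2 if EXPECTED is not a full 40-hex-digit fingerprint (e.g. a short key ID).
key_has_fpr() {
    want=$(norm_fpr "$1")
    case $want in *[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    awk -F: -v want="$want" '
        $1 == "fpr" { found = ($10 == want); exit }   # first fpr = primary key
        END { exit !found }'
}

# Constructed listing for the gpg-both key; only the fingerprint and the short
# key IDs come from the page, other fields are made up.
sample_listing() { cat <<'EOF'
pub:-:2048:1:4A3769F6E0438FE3:1347321600:::-:gpg-both <gpg-both@dasak.csc.kth.se>::scESC:
fpr:::::::::9314F2F368348CD40045F8ED4A3769F6E0438FE3:
sub:-:2048:1:AAAAAAAA3810D17A:1347321600::::::e:
EOF
}

told="9314 F2F3 6834 8CD4 0045  F8ED 4A37 69F6 E043 8FE3"   # as read out to us
if sample_listing | key_has_fpr "$told"; then
    echo "fingerprint matches: safe to sign"
else
    echo "MISMATCH: do not sign this key"
fi
```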

Add Identity to Our Key

Use the command below to enter the GPG command line and edit our key:

gpg --edit-key key-id

Then type adduid and hit enter to add an identity to the key. As in the part Generate Key Pairs, detailed instructions will be given.

Sign Messages and Verify the Signature

To clear-sign a message, use command:

gpg --clearsign message-file

Then the password of our private key will be required. After the password is entered and the message file is signed, a file named “message-file.asc” will be created, containing the signed message and its signature.

Use the command below to verify whether there is a valid signature:

gpg --verify signed-message-file

After using this command, the signature of the message and its validity should be shown on screen.

Encrypt Messages and Decrypt the Message

To encrypt a message and output in ASCII armor format, use command:

gpg --armor -r receiver-key-id --encrypt message-file

Then the message file will be encrypted using the provided key-id. Normally we encrypt a file using the public key provided by the receiver. If we want to verify that the file is correctly encrypted, we just add our own key to the receiver list:

gpg --armor -r our-key-id -r receiver-key-id --encrypt message-file

After the message file is encrypted, a file named “message-file.asc” will be created, containing the encrypted message.

Use the command below to verify that the file is correctly encrypted:

gpg --decrypt encrypted-message-file

After using this command, the original message file without .asc suffix will be overwritten, so maybe it is necessary to keep a copy of the original message file.

Encrypt and Sign Messages

If we want to encrypt and sign a message at the same time, use the command below:

gpg --armor --sign -r receiver-key-id --encrypt message-file

Then the password of our private key will be required to sign the message, and the public key receiver-key-id will be used for encryption.

After the message file is encrypted and signed, a file named “message-file.asc” will be created. We can use the same command as before to verify the encryption and the validity of the signature:

gpg --decrypt encrypted-signed-message-file

Both encryption and signature info will be shown on screen.

Lab Operations

2 Key Management

2.1 Creating Keys

Refer to: Generate Key Pairs

2.2 Importing Keys

Refer to: Import and Sign Public Keys

Note that it’s better to export our generated key first for the next part, then import the course key, for convenience.

2.3 Submitting Keys

Refer to: Export Public Keys

After the key is exported to the file, we simply copy the content into the email and send it to gpg-key@dasak.csc.kth.se.

2.4 Augmenting Identities

Refer to: Add Identity to Our Key

2.5 Signing Keys

Refer to: Import and Sign Public Keys

2.6 Re-submitting keys

Refer to: Export Public Keys

Before submitting the key this time, we may want to check that the key has multiple signatures. Use the command below to check the signatures:

gpg --list-sig key-id

3 E-mail Encryption and Signing

If we succeeded in submitting the triple-signed key to the server, we should have received three emails containing several messages separated by separator lines ============= separator =============.

We can use a C++ program to split the message file into separate files.

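#include <fstream>
#include <iostream>
#include <string>

using namespace std;

int main(int argc, char** argv) {
	if (argc < 2) {
		cout << "Message splitting tool for DD2395" << endl;
		cout << "Usage:" << endl;
		cout << "\tsplit filename" << endl;
		return 0;
	}
	ifstream fin(argv[1]);
	if (!fin) {
		cerr << "Cannot open " << argv[1] << endl;
		return 1;
	}
	// Everything before the first separator goes to key.pub;
	// each later block goes to 1.txt, 2.txt, ...
	ofstream fout("key.pub");
	string line;
	int index_file = 0;
	while (getline(fin, line)) {
		// Tolerate CRLF line endings when matching the separator.
		string bare = line;
		if (!bare.empty() && bare.back() == '\r') bare.pop_back();
		if (bare == "============= separator =============") {
			fout.close();
			fout.open(to_string(++index_file) + string(".txt"));
			continue;
		}
		fout << line << '\n';
	}
	// Print how many message files were written.
	cout << index_file << endl;
	return 0;
}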

Then we can automatically check all of the message files. An example bash script for 3.3 Message Signing and Encryption is below:

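for i in $(seq 15)
do
    echo "======== decrypt log for $i.txt ========" >> log.txt
    echo "decrypted $i.txt:" >> out.txt
    # Read the passphrase from pw.txt instead of passing it on the command
    # line, where it would be visible in the process list.
    gpg --batch --passphrase-file pw.txt -d "$i.txt" >> out.txt 2>> log.txt
    echo "" >> out.txt
done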

In this script, a few parameters can be changed for different uses.

After the operations, the output and the log should be investigated carefully.

3.1 Message Signing

Copy all messages with a proper signature from gpg-sign@dasak.csc.kth.se. Also don’t forget to check the fingerprints of signatures of copied messages.

For me, the result before signing is below:

778421a92ada3bdb9127743bfcb9985e182e7090
ec3f90d3cdf88c6409834580449a381c8e0660eb
cf89d32b881ba0aa146e809521d3ade0efa4c349

Then we should sign the copied messages using the command in part Sign Messages and Verify the Signature.

After signing, the result in the signed file with suffix .asc should look like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

778421a92ada3bdb9127743bfcb9985e182e7090
ec3f90d3cdf88c6409834580449a381c8e0660eb
cf89d32b881ba0aa146e809521d3ade0efa4c349
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

<the signature>
-----END PGP SIGNATURE-----

3.2 Message Encryption

Carefully check the log file and note down the message files encrypted with only our key and perhaps additionally the course key.

The log of a properly encrypted message may look like this (in Chinese):

gpg: 由 2048 位的 RSA 密钥加密,钥匙号为 3810D17A、生成于 2012-09-11
      “gpg-both <gpg-both@dasak.csc.kth.se>”
gpg: 由 2048 位的 RSA 密钥加密,钥匙号为 XXXXXXXX、生成于 2017-11-09
      “My Name (DD2395) <name@kth.se>”

Collect into a result file the decrypted messages that were properly encrypted, and encrypt the result file with key gpg-crypt <gpg-crypt@dasak.csc.kth.se> using command from Encrypt Messages and Decrypt the Message.

After these operations, the encrypted file should look like this:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

<encrypted content>
-----END PGP MESSAGE-----

Also we can decrypt the result file to make sure the file is correctly encrypted.

3.3 Message Signing and Encryption

Carefully check the log file and note down the message files encrypted with only our key and perhaps additionally the course key, and also signed with the gpg-both key (not the course key!).

The log of a proper message may look like this (in Chinese):

gpg: 由 2048 位的 RSA 密钥加密,钥匙号为 3810D17A、生成于 2012-09-11
      “gpg-both <gpg-both@dasak.csc.kth.se>”
gpg: 由 2048 位的 RSA 密钥加密,钥匙号为 XXXXXXXX、生成于 2017-11-09
      “My Name (DD2395) <name@kth.se>”
gpg: 于 2017年11月13日 星期一 23时36分59秒 STD 创建的签名,使用 RSA,钥匙号 E0438FE3
gpg: 完好的签名,来自于“gpg-both <gpg-both@dasak.csc.kth.se>”
gpg:                 亦即“Computer Security (course key) <gpg@dasak.csc.kth.se>”
gpg:                 亦即“gpg-sign <gpg-sign@dasak.csc.kth.se>”
gpg:                 亦即“gpg-crypt <gpg-crypt@dasak.csc.kth.se>”
gpg:                 亦即“gpg-key <gpg-key@dasak.csc.kth.se>”
主钥指纹: 9314 F2F3 6834 8CD4 0045  F8ED 4A37 69F6 E043 8FE3

The log of an improper message may look like this:

gpg: 由 RSA 密钥加密、钥匙号为 F43B87A1
gpg: 由 2048 位的 RSA 密钥加密,钥匙号为 XXXXXXXX、生成于 2017-11-09
      “My Name (DD2395) <name@kth.se>”
...

Or this:

...
gpg: 于 2017年11月13日 星期一 23时36分59秒 STD 创建的签名,使用 RSA,钥匙号 CA0EC350
gpg: 完好的签名,来自于“Computer Security (course key) <gpg@dasak.csc.kth.se>”

Collect into a result file the decrypted messages that were properly encrypted, and encrypt the result file with key gpg-both <gpg-both@dasak.csc.kth.se> using command from Encrypt and Sign Messages.

After these operations, we may decrypt the result file to see whether the file is correctly encrypted and a proper signature is appended.
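
The rule from 3.3 (our key among the recipients, no unknown recipient, a valid signature from the gpg-both key) can be checked mechanically on the locale-independent lines gpg emits with --status-fd, instead of reading the translated log. This is an added example, not part of the original notes; the key ID 0A1B2C3D stands in for our own key and the status lines are constructed.

```shell
#!/bin/sh
# Added example: classify one message from gpg's --status-fd lines (stdin).
# Usage: check_status OUR_ID EXTRA_ID SIGNER_FPR
#   OUR_ID / EXTRA_ID : short (8 hex) key IDs allowed as recipients
#   SIGNER_FPR        : full fingerprint the signature must come from
check_status() {
    awk -v ours="$1" -v extra="$2" -v fpr="$3" '
        $1 != "[GNUPG:]" { next }
        $2 == "ENC_TO" {                      # one line per recipient key
            id = substr($3, length($3) - 7)   # last 8 hex digits = short ID
            if (id == ours) to_us = 1
            else if (id != extra) stranger = 1
        }
        # VALIDSIG: $3 is the signing key, the last field its primary key
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { signed = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        END {
            if (!to_us)              print "reject: not encrypted to our key"
            else if (stranger)       print "reject: unexpected recipient"
            else if (bad || !signed) print "reject: signature"
            else                     print "ok"
        }'
}

OUR_ID=0A1B2C3D      # placeholder: the page elides the author's key ID
BOTH_ID=3810D17A     # gpg-both encryption key ID, from the page's log
BOTH_FPR=9314F2F368348CD40045F8ED4A3769F6E0438FE3   # from the page's log

# Constructed status lines (upper key-ID halves, timestamps are made up).
good() { cat <<'EOF'
[GNUPG:] ENC_TO AAAAAAAA3810D17A 1 0
[GNUPG:] ENC_TO BBBBBBBB0A1B2C3D 1 0
[GNUPG:] VALIDSIG 9314F2F368348CD40045F8ED4A3769F6E0438FE3 2017-11-13 1510612619 0 4 0 1 2 00 9314F2F368348CD40045F8ED4A3769F6E0438FE3
EOF
}
stranger() { cat <<'EOF'
[GNUPG:] ENC_TO CCCCCCCCF43B87A1 1 0
[GNUPG:] ENC_TO BBBBBBBB0A1B2C3D 1 0
EOF
}
wrong_signer() { cat <<'EOF'
[GNUPG:] ENC_TO BBBBBBBB0A1B2C3D 1 0
[GNUPG:] VALIDSIG DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDCA0EC350 2017-11-13 1510612619 0 4 0 1 2 00 DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDCA0EC350
EOF
}

for sample in good stranger wrong_signer; do
    printf '%s: %s\n' "$sample" "$($sample | check_status "$OUR_ID" "$BOTH_ID" "$BOTH_FPR")"
done
```

For real messages, the status lines come from adding --status-fd with a spare file descriptor to the gpg -d call in the decrypt loop and saving that descriptor to a file per message.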

Reference

DD2395 Lab G Canvas Page https://kth.instructure.com/courses/3497/pages/lab-g?module_item_id=41923
