We talked about Cryptography Theory before; now let's put that into practice and look at a widely used cryptography tool.
GPG, GNU Privacy Guard, is an open source tool that allows you to encrypt and sign your data and communications. To recap, encryption ensures confidentiality, and signing ensures integrity and non-repudiation.
Create key pair and share the public key
Create a key pair
Fingerprints, KeyId, User ID
Some of the gpg commands expect keyId and some expect user id.
Fingerprints is used to uniquely identify a key pair;
keyId is the last 8 or 16 characters of the fingerprint, called the short keyId and long keyId respectively. For example, in the key pair we just created, FC55 55E3 7C49 FE30 1A5D E8E9 D9EC 1FB5 E9F6 6E1F is the fingerprint, and E9F66E1F is a (short) keyId. When a gpg command expects a keyId, the fingerprint and the short/long keyId can all be used. For technical details, check here for the rfc spec
User Id takes the format of "Real Name (Comment)
--export expects User ID, all the following are valid:
To make things easier to remember, the key fingerprint always works.
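How the fingerprint and the two keyId forms relate, following RFC 4880 section 12.2 for version 4 keys (the kind with a 40-hex-digit fingerprint like the one above). This is an added example, not code from the original post; the RSA numbers and the `LOOKALIKE` fingerprint are constructed for illustration and are not real keys.

```python
import hashlib
import struct

def mpi(n):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created, n, e):
    """Version 4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body):
    """SHA-1 over 0x99, the 2-byte body length and the body, as 40 hex digits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalize(spec):
    """Drop spaces and an optional 0x prefix so all spellings compare equal."""
    spec = spec.replace(" ", "").upper()
    return spec[2:] if spec.startswith("0X") else spec

def long_key_id(fingerprint):
    return normalize(fingerprint)[-16:]   # low 64 bits of the fingerprint

def short_key_id(fingerprint):
    return normalize(fingerprint)[-8:]    # low 32 bits of the fingerprint

def candidates(spec, keyring):
    """Fingerprints in keyring selected by a fingerprint, long keyId or short keyId."""
    spec = normalize(spec)
    if len(spec) not in (8, 16, 40):
        raise ValueError("expected 8, 16 or 40 hex digits")
    return [f for f in keyring if normalize(f).endswith(spec)]

# Fingerprint shown on this page.
PAGE_FPR = "FC55 55E3 7C49 FE30 1A5D E8E9 D9EC 1FB5 E9F6 6E1F"
# Constructed fingerprint (not a real key) that shares the same low 32 bits.
LOOKALIKE = "0123 4567 89AB CDEF 0123 4567 89AB CDEF E9F6 6E1F"

if __name__ == "__main__":
    # Constructed key material, only to exercise the hashing; not a usable RSA key.
    body = v4_rsa_key_body(created=1500000000, n=(1 << 2047) | 0xC0FFEE, e=65537)
    fpr = v4_fingerprint(body)
    print("constructed fingerprint:", fpr, "long keyId:", long_key_id(fpr))
    ring = [PAGE_FPR, LOOKALIKE]
    print("short keyId selects", len(candidates(short_key_id(PAGE_FPR), ring)), "keys")
    print("long keyId selects", len(candidates(long_key_id(PAGE_FPR), ring)), "key")
```

A short keyId is only 32 bits, so two different keys can share it, as the constructed pair shows; the full fingerprint selects exactly one key.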
Export your public key
You will need to share your public key with others so that they can 1) encrypt messages for you and 2) verify that a message is from you.
ssh-keygen, you will export your public key explicitly. The output is an ASCII version of your public key and you can share it through email.
Import your public key
Once the others get your public key, they will need to import it. Again, this is so that they can use it to encrypt messages for you, or to verify that a message is from you.
Encrypt & Decrypt
There are two use cases for encryption: 1) you want to encrypt a message so that no one else can read it, 2) you want others to encrypt a message so that only you can read it.
In either case, the message will be encrypted with your public key and decrypted with your private key. In the first case you already have both keys, so no extra key steps are needed; in the second case, the user first needs to import your public key, and we have discussed how to do that.
doc with some confidential content that she wants to share with me.
It will generate an encrypted file called doc.gpg. If you dump it, it looks like this, which is great.
After receiving it, you will decrypt it using your private key, and you will be asked for the passphrase you specified when initially creating the key, to unlock your private key. This is an extra security measure to ensure that even if someone manages to get your private key, there is still more work for them to do.
And, we have the clear text:
Sign & Verify
If someone managed to modify the signed message, say by adding "oh no" after "This is a confidential doc".
The verification will fail and the receiver will know the message can't be trusted.
Send your public key to a key server and let the whole world know
Sending a public key by email doesn't sound quite cool in the modern age. You can publish your public key to GPG key servers so others can search for and import your public key from the server.
We typed Q)uit here, so we just searched for the key without importing it. If we had typed 1, which is the key number, the key E9F66E1F would have been imported.
You can also import the key using keyId (not user id) directly.
With GPG, you'll be able to encrypt and sign your data and communications, improving security and protecting privacy. Plus, it makes you look cool or "geeky" to show a GPG public key fingerprint on your name card or Twitter intro, even if you have never used it.
FC55 55E3 7C49 FE30 1A5D E8E9 D9EC 1FB5 E9F6 6E1F