Original version:
Thu Jan 30 08:04:28 2003
Last updates:
Sat May 22 09:41:49 2004
Fri Sep 24 11:44:50 2004
Thu Apr 7 08:26:13 2005
Thu Jun 23 09:05:11 2005
Thu Mar 23 14:12:24 2017
Sat Mar 24 09:28:54 2018
PGP and GnuPG software provide for highly secure encryption and decryption of data, and for creating and verifying digital signatures. Development of PGP has largely stagnated. Only a few O/S distributions now include it, and we have it only on our older systems. By contrast, GnuPG continues to receive active development, and is likely to be available on many local machines as gpg and gpg2, corresponding to the 1.x and 2.x development streams. Both support a common subset of options, so either can be invoked for most simple uses.
A secure encrypted channel permits people to communicate with considerable confidence that others (including big unnamed government agencies) cannot eavesdrop, even if the encrypted traffic is intercepted (as anything that traverses the Internet can be, with the right tools, and either clandestine access or suitable privileges).
Digital signatures are useful for verifying that all parties see the same file contents, and that any tampering with those contents can be detected.
The GNU Privacy Guard (GnuPG) package is a ``complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.''
The short reading list at the end of this document leads to important comprehensive books on this subject.
Some e-mail clients implement support for sending and receiving encrypted messages. While that is certainly convenient, it leaves users in a (usually) undesirable state of ignorance about what is going on. This section tells how you can do each step yourself.
The tutorial below shows the command syntax for PGP commands. The corresponding ones for GnuPG are quite different, but fortunately, you can use a translation utility, and if your system lacks a pgp executable, just use pgpgpg instead.
To exchange secret messages with me, proceed as follows:
Fetch my public key from my Web site. The key file looks exactly like this (all lines should be flush left):
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzWBPeIAAAEEANI3Ptvt8e0ur8iiN9u2sYTJwaLeeDU/+W2umnsWskR9COQm
UklyxPVZF6M+EebaalqhL6VqqvWh7n0CxMD5puxxoBAPPKUM8bAks7j42QZMx8Oz
xvzDSk4bqTasmGOBg667P9jH6AcOjKP08zfwQb5Qm3TCFdsruWfhK324XxlBAAUR
tChOZWxzb24gSC4gRi4gQmVlYmUgPGJlZWJlQG1hdGgudXRhaC5lZHU+
=ISkv
-----END PGP PUBLIC KEY BLOCK-----
Save it in a temporary file, say foo.pubkey.
Add it to your pgp public key ring:
% pgp -ka foo.pubkey
You only need to do this, and the preceding, step once.
Create a file, say foo.msg, with your secret message, and encrypt it with my public key:
% pgp -eats foo.msg
PGP will ask for your pass phrase, which unlocks the secret key on your key ring that the -s option uses to sign the message. Then it will ask for my public key's user ID to encrypt your message. It will end with:
Transport armor file: foo.msg.asc
Mail that `transport armor' file to me:
Mail -s "Secret message" < foo.msg.asc beebe@math.utah.edu
That is the simplest way in Unix to mail a text file to someone. However, any decent mail client supports insertion of files into outgoing messages, so you could just insert foo.msg.asc into a message that way using your favorite mail program, possibly prefixing the insertion with some explanatory comments.
If you give me a copy of your public key, which you can extract into a file that PGP will prompt you for, like this:
% pgp -kxa
or
% pgp -kxa your-username@your-host
then I can add it to my public key ring, and use it to encrypt messages to send back to you that only you can read.
Your ability to read such a message from me to you that was encrypted with your public key is good evidence that your public key was not replaced during transmission to me, such as via e-mail, or a Web connection: had an attacker substituted a key of their own, I would have encrypted to that key, and you could not read the result. It is not an absolute proof, since an attacker sitting between us could in principle intercept my reply and re-encrypt it to your real key; comparing key fingerprints out of band, as described later in this document, closes that gap. On the other hand, if you cannot read my message, then we'd both better duck, because someone nasty is attacking us.
When you receive a message that has been encrypted with your public key, save it in a file, say secret.asc, and then decrypt it like this:
% pgp secret.asc
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Export of this software may be restricted by the U.S. government.

File is encrypted.  Secret key is required to read it.
Key for user ID:
1024-bit DSS key, Key ID 0x........, created ..../../..
Key can sign.
You need a pass phrase to unlock your secret key.
Enter pass phrase:
Good signature from user "...".
Signature made 2005/04/07 14:25 GMT

Plaintext filename: secret
The resulting output file secret contains the plaintext of the encrypted message.
If the plaintext is really secret, then it is a bad idea to save it in a disk file, where it could possibly be read by others, and be recorded in long-term filesystem backups. The solution is to display it on the screen with the more pager:
% pgp -m secret.asc
...as before...
Enter pass phrase:
Good signature from user "...".
Signature made 2005/04/07 14:25 GMT
...plaintext appears on the screen here...
Here is the decryption procedure using GnuPG:
% gpg secret.asc

You need a passphrase to unlock the secret key for
user: "...."
2048-bit ELG-E key, ID ........, created 2003-01-30 (main key ID ........)

gpg: encrypted with 2048-bit ELG-E key, ID ...., created ....-..-..
      "...."
gpg: Signature made Thu Apr 07 08:38:51 2005 MDT using DSA key ID ........
gpg: Good signature from "...."
GnuPG's --decrypt option (-d for short) writes the plaintext to standard output when no output file is requested, so the same effect as pgp -m is obtained by piping gpg -d secret.asc into a pager such as more. GnuPG prints its status messages (the "Good signature" lines and warnings) on standard error, so they are not mixed into the plaintext stream.
For those of you who prefer to process e-mail in graphical user interfaces (GUIs), there is an extensive tutorial elsewhere on the Web entitled How to encrypt and protect your email . It includes coverage of encrypted e-mail with popular e-mail clients, including those on mobile devices, and how to get a temporary address when you need to hide your identity from exposure in e-mail headers.
Digital signatures can be created as part of a document, in the form of a short wrapper, or in separate files. Both forms are useful: e-mail messages would normally use the first way, while software distributions would use the second approach.
To create an integrated digital signature for a file, say, foo.msg:
% echo "This is a message." > foo.msg

% cat foo.msg
This is a message.

% pgp -sta foo.msg
...
Enter pass phrase: XXXX
Pass phrase is good.
Key for user ID: Nelson H. F. Beebe <beebe@math.utah.edu>
1024-bit key, Key ID B85F1941, created 1998/06/12
Just a moment....
Clear signature file: foo.msg.asc
That produced a signed wrapper that I can give to someone.
% cat foo.msg.asc
-----BEGIN PGP SIGNED MESSAGE-----

This is a message.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPjlRxWfhK324XxlBAQFdhgP/bdHMqstLCvXG8pGIfc7OzgUySzjewx1T
GU+zi7aJzcj4WWrOxsSqceNyroIMTXpwBOwb1OP8kbBzGr+TW9Kzb+1P/UdMmnHH
qgsZbXAcf3dVUwEPhrgn5XhxXk6mPocAvL0/7VhwHClbGPAefvrcKhkAyrSfxIP2
i697b7szCeU=
=5oN9
-----END PGP SIGNATURE-----
PGP makes this file readable only by its creator, but in this case, we want it to be readable by anyone:
% chmod a+r foo.msg.asc
At a remote site, the validity of the digital signature can be checked, and the wrapper removed, by someone else like this:
% pgp foo.msg.asc
...
File has signature.  Public key is required to check signature. .
Good signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>".
Signature made 2003/01/30 16:25 GMT

Plaintext filename: foo.msg
You can also use GnuPG for signature verification:
% gpg foo.msg.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Thu Jan 30 09:24:37 2003 MST using RSA key ID B85F1941
gpg: Good signature from "Nelson H. F. Beebe <beebe@math.utah.edu>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7C18 7199 BC82 5EAB 06EB 9B96 FD9E 0E97 A93C 57C2
Suppose someone had tampered with the message, changing, say, "a message" to "an altered message". We can duplicate that tampering like this:
% sed -e "s/a message/an altered message/" foo.msg.asc > foo2.msg.asc
Signature verification now fails:
% pgp foo2.msg.asc
...
File has signature.  Public key is required to check signature. .
WARNING: Bad signature, doesn't match file contents!

Bad signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>".
Signature made 2003/01/30 16:25 GMT

Plaintext filename: foo2.msg
To create an ASCII signature in a separate .asc file:
% pgp -stab foo.msg
...
Enter pass phrase: XXXX
Pass phrase is good.
Key for user ID: Nelson H. F. Beebe <beebe@math.utah.edu>
1024-bit key, Key ID B85F1941, created 1998/06/12
Just a moment....
Transport armor file: foo.msg.asc
Here is what the signature file looks like:
% cat foo.msg.asc
-----BEGIN PGP MESSAGE-----
Version: 2.6.2

iQCVAwUBPjlTkWfhK324XxlBAQEhyAQAo5XdKEeOpClpCmiSRfc+D/SL5xg21QRy
wNOXEEZKEMhDeE7CWTWJIWyh9nbI6MUF93aLcEwdAHgv0+B2fdm7Fefe1+p+P6HU
Ts54zBEoMdj10NiLTRdtES37V/0wj/HXkJW3T6WU9EeULv3Mk0133Q16OsIi1xsv
Cy2Ky9VtCiA=
=bnlu
-----END PGP MESSAGE-----
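The public key block near the top of this document, the clearsigned wrapper above, and this detached .asc signature all use the same container, OpenPGP ASCII armor (RFC 2440, later RFC 4880): a BEGIN/END line naming the block type, optional headers such as Version:, a blank line, base64 data in 64-character lines, and a final line (=ISkv, =5oN9, =bnlu above) that is a base64-encoded CRC-24 of the binary payload. The following Python program is an added example written for this tutorial, not code from PGP or GnuPG: it builds and parses such blocks, checks the CRC, and splits a clearsigned wrapper into its text and signature parts. The payload it armors and the "Version: Example 0.1" header are constructed stand-ins, and its checks stop at the armor layer; verifying the signature packets inside the payload is still pgp's or gpg's job.

```python
"""Parse OpenPGP ASCII armor (RFC 2440 / RFC 4880 section 6) and check its CRC-24.

Added example for this tutorial, written in standard-library Python; it is not
code from PGP or GnuPG.  The sample data it armors is constructed inline.
"""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 over the binary payload; it is what the '=xxxx' trailer line encodes."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "MESSAGE", version: str = "Example 0.1") -> str:
    """Wrap binary OpenPGP data in armor: 64 base64 characters per line, then the CRC line."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {kind}-----", f"Version: {version}", ""]
                     + lines + [crc_line, f"-----END PGP {kind}-----", ""])


def dearmor(text: str) -> tuple[str, dict, bytes]:
    """Return (kind, armor headers, payload); raise ValueError if the block is malformed
    or its CRC does not match.

    The CRC catches accidental damage (mail gateways, cut-and-paste), nothing more:
    anyone who alters the payload can recompute it.  Deliberate tampering is caught
    only by verifying the signature packets inside the payload with pgp or gpg.
    """
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)-----END PGP \1-----", text, re.S)
    if not m:
        raise ValueError("no armor block found")
    kind, body = m.group(1), m.group(2).split("\n")
    headers = {}
    while body and ": " in body[0]:              # "Version: 2.6.2", "Comment: ..."
        key, _, value = body.pop(0).partition(": ")
        headers[key] = value
    b64_lines = [line.strip() for line in body if line.strip()]
    if not b64_lines or not b64_lines[-1].startswith("="):
        raise ValueError("missing CRC line")
    expected = int.from_bytes(base64.b64decode(b64_lines.pop()[1:]), "big")
    payload = base64.b64decode("".join(b64_lines), validate=True)
    actual = crc24(payload)
    if actual != expected:
        raise ValueError(f"CRC mismatch: computed {actual:06X}, armor says {expected:06X}")
    return kind, headers, payload


def is_intact(text: str) -> bool:
    """True when the armor parses and its CRC checks out."""
    try:
        dearmor(text)
        return True
    except ValueError:            # binascii.Error (bad base64) is a ValueError subclass
        return False


def split_clearsigned(text: str) -> tuple[str, bytes]:
    """Split a clearsigned wrapper (as from pgp -sta) into the text and the raw signature.

    Dash-escaping ('- ' prepended to lines that start with '-') is undone.  The text is
    returned as written; canonicalization for hashing (CRLF line ends, trailing
    whitespace removal) is left to the verifier.
    """
    m = re.search(r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n(.*?)\n"
                  r"(-----BEGIN PGP SIGNATURE-----\n.*?-----END PGP SIGNATURE-----)", text, re.S)
    if not m:
        raise ValueError("not a clearsigned message")
    message = re.sub(r"(?m)^- ", "", m.group(1).rstrip("\n"))
    _, _, signature = dearmor(m.group(2))
    return message, signature


def tamper(text: str) -> str:
    """Alter the first base64 character of the first data line (a one-symbol transit error)."""
    lines = text.split("\n")
    i = next(n for n, line in enumerate(lines) if not line.strip()) + 1   # line after the blank
    lines[i] = ("B" if lines[i][0] != "B" else "C") + lines[i][1:]
    return "\n".join(lines)


if __name__ == "__main__":
    block = armor(bytes(range(256)) * 3, "PUBLIC KEY BLOCK")   # constructed payload
    print(block)
    print("intact:", is_intact(block), " after a one-character error:", is_intact(tamper(block)))
```

The CRC detects every single-symbol error in the base64 body (a burst of at most 6 bits, well under the 24-bit width of the polynomial), which is exactly the damage a mail gateway or a careless paste produces; it offers no protection against an adversary, who simply recomputes it. Feeding dearmor the key block from the top of this page reports whether that block survived its trip through the Web page and your clipboard intact; only pgp -ka or gpg --import can say whether the key inside is the right one.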
To create a binary signature in a separate .sig file:
% pgp -sb foo.msg
...
Signature file: foo.xxx.sig
To verify the signature at some other site, you can specify either the base filename, or the signature filename.
% pgp foo.msg
...
File 'foo.msg.asc' has signature, but with no text.
Text is assumed to be in file 'foo.msg'.
Good signature from user "Nelson H. F. Beebe <beebe@math.utah.edu>".
Signature made 2003/01/30 16:32 GMT

Signature and text are separate.  No output file produced.
If the basename is used, and both .asc and .sig files exist, the .asc file is used for the signature.
The GNU Project archives and the ftp://ftp.math.utah.edu/pub/ archives use binary .sig signature files.
At various places in our local FTP and Web filesystems, you can find files named MD5SUM.asc. They contain MD5 checksums of files in the directory, plus an embedded signature. These were made like this:
% md5sum * > MD5SUM
% pgp -sta MD5SUM
...
A line in one such file looks something like this:
f6a8f9fa5d8d9872824d929db192405e hoc-7.0.6.beta.tar.gz
By verifying the digital signature on MD5SUM.asc with pgp MD5SUM.asc, you can be sure that the MD5SUM file matches what I created here. If you now fetch the indicated .tar.gz file, you can reproduce the checksum line at your site like this:
% md5sum hoc-7.0.6.beta.tar.gz
f6a8f9fa5d8d9872824d929db192405e  hoc-7.0.6.beta.tar.gz
The checksum match verifies that the .tar.gz file was not corrupted during transmission, and your copy matches mine exactly. Note that the signature on MD5SUM.asc is what makes this meaningful: an unsigned checksum list proves nothing, because whoever replaced the archive on a mirror could replace the checksum beside it just as easily. Note also that MD5 is no longer collision-resistant, so for archives published today a signed SHA-256 list, or the detached .sig on the archive itself, is the better choice.
Many of the archives also contain separate .sig detached signature files, such as the hoc-7.0.6.beta.tar.gz.sig file for the above example.
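The checksum half of that procedure, after pgp MD5SUM.asc or gpg --verify MD5SUM.asc has confirmed the signature, is easy to get subtly wrong by hand when a directory holds many files. The Python program below is an added example written for this tutorial, not part of md5sum, pgp or gpg: it reads a checksum list in the format md5sum and sha256sum write, strips a clearsign wrapper if present, recomputes each digest, and reports OK, FAILED, MISSING, or BAD NAME for a filename that would escape the directory. Its demo scenario (two small files, one altered after the list was made, one never fetched) and the placeholder signature block are constructed; the filename conventions and the hoc-7.0.6.beta.tar.gz line are the ones shown above.

```python
"""Verify files against a (clearsigned) checksum list such as the tutorial's MD5SUM.asc.

Added example in standard-library Python; it is not part of md5sum, pgp or gpg.
It does the checksum half of the procedure: pgp MD5SUM.asc (or gpg --verify
MD5SUM.asc) must first confirm the signature, because an unsigned checksum list
proves nothing; whoever swapped the archive could swap the list too.
"""
import hashlib
import os
import re
import tempfile

# "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode), as md5sum/sha256sum write them.
LINE_RE = re.compile(r"^([0-9A-Fa-f]+) [ *](.+)$")
# The digest length identifies the algorithm a checksum list was made with.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def strip_clearsign(text: str) -> str:
    """Return the signed body of a clearsigned file (pgp -sta output), or text unchanged."""
    if not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text
    _, _, rest = text.partition("\n\n")                       # drop armor headers (Hash: ...)
    body, _, _ = rest.partition("\n-----BEGIN PGP SIGNATURE-----")
    return re.sub(r"(?m)^- ", "", body)                       # undo dash-escaping


def parse_checksum_list(text: str) -> list[tuple[str, str, str]]:
    """Return (algorithm, hexdigest, filename) for every checksum line."""
    entries = []
    for line in strip_clearsign(text).splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                          # comments, blank lines
        digest, name = m.group(1).lower(), m.group(2)
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None:
            raise ValueError(f"unrecognized digest length in line: {line!r}")
        entries.append((algo, digest, name))
    return entries


def file_digest(path: str, algo: str) -> str:
    """Hex digest of a file, read in chunks so large archives do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(checksum_text: str, directory: str) -> dict[str, str]:
    """Map each listed name to OK, FAILED, MISSING, or BAD NAME (path escapes directory)."""
    results = {}
    for algo, digest, name in parse_checksum_list(checksum_text):
        if os.path.isabs(name) or ".." in name.replace("\\", "/").split("/"):
            results[name] = "BAD NAME"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if file_digest(path, algo) == digest else "FAILED"
    return results


def make_checksum_list(directory: str, names: list[str], algo: str = "sha256") -> str:
    """What `sha256sum * > SHA256SUM` would write (computed here, not by running the shell)."""
    return "".join(f"{file_digest(os.path.join(directory, n), algo)}  {n}\n" for n in names)


def demo() -> dict[str, str]:
    """Constructed scenario: one intact file, one altered after listing, one never fetched,
    and one hostile entry whose name points outside the directory."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("good.txt", "tampered.txt"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"release 1.0\n")
        listing = make_checksum_list(d, ["good.txt", "tampered.txt"])
        listing += "0" * 64 + "  absent.txt\n"
        listing += "0" * 64 + "  ../etc/passwd\n"
        with open(os.path.join(d, "tampered.txt"), "ab") as f:
            f.write(b"# one extra byte is enough\n")
        # Placeholder wrapper: a real MD5SUM.asc carries a real signature block here.
        clearsigned = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + listing
                       + "\n-----BEGIN PGP SIGNATURE-----\n(signature omitted in this demo)\n"
                       "-----END PGP SIGNATURE-----\n")
        return verify_directory(clearsigned, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

The BAD NAME check matters because the filename column is attacker-controlled text if the list's signature was not verified first, and even a properly signed list from an unfamiliar signer should not be allowed to direct your verifier at /etc/passwd or a sibling directory.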
How do you know that someone's public key hasn't been tampered with? An attacker who managed to do this would have been able to decrypt messages sent to your intended recipient, but that person would be unable to do so.
The solution to this problem is for users who create a new public key to immediately register it with one or more neutral third parties, called public key servers, which store and redistribute public keys. A key server is a directory, not a certification authority: it accepts any key anyone uploads, and it does not check that the name and e-mail address inside a key belong to the person who uploaded it. What it does provide is a stable, widely replicated copy of the key, so that a key received by e-mail or from a Web page can be compared against the server's copy, and both against the owner's key fingerprint, as described later in this document.
There is a small network of such servers for PGP keys distributed across several countries. Registration with just one is sufficient, since they exchange their public key archives, although it may take several days for a newly registered key to propagate widely. Here is a short list of some public key servers:
Key servers allow you to lookup keys by email addresses and by personal name. For example, at one of them, a search for beebe@math.utah.edu produces:
Public Key Server -- Index ``beebe@math.utah.edu ''
Type bits /keyID Date User ID
pub 1024D/A93C57C2 2003/01/30 Nelson H. F. Beebe <beebe@math.utah.edu>
pub 1024R/B85F1941 1998/06/12 Nelson H. F. Beebe <beebe@math.utah.edu>
As shown in this example, the keyID values are hyperlinked: selecting one of them leads to a page with the public key block for that person. The email addresses are also hyperlinked: they lead to a list of keys registered by the person with that address.
A search for just Beebe turns up dozens of keys registered by people with that name, along with their email addresses. A search for the more common name Nelson turns up hundreds of keys. A search for Nelson Utah turned up only three keys when this experiment was made: the above two, plus a third one. Thus, you can usually find a key, even when you don't know the person's exact name or email address, but you do know part of their name or location.
You can also search for keyIDs at some key servers, but you need to make sure that the keyID is prefixed with 0x (for hexadecimal). For example, in my case, search for 0xA93C57C2 instead of A93C57C2. Search by keyID is useful because signature verification may report just the keyID, without an associated human name or email address.
gpg can search for keys at keyservers specified in your $HOME/.gnupg/gpg.conf file:
% gpg --search 0xA93C57C2
...
gpg: searching for "0xA93C57C2" from HKP server wwwkeys.pgp.net
Keys 1-1 of 1 for "0xA93C57C2"
(1)     Nelson H. F. Beebe <beebe@math.utah.edu>
          1024 bit DSA key A93C57C2, created 2003-01-30
Enter number(s), N)ext, or Q)uit > q
You can also specify a keyserver on the command line:
% gpg --keyserver http://pgp.mit.edu/ --search 0xA93C57C2
...
gpg: searching for "0xA93C57C2" from HKP server pgp.mit.edu
Keys 1-1 of 1 for "0xA93C57C2"
(1)     Nelson H. F. Beebe <beebe@math.utah.edu>
          1024 bit DSA key A93C57C2, created 2003-01-30
Enter number(s), N)ext, or Q)uit > q
If you select a key by number from the displayed list, gpg automatically adds it to your GnuPG keyring (but not to your PGP keyring). PGP does not appear to have a similar key-search facility.
Once a public key is registered with a key server, it cannot be revoked without the matching secret key and its pass phrase (or a revocation certificate that the owner prepared in advance). This makes it very hard for an attacker to delete a registered public key. It does not, however, prevent an attacker from uploading an additional, bogus key carrying your name and e-mail address: key servers accept keys from anyone, so a search by name or address may return several keys, and only a fingerprint check tells which one is genuine. Of course, if you forget your own pass phrase, you cannot revoke your own public key either! Similarly, someone who manages to crack your computer account could impersonate you, and create and register a key whose encryptions you cannot decipher. Nothing is for certain, sigh...
Once you have found a public key for the desired user, save the public key block in a temporary file, say tempfile. This file will be 50 to 1000 lines long, and look something like this:
% cat tempfile
Public Key Server -- Get ``0xA93C57C2 ''

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Key Server 0.9.6

mQGiBD45JvoRBADB2wXsvcr0GkSy7ESDhND/7TSeDt/K8xGTiaZXs5weCGvdbngC
2cdjtGAJEVtNMnXfXBigKnrrN6ozpjBl7HFyOz+bXxrpCt2yQ/TGjQKpooXryaNM
...
uhbqgAAKCRD9ng6XqTxXwoz/AJ4xC9UlipWFMXEYvQco8GRA7ZgXpwCePBwSbhAw
2fkncUHdprzxMorL3dE=
=Oqpu
-----END PGP PUBLIC KEY BLOCK-----
To add that key to your keyring, do this:
% pgp -ka tempfile
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.

Looking for new keys...
DSS  2048/1024 0xA93C57C2 2003/01/30 Nelson H. F. Beebe <beebe@math.utah.edu>
sig?           0xA93C57C2             (Unknown signator, can't be checked)

keyfile contains 1 new keys. Add these keys to keyring ? (Y/n) y

New userid: "Nelson H. F. Beebe <beebe@math.utah.edu>".
New signature from keyID 0xA93C57C2 on userid Nelson H. F. Beebe <beebe@math.utah.edu>

Keyfile contains:
   1 new key(s)
   1 new signatures(s)
   1 new user ID(s)

Summary of changes :

New userid: "Nelson H. F. Beebe <beebe@math.utah.edu>".
New signature from keyID 0xA93C57C2 on userid Nelson H. F. Beebe <beebe@math.utah.edu>

Added :
   1 new key(s)
   1 new signatures(s)
   1 new user ID(s)
During the key addition, pgp will update about five files in your $HOME/.pgp directory.
You can also use the same key file to add the key to the separate keyring maintained by gpg:
% gpg --import tempfile
gpg: /u/class/b/c-bnhf/.gnupg/trustdb.gpg: trustdb created
gpg: key A93C57C2: public key "Nelson H. F. Beebe <beebe@math.utah.edu>" imported
gpg: Total number processed: 1
gpg:               imported: 1
GnuPG also has a PGP-like interface that takes the same command-line options as pgp; use it like this:
% pgpgpg -ka tempfile
gpg: key A93C57C2: "Nelson H. F. Beebe <beebe@math.utah.edu>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
Either of these key additions will cause GnuPG to update two files in your $HOME/.gnupg directory.
Although GnuPG has an option to automatically import a key from a keyserver, PGP does not:
% gpg --recv-keys 0xE707FDA5
gpg: key E707FDA5: public key "Werner Lemberg <wl@gnu.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
If you wish to use both GnuPG and PGP, then it is better to fetch keys into temporary files, and then import them manually. The Unix shell script getpubkey.sh provides a convenient way to do this:
% getpubkey.sh 0xE707FDA5
-rw-rw-r--   1 jones    devel       1439 Sep 24 11:38 /tmp/pgp-0xE707FDA5.tmp.13306
Try:
        pgp -ka /tmp/pgp-0xE707FDA5.tmp.13306
        pgpgpg -ka /tmp/pgp-0xE707FDA5.tmp.13306
        rm -f /tmp/pgp-0xE707FDA5.tmp.13306
Besides their use for decrypting messages, public keys can be used to verify digital signatures on files. To allow detection of tampering, some Internet file archives provide digital signature files. For example, at the GnuPG archive, you might find, and fetch, files like this:
% ncftp ftp://ftp.gnupg.org/GnuPG/gnupg/
ncftp /GnuPG/gnupg > dir gnupg-1.2.2*
-rw-r--r--   1 103      65534     2225034 May  3 11:58   gnupg-1.2.2.tar.bz2
-rw-r--r--   1 103      65534          65 May  3 11:58   gnupg-1.2.2.tar.bz2.sig
-rw-r--r--   1 103      65534     3183869 May  1 18:00   gnupg-1.2.2.tar.gz
-rw-r--r--   1 103      65534          65 May  1 18:00   gnupg-1.2.2.tar.gz.sig
ncftp /GnuPG/gnupg > get gnupg-1.2.2.tar.gz*
gnupg-1.2.2.tar.gz.sig:                                  65.00 B  714.05 B/s
gnupg-1.2.2.tar.gz:                                       3.04 MB  160.10 kB/s
ncftp /GnuPG/gnupg > quit
You can then verify the integrity of the archive file with PGP like this:
% pgp gnupg-1.2.2.tar.gz.sig
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.

File 'gnupg-1.2.2.tar.gz.sig' has signature, but with no text.
Text is assumed to be in file 'gnupg-1.2.2.tar.gz'.
signature not checked.
Signature made 2003/05/01 15:10 GMT
key does not meet validity threshold.

WARNING:  Because this public key is not certified with a trusted
signature, it is not known with high confidence that this public key
actually belongs to: "(KeyID: 0x57548DCD)".
Alternatively, you can use GnuPG like this:
% gpg gnupg-1.2.2.tar.gz.sig
gpg: Signature made Thu 01 May 2003 09:10:15 AM MDT using DSA key ID 57548DCD
gpg: Can't check signature: public key not found
Both programs complained that they could not verify the signature because the signer's key was not found on the keyring.
To remedy that problem, fetch the signer's public key from a key server as described earlier, and add it to your PGP and GnuPG keyrings:
% pgp -ka tempkoch
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.

Looking for new keys...
DSS  1024      0x57548DCD 1998/07/07 Werner Koch (gnupg sig) <dd9jn@gnu.org>
...

% gpg --import tempkoch
gpg: key 57548DCD: public key "Werner Koch (gnupg sig) <dd9jn@gnu.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Now verify the file signatures again:
% pgp gnupg-1.2.2.tar.gz.sig
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.

File 'gnupg-1.2.2.tar.gz.sig' has signature, but with no text.
Text is assumed to be in file 'gnupg-1.2.2.tar.gz'.
Good signature from user "Werner Koch (gnupg sig) <dd9jn@gnu.org>".
Signature made 2003/05/01 15:10 GMT

WARNING:  Because this public key is not certified with a trusted
signature, it is not known with high confidence that this public key
actually belongs to: "Werner Koch (gnupg sig) <dd9jn@gnu.org>".

% gpg gnupg-1.2.2.tar.gz.sig
gpg: Signature made Thu 01 May 2003 09:10:15 AM MDT using DSA key ID 57548DCD
gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn@gnu.org>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD
Both PGP and GnuPG confirm that the digital signature on the file is good, so we can be confident that the archive file gnupg-1.2.2.tar.gz has contents that are identical with the file that Werner Koch signed at his site.
Both programs warn that Werner Koch's public key is not certified by a trusted authority; consult their documentation to find out more about how key certification works. In practice, you may be satisfied to know just that the digital signature was verified, and that it matches the public key for the expected user that you downloaded from a public key server. Remember, though, that anyone can upload a key bearing any name to a key server, so that check alone only tells you that the file was signed by whoever holds the key you fetched. The next section describes how you might increase trust in a public key.
Once you have someone's public key, perhaps obtained from a keyserver or an FTP or Web site, you still don't know that the key is genuine: you have to trust the source.
If you can contact the key owner by FAX, telephone, or e-mail, you can request a key fingerprint, which is a sequence of hexadecimal characters that represent a checksum of the public key. You can then compare it with the fingerprint extracted from the purportedly identical public key on your keyring with either PGP or GnuPG:
% pgp -kvc 0xA93C57C2
...
Looking for user ID "0xA93C57C2".
Type bits      keyID      Date       User ID
DSS  2048/1024 0xA93C57C2 2003/01/30 expires 2102/01/05
                                     Nelson H. F. Beebe <beebe@math.utah.edu>
          Key fingerprint =  7C 18 71 99 BC 82 5E AB  06 EB 9B 96 FD 9E 0E 97  A9 3C 57 C2
1 matching key found.

% pgpgpg -kvc 0xA93C57C2
pub  1024D/A93C57C2 2003-01-30 Nelson H. F. Beebe <beebe@math.utah.edu>
     Key fingerprint = 7C18 7199 BC82 5EAB 06EB 9B96 FD9E 0E97 A93C 57C2
sub  2048g/88DE0889 2003-01-30 [expires: ????-??-??]

% gpg --fingerprint 0xA93C57C2
pub  1024D/A93C57C2 2003-01-30 Nelson H. F. Beebe <beebe@math.utah.edu>
     Key fingerprint = 7C18 7199 BC82 5EAB 06EB 9B96 FD9E 0E97 A93C 57C2
sub  2048g/88DE0889 2003-01-30 [expires: ????-??-??]
If they match, digit for digit, and if you have reason to believe that the person who gave you the fingerprint was indeed the key owner, then the public key has more trust than it had before.
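The two tools above print the same fingerprint in different layouts (PGP in byte pairs, gpg in groups of four), and the fingerprint a correspondent reads over the telephone will arrive in yet another spacing, possibly with a 0x prefix. The Python program below is an added example for this tutorial, not code from PGP or GnuPG: it normalizes both print styles before comparing, derives the key IDs that pgp and gpg print from a v4 fingerprint, and checks that the key ID named in a "Signature made ... using DSA key ID" line really belongs to the fingerprint you confirmed. The fingerprints and key IDs it uses are the ones shown earlier on this page.

```python
"""Compare a fingerprint obtained out of band (phone, FAX, a printed card) with the
one pgp -kvc or gpg --fingerprint shows for the key you imported.

Added example in standard-library Python, not code from PGP or GnuPG.  The
fingerprints and key IDs used below are the ones printed earlier on this page.
"""
import re


def normalize_hex(text: str) -> str:
    """Drop whitespace and an optional 0x prefix, upper-case the rest, reject non-hex."""
    compact = re.sub(r"\s+", "", text)
    if compact[:2].lower() == "0x":
        compact = compact[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", compact):
        raise ValueError(f"not hexadecimal: {text!r}")
    return compact.upper()


def normalize_fingerprint(text: str) -> str:
    """Accept both print styles: PGP's '7C 18 71 99 ...' and gpg's '7C18 7199 ...'.

    A v4 fingerprint is 160 bits (40 hex digits, SHA-1 over the public key packet);
    a v3 RSA fingerprint is 128 bits (32 hex digits, MD5 over modulus and exponent).
    """
    fp = normalize_hex(text)
    if len(fp) not in (32, 40):
        raise ValueError(f"fingerprint has {len(fp)} hex digits, expected 32 or 40")
    return fp


def fingerprints_match(spoken: str, on_keyring: str) -> bool:
    """True when the out-of-band fingerprint equals the one on the keyring, digit for digit."""
    return normalize_fingerprint(spoken) == normalize_fingerprint(on_keyring)


def v4_key_ids(fingerprint: str) -> tuple[str, str]:
    """(long 16-digit, short 8-digit) key IDs of a v4 key: the low 64 / 32 bits of its
    fingerprint.  For v3 RSA keys the key ID comes from the modulus, not the fingerprint."""
    fp = normalize_fingerprint(fingerprint)
    if len(fp) != 40:
        raise ValueError("key ID is a fingerprint suffix only for v4 keys")
    return fp[-16:], fp[-8:]


def key_id_belongs_to(fingerprint: str, key_id: str) -> bool:
    """Check that a key ID printed by 'gpg: Signature made ... using DSA key ID ....' is the
    one for this fingerprint.  Necessary, not sufficient: a 32-bit short ID is cheap to
    collide, so only the full fingerprint, confirmed out of band, identifies a key."""
    kid = normalize_hex(key_id)
    if len(kid) not in (8, 16):
        raise ValueError(f"key ID has {len(kid)} hex digits, expected 8 or 16")
    return normalize_fingerprint(fingerprint).endswith(kid)


if __name__ == "__main__":
    pgp_style = "7C 18 71 99 BC 82 5E AB  06 EB 9B 96 FD 9E 0E 97  A9 3C 57 C2"
    gpg_style = "7C18 7199 BC82 5EAB 06EB 9B96 FD9E 0E97 A93C 57C2"
    print("same key:", fingerprints_match(pgp_style, gpg_style))
    print("long/short key ID:", v4_key_ids(gpg_style))
    print("0xA93C57C2 belongs to it:", key_id_belongs_to(gpg_style, "0xA93C57C2"))
```

The last function explains why a key ID by itself is never enough: the eight hex digits that pgp and gpg print are only the tail of the fingerprint, and a key with any chosen tail can be generated quickly, so a signature that "matches key ID A93C57C2" means nothing until the whole fingerprint of that key has been compared with one obtained from its owner.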
Cryptography and cryptanalysis are active research areas, with a huge surge in activity since the invention of public-key cryptography by Diffie and Hellman in 1976, and independently, and in a different way, by Rivest, Shamir, and Adleman (RSA) in 1978. For coverage of much of the important literature in these fields, visit the TUG bibliography archives. The coverage of cryptography starts with a book published in 1404, almost 600 years before this Web page was created.