By Bri Hatch.
Summary: Importing and Exporting public keys.
GnuPG and other PGP implementations allow you to encrypt (scramble the data so only intended recipients can read it) and/or sign (provide proof that the data has been unaltered in transit). As you should remember, PGP keys are made up of two parts, a public key and a private key. The public key can (and in most cases should) be available to anyone - there's no harm in allowing it out to the entire world. The private key should be kept somewhere secure, protected with a strong passphrase.
So, in order to communicate with other parties, we'll need to be able to get a copy of their public key. When encrypting a file, you encrypt it to their public key. When verifying an electronic signature, you verify it by decrypting the pgp signature with their public key. Without their public key, you can't encrypt or verify, it's as simple as that.
In order to be sure you're talking with the correct party, you need to do two things: first, get a copy of their public key, and second, verify the key. This week we'll cover the former.
The easiest way to get a key is if they've
put it up on a PGP key server. For example if you know
their keyid is
$ gpg --recv-key D5D3BDA6 gpg: key D5D3BDA6: public key "John Doe ... firstname.lastname@example.org>" imported gpg: Total number processed: 1 gpg: imported: 1 (DSA: 1)
In order for
# Use the US PGP keyserver keyserver wwwkeys.us.pgp.net
Most PGP keyservers synchronise with each other, so pick one close to you.
To put your key on a keyserver, use
$ gpg --send-key mykeyid gpg: success sending to `wwwkeys.us.pgp.net' (status=200)
If you've received a signed file or email from someone, then you already have access to their keyid. For example Mutt can be configured to attempt to verify the signatures on every email by default. If you don't have the other party's public key installed, it'll tell you it can't verify it, but will let you know the public key that was used:
[-- PGP output follows (current time: Wed Feb 25 07:06:06 2004) --] gpg: Signature made Wed Feb 25 04:30:51 2004 PDT using DSA key ID D5D3BDA6 gpg: Can't check signature: public key not found [-- End of PGP output --]
In the above output, you can glean that the user's keyid is D5D3BDA6.
Alternatively, you can get the public key in a file. Perhaps
the other party sent it to you in email, or maybe they have it
available on their website. In this case, you need to import
the key using
$ gpg --import /path/to/john_pgp_public_key.asc gpg: key D5D3BDA6: public key "John Doe ... email@example.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (DSA: 1)
If you want to extract an ascii-armoured copy of your key to
be able to email to people, put on your website, etc, then
$ gpg -a --export mykeyid > my_pgp_public_key.asc $ more my_pgp_public_key.asc -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.2.1 (GNU/Linux) ... -----END PGP PUBLIC KEY BLOCK-----
An ascii-armoured version is preferred to the binary version, because it won't get goofed up in 7-bit protocols like email, or have trouble with CR/LF translations in FTP.
Once you've imported the key, you should be able to see that it's there
# Show key D5D3BDA6 $ gpg -kv D5D3BDA6 pub 1024D/D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <firstname.lastname@example.org> sub 1024g/26F8D783 2003-12-14 # Show the key, and all the signatures too $ gpg -kvv D5D3BDA6 pub 1024D/D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <email@example.com> sig 3 D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <firstname.lastname@example.org> sub 1024g/26F8D783 2003-12-14 sig D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <email@example.com>
So, we've learned how to exchange keys with other people. Next time we'll discuss a crucial component - verifying the keys.
 Sorry for the hand-waving, but I'm trying to avoid hurting people's brain with the math. This is the "trust me, for more details go read the PGP documentation" explanation.
 The greatest mail program in the world.
Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. How can one be up from 5:30 am to 2:30am and still not have time to send out a newsletter that he wrote a week ago? I know the answer - twins! Bri can be reached at firstname.lastname@example.org.
Copyright Bri Hatch, 2004
This is the March 11, 2004 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Securityemail@example.com.