● High-Tech How Not to be Seen, Part 2 - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: "Roy Guo" <roy@szu.edu.cn>, 信区: Linux
标  题: High-Tech How Not to be Seen, Part 2
发信站: ShenZhen University (Sun Dec  5 19:33:15 1999)
转信站: ShenZhen-University!bbs.szu.edu.cn!not-for-mail
出  处: 210.39.3.71

High-Tech How Not to be Seen, Part 2

                               by Marcel Gagn~{(&~} <mggagne@salmar.com>
                                           12-Nov-1999

Secret Codes for Grown-Ups.

Welcome back, everyone. Nice to see you again for your weekly dose of Linux
system administration.

Last week, I touched on the concept of an encrypted session: in that case,
using ssh, or the secure shell. What I did not mention
was the means by which secure sessions and encrypted data are managed and
how to decrypt that information. You've probably
heard the terms "public key encryption" and "DSA" bandied about. You've
probably received messages with a "PGP signature"
attached to the message. What does that mean?

When you were a kid, you probably played with secret codes. Heck, you may
even have invented your own. One of the earliest
secret codes I remember being shown involved reversing the alphabet and
using that as my encryption key, like this:

     abcdefghijklmnopqrstuvwxyz
     zyxwvutsrqponmlkjihgfedcba

If I wanted to write the words "secret message" using this encryption
method, I would wind up with "hvxivg nvhhztv". That's not
particularly difficult to crack, I realize. Consequently, over the years,
people have created increasingly complex forms of
encryption, particularly during wartime. So historically, all encryption
methods worked on the premise of a shared key file. You
would give the person with whom you wanted to communicate the same key by
which the message was encoded. That meant
getting the key to your co-conspirator (or whatever) through a channel
separate from the message. The catch is that anyone
intercepting the key could then decipher all your messages.

Enter public key encryption, a popular form being PGP, or Pretty Good
Privacy (much more than just pretty good, I assure you).
My messages are encrypted with two keys. One is my private key, which I
guard jealously and never hand out to anyone. I will
take a copy of this key, print it out, save it to a diskette, and store both
in a safe-deposit box. Anyone knowing the whereabouts of
this key would have to be ... well, that's a bit dramatic, but you get the
idea. Now, when I encode a message, I do so by combining
my key with a public key. This is not my public key, but one supplied to me
by the person I want to communicate with. Both keys
are required for the encryption/decryption process, but anyone having just
one half of the key pair has nothing, and you never hand
out your private key to anyone.

The official release of PGP is available from http://www.pgpi.org . Another
option (the one I decided to adopt) is the open-source
alternative, GnuPG. To get the latest GnuPG, surf on over to
http://www.gnupg.org. You'll also need the gmp or GNU MP
libraries in order to compile. You can get this from the GNU web site or one
of its mirrors. Click on
http://www.gnu.org/order/ftp.html and look for one of the many mirrors. For
the impatient, the GnuPG site also provides a link for
an RPM version.

Obviously, the first thing you need to do is make the package. Here's a
quick refresher. The format for the build of gmp is pretty
much the same, so I will show you only one of the builds.

   # tar -xzvf gnupg-1.0.0.tar.gz
   # cd gnupg-1.0.0
   # ./configure
   # make
   # make install

Once you've got GnuPG built and installed, you will need to generate your
personal key before anything else can happen. Before I
explain the various commands, I should tell you that this will create a "key
pair", meaning both your private (and jealously guarded)
key and your public key (the one you hand out to all your friends). Here is
the command:

     # gpg --gen-key

You will now be prompted to answer a number of questions. The first has to
do with the encryption algorithm, or cipher. The
default is "DSA and ElGamal". I chose the default.

The next question concerns key length. You have a choice among 768, 1024 and
2048 bytes. Since the DSA standard is 1024, I
chose that. Granted, 2048 bytes is more secure, but it takes much longer to
generate. Question-and-answer continues with the
expiration date of your key. The default here is to not expire the key, but
you can define days, weeks, months, and even years.
Choose the default and confirm your choice. You will then be asked to supply
the name of the key user, e-mail address, and a
comment.

Now comes the fun part. You will be asked to enter a pass phrase. All this
information will be used to create the key, and more
information is better than too little. The catch, of course, is that more
words means more typing when it comes to deciphering your
encrypted messages. For my test, I will use "I f33l v3ry s3cure n0w" as my
pass phrase. Now, GPG runs off and generates your
secure key pair. This can take awhile, depending on your processing power,
and you may have to help the system along by doing
some other kind of work in order to create "entropy" for random number
generation. The program suggests moving the mouse. I
started a find / -print and waited.

When you're done, you have a bright, shiny new key pair. You'll also notice
a new entry in your $HOME directory. It is called
".gnupg". If I list the contents of the directory, I see this:

   $ cd /home/marcel/.gnupg
   $ ls
   options     pubring.gpg    secring.gpg    trustdb.gpg

The options file contains a list of default flags on the gpg command. You
can add your command-line options here (without the
double dashes) and they will be automatically added. Also notice the
pubring.gpg and secring.gpg files. It is a good idea to make
backups of these files immediately and store them somewhere other than your
computer. This is particularly true for the
secring.gpg file, since it contains your personal secret key. The last file
is your database of trust. It defines the level of trust that
you assign to the public keys you collect.

More on this later. Right now, let's take our GnuPG package out for a spin.

Every day, I run the fortune program and have it generate a new message of
the day, like this:

    /usr/games/fortune -l > /etc/motd

I'll use that file as my encryption test. Here's the basic command:

   # gpg -ear marcel --output /tmp/fish /etc/motd

The dash-e option means "encrypt". The dash-a means that gpg should create
"armored" ASCII output. You've seen it in e-mail
messages, usually starting with "BEGIN PGP MESSAGE" and then a bunch of
letters, numbers, and various other characters.
The next part of the command is the user for whom I am encrypting the
message; in this case, myself. The dash-dash-output tells
the command where to write this output. You can see I am sending my output
to /tmp/fish, but it could be anywhere, including
standard output (your screen) by using --output -. The last part of the
command is the file I wish to encrypt. Here's the output
of that command (the contents of the fish file):

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

hQEOAzlo5+tIbkclEAQA5Pj0CRm5eXfHouFEiTGQA5YKKVhLaoo2zGFuWnuugfBq
kDALlUI1a7oNAUff4n2hca6N5ff0erKjOnXGj/GTnEUZpZbWfDJTjZgOg5lS0IQ2
VNlLFKN5WuM2mSNstxs/uezSIdv0s5zmQ+rbW+aKM4NETUil9IOGNUEvEf3clLoD
/AsvIAk+ucMzGxYVXNUVCfqEelViK5YnDoDE1rdX8hgTgZxCelg/YcaNS1dVRaOr
/orTP2eMCO91krhy2RohMNvxWxJ7FRj8LELztEIGqiqYnjwIKaJae2bxRB/KOB7l
aeT+MuUR8qCpdyL5mzv6vaOx/LTWtfTKBAVA3HH6g1b3ycDw3Ys25w6N6EOq1IRn
XflKhEt6Ix4zvmB7v1rMORE+R8luyiVPsbweG+P4TZuqBp2uetx8VhFgRF/2RPMc
el7NM01tHISIVPaX5w/P+SKtxx70DnLW1cQEx8O9YUokLC9qw7oHFOp/ETIE+tXr
bl+ZeUtoBIHZd8EPEKzh919R4z5Rh3+FGJZjFM66KwCFxjRfwX7hgdVG35+N+CpK
t4vHg4izT5yjZyTL9ZJfdapV6XH9yvp8Y1nOToylOFxwb26YZsoq6UeLCW5da1vD
SWW3HwvXx/lew/yVnLQhKdfmMpdgJN4oQAfkn2lmPwJJJQcImQh6sm8B9xIzC+vJ
4R0Fq5RwU3osZ6hIk1KpCMAvF9RUOEYldZSEle3Fu7pDczt7nH0EgAkaKdrg6FmQ
Hmp9wFSqTzBy55x+I+pVFSu8F/J2J/9Z3UjxnpWNMip0Vt+3w2DP1RR9/JKo1uko
+1mIWpisB6WSEajBTZot05CzgmPn3Y2I8n4cJVV9Dx35FRy3Ih7xUKrrB8FC9YBC
ZDHsas9qLplseVZHB9LEbIyEUfCEOVpoQo0dU4qKd9470PFk
=h47B
-----END PGP MESSAGE-----

Difficult to read, even on one's most clever of days. It's also one of the
hardest things to crack ever devised. No wonder the
military is upset by the idea of civilians having this kind of technology at
their disposal. To decode the message, simply use this
command:

   # gpg -d /tmp/fish

You will then be able to read your message of the day in plain English (or
whatever language it was originally written in). Here it
is:

    My boss has pointy hair just like ...

Hmm ... maybe stuff like that is better left encrypted.

I'm sorry to say this, but that's all the time we have for this week. Before
I go, I would like to briefly get back to last week's
discussion of ssh and mention yet another source of secure shell development
(brought to my attention by a couple of readers;
thank you). This is a Linux port of OpenBSD's OpenSSH product, and (if I may
quote the page), "based on the last free version
of Tatu Ylonen's ssh with all patent-encumbered algorithms removed, all
known security bugs fixed, new features reintroduced
and many other clean-ups." You can check out OpenSSH by pointing your
browser to http://violet.ibs.com.au/openssh/.

Next week, we will talk more about key rings, key management, and all sorts
of other fun things.

Until then, run silent, run encrypted!

Copyright ? 1999 Specialized Systems Consultants, Inc.

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店