● The High-Tech How Not to be Seen, Part 3 - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: "Roy Guo" <roy@szu.edu.cn>, 信区: Linux
标  题: The High-Tech How Not to be Seen, Part 3
发信站: ShenZhen University (Sun Dec  5 19:33:45 1999)
转信站: ShenZhen-University!bbs.szu.edu.cn!not-for-mail
出  处: 210.39.3.71

The High-Tech How Not to be Seen, Part 3

                               by Marcel Gagn~{(&~} <mggagne@salmar.com>
                                           19-Nov-1999

You've got a brand new key. Now what?

Hello, everyone. Welcome back to the SysAdmin's Corner.

Well, I know it was a long time ago, but last week, we looked at setting up
GnuPG for encrypting data.

Before we can get anyone to send us encrypted information in any way, shape
or form, we need to provide that person with the
public half of our key. This key can then be imported into another GnuPG
package, or a Windows 9x client such as Pretty Good
Privacy (available at http://www.pgpi.org). To start, we'll publicly export
the key we created last week.

     # gpg --export -a  output mykey.asc mgagne

The -a flag creates an ASCII output to the file mykey.asc. This can then be
sent as an e-mail attachment. As with all things
security-related, there are items to be careful with, which I'll cover in a
moment with the concept of importing keys. In the
meantime, here are the first few lines of the ASCII output generated.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDgM4HkRBAC+Tzf9NOHx0fCOEE8zH2pSGKoz6g5ocqwu/4p3bMfJCWNDYo0Y
Pd2JWFKindbRdrerTpQYBvL+1OdgsrZgDBFxiqd10A1EkpN0NCnmCG2BCwdgygaB
jV6RSBumrABvVgcjc/1AmAkH3SHZR3xd8lPi26jqWsdOmLXZD7r+fTWEJwCg8IOl

Now I have my public key, ready for others to import.

Importing keys is a multi-step process. The reason for this is that after
importing the public keys, you want to "sign" them to verify
authenticity. What good is an encrypted message if it comes from a source
you can't be sure of? This verification can be a tricky
process, especially if you picked up the key from a key server or simply had
it e-mailed to you. It's always a good idea to contact
the individual providing the public key and arrange another method of
verification (fax, voice, etc) before you verify keys with
your digital signature. Checking over that long PGP KEY BLOCK can be quite a
job. A way to shorten this is with the
--fingerprint option.

     # gpg --fingerprint
       pub  1024D/A8C01167 1999-11-19 Natika (This is our cat's key)
<natika@salmar.com>
       Key fingerprint = E895 FCCE 76A4 1007 D890  FE30 EC9C 57EC A8C0 1167
       sub  1024g/9E7F38F7 1999-11-19

As you can see, the fingerprint is much shorter and easier to verify with a
phone call than the full PGP KEY BLOCK.

Let's say I want to send an encrypted message to a user on my system whose
login name is "natika". Natika starts by exporting
her key as described above. She then sends me the ASCII file that contains
her key, and I import it like this.

     # gpg --import natika.asc
     gpg: key A8C01167: public key imported
     gpg: Total number processed: 1
     gpg:               imported: 1

My keyring now contains two keys, the one I generated for myself and the one
belonging to Natika. To see what is currently in
your keyring, use the following command:

     # gpg --list-keys

This gives me the following output:

/root/.gnupg/pubring.gpg
------------------------
pub  1024D/0E0EF396 1999-10-19 Marcel Gagne (Marcel's personal
Key) <mggagne@salmar.com> sub  1024g/486E4725 1999-10-19

pub  1024D/A8C01167 1999-11-19 Natika (This is our cat's key)
<natika@salmar.com> sub  1024g/9E7F38F7 1999-11-19

By the way, if you want to see the contents of your secret keyring, use this
command instead:

     # gpg --list-secret-keys

The next step is to sign Natika's key in order to verify the authenticity of
the key. You do this with the --edit-key option.

     # gpg --edit-key natika

The result is a command-driven dialogue that allows you a number of
different options from a command prompt. To list the
available commands, type a question mark and you'll get a short description
of what each command does. The one we want to
take is sign. The program will ask you to confirm that you really, genuinely
want to sign this public key, then ask you to confirm
again with your pass phrase (which we covered last week). I can now send
Natika an encrypted message which only she can
decrypt.

     # cat my_message | gpg -ear natika | mail natika

Since you need both the public and the private key to decrypt the message,
even I cannot decrypt the message I just sent her.

Earlier on, I mentioned keyservers. Sometimes it makes more sense to
distribute your public key via a public keyserver, rather
than e-mailing it to each and every person you wish to communicate with. You
could post the key on your web site or ftp server if
you had one, or you could upload your key to a keyserver where others could
find it. A good place to start for this is
http://www.keyserver.net. From here, you can upload keys, search for other
public keys, and even find other keyservers.

At some point, you may wish to delete a key from your public keyring
(particularly if you start collecting vast quantities from
public keyservers). You can do that with the command gpg - -delete-key
user_id.

This may be sacrilege to some. I know that there are those who would
appreciate a nice menu-driven interface for GnuPG key
management (or PGP, for that matter). Now that you can do all this at the
command line, you are allowed to relax behind the
friendly face of a GNOME or KDE shell. Here are a couple, both of which I
have tried, and both of which are FREE!

Starting with KDE, we have Geheimnis, formerly called KPGP. While I admit to
not knowing what "Geheimnis" means, I can
tell you where to get it. Surf on over to
http://members.home.com/cdwiegand/geheimnis/ where you can get both source
and
binary files covering a variety of distributions, including Debian, Red Hat,
and SuSE.

On the GNOME side, you can try GPGP, available from
http://www.geocities.com/SiliconValley/Chip/3708/ . You can pick up a
Debian binary package as well as source. You can even get Italian and
Japanese versions. This site also offers a more
X-Window-generic alternative called TkPGP.

One or more of you may be asking some na?ve-sounding questions and
observations at this point, such as, "How can I trust a
public key?" and "Just because someone picks up my key and encrypts a
message to me, doesn't make it legitimate", or
"How am I supposed to check the validity of possibly hundreds of keys?".
These are all excellent questions that open the
door to a discussion of signing authorities and trust relationships, a whole
topic of its own and more than we can cover
today.

Until next week, run silent, run encrypted!

Copyright ? 1999 Specialized Systems Consultants, Inc.

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店