hello friends! new(ish)!
PGP: Difference between revisions
>God (New page) |
>Mrsnooze |
||
Line 48: | Line 48: | ||
ElGammal keys should be used in preference to RSA due to security concerns around RSA. Due to backwards compatibility, many defaults are weak, and should be changed. | ElGammal keys should be used in preference to RSA due to security concerns around RSA. Due to backwards compatibility, many defaults are weak, and should be changed. | ||
==Issues== | |||
===Web of Trust=== | |||
PGP public keys work on a [https://en.wikipedia.org/wiki/Web_of_trust Web of Trust] model which means that in order for you to trust that the key you have actually belongs to your contact, you must establish an unbroken chain of trust between them and yourself. | |||
For example, if you want to talk to Bob but haven't exchanged keys with him in person, you need a chain of people between you and Bob who have all signed each others keys. Bob knows Jane, Jane knows Fred, Fred knows Arthur, Arthur knows Sally, Sally knows Claire, and you know Claire. | |||
Without this chain of trust, you can't be sure that you have Bob's true key. | |||
===Metadata=== | |||
Email encrypted with PGP does nothing to stop metadata being collected about who you contacted, when and how often. A journalist using PGP to talk to a source is not hiding their source. | |||
==Useful Links== | ==Useful Links== | ||
[[http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html|Phil Zimmerman: Why I wrote PGP]] | [[http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html|Phil Zimmerman: Why I wrote PGP]] |
Revision as of 10:41, 17 March 2015
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. It was created by Phil Zimmermann in 1991.
PGP, GPG, and similar software follow the OpenPGP standard (4880) for encrypting and decrypting data.
Operation
PGP relies on asymmetric encryption, and also can work with symmetric encryption. There are two main modes of operation: signing and encrypting. They may be (should be) combined. If used properly, PGP is one of the strongest and most versatile forms of encryption on the market, however it is extremely complex.
Signing
A user uses their private key to create a cryptographic signature, which can be verified by anyone who has their public key. This cryptographically proves that the message came from the holder of the key.
Encryption
A user can encrypt a file in one of two ways, either with another user's public key, or with a symmetric key. By signing with the public key of a user, it can only be decrypted by their private key, which only they should have. Signing with a symmetric key (a password) is stronger and less CPU-intensive, but has the issue of sending the password to another person.
Proper and safe Usage
Use [[1]].
Start by reading the documentation, there are many good tutorials out there.
Proper Usage
gpg --gen-key generates a new keypair
gpg --list-keys shows the keys on your system
gpg --import < file.pub will import someones public key from a file
gpg -a --clearsign file will make a signed file named file.asc in ascii format, signed with the default private key
gpg --encrypt -r admin@8chan.co file will make a file named file.gpg that can only be decrypted by hotwheels (if you have his public key)
gpg --encrypt -o file2 -r admin@8chan.co file Same, but the output file is specified as file2
gpg --sign --encrypt -r admin@8chan.co file Signs and encrypts the file, outputs file.gpg
Safe Usage
Do not ever lose your private key. Safest practice is to use a master key and use it to sign sub keys, then use the sub keys. Keep the master key on an air-gapped computer, and mainly use the subkeys for proper Compartmentalization. Have revocation certificates handy in case your keys are lost.
Make sure you have a password on your keys. This is not enough to stop a determined attacker, so when you are transporting them in an easily seized form, like a flash drive, you should pack your keys into a tarball with some padding (the ~/.gnupg directory works nicely) and encrypt it with AES 256 and a strong password.
ElGammal keys should be used in preference to RSA due to security concerns around RSA. Due to backwards compatibility, many defaults are weak, and should be changed.
Issues
Web of Trust
PGP public keys work on a Web of Trust model which means that in order for you to trust that the key you have actually belongs to your contact, you must establish an unbroken chain of trust between them and yourself.
For example, if you want to talk to Bob but haven't exchanged keys with him in person, you need a chain of people between you and Bob who have all signed each others keys. Bob knows Jane, Jane knows Fred, Fred knows Arthur, Arthur knows Sally, Sally knows Claire, and you know Claire.
Without this chain of trust, you can't be sure that you have Bob's true key.
Metadata
Email encrypted with PGP does nothing to stop metadata being collected about who you contacted, when and how often. A journalist using PGP to talk to a source is not hiding their source.