PGP toolkit in linux


PGP toolkit in Linux


Table of Contents

  • 1 Philip R. Zimmermann
  • 2 What is digital certificate?
  • 3 X509 .VS. PGP
  • 4 PGP tools in Linux platform
    • 4.1 Generate your own self-signed Certificate
    • 4.2 encypt and decrypt by gpg
    • 4.3 Manager your Certificats
  • 5 PGP in Emacs
    • 5.1 Easy PG package in emacs
    • 5.2 encrypt/sign email in gnus
    • 5.3 epa-mail* .VS. mml-secure-message-*

1 Philip R. Zimmermann

Zimmermann is the creator of Pretty Good Privacy(PGP) which become the standard of protocol named OpenPGP. In the era before 90s century, US government held a export restrictions for cryptography software(This bullshit policy sounds like censorship in china today right? But the different is that a lot of SOB in china government.). But Zimmermann made PGP as a open source software to counterattack government's violate human right behave(The human being's nature right is to pursual for freedom and equality, especially in Internet). This made him the target of a three years of criminal investigation.

2 What is digital certificate?

Digital Certificate consist of three things:
  • A public key
  • Identity Information(Name, Orgnazation, Email Address, Company)
  • At least one digital signatures to identify the validly and integrity of this certificate.
Digital Signature is some cipher text which is encrypt the Identify Information's digital message (hash value) by secret key. When Client get this certificate, he use the public key to decrypt the cipher text to get the Digital Message. Then compute the Digital Message of the Certifcate's Identify Information. If both of the two piece of message are equality, That means he get a valid certificate, and vice versa.

There are two kinds of popular certificates – X.509 and PGP.

3 X509 .VS. PGP

In TLS protocol's handshake process, Server send its certificate to client side, Those certificate is X.509 format. GnuTLS, a TLS protocol implementation package, can support PGP format. X.509 and PGP are two kinds of certificate authorities systems which define the ways to issue the certificates. The main difference of them is the difference of trust model.

X.509's trust model is named Certificate Authority trust model which is centralized trust model, This kinds of certificate should be issued by Certificate Authorities (for example, VeriSign, DigiCert) whoes certificates are self-signed and can be trusted by others. Our browser(chrome, firefox whatever) collected many Certificate Authorities's Certificate inside, so when users access some SSL web page, he need not to be asked if it's a trust web site. The browser can trust the certificat which is issued by Certificate Authorities which inside it.

While PGP's trust model, web trust model, is decentralized, which means everyone can sign other's certificate and issued it to third people. But it's user's responsibility to decided whether to trust this certificate. Actually there are some gpg key servers(gpg.mit.edu) which is used for us to publish and receive certificate for convenience.

4 PGP tools in Linux platform

OpenPGP is a non-proprietary protocol which provided the standard for encryption, signatures and certificates for exchanging public keys(PKI – public key infrastructure).

GnuPG is the Gnu implementation of OpenPGP protocol. It provide gpg and gpg2 commands in my Linux distrubution, gpg2 just add S/MIME support.

4.1 Generate your own self-signed Certificate

gpg --gen-key

4.2 encypt and decrypt by gpg

# get User's pub-key first.(see following section)
# encrypt file by User's pub-key, After that send file.gpg to User
gpg --output file.gpg --encrypt --recipient UserID file

# User get file.gpg, and decrypt it by his private key.
gpg --output file --decrypt file.gpg

4.3 Manager your Certificats

Manager Certificates including:
  • list all pub-keys and secret-keys.
  • import another's pub-keys
  • sign another's pub-keys
  • manager trusted pub-keys
# list all pub keys (Actually certificate)
gpg --list-keys

# upload pub keys to key server (like pgp.mit.edu)
# keyID can get from above cmd
gpg --keyserver pgp.mit.edu --send-keys keyID

# import another people's pub-key from key server
gpg --keyserver pgp.mit.edu --search-keys suzp1984@gmail.com

# import another people's pub-key from local file
gpg --import pub.key

# edit pub-keys, then you can trust/sign this key.
# after that you can update this key in key-server.
gpg --edit-key keyID/email

5 PGP in Emacs

5.1 Easy PG package in emacs

EasyPG is an GnuPG interface in emacs. It provide some interactive commands prefixed with epa-*.

5.2 encrypt/sign email in gnus

PGP tools mainly used in eccrypting email messages. For example, If I want to send a encrypted email to Bob. First, I should import Bob's public key. If Bob want some boby to send a encrypted email to him, he must public his public key. After download his public key.

Then I can write the email, After that I can encrypt/sign the letter by epa-mail* or mml-secure-message-* commands.

epa-mail* serial commands encrypt the body part of email and replace the plain text to encrypted text. Those methods called inline PGP.

mml-secure-message-* serial commands encrypt the email accroding to S/MIME standards. This is the recommended method.

5.3 epa-mail* .VS. mml-secure-message-*

why recommend mml-secure-message-* cmds

Comments

Post a Comment

Popular posts from this blog

Bluedroid stack in android

Image
Bluedroid stack in android Table of Contents Bluetooth stack in android Bluedroid .VS. Bluez Porting guide of Bluedroid stack 1 Bluetooth stack in android From Android 4.2, google use Bluedroid stack as its default Bluetooth host stack, before android 4.2, its default Bluetooth host stack was Bluez, which is also the Linux distribution's default stack. So why google changed its Bluetooth stack? The reason is maybe that Bluez stack was designed for the desktop environment, so in order to port Bluez into android, android must solve some dependency issues, like porting Dbus, Linux desktop's default IPC, into android. So there are at least five processes to power Bluetooth before android 4.2, they are systems, Bluetooth APP, Bluez, hciattach, and Dbus. The damn thing is that there are bugs between them, so Bluetooth stack is the weakest part in the android system before android 4.2, yeah, it is the usual reason that android system corrupted. So, what's t
Read more

How to setup a NAT server?

Image
How to setup an NAT server? Table of Contents What is NAT? How to setup NAT host? a shell script from vbird's book 1 What is NAT? NAT stands for Network Address Transition, which is the basic function of gateway host. I try to hack Bluetooth tethering module in android this week, it include the Bluetooth Pan profile and the NAT setup process, which means in order to implement the Bluetooth tethering, first, two devices must be connected by Bluetooth Pan profile, and then the server part device acted as gateway host to supply the network forward service. In other words, after Bluetooth Pan profile connected, the server must to setup its NAT rules to forward the IP packages. So how to setup NAT rules? 2 How to setup NAT host? My memory is still fresh that at the start of my Linux journey, I setup my Linux desktop as an NAT host to provide Internet services for my lab's classmates. During the days as a programmer, I once did a job to hacking android&
Read more

Network programming in elisp

  Network API in elisp Table of Contents 1 Introduction 2 A example 3 Http server implemented by elisp 1 Introduction Emacs is not just an editor, Yes, that's true. Emacs lisp can do network connection programming by its network API. But there is something difference with other kinds of programming language. First, elisp do not support multi-thread, pretty cool, huh!! Yeh, Multi-threads programming is a horrible venture for you, right! Second, There is no socket similarly conception in elisp, and elisp provide network programming ability as processes. Elisp can open a network connection by function – open-network-stream .  It can make network connection server listen a special port by function - make-network-process . Both of those function return a process object. Then you can communicate with the process by process's API. 2 A example I write a snippet code to figure out How to use it. ( require ' cl ) ( defvar my-network-client-b
Read more