PGP guards electronic correspondence. What is PGP

Data encryption is an indispensable hacker ritual in which everyone uses their own set of utilities. While there is a large selection offered for desktop OSes, only a few applications are available on mobile operating systems. We drew attention to the new creation of the developer SJ Software - PGPTools. The first version of this program was released in April. Over the past six months, the list of supported platforms has expanded significantly. It now includes Windows 10, Windows Phone, iOS (8.0 and up), OS X (10.9 and up), and Android (4.0 and up). The latest version of PGPTools v.1.10 for Android OS was selected for testing. You can download the program by registering on the 4Pda.ru forum in this topic.

Even before installing the program, it becomes obvious that its authors adhere to minimalist views. In the installation package, PGPTools takes up one and a half megabytes, but after installation it takes up only five and a half. The good news is that the list of requested permissions consists of exactly one item - writing to a memory card. It does not require SMS sending, access to the Internet or personal information.

The utility's interface is also extremely simple and easy to learn. On the one hand, this allows you to quickly understand it, but on the other hand, it causes a slight longing for the usual menus with long lists of settings. In the current version of PGPTools, you can only set a password and select the key length. But the program allows you to create several key pairs and manage them from a separate tab. Here you can select the current key and the desired actions with it. Export is supported (via the clipboard or the “send” function), and it is also possible to import previously created PGP keys.

It's nice that the program does not require any additional permissions.

USING PGPTOOLS

Work in the program begins with a simple step - creating a pair of keys. To do this, you need to enter your name or nickname, email address (this will be used to send encrypted and/or signed emails) and password.

In the PGP scheme, all keys are generated in pairs because they are mathematically linked by a common passphrase. It should be made long and complex, but without fanaticism - a forgotten password cannot be recovered. The keys in a pair have different structures, that is, they are asymmetric. The public key is so named because it can be freely shared with anyone. It serves to verify the signature of its owner and makes it possible to send the owner an encrypted message. Such a message can only be decrypted using the secret key paired with it. It is called secret because only the creator of the key pair should know it.

Simply put, a letter is encrypted with a public key before sending, and decrypted with a secret key after receipt. This is like a digital implementation of a lock with a latch: anyone can slam the door with it, but only the owner of the key can open it. We made two pairs of keys for testing: the minimum (1024 bits) and the maximum (4096 bits) possible length.

The main panel in PGPTools has the same name. It switches between two modes: encryption and decryption. Its appearance depends on which key was previously selected in the key list panel - public or secret. You can encrypt any text using PGPTools in a couple of clicks. To do this, just paste it into the field with the Enter source prompt from any source and click the Encrypt button. Encryption will be performed using the previously selected public key.

It's a little more difficult to decipher. You need to select a secret key (paired with the public one used for encryption) and enter the password specified when they were jointly generated. The ciphertext block is also pasted into the source field and the decryption result is displayed below after clicking the Decrypt button. The main purpose of PGPTools as a program with an asymmetric encryption scheme is to protect correspondence (in particular, mail) with the ability to transfer the key to the interlocutor over an unreliable channel. If only one and the same key was used to encrypt/decrypt messages, then its interception would compromise the entire correspondence. Intercepting public keys is practically useless. After exchanging them, you can immediately begin exchanging encrypted messages. Once created, they cannot be opened even by the sender. This can only be done by the recipient - with his secret key and after entering the passphrase.

When transmitting encrypted messages, make sure that the ciphertext block is inserted as is - without gaps or line breaks. Otherwise, it will not be possible to decipher it due to distortion.
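A way to check a pasted block before attempting decryption, shown as an added example (not part of the original article or of PGPTools): OpenPGP ASCII armor as defined in RFC 4880 ends with a CRC-24 line, so a truncated or altered block can be detected up front. The function names and the sample payload are constructed for this illustration.

```python
import base64
import binascii

CRC24_INIT = 0xB704CE   # constants from RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 over the raw (decoded) bytes, as used by OpenPGP armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, kind: str = "MESSAGE") -> str:
    """Wrap bytes in ASCII armor: base64 in 64-column lines plus '=CRC'."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return (f"-----BEGIN PGP {kind}-----\n\n{body}\n={check}\n"
            f"-----END PGP {kind}-----\n")


def check_armor(text: str):
    """Return (ok, reason) for a pasted armored block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        return False, "missing BEGIN line"
    if not lines[-1].startswith("-----END PGP "):
        return False, "missing END line (block truncated?)"
    inner = lines[1:-1]
    if "" not in inner:
        return False, "no blank line after armor headers"
    data_lines = [ln for ln in inner[inner.index("") + 1:] if ln]
    if not data_lines or len(data_lines[-1]) != 5 or data_lines[-1][0] != "=":
        return False, "missing CRC-24 line"
    try:
        payload = base64.b64decode("".join(data_lines[:-1]), validate=True)
        stated = int.from_bytes(
            base64.b64decode(data_lines[-1][1:], validate=True), "big")
    except binascii.Error:
        return False, "invalid base64 (characters lost or added)"
    if crc24(payload) != stated:
        return False, "CRC mismatch (content altered)"
    return True, "ok"


# Constructed sample payload: arbitrary bytes, not a real PGP message.
SAMPLE = armor(bytes(range(256)))

if __name__ == "__main__":
    print(check_armor(SAMPLE))                                  # intact block
    print(check_armor(SAMPLE.replace("AAEC", "BAEC", 1)))       # one character changed
    print(check_armor(SAMPLE.replace("AAEC", "AEC", 1)))        # one character lost
    print(check_armor(SAMPLE.rsplit("-----END", 1)[0]))         # footer cut off
```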

A COUPLE (OF THOUSAND) WORDS ABOUT THE ALGORITHM

In the classic Zimmermann implementation, the PGP scheme uses one hash function and two cryptographic algorithms: one with a symmetric key and one with an asymmetric key. It also uses a session key created using a pseudo-random number generator. Such a complex process provides more reliable data protection, that is, the mathematical complexity of recovering a secret key from a public key.

The choice of algorithms now available is very wide. It is this that greatly influences the quality of a particular PGP implementation. Typically, AES and RSA are used, and from the hash functions one is chosen that, according to modern concepts, is least susceptible to collisions (RIPEMD-160, SHA-256). PGPTools uses the IDEA algorithm for data encryption and RSA for key management and digital signatures. Hashing occurs using the MD5 function.

The multi-stage process of (de)encrypting data for any program is implemented in one of the sets of publicly available cryptographic libraries. All keys created by PGPTools contain BCPG versions in the name, which indirectly indicates the use of Bouncy Castle OpenPGP API. When testing this assumption, a direct reference to the Bouncy Castle libraries was found in the com.safetyjabber.pgptools.apk file.

They implement the OpenPGP scheme according to RFC 4880, but have their own characteristics. One is that (depending on the version chosen) they may not use an encryption subkey. Also, these libraries have limitations on the effective key length. This means that above a certain limit (typically 1024 bits), attempting to create a key of greater length will not make practical sense. The algorithm will not be able to provide high quality keys because there will be too many matching blocks in the pairs.

To test, we exported the public and private PGP key of each pair to a text file and compared them. A key pair with a length of 1024 bits has no repeating fragments, as it should be in a high-quality implementation.

Repeating blocks in keys

With four-kilobit keys the situation looks different. There are too few different fragments in the pair (they are highlighted in red), and too many matching ones.

Strictly speaking, they have even fewer differences than can be seen in the screenshots. It’s just that the comparison program used does not know how to ignore block offsets, but checks it line by line. The first thirteen lines coincide almost completely, and the ending is seventy percent identical. If you have generated a key pair with a large number of matches, then simply delete it and create another one.

CONSOLING CONCLUSION

The deficiencies identified during testing are of a general nature. They are typical for many programs, since they concern the code not of the application itself, but of the popular libraries used in it. The cryptography community recommends that developers avoid OpenPGP's Bouncy Castle. We hope that in future versions the PGPTools authors will use more advanced implementations as a basis.

In its current form, the program is already capable of providing a basic level of privacy and can be recommended as a utility that adds PGP functionality to mobile devices. It will help you create or read encrypted texts on almost any modern smartphone, as well as hide secret correspondence from prying eyes. Any protection can be considered strong only as long as the costs of overcoming it are significantly higher than the expected cost of the protected data.

According to NIST, PGP keys with a length of 1024 bits or less were considered unreliable just a few years ago. Then they were opened in an acceptable time on powerful servers, and today they are cracked like seeds in distributed computing networks. In addition to the choice of key length, the level of protection is also determined by the complexity of the passphrase and the PGP implementation mechanism itself.

Last updated on November 18, 2016.

BASICS OF WORKING WITH THE PGP CRYPTOGRAPHIC PROGRAM

The purpose of the work is to study the functionality of the PGP cryptographic program and acquire practical skills in encrypting information.

1. Basic concepts of a cryptographic program

1.1. General information

PGP (Pretty Good Privacy) is a highly secure cryptographic (encryption) program that allows users to exchange information electronically in complete confidentiality.

PGP uses two interrelated keys: a public key and a private key. These are very large, randomly generated numbers (1024 bits, 2048 bits, etc.). Only the sender of the message has access to the private key, and the public key is published or distributed through communication networks among its correspondents. In this case, the information is encrypted with the public key, and decrypted with the private key.

Public keys can be published on a public key server or distributed through communication networks to correspondents. They are stored on the computer in the directory pubring.pkr in the form of "public key certificates", which include:

1) user ID of the key owner (usually the user name);

2) a timestamp that indicates the time of generation of the key pair;

3) the actual keys.

Private (secret) keys are similarly stored as "private key certificates" in the directory secret.skr. In this case, each secret key is encrypted with a separate password.

Main functions of PGP:

Generating a private-public key pair;

Encrypt a file using a public key;

Decrypting a file using a private key;

Digital signature using a private key;

Verifying an electronic signature using a public key.

The PGP program has a user-friendly interface and a relatively high speed of message encryption and decryption. Its latest version (PGP 8.0) is Russified, which predetermined the widespread use of PGP among users.

1.2. How PGP works

The process of encrypting a message using PGP consists of a number of steps (Figure 1). First, the program compresses the text. This reduces the time it takes to send a message via modem and increases the security of encryption.

Note: Most cryptanalysis techniques (breaking encrypted messages) are based on examining the “patterns” inherent in text files, which helps crack the key. Compression eliminates these “patterns”.

To ensure the authenticity of a message, it can be “signed”. This is done by adding an electronic (digital) signature to the message, which the recipient can verify using the sender's public key to decrypt it.

A digital signature is a block of data generated using a secret key. The program does this as follows:

1) A message digest is generated from the document (this is a 160- or 128-bit “squeeze”, or checksum, of the message file); information about who signs the document and a time stamp are added to it.

2) The sender's private key is used to encrypt the message digest, thus "signing" it.

3) The message digest is transmitted along with the message itself in encrypted form. When identifying a signature, a new digest is created and compared with the transmitted digest; if they match, then the signature is considered confirmed. If the message undergoes any modification, another digest will correspond to it, i.e., it will be detected that the message has been modified.

Electronic signature recognition shows that the sender was indeed the originator of the message and that the message was not subsequently modified.

The next step is to generate the so-called session (temporary) key, which is a random number of a significantly smaller size than the public and private keys (128 bits, 168 bits), which ensures high-speed encryption and decryption. The temporary key is generated automatically using strictly random events, the source of which is the parameters of keystrokes and mouse movements.

The message is encrypted with this session key, and the session key is encrypted using the public key of the message recipient and sent to the recipient along with the ciphertext (Fig. 1.1).

Decryption occurs in reverse order. The message recipient's PGP program uses the recipient's private key to extract a temporary session key, which the program then uses to decrypt the ciphertext (Figure 1.2).

Fig.1.2. Process of decrypting a message
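The signing steps 1) to 3) and the session-key exchange described above can be followed end to end in a short sketch. This is an added example, not code from PGP or from the original page: textbook RSA without padding, SHA-256 as the digest and a hash-based keystream stand in for the real algorithms, the demo keys are built from publicly known Mersenne primes, and all names are hypothetical. It shows the data flow only and must not be used to protect anything.

```python
import hashlib
import secrets
import zlib

E = 65537


def toy_rsa_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)). Textbook RSA, no padding."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


# Constructed demo keys from known Mersenne primes: trivially factorable.
SENDER_PUB, SENDER_PRIV = toy_rsa_keypair(2**521 - 1, 2**607 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = toy_rsa_keypair(2**1279 - 1, 2**2203 - 1)


def digest(data):
    """Message digest as an integer (SHA-256 in this sketch)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(message, private_key):
    """Steps 1-2: compute the digest and transform it with the private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message, signature, public_key):
    """Step 3: recompute the digest and compare it with the transmitted one."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def stream_xor(key, data):
    """Symmetric stand-in: XOR data with SHA-256(key || offset) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def encrypt_message(text, sender_priv, recipient_pub):
    sig_len = (sender_priv[0].bit_length() + 7) // 8
    signature = sign(text, sender_priv).to_bytes(sig_len, "big")
    packed = zlib.compress(signature + text)       # compress signature + text
    session_key = secrets.token_bytes(16)          # 128-bit temporary key
    n, e = recipient_pub
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return {"wrapped_key": wrapped,
            "ciphertext": stream_xor(session_key, packed)}


def decrypt_message(msg, recipient_priv, sender_pub):
    n, d = recipient_priv
    # Only the recipient's private key recovers the 16-byte session key.
    session_key = pow(msg["wrapped_key"], d, n).to_bytes(16, "big")
    packed = zlib.decompress(stream_xor(session_key, msg["ciphertext"]))
    sig_len = (sender_pub[0].bit_length() + 7) // 8
    signature = int.from_bytes(packed[:sig_len], "big")
    text = packed[sig_len:]
    return text, verify(text, signature, sender_pub)


if __name__ == "__main__":
    letter = b"Meet at noon. " * 20                # constructed sample text
    message = encrypt_message(letter, SENDER_PRIV, RECIPIENT_PUB)
    print(decrypt_message(message, RECIPIENT_PRIV, SENDER_PUB)[1])
    print(verify(b"pay 1000", sign(b"pay 10", SENDER_PRIV), SENDER_PUB))
```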

2. Basics of working with a cryptographic program

2.1. Starting PGP

!! Run Start/Programs/PGP/PGP Desktop and check out the menu.

Note. In the future, instructions for completing tasks will be marked with !! and appear in italics.

2.2. PGP Desktop Application Basics

The PGP Desktop window contains all the standard elements inherent in a Windows application window (header, window menu, toolbars, program workspace, status bar).

The window menu consists of the following items:

  • File
    – New PGP Key (new PGP key)
    – New → PGP Zip (compressed secure archive)
    – New → PGP Disk (protected disk; keys needed!)
    – New → Encrypted Whole Disk (encrypt the entire disk)
    – New → PGP NetShare Folder (data encryption on the server)
    – Open (open)
    – Import Personal Certificate(s)
    – Exit
  • Edit (editing)
    – Copy
    – Paste
    – Delete
    – Select All
  • View - determines the state of the program’s working field, where you can see:
    – Keys

2. Creating new key directories

!! Run the program PGP Desktop .

Create your key directories, naming the public key directory mykey.pkr and the directory of secret keys mykey.skr, following the instructions below.

In the PGP Desktop window, run the command File/New PGP Key.

Enter your username and email...


Figure 2.2.2. Indication of full name and email address.

Explore the capabilities of the “Advanced” function (describe in the report!)

Figure 2.2.3. Specify additional key parameters.

Configure key compression, the key is valid until 05/01/2014.

The private key is usually protected by a password, which prevents unauthorized use. To enhance protection of the private key against access by unauthorized persons, it should be stored only on your own computer or on a floppy disk, and used only while signing or decrypting email messages. In the Passphrase window that opens, enter a passphrase of at least 8 characters that is easy to remember; the Hide Typing box must not be checked, so that the entered password is displayed in the line. In the lower window, confirm the entered password.

Note: The passphrase is used to protect the private key in case of unauthorized access. It is advisable that it consist of several words or any symbols (this is more reliable). The phrase is case-sensitive and should not be too short or so simple that it can be guessed. It should not be left written down anywhere where anyone can see it or stored on a computer.

Figure 2.2.3. Specify a password to protect the secret key.

The program will begin to generate a key pair. Upon completion of the key pair generation, the indicator in the Overall progress field will be completely filled. This indicates that the key generation process is complete.

After this, you will be prompted to add the key to the global key directory.

As a result, a new key pair consisting of three lines will be displayed in the PGP Desktop window:

key pair;

user ID;

electronic signature.

Sets of private and public keys are stored in separate files, which can be copied like any other files to another folder on your hard drive or other storage medium. By default, files with private key rings (secring.pkr) and public key rings (pubring.pkr) are stored in the PGP program folder (C:\My Documents\PGP), along with other files of this program, but backup copies can be saved anywhere.

2.2.4. Removing keys

To remove a key from a keychain (key directory), select it in the PGP Desktop window, and then use one of the following methods:

1. Press the Delete key.

2. In the Edit menu, select the Delete command.

2.2.5. Public Key Exchange

Export key

Typically a public key is a file no larger than 2 KB. An example of a public key is shown in Fig. 2.4. It can be sent to your correspondents by attaching it to an email message created in an email program, placed on a server, or copied to disk.

In order to export your public key to a file, you must perform the following steps:

1) Run the PGP Desktop program.

2) Select the key pair in the window.

3) Go to the File menu, select the Export command and choose Key.

4) In the Export key to file window that appears, check that the Include Private Key(s) box is not checked (meaning only the public key is sent).

Figure 3. Public key file

6) Click OK .

!! In the My Documents folder, create a folder and give it your last name.

!! Export your public key by saving it in the folder you created.

!! Open the Notepad program (Start/Programs/Accessories/Notepad). In Notepad, open the file with the public key, setting the file type in the dialog to all files (*.*).

Importing a key

To encrypt email messages sent to correspondents, their public keys should be added to your directory.

The public key can be imported:

1) From the public key server,

2) From the body of the mail message

3) From a public key file.

You can import the resulting key from a file into the keyring in several ways:

1) Run the key file by double-clicking on it; in the Select key(s) window that appears, click Import.

2) From the Keys menu of the PGPkeys window, select Import; in the Select File Containing Key window, find the file with the key, select it and click the Open button; in the Select key(s) window that appears, select the key and run the Import command by clicking the corresponding button.

3) Open the folder containing the file with the key and drag it with the left mouse button into the PGPkeys window.

4) Open the text file in which the key is stored using the Notepad text editor, select the text with Edit/Select All and copy it to the clipboard with Edit/Copy. Go to the PGPkeys window and run the command Edit/Paste.

Key authentication.

After receiving the public key, you should verify its reliability, i.e., that it is really the correspondent’s public key. This can be done by contacting the correspondent from whom the key was received and asking him to read out the unique identification number of his public key over the phone.

Note: Keys are referenced by a unique key identification number (Fingerprint), which is an abbreviation of the public key (the lower 160 bits of the public key). When this key identifier is displayed, only the low 32 bits are shown for brevity. Key identifiers are used by PGP to determine the key when decoding a message and determining its authenticity.

The key identification number can be seen by right-clicking on the key and selecting Properties .

And then - Show Signing Key Properties.

Fingerprint - full identification number;

Click Subkeys and determine the short key number (ID).

!! View the full and short ID numbers for your key and compare them.
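How the full and the short numbers relate can be reproduced in a few lines. This is an added example, not part of the original lab text, and it assumes version 4 keys as defined in RFC 4880 (the specification named earlier on this page): there the fingerprint is a SHA-1 hash over the public-key packet, the long key ID is its low 64 bits and the short ID its low 32 bits. The key material and creation time are constructed values and the function names are hypothetical.

```python
import hashlib
import struct


def mpi(value):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return (struct.pack(">H", value.bit_length())
            + value.to_bytes((value.bit_length() + 7) // 8, "big"))


def rsa_public_key_body(n, e, created):
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body):
    """SHA-1 over 0x99, a 2-byte body length and the body (RFC 4880, 12.2)."""
    header = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(header + body).hexdigest().upper()


def key_ids(fingerprint):
    """Long (64-bit) and short (32-bit) key IDs are suffixes of the fingerprint."""
    return {"fingerprint": fingerprint,
            "long_id": fingerprint[-16:],
            "short_id": fingerprint[-8:]}


def same_fingerprint(read_aloud, local):
    """Compare a fingerprint dictated over the phone with the local one.

    Spaces and letter case are ignored; anything shorter than the full
    40 hex digits (for example a short key ID) is rejected.
    """
    a, b = ("".join(s.split()).upper() for s in (read_aloud, local))
    if len(a) != 40 or any(c not in "0123456789ABCDEF" for c in a):
        return False
    return a == b


# Constructed sample key: modulus from two known Mersenne primes, demo only.
SAMPLE_N = (2**521 - 1) * (2**607 - 1)
SAMPLE_BODY = rsa_public_key_body(SAMPLE_N, 65537, created=1479427200)

if __name__ == "__main__":
    ids = key_ids(v4_fingerprint(SAMPLE_BODY))
    print(ids)
    print(same_fingerprint(ids["short_id"], ids["fingerprint"]))
```

The creation time is part of the hashed packet, so the same key numbers with a different timestamp give a different fingerprint.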

2.2.6. Adding Keys

You can add newly created keys to keychains, or import the public keys of your correspondents.

!! Add a key to the keychain by creating a new key pair; use your name as the key name and write your email address in the format <name>@mail.ru.

2.3. Message encryption

There are three main ways to encrypt information:

1. Encrypting a message directly in an email program supported by PGP Desktop.

2. Encryption by copying the message text to the Windows clipboard.

3. Encrypting a text file and then attaching it to an email message.

We will encrypt messages in the Outlook program.

A message is data of a certain format intended for transmission over communication networks. It is created in special email programs and can include not only text, but also files of various types, including graphics and audio.

To create and send encrypted messages, you can use various email programs that are supported by PGP: Outlook Express, The Bat!, Exchange, Eudora, etc. The easiest way to do this is in the Russified program Outlook Express.

Encryption and signing of messages in this program is carried out as follows.

1) Launch Outlook Express through the main menu by selecting Programs/Outlook Express.

!! Run the Outlook Express program. Create a message containing a greeting to your best friend (use the computer address as the sender's email address, and <surname>@mail.ru as the recipient's email address).

6) Run the command File/New/Message or press the Create a message button on the toolbar. Expand the window to full screen.

7) In the Create a message window that appears (Fig. 2.5), write the text of the message in the work field. In the To whom line, write the correspondent's email address, and in the Subject line, indicate the subject of the message (you may leave it empty). You can attach any file to a message by running the command Inserting/Attaching a File, indicating the file to be attached in the browse window and clicking Attach.

Fig. 2.6. Outlook Express window with signed message

Fig. 2.7. Outlook Express window with an encrypted message

!! Close the Outlook Express program.

2.3.2. Encrypt the entire file

Using the PGP program, you can encrypt an entire text file. To do this proceed as follows:

1) Write the text of the message in any text editor (for example, in Notepad) and save it to a file.

!! In the Notepad text editor, write a message containing your home address. Save the text to a file text.txt in the My Documents folder.

!! Encrypt and sign the entire file (its name will now be text.txt.pgp).

2) Go to Explorer, select the created file and click the right mouse button.

3) Another command called PGP will appear in the context menu that opens. If you place the mouse on the PGP menu item, a menu will open consisting of several commands:

  • Secure with key (encryption without digital signature with a key);

  • Secure with passphrase (encryption without a digital signature with a password - without a key);

  • Sign as (sign with a digital signature);

  • PGP Shred – destroy the file (through several overwrites with random or specific data).

!! Open the files with the original and encrypted messages and compare them.

!! Attach the encrypted file to an email message and send it along with it.

!! Destroy the original text file .

2.4. Decryption of messages

Corresponding to the ways of encrypting messages, there are two main ways to decrypt them.

2.4.1. Decrypting messages in Outlook Express

1) Open the received encrypted message in the Outlook Express program.

2) In the PGP menu that drops down from the taskbar (padlock icon), run the command Current Windows/Decrypt & Verify (Fig. 2.10).

3) In the PGP program window that appears, you must enter the password that protects the secret key of the message recipient and click OK. A Text Viewer window containing the decrypted message will appear on the screen. It can be copied to the clipboard by clicking the Copy to clipboard button and then pasted into a text editor.

!! Run the Outlook Express program. Open the Outbox folder. Double-click to open the message you created and decrypt it. Check the user ID and key ID.

2.4.2. Decryption of a file containing an encrypted message

1. Place the resulting file with encrypted text (a file with the extension .pgp) on the Desktop.

2. Right-click on the selected file.

3. In the context menu that appears, select PGP/Decrypt & Verify.

4. In the PGPshall Enter Passphrase window that appears, you must enter the password that protects the secret key of the message recipient and click OK. As a result, the decrypted text of the message will be saved in a file with the same name without the extension .pgp.

!! Decrypt the message stored in the file text.txt.pgp. Then delete this file.

2.6. PGPdisk Application Basics

PGP disk is a convenient application that allows you to set aside some part of your hard drive for storing confidential information. This reserved space is used to create a file called PGPdisk. It acts similarly to a hard drive in that it serves as a storage facility for files and executable programs.

The PGP disk application menu contains the following items:

  • New Virtual Disk… (create a new virtual disk)

  • Encrypt Whole Disk… (encrypt the whole disk)

  • Shred free space (clear free space)

2.6.1. Creating a PGP disk

1) Run the PGPdisk program.

!! On drive C: create your own PGP disk, giving the file corresponding to the disk your name. Set the disk size between 500 KB and 1 MB.

2) Run the command New Virtual Disk, after which the PGP disk creation wizard will appear on the screen.

Once the new drive is created, PGP will automatically mount it so it can be used.

!! Open the My Computer window and determine whether the PGP disk is connected.

2.6.2. Working with PGP disk

A PGP disk can be connected in order to work with it (in this case it will be displayed in the My Computer window along with other drives) and disconnected when finished.

Connecting a drive

1. In the PGP menu, run the command Mount Disk (connect disk).

2. In the browsing window, find the file corresponding to your PGP disk and left-click on it. Press Enter.

3. Enter a passphrase.

As a result of these actions, the PGP disk will be displayed in the My Computer window with the name you assigned to it. You can work with it like a regular disk: create files, directories, move and copy files or directories, or delete them. After working with confidential information is completed, you need to disconnect the disk. Once the drive is disconnected, its contents will be encrypted in a file.

!! From the folder Getting to Know Windows 98, copy any three files to the created PGP disk.

Disconnecting a drive

1) Close all programs and files on the PGP disk, since it is impossible to disconnect the disk if the files on this disk are still open.

2) Go to My Computer and select the PGP disk with the mouse.

3) Click the right mouse button or expand the PGP menu.

4) Run the command Unmount PGP disk in the menu that appears.

As soon as the disk is disconnected, it will no longer appear in the My Computer window.

A PGP disk can be configured to automatically shut down if it is not accessed for a certain period of time (see above).

Right-click on the disk and select PGP Desktop.

– Unmount Disk – unmount (disconnect the disk),

– Edit Disk Properties – edit disk parameters.

Using Edit Disk Properties, add another disk user.

1. Carefully study all sections of the guidelines and complete tasks marked with !! .

2. After the teacher’s permission, begin completing the additional task.

3. Additional task.

3.1. Create a folder on the Desktop, giving it the computer number as its name. It will serve to store sent text files with messages.

3.2. Using the PGPkeys application, create a key pair (public and private key) using your last name. Take the email address in the following format: <surname>@<computer number>.mail.ru (For example: *****@***ru). Write down your key ID number.

3.3. Export your public key to the folder with your computer number located on your Desktop.

3.4. Using the Notepad text editor, create a text file named <computer number>.txt in the folder with the computer number on the Desktop and write down the identification number of the exported public key.

3.5. Send your public key and identification number file to all computers: copy the corresponding files into the folders Network Neighborhood/<computer number>/C:/Windows/Desktop/folder with computer number.

3.6. Import the public keys sent to you using the various import methods described in the section Importing a key.

3.7. Using the Notepad text editor, write a message in the folder with the computer number on the Desktop containing your last name, address and any quatrain. Encrypt the message using a copy to the clipboard and the correspondent's public key, adding an electronic signature. Save the file under the name Address_<computer number>.txt and send (copy) it to your correspondent on a nearby computer in the folder with the computer number located on his Desktop.

Try to decrypt the message you created.

3.8. Write a message containing the name of your major and your purpose for attending college. Save the file under the name special_<computer number>.txt. Encrypt the file containing the message through Explorer, using the correspondent’s public key and adding an electronic signature. Send the created file to your correspondent on a nearby computer in the folder with the computer number located on his Desktop.

3.9. Open the folder with your computer number. Open the file address_<computer number>.txt, print the encrypted text of the message on the printer, decrypt its contents by copying to the clipboard, and compare the key identification numbers and the electronic signature of the correspondent and the decrypted message. Print the decrypted text of the message on the printer.

3.10. Open the folder with your computer number. Take the file special_<computer number>.txt.pgp, decrypt it using Explorer, and compare the key identification numbers and the electronic signature of your correspondent and the decrypted message.

3.11. With the permission of the teacher, remove your key pair and the imported keys of correspondents from the key directory.

3.12. Delete the folder with the computer number.

2. Public key listing.

3. Listings of encrypted and decrypted messages.

4. Analysis of various methods of message encryption.

5. Brief conclusions about the work done.

Control questions

1. What are the main functions of the PGP program?

2. What is a key?

3. Explain the purpose of public and private keys.

4. Explain the principle of encryption and decryption of information using PGP.

5. How is an electronic signature applied?

6. How can you exchange public keys with your correspondents?

7. Where can I see the key ID and user ID?

8. Name the main ways to encrypt messages using PGP.

9. Name the main ways to decrypt messages using PGP.

10. What key is used to encrypt a message, and what is used to create an electronic signature?

11. Who can decrypt a message encrypted with a public key?

12. Why do you need an electronic signature?

13. What is a PGP disk?

14. How can you work with a PGP disk?

15. Explain the procedure for disconnecting a PGP disk.

If you write code that goes into public repositories, you may find PGP useful. This series of articles, the translation of the first of which we are publishing today, will examine the use of PGP to ensure software code integrity. These materials are primarily aimed at free software developers, although the principles outlined here apply in any situation where development is carried out by distributed teams of programmers.

The following topics will be covered here:

  • PGP basics and recommendations for working with related software.
  • Using PGP with Git.
  • Developer account protection.

About the structure of materials

Each section of this series of materials is divided into two parts:
  1. A checklist that can be tailored to the needs of a specific project.
  2. Explanations of the checklist items, as well as instructions for working with the programs.

Checklist Features

The items in each checklist include information about the priority level of the item. We hope this will help you as you make decisions about how to use these recommendations.
  • Items assigned the "important" priority should be given special attention. If the recommendations from the "important" points are not implemented, this will mean a high risk of problems with the code included in the project.
  • Items with a priority of "recommended" contain recommendations that are useful to implement to improve your overall security level. Their implementation may affect the programmer's interaction with his work environment, which may require the acquisition of new habits or the abandonment of old ones.
Please remember that all lists given here are recommendations only. If you feel that the priority levels given do not reflect the security needs of your project, you should adapt them to suit your needs.

Basic PGP Concepts and Tools

▍Checklist

Here are the topics you should be comfortable with after working through the material in this section:
  1. The role of PGP in free software development (Important).
  2. Basics of public key cryptography (Important).
  3. Differences between encrypting and signing materials (Important).
  4. PGP Key Identity (Important).
  5. Validity of PGP keys (Important).
  6. Installing GnuPG utilities (version 2.x) (Important).

▍Explanations

The open source community has long relied on PGP to ensure the authenticity and integrity of the software it develops. You may not know it, but whether you're on Linux, Mac, or Windows, you've already used PGP to help ensure the integrity of your computing environment.
  • Linux distributions use PGP to ensure that binary or source packages remain unchanged from the time they are created until the end user installs them.
  • Free software projects typically offer detached PGP signatures for released software archives, so projects relying on them can verify the integrity of downloaded releases before integrating them into their own distributions.
  • Free software projects typically rely on PGP signatures in the code itself to track the provenance and ensure the integrity of the code contributed to the project by its developers.
This is very similar to the developer certificate and code signing mechanisms used by programmers working on closed source platforms. In fact, the basic concepts underlying these two technologies are largely the same. They differ mainly in technical implementation details, and in how they delegate trust. PGP does not rely on a centralized certificate authority; instead, the system allows users to independently assign a trust level to each certificate.

Our goal is to help you control the origin of the code entering your project and monitor its integrity using PGP. You can do this by following the best practices for working with PGP and understanding basic security rules.

▍Overview of how PGP works

You don't need to know all the details about how PGP works. To successfully use this technology, it is enough to understand its basic concepts. PGP uses public key cryptography. Using cryptographic methods, for example, plain text can be converted into cipher text. This process requires two different keys:
  • A public key that is known to everyone.
  • A private key that is known only to the owner.

▍Encryption

To encrypt, PGP uses the public key of the person for whom the encrypted material is intended. Encryption creates a message that can only be decrypted using the corresponding private key belonging to the recipient of the message.

The encryption process looks like this:

  1. The sender creates a random encryption key (session key).
  2. The sender encrypts the contents of the message using this session key (using a symmetric cipher).
  3. The sender encrypts the session key using the recipient's PGP public key.
  4. The sender sends encrypted data and an encrypted session key to the recipient.
To decrypt an encrypted message, perform the following steps:
  1. The recipient decrypts the session key using their PGP private key.
  2. The recipient uses the session key to decrypt the contents of the message.

▍Signing

To sign data, PGP public and private keys are used in reverse:
  1. The signer generates a checksum hash of some data.
  2. The signer uses his own private key to encrypt this checksum.
  3. The signer provides an encrypted checksum along with the data.
To verify the signature, perform the following steps:
  1. The verifier generates its own checksum of the data.
  2. The verifier uses the signer's public key to decrypt the provided checksum.
  3. If the checksums match, then the integrity of the content is verified.

▍Combining encryption and signing

Encrypted messages are often also signed with the sender's own PGP key. This should be done whenever encrypted messages are exchanged, since encryption without authentication does not make much sense (anonymity in such exchanges is perhaps needed only by secret agents and by those who make certain sensitive information public).
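The encryption and signing steps above, run end to end with GnuPG in a throwaway keyring. This is an added example, not part of the original article: the names, addresses and message are constructed, and it assumes the gpg command is GnuPG 2.2 or later.

```shell
#!/bin/sh
# Added example, not from the original article. Names, addresses and the message
# are constructed; the keys live in a throwaway keyring that is deleted at the end.

GPG=${GPG:-gpg}   # assumption: this command is GnuPG 2.2 or later

# Prints four yes/no results on one line; returns 0 only if all four are "yes".
pgp_roundtrip() {
    work=$(mktemp -d) || return 1
    result=$(
        GNUPGHOME=$work; export GNUPGHOME
        cd "$work" || exit 1
        g() { "$GPG" --batch --quiet --no-tty --trust-model always "$@" 2>/dev/null; }

        # Two demo key pairs without a passphrase (acceptable only for a demo).
        for uid in 'Alice Example <alice@example.org>' 'Bob Example <bob@example.org>'; do
            g --pinentry-mode loopback --passphrase '' \
              --quick-generate-key "$uid" default default never >/dev/null || exit 1
        done
        printf 'release-1.0.tar.gz is ready\n' > msg.txt

        # Alice signs with her private key and encrypts to Bob's public key.
        g --local-user alice@example.org --recipient bob@example.org \
          --sign --encrypt --output msg.gpg msg.txt || exit 1

        # The message carries the session key, encrypted to Bob's public key,
        # in front of the symmetrically encrypted data.
        packets=$(g --list-packets msg.gpg) || exit 1
        sk=no; data=no; sig=no; tamper=no
        case $packets in (*':pubkey enc packet:'*) sk=yes ;; esac
        case $packets in (*encrypted*packet:*) data=yes ;; esac

        # Bob decrypts; the status output names the signer of the inner signature.
        status=$(g --status-fd 1 --output out.txt --decrypt msg.gpg) || exit 1
        case $status in (*'GOODSIG '*'alice@example.org'*) sig=yes ;; esac
        cmp -s out.txt msg.txt || sig=no

        # A detached signature stops verifying once the signed file changes.
        g --local-user alice@example.org --detach-sign --output msg.sig msg.txt || exit 1
        printf 'one more line\n' >> msg.txt
        if g --verify msg.sig msg.txt; then tamper=no; else tamper=yes; fi

        echo "session_key_packet=$sk encrypted_data=$data good_signature=$sig tamper_detected=$tamper"
    ) || result='gpg run failed'
    GNUPGHOME=$work gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$result"
    [ "$result" = 'session_key_packet=yes encrypted_data=yes good_signature=yes tamper_detected=yes' ]
}
```

Source the file and call pgp_roundtrip; running `gpg --list-packets` by hand on a message of your own shows the same packet order.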

▍Key identification data

Each PGP key must have the key owner's identity associated with it. Typically this is the person's full name and email address in the following format:

Alice Engineer
Sometimes the identity data also contains comments in parentheses that are intended to tell the end user details about a particular key:

Bob Designer (obsolete 1024-bit key)
Since human key holders can play multiple professional and personal roles, multiple sets of identities can be present in the same key:

Alice Engineer Alice Engineer Alice Engineer
When multiple identity sets are used, one of them is marked as the primary one to make it easier to find the key.

▍Key validity

In order to be able to use someone's public key for encryption or verification, you need to make sure that it actually belongs to that person (Alice in this case) and not to a fraudster (let the fraudster's name be Eve). In PGP this is called key validity:
  • Full key validity means that there is a very high level of confidence that the key belongs to Alice.
  • Marginal key validity means that we are somewhat confident that the key belongs to Alice.
  • Unknown key validity means that we have absolutely no confidence that the key belongs to Alice.

▍Web of trust and the “trust on first use” mechanism

PGP includes a trust delegation mechanism known as the Web of Trust (WOT). At its core, it is an attempt to replace the need for centralized certificate services like those used in HTTPS/TLS. With this approach, the user independently makes decisions about who can be trusted.

Unfortunately, very few people understand how the web of trust works, and even fewer people care about this technology. Although trust networks remain an important aspect of the OpenPGP specification, existing versions of GnuPG (2.2 and later) have implemented an alternative approach represented by the Trust on First Use (TOFU) mechanism.

TOFU can be compared to SSH. The first time you connect to a remote system using SSH, your system remembers its key fingerprint. If the key changes, the SSH client will notify you and reject the connection, prompting you to make a decision about whether you trust the changed key or not.

The TOFU mechanism works in a similar way. The first time you import someone's PGP key, it is considered trustworthy. If GnuPG then encounters a new key with the same identity, both keys will be marked as invalid and you will have to decide for yourself which one to keep.

In this tutorial, we will use the TOFU trust model.

▍About terminology

Here we would like to point out the importance of understanding the differences between terms such as PGP, OpenPGP, GnuPG and gpg:
  • PGP (Pretty Good Privacy) is the name of a commercial program released in 1991.
  • OpenPGP is an IETF standard compatible with PGP.
  • GnuPG (Gnu Privacy Guard) is free software that implements the OpenPGP standard.
  • The command line tool for GnuPG is called gpg.
Today, the term PGP is almost universally used in the sense of "the OpenPGP standard" rather than as a program name, and thus PGP and OpenPGP are used interchangeably. The terms GnuPG and gpg should only be used when referring to specific tools, and not to standards and other concepts with which we operate. For example:
  • PGP key (not GnuPG or GPG)
  • PGP signing (not GnuPG or GPG)
  • PGP keyserver (not GnuPG or GPG)
Understanding these differences should help you communicate with other PGP users.

▍Installing GnuPG

If you are using Linux, GnuPG should already be installed on your system. On a Mac you need to install GPG-Suite or use the command brew install gnupg2. If you're a Windows user, GPG4Win is the way to go, and you'll probably need to modify some of the commands in this guide. If you use a Unix-like environment on Windows, you don't have to change the commands. If you use any other platform, you will need to find the appropriate GnuPG implementation yourself.

▍GnuPG versions 1 and 2

Both GnuPG v.1 and GnuPG v.2 implement the same standard, but they provide incompatible libraries and command line tools, resulting in many distributions shipping with both the outdated version 1 and the newer version 2. You need to make sure that you always use GnuPG v.2.

First, to find out which version of GnuPG is hiding on your system under the name gpg, run the following command:

$ gpg --version | head -n1
If you see something like gpg (GnuPG) 1.4.x, that means the gpg command is calling GnuPG v.1. In this case, try the gpg2 command:

$ gpg2 --version | head -n1
If you see something like gpg (GnuPG) 2.x.x then everything is fine. Here we assume that you have GnuPG version 2.2 or later. If you are using version 2.0 of GnuPG, some of the commands given here will not work, so you should consider installing the latest version 2.2 of GnuPG.

▍An alias for GnuPG v.2

If your system has both a gpg command and a gpg2 command, it would be a good idea to configure everything so that the gpg command calls GnuPG v.2, and not the old version of the software. You can do this by creating an alias:

$ alias gpg=gpg2
This command can be placed in .bashrc to make GnuPG v.2 respond to the gpg command.
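An alias set in .bashrc only affects interactive shells, so a script has to find the right binary itself. The version check above as a function, in an added example that is not part of the original article (the function names are made up for this illustration):

```shell
#!/bin/sh
# Added example, not from the original article; function names are illustrative.

# Succeeds if $1, the first line of `gpg --version`, reports GnuPG 2.2 or later.
is_gnupg_22_or_later() {
    case $1 in
        'gpg (GnuPG'*') '[0-9]*.[0-9]*) ;;   # also matches "gpg (GnuPG/MacGPG2) ..."
        *) return 1 ;;
    esac
    v=${1##*') '}                 # version string, e.g. "2.2.27"
    major=${v%%[!0-9]*}           # digits before the first dot
    rest=${v#*.}
    minor=${rest%%[!0-9]*}        # digits up to the next dot or suffix
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 2 ]; }
}

# Print the first of the given command names that is GnuPG 2.2+; return 1 if none is.
pick_gpg() {
    for cand in "$@"; do
        command -v "$cand" >/dev/null 2>&1 || continue
        first=$("$cand" --version 2>/dev/null | head -n1)
        if is_gnupg_22_or_later "$first"; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

# In a script:
#   GPG=$(pick_gpg gpg gpg2) || { echo 'GnuPG 2.2 or later not found' >&2; exit 1; }
#   "$GPG" --verify release.tar.gz.asc release.tar.gz
```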

Results

Here we talked about the basics of PGP that you need to know to successfully use PGP in code protection. Next time we will talk about creating and protecting PGP keys.

Dear readers! Do you use PGP to protect the code of your software projects?


Everything about investments and blockchain is clear to the average consumer, but why does PGP encryption work here? The name itself is not too clear for the average user, who is far from software gadgets. The technical sound can even be intimidating. But in vain! Understanding the simplest principles of cryptography provides a certain basis for further understanding of currently popular technologies.

Simply put, PGP encryption is a way to protect your information so that no one else can view or change it. It works with keys and digital signatures that allow you to confirm ownership of data or protect it from prying eyes.

In the article we will look at how it works, where you can use a cryptographic tool, and how to use it with PGP applications.

Pretty Good Privacy, also known as PGP, is a cryptographic program that allows you to encrypt information so that no one else can read or change the data. Essentially, it is a secure way to transfer files that guarantees complete secrecy. If you are conducting private correspondence that is not intended for the eyes of friends, employees, the government, or evil spies (underline as appropriate), this solution will help protect every letter in the message.

Another tasty feature of cryptography is proof of ownership. Let's say you have made a document available to the public, but you want to be sure that no one will take credit for your work. PGP will work for this too.

To understand exactly how this happens, let’s break down the complex into simple components.

And the box just opened: keys for secret locks

How to make sure that information from character A gets to character B, but not to other letters of the alphabet? Everything is quite simple: you need to pack the message in a safe, the code to which two people know. The function of such code in PGP is performed by keys.

The key is a large number. This is a VERY large number that takes up 1024 bits. The more bits it contains, the more difficult it is to find a match for it, that is, to crack it.

The scheme is simple: you create a message that is displayed to outsiders as a string of incomprehensible characters. But the one who has the key can decipher the data and understand what exactly you wanted to say with a set of numbers. Another question: if your correspondence can be intercepted, where is the guarantee that the transferred key will not be intercepted?

And this is the right question, allowing us to move further and consider the types and uses of keys. So, our “secret password” when encrypted with PGP can take two forms:

  1. public key - one that falls into (you won’t believe it) public access and can be downloaded by anyone;
  2. a private key is one that only the owner has and is never disclosed.

How does this juggling of keys happen? Technically it is difficult, but in essence it is elementary. Let's say a public key is posted online, and you want to send a message to its creator. Using an encryption program, you send an encrypted message. Only someone who has the private key can decrypt it. Everyone else, who, like you, holds only the public key, will see the same unintelligible set of characters.

Digital signature: ironclad proof

Now let's talk about authentication, which also involves keys. The main thing to understand is this:

What is encrypted with a public key can only be decrypted by the owner of the private key, and vice versa - what is encoded with the private key is available to the owners of the public keys.

Therefore, if character A writes, for example, a cool market research and shares it with the owners of public keys, everyone will know exactly who owns the text.

This is exactly how a digital signature works in the real world (at least they try to use it, for example, in digital tax returns). It confirms authorship and protects the document (material) from reuse in someone else’s name, editing and appropriation.

The signature, as you understand, is tied to the private key. And if the person checking/studying the material wants to verify the authorship, he can verify the authenticity of the document using the public key.

Key Pair: What Could Go Wrong

The main rule you need to learn to use PGP securely is: KEEP YOUR PRIVATE KEY IN A SAFE PLACE. This, as you understand, is not any third party, cloud storage or anything that does not belong to you. If the key exists in one copy - on your PC - no one will be able to take it away without confiscating the computer itself (although, of course, do not forget about the likelihood of hacking). So, if you want to use cryptographic programs and be confident in your security, transfer the key to a physical medium, for example, a notepad that is stored in the top drawer of your desk.

Entering keys over and over again in order to read a message is an incredibly boring process, but that is the price of security. You will agree that it is not so high that you would refuse to pay it.

Okay, actually it can be simpler. The private key is protected by an additional passphrase. This is a set of words that you enter to confirm the right to use the key. The longer your phrase, the better, and ideally it mixes upper and lower case and punctuation marks. Such a phrase is easy to remember (for example, if you use a favorite quote or line from a song) and difficult to crack.

But what to do if the key is “stolen”? PGP programs allow you to revoke a key and indicate that it can no longer be trusted. But this is little consolation for those who use digital signatures and are constantly in contact with the audience.

Why is the wonderful PGP not used by everyone?

If PGP encoding is so wonderful and useful, why doesn't everyone use it? - you ask. In fact, the answer is obvious. In order to encrypt something, you need to install the application, understand how to use it, find people who will do approximately the same thing and will be able to decrypt this information.

Today, this cool technology remains somewhere in the geek zone, if only because the interface cannot be called user-friendly. Commands are entered manually on the command line, so you have to remember them or keep a guide in front of you at all times. Writing scripts is necessary for:

  • creating private and public keys (there is also a difference in generation);
  • adding/removing/selecting a key;
  • creating a secure space on your hard drive to store keys;
  • encoding messages for one or more recipients;
  • placing a signature in a message;
  • decryption of the received data.

A little different from what a Windows or MacOS user is used to.

By the way, something like this keeps many “ordinary” users from using cryptocurrency. There you need to understand something about numbers, letters and commands. It’s great if the crypto wallet offers a clear interface and any process is automated. And if not? Few people will climb into these jungles. It’s the same with PGP - if you had to press the “encrypt” button before sending the message, and “decode” at the time of receipt, the application (and all its analogues) would gain much more popularity.

Where encryption is used today and where it will be used in the future

As already mentioned, PGP encryption today is used mainly by individuals familiar with programming and corporations to save information within the company. But given the increasing relevance of the issue of digital security, cryptography will soon be used more widely and, probably, automated.

Already, some email services (for example, Mozilla Thunderbird) use additional message protection. True, for this you still have to install applications and configure them in every possible way. But with further optimization, we simply will not notice how the encoding occurs.

Yes, yes, we are all spoiled users who don’t bother too much with questions of “how and why this or that thing works.” What's really important to us is that it just works - efficiently and safely.

With the spread of crypto technologies and the expansion of the geography of their adoption, the likelihood of obtaining new security standards on the Internet increases significantly. This is worth remembering when capturing the essence hidden behind modern crypto-hype.

Crypto is not only about . This is about functionality, security, proof of ownership, freedom from intermediaries and much more.

Protection ensures that only the recipient of the information can use it. Once in the wrong hands, it will be completely useless, since it cannot be decoded.

Authentication ensures that if some information was created by you and posted for public access, then it really came from you and was not falsified or changed by anyone in transit.

PGP is based on a cryptographic system known as public key, which can be used on untrusted channels. This makes it ideal for protecting information transmitted over networks such as the Internet.

In public key systems, each participant in the information exchange has two keys that complement each other: one is the public key and the other is the private key. The public key can and should be freely available, since it is the key that the sender uses to encrypt the information transmitted to you. The private key must not be distributed under any circumstances. It is what guarantees the security of the transmitted data.

Key distribution

After saving your friends' keys in a file, you need to send them your public key. First of all, it must be extracted from your own public key file:

pgp -kx identifier file [key file]

For example: "pgp -kx alex mykey" extracts the public key identified by the substring "alex" into the file mykey.

The generated mykey.pgp file will not be in ASCII format. However, if you need to create a key file in ASCII format to send, for example, by e-mail or add additional information to a database, you will need to use the command:

pgp -kxa identifier file [key file]

For example: "pgp -kxa alex mykey" extracts the public key identified by the substring "alex" into the file "mykey.asc".

Along with the key, all certificates that confirm it are also extracted.

To view the keys contained in the file, type the command:

pgp -kv [identifier] [key file]

Note again that the default file is pubring.pgp. If the identifier is not specified explicitly, then all keys from the file are shown. To view all certificates for each key, you need to type:

pgp -kvv [identifier] [ring]

Message encryption

Now let's try to encrypt the file. You can do this with the command:

pgp -e file id

This command creates a file called file.pgp containing the original file, encrypted so that only the recipient can decrypt it using their private key.

Remember that the generated file is not an ASCII file, so to send it via E-Mail you may need to add another -a option to ensure that the output encoded file is in ASCII format, like this:

pgp -ea file identifier

Encoding a message for multiple recipients

Let's say you need to encrypt and send a letter to several recipients. In this case, we will do this:

pgp -ea file id1 id2 id3

How a message is signed

Signing a document allows the recipient to verify that the text was actually written by the sender and that the message has not been altered. To sign a document, you must use a private key:

pgp -s file [-u id]

If we have multiple private keys in our secring.pgp, we can select one of them using the ID. This command creates a file that is not ASCII text because PGP is trying to compress the file. If, on the other hand, you want to sign the file, leaving the text readable and with a signature at the end, then the procedure would look like this:

pgp -sta file

This last command is very useful when signing emails that can continue to be read without using PGP. Also, such a message will be able to be read by those who do not need to check the signature.

Alternatively, you can sign a document and then encrypt it using the following command:

pgp -es file recipient_id [-u my_id]

The file is encrypted with the public key identified by the substring "recipient_id", so only the holder of the matching private key can decode it. The private key used for signing is then selected with the string "my_id", since there are several keys in our set. Here too, the file can be created in ASCII format by adding the -a option.

Decoding

To decrypt a file and/or verify its signature, use the command:

pgp input_file [-o output_file]

By default, the input file is assumed to have a .pgp extension. The name of the file resulting from decoding is an optional parameter. If no output file is specified, the decrypted file will be saved in the input_file file without the .pgp extension.

You can also simply view the decrypted file without saving.
