
Introduction to OpenPGP

25 years ago every kind of cryptography was based on some form of shared secret. Since all the parties using the encryption must hold the same key for decoding, the code can easily be broken if someone gets hold of one of these keys.

So things moved toward the concept of encryption with a public and private key pair (public key-secret key encryption). In short, a public key is something you can give to anyone, since it only lets the recipients encrypt content that can then be decrypted only with your private key. The public key encrypts, the private key decrypts.

You can also "sign" documents with your private key, which lets you create an encrypted checksum of the document that others can check to make sure that you really created that document and that it has not been modified.

A detailed overview of key-pair-based encryption can be found in GnuPGIntroduction.

Security Issues

The simplest (and most widely used) way to "break" this encryption method is called "Man In the Middle": if person A is trying to send an encrypted document to person B, a third person, say C, can sit in the middle and make person A believe that he (C) is person B, and vice versa. It is a simple trick, but it can work well if people don't pay proper attention.

There are a few ways to combat these impersonation attacks. The first, and the most direct, is to give people your fingerprint. For DSA keys created with GnuPG this is a number of 40 hexadecimal (base 16) digits, the last 8 of which make up your keyid. It is true that different keys can potentially have the same fingerprint, but the number of keys someone would have to generate to find one that matches another is simply astronomical.

The second way, which is often used when you're contacting the person for the first time, is to verify their public key's signatures. Just like the signatures on files, friends can use their secret keys to sign your public key. Unlike signing documents, however, signing keys doesn't indicate ownership; it indicates first-hand, face-to-face knowledge that the key is in fact owned by the person it claims to be owned by. If you get a key for the first time and you find a friend's signature on it, hopefully you can trust that friend's judgement enough to trust the new person's key as well. If you don't recognise any signatures on a key you could even go the next step and check all the signatures of the new key's signers. This is called a web of trust. Since most IMC'ers know each other through one or two people, we should be able to verify someone new through contacts with their local IMC or someone involved with another IMC who may have met them.
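The check described above, as an added example that is not part of the original page: given the colon-format output of `gpg --with-colons --check-sigs` for a newly received key, it prints the signers whose signature gpg verified and whose keys you have already verified in person. The listing, the keyids and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find friends who vouch for a newly received key.

# Constructed sample of `gpg --with-colons --check-sigs <new keyid>` output.
# In a "sig" record: field 2 is the check result ("!" good, "-" bad,
# "?" signer's key not available), field 5 the signer's long keyid,
# field 10 the signer's user ID.
SAMPLE_SIGS='pub:-:1024:17:AAAA1111BBBB2222:2006-03-28:::-:::scESC:
uid:-::::2006-03-28::::New Person <new@example.org>:
sig:!::17:AAAA1111BBBB2222:2006-03-28::::New Person <new@example.org>:13x:
sig:!::17:CCCC3333DDDD4444:2006-04-02::::Old Friend <friend@example.org>:10x:
sig:?::17:EEEE5555FFFF6666:2006-04-05::::[User ID not found]:10x:
sig:-::17:9999888877776666:2006-04-07::::Other Friend <other@example.org>:10x:'

# Long keyids of keys you have verified face to face (constructed).
VERIFIED_IN_PERSON='CCCC3333DDDD4444 9999888877776666'

# vouching_signers LISTING VERIFIED_IDS
# Print the keyid of every signer that (a) is not the key itself,
# (b) has a signature gpg checked as good, and (c) is on your verified list.
vouching_signers() {
    printf '%s\n' "$1" | awk -F: -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 == "pub" { self = $5 }
        $1 == "sig" && $2 == "!" && $5 != self && ($5 in ok) { print $5 }'
}

# has_trust_path LISTING VERIFIED_IDS
# Succeed when at least one verified friend vouches for the key.
has_trust_path() {
    [ -n "$(vouching_signers "$1" "$2")" ]
}

if has_trust_path "$SAMPLE_SIGS" "$VERIFIED_IN_PERSON"; then
    echo "vouched for by: $(vouching_signers "$SAMPLE_SIGS" "$VERIFIED_IN_PERSON")"
else
    echo "no verified friend has signed this key"
fi
```

The self-signature, the signature that cannot be checked and the one that fails the check are all ignored, so only the signature from CCCC3333DDDD4444 counts.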

Every time you add a bit you double the number of possible key combinations. Considering that computer speed doubles every 18 months, it would take several times your lifetime to break a 1024-bit key. It would be far easier for someone to break into your home when you're away and get a copy of your secret key from your hard drive. This is why the secret key is kept encrypted with a passphrase and decrypted only when we use it. If you feel the need to be really secure, use a long, random, non-word passphrase that mixes digits with lowercase and uppercase letters, and keep your keyrings on a carefully hidden floppy instead of your hard drive.

Getting Started

If you haven't done so already, go to and download the software. From a shell (Windows Users: shell = DOS) run the following line twice:

gpg --gen-key

The first time it should tell you it has created your keyrings; the second time it will enter the key generation menu. Use the defaults except for Real Name, Email, and Passphrase. You could set an expiration time of 1y since this is your first key. Don't enter a comment unless you're making more than one key for yourself (i.e., separate home/work keys). Move the mouse around, type random characters on the keyboard, etc. while it's trying to gather entropy; if it doesn't get enough, keep going.

At this point you should have finished generating it, so try this:

gpg --fingerprint

It should show you your key along with its fingerprint and possibly some other data such as a subkey, etc. Now, very important: before you do anything else, get a NEW FLOPPY and copy the *.gpg files onto it for backup purposes. With your secret key you always have the power to sign a new key for yourself and generate a revocation certificate for the old one, or simply add a new email address to it (and delete old ones), but without the secret key you lose all power over it until it expires.

Now it's time to send your key to an IMC keyserver. It really doesn't matter which one, since they're all networked together; just pick one that's close to you and use it. If it stops working, use another one. Type this to send your key to the server, for example:

gpg --keyserver <keyserver> --send-key <your keyid>

When you pulled up your fingerprint you got your keyid; it's listed after 1024D/ and is also the last 8 digits of your fingerprint. Once you've completed this step, your key is out there for others to start using. You can receive friends' keys, or get an updated copy of your own that a friend has signed, with the following command:

gpg --keyserver <keyserver> --recv-key <keyid>

To assign a trust level and sign a friend's key (friend as in someone you've met in person and have verified that their key is legit):

gpg --edit-key <keyid>

Then use the menu to "trust" and "sign", then "save". One final tip before usage: to avoid having to type --keyserver all the time, you can edit the GnuPG options file and put a keyserver entry in it.
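Before the "sign" step, the full fingerprint of the key you received should match the one your friend gave you in person. The following is an added example, not part of the original page: it reads the primary key's fingerprint from `gpg --with-colons --fingerprint` output, compares all 40 digits with the fingerprint you were given, and refuses a bare 8-digit keyid. The listing, the fingerprints and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a key's full fingerprint before signing it.

# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output.
# In an "fpr" record, field 10 is the fingerprint; the first one listed
# belongs to the primary key, later ones to subkeys.
SAMPLE_LISTING='pub:-:1024:17:89ABCDEF01234567:2006-03-28:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::2006-03-28::::Constructed Friend <friend@example.org>:
sub:-:2048:16:1122334455667788:2006-03-28::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA981122334455667788:'

# Fingerprint as read out in person (constructed): spaced and lowercase.
SPOKEN='0123 4567 89ab cdef 0123  4567 89ab cdef 0123 4567'

# Strip everything that is not a hex digit and uppercase the rest.
normalize_fpr() {
    printf '%s' "$1" | tr -d -c '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Read a colon listing on stdin, print the primary key's fingerprint.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# The 8-digit keyid is the last 8 hex digits of the 40-digit fingerprint.
keyid_of() {
    normalize_fpr "$1" | cut -c33-40
}

# check_fpr LISTING CLAIMED
# Returns 0 only when all 40 digits agree; a keyid alone is rejected.
check_fpr() {
    have=$(printf '%s\n' "$1" | primary_fpr)
    want=$(normalize_fpr "$2")
    if [ "${#want}" -ne 40 ]; then
        echo "need the full 40-digit fingerprint, got ${#want} digits" >&2
        return 2
    fi
    if [ "$have" != "$want" ]; then
        echo "MISMATCH: do not sign this key" >&2
        return 1
    fi
    echo "fingerprint matches, keyid $(keyid_of "$have")"
}

check_fpr "$SAMPLE_LISTING" "$SPOKEN"
```

With a real keyring, the first argument would be the output of `gpg --with-colons --fingerprint <keyid>` instead of the constructed listing.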

Using It

The most common place to use GnuPG is with your mail client. Look under Frontends on to see how to get your client to work. Of course if you're using standard web-based mail you'll have to do it the hard way, or you could just get yourself a real email service.

To encrypt something "manually" save it as a text file and type:

gpg --armor --recipient <keyid> --encrypt <filename>

An alternative, shorthand way of doing this is:

gpg -ea -r <keyid> <filename>

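[ -e = --encrypt ; -a = --armor ; -r = --recipient ; options go before the filename, because gpg stops parsing options at the first non-option argument ]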

This will make a new encrypted file ending in .asc. To decrypt something encrypted to your key (encrypt something to your own key for testing purposes), type this:

gpg --decrypt <filename>

or, alternatively,

gpg -d <filename>

[ here: -d = --decrypt ]

You can use a > redirect (or --output) to put the decrypted data in a file instead of scrolling it out to your shell.

There are thousands of other uses, but I'll let you read the manual that came with GnuPG to figure them out. Have fun, and please, don't let all my technobabble discourage you. It really is quite easy to use and the benefits of using it are well worth the time to learn.


For more information, see the KeyServer working group page.


-- SilvioRhatto - 28 Mar 2006 - added link to GnuPGIntroduction.
Topic revision: r2 - 03 Oct 2006, CaSe