The GNU Privacy Handbook
Copyright © 1999 by The Free Software Foundation
Please direct questions, bug reports, or suggestions concerning this manual to the maintainer, Mike Ashley (<[email protected]>). Contributors to this manual also include Matthew Copeland, Joergen Grahn, and David A. Wheeler. J Horacio MG has translated the manual to Spanish.
This manual may be redistributed under the terms of the GNU General Public License.
Table of Contents
1. Getting Started
    1.1. Generating a new keypair
        1.1.1. Generating a revocation certificate
    1.2. Exchanging keys
        1.2.1. Exporting a public key
        1.2.2. Importing a public key
    1.3. Encrypting and decrypting documents
    1.4. Making and verifying signatures
        1.4.1. Clearsigned documents
        1.4.2. Detached signatures
2. Concepts
    2.1. Symmetric ciphers
    2.2. Public-key ciphers
    2.3. Hybrid ciphers
    2.4. Digital signatures
3. Key Management
    3.1. Managing your own keypair
        3.1.1. Key integrity
        3.1.2. Adding and deleting key components
        3.1.3. Revoking key components
        3.1.4. Updating a key’s expiration time
    3.2. Validating other keys on your public keyring
        3.2.1. Trust in a key’s owner
        3.2.2. Using trust to validate keys
    3.3. Distributing keys
4. Daily use of GnuPG
    4.1. Defining your security needs
        4.1.1. Choosing a key size
        4.1.2. Protecting your private key
        4.1.3. Selecting expiration dates and using subkeys
        4.1.4. Managing your web of trust
    4.2. Building your web of trust
    4.3. Using GnuPG legally
5. Topics
    5.1. Writing user interfaces
I. Command Reference
    sign, detach-signature, encrypt, symmetric, decrypt, clearsign, verify, gen-key, gen-revoke, send-keys, recv-keys, list-keys, list-public-keys, list-secret-keys, list-sigs, check-sigs, fingerprint, import, fast-import, export, export-all, export-secret-keys, edit-key, sign-key, lsign-key, delete-key, delete-secret-key, store, export-ownertrust, import-ownertrust, update-trustdb, print-md, gen-random, gen-prime, version, warranty, help
II. Options Reference
    keyserver, output, recipient, default-recipient, default-recipient-self, no-default-recipient, encrypt-to, no-encrypt-to, armor, no-armor, no-greeting, no-secmem-warning, batch, no-batch, local-user, default-key, completes-needed, marginals-needed, load-extension, rfc1991, allow-non-selfsigned-uid, cipher-algo, compress-algo, z, verbose, no-verbose, quiet, textmode, dry-run, interactive, yes, no, always-trust, skip-verify, keyring, secret-keyring, no-default-keyring, homedir, charset, no-literal, set-filesize, with-fingerprint, with-colons, with-key-data, lock-once, lock-multiple, passphrase-fd, force-mdc, force-v3-sigs, openpgp, utf8-strings, no-utf8-strings, no-options, debug, debug-all, status-fd, logger-fd, no-comment, comment, default-comment, no-version, emit-version, notation-data, set-policy-url, set-filename, use-embedded-filename, max-cert-depth, digest-algo, s2k-cipher-algo, s2k-digest-algo, s2k-mode, disable-cipher-algo, disable-pubkey-algo, throw-keyid, not-dash-escaped, escape-from-lines
List of Figures
    3-1. A hypothetical web of trust
Chapter 1. Getting Started
GnuPG is a tool for secure communication. This chapter is a quick-start guide that covers the core functionality of GnuPG. This includes keypair creation, exchanging and verifying keys, encrypting and decrypting documents, and authenticating documents with digital signatures. It does not explain in detail the concepts behind public-key cryptography, encryption, and digital signatures. This is covered in Chapter 2. It also does not explain how to use GnuPG wisely. This is covered in Chapters 3 and 4.
GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user’s private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate. GnuPG uses a somewhat more sophisticated scheme in which a user has a primary keypair and then zero or more additional subordinate keypairs. The primary and subordinate keypairs are bundled to facilitate key management and the bundle can often be considered simply as one keypair.
1.1. Generating a new keypair
The command-line option --gen-key is used to create a new primary keypair.
    alice% gpg --gen-key
    gpg (GnuPG) 0.9.4; Copyright (C) 1999 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.

    Please select what kind of key you want:
       (1) DSA and ElGamal (default)
       (2) DSA (sign only)
       (4) ElGamal (sign and encrypt)
    Your selection?
GnuPG is able to create several different types of keypairs, but a primary key must be capable of making signatures. There are therefore only three options. Option 1 actually creates two keypairs. A DSA keypair is the primary keypair usable only for making signatures. An ElGamal subordinate keypair is also created for encryption. Option 2 is similar but creates only a DSA keypair. Option 4 creates a single ElGamal keypair usable for both making signatures and performing encryption. In all cases it is possible to later add additional subkeys for encryption and signing. For most users the default option is fine.
You must also choose a key size. The size of a DSA key must be between 512 and 1024 bits, and an ElGamal key may be of any size. GnuPG, however, requires that keys be no smaller than 768 bits. Therefore, if Option 1 was chosen and you choose a keysize larger than 1024 bits, the ElGamal key will have the requested size, but the DSA key will be 1024 bits.
    About to generate a new ELG-E keypair.
                  minimum keysize is 768 bits
                  default keysize is 1024 bits
        highest suggested keysize is 2048 bits
    What keysize do you want? (1024)
The longer the key the more secure it is against brute-force attacks, but for almost all purposes the default keysize is adequate since it would be cheaper to circumvent the encryption than try to break it. Also, encryption and decryption will be slower as the key size is increased, and a larger keysize may affect signature length. Once selected, the keysize can never be changed.
Finally, you must choose an expiration date. If Option 1 was chosen, the expiration date will be used for both the ElGamal and DSA keypairs.
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0)
For most users a key that does not expire is adequate. The expiration time should be chosen with care, however, since although it is possible to change the expiration date after the key is created, it may be difficult to communicate a change to users who have your public key.
You must provide a user ID in addition to the key parameters. The user ID is used to associate the key being created with a real person.
    You need a User-ID to identify your key; the software constructs the user id
    from Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) <[email protected]>"

    Real name:
Only one user ID is created when a key is created, but it is possible to create additional user IDs if you want to use the key in two or more contexts, e.g., as an employee at work and a political activist on the side. A user ID should be created carefully since it cannot be edited after it is created.
GnuPG needs a passphrase to protect the primary and subordinate private keys that you keep in your possession.
    You need a Passphrase to protect your private key.

    Enter passphrase:
There is no limit on the length of a passphrase, and it should be carefully chosen. From the perspective of security, the passphrase to unlock the private key is one of the weakest points in GnuPG (and other public-key encryption systems as well) since it is the only protection you have if another individual gets your private key. Ideally, the passphrase should not use words from a dictionary and should mix the case of alphabetic characters as well as use non-alphabetic characters. A good passphrase is crucial to the secure use of GnuPG.
1.1.1. Generating a revocation certificate
After your keypair is created you should immediately generate a revocation certificate for the primary public key using the option --gen-revoke. If you forget your passphrase or if your private key is compromised or lost, this revocation certificate may be published to notify others that the public key should no longer be used. A revoked public key can still be used to verify signatures made by you in the past, but it cannot be used to encrypt future messages to you. It also does not affect your ability to decrypt messages sent to you in the past if you still do have access to the private key.
    alice% gpg --output revoke.asc --gen-revoke mykey
    [...]
The argument mykey must be a key specifier, either the key ID of your primary keypair or any part of a user ID that identifies your keypair. The generated certificate will be left in the file revoke.asc. If the --output option is omitted, the result will be placed on standard output. Since the certificate is short, you may wish to print a hardcopy of the certificate to store somewhere safe such as your safe deposit box. The certificate should not be stored where others can access it since anybody can publish the revocation certificate and render the corresponding public key useless.
1.2. Exchanging keys
To communicate with others you must exchange public keys. To list the keys on your public keyring use the command-line option --list-keys.
    alice% gpg --list-keys
    /users/alice/.gnupg/pubring.gpg
    --------------------------
    pub 1024D/BB7576AC 1999-06-04 Alice (Judge) <[email protected]>
    sub 1024g/78E9A8FA 1999-06-04
1.2.1. Exporting a public key
To send your public key to a correspondent you must first export it. The command-line option --export is used to do this. It takes an additional argument identifying the public key to export. As with the --gen-revoke option, either the key ID or any part of the user ID may be used to identify the key to export.
    alice% gpg --output alice.gpg --export [email protected]
The key is exported in a binary format, but this can be inconvenient when the key is to be sent through email or published on a web page. GnuPG therefore supports a command-line option --armor that causes output to be generated in an ASCII-armored format similar to uuencoded documents. In general, any output from GnuPG, e.g., keys, encrypted documents, and signatures, can be ASCII-armored by adding the --armor option.
    alice% gpg --armor --export [email protected]
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v0.9.7 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    [...]
    -----END PGP PUBLIC KEY BLOCK-----
1.2.2. Importing a public key
A public key may be added to your public keyring with the --import option.
    alice% gpg --import blake.gpg
    gpg: key 9E98BC16: public key imported
    gpg: Total number processed: 1
    gpg: imported: 1
    alice% gpg --list-keys
    /users/alice/.gnupg/pubring.gpg
    --------------------------
    pub 1024D/BB7576AC 1999-06-04 Alice (Judge) <[email protected]>
    sub 1024g/78E9A8FA 1999-06-04

    pub 1024D/9E98BC16 1999-06-04 Blake (Executioner) <[email protected]>
    sub 1024g/5C8CBD41 1999-06-04
Once a key is imported it should be validated. GnuPG uses a powerful and flexible trust model that does not require you to personally validate each key you import. Some keys may need to be personally validated, however. A key is validated by verifying the key’s fingerprint and then signing the key to certify it as a valid key. A key’s fingerprint can be quickly viewed with the --fingerprint command-line option, but in order to certify the key you must edit it.
    alice% gpg --edit-key [email protected]

    pub 1024D/9E98BC16 created: 1999-06-04 expires: never trust: -/q
    sub 1024g/5C8CBD41 created: 1999-06-04 expires: never
    (1) Blake (Executioner) <[email protected]>

    Command> fpr
    pub 1024D/9E98BC16 1999-06-04 Blake (Executioner) <[email protected]>
        Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16
A key’s fingerprint is verified with the key’s owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key’s true owner. If the fingerprint you get is the same as the fingerprint the key’s owner gets, then you can be sure that you have a correct copy of the key.
After checking the fingerprint, you may sign the key to validate it. Since key verification is a weak point in public-key cryptography, you should be extremely careful and always check a key’s fingerprint with the owner before signing the key.
    Command> sign

    pub 1024D/9E98BC16 created: 1999-06-04 expires: never trust: -/q
        Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16

        Blake (Executioner) <[email protected]>

    Are you really sure that you want to sign this key
    with your key: "Alice (Judge) <[email protected]>"

    Really sign?
Once signed you can check the key to list the signatures on it and see the signature that you have added. Every user ID on the key will have one or more self-signatures as well as a signature for each user that has validated the key.
    Command> check
    uid Blake (Executioner) <[email protected]>
    sig! 9E98BC16 1999-06-04 [self-signature]
    sig! BB7576AC 1999-06-04 Alice (Judge) <[email protected]>
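The fingerprint comparison that precedes signing, as an added Python example (not part of the handbook or of GnuPG): it reads the key ID and fingerprint from the fpr output shown above and compares the full fingerprint with the one the owner reads out, however it is grouped or cased. The function names and the look-alike fingerprint are constructed for illustration; the 8-digit key ID is only the tail of the 40-digit fingerprint, so a match on the key ID alone is reported as a mismatch.

```python
import re

# Output of the "fpr" command copied from the --edit-key session on this page.
PAGE_FPR_OUTPUT = """\
pub 1024D/9E98BC16 1999-06-04 Blake (Executioner) <[email protected]>
    Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16
"""

# Constructed value: a different fingerprint that ends in the same key ID.
CONSTRUCTED_LOOKALIKE = "0000 1111 2222 3333 4444 5555 6666 7777 9E98 BC16"


def normalize(fingerprint):
    """Strip grouping and case so spoken, printed and pasted forms compare equal."""
    cleaned = re.sub(r"[\s:-]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        # A truncated value (for example a bare key ID) must never be accepted.
        raise ValueError("expected a 160-bit fingerprint (40 hex digits)")
    return cleaned


def parse_fpr_output(text):
    """Return (key_id, fingerprint) from the 'pub' and 'Fingerprint:' lines."""
    key_id = re.search(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8})\b", text, re.M)
    fpr = re.search(r"Fingerprint:\s*([0-9A-Fa-f ]+)$", text, re.M)
    if not key_id or not fpr:
        raise ValueError("could not find the key ID and fingerprint lines")
    return key_id.group(1).upper(), normalize(fpr.group(1))


def check_key(fpr_output, owner_fingerprint):
    """Compare the local copy of a key with the fingerprint its owner reports."""
    key_id, local = parse_fpr_output(fpr_output)
    if not local.endswith(key_id):
        return "inconsistent listing"
    claimed = normalize(owner_fingerprint)
    if claimed == local:
        return "match"
    if claimed.endswith(key_id):
        return "mismatch (same key ID, different key)"
    return "mismatch"


if __name__ == "__main__":
    print(check_key(PAGE_FPR_OUTPUT, "268f448f ccd7af34 183e52d8 9bde1a08 9e98bc16"))
    print(check_key(PAGE_FPR_OUTPUT, CONSTRUCTED_LOOKALIKE))
```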
1.3. Encrypting and decrypting documents
A public and private key each have a specific role when encrypting and decrypting documents. A public key may be thought of as an open safe. When a correspondent encrypts a document using a public key, that document is put in the safe, the safe shut, and the combination lock spun several times. The corresponding private key is the combination that can reopen the safe and retrieve the document. In other words, only the person who holds the private key can recover a document encrypted using the associated public key.
The procedure for encrypting and decrypting documents is straightforward with this mental model. If you want to encrypt a message to Alice, you encrypt it using Alice’s public key, and she decrypts it with her private key. If Alice wants to send you a message, she encrypts it using your public key, and you decrypt it with your key.
To encrypt a document the option --encrypt is used. You must have the public keys of the intended recipients. The software expects the name of the document to encrypt as input or, if omitted, on standard input. The encrypted result is placed on standard output or as specified using the option --output. The document is compressed for additional security in addition to encrypting it.
    alice% gpg --output doc.gpg --encrypt --recipient [email protected] doc
The --recipient option is used once for each recipient and takes an extra argument specifying the public key to which the document should be encrypted. The encrypted document can only be decrypted by someone with a private key that complements one of the recipients’ public keys. In particular, you cannot decrypt a document encrypted by you unless you included your own public key in the recipient list.
To decrypt a message the option --decrypt is used. You need the private key to which the message was encrypted. Similar to the encryption process, the document to decrypt is input, and the decrypted result is output.
    blake% gpg --output doc --decrypt doc.gpg

    You need a passphrase to unlock the secret key for
    user: "Blake (Executioner) <[email protected]>"
    1024-bit ELG-E key, ID 5C8CBD41, created 1999-06-04 (main key ID 9E98BC16)

    Enter passphrase:
Documents may also be encrypted without using public-key cryptography. Instead, only a symmetric cipher is used to encrypt the document. The key used to drive the symmetric cipher is derived from a passphrase supplied when the document is encrypted, and for good security, it should not be the same passphrase that you use to protect your private key. Symmetric encryption is useful for securing documents when the passphrase does not need to be communicated to others. A document can be encrypted with a symmetric cipher by using the --symmetric option.
    alice% gpg --output doc.gpg --symmetric doc
    Enter passphrase:
1.4. Making and verifying signatures
A digital signature certifies and timestamps a document. If the document is subsequently modified in any way, a verification of the signature will fail. A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper-resistant. The GnuPG source distribution, for example, is signed so that users can verify that the source code has not been modified since it was packaged.
Creating and verifying signatures uses the public/private keypair in an operation different from encryption and decryption. A signature is created using the private key of the signer. The signature is verified using the corresponding public key. For example, Alice would use her own private key to digitally sign her latest submission to the Journal of Inorganic Chemistry. The associate editor handling her submission would use Alice’s public key to check the signature to verify that the submission indeed came from Alice and that it had not been modified since Alice sent it. A consequence of using digital signatures is that it is difficult to deny that you made a digital signature since that would imply your private key had been compromised.
The command-line option --sign is used to make a digital signature. The document to sign is input, and the signed document is output.
    alice% gpg --output doc.sig --sign doc
You need a passphrase to unlock the private key for
user: "Alice (Judge) <[email protected]>"
1024-bit DSA key, ID BB7576AC, created 1999-06-04
Enter passphrase:
The document is compressed before being signed, and the output is in binary format.
Given a signed document, you can either check the signature or check the signature and recover the original document. To check the signature use the --verify option. To verify the signature and extract the document use the --decrypt option. The signed document to verify and recover is input and the recovered document is output.
blake% gpg --output doc --decrypt doc.sig
gpg: Signature made Fri Jun 4 12:02:38 1999 CDT using DSA key ID BB7576AC
gpg: Good signature from "Alice (Judge) <[email protected]>"
1.4.1. Clearsigned documents
A common use of digital signatures is to sign usenet postings or email messages. In such situations it is undesirable to compress the document while signing it. The option --clearsign causes the document to be wrapped in an ASCII-armored signature but otherwise does not modify the document.
alice% gpg --clearsign doc
You need a passphrase to unlock the secret key for
user: "Alice (Judge) <[email protected]>"
1024-bit DSA key, ID BB7576AC, created 1999-06-04
---BEGIN PGP SIGNED MESSAGE---
Hash: SHA1
[...]
---BEGIN PGP SIGNATURE---
Version: GnuPG v0.9.7 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjdYCQoACgkQJ9S6ULt1dqz6IwCfQ7wP6i/i8HhbcOSKF4ELyQB1oCoAoOuqpRqEzr4kOkQqHRLE/b8/Rw2k
=y6kj
---END PGP SIGNATURE---
1.4.2. Detached signatures
A signed document has limited usefulness. Other users must recover the original document from the signed version, and even with clearsigned documents, the signed document must be edited to recover the original. Therefore, there is a third method for signing a document that creates a detached signature. A detached signature is created using the --detach-sig option.
alice% gpg --output doc.sig --detach-sig doc
You need a passphrase to unlock the secret key for
user: "Alice (Judge) <[email protected]>"
1024-bit DSA key, ID BB7576AC, created 1999-06-04
Enter passphrase:
Both the document and detached signature are needed to verify the signature. The --verify option can be used to check the signature.
blake% gpg --verify doc.sig doc
gpg: Signature made Fri Jun 4 12:38:46 1999 CDT using DSA key ID BB7576AC
gpg: Good signature from "Alice (Judge) <[email protected]>"
Notes
1. Option 3 is to generate an ElGamal keypair that is not usable for making signatures.
2. Many command-line options that are frequently used can also be set in a configuration file.
Chapter 2. Concepts
GnuPG makes use of several cryptographic concepts including symmetric ciphers, public-key ciphers, and one-way hashing. You can make basic use of GnuPG without fully understanding these concepts, but in order to use it wisely some understanding of them is necessary.
This chapter introduces the basic cryptographic concepts used in GnuPG. Other books cover these topics in much more detail. A good book with which to pursue further study is Bruce Schneier’s “Applied Cryptography”.
2.1. Symmetric ciphers
A symmetric cipher is a cipher that uses the same key for both encryption and decryption. Two parties communicating using a symmetric cipher must agree on the key beforehand. Once they agree, the sender encrypts a message using the key, sends it to the receiver, and the receiver decrypts the message using the key. As an example, the German Enigma is a symmetric cipher, and daily keys were distributed as code books. Each day, a sending or receiving radio operator would consult his copy of the code book to find the day’s key. Radio traffic for that day was then encrypted and decrypted using the day’s key. Modern examples of symmetric ciphers include 3DES, Blowfish, and IDEA.
A good cipher puts all the security in the key and none in the algorithm. In other words, it should be no help to an attacker if he knows which cipher is being used. Only if he obtains the key would knowledge of the algorithm be needed. The ciphers used in GnuPG have this property.
Since all the security is in the key, then it is important that it be very difficult to guess the key. In other words, the set of possible keys, i.e., the key space, needs to be large. While at Los Alamos, Richard Feynman was famous for his ability to crack safes. To encourage the mystique he even carried around a set of tools including an old stethoscope. In reality, he used a variety of tricks to reduce the number of combinations he had to try to a small number and then simply guessed until he found the right combination. In other words, he reduced the size of the key space.
Britain used machines to guess keys during World War 2. The German Enigma had a very large key space, but the British built specialized computing engines, the Bombes, to mechanically try keys until the day’s key was found. This meant that sometimes they found the day’s key within hours of the new key’s use, but it also meant that on some days they never did find the right key. The Bombes were not general-purpose computers but were precursors to modern-day computers.
Today, computers can guess keys very quickly, and this is why key size is important in modern cryptosystems. The cipher DES uses a 56-bit key, which means that there are 2^56 possible keys. 2^56 is 72,057,594,037,927,936 keys. This is a lot of keys, but a general-purpose computer can check the entire key space in a matter of days. A specialized computer can check it in hours. On the other hand, more recently designed ciphers such as 3DES, Blowfish, and IDEA all use 128-bit keys, which means there are 2^128 possible keys. This is many, many more keys, and even if all the computers on the planet cooperated, it could still take more time than the age of the universe to find the key.
2.2. Public-key ciphers
The primary problem with symmetric ciphers is not their security but with key exchange. Once the sender and receiver have exchanged keys, that key can be used to securely communicate, but what secure communication channel was used to communicate the key itself? In particular, it would probably be much easier for an attacker to work to intercept the key than it is to try all the keys in the key space. Another problem is the number of keys needed. If there are n people who need to communicate, then n(n-1)/2 keys are needed for each pair of people to communicate privately. This may be ok for a small number of people but quickly becomes unwieldy for large groups of people.
Public-key ciphers were invented to avoid the key-exchange problem entirely. A public-key cipher uses a pair of keys for sending messages. The two keys belong to the person receiving the message. One key is a public key and may be given to anybody. The other key is a private key and is kept secret by the owner. A sender encrypts a message using the public key and once encrypted, only the private key may be used to decrypt it.
This protocol solves the key-exchange problem inherent with symmetric ciphers. There is no need for the sender and receiver to agree upon a key. All that is required is that some time before secret communication the sender gets a copy of the receiver’s public key. Furthermore, the one public key can be used by anybody wishing to communicate with the receiver. So only n keypairs are needed for n people to communicate secretly with one another.
Public-key ciphers are based on one-way trapdoor functions. A one-way function is a function that is easy to compute, but the inverse is hard to compute. For example, it is easy to multiply two prime numbers together to get a composite, but it is difficult to factor a composite into its prime components. A one-way trapdoor function is similar, but it has a trapdoor. That is, if some piece of information is known, it becomes easy to compute the inverse. For example, if you have a number made of two prime factors, then knowing one of the factors makes it easy to compute the second. Given a public-key cipher based on prime factorization, the public key contains a composite number made from two large prime factors, and the encryption algorithm uses that composite to encrypt the message. The algorithm to decrypt the message requires knowing the prime factors, so decryption is easy if you have the private key containing one of the factors but extremely difficult if you do not have it.
As with good symmetric ciphers, with a good public-key cipher all of the security rests with the key. Therefore, key size is a measure of the system’s security, but one cannot compare the size of a symmetric cipher key and a public-key cipher key as a measure of their relative security. In a brute-force attack on a symmetric cipher with a key size of 80 bits, the attacker must enumerate up to 2^81-1 keys to find the right key. In a brute-force attack on a public-key cipher with a key size of 512 bits, the attacker must factor a composite number encoded in 512 bits (up to 155 decimal digits). The workload for the attacker is fundamentally different depending on the cipher he is attacking. While 128 bits is sufficient for symmetric ciphers, given today’s factoring technology public keys with 1024 bits are recommended for most purposes.
2.3. Hybrid ciphers
Public-key ciphers are no panacea. Many symmetric ciphers are stronger from a security standpoint, and public-key encryption and decryption are more expensive than the corresponding operations in symmetric systems. Public-key ciphers are nevertheless an effective tool for distributing symmetric cipher keys, and that is how they are used in hybrid cipher systems.
A hybrid cipher uses both a symmetric cipher and a public-key cipher. It works by using a public-key cipher to share a key for the symmetric cipher. The actual message being sent is then encrypted using the key and sent to the recipient. Since symmetric key sharing is secure, the symmetric key used is different for each message sent. Hence it is sometimes called a session key.
Both PGP and GnuPG use hybrid ciphers. The session key, encrypted using the public-key cipher, and the message being sent, encrypted with the symmetric cipher, are automatically combined in one package. The recipient uses his private-key to decrypt the session key and the session key is then used to decrypt the message.
A hybrid cipher is no stronger than the public-key cipher or symmetric cipher it uses, whichever is weaker. In PGP and GnuPG, the public-key cipher is probably the weaker of the pair. Fortunately, however, if an attacker could decrypt a session key it would only be useful for reading the one message encrypted with that session key. The attacker would have to start over and decrypt another session key in order to read any other message.
2.4. Digital signatures
A hash function is a many-to-one function that maps its input to a value in a finite set. Typically this set is a range of natural numbers. A simple hash function is f(x) = 0 for all integers x. A more interesting hash function is f(x) = x mod 37, which maps x to the remainder of dividing x by 37.
A document’s digital signature is the result of applying a hash function to the document. To be useful, however, the hash function needs to satisfy two important properties. First, it should be hard to find two documents that hash to the same value. Second, given a hash value it should be hard to recover the document that produced that value.
Some public-key ciphers[1] could be used to sign documents. The signer encrypts the document with his private key. Anybody wishing to check the signature and see the document simply uses the signer’s public key to decrypt the document. This algorithm does satisfy the two properties needed from a good hash function, but in practice, this algorithm is too slow to be useful.
An alternative is to use hash functions designed to satisfy these two important properties. SHA and MD5 are examples of such algorithms. Using such an algorithm, a document is signed by hashing it, and the hash value is the signature. Another person can check the signature by also hashing their copy of the document and comparing the hash value they get with the hash value of the original document. If they match, it is almost certain that the documents are identical.
Of course, the problem now is using a hash function for digital signatures without permitting an attacker to interfere with signature checking. If the document and signature are sent unencrypted, an attacker could modify the document and generate a corresponding signature without the recipient’s knowledge. If only the document is encrypted, an attacker could tamper with the signature and cause a signature check to fail. A third option is to use a hybrid public-key encryption to encrypt both the signature and document. The signer uses his private key, and anybody can use his public key to check the signature and document. This sounds good but is actually nonsense. If this algorithm truly secured the document it would also secure it from tampering and there would be no need for the signature. The more serious problem, however, is that this does not protect either the signature or document from tampering. With this algorithm, only the session key for the symmetric cipher is encrypted using the signer’s private key. Anybody can use the public key to recover the session key. Therefore, it is straightforward for an attacker to recover the session key and use it to encrypt substitute documents and signatures to send to others in the sender’s name.
An algorithm that does work is to use a public key algorithm to encrypt only the signature. In particular, the hash value is encrypted using the signer’s private key, and anybody can check the signature using the public key. The signed document can be sent using any other encryption algorithm including none if it is a public document. If the document is modified the signature check will fail, but this is precisely what the signature check is supposed to catch. The Digital Signature Standard (DSA) is a public key signature algorithm that works as just described. DSA is the primary signing algorithm used in GnuPG.
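The contrast drawn in this section, as an added example that is not part of the handbook or of GnuPG: a bare hash used as the "signature" next to the same hash transformed with the signer's private key. It assumes textbook RSA without padding (RSA being the cipher this chapter's note names as usable this way) and SHA-256; the demo key built from two Mersenne primes, the function names and the sample documents are constructed for illustration only.

```python
import hashlib

# Constructed demo key (assumption, illustration only): two known Mersenne
# primes stand in for the signer's secret prime factors.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (needs Python 3.8+)


def digest(document: bytes) -> int:
    """Hash the document to an integer (256 bits, far smaller than N)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def bare_hash_sign(document: bytes) -> int:
    """Flawed scheme: the hash value itself is the 'signature'."""
    return digest(document)


def bare_hash_verify(document: bytes, signature: int) -> bool:
    """Recompute the hash and compare; needs no key at all."""
    return digest(document) == signature


def sign(document: bytes) -> int:
    """Working scheme: transform only the hash value with the private key."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Anybody holding the public key (N, E) can run this check."""
    return pow(signature, E, N) == digest(document)


def compare_schemes() -> dict:
    """Run both schemes over a constructed original and an altered copy."""
    original = b"Submission to the Journal of Inorganic Chemistry"
    altered = original + b" (altered in transit)"
    results = {}

    # Bare hash: whoever alters the document can also recompute the hash,
    # so the recipient's check still passes.
    results["bare_hash_accepts_altered"] = bare_hash_verify(
        altered, bare_hash_sign(altered))

    # Signed hash: the genuine pair verifies ...
    signature = sign(original)
    results["signed_hash_accepts_original"] = verify(original, signature)
    # ... the altered document fails against the original signature ...
    results["signed_hash_accepts_altered"] = verify(altered, signature)
    # ... and a hash recomputed without the private key is not a signature.
    results["signed_hash_accepts_recomputed_hash"] = verify(
        altered, digest(altered))
    return results


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

Only the first check succeeds for the altered document, which is the failure the text describes for an unprotected hash; the signed-hash check rejects it in both of the other cases.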
Notes
1. The cipher must have the property that the actual public key or private key could be used by the encryption algorithm as the public key. RSA is an example of such an algorithm while ElGamal is not an example.
Chapter 3. Key Management
Key tampering is a major security weakness with public-key cryptography. An eavesdropper may tamper with a user’s keyrings or forge a user’s public key and post it for others to download and use. For example, suppose Chloe wants to monitor the messages that Alice sends to Blake. She could mount what is called a man in the middle attack. In this attack, Chloe creates a new public/private keypair. She replaces Alice’s copy of Blake’s public key with the new public key. She then intercepts the messages that Alice sends to Blake. For each intercept, she decrypts it using the new private key, reencrypts it using Blake’s true public key, and forwards the reencrypted message to Blake. All messages sent from Alice to Blake can now be read by Chloe.
Good key management is crucial in order to ensure not just the integrity of your keyrings but the integrity of other users’ keyrings as well. The core of key management in GnuPG is the notion of signing keys. Key signing has two main purposes: it permits you to detect tampering on your keyring, and it allows you to certify that a key truly belongs to the person named by a user ID on the key. Key signatures are also used in a scheme known as the web of trust to extend certification to keys not directly signed by you but signed by others you trust. Responsible users who practice good key management can defeat key tampering as a practical attack on secure communication with GnuPG.
3.1. Managing your own keypair
A keypair has a public key and a private key. A public key consists of the public portion of the master signing key, the public portions of the subordinate signing and encryption subkeys, and a set of user IDs used to associate the public key with a real person. Each piece has data about itself. For a key, this data includes its ID, when it was created, when it will expire, etc. For a user ID, this data includes the name of the real person it identifies, an optional comment, and an email address. The structure of the private key is similar, except that it contains only the private portions of the keys, and there is no user ID information.
The command-line option --edit-key may be used to view a keypair. For example,
chloe% gpg --edit-key [email protected]
Secret key is available.
pub 1024D/26B6AAE1 created: 1999-06-15 expires: never trust: -/u
sub 2048g/0CF8CB7A created: 1999-06-15 expires: never
sub 1792G/08224617 created: 1999-06-15 expires: 2002-06-14
sub 960D/B1F423E7 created: 1999-06-15 expires: 2002-06-14
(1) Chloe (Jester) <[email protected]>
(2) Chloe (Plebian) <[email protected]>
Command>
The public key is displayed along with an indication of whether or not the private key is available. Information about each component of the public key is then listed. The first column indicates the type of the key. The keyword pub identifies the public master signing key, and the keyword sub identifies a public subordinate key. The second column indicates the key’s bit length, type, and ID. The type is D for a DSA key, g for an encryption-only ElGamal key, and G for an ElGamal key that may be used for both encryption and signing. The creation date and expiration date are given in columns three and four. The user IDs are listed following the keys.
More information about the key can be obtained with interactive commands. The command toggle switches between the public and private components of a keypair if indeed both components are available.
Command> toggle
sec 1024D/26B6AAE1 created: 1999-06-15 expires: never
sbb 2048g/0CF8CB7A created: 1999-06-15 expires: never
sbb 1792G/08224617 created: 1999-06-15 expires: 2002-06-14
sbb 960D/B1F423E7 created: 1999-06-15 expires: 2002-06-14
(1) Chloe (Jester) <[email protected]>
(2) Chloe (Plebian) <[email protected]>
The information provided is similar to the listing for the public-key component. The keyword sec identifies the private master signing key, and the keyword sbb identifies the private subordinate keys. The user IDs from the public key are also listed for convenience.
3.1.1. Key integrity
When you distribute your public key, you are distributing the public components of your master and subordinate keys as well as the user IDs. Distributing this material alone, however, is a security risk since it is possible for an attacker to tamper with the key. The public key can be modified by adding or substituting keys, or by adding or changing user IDs. By tampering with a user ID, the attacker could change the user ID’s email address to have email redirected to himself. By changing one of the encryption keys, the attacker would also be able to decrypt the messages redirected to him.
Using digital signatures is a solution to this problem. When data is signed by a private key, the corresponding public key is bound to the signed data. In other words, only the corresponding public key can be used to verify the signature and ensure that the data has not been modified. A public key can be protected from tampering by using its corresponding private master key to sign the public key components and user IDs, thus binding the components to the public master key. Signing public key components with the corresponding private master signing key is called self-signing, and a public key that has self-signed user IDs bound to it is called a certificate.
As an example, Chloe has two user IDs and three subkeys. The signatures on the user IDs can be checked with the command check from the key edit menu.
chloe% gpg --edit-key chloe
Secret key is available.
pub 1024D/26B6AAE1 created: 1999-06-15 expires: never trust: -/u
sub 2048g/0CF8CB7A created: 1999-06-15 expires: never
sub 1792G/08224617 created: 1999-06-15 expires: 2002-06-14
sub 960D/B1F423E7 created: 1999-06-15 expires: 2002-06-14
(1) Chloe (Jester) <[email protected]>
(2) Chloe (Plebian) <[email protected]>
Command> check
uid Chloe (Jester) <[email protected]>
sig! 26B6AAE1 1999-06-15 [self-signature]
uid Chloe (Plebian) <[email protected]>
sig! 26B6AAE1 1999-06-15 [self-signature]
As expected, the signing key for each signature is the master signing key with key ID 0x26B6AAE1. The self-signatures on the subkeys are present in the public key, but they are not shown by the GnuPG interface.
3.1.2. Adding and deleting key components
Both new subkeys and new user IDs may be added to your keypair after it has been created. A user ID is added using the command adduid. You are prompted for a real name, email address, and comment just as when you create an initial keypair. A subkey is added using the command addkey. The interface is similar to the interface used when creating an initial keypair. The subkey may be a DSA signing key, an encrypt-only ElGamal key, or a sign-and-encrypt ElGamal key. When a subkey or user ID is generated it is self-signed using your master signing key, which is why you must supply your passphrase when the key is generated.
Additional user IDs are useful when you need multiple identities. For example, you may have an identity for your job and an identity for your work as a political activist. Coworkers will know you by your work user ID. Coactivists will know you by your activist user ID. Since those groups of people may not overlap, though, each group may not trust the other user ID. Both user IDs are therefore necessary.
Additional subkeys are also useful. The user IDs associated with your public master key are validated by the people with whom you communicate, and changing the master key therefore requires recertification. This may be difficult and time consuming if you communicate with many people. On the other hand, it is good to periodically change encryption subkeys. If a key is broken, all the data encrypted with that key will be vulnerable. By changing keys, however, only the data encrypted with the one broken key will be revealed.
Subkeys and user IDs may also be deleted. To delete a subkey or user ID you must first select it using the key or uid commands respectively. These commands are toggles. For example, the command key 2 selects the second subkey, and invoking key 2 again deselects it. If no extra argument is given, all subkeys or user IDs are deselected. Once the user IDs to be deleted are selected, the command deluid actually deletes the user IDs from your key. Similarly, the command delkey deletes all selected subkeys from both your public and private keys.
For local keyring management, deleting key components is a good way to trim other people’s public keys of unnecessary material. Deleting user IDs and subkeys on your own key, however, is not always wise since it complicates key distribution. By default, when a user imports your updated public key it will be merged with the old copy of your public key on his ring if it exists. The components from both keys are combined in the merge, and this effectively restores any components you deleted. To properly update the key, the user must first delete the old version of your key and then import the new version. This puts an extra burden on the people with whom you communicate. Furthermore, if you send your key to a keyserver, the merge will happen regardless, and anybody who downloads your key from a keyserver will never see your key with components deleted. Consequently, for updating your own key it is better to revoke key components instead of deleting them.
3.1.3. Revoking key components
To revoke a subkey it must be selected. Once selected it may be revoked with the revkey command. The key is revoked by adding a revocation self-signature to the key. Unlike the command-line option --gen-revoke, the effect of revoking a subkey is immediate.
Command> revkey
Do you really want to revoke this key? y
You need a passphrase to unlock the secret key for
user: "Chloe (Jester) <[email protected]>"
1024-bit DSA key, ID B87DBA93, created 1999-06-28
pub 1024D/B87DBA93 created: 1999-06-28 expires: never trust: -/u
sub 2048g/B7934539 created: 1999-06-28 expires: never
sub 1792G/4E3160AD created: 1999-06-29 expires: 2000-06-28
rev! subkey has been revoked: 1999-06-29
sub 960D/E1F56448 created: 1999-06-29 expires: 2000-06-28
(1) Chloe (Jester) <[email protected]>
(2) Chloe (Plebian) <[email protected]>
A user ID is revoked differently. Normally, a user ID collects signatures that attest that the user ID describes the person who actually owns the associated key. In theory, a user ID describes a person forever, since that person will never change. In practice, though, elements of the user ID such as the email address and comment may change over time, thus invalidating the user ID.
The OpenPGP specification does not support user ID revocation, but a user ID can effectively be revoked by revoking the self-signature on the user ID. For the security reasons described previously, correspondents will not trust a user ID with no valid self-signature.
A signature is revoked by using the command revsig. Since you may have signed any number of user IDs, the user interface prompts you to decide for each signature whether or not to revoke it.
Command> revsig
You have signed these user IDs:
Chloe (Jester) <[email protected]>
signed by B87DBA93 at 1999-06-28
Chloe (Plebian) <[email protected]>
signed by B87DBA93 at 1999-06-28
user ID: "Chloe (Jester) <[email protected]>"
signed with your key B87DBA93 at 1999-06-28
Create a revocation certificate for this signature? (y/N)n
user ID: "Chloe (Plebian) <[email protected]>"
signed with your key B87DBA93 at 1999-06-28
Create a revocation certificate for this signature? (y/N)y
You are about to revoke these signatures:
Chloe (Plebian) <[email protected]>
signed by B87DBA93 at 1999-06-28
Really create the revocation certificates? (y/N)y
You need a passphrase to unlock the secret key for
user: "Chloe (Jester) <[email protected]>"
1024-bit DSA key, ID B87DBA93, created 1999-06-28
pub 1024D/B87DBA93 created: 1999-06-28 expires: never trust: -/u
sub 2048g/B7934539 created: 1999-06-28 expires: never
sub 1792G/4E3160AD created: 1999-06-29 expires: 2000-06-28
rev! subkey has been revoked: 1999-06-29
sub 960D/E1F56448 created: 1999-06-29 expires: 2000-06-28
(1) Chloe (Jester) <[email protected]>
(2) Chloe (Plebian) <[email protected]>
A revoked user ID is indicated by the revocation signature on the ID when the signatures on the key’s user IDs are listed.
Command> check
uid Chloe (Jester) <[email protected]>
sig! B87DBA93 1999-06-28 [self-signature]
uid Chloe (Plebian) <[email protected]>
rev! B87DBA93 1999-06-29 [revocation]
sig! B87DBA93 1999-06-28 [self-signature]
Revoking both subkeys and self-signatures on user IDs adds revocation self-signatures to the key. Since signatures are being added and no material is deleted, a revocation will always be visible to others when your updated public key is distributed and merged with older copies of it. Revocation therefore guarantees that everybody has a consistent copy of your public key.
3.1.4. Updating a key’s expiration time
The expiration time of a key may be updated with the command expire from the key edit menu. If no key is selected the expiration time of the primary key is updated. Otherwise the expiration time of the selected subordinate key is updated.
A key’s expiration time is associated with the key’s self-signature. The expiration time is updated by deleting the old self-signature and adding a new self-signature. Since correspondents will not have deleted the old self-signature, they will see an additional self-signature on the key when they update their copy of your key. The latest self-signature takes precedence, however, so all correspondents will unambiguously know the expiration times of your keys.
3.2. Validating other keys on your public keyring
In Chapter 1 a procedure was given to validate your correspondents’ public keys: a correspondent’s key is validated by personally checking his key’s fingerprint and then signing his public key with your private key. By personally checking the fingerprint you can be sure that the key really does belong to him, and since you have signed the key, you can be sure to detect any tampering with it in the future. Unfortunately, this procedure is awkward when either you must validate a large number of keys or communicate with people whom you do not know personally.
GnuPG addresses this problem with a mechanism popularly known as the web of trust. In the web of trust model, responsibility for validating public keys is delegated to people you trust. For example, suppose
• Alice has signed Blake’s key, and
• Blake has signed Chloe’s key and Dharma’s key.
If Alice trusts Blake to properly validate keys that he signs, then Alice can infer that Chloe’s and Dharma’s keys are valid without having to personally check them. She simply uses her validated copy of Blake’s public key to check that Blake’s signatures on Chloe’s and Dharma’s are good. In general, assuming that Alice fully trusts everybody to properly validate keys they sign, then any key signed by a valid key is also considered valid. The root is Alice’s key, which is axiomatically assumed to be valid.
3.2.1. Trust in a key’s owner
In practice trust is subjective. For example, Blake’s key is valid to Alice since she signed it, but she may not trust Blake to properly validate keys that he signs. In that case, she would not take Chloe’s and Dharma’s key as valid based on Blake’s signatures alone. The web of trust model accounts for this by associating with each public key on your keyring an indication of how much you trust the key’s owner. There are four trust levels.
unknown
Nothing is known about the owner’s judgement in key signing. Keys on your public keyring that you do not own initially have this trust level.
none
The owner is known to improperly sign other keys.
marginal
The owner understands the implications of key signing and properly validates keys before signing them.
full
The owner has an excellent understanding of key signing, and his signature on a key would be as good as your own.
A key’s trust level is something that you alone assign to the key, and it is considered private information. It is not packaged with the key when it is exported; it is even stored separately from your keyrings in a separate database.
The GnuPG key editor may be used to adjust your trust in a key’s owner. The command is trust. In this example Alice edits her trust in Blake and then updates the trust database to recompute which keys are valid based on her new trust in Blake.
alice% gpg --edit-key blake
pub 1024D/8B927C8A created: 1999-07-02 expires: never trust: q/f
sub 1024g/C19EA233 created: 1999-07-02 expires: never
(1) Blake (Executioner) <[email protected]>
Command> trust
pub 1024D/8B927C8A created: 1999-07-02 expires: never trust: q/f
sub 1024g/C19EA233 created: 1999-07-02 expires: never
(1) Blake (Executioner) <[email protected]>
Please decide how far you trust this user to correctly
verify other users’ keys (by looking at passports,
checking fingerprints from different sources...)?
1 = Don’t know
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
s = please show me more information
m = back to the main menu
Your decision? 3
pub 1024D/8B927C8A created: 1999-07-02 expires: never trust: m/f
sub 1024g/C19EA233 created: 1999-07-02 expires: never
(1) Blake (Executioner) <[email protected]>
Command> quit
[...]
Trust in the key’s owner and the key’s validity are indicated to the right when the key is displayed. Trust in the owner is displayed first and the key’s validity is second[1]. The four trust/validity levels are abbreviated: unknown (q), none (n), marginal (m), and full (f). In this case, Blake’s key is fully valid since Alice signed it herself. She initially has an unknown trust in Blake to properly sign other keys but decides to trust him marginally.
3.2.2. Using trust to validate keys
The web of trust allows a more elaborate algorithm to be used to validate a key. Formerly, a key was considered valid only if you signed it personally. A more flexible algorithm can now be used: a key K is considered valid if it meets two conditions:
1. it is signed by enough valid keys, meaning
   • you have signed it personally,
   • it has been signed by one fully trusted key, or
   • it has been signed by three marginally trusted keys; and
2. the path of signed keys leading from K back to your own key is five steps or shorter.
The path length, number of marginally trusted keys required, and number of fully trusted keys required may be adjusted. The numbers given above are the default values used by GnuPG.
Figure 3-1 shows a web of trust rooted at Alice. The graph illustrates who has signed whose keys. The table shows which keys Alice considers valid based on her trust in the other members of the web. This example assumes that two marginally-trusted keys or one fully-trusted key is needed to validate another key. The maximum path length is three.
When computing valid keys in the example, Blake and Dharma’s are always considered fully valid since they were signed directly by Alice. The validity of the other keys depends on trust. In the first case, Dharma is trusted fully, which implies that Chloe’s and Francis’s keys will be considered valid. In the second example, Blake and Dharma are trusted marginally. Since two marginally trusted keys are needed to fully validate a key, Chloe’s key will be considered fully valid, but Francis’s key will be considered only marginally valid. In the case where Chloe and Dharma are marginally trusted, Chloe’s key will be marginally valid since Dharma’s key is fully valid. Francis’s key, however, will also be considered marginally valid since only a fully valid key can be used to validate other keys, and Dharma’s key is the only fully valid key that has been used to sign Francis’s key. When marginal trust in Blake is added, Chloe’s key becomes fully valid and can then be used to fully validate Francis’s key and marginally validate Elena’s key. Lastly, when Blake, Chloe, and Elena are fully trusted, this is still insufficient to validate Geoff’s key since the maximum certification path is three, but the path length from Geoff back to Alice is four.
The web of trust model is a flexible approach to the problem of safe public key exchange. It permits you to tune GnuPG to reflect how you use it. At one extreme you may insist on multiple, short paths from your key to another key K in order to trust it. On the other hand, you may be satisfied with longer paths and perhaps as little as one path from your key to the other key K. Requiring multiple, short paths is a strong guarantee that K belongs to whom you think it does. The price, of course, is that it is more difficult to validate keys since you must personally sign more keys than if you accepted fewer and longer paths.
Figure 3-1. A hypothetical web of trust
trust                                       validity
marginal              full                  marginal        full
-                     Dharma                -               Blake, Chloe, Dharma, Francis
Blake, Dharma         -                     Francis         Blake, Chloe, Dharma
Chloe, Dharma         -                     Chloe, Francis  Blake, Dharma
Blake, Chloe, Dharma  -                     Elena           Blake, Chloe, Dharma, Francis
-                     Blake, Chloe, Elena   -               Blake, Chloe, Elena, Francis
3.3. Distributing keys
Ideally, you distribute your key by personally giving it to your correspondents. In practice, however, keys are often distributed by email or some other electronic communication medium. Distribution by email is good practice when you have only a few correspondents, and even if you have many correspondents, you can use an alternative means such as posting your public key on your World Wide Web homepage. This is unacceptable, however, if people who need your public key do not know where to find it on the Web.
To solve this problem public key servers are used to collect and distribute public keys. A public key received by the server is either added to the server’s database or merged with the existing key if already present. When a key request comes to the server, the server consults its database and returns the requested public key if found.
A keyserver is also valuable when many people are frequently signing other people’s keys. Without a keyserver, when Blake signs Alice’s key then Blake would send Alice a copy of her public key signed by him so that Alice could add the updated key to her ring as well as distribute it to all of her correspondents. Going through this effort fulfills Alice’s and Blake’s responsibility to the community at large in building tight webs of trust and thus improving the security of PGP. It is nevertheless a nuisance if key signing is frequent.
Using a keyserver makes the process somewhat easier. When Blake signs Alice’s key he sends the signed key to the key server. The key server adds Blake’s signature to its copy of Alice’s key. Individuals interested in updating their copy of Alice’s key then consult the keyserver on their own initiative to retrieve the updated key. Alice need never be involved with distribution and can retrieve signatures on her key simply by querying a keyserver.
One or more keys may be sent to a keyserver using the command-line option --send-keys. The option takes one or more key specifiers and sends the specified keys to the key server. The key server to which to send the keys is specified with the command-line option --keyserver. Similarly, the option --recv-keys is used to retrieve keys from a keyserver, but the option --recv-keys requires a key ID be used to specify the key. In the following example Alice updates her public key with new signatures from the keyserver certserver.pgp.com and then sends her copy of Blake’s public key to the same keyserver to contribute any new signatures she may have added.
alice% gpg --keyserver certserver.pgp.com --recv-key 0xBB7576AC
gpg: requesting key BB7576AC from certserver.pgp.com ...
gpg: key BB7576AC: 1 new signature

gpg: Total number processed: 1
gpg:         new signatures: 1
alice% gpg --keyserver certserver.pgp.com --send-key [email protected]
gpg: success sending to ’certserver.pgp.com’ (status=200)
There are several popular keyservers in use around the world. The major keyservers synchronize themselves, so it is fine to pick a keyserver close to you on the Internet and then use it regularly for sending and receiving keys.
Notes
1. GnuPG overloads the word “trust” by using it to mean trust in an owner and trust in a key. This can be confusing. Sometimes trust in an owner is referred to as owner-trust to distinguish it from trust in a key. Throughout this manual, however, “trust” is used to mean trust in a key’s owner, and “validity” is used to mean trust that a key belongs to the human associated with the key ID.
Chapter 4. Daily use of GnuPG
GnuPG is a complex tool with technical, social, and legal issues surrounding it. Technically, it has been designed to be used in situations having drastically different security needs. This complicates key management. Socially, using GnuPG is not strictly a personal decision. To use GnuPG effectively both parties communicating must use it. Finally, as of 1999, laws regarding digital encryption, and in particular whether or not using GnuPG is legal, vary from country to country and are currently being debated by many national governments.
This chapter addresses these issues. It gives practical advice on how to use GnuPG to meet your security needs. It also suggests ways to promote the use of GnuPG for secure communication between yourself and your colleagues when your colleagues are not currently using GnuPG. Finally, the legal status of GnuPG is outlined given the current status of encryption laws in the world.
4.1. Defining your security needs
GnuPG is a tool you use to protect your privacy. Your privacy is protected if you can correspond with others without eavesdroppers reading those messages.
How you should use GnuPG depends on the determination and resourcefulness of those who might want to read your encrypted messages. An eavesdropper may be an unscrupulous system administrator casually scanning your mail, it might be an industrial spy trying to collect your company’s secrets, or it might be a law enforcement agency trying to prosecute you. Using GnuPG to protect against casual eavesdropping is going to be different than using GnuPG to protect against a determined adversary. Your goal, ultimately, is to make it more expensive to recover the unencrypted data than that data is worth.
Customizing your use of GnuPG revolves around four issues:
• choosing the key size of your public/private keypair,
• protecting your private key,
• selecting expiration dates and using subkeys, and
• managing your web of trust.
A well-chosen key size protects you against brute-force attacks on encrypted messages. Protecting your private key prevents an attacker from simply using your private key to decrypt encrypted messages and sign messages in your name. Correctly managing your web of trust prevents attackers from masquerading as people with whom you communicate. Ultimately, addressing these issues with respect to your own security needs is how you balance the extra work required to use GnuPG with the privacy it gives you.
4.1.1. Choosing a key size
Selecting a key size depends on the key. In OpenPGP, a public/private keypair usually has multiple keys. At the least it has a master signing key, and it probably has one or more additional subkeys for encryption. Using default key generation parameters with GnuPG, the master key will be a DSA key, and the subkeys will be ElGamal keys.
DSA allows a key size up to 1024 bits. This is not especially good given today’s factoring technology, but that is what the standard specifies. Without question, you should use 1024 bit DSA keys.
ElGamal keys, on the other hand, may be of any size. Since GnuPG is a hybrid public-key system, the public key is used to encrypt a 128-bit session key, and the private key is used to decrypt it. Key size nevertheless affects encryption and decryption speed since the cost of these algorithms is exponential in the size of the key. Larger keys also take more time to generate and take more space to store. Ultimately, there are diminishing returns on the extra security a large key provides you. After all, if the key is large enough to resist a brute-force attack, an eavesdropper will merely switch to some other method for obtaining your plaintext data. Examples of other methods include robbing your home or office and mugging you. 1024 bits is thus the recommended key size. If you genuinely need a larger key size then you probably already know this and should be consulting an expert in data security.
4.1.2. Protecting your private key
Protecting your private key is the most important job you have to use GnuPG correctly. If someone obtains your private key, then all data encrypted to the private key can be decrypted and signatures can be made in your name. If you lose your private key, then you will no longer be able to decrypt documents encrypted to you in the future or in the past, and you will not be able to make signatures. Losing sole possession of your private key is catastrophic.
Regardless of how you use GnuPG you should store the public key’s revocation certificate and a backup of your private key on write-protected media in a safe place. For example, you could burn them on a CD-ROM and store them in your safe deposit box at the bank in a sealed envelope. Alternatively, you could store them on a floppy and hide it in your house. Whatever you do, they should be put on media that is safe to store for as long as you expect to keep the key, and you should store them more carefully than the copy of your private key you use daily.
To help safeguard your key, GnuPG does not store your raw private key on disk. Instead it encrypts it using a symmetric encryption algorithm. That is why you need a passphrase to access the key. Thus there are two barriers an attacker must cross to access your private key: (1) he must actually acquire the key, and (2) he must get past the encryption.
Safely storing your private key is important, but there is a cost. Ideally, you would keep the private key on a removable, write-protected disk such as a floppy disk, and you would use it on a single-user machine not connected to a network. This may be inconvenient or impossible for you to do. For example, you may not own your own machine and must use a computer at work or school, or it may mean you have to physically disconnect your computer from your cable modem every time you want to use GnuPG.
This does not mean you cannot or should not use GnuPG. It means only that you have decided that the data you are protecting is important enough to encrypt but not so important as to take extra steps to make the first barrier stronger. It is your choice.
A good passphrase is absolutely critical when using GnuPG. Any attacker who gains access to your private key must bypass the encryption on the private key. Instead of brute-force guessing the key, an attacker will almost certainly instead try to guess the passphrase.
The motivation for trying passphrases is that most people choose a passphrase that is easier to guess than a random 128-bit key. If the passphrase is a word, it is much cheaper to try all the words in the dictionaries of the world’s languages. Even if the word is permuted, e.g., k3wldood, it is still easier to try dictionary words with a catalog of permutations. The same problem applies to quotations. In general, passphrases based on natural-language utterances are poor passphrases since there is little randomness and lots of redundancy in natural language. You should avoid natural language passphrases if you can.
A good passphrase is one that you can remember but is hard for someone to guess. It should include characters from the whole range of printable characters on your keyboard. This includes uppercase alphabetic characters, numbers, and special characters such as } and |. Be creative and spend a little time considering your passphrase; a good choice is important to ensure your privacy.
4.1.3. Selecting expiration dates and using subkeys
By default, a DSA master signing key and an ElGamal encryption subkey are generated when you create a new keypair. This is convenient, because the roles of the two keys are different, and you may therefore want the keys to have different lifetimes. The master signing key is used to make digital signatures, and it also collects the signatures of others who have confirmed your identity. The encryption key is used only for decrypting encrypted documents sent to you. Typically, a digital signature has a long lifetime, e.g., forever, and you also do not want to lose the signatures on your key that you worked hard to collect. On the other hand, the encryption subkey may be changed periodically for extra security, since if an encryption key is broken, the attacker can read all documents encrypted to that key both in the future and from the past.
It is almost always the case that you will not want the master key to expire. There are two reasons why you may choose an expiration date. First, you may intend for the key to have a limited lifetime. For example, it is being used for an event such as a political campaign and will no longer be useful after the campaign is over. Another reason is that if you lose control of the key and do not have a revocation certificate with which to revoke the key, having an expiration date on the master key ensures that the key will eventually fall into disuse.
Changing encryption subkeys is straightforward but can be inconvenient. If you generate a new keypair with an expiration date on the subkey, that subkey will eventually expire. Shortly before the expiration you will add a new subkey and publish your updated public key. Once the subkey expires, those who wish to correspond with you must find your updated key since they will no longer be able to encrypt to the expired key. This may be inconvenient depending on how you distribute the key. Fortunately, however, no extra signatures are necessary since the new subkey will have been signed with your master signing key, which presumably has already been validated by your correspondents.
The inconvenience may or may not be worth the extra security. Just as you can, an attacker can still read all documents encrypted to an expired subkey. Changing subkeys only protects future documents. In order to read documents encrypted to the new subkey, the attacker would need to mount a new attack using whatever techniques he used against you the first time.
Finally, it only makes sense to have one valid encryption subkey on a keyring. There is no additional security gained by having two or more active subkeys. There may of course be any number of expired keys on a keyring so that documents encrypted in the past may still be decrypted, but only one subkey needs to be active at any given time.
4.1.4. Managing your web of trust
As with protecting your private key, managing your web of trust is another aspect of using GnuPG that requires balancing security against ease of use. If you are using GnuPG to protect against casual eavesdropping and forgeries then you can afford to be relatively trusting of other people’s signatures. On the other hand, if you are concerned that there may be a determined attacker interested in invading your privacy, then you should be much less trusting of other signatures and spend more time personally verifying signatures.
Regardless of your own security needs, though, you should always be careful when signing other keys. It is selfish to sign a key with just enough confidence in the key’s validity to satisfy your own security needs. Others, with more stringent security needs, may want to depend on your signature. If they cannot depend on you then that weakens the web of trust and makes it more difficult for all GnuPG users to communicate. Use the same care in signing keys that you would like others to use when you depend on their signatures.
In practice, managing your web of trust reduces to assigning trust to others and tuning the options --marginals-needed and --completes-needed. Any key you personally sign will be considered valid, but except for small groups, it will not be practical to personally sign the key of every person with whom you communicate. You will therefore have to assign trust to others.
It is probably wise to be accurate when assigning trust and then use the options to tune how careful GnuPG is with key validation. As a concrete example, you may fully trust a few close friends that you know are careful with key signing and then marginally trust all others on your keyring. From there, you may set --completes-needed to 1 and --marginals-needed to 2. If you are more concerned with security you might choose values of 1 and 3 or 2 and 3 respectively. If you are less concerned with privacy attacks and just want some reasonable confidence about validity, set the values to 1 and 1. In general, higher numbers for these options imply that more people would be needed to conspire against you in order to have a key validated that does not actually belong to the person whom you think it does.
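The validity rule illustrated by Figure 3-1 in Chapter 3, together with the effect of the two options discussed above, as an added example that is not part of the handbook and is not GnuPG's own code. It is a simplified model: the signature edges are inferred from the handbook's prose about Figure 3-1, and every function and variable name is hypothetical.

```python
# Simplified model of the handbook's key-validity rule (added example,
# NOT GnuPG's implementation).

# key owner -> owners whose keys have signed it.
# ASSUMPTION: edges inferred from the prose describing Figure 3-1.
SIGNED_BY = {
    "Blake":   {"Alice"},
    "Dharma":  {"Alice"},
    "Chloe":   {"Blake", "Dharma"},
    "Francis": {"Chloe", "Dharma"},
    "Elena":   {"Chloe"},
    "Geoff":   {"Elena"},
}


def compute_validity(trust, marginals_needed=2, completes_needed=1,
                     max_depth=3, owner="Alice", signed_by=SIGNED_BY):
    """Return (fully_valid, marginally_valid) as sets of key owners.

    trust maps a key owner to "full" or "marginal"; anyone missing from
    the mapping is untrusted. Only signatures made by fully valid keys
    are counted, and a key must be reachable within max_depth steps.
    """
    full = {owner}          # the owner's own key is the root of the web
    marginal = set()
    for _depth in range(1, max_depth + 1):
        newly_full = set()
        for key, signers in signed_by.items():
            if key in full:
                continue
            # Signatures count only if the signing key is already fully valid.
            counted = signers & full
            n_full = sum(trust.get(s) == "full" for s in counted)
            n_marg = sum(trust.get(s) == "marginal" for s in counted)
            if (owner in counted
                    or n_full >= completes_needed
                    or n_marg >= marginals_needed):
                newly_full.add(key)
            elif n_full or n_marg:
                marginal.add(key)
        if not newly_full:
            break           # nothing changed, deeper passes cannot help
        full |= newly_full  # these keys may validate others one step deeper
    return full - {owner}, marginal - full


if __name__ == "__main__":
    # Trust assignments taken from the rows of the Figure 3-1 table.
    cases = [
        {"Dharma": "full"},
        {"Blake": "marginal", "Dharma": "marginal"},
        {"Chloe": "marginal", "Dharma": "marginal"},
        {"Blake": "marginal", "Chloe": "marginal", "Dharma": "marginal"},
        {"Blake": "full", "Chloe": "full", "Elena": "full"},
    ]
    # (completes_needed, marginals_needed) pairs mentioned in section 4.1.4.
    for completes, marginals in [(1, 2), (1, 3), (1, 1)]:
        print(f"completes-needed={completes} marginals-needed={marginals}")
        for trust in cases:
            full, marg = compute_validity(trust, marginals, completes)
            print(f"  trust={trust}")
            print(f"    full:     {sorted(full)}")
            print(f"    marginal: {sorted(marg)}")
```

Running the script prints the validity sets for each trust assignment in the Figure 3-1 table under the three option settings mentioned in this section.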
4.2. Building your web of trust
Wanting to use GnuPG yourself is not enough. In order to use it to communicate securely with others you must have a web of trust. At first glance, however, building a web of trust is a daunting task. The people with whom you communicate need to use GnuPG[1], and there needs to be enough key signing so that keys can be considered valid. These are not technical problems; they are social problems. Nevertheless, you must overcome these problems if you want to use GnuPG.
When getting started using GnuPG it is important to realize that you need not securely communicate with every one of your correspondents. Start with a small circle of people, perhaps just yourself and one or two others who also want to exercise their right to privacy. Generate your keys and sign each other’s public keys. This is your initial web of trust. By doing this you will appreciate the value of a small, robust web of trust and will be more cautious as you grow your web in the future.
In addition to those in your initial web of trust, you may want to communicate securely with others who are also using GnuPG. Doing so, however, can be awkward for two reasons: (1) you do not always know when someone uses or is willing to use GnuPG, and (2) if you do know of someone who uses it, you may still have trouble validating their key. The first reason occurs because people do not always advertise that they use GnuPG. The way to change this behavior is to set the example and advertise that you use GnuPG. There are at least three ways to do this: you can sign messages you mail to others or post to message boards, you can put your public key on your web page, or, if you put your key on a keyserver, you can put your key ID in your email signature. If you advertise your key then you make it that much more acceptable for others to advertise their keys. Furthermore, you make it easier for others to start communicating with you securely since you have taken the initiative and made it clear that you use GnuPG.
Key validation is more difficult. If you do not personally know the person whose key you want to sign, then it is not possible to sign the key yourself. You must rely on the signatures of others and hope to find a chain of signatures leading from the key in question back to your own. To have any chance of finding a chain, you must take the initiative and get your key signed by others outside of your initial web of trust. An effective way to accomplish this is to participate in key signing parties. If you are going to a conference look ahead of time for a key signing party, and if you do not see one being held, offer to hold one. You can also be more passive and carry your fingerprint with you for impromptu key exchanges. In such a situation the person to whom you gave the fingerprint would verify it and sign your public key once he returned home.
Keep in mind, though, that this is optional. You have no obligation to either publicly advertise your key or sign other people’s keys. The power of GnuPG is that it is flexible enough to adapt to your security needs whatever they may be. The social reality, however, is that you will need to take the initiative if you want to grow your web of trust and use GnuPG for as much of your communication as possible.
4.3. Using GnuPG legally
The legal status of encryption software varies from country to country, and law regarding encryption software is rapidly evolving. Bert-Jaap Koops has an excellent Crypto Law Survey to which you should refer for the legal status of encryption software in your country.
Notes
1. In this section, GnuPG refers to the GnuPG implementation of OpenPGP as well as other implementations such as NAI’s PGP product.
Chapter 5. Topics
This chapter covers miscellaneous topics that do not fit elsewhere in the user manual. As topics are added, they may be collected and factored into chapters that stand on their own. If you would like to see a particular topic covered, please suggest it. Even better, volunteer to write a first draft covering your suggested topic!
5.1. Writing user interfaces
Alma Whitten and Doug Tygar have done a study on NAI’s PGP 5.0 user interface and came to the conclusion that novice users find PGP confusing and frustrating. In their human factors study, only four out of twelve test subjects managed to correctly send encrypted email to their team members, and three out of twelve emailed the secret without encryption. Furthermore, half of the test subjects had a technical background.
These results are not surprising. PGP 5.0 has a nice user interface that is excellent if you already understand how public-key encryption works and are familiar with the web-of-trust key management model specified by OpenPGP. Unfortunately, novice users understand neither public-key encryption nor key management, and the user interface does little to help.
You should certainly read Whitten and Tygar’s report if you are writing a user interface. It gives specific comments from each of the test subjects, and those details are enlightening. For example, it would appear that many of the subjects believed that a message being sent to other people should be encrypted to the test subject’s own public key. Consider it for a minute, and you will see that it is an easy mistake to make. In general, novice users have difficulty understanding the different roles of the public key and private key when using GnuPG. As a user interface designer, you should try to make it clear at all times when one of the two keys is being used. You could also use wizards or other common GUI techniques for guiding the user through common tasks such as key generation where extra steps such as generating a key revocation certificate and making a backup are all but essential for using GnuPG correctly. Other comments from the paper include the following.
• Security is usually a secondary goal; people want to send email, browse, and so on. Do not assume users will be motivated to read manuals or go looking for security controls.
• The security of a networked computer is only as strong as its weakest component. Users need to be guided to attend to all aspects of their security, not left to proceed through random exploration as they might with a word processor or a spreadsheet.
• Consistently use the same terms for the same actions. Do not alternate between synonyms like “encrypt” and “encipher”.
• For inexperienced users, simplify the display. Too much information hides the important information. An initial display configuration could concentrate on giving the user the correct model of the relationship between public and private keys and a clear understanding of the functions for acquiring and distributing keys.
Designing an effective user interface for key management is even more difficult. The OpenPGP web-of-trust model is unfortunately quite obtuse. For example, the specification imposes three arbitrary trust levels onto the user: none, marginal, and complete. All degrees of trust felt by the user must be fit into one of those three cubbyholes. The key validation algorithm is also difficult for non-computer scientists to understand, particularly the notions of “marginals needed” and “completes needed”. Since the web-of-trust model is well-specified and cannot be changed, you will have to do your best and design a user interface that helps to clarify it for the user. A definite improvement, for example, would be to generate a diagram of how a key was validated when requested by the user. Relevant comments from the paper include the following.
• Users are likely to be uncertain on how and when to grant accesses.
• Place a high priority on making sure users understand their security well enough to prevent them from making potentially high-cost mistakes. Such mistakes include accidentally deleting the private key, accidentally publicizing a key, accidentally revoking a key, forgetting the passphrase, and failing to back up the key rings.
I. Command Reference
1. Key specifiers
Many commands and options require a key specifier. A key specifier is the key ID or any portion of the user ID of a key. Consider the following example.
alice% gpg --list-keys chloe
pub  1024D/B87DBA93 1999-06-28 Chloe (Jester) <[email protected]>
uid                            Chloe (Plebian) <[email protected]>
sub  2048g/B7934539 1999-06-28
For this key, 0xB87DBA93, Chloe, Plebian, and oe@tel are all examples of key specifiers that match the above key.
Command Reference
sign
Name
sign — sign a document
sign filename
Description
This command signs the document filename. If the parameter filename is omitted, then the document to sign is taken from standard input. If the option output is used, gpg will output the signed information to the specified file.
detach-signature
Name
detach-signature — make a detached signature
detach-signature filename
Description
This command creates a signature file that can be used to verify that the original file filename has not been changed. Verification of the file using a detached signature is done using the command verify.
encrypt
Name
encrypt — encrypt a document
encrypt filename
Description
This command encrypts the document filename to recipients specified using the option recipient. If the parameter filename is omitted, then the document to encrypt is taken from standard input. If the option recipient is omitted, gpg will prompt for a recipient. If the option output is used, gpg will output the encrypted information to the specified file.
symmetric
Name
symmetric — encrypt a document using only a symmetric encryption algorithm
symmetric filename
Description
This command encrypts a document using a symmetric algorithm with a key derived from a passphrase supplied by you during execution. The key should be selected to make it difficult to randomly guess the key. To decrypt a document encrypted in this manner use the command decrypt.
decrypt
Name
decrypt — decrypt an encrypted document
decrypt filename
Description
This command decrypts filename and puts the result on standard output. If the parameter filename is omitted, then the document to decrypt is taken from standard input. Use the option output to output the decrypted message to a file instead.
clearsign
Name
clearsign — make a cleartext signature
clearsign filename
Description
This command signs a message that can be verified to ensure that the original message has not been changed. Verification of the signed message is done using the command verify.
verify
Name
verify — verify a signed document
verify signature document
Description
This command verifies a document against a signature to ensure that the document has not been altered since the signature was created. If signature is omitted, gpg will look in document for a clearsign signature.
gen-key
Name
gen-key — generate a new keypair
gen-key
Description
This command generates a private/public key pair for use in encrypting, decrypting, and signing of messages. You will be prompted for the kind of key you wish to create, the key size, and the key’s expiration date.
gen-revoke
Name
gen-revoke — generate a revocation certificate for a public/private keypair
gen-revoke key
Description
This command generates a revocation certificate for a public/private key pair. The parameter key is a key specifier.
send-keys
Name
send-keys — send keys to a key server
send-keys key
Description
This command sends a public key to a keyserver. The parameter key specifies the public key that should be uploaded. The command requires the option keyserver to specify to which keyserver gpg should send the keys.
recv-keys
Name
recv-keys — retrieve keys from a key server
recv-keys key-id key-id ...
Description
This command downloads one or more public keys from a keyserver. Each key-id is a key ID. The command requires the option keyserver to specify from which keyserver gpg should download the keys.
list-keys
Name
list-keys — list information about keys
list-keys key ...
Description
This command lists the public keys specified by the key specifiers on the command line. If no key specifier is given, gpg will list all of the public keys.
list-public-keys
Name
list-public-keys — list keys on public keyrings
list-public-keys name ...
Description
List all keys from public keyrings or just the keys specified with name ....
list-secret-keys
Name
list-secret-keys — list keys on secret keyrings
list-secret-keys name ...
Description
List all keys from secret keyrings or just the keys specified with name ....
list-sigs
Name
list-sigs — list information about keys including signatures
list-sigs name ...
Description
This command lists the public keys specified by the key specifiers on the command line. Signatures on the keys are listed as well. If no key specifier is given, gpg will list all of the public keys.
check-sigs
Name
check-sigs — list information about keys including validated signatures
check-sigs name ...
Description
This command lists the public keys specified by the key specifiers on the command line. Signatures on the keys are listed as well, and each signature is validated. If no key specifier is given, gpg will list all of the public keys.
fingerprint
Name
fingerprint — display key fingerprints
fingerprint name ...
Description
This command prints the fingerprints of the specified public keys. The parameter name is a key specifier. If no parameter name is provided, gpg will print the fingerprints of all the keys on your public keyring.
import
Name
import — import keys to a local keyring
import filename
Description
This command imports one or more public keys onto the user’s public keyring from the file filename.
fast-import
Name
fast-import — import/merge keys
fast-import file ...
Description
This is the same as the command import, but the keys are not added to the trust database. This can be done later using the command update-trustdb.
export
Name
export — export keys from a local keyring
export key ...
Description
This command exports the public key components of the keys specified by the key specifiers key .... The export command by default sends its output to standard output. This key file can later be imported into another keyring using the command import.
export-all
Name
export-all — export all public keys
export-all name ...
Description
This is the same as the command export, but keys that are not OpenPGP-compliant are also exported.
export-secret-keys
Name
export-secret-keys — export secret keys
export-secret-keys name ...
Description
This is the same as the command export, but private keys are exported instead of public keys. This is normally not very useful and is a security risk since private keys are left unprotected.
edit-key
Name
edit-key — presents a menu for operating on keys
edit-key key
Description
This command presents a menu which enables you to perform key-related tasks. The key specifier key specifies the key pair to be edited. If the specifier matches more than one key pair, gpg issues an error and exits.
Key listings displayed during key editing show the key with its secondary keys and all user ids. Selected keys or user ids are indicated by an asterisk. The trust and validity values are displayed with the primary key: the first is the assigned trust and the second is the calculated validity. Letters are used for the values:
Letter  Meaning
-       No ownertrust assigned / not yet calculated.
e       Trust calculation has failed.
q       Not enough information for calculation.
n       Never trust this key.
m       Marginally trusted.
f       Fully trusted.
u       Ultimately trusted.
The following lists each key editing command and a description of its behavior.
sign
Makes a signature on the current key. If the key is not yet signed by the default user or the user given with the option local-user, the program displays the information of the key again, together with its fingerprint and asks whether it should be signed. This question is repeated for all users specified with the option local-user.
lsign
Same as sign, but the signature is marked as non-exportable and will therefore never be used by others. This may be used to make keys valid only in the local environment.
revsig
Revoke a signature. Asks for each signature made by one of the private keys whether a revocation certificate should be generated.
trust
Change the owner trust value. This updates the trust database immediately and no save is required.
disable
Disable the key. A disabled key cannot normally be used for encryption.
enable
Enable a key that has been previously disabled.
adduid
Add a new user id to the current key.
deluid
Delete a user id from the current key.
addkey
Add a new subkey to the current key.
delkey
Delete a subkey from the current key.
revkey
Revoke a subkey of the current key.
expire
Change a key expiration time. If a subkey is selected, the time of that key will be changed. With no selection the expiration time of the current primary key is changed.
key n
Toggle selection of subkey with index n. Use 0 to deselect all.
uid n
Toggle selection of user id with index n. Use 0 to deselect all.
toggle
Change the passphrase of the private key of the selected key pair.
toggle
Toggle between public and private key listings.
check
Check all selected user ids.
pref
List preferences.
save
Save all changes to the current key and quit.
save
Quit without updating the current key.
sign-key
Name
sign-key — sign a public key with a private key
sign-key name
Description
This is a shortcut for the subcommand sign within the command edit-key.
lsign-key
Name
lsign-key — locally sign a public key with a private key
lsign-key name
Description
This is a shortcut for the subcommand lsign within the command edit-key.
delete-key
Name
delete-key — remove a public key
delete-key name
Description
Remove the public key specified by name.
delete-secret-key
Name
delete-secret-key — remove a public and private key
delete-secret-key name
Description
Remove the keypair (both the public and private keys) specified by name.
store
Name
store — make only simple rfc1991 packets
help
Description
Elaborate.
expor t-owner trust
Nameexport-ownertrust — exportassignedowner-trustvalues
export-ownertrust file ...
Description
71
CommandReference
The owner-trust values are exported in ASCII format. This is useful for making a backup of the trust values assigned to key owners.
import-ownertrust
Name
import-ownertrust — import owner-trust values
import-ownertrust file ...
Description
The trust database is updated with the trust values taken from the files file .... If no files are listed, the input is taken from standard input.
update-trustdb
Name
update-trustdb — update the trust database
update-trustdb
Description
Enough said.
print-md
Name
print-md — display message digests
print-md algo file ...
Description
Displays a message digest using algorithm algo for each of the files file .... If no files are listed, the input is taken from standard input. If the algorithm specified is “*”, then digests using all available algorithms are displayed.
gen-random
Name
gen-random — generate random data
gen-random level n
Description
This command emits n bytes of random data with quality level. If the parameter n is omitted then an endless sequence of random bytes will be emitted. This command should not be used frivolously since it takes entropy from the system.
gen-prime
Name
gen-prime — ?
gen-prime mode bits qbits
Description
This probably generates a prime number. Read the source for details if you are curious.
version
Name
version — display version information
version
Description
Print version information along with a list of supported algorithms.
warranty
Name
warranty — display warranty information
warranty
Description
Enough said.
help
Name
help — display usage information
help
Description
Displays usage information including a list of commands and options. The options list may be incomplete.
II. Options Reference
1. Setting options
Options may be specified on the command line or in an options file. The default location of the options file is ~/.gnupg/options. When specifying options in the options file, omit the leading two dashes and instead use simply the option name followed by any arguments. Lines in the file with a hash (#) as the first non-white-space character are ignored.
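The following is an added example, not part of the handbook or of GnuPG: a small auditor that reads an options file by the rules above and reports the options that the entries of this reference caution about. The sample file, the host name keys.example.org and all function names are constructed for illustration.

```python
# Cautions paraphrased from the option entries of this reference.
CAUTIONED = {
    "always-trust": "skips key validation",
    "skip-verify": "skips signature verification",
    "allow-non-selfsigned-uid": "key validation will fail; check the key by other means",
    "use-embedded-filename": "may overwrite files",
    "passphrase-fd": "the reference says not to use it if you can avoid it",
    "homedir": "does not make sense in an options file",
}
DEBUG_SENSITIVE = 4  # debug flag 4: cipher and prime number details

# Constructed sample input, not a recommended configuration.
SAMPLE = """\
# constructed sample options file
armor
keyserver keys.example.org
   # an indented comment is ignored as well
always-trust
--skip-verify
debug 0x0046
z 9
"""

def parse_options(text):
    """Return (line_number, option, argument, had_dashes) for each option line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # hash as first non-white-space character
            continue
        parts = line.split(None, 1)
        had_dashes = parts[0].startswith("--")
        name = parts[0][2:] if had_dashes else parts[0]
        entries.append((lineno, name, parts[1] if len(parts) > 1 else None, had_dashes))
    return entries

def c_int(text):
    """Parse an integer written in C syntax (0x.. hex, leading 0 octal, else decimal)."""
    text = text.strip().lower()
    if text.startswith("0x"):
        return int(text, 16)
    if text.startswith("0") and len(text) > 1:
        return int(text, 8)
    return int(text, 10)

def audit(text):
    """Return (line_number, option, reason) findings for an options file."""
    findings = []
    for lineno, name, arg, had_dashes in parse_options(text):
        if had_dashes:
            findings.append((lineno, name, "leading dashes must be omitted in the options file"))
        if name in CAUTIONED:
            findings.append((lineno, name, CAUTIONED[name]))
        elif name == "z":
            findings.append((lineno, name, "may only be used from the command line"))
        elif name == "debug" and arg and c_int(arg) & DEBUG_SENSITIVE:
            findings.append((lineno, name, "debug flag 4 may reveal sensitive data"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s: %s" % finding)
```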
keyserver
Name
keyserver — specify the keyserver to use to locate keys
keyserver server-name
Description
This option is used in conjunction with either recv-keys or send-keys to specify a keyserver to manage public key distribution.
output
Name
output — specify the file in which to place output
output file-name
Description
This option takes the output from commands and prints it to the filename given to it as a parameter.
recipient
Name
recipient — specify the recipient of a public-key encrypted document
recipient name
Description
This option is used in conjunction with the command encrypt. It must appear before encrypt on the command line. The parameter name is either the name of the individual or the e-mail address of the individual to whom you are sending the message.
default-recipient
Name
default-recipient — specify the default recipient of a public-key encrypted document
default-recipient name
Description
The user ID name is used as the default recipient if a recipient is not otherwise specified.
default-recipient-self
Name
default-recipient-self — use the default key user ID as the default recipient of a public-key encrypted document
default-recipient-self
Description
The user ID of the default key is used as the default recipient. gpg does not query for a recipient if this specifies a valid key. The default key is the first key on the private keyring or the key specified with the option default-key.
no-default-recipient
Name
no-default-recipient — ignore the options default-recipient and default-recipient-self
no-default-recipient
Description
This is useful if the default recipient is usually set in the options file but must be ignored for a particular run of gpg.
encrypt-to
Name
encrypt-to — specify an additional recipient of a public-key encrypted document
encrypt-to name
Description
This option is similar to recipient but is intended for use in the options file. It may be used with one’s own file user ID to yield an “encrypt-to-self” option. The key specified by name is used only when there are other recipients given by the user or by use of the option recipient. No trust checking is performed on the key specified by name and even disabled keys may be used.
no-encrypt-to
Name
no-encrypt-to — ignore the option encrypt-to
no-encrypt-to
Description
This is useful if messages are normally encrypted to one or more keys by default but must not be for a particular run of gpg.
armor
Name
armor — ASCII-armor encrypted or signed output
armor
Description
This option takes output from commands and prints it in a format that can be safely e-mailed.
no-armor
Name
no-armor — assume input data is not ASCII armored
no-armor
Description
Enough said.
no-greeting
Name
no-greeting — suppress the opening copyright notice but do not enter batch mode
no-greeting
Description
Enough said.
no-secmem-warning
Name
no-secmem-warning — suppress warnings if insecure memory is used
no-secmem-warning
Description
Enough said.
batch
Name
batch — use batch mode
batch
Description
gpg will never ask questions and will not allow interactive commands.
no-batch
Name
no-batch — disable batch mode
no-batch
Description
Useful if the option batch is set in the options file.
local-user
Name
local-user — specifies a user ID to use for signing
local-user name
Description
Use name as the user ID to sign. This option is silently ignored for the list commands, so that it can be used in an options file.
default-key
Name
default-key — specifies a user ID as a default user ID for signatures
default-user name
Description
Use name as the user ID to sign. If this option is not used the first user ID found on the private keyring is the default user ID.
completes-needed
Name
completes-needed — specifies the number of fully-trusted people needed to validate a new key.
completes-needed n
Description
A public key on your keyring is validated using those signatures on the key that were made by other valid keys on your keyring. The option specifies the number of signatures needed if you fully trust the owners of the keys that made the signatures. Your trust in a key’s owner is set with the command edit-key.
marginals-needed
Name
marginals-needed — specifies the number of marginally-trusted people needed to validate a new key.
marginals-needed n
Description
A public key on your keyring is validated using those signatures on the key that were made by other valid keys on your keyring. The option specifies the number of signatures needed if you marginally trust the owners of the keys that made the signatures. Your trust in a key’s owner is set with the command edit-key.
load-extension
Name
load-extension — specifies an extension to load.
load-extension object-file
Description
Elaborate.
rfc1991
Name
rfc1991 — try to be more RFC1991 (PGP 2.x) compliant
rfc1991
Description
Elaborate?
allow-non-selfsigned-uid
Name
allow-non-selfsigned-uid — allow the import of keys with user IDs which are not self-signed
allow-non-selfsigned-uid
Description
This only allows the import; key validation will fail and you have to check the validity of the key by other means. This hack is needed for some German keys generated with pgp 2.6.3in. You should really avoid using it, because OpenPGP has better mechanics to do separate signing and encryption keys.
cipher-algo
Name
cipher-algo — use a specified algorithm as the symmetric cipher
cipher-algo name
Description
Use name as the symmetric cipher algorithm. Running gpg with the command version yields a list of supported algorithms. If this is not used, the cipher algorithm is selected from the preferences stored with the default keypair. For symmetric encryption, the default is Blowfish.
compress-algo
Name
compress-algo — use a specified compression algorithm
compress-algo n
Description
Default is 2, which is RFC1950 compression. You may use 1 to use the old zlib version which is used by PGP. The default algorithm may give better results because the window size is not limited to 8K. If this is not used the OpenPGP behavior is used, i.e., the compression algorithm is selected from the preferences; note that this can’t be done if you do not encrypt the data.
z
Name
z — set compression level
z n
Description
Setting n to 0 disables compression. The default is to use the default compression level for zlib (6). Unlike all other options, this option may only be used from the command line and is preceded with a single leading dash instead of two dashes.
verbose
Name
verbose — provide additional information during processing
verbose
Description
If used once provides extra information during processing. If used twice, the input data is listed in detail.
no-verbose
Name
no-verbose — resets verbosity to none
no-verbose
Description
This causes previous uses of the option verbose to be ignored.
quiet
Name
quiet — suppress informational output
quiet
Description
As little extra output as possible is displayed.
textmode
Name
textmode — use canonical text mode
textmode
Description
What good is this option?
dry-run
Name
dry-run — do not make changes
dry-run
Description
This is not completely implemented. Use with care.
interactive
Name
interactive — prompt before overwriting files
interactive
Description
Enough said.
yes
Name
yes — assume “yes” to most questions
yes
Description
Enough said.
no
Name
no — assume “no” to most questions
yes
Description
Enough said.
always-trust
Name
always-trust — skip key validation
always-trust
Description
This assumes that used keys are fully trusted. This option should not be used unless some external scheme is used to validate used keys.
skip-verify
Name
skip-verify — skip signature verification
skip-verify
Description
This causes signature verification steps to be skipped. This leads to faster decryption times if signed messages are being decrypted.
keyring
Name
keyring — add a keyring to the list of keyrings
keyring file
Description
Adds file to the list of keyrings used during processing. If file begins with a tilde and a slash, these are replaced by the HOME directory. If the filename does not contain a slash, it is assumed to be in the home directory. The home directory is “~/.gnupg” if the option homedir is not used.
The filename file may also be prefixed with a scheme. The scheme “gnupg-ring:” makes the specified file the default keyring. The scheme “gnupg-gdbm:” makes the specified file the GDBM ring. It may be useful to use these schemes together with the option no-default-keyring.
secret-keyring
Name
secret-keyring — add a secret keyring
secret-keyring file
Description
This is the same as the option keyring but for secret keyrings.
no-default-keyring
Name
no-default-keyring — do not add the default keyrings to the list of keyrings
no-default-keyring
Description
The default keyrings taken from the home directory are not used during processing.
homedir
Name
homedir — set the home directory
homedir directory
Description
If this option is not used, the home directory defaults to “~/.gnupg”. This overrides the environment variable GNUPGHOME. It does not make sense to use this in an options file.
charset
Name
charset — set the name of the native character set.
charset name
Description
This is used to convert some strings to UTF-8 encoding. Valid values for name are
Name         Character set
iso-8859-1   The default Latin 1 set
iso-8859-2   The Latin 2 set
koi8-r       The usual Russian set (rfc1489)
no-literal
Name
no-literal — ?
no-literal
Description
This is not for normal use. Use the source code to see how it might be useful.
set-filesize
Name
set-filesize — ?
set-filesize size
Description
This is not for normal use. Use the source code to see how it might be useful.
with-fingerprint
Name
with-fingerprint — modifies key listing output
with-fingerprint
Description
This is similar to the command fingerprint but is an option. This appears to be for use with the command list-keys.
with-colons
Name
with-colons — modifies key listing output
with-colons
Description
This causes keys displayed with the command list-keys to be delimited by colons.
with-key-data
Name
with-key-data — modifies key listing output
with-key-data
Description
This causes the command list-keys to print keys delimited by colons as well as the public key data for each key.
lock-once
Name
lock-once — locks the databases once
lock-once
Description
This option locks the databases the first time a lock is requested and does not release the lock until the process terminates.
lock-multiple
Name
lock-multiple — locks the databases each time they are used
lock-multiple
Description
This option locks the database each time it is needed and releases the lock when done. This option may be used to override the use of lock-once from the options file.
passphrase-fd
Name
passphrase-fd — read the passphrase from a different input stream
passphrase-fd n
Description
If the parameter n is 0, the passphrase will be read from standard input. This can be used if only one passphrase must be supplied. Do not use this option if you can avoid it.
force-mdc
Name
force-mdc — force the use of encryption with appended manipulation code
force-mdc
Description
This option is always used with newer ciphers with a block size of greater than 64 bits. This option may not yet be implemented.
force-v3-sigs
Name
force-v3-sigs — force the use of v3 signatures on data
force-v3-sigs
Description
OpenPGP states that an implementation should generate v4 signatures, but PGP 5.x recognizes v4 signatures only on key material. This option forces v3 signatures on data as well.
openpgp
Name
openpgp — reset all packet, cipher, and digest options to the OpenPGP specification
openpgp
Description
This option resets all previous options such as lock-once, lock-once, cipher-algo, digest-algo, compress-algo, s2k-cipher-algo, s2k-digest-algo, and s2k-mode to OpenPGP compliant values.
utf8-strings
Name
utf8-strings — assume that arguments are provided as UTF8 strings
utf8-strings
Description
Option arguments following this option are assumed to be encoded as UTF8 strings.
no-utf8-strings
Name
no-utf8-strings — assume that arguments are not provided as UTF8 strings
no-utf8-strings
Description
Option arguments following this option are assumed to be encoded in the character set specified with the option charset. This is the default behavior for gpg.
no-options
Name
no-options — use no options file
no-options
Description
This option is processed before an attempt is made to open an options file.
debug
Name
debug — set debug flags
debug flags
Description
The parameter flags is built by applying a logical OR on individual flags. The parameter may be given in C syntax, e.g., 0x0042. The flags are
Flag  Meaning
1     Packet reading and writing details
2     MPI details
4     cipher and prime number details (may reveal sensitive data)
8     Iobuf filter functions
16    Iobuf details
32    Memory allocation details
64    Caching
128   Show memory statistics on exit
256   Trust verification details
debug-all
Name
debug-all — set all useful debugging flags
debug-all
Description
See also the option debug.
status-fd
Name
status-fd — write status messages to an alternative output stream
status-fd n
Description
This option causes status messages to be redirected to file descriptor n. See the file DETAILS in the distribution for a listing of the messages.
logger-fd
Name
logger-fd — write log messages to an alternative output stream
logger-fd n
Description
This option causes log messages to be redirected to file descriptor n instead of to standard error.
no-comment
Name
no-comment — do not write comment packets
no-comment
Description
This option affects only the generation of secret keys. Output of option (comment?) packets is disabled since version 0.4.2 of GnuPG.
comment
Name
comment — set the comment string to use in cleartext signatures
comment string
Description
Enough said.
default-comment
Name
default-comment — use the standard comment string in cleartext signatures
default-comment
Description
This option overrides previous uses of the option comment.
no-version
Name
no-version — omit the version string in cleartext signatures
no-version
Description
Enough said.
emit-version
Name
emit-version — emit the version string in cleartext signatures
emit-version
Description
This option overrides previous uses of the option no-version.
notation-data
Name
notation-data — add data to a signature as notation data
notation-data name=value
Description
This adds the name/value pair to a signature. The parameter name must consist of an alphabetic character followed by any number of alphanumeric or underscore characters. The parameter value may be any printable string. It will be encoded in UTF8, so it is important that the option charset is used to set the character set properly. If the parameter name is prefixed with an exclamation mark, the notation data will be flagged as critical (see rfc2440:5.2.3.15).
set-policy-url
Name
set-policy-url — set the policy URL for signatures
set-policy-url string
Description
The parameter string is used as the policy URL for signatures (see rfc2440:5.2.3.19). If the string is prefixed with an exclamation mark, the policy URL packet will be flagged as critical.
set-filename
Name
set-filename — sets the filename stored in encrypted or signed messages
set-filename string
Description
The parameter string is used as the filename stored in messages. Does this specify the output file when a message is verified or decrypted?
use-embedded-filename
Name
use-embedded-filename — use the filename embedded in a message for storing its plaintext or verified version
use-embedded-filename
Description
This option should be used with care since it may overwrite files.
max-cert-depth
Name
max-cert-depth — set the maximum depth of a certification chain
max-cert-depth n
Description
The parameter n sets the maximum length of a chain of certified keys leading from an ultimately trusted key to a key being validated. The default is 5.
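An added worked example (not from the handbook and not GnuPG's own code) of how completes-needed, marginals-needed and max-cert-depth interact when keys on a keyring are validated. It is a simplified model: a signature from an ultimately trusted key counts like one from a fully trusted owner, and the values 1 and 3 used for completes-needed and marginals-needed are GnuPG's usual defaults, which this reference does not state. All key names are constructed.

```python
# Constructed keyring: owner trust per key, and who signed whom.
OWNER_TRUST = {
    "me": "ultimate", "alice": "full", "bob": "marginal",
    "carol": "marginal", "dave": "marginal", "erin": "full", "frank": "none",
}
SIGNATURES = {
    "alice": {"me"},
    "bob": {"alice"},
    "carol": {"me"},
    "dave": {"me"},
    "erin": {"bob", "carol", "dave"},   # three marginally trusted signers
    "frank": {"bob", "carol"},          # only two marginally trusted signers
    "grace": {"erin"},
}

def validate_keyring(owner_trust, signatures, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: chain_length} for every key this model considers valid.

    chain_length is the number of certification steps from an ultimately
    trusted key (which has length 0) to the key being validated.
    """
    valid = {k: 0 for k, t in owner_trust.items() if t == "ultimate"}
    for depth in range(1, max_cert_depth + 1):
        newly_valid = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            full = marginal = 0
            for signer in signers:
                if signer not in valid:      # only signatures made by valid keys count
                    continue
                trust = owner_trust.get(signer, "none")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid[key] = depth
        if not newly_valid:                  # nothing changed, so nothing will later
            break
        valid.update(newly_valid)
    return valid

if __name__ == "__main__":
    for name, length in sorted(validate_keyring(OWNER_TRUST, SIGNATURES).items()):
        print(name, length)
```

Raising completes-needed to 2 leaves only the ultimately trusted key valid in this sample, because every other key has at most one fully trusted signer.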
digest-algo
Name
digest-algo — set the message digest algorithm
digest-algo name
Description
The parameter name specifies the name of the digest algorithm to be used. Running gpg with the command version gives a list of supported digest algorithms. Note that this option may violate the OpenPGP requirement that a 160-bit digest algorithm be used for DSA. For symmetric encryption, the default algorithm is RIPEMD-160.
s2k-cipher-algo
Name
s2k-cipher-algo — use a specified algorithm as the symmetric cipher for encrypting private keys
s2k-cipher-algo name
Description
Use name as the symmetric cipher algorithm to protect private keys. Running gpg with the command version yields a list of supported algorithms. The default cipher is Blowfish.
s2k-digest-algo
Name
s2k-digest-algo — set the message digest algorithm for mangling passphrases protecting private keys
s2k-digest-algo name
Description
The parameter name specifies the name of the digest algorithm to be used for mangling passphrases. The default algorithm is RIPEMD-160.
s2k-mode
Name
s2k-mode — sets how passphrases are mangled
s2k-mode n
Description
The parameter n specifies the number of times to which a salt is added to passphrases. If n is 0 a plain passphrase will be used. One iteration is the default. Unless the option rfc1991 is used, this mode is also used for the passphrase for symmetric encryption.
disable-cipher-algo
Name
disable-cipher-algo — prevents a symmetric cipher from being used
disable-cipher-algo name
Description
The parameter name specifies the name of a symmetric cipher algorithm to be disabled. If the named cipher is loaded after this option is processed it will not be disabled.
disable-pubkey-algo
Name
disable-pubkey-algo — prevents a public key cipher from being used
disable-pubkey-algo name
Description
The parameter name specifies the name of a public key cipher algorithm to be disabled. If the named cipher is loaded after this option is processed it will not be disabled.
throw-keyid
Name
throw-keyid — do not put key IDs into encrypted packets
throw-keyid
Description
This option hides the receiver of the encrypted data as a countermeasure against traffic analysis. It slows decryption, however, since in the worst case all the keys on a receiver’s private keyring must be tried to find the decryption key.
not-dash-escaped
Name
not-dash-escaped — changes the format of cleartext signatures
not-dash-escaped
Description
This option is useful for cleartext signatures on patch files. Messages signed this way should not be sent via email because all spaces and line endings are hashed too. This option cannot be used for data which has five dashes at the beginning of a line. A special header line is used to tell GnuPG that this option has been used.
escape-from-lines
Name
escape-from-lines — modifies messages beginning with “From” when cleartext signing
escape-from-lines
Description
Because some mailers change lines starting with “From” to “<From” this option is useful for instructing gpg to handle such lines specially when creating cleartext signatures. All other PGP versions do it this way too. This option is not enabled by default because it would violate rfc2440.
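An added example, not from the handbook or GnuPG's source, covering both not-dash-escaped and escape-from-lines: it models dash-escaping of cleartext and shows why a mailer's rewrite of a "From " line breaks verification unless that line was escaped. It assumes that the special handling is to dash-escape "From " lines (the page does not say how they are handled), and a SHA-1 digest stands in for the signature; the message and function names are constructed.

```python
import hashlib

MAILER_MARK = "<"  # the page writes the rewritten line as "<From"

# Constructed sample message.
MESSAGE = ("Release notes\n"
           "From now on the daemon drops privileges\n"
           "- fixes the log rotation bug\n")

def dash_escape(text, escape_from_lines=False):
    """Prefix '- ' to lines starting with '-' and, optionally, with 'From '."""
    out = []
    for line in text.split("\n"):
        if line.startswith("-") or (escape_from_lines and line.startswith("From ")):
            line = "- " + line
        out.append(line)
    return "\n".join(out)

def dash_unescape(text):
    """Undo dash_escape on the receiving side."""
    return "\n".join(l[2:] if l.startswith("- ") else l for l in text.split("\n"))

def mailer_rewrite(text):
    """Model of a mailer that changes lines starting with 'From '."""
    return "\n".join(MAILER_MARK + l if l.startswith("From ") else l
                     for l in text.split("\n"))

def canonical_digest(text):
    """Stand-in for a normal cleartext signature: trailing blanks dropped, CRLF line ends."""
    lines = [l.rstrip(" \t\r") for l in text.split("\n")]
    return hashlib.sha1("\r\n".join(lines).encode("utf-8")).hexdigest()

def raw_digest(text):
    """Stand-in for not-dash-escaped, where all spaces and line endings are hashed too."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def not_dash_escaped_allowed(text):
    """not-dash-escaped cannot be used if a line begins with five dashes."""
    return not any(l.startswith("-----") for l in text.split("\n"))

def survives_mail(message, escape_from_lines):
    """True if the digest still matches after escaping, mailing and unescaping."""
    wire = dash_escape(message, escape_from_lines)
    received = dash_unescape(mailer_rewrite(wire))
    return canonical_digest(received) == canonical_digest(message)

if __name__ == "__main__":
    print("with escape-from-lines:", survives_mail(MESSAGE, True))
    print("without escape-from-lines:", survives_mail(MESSAGE, False))
```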