How to apply GPG encryption to keep your information safe and secure (1)
Source: Internet
Author: User
KeywordsSecurity
As an important means of protecting information confidentiality, integrity and non-repudiation, encryption and digital signature are widely used in various information and communication situations. At present, there are many commercial encryption and digital signature products, such as commercial software PGP (pretty good Privacy). In addition, there are free encryption and digital signature software in the open source repository, the most recognized being GPG (GNU Privacy Guard). GPG is a completely free, source-code-compliant software product that is completely compatible with PGP. Today, GPG has many businesses and individual users. In our country, because the information security and the privacy protection consciousness is still relatively weak, PGP or GPG is not common in the commercial and the individual user's use. With the increase in information security and privacy issues and even lawsuits, more businesses and individuals are turning their sights on security issues. However, due to the fear of the concepts such as signature and encryption, the application of GPG is limited to it technicians. This article will explain how to apply GPG in Linux environment, and provide help for enterprise and individual users to apply GPG. Create GPG environment GPG software as open source tools for encryption and digital signatures, and many Linux distributions bring the software. With the default installation, GPG will be installed as a basic command beforehand. If you choose a Linux distribution that does not have GPG installed by default, you can install it from the Tar pack or the RPM package, and you can download the installation package from http://www.gnupg.org/download/. The installation process is relatively simple, here omitted. It is also easy to determine if a GPG is installed. Enter the "gpg-h" command directly below the command line and display information about GPG usage if the system has GPG installed. After you have identified the GPG in your Linux system, you can start the following encryption and signature work. To generate a key user application GPG, you must first have a pair of your own keys. So the first step is to create a pair of keys. The GPG command provides almost all of the required operations with a large number of parameters. Where the parameter "-gen-key" is used to generate a pair of keys. You can run the following command on a Linux system with GPG installed: #gpg--gen-key If you want to personalize the operation that generated the key, you can add additional parameters. For example, to specify where the key is stored, you can run the following command: #gpg--gen-key--homedir/mygnupg command starts running, you will first see the version and path information as follows: GPG (GnuPG) 1.2.1; Copyright (C) 2002 free Software Foundation, inc.this program comes with ABsolutely NO WARRANTY. This is the free software, and your are welcome to redistribute itunder certain. The file COPYING for DETAILS.GPG:/home/terry/.gnupg:directory createdgpg:new revisit file '/home/terry/.gnupg /gpg.conf ' Createdgpg:keyblock resource '/home/terry/.gnupg/secring.gpg ': File Open errorgpg:keyring '/home/terry/. GNUPG/PUBRING.GPG ' created then needs to answer a series of questions to help produce a pair of keys. The first problem you encounter is the algorithm that requires you to select a key: Please select what kind of key to want: (1) DSA and ElGamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection? 1, DSA is a digital signature algorithm, RSA and ElGamal are two different principles of asymmetric key algorithm. You can usually choose "1" so that the generated key can be used both for both signature and encryption purposes. Next, you'll be asked to select the length of the key: DSA KeyPair will have 1024 bits. About to generate a new ELG-E keypair.minimum keysize are 768 bitsdefault keysize is 1024 bitshighest suggested KeySize 2048 bitswhat keysize do you want? (1024) 2048Requested KeySize is 2048 bits The key length here is 768, 1024, and 2048 bits three. Obviously, the longer the key is, the safer it is, but the longer it will affect the speed at which it is used. Therefore, you can choose the appropriate length according to different needs. The author's application attaches more importance to security, so the longest 2048-bit key is chosen. Also, you need to set the time when the key expires: Please specify how long the Key should is valid.0 = key does not expire = key expires in n DAYSW = key expires in n WEEKSM = key expires in n Monthsy = key expires in n Yearskey are valid for? (0) 1yKey expires at Sat Sep-01:48:07 PM cstis This correct (y)? Y in principle, the higher the frequency of the key usage, the longer the key is valid, and the greater the likelihood of being attacked. Therefore, according to the actual situation of the application of comprehensive consideration, to determine an appropriate length of time. It should be noted that the key should be periodically replaced, it is recommended never use the same pair of keys forever. Finally, you need to enter some personal information, including the real name, e-mail address, etc., used to identify the key, preferably truthfully fill out. For example: Real Name:terry yuemail address:terry@mykms.orgcomment:for testyou selected this user-id: "Terry Yu (for test)" Chan GE (N) Ame, (C) omment, (E) mail or (O) kay/(Q) uit? o Then, you must enter a password. The password is used to protect the key, and no one can see the contents of the key itself without this password. A password is the only secret measure after a key file is compromised, and its biggest enemy is brute force cracking and dictionary attacks. Therefore, be sure to choose a strong password to effectively combat these attacks. After the password is determined, the system begins operation: We need to generate a lot of random bytes. It is a perform some other action (type on the keyboard, move the mouse, utilize the workloads) during the prime G Eneration; This gives the random number generator a decoupled chance to gain enough. ++++++++++.++++++++++++++ need to tap the keyboard or move the mouse casually,To generate some random numbers to help the key to build smoothly. Note that without the above action, it is likely that the key will not eventually be generated. After the system operation completes, a message similar to the following appears: GPG:/home/terry/.gnupg/trustdb.gpg:trustdb createdpublic and secret key created and Signed.key Marked as ultimately trusted.pub 1024d/6ae573b5 2004-09-29 Terry Yu (for test) Key fingerprint = 0d58 408E 344F bb7b AB95 D000 82b7 8324 6ae5 73b5sub 2048g/94bf182c 2004-09-29 [expires:2005-09-29]pub 1024d/7234e374 2004-09-10 Terry Yu (for TES T) Key fingerprint = a58f d71a 28BA 499D 805B 588E 82FB cd0f 7234 e374sub 2048g/4907ea0a 2004-09-10 [expires:2005-09-10] The information indicates that a pair of keys has been successfully generated and signed for "Terry Yu" with the key expiration of "2005-09-10". The GPG configuration and key storage files associated with this user are also stored in the. GnuPG directory of the default user directory while generating the key. These files control the user's GPG environment, and users cannot modify these files directly, and all changes will be implemented through the "GPG" command. After viewing the key key generation, you can view it at any time with the following command. View all keys: #gpg-list-key View all public keys: Gpg-list-public-key View all private keys: Gpg-list-secret-key list all signatures: GPG-LIST-SIG export public key in an asymmetric encryption system, The private key is kept by the user, and the public key is externally disclosed. After the user generates the key pair, it needs to export the public key to a file and distribute it to other users. The method for exporting the public key is simple and can be accomplished by the "-export" parameter of the GPG command. For the export file to be Ascⅱ encoded, you also need to add the parameter '-a '. For example, to export a Terry YU Ascⅱ encoded public key file, you can use the following command: #gpg--export-a terry@mykms.org> TERRY.ASC This command eventually generates a Ascⅱ encoded public key file Terry.asc as shown in Figure 1. 498) this.width=498 ' OnMouseWheel = ' javascript:return big (This) ' src= ' http://images.51cto.com/files/uploadimg/ 20051219/1123080.jpg "> Figure 1 Public key file TERRY.ASC distribute public key This file that contains public key information needs to be distributed externally, and you can distribute Terry.acs files to all users who have information communication needs in various ways. The simplest way to distribute the file is to put it on the Internet for download. The problem with this approach is that the Web site that publishes the public key file must be a trusted site. Similar practices are common in practical applications. For example, Red Hat's public key is posted on its official web site and can be downloaded by anyone, and used to verify the correctness of the signature of the software released by Red Hat. Importing a public key as a user also receives a GPG public key, which may come from a Web site, e-mail, FTP, and directory service, and can be imported into its own GPG environment as long as you trust its source, before you can use a variety of GPG based applications with the appropriate people. The process of importing public keys can be divided into the following three steps: 1. Import For example, Terry received a friend Brian's public key file BRIAN.GPG, you can import files using the following command: #gpg--import terry.gpg2. Check the "Fingerprint" public key can be forged. James could forge a Brian's public key and find a way to get Terry to get it. If Terry does not validate the received public key, the encrypted message he sent to Brian could be decrypted by James. GPG's architecture does not have a certificate management system such as PKI, GPG public-key trusts are implemented through the "Truth Web." Generate the "fingerprint" of the Terry Public key: #gpg--fingerprint terry@mykms.orgpub 1024d/7234e374 2004-09-10 Terry (for test) key fingerprint = a58f d71a 28BA 499D 805B 588E 82FB cd0f 7234 e374sub 2048g/4907ea0a 2004-09-10 [expires:2005-09-10] This "fingerprint" is unique. It is possible to determine whether the public key is trustworthy and legitimate by checking with the other to see if the "fingerprint" is consistent. 3. SignatureAfter the import is successful and the public key is determined to be available, sign the public key immediately. This way, you can verify the authenticity of the message from the other side. To sign a public key, you can use the following command: #gpg--sing-key brian@mykms.org or #gpg--edit-key name#command > sign Check each other's emails, such as Brian's signature: #gpg Check-sigs brian@mykms.org now, with Brian's signed public key, this public key can be used to communicate asymmetric encryption with brain. Using the asymmetric key system used by GPGGPG, the user has a pair of keys, including a public key and a private key. The public key is publicly disclosed and the private key is saved by itself. Data encrypted with a public key can be decrypted with the private key, and data encrypted with the private key can be decrypted with the public key. Asymmetric keys can be used to encrypt and digitally sign. When users care about the confidentiality of information, use the encryption function, when users pay attention to information integrity and non-repudiation, the use of digital signature function, when users need to pay attention to the confidentiality of information, integrity and non-repudiation, you can mix encryption and mathematical signature. With a simple understanding of these cryptography concepts, it is possible to begin real application practice. 1 2 Next page >> content navigation to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passed (0 Votes) The original text: How to apply GPG encryption to keep your information safe and secure (1) Return to network security home
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.