Chapter 6: Assessing Security with Knoppix

Previous page
Table of content
Next page

Security is vitally important to everything we do. Think about it: We drive well-built cars and wear seat belts, avoid unsafe areas of town, and safeguard our computer systems and networks as best we can against criminals, spammers, and miscreants. You can use Knoppix to help protect your computers, but you can also use it to learn more about security. You may even find that it's fun along the way.

Encrypting Data with GnuPG

Encryption is one of those things that can really raise the hackles of some folks, primarily those in government who want to limit the use of it by ordinary Joes like you and me. However, there is no good reason not to use encryption. We all have information that we'd like to keep secret, whether it's related to business or our personal lives, and encryption is the way to do it.

One of the best tools for encryption is GnuPG, the Gnu Privacy Guard. GnuPG uses public key cryptography, which means that you possess two keys: a private key that you use to decrypt messages sent to you, and a public key that others use to encrypt messages meant for you. This setup necessitates public keys being exchanged between people who want to send each other encrypted files, as you'll see.

Note 

Don't know what encryption is? Read http://en.wikipedia.org/wiki/Encryption, or, if you're feeling more hardcore, check out Niels Ferguson and Bruce Schneier's Practical Cryptography. Want to learn more about public key cryptography? Head over to http://en.wikipedia.org/wiki/Asymmetric_key_algorithm.

You can actually use GnuPG for a variety of tasks:

  • Encrypting and decrypting email

  • Encrypting and decrypting files on your computer

  • Signing a file with an electronic signature, or verifying the authenticity of a file by checking its digital signature

  • Verifying, or signing, other folks' public keys

To use GnuPG, you need a key pair. You can generate the keys from scratch or import an existing set of keys. The following sections show you how to do both.

Generating GnuPG Keys

To start the process of creating your own set of GnuPG keys, run this command:

 $ gpg --gen-key

Then choose what kind of key you want to use. The options are as follows (that's right — there is no 3 in the list; I don't know why):

  1. DSA and ElGamal (default)

  2. DSA (sign only)

  1. RSA (sign only)

The default of 1 is just fine, so either type 1 and press Enter, or just press Enter to accept the default. Choose the size of your key. Once again, the default, 1024, is okay, so press Enter. Next, decide the length of time the key is going to be valid. 0, the default, means that the key will never expire. This is acceptable, if you intend to keep the key and re-use it in the future, or as long as you don't publish the public key to a keyserver and then neglect to either use the key ever again or delete it, thereby cluttering up public keyservers.

If you know for certain that you're only going to use the key for a brief period of time, select a key life span corresponding to that time. For example, if you need it for one week, type 1w and press Enter. GnuPG asks you to verify the life span of the key, so make sure it's what you want, type y, and press Enter.

Create what GnuPG calls a User-ID, which is actually composed of three questions. Answer them all, pressing Enter after each one. First, you need to enter a real name, like Scott Granneman; then an email address, like scott@granneman.com; and finally, a comment, which can be anything from an organization name, to a city and state (such as St. Louis, MO), to a URL, to anything at all. If the User-ID is okay, type the letter O; if it's not, make your changes and then type O. Press Enter.

Next, and perhaps most important of all, you must type the passphrase that will be used to protect your secret key. If you lose this, or if someone else can guess your passphrase, your security is compromised, so it's imperative that you pick something strong and secure. Keep in mind that you can use a passphrase, not just a password, which should help strengthen your security. Passphrases can include spaces and other special characters.

Tip 

You may want to read the SecurityFocus article titled "Pass the Chocolate" (http://securityfocus.com/columnists/245), which has many tips for generating strong passwords. It's easy to apply its advice to passphrases.

Type in your passphrase (please make sure it's a good one!) and press Enter, and then do it again so GnuPG can make sure your passphrases match. Immediately you're going to see a lot of gibberish go by on the screen because GnuPG uses random data to generate your keys. Help GnuPG out a bit by moving your mouse, typing on the keyboard, or running a program in the background so that the disk is active. After a short time, GnuPG quits, and your new keys will have been created.

To verify that things worked, enter the following on the command line:

 $ gpg --list-keys

You should see something like this:

 /home/knoppix/.gnupg/pubring.gpg -------------------------------- pub 1024D/65D0FD58 2003-07-11 CA Cert Signing Authority (Root CA) <gpg@cacert.org> sub 2048g/113ED0F2 2003-07-11 [expires: 2033-07-03] pub 1024D/9E2BD1F2 2003-08-05 CA Cert Signing Authority (Low Security Key) <lowgpg@cacert.org> sub 2048g/456D7D4B 2003-08-05 [expires: 2033-07-28] pub 1024D/A2DE1C11 2005-04-10 Scott Granneman (St. Louis, MO) <scott@granneman.com> sub 1024g/9D7F447C 2005-04-10

The first two keys come along with GnuPG, so they're expected. After that, you should see your new key listed. Success! Now you need to actually encrypt and decrypt something. If you don't need to import any GnuPG keys that you already use, you can skip the next section and jump ahead to "Using GnuPG Keys."

Importing GnuPG Keys

If you already have a collection of GnuPG keys, which GnuPG calls a GPG keyring, you can import it easily enough. If you've booted Knoppix on a machine that contains your keyring, it's really easy. Mount the drive that holds the keyring (hda2, for example), make sure you know where the keys are stored (they should be in the ~/.gnupg directory), and then run the following command:

 $ gpg --import /mnt/hda2/rsgranne/.gnupg/pubring.gpg
Caution 

Make sure you import the pubring.gpg file, not the secring.gpg file.

You should see something like the following on your console (email addresses have been changed to preserve privacy):

 gpg: key 6503F88C: public key "Scott Granneman (http://www.granneman.com) <scott@granneman.com>" imported gpg: key E4A3CAF1: public key "eric mckinley <erickmckinley@localhost.com>" imported gpg: key 35745FEB: public key "Jans Carton <JansCarton@localhost.com>" imported gpg: key 1768928B: public key "intake <intake@locahost.org>" imported gpg: key 59B1ABA8: public key "Bryan_Consulting (http://www.bryanconsulting.com) <bryanconsulting@localhost.com>" imported gpg: key 4D95C51B: public key "Alan German <alangerman@locahost.com>" imported gpg: Total number processed: 6 gpg:               imported: 6

That was easy! What if you don't have a keyring on your machine? You can always import keys from a keyserver on the Net into your keyring. For instance, to import Klaus Knopper's GnuPG key (used to verify that you downloaded the correct ISO images, signed by Klaus Knopper himself), use the following command:

 $ gpg --keyserver keyserver.veridis.com --recv-keys 0x57E37087

How did I know that 0x57E37087 is Klaus' key? I went to http://keyserver.veridis.com, a Website that indexes public keys, clicked on the PGP KeyServer link, searched for "Klaus Knopper," and then copied the Key ID on the results page. Go ahead and search for "Scott Granneman" if you'd like. I'm there, although only the most recent key is good.

To verify that you have Klaus in your keychain, enter gpg –list-keys and see if he shows up. He's there? Good. If he's not, search http://keyserver.veridis.com (click PGP KeyServer link) yourself to see whether you can find his key, and then import it.

You can also import keys if they're made available to you as an ASCII file, usually ending with the .asc extension. For instance, head over to http://keyserver.veridis.com and search for "Linus Torvalds," which currently brings up four results. Click on the Key ID next to torvalds@transmeta.com, and you'll be prompted to download a file named pubkey.asc, which is the key for that particular ID. Save the file on your hard drive (the Desktop is always a good place to put such things), and then enter the following:

 $ gpg --import ~/Desktop/pubkey.asc

GnuPG will report that it has imported the public key for Linus Torvalds into your keyring. Success! Go ahead and delete pubkey.asc from your Desktop because you no longer need it.

Now it's time to start using your keys.

Using GnuPG Keys

Before you can use GnuPG, you have to sign the keys in your keyring. In other words, you need to assert that the keys you possess belong to the folks to whom they're supposed to belong. Ideally, you'd know this because you received the key directly from the individual. If you don't get the key personally, you'll have to verify the key's ownership in some way that satisfies you. If you're sure that a key from Klaus Knopper actually belongs to Klaus, you need to run the following command:

 $ gpg --sign-key "Klaus Knopper"
Note 

How did I know to use "Klaus Knopper" in the command? Because I ran gpg –list-keys first and verified the name associated with the key. In actuality, you can use anything unique for the key, including "Klaus," "Knopper," "knoppix@knopper.net," or "57E37087" (the User-ID).

When you run the –sign-key command, you're asked several questions:

  • Do you want to sign all the user IDs associated with the key? Answer y and press Enter.

  • How carefully have you performed the verification? It really doesn't matter what your answer is because the process continues regardless, but it does force you to think about what you're doing, and that's never a bad thing when it comes to security. Do your best to at least be able to truthfully answer that you have done casual checking. Make your choice, and press Enter.

  • Do you really want to sign the key? Yes, you really want to sign the key, so type y and press Enter.

Type your secret passphrase, to prove that it's really you who's trying to sign the key in your keyring, and press Enter. You're back at the command prompt. (In the best UNIX tradition, success is quiet; in other words, if things work, UNIX just continues trucking along. Only problems merit feedback.)

You need to repeat this process for every key in your keyring. If you sign a new key immediately whenever you add it to your keyring, you get it over with and can start using the key right away.

With Klaus' key signed, create and encrypt a file as if you were going to send it to him. From the K menu select Editors KWrite, and type This is a file I'm going to encrypt bwahahahahaha! Save the file on your Desktop as secret.txt, minimize KWrite, and go to your shell (Konsole on the panel, if it's not already open). cd to your Desktop, and run the following command:

 $ gpg -r "Klaus Knopper" --encrypt secret.txt
Note 

Please don't inundate Klaus with encrypted files. He's too busy working on Knoppix to mess around with a bunch of test encryptions sent to him by every yahoo reading this book.

After a few seconds, you're back on the command line (again, silence means success). Enter ls, and you'll see that in addition to the original secret.txt file, there's now a secret.txt. gpg file next to it. The file is encrypted, but it's in a binary format. If you wanted to email it to Klaus (and, again, please do not!), you'd need to actually attach secret.txt.gpg to your email message.

To generate ASCII text output, do this instead:

 $ gpg -r "Klaus Knopper" --armor --encrypt secret.txt

Again, ls informs you that there's a new file in this directory: secret.txt.asc. It can be viewed by using the command cat secret.txt.asc and looks something like this:

 -----BEGIN PGP MESSAGE----- Version: GnuPG v1.2.5 (GNU/Linux) hQEOA4SWCtGmm0R2EAP+MRP7e4SJW8vddpbCv+RTw8kMrqp8MdJ1KTirWVQJ6+2b qg9ktjkXIurX9Ce33FRMtiKX1SUgBYfE8M08JXAMgS6bDPLWfIatHFLTyEGYp2Dx s23EQ7c8XK16yjOcLKgJihq11KrBcCru8QsapcOLVlhdqFcXt9K8eRoXehb+kXcE AMVwFkL+MaLjJX+r4BC1oXerfFljE+SjgheUHY82weEgLppUvKezcWAdfyNCZQMV 7HkLBrGnISqaxMTtkafk/cNT6/kYfzoNjpxXjrbTap3D3qSnffD4Wo7/czeSyLko +VHOhe86ZK0eyxYuE7cg1okvVZdAVgo6dYH0/rDcQwDG0nIBvcZ5LfP4xGS1oG/M N884O7xl2qxoTST4TcFHLlUS7O6KXHoifxAt/nRcRctkrkkJyorUnWL2RXVrE21f 5LeFVrM+Y8R89rhcShlG44NsAn2m0GkzjXNV1QBcbzhfFq95D/cq7TriP5tHlBFV Djs5Cv0= =fm66 -----END PGP MESSAGE-----

You can attach the ASCII file to an email, or you can copy and paste the text — all of it, even the BEGIN and END lines! — into an email message directly.

You can go even further. Beyond simply encrypting the file, you may want to digitally sign it, so that the recipient can ensure that the file really came from you. To encrypt and sign the file, use this command (leave off –armor if you want to generate a binary file instead of an ASCII file):

 $ gpg -r "Klaus Knopper" --armor --sign --encrypt secret.txt

When you run that command, you're asked for your passphrase, which makes sense because you have to verify your signature. When the process is complete, you once again end up with a file named secret.txt.asc, but this time cat secret.txt.asc shows it to be a bit longer because it contains your digital signature as well:

 -----BEGIN PGP MESSAGE----- Version: GnuPG v1.2.5 (GNU/Linux) hQEOA4SWCtGmm0R2EAP/XDgpwXRT7O2LEcbKvGb3ufIhWz52b8TpXkurSN1C25IR zWX60G437Q+piTnU13PxlkiFsPqsOJgxfRC4UwzAr7M5+78HSQ7C0Udhljm0dASn OgSqsl5ApdiRVNgEPlYfpsy/Te+cV8QBfGnkFrbw27SkpfO9M8+MryzbSRnDZ4wD /1zy2zUSxtSd/wymaXKhhnH/J4zAAI9k5QP3N/AH3R4UbEOpohmcozl/Zmdr5FUT z+M6R9jixndRyAS65SEIDRa5/hq+HBslRvgcbKY2sbE6G+4wYLJgLKTB/dLhtaUd F134PEQLPt7fYl/7KaKpyPFb+L3JOaElGwr0cbUX93z50r0BbHDhr8BaUh3AclUb cCmb9adys14Kz+pQbzu0XsRityzAE6dm83RZXX0GtAb/MWLjbJ3D/kUAz6BL2hbd iIXW+t09G+YJcK4gTyib9MtujQTmZRiRTaQSpL7bJuGLVZyNvNjXnOMdtufNIQy9 IaW55RQqyZw4p1Ey31IXp2P+mQNTtCskyuIoV4dT/kugF8q1Fn4KVZylu9iwTA/P GJqcCeqeQ2s97YsCs7ppE9o5MTwpwY2sDjqW3uL0ZQU= =UBSD -----END PGP MESSAGE-----

Of course, you may not want to include both your original document and your signature in one file, so instead you might want to use this command:

 $ gpg --detach-sign secret.txt

The output is a file named secret.txt.sig, which is a binary file containing your digital signature. If you want to create an ASCII equivalent, suitable for pasting into email messages or posting on a Website, do the following:

 $ gpg --output digitalsig.sig --armor --detach-sign secret.txt

This uses the –output option, which enables you to specify the name of the ASCII file you're creating. You don't need to use it per se, but if you left it out, the resulting digital signature file would be named secret.txt.asc, the same as the output of the gpg -r "Klaus Knopper" –armor –sign –encrypt secret.txt command you used previously. In other words, you would overwrite your encryption with your signature (or vice versa, depending on the order in which you ran the commands)!

You can combine the commands and do everything at once:

 $ gpg -r "Klaus Knopper" --armor --encrypt secret.txt ; image from book    gpg --output digitalsig.sig --armor --detach-sign secret.txt

The result? Two files (in addition to the original secret.txt file, which remains untouched): digitalsig.sig and secret.txt.asc, suitable for pasting into email messages or attaching.

Tip 

You can always specify yourself as the recipient, thus protecting your important files from prying eyes.

So you send Klaus your encrypted file and your digital signature. What does he do with them? First he verifies your signature — and this assumes, of course, that he's already imported your public key into his keyring. To verify your signature file, he runs the following:

 $ gpg --verify digitalsig.sig secret.txt.asc

Klaus can either decrypt the attachment, once it has been saved, or copy and paste the text into a new file and then decrypt that. To perform the decryption, he simply enters one of the following on the command line:

 $ gpg --output secret.txt --decrypt secret.txt.gpg $ gpg --output secret.txt --decrypt secret.txt.asc

When Klaus presses Enter, he's prompted to enter the password for his secret key; after he does so, GnuPG does its work and the file is decrypted, so that secret.txt appears and Klaus can now read your message. If Klaus didn't use the –output option, GnuPG would simply place the output of the decrypted file on the console. Another way around that would be to use this command:

 $ gpg --decrypt secret.txt.gpg > secret.txt

With GnuPG in your arsenal, you have industrial-strength encryption available to protect your secrets. It's a shame that more people don't know about GnuPG and encryption, but you can help spread the word and educate folks with Knoppix. Go forth and proselytize!

Note 

man gpg has a lot of great information if you want to learn more. The GnuPG Website is an excellent resource, at http://gnupg.org, containing HOWTOs, FAQs, guides, and more.


Previous page
Table of content
Next page
Hacking Knoppix
Hacking Knoppix (ExtremeTech)
ISBN: 0764597841
EAN: 2147483647
Year: 2007
Pages: 118
Authors: Scott Granneman
BUY ON AMAZON
Strategies for Information Technology Governance
A+ Fast Pass
Adobe After Effects 7.0 Studio Techniques
After Effects and Photoshop: Animation and Production Effects for DV and Film, Second Edition
PMP Practice Questions Exam Cram 2
802.11 Wireless Networks: The Definitive Guide, Second Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy