"be consistent" | |
PerlMonks |
In symmetric encryption the key is shared by both the sender and the receiver. DES is the most widely used symmetric encryption algorithm. While better that storing/sending in plaintext, symmetric has one big problem - how do you share the key? Anyway you think about it, that key is one big Achille's heel. You either have to pass it out of band (can be difficult and time consuming) or you have to wrap it in another encryption which really just pushes the issues to the wrapper.
In asymmetric encryption (aka public key), the key is not shared. Each user has two keys - a public key and a private key. These two keys are mathematically related in such a way that if another user encrypts using my public key then only my private key can decrypt it. There are a lot of other things going on but that's the crux of the situation. With asymmetric cryptography, we have to worry less about the distribution of the key. (But we should still worry - remember the onion).
Once you have GnuPG installed and keys generated, you can do all types of encrypting and decrypting - but only for yourself. You need to get some other keys so you can communicate with others. If you're going to use GnuPG with the outside, you need to build your web of trust. If you're going to be using it by yourself, generate another keypair (as another user) and then exchange keys (that is, if you trust yourself).
update: Of course, you can use a single keypair if you just wish to encrypt/ decrypt stuff for yourself. I was going to give more examples of using GnuPG/GPG in a web environment where the user running the httpd process would encrypt data with the public key of another user. This would have been a good example of another layer of security. If the web user is compromised, the data is still fairly secure because it's encrypted with the other user's keys and that keyring is stored in a safe somewhere and only brought out to run reports (isn't it?).
For example, let's say you created two users - alice and bob. Here's two simple scripts. One where alice encrypts a message for bob, the other where bob decrypts it.
#!/usr/bin/perl -w use strict; use Carp; use GPG; my( $gpg ) = new GPG( homedir => "/home/alice/.gnupg" ); croak $gpg->error() if $gpg->error(); my( $enc ) = $gpg->encrypt( "Can you read this", "bob\@dot.com" ); croak $gpg->error() if $gpg->error(); print $enc;
Which is rougly equivalent to the gpg command:
gpg --encrypt --recipient bob@dot.com
This will produce something like this:
-----BEGIN PGP MESSAGE----- Comment: For info see http://www.gnupg.org hQEOA9QD1LpROcE4EAQAg1EHC7h2n6ziXat276UZXrMsMkmYp5CUJx7DFgEMrOcm RjGcvF52HRBVjNiiiICN2PohAjWY3ZPCrzS0gALSkHIKQsRW+9eF5sCILtQCUERm Zls10oPsuSyGM1nrkfd84t9G3QrlJI7ojUAtzD9CFbQOUm/CFWF0Xn7vVSDfNckD /iG43Irj4GmHy5IWclXveZmYe/Z6jSxfwJhn2YqL4ihyRchXIWIykESoaBQSR9rt 0WUo+h0dbbWK2/NoC3kzfj3IbM2VvHnuGh4jgL8C8FcwFkypzuoP+h5RJesc1H+l XHJZBYCZN4y4+YLgSqtlgZBFZMy/PpLFi3smSiqj3HyV0kwB7FJjMswEyRhiAEbc 9+DMW0Y6m/V9NZ92ORjLBvKmjz/UoLOlHqhA/OR5knD3nn6IJu5OZHXt+IUEUhYC QnM+Zs1Rug+v6lYBCpN7 =Rjs4 -----END PGP MESSAGE-----
Send that to bob and he can decrypt it like so:
#!/usr/bin/perl -w use strict; use Carp; use GPG; my( $gpg ) = new GPG( homedir => "/home/bob/.gnupg" ); croak $gpg->error() if $gpg->error(); my($text) = join( "", <> ); my( $dec ) = $gpg->decrypt( BOBS_PASSPHRASE, $text ); croak $gpg->error() if $gpg->error(); print $dec;
Which produces:
Can you read this
note: I leave how to get the bob's passphrase as an exercise. Just remember the passphrase is the Achilles heel of GnuPG - lose it and you've lost your ability to decrypt records (or worse, you've given someone else the opportunity to read your data). Write it down, seal it in an envelope and lock it in a safe and have dual control to open it up (remember - onion).
|
---|
Replies are listed 'Best First'. | |
---|---|
Re: Getting Started with GnuPG and GPG
by jaf0faj (Novice) on Mar 13, 2012 at 13:10 UTC | |
by derby (Abbot) on Mar 14, 2012 at 13:09 UTC | |
by jaf0faj (Novice) on Mar 17, 2012 at 00:58 UTC | |
by Anonymous Monk on Mar 14, 2012 at 06:24 UTC | |
by derby (Abbot) on Mar 14, 2012 at 12:54 UTC |