Re: how to have a gpg public key?

• Previous message: Ivan Wills: "help apache-ssl does not show any pages"
• In reply to: Michael D. Crawford: "Re: how to have a gpg public key?"
• Next in thread: Louie Miranda: "Re: how to have a gpg public key?"
• Reply: Louie Miranda: "Re: how to have a gpg public key?"
• Reply: Vineet Kumar: "[OT] Re: how to have a gpg public key?"
• Reply: Paul Johnson: "Re: how to have a gpg public key?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Louie Miranda <louie@axishift.ath.cx>
Date: 21 Jul 2003 23:08:53 -0700

Bah dum ba...

1st: A problem with this list is its huge signal to noise ratio.
     If you don't have an answer to give jokes are less than helpful.

2nd: Louie, the answer to your question is:

You don't need just a gpg public key. What you probably want is a
gpg key pair. Having just a public key doesn't do you much good.
You need both a private key and a public key; the two keys
together make up an asymmetric key pair. (and they are dependent
on each other; you can just use any public key with any private
key. they have to be created together.

Since your post implies you may be new to the world of
asymmetric ciphers I'll add a little bit of theory here...

symmetric ciphers are ones such that only a single key is
needed. You use the single key to turn plaintext into
cipher text by encrypting the plaintext with the key
(well actually you use an algorithm that requires both
the key and the plaintext as input.)

its "symmetric" because to turn the ciphertet back into
plaintext (decryption) you use the same key.

This has some disadvantages: anybody that knows the key
can encrypt and decrypt anything to/from you and they
can even give the key away and then basically everybody
can encrypt and decrypt your messages and you are just
wasting time.

They don't readily support current security concepts of
digital signatures. But they are very strong for their
key size (in bits) compared to what I will now describe...

So along comes asymmetric key systems.

basically you have two keys A and B. If you encrypt with
key A you need to know only key B to decrypt it. GPG, RSA, PGP
take this a bit further they also support the fact that if
you encrypt with B you can decrypt the message with A.
(not all asymmetric systems do B->A)

So what? Well let's call A "private" and B "public". (we
could have called either one private it wouldn't matter.) Nobody,
and I mean nobody, else should ever know the private key other than
the owner (i.e. you). But *everybody* can/should/may be
allowed to have complete knowledge of the "public" key.

Now if they want to send you a message that only you can
read they encrypt the message with your public key knowing
that only you possess the private key necessary to decrypt
the message and other people who also know the public key
still can't decrypt it because the public key won't decrypt
that which was encrypted using the public key. (If you want
to send encrypted messages to them you need to know *their*
public key and encrypt with that. (that part is a bit
unintuitive to security beginners who are use to using the
same set of secrets to both send and receiver messages.)

But now you can also digitally sign messages. You simply encrypt
the message with your private key. people know your public key
and only the public key will decrypt the message is if it was
encrypted with your private key. AND *only* you know the private
key. Therefor if the public key successfully decrypts the message
then it must have been you that wrote it.

So it good to have a private key for signing your outgoing
mail so that others can know and use your public key to
verify that you actually wrote the messages.

This is glossing over a lot of the problems associated with
two sticky points:
  1) how do you reliably distribute your public key?
  2) What happens if somebody else actually does come to
     know your private key? (this requires the ability to
     "revoke" a key pair.)

  These are why Veri$ign charges $75 per year to maintain
certificates on their distribution system.

anyhow, that was a lot of theory, here's your answer...

##############################################################
This is what you really wanted to know...
  gpg --gen-key
##############################################################

it will interactively ask you a bunch of questions.
You probably want DSA ElGamal keys since these let
you sign and encrypt stuff

keysize of 1024 is ok, but some recent work in the area of
number theory indicates that somebody with about 10 billion
dollars can create a specialized computer capable of cracking
such keys in a not-unreasonable period of time.

I go with 2048, the disadvantage is that it takes quite a bit
more processor time to sign and encrypt using larger keys. It
also makes your armor (ascii) representation of your public
key crazy huge.
 
you will be asked for a passphrase... This is sort of like
a password. actually its a symmetric key that you pick that
will be used to encrypt your private key. This way even if
your system gets stolen that can't figure out what the
private key is since it, itself, is encrypted. Anything that
needs access to your private key such a mail user agent
will prompt you for this passphrase.

Want to be fascist like me? check out
  http://world.std.com/~reinhold/diceware.html

its a system for creating memorizable passphrases that are
many words long. each letter of such a passphrase generates
approximately 3 bits of entropy (random data). So a such
a passphrase consisting of 6 words with an average length
of 4 characters generates 24 characters * 3 bits = 72 bits.
Thus your private key will be encrypted with a strength
roughly equal to a purely random 9 character password. But
you'll be able to remember it (while we are back on
theory: symmetric keys are generally stronger than asymmetric
systems. it takes about 1024 bit asymmetric keys to obtain
the same strength as an 80 bit symmetric key. Such
such a passphrase it really strong.

Oh... you're second question is gonna be... what happened
to the keys gpg generated? Well it stored them on your
"keyring". you collect keys and store them on this "ring"
and then you can select which one you want to use to decrypt
or encrypt something.

But you need to get your public key in an exportable fashion...

######################################################################
Your second bit of meat...

   gpg --export --armor
######################################################################

now you can give the resulting block to the rest of the world.
(I've assumed you only have one public key on your keyring.

gpg --list-keys
gpg --list-public-keys
gpg --list-private-keys

will show you your various keys. Though since you are asking
about creation you'll probably just have the one single
public key and the above command will export the armor block
version of it to stdout.

gpg --export --armor somestring

would export the public key that has "somestring" as part
of the name given to it when it was created.

umm... sorry for the length but it should have answered your
question and more.

last tip... "evolution" is apretty good graphical mail user
agent and it has good support built in for signing and
encrypting mail using GPG/PGP

What you should wind up with is something that looks like this...

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)

mQGiBD8czdURBACrz4UfwKHHqIFBa+1spiFn8OJ+JoHyZpUlDZXjV5qWMLTjJ+FD
S1YTHWAb49n9e+ZwzlPiHs5tSeKXK3bKHddwrmuBscRe1ZXKZunN1U/TDd49VZbD
5YHWdxCQwnLK3RnZ/oVhqvSLEV9F8ACcBkaegrOj3iDIVxEvxww3RZzVfwCgvHs2
caFrD9FqgDSbIoZe7NsQrTED/0T+XdIxtDjNQNdA5TS7E1HdIBqXsen3hygYsre/
3O8cmD8uwINhygYu4VUXmMRBOnt3AzKdIm72UV2ShtrVL3V6qJDIGwhx4mlolKer
325mR1OfDSsHE2G3cSmmbdsptFdtdldpTZ9ZxKW5vfnQkcWXHwBQ+I7LfVuqg2cw
XEULA/0aTAJYf9DHnBilqmPRtixgT9c47ZWsreSF3wD07Q0T4YotzIHsvmKJgA6X
mEwB/Q7PQWhzYgL9WyRzNF3dxlZ855jUBiyJOpSBTXFDs625U3/384l+h+2cGAyk
0GMQ0xuh4N7vicwwj/gJic3nsoimoBedtPmkrIvBZ+GCXBi6VrQlSmVmZnJleSBX
aWVnbGV5LCBQaEQgPGplZmZ3QGN5dGUuY29tPohZBBMRAgAZBQI/HM3VBAsHAwID
FQIDAxYCAQIeAQIXgAAKCRBMXNqawuYjSSW6AJ95YTZMycvSTNDBtrttOTj0l3LT
7wCdHGdFrzBiGQezckJOLKwkihGbxim5Ag0EPxzN3xAIALrNh1X84y42rZyLfn72
s5KChctZskNuCAbcEtxCNDEFNx9FzRvzv9T3j30RF8dE66phRcAZwvuF1PKUbw3a
ojIFTm1Ow50p1cVxXnfNh0IOsfElrUz9Tor4yQxZkoUUS190eCb6FCk3vB7wC1vK
ilKtdkl6UCzxbwOZhpqBxQ49jidDz9DoAUFiZn7+Fcey9ZaDsMDN0xqIabvrv1BP
zy58lHCX8j5wpcIsjBBbQ77kUUWkdQYqdqznHoWd7JgTWMngfHAnktUgZsrXxes6
t6nLrabjsGhhh9fzv31/hVmvYWKh0fBn5bDEXJlq0252QSqjsVpqrj1QcFd6+kSt
JzcAAwUH/0DmAI0yOUopFP+G4NCuJ1Jp/2FtRjkAIM8gRHFLxojpyB6lk9wykrms
wmuS3JBw5smpZ20DIUU8vca82nWxQgk9XE8G/qwVrWH+oTfyS3nnOKWuaZyDx40a
b16Gudp/wQMIex9kvN51PjPc2ltW94OzPwJ7c0nnqyXZWirlxBphuQjuXHJDl6qZ
rlHvQYGD5FNAxNyM4EERJi3bU4L9QZ1QqepJ/ppYAcVLqRS7RlCs/r0rGgubwb8o
uZlYkmTeoB1vSSzzaGcrAcP3eos3oJsPIxQAN+YY0DCVfdUCyAurQWrAfy/P79Wm
ziSP26VJK3x7OTMcpYWyBCTu5rUfYriIRgQYEQIABgUCPxzN3wAKCRBMXNqawuYj
SXOUAJ91l+Rng/ZpVl9YEmYLLzENX2hLZwCgg4yfhVq6gWe48+YwQ29z8IA5iJw=
=Fvnd
-----END PGP PUBLIC KEY BLOCK-----

which I just generated using the above two commands.

For more see "man gpg". Sorry if you already knew all the
theory stuff and were just having gpg syntax problems.

- Jeff

On Mon, 2003-07-21 at 22:35, Michael D. Crawford wrote:
> > How can i have a gpg public key?
>
> Go to a locksmith in your nearest town and ask them to cut you one. They keep
> blanks on hand.
>
> Warmest regards,
>
> Mike
> --
> Michael D. Crawford
> GoingWare Inc. - Expert Software Development and Consulting
> http://www.goingware.com
> crawford@goingware.com
>
> Tilting at Windmills for a Better Tomorrow.
>
> "I give you this one rule of conduct. Do what you will, but speak
> out always. Be shunned, be hated, be ridiculed, be scared,
> be in doubt, but don't be gagged."
> -- John J. Chapman, "Make a Bonfire of Your Reputations"
> http://www.goingware.com/reputation/
>

-- 
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

• Previous message: Ivan Wills: "help apache-ssl does not show any pages"
• In reply to: Michael D. Crawford: "Re: how to have a gpg public key?"
• Next in thread: Louie Miranda: "Re: how to have a gpg public key?"
• Reply: Louie Miranda: "Re: how to have a gpg public key?"
• Reply: Vineet Kumar: "[OT] Re: how to have a gpg public key?"
• Reply: Paul Johnson: "Re: how to have a gpg public key?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]