Sunday, March 7, 2010

Networking with Linux: Encryption Using GnuPG

Transferring data securely is one of the greatest challenges you will face as a network administrator. New spyware is developed every day. Anyone can capture and modify unencrypted data packets and cause you severe damage. So today I will talk about encrypting data. We will encrypt data with two of the most well-known algorithms, namely DES and RSA, using a very popular and robust tool called GnuPG (GNU Privacy Guard), but first let us talk about these algorithms a bit. Encryption algorithms are classified into two categories: symmetric key cryptography and asymmetric key cryptography. A natural question arises: "what is a key?" A key is a string which is used to encrypt and decrypt the data. In symmetric key cryptography there is only one key for both encryption and decryption, while asymmetric key cryptography uses two keys, one for encryption and another for decryption.

Now let us start talking about GnuPG. First of all we will install it. Fedora users can use yum to install GnuPG:
yum install gnupg
while Ubuntu users can run the following command:
sudo apt-get install gnupg

Now that we have a working instance of GnuPG, let's create a key. At the command prompt type:
gpg --gen-key
This will prompt you to choose the algorithm you want. Let us begin with RSA, an asymmetric cryptographic algorithm. It has two different keys, namely a public key and a private key. Anything encrypted with the public key can only be decrypted by the private key, and vice versa. The idea is to share the public key with the entire world and keep the private key secret. So if anyone wants to send you some data, he/she will encrypt it with your public key and send it. Only your private key will be able to decrypt it.
Next you have to decide the key size. While a longer key gives more security, it also adds computational cost. For now we will go with the default key size, that is, 2048 bits. So type the key size and press Enter.
Now you have to decide the validity period of the key. Usually people choose the option "key does not expire", but at times it is advisable to set an expiration period, especially in scenarios where you have a contract with someone for a definite period of time. Let us choose "key does not expire" and hit Enter. You will be asked to confirm the choice.
Now you will be asked to enter a user ID. The required details are your real name, a comment and your email address. Enter these one by one.
Next you are required to create a passphrase. A passphrase is just a fancy name for a password, so enter a secure one.
Now the key will be generated. You are required to do a lot of random things: open some files, do some random clicks or type a few characters (this feeds the random number generator that the key is built from). After all this pain you have finally created a key.

Now let us create a revocation certificate. A revocation certificate comes in handy when you lose your key or it gets stolen. To create the certificate run the following command.
gpg --output revoke.asc --gen-revoke key-name
Here key-name is any specifier of the key. It can be your name, the comment or the email address.

Now let us try to encrypt a file named aditya.txt. For this you need to run the following command.
gpg --output enaditya.txt --encrypt aditya.txt
Now you will be asked to pick a key for the encryption. Specify the key using a key name/specifier, as above.

To decrypt the data use:
gpg --output deaditya.txt --decrypt enaditya.txt
and enter your passphrase.
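To tie the steps above together, here is an added example (it is not from the original post) that runs the key generation, encryption and decryption steps unattended in a throwaway keyring, and also shows GnuPG's symmetric (passphrase-only) mode, which is the counterpart of the symmetric key cryptography described at the top. It assumes GnuPG 2.1 or later and a POSIX shell; the name, email address, passphrase and sample file contents are constructed for the demo. GnuPG 2.1 and later also write a revocation certificate automatically when a key is created, so the script reports where that file lives instead of driving the interactive --gen-revoke dialogue from the post.

```shell
#!/bin/sh
# Added example (not from the original post): runs the post's key generation,
# encryption and decryption steps unattended in a throwaway keyring.
# Assumes GnuPG 2.1 or later (for --pinentry-mode and gpg-agent).
# The name, email address and passphrase below are constructed for the demo.

DEMO_NAME="Aditya Example"
DEMO_EMAIL="aditya@example.invalid"
DEMO_PASS="correct horse battery staple"   # constructed demo passphrase

# Create an isolated GNUPGHOME so the real ~/.gnupg is never touched.
setup_gnupghome() {
    GNUPGHOME=$(mktemp -d /tmp/gpgdemo.XXXXXX) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Lets gpg hand the passphrase to gpg-agent without a pinentry dialog
    # (needed on early 2.1 releases; the default from 2.1.12 on).
    echo "allow-loopback-pinentry" > "$GNUPGHOME/gpg-agent.conf"
}

# Unattended equivalent of the interactive `gpg --gen-key` dialogue:
# RSA, 2048 bits, no expiry, user ID and passphrase from a parameter file.
generate_key() {
    gpg --batch --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $DEMO_NAME
Name-Comment: added example key
Name-Email: $DEMO_EMAIL
Expire-Date: 0
Passphrase: $DEMO_PASS
%commit
EOF
}

# GnuPG 2.1+ writes a revocation certificate at key creation time; print
# its path (the post's interactive `--gen-revoke` is the manual route).
revocation_cert_path() {
    fpr=$(gpg --batch --with-colons --fingerprint "$DEMO_EMAIL" \
          | awk -F: '/^fpr:/ { print $10; exit }')
    [ -n "$fpr" ] && [ -f "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" ] \
        && printf '%s\n' "$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
}

# Public-key round trip: encrypt to the key, decrypt with the passphrase,
# and confirm the decrypted file matches the original byte for byte.
asymmetric_roundtrip() {
    plain="$GNUPGHOME/aditya.txt"
    printf 'constructed sample plaintext\n' > "$plain"
    # --recipient replaces the "pick a key" prompt described in the post.
    gpg --batch --yes --output "$GNUPGHOME/enaditya.txt" \
        --encrypt --recipient "$DEMO_EMAIL" "$plain" || return 1
    gpg --batch --yes --pinentry-mode loopback --passphrase "$DEMO_PASS" \
        --output "$GNUPGHOME/deaditya.txt" --decrypt "$GNUPGHOME/enaditya.txt" || return 1
    cmp -s "$plain" "$GNUPGHOME/deaditya.txt"
}

# Symmetric round trip: one passphrase both encrypts and decrypts
# (no key pair involved; GnuPG's default cipher is used).
symmetric_roundtrip() {
    plain="$GNUPGHOME/sym.txt"
    printf 'constructed symmetric sample\n' > "$plain"
    gpg --batch --yes --pinentry-mode loopback --passphrase "$DEMO_PASS" \
        --output "$plain.gpg" --symmetric "$plain" || return 1
    gpg --batch --yes --pinentry-mode loopback --passphrase "$DEMO_PASS" \
        --output "$plain.out" --decrypt "$plain.gpg" || return 1
    cmp -s "$plain" "$plain.out"
}

# Whole demo: returns 0 on success, 1 on failure, 3 when gpg is not installed.
run_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
    setup_gnupghome || return 1
    generate_key || return 1
    revocation_cert_path
    asymmetric_roundtrip || return 1
    symmetric_roundtrip || return 1
    # Stop the per-keyring agent before the directory is removed.
    command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent
    rm -rf "$GNUPGHOME"
    echo "round trips OK"
}
```

Save it as gpgdemo.sh, then source it and call the entry point: `. ./gpgdemo.sh && run_demo`. The parameter file fed to `gpg --batch --gen-key` answers the same questions the interactive dialogue asks (algorithm, key size, expiry, user ID, passphrase), and the isolated GNUPGHOME means the demo key and the encrypted files disappear with the temporary directory.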

DES key generation, encryption and decryption follow the same process. I will talk about key exchange and importing keys in a later post.