 |
|
^ click above ^ |
05.26.04
 By
Brian Hatch
Last time I showed you how to exchange and verify public PGP keys
with an individual. After you've verified a user's key (KeyID, bits,
type, fingerprint, and user's actual identity) you should sign their
key. Signing a key tells the PGP software (GnuPG in most cases
for us Linux heads) that you've acknowledged the key is legitimate
when verifying the signature. Let's take a look at the different verification
possibilities.
Here's the mutt[1] header of a PGP signed email, where we've never
downloaded the key at all: |
gpg: Signature made Wed Apr 14 18:59:36 2004 PDT using DSA key ID
D5D3BDA6
gpg: Can't check signature: public key not found
Compare to the next one, where we do have a copy of their public key,
but have never signed the key:
gpg: Signature made Wed Apr 14 18:59:36
2004 PDT using DSA key ID D5D3BDA6
gpg: Good signature from "John Doe (My First PGP Key) < jdoe@example.com
>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B53F E57B D0C1 F689 FCE2 5623 5B9A A5F8 801E
A932
Or this one, where the public key is on our keyring, and the key is
signed by us:
gpg: Signature made Wed Apr 14 18:59:36
2004 PDT using DSA key ID D5D3BDA6
gpg: Good signature from "John Doe (My First PGP Key) <jdoe@example.com>
"
And, to round things out, one where the key is on our keyring, signed
and all, but the signature is invalid (the message was corrupted in
transit, most likely)
gpg: Signature made Wed Apr 14 18:59:36
2004 PDT using DSA key ID D5D3BDA6
gpg: BAD signature from "Jon Doe (My First PGP Key) <jdoe@example.com>"
The third example above is what we'd like to see - messages signed
by other parties whom we've verified, received with a valid signature,
assuring us that the message came unaltered from the owner of the
PGP key. When you see this success, either the individual sent it
and all is well, or their key has been compromised, no other possibilities
exist. Naturally, we're hoping they haven't been compromised...
Before we sign the key, let's check out the existing signatures on
this key on our keyring:
# Show the key, and all the signatures too
$ gpg -kvv D5D3BDA6
pub 1024D/D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <jdoe@example.com>
sig 3 D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <jdoe@example.com>
sub 1024g/26F8D783 2003-12-14
sig D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <jdoe@example.com>
Yup, the key is just signed by John himself, no one else yet. Now
it's time for us to sign his key, so GnuPG will stop telling us that
it's untrusted, and so we can introduce John to other people:
$ gpg --sign-key jdoe@example.com
pub 1024D/D5D3BDA6 created: 2003-12-14 expires: never trust: -/f
(1). John Doe (My First PGP Key) <jdoe@example.com>
pub 1024D/D5D3BDA6 created: 2003-12-14 expires: never trust: -/f
Primary key fingerprint: 0E43 DC31 C484 431C 5B07 3875 7B2D D3D8 D5D3
BDA6
John Doe <jdoe@example.com>
How carefully have you verified the key you are about to sign actually
belongs to the person named above? If you don't know what to answer,
enter "0".
(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.
Your selection?
At this point you get to tell GPG how thorough you were in verifying
the key owner's identity. If you followed the procedures in the previous
article, you probably verified their identity by looking at their
driver's license, passport, doing a fingerprint scan and DNA test,
etc. In my opinion, if you can't honestly say #3 above, then you shouldn't
be signing the key at all.[2]
Ok, so, let's get this finished up:
Are you really sure that you want to sign this key with your key:
"Jane Doe (Home Key) <janedoe@example.net>>"
I have checked this key very carefully.
Really sign? yes
You need a passphrase to unlock the secret key for user: "Jane Doe
(Home Key) <janedoe@example.net>" 1024-bit DSA key, ID 42851101,
created 2004-01-01
|
Effective
online ads.  |
|
Passphrase: (type passphrase)
Note the utter lack of output in the event that you've typed the passphrase
correctly - good old Unix tradition at work. So, let's check out the
key now and see our new signature on it.
# Show the key, and all the signatures
too
$ gpg -kvv D5D3BDA6
pub 1024D/D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <jdoe@example.com>
sig 3 D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <jdoe@example.com>
sig 3 42851101 2004-04-19 Jane Doe (Home Key) <janedoe@example.net>
sub 1024g/26F8D783 2003-12-14
sig D5D3BDA6 2003-12-14 John Doe (My First PGP Key) <jdoe@example.com>
So you can now see that Jane has signed John's key on 19-Apr-2004
with her key, 0x42851101. At this point it's a good idea to send the
newly signed key back to John, and if he has no objections upload
it to the keyservers as well so everyone can benefit from her signature.
We covered this previously, but here's a reminder:
# Send all keys to keyservers
$ gpg --send-keys
# Or just the one key
$ gpg --send-key "john doe"
# Extract and email him his signed key
$ gpg --export -a 'john doe' > john_keys.asc
$ mutt -a john_keys.asc jdoe@example.com
There are, of course, other ways you can get the keys to owner if
you want. For example rather than attaching the key manually as I
have above with mutt[3] you could attach the key using esc k from
the message creation screen. Incidentally, if someone sends you keys
in email, you can import them using ctrl-k in mutt.
So, by this point we have all the important parts of PGP/GPG/GnuPG
in our hands. You can create your keys, verify and sign the keys of
others, verify and/or encrypt data. Many tools have built in PGP support
to save you from working on the command line, which will make work
with PGP as seamless as working with your editor.[4]
NOTES:
[1] Greatest email program in the world
[2] There is a second kind of signature, called a local signature.
This type of signature won't be exported to any keyservers, so no
one would know you signed their key. This is useful if you want to
stop getting "untrusted signature" warnings on keys that you're fairly
sure are legit, but don't want to have others believe you have actually
verified. The PGP key that comes with your Linux distribution would
be a good candidate for local signing. To sign locally, you'd use
gpg --edit-key and then lsign, but I won't cover that further.
[3] I simply cannot plug this email client enough...
[4] And, naturally, that editor should be vim. ;-)
About the Author:
Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
Linux Exposed and Building
Linux VPNs. Brian can be reached at brian@hackinglinuxexposed.com.
Read this newsletter at:
http://www.linuxpronews.com/2004/0526.html |
|
| From
the Forum: |
| Anyone
know where I can get multiple forums? |
Does anyone know of a forum system/ software/
service which will allow me to set up many forums while allowing
the users of each forum to log into each and every forum with
one username and password?
I don't mind if it's remotely hosted. I think proboards allow
its members to log into all proboards with one username and
password (I could be mistaken) ..but I kinda don't like proboards
much. ...
|
 |
|
