Before this lab, you should prepare the following on your own:
The sender and the recipient have the same key.
Sender:
Recipient:
Besides the ciphertext, the key must also be delivered!
The sender and the recipient each have their own key pair (Pub/Prv). They exchange the public keys.
Sender:
Recipient:
Example with mcrypt:

    $ mcrypt --list
    blowfish (56): ofb cfb nofb cbc ecb ncfb ctr
    des (8): ofb cfb nofb cbc ecb ncfb ctr
    blowfish-compat (56): ofb cfb nofb cbc ecb ncfb ctr
    tripledes (24): ofb cfb nofb cbc ecb ncfb ctr
    enigma (13): stream

    $ mcrypt -a des moj_plik
    File: moj_plik
    Enter the passphrase (maximum of 512 characters)
    Please use a combination of upper and lower case letters and numbers.
    Enter passphrase:
    Re-Enter passphrase:
    File moj_plik was encrypted.

    $ mdecrypt moj_plik.nc
    File: moj_plik.nc
    Enter passphrase:
    File moj_plik.nc was decrypted.

    $ md5sum moj_plik
    02a5c225dab5aaf2801c896c22203ac6 moj_plik
    $ md5sum /bin/bash
    603492287ea2f26b9fb9266c961d5b0c /bin/bash
    $ du -h /bin/bash moj_plik
    503k /bin/bash
    2.0k moj_plik

The sender and the recipient have key pairs (Pub/Prv). They exchange the public keys.
Sender:
This is the variant of signing combined with message encryption.
Recipient:
The most important steps in using the program:

    $ gpg --gen-key
    gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
    gpg: /home/gjn/.gnupg: directory created
    gpg: /home/gjn/.gnupg/options: new options file created
    gpg: you have to start GnuPG again, so it can read the new options file
    $ gpg --gen-key
    gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
    gpg: /home/gjn/.gnupg/secring.gpg: keyring created
    gpg: /home/gjn/.gnupg/pubring.gpg: keyring created
    Please select what kind of key you want:
    (1) DSA and ElGamal (default)
    (2) DSA (sign only)
    (4) ElGamal (sign and encrypt)
    Your selection?
    DSA keypair will have 1024 bits.
    About to generate a new ELG-E keypair.
    minimum keysize is 768 bits
    default keysize is 1024 bits
    highest suggested keysize is 2048 bits
    What keysize do you want? (1024)
    Requested keysize is 1024 bits
    Please specify how long the key should be valid.
    0 = key does not expire
    <n> = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
    Key is valid for? (0)
    Key does not expire at all
    Is this correct (y/n)? y
    You need a User-ID to identify your key; the software constructs the user id
    from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
    Real name: Grzegorz J. Nalepa
    Email address: gjn@agh.edu.pl
    Comment: Akademia Gorniczo-Hutnicza
    You selected this USER-ID:
    "Grzegorz J. Nalepa (Akademia Gorniczo-Hutnicza) <gjn@agh.edu.pl>"
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
    You need a Passphrase to protect your secret key.
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    +++++.+++++.+++++..+++++.+++++.+++++++++++++++++++++++++++++++++++++++++++++
    public and secret key created and signed.

    $ gpg -a --export gjn > klucz_publiczny_gjn.asc
    $ file klucz_publiczny_gjn.asc
    klucz_publiczny_gjn.asc: GPG key public ring
    $ gpg --list-keys
    /home/gjn/.gnupg/pubring.gpg
    ----------------------------
    pub 1024D/51DDA662 2003-01-08 Grzegorz J. Nalepa (Akademia Gorniczo-Hutnicza) <gjn@agh.edu.pl>
    sub 1024g/D9D30169 2003-01-08
    $ gpg --import ~/Igor.asc
    gpg: key 65DE877A: public key imported
    gpg: Total number processed: 1
    gpg: imported: 1
    $ gpg --list-keys
    /home/gjn/.gnupg/pubring.gpg
    ----------------------------
    pub 1024D/51DDA662 2003-01-08 Grzegorz J. Nalepa (Akademia Gorniczo-Hutnicza) <gjn@agh.edu.pl>
    sub 1024g/D9D30169 2003-01-08
    pub 1024D/65DE877A 2001-10-22 Igor Wojnicki <wojnicki@agh.edu.pl>
    sub 1024g/1819CFA3 2001-10-22
    $ gpg --edit-key Wojnicki
    gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
    pub 1024D/65DE877A created: 2001-10-22 expires: never trust: -/q
    sub 1024g/1819CFA3 created: 2001-10-22 expires: never
    (1). Igor Wojnicki <wojnicki@agh.edu.pl>
    Command> sign
    pub 1024D/65DE877A created: 2001-10-22 expires: never trust: -/q
    Fingerprint: 11A0 0ED7 A3DB 0614 8B53 52DD 23F4 A7DA 65DE 877A
    Igor Wojnicki <wojnicki@agh.edu.pl>
    Are you really sure that you want to sign this key
    with your key: "Grzegorz J. Nalepa (Akademia Gorniczo-Hutnicza) <gjn@agh.edu.pl>"
    Really sign? y
    You need a passphrase to unlock the secret key for
    user: "Grzegorz J. Nalepa (Akademia Gorniczo-Hutnicza) <gjn@agh.edu.pl>"
    1024-bit DSA key, ID 51DDA662, created 2003-01-08
    Command> quit
    Save changes? yes
    $ gpg -a --export gjn
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.0.6 (GNU/Linux)

    mQGiBDu3Bh4RBACLZSaCMKZsYc1XIxFC3WyViY3qREBdC5Wo9D77ppBbmIHlWG/8

    $ gpg --encrypt --armor -o moja_wiadomosc.asc moja_wiadomosc
    You did not specify a user ID. (you may use "-r")
    Enter the user ID: Nalepa
    $ head -5 moja_wiadomosc.asc
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    hQEOA7Ek7eXZ0wFpEAP9ErVtkzekylOUMOyf2d+tw17eVUd7w5OGK++AZ6IZRXLB
    $ file moja_wiadomosc.asc
    moja_wiadomosc.asc: PGP armored text message

    $ gpg --decrypt -o moja_wiadomosc moja_wiadomosc.asc
    You need a passphrase to unlock the secret key for
    user: "Grzegorz J. Nalepa (Akademia Gorniczo-Hutnicza) <gjn@agh.edu.pl>"
    1024-bit ELG-E key, ID D9D30169, created 2003-01-08 (main key ID 51DDA662)
    gpg: encrypted with 1024-bit ELG-E key, ID D9D30169, created 2003-01-08
    "Grzegorz J. Nalepa (Akademia Gorniczo-Hutnicza) <gjn@agh.edu.pl>"

    $ gpg --sign --armor -o moja_wiadomosc.sign moja_wiadomosc
    You need a passphrase to unlock the secret key for
    user: "Grzegorz J. Nalepa (Akademia Gorniczo-Hutnicza) <gjn@agh.edu.pl>"
    1024-bit DSA key, ID 51DDA662, created 2003-01-08
    $ head -5 moja_wiadomosc.sign
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    owGNlL1v1DAYxo9+CIjEcExIMFiKkBgCTlLdtYW7Y0BMwFDEwkLlOA4XiD9kO73

    $ gpg --clearsig -o moja_wiadomosc.asc moja_wiadomosc
    You need a passphrase to unlock the secret key for
    user: "Grzegorz J. Nalepa (Akademia Gorniczo-Hutnicza) <gjn@agh.edu.pl>"
    1024-bit DSA key, ID 51DDA662, created 2003-01-08
    $ grep -A1 '^-----BEGIN' moja_wiadomosc.asc
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    --
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    $ gpg --verify moja_wiadomosc.asc
    gpg: Signature made Fri Nov 29 00:55:22 2003 CET using DSA key ID 51DDA662
    gpg: Good signature from "Grzegorz J. Nalepa (Akademia Gorniczo-Hutnicza) <gjn@agh.edu.pl>"

    $ gpg --verify patch-2.4.20.gz.sign patch-2.4.20.gz
    gpg: Signature made Fri Nov 29 00:57:46 2002 CET using DSA key ID 517D0F0E
    gpg: Good signature from "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>"

    $ gpg -sear Wojnicki -o moja_wiadomosc_do_igora.asc moja_wiadomosc_do_igora
    You need a passphrase to unlock the secret key for
    user: "Grzegorz J. Nalepa (Akademia Gorniczo-Hutnicza) <gjn@agh.edu.pl>"
    1024-bit DSA key, ID 51DDA662, created 2003-01-08

generating the keys on the machine we log in from:

    enterprise$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/gjn/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/gjn/.ssh/id_rsa.
    Your public key has been saved in /home/gjn/.ssh/id_rsa.pub.
    The key fingerprint is:
    b2:2e:01:08:31:21:43:04:87:65:dc:ea:1c:dc:07:95 gjn@enterprise

copying the public key to the machines we log in to:

    enterprise$ scp .ssh/id_rsa.pub gjn@voyager:.ssh/id_rsa.pub-enterpise
    gjn@voyager's password:
    id_rsa.pub 100% |*****************************| 604 00:00

appending the public key to the list of authorized keys:

    enterprise$ ssh voyager 'cat .ssh/id_rsa.pub-enterpise >> .ssh/authorized_keys'
    gjn@voyager's password:
    voyager$

logging in with the key:

    enterprise$ ssh voyager
    Enter passphrase for key '/home/gjn/.ssh/id_rsa':
    Linux voyager 2.4.20 #4 Sun Jan 5 20:32:43 CET 2003 i586 unknown
    voyager$

forwarding authentication via the SSH agent:

    enterprise$ ssh-add .ssh/id_rsa
    Enter passphrase for /home/gjn/.ssh/id_rsa:
    Identity added: /home/gjn/.ssh/id_rsa (/home/gjn/.ssh/id_rsa)
    Identity added: .ssh/id_rsa (.ssh/id_rsa)
    enterprise$ ssh [-A] voyager
    Linux enterprise 2.4.20 #4 Sun Jan 5 20:32:43 CET 2003 i586 unknown
    $ voyager

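
The authorized_keys step above uses a bare `cat ... >> .ssh/authorized_keys`; the added example below (not part of the original page) is one way to perform that step idempotently and with the file modes sshd expects. The function name `install_pubkey`, the key-type allow-list and the sample key line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; install_pubkey is a hypothetical helper, not part of OpenSSH.
# Usage: install_pubkey PUBKEY_FILE [HOME_DIR]
# The body is a subshell "( ... )" so umask 077 does not leak into the caller.
install_pubkey() (
    pub=$1
    dir=${2:-$HOME}/.ssh
    auth=$dir/authorized_keys
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; exit 2; }

    # First non-blank, non-comment line: "<type> <base64> [comment]".
    line=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$pub" | head -n 1)
    ktype=${line%% *}
    rest=${line#* }
    kdata=${rest%% *}

    # Allow-list of key types (an assumption of this example). A private key
    # file ("-----BEGIN ...") copied by mistake is rejected here.
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not a public key line: $pub" >&2; exit 3 ;;
    esac
    case $kdata in
        ''|*[!A-Za-z0-9+/=]*) echo "bad key data in $pub" >&2; exit 3 ;;
    esac

    # With StrictModes, sshd refuses files writable by group or others.
    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # Already present (same type and data, any comment): nothing to do.
    grep -qF -- "$ktype $kdata" "$auth" && exit 0

    # If the file lacks a final newline, a plain ">>" would glue the new key
    # onto the previous entry and break both.
    [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ] && echo >> "$auth"
    printf '%s\n' "$line" >> "$auth"
)

# Demo in a scratch directory with a constructed (not real) key line.
demo=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkU2FtcGxlS2V5 gjn@enterprise' > "$demo/id.pub"
install_pubkey "$demo/id.pub" "$demo/home"
install_pubkey "$demo/id.pub" "$demo/home"   # second run is a no-op
wc -l < "$demo/home/.ssh/authorized_keys"
rm -rf "$demo"
```

On the remote host it would be called with the copied file, for example `install_pubkey .ssh/id_rsa.pub-enterpise`.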
Note: the exercises are done on student!
gpg --gen-key, do NOT change the proposed default values (except the first one: algorithm (2) = DSA and ElGamal)
--sign
cd /tmp
gpg --list-keys
--export
--import
md5sum
the hash of a chosen file.
echo a >> plik, compute the hash and compare it with the earlier one.
Using a chosen symmetric algorithm, encrypt/decrypt a file with mcrypt.
Working with GPG can be assisted by:
gnupg gnupg-doc gpa mcrypt openssh-client openssh-server