Chapter 3 Public Keys

3.1 Getting Someone ’ s Public Key

Sam sends Bob a link (http://crypto.loshin.com/my.public.key.asc/) and says,“You’ve got GnuPG installed and ready to go; just go to my link and you’ll see my public key³. What I want you to do is copy that whole public key block, starting from the first hyphen of the first line, and ending just after the last hyphen of the last line. In your browser window, highlight the whole thing (on Windows, press,Ctrl-c., on a Mac press ,Command-c., on Linux, just leave the key highlighted

2To be really safe, consider MAC spoofing. See Reverse Engineering Forensics (http://crypto.

loshin.com/2013/01/17/reverse-engineering-forensics/) for more information.

3Or, download it from a public keyserver, and compare it to the key at the URL provided; that makes it harder for an attacker to fake a public key. For more about keyservers, see Chapter 6.

25 Public Keys

when you switch to the terminal window). The public key I’m pointing you to looks like this”:

---BEGIN PGP PUBLIC KEY BLOCK ---

mQENBFD1u2UBCADNwvLGUnivhWrL+UtpkohaZXpdwCbO8cKVf3aeLsTZi8iP2bKT /LaopR+tr+mA4AwU5biHBrm7FHLrBef49qUqiCI7v0vjlH7NBEEfIZwscnMZUjke EVNE7g+Ag+yJLCNaMJRuTuSLoDV4gIevIZgJ1TFwpHoXoo173O4xIgr4R75qkIPg 5I5GMRXZ+MSlerEAanfrTG8HFeNhPaOrLKj4GzJr+SAdOqVuLp+DNf1xCAhGHmpR HcQLCgFqpAanFSOGgFRxRMoo2Gu7Kw5rqHu5N3v4H2h+Q2jaHSYDw9UHzBkD4ZRJ IdC+AXgpZ1K/+ghy9jXsNohi1efJ7akMLM7jABEBAAG0P1NhbSBNYWxsb3J5IChQ ZXJzb25hbCBDcnlwdG9ncmFwaHkpIDxzYW0ubWFsbG9yeS40MDRAZ21haWwuY29t PokBPwQTAQIAKQUCUPW7ZQIbAwUJBKKGAAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4B AheAAAoJEDs7s7MaD3Ea3hIH/i2Gpt951eboWUp480dWJr5ZfaKpkgWA+aDWN2K6 D1fo3NkxrOiD5U2fdfrAaCBeA4iAL9f1BQiYjmep6dY6oupmHODvS+euYl5rsTOl Ey7WRhGqJ+HjQ6tc2/wfgVi/QS2vLtHn9Hr6LDg8QoIyfVTfDd6x+k1Bk3n02yOh Ruz70vUTiW8XSiFWlKoK2JFa3gjdRJW7CoK4ZFlHLX8O9mJEvQOwVB0BVP1XMfQn 1+2Y+w2CdgHJ/HklLxp7u39F8eixS9cfx1jILibMATxhkV9Y3BjrCZY4NM1JQL/F GTo59BzTkoGIyKfgMLl3WWhgca3qoFE77IJ3dzKKRgaEVb65AQ0EUPW7ZQEIAJXF +iJ2U5+56rwq64x3GsT8SebhRXYfapdllHTryYxKaPs6FROTthpFevSKrCOEwnSi lsW2EEUCKZ+oSUYcOqxMs0ugTYu2WXtSZNA6n1LARZIRrNmvjicOYm5GJDsUmz1y nUkmde9qLsgc9f5oEvsRbGh3CIVko8gDapnnO2NWA76zUhgEXC7tA5fzkEtWYN3E CSJjKMqwiSxHhjsNfQE4tyranXnsOAx0RuseD/zyNUuKe+Cl+NDDHR15YtSwDMUw ZU7eWDIp0vkRkfzKX0nFVYVwDvP36uUhtjU2aPhfvf6bxhrnzxYSswsyf0HyQdVw 2GblWF/nSvNAXYrUEpEAEQEAAYkBJQQYAQIADwUCUPW7ZQIbDAUJBKKGAAAKCRA7 O7OzGg9xGs3VB/0QP8xfjDCOthQd57EAuntkJ+hN5cI8mRZGo540+vleI8qO1WYe HjTMeTe1karIdDHbDOPFYAdA1F6OcD/jbCSObBHr2RsNfHSMeN5MLFZY9Uwepf1y DEgC5Cjei5TY2oQJKIKrmF2egtP3e+RgDszNoDaFM6+m+I2703qGTeSXa1VUUd9Q lEXCHbWZYedu+pmBkRQaEqPo0ug4kMfuctew35n56eF32hzlU1paEoqGsggdW8Q/

I7bUUOZ8hJqPfMLNe5IZge2j2llA/ZQQH39RxVJCnaqgrkxCWI99PvvkF89W29mD AgW6nCFtEZnn/4bMEWfwf452TCQmvWR/ajN9

=qxpG

---END PGP PUBLIC KEY BLOCK---

“Now, in the terminal window, enter the GnuPG command gpg --import; when you hit ,Enter., you’ll get the same sort of nothing as we did before when we were encrypting interactively. Then paste the public key⁴. You’ll see that big chunk of text, with the flashing cursor at the end of the last line. Then, press ,Enter. once, then the

‘end-of-file’ character⁵.” Bob followed along, and was rewarded with this output from GnuPG:

gpg: key 1A0F711A: public key "Sam Mallory <sam.mallory.404@ gmail.com>" imported gpg: Total number processed: 1

gpg: imported: 1 (RSA: 1)

Sam says,“That’s what it looks like when the public key is imported the first time; if you already had my key in your keyring, GnuPG would try to update the key and return a message about it being updated (if

4,Ctrl-v.on Windows,,Command-v. on a Macintosh or middle mouse click on Linux.

5Ctrl-z on Windows, Ctrl-d on OS X/Linux.

something in my key had changed) or a message that the key is unchanged.

If the public key wasn’t valid, you’d get a message, and so on.”

“Now,” Sam says, “you’ve got my public key in your keyring so you can do public key encryption, but only with me, for now. Type your essay in at the command line to encrypt it. Start by entering the commandgpg -ao essay.gpg -r 'Sam Mallory' -eand press,Enter., then type in the essay, and after the last line press,Enter. and‘end-of-file’.”

Bob says “This seems so complicated,” as he types in the terminal window:

$ gpg -ao essay.gpg -r 'Sam Mallory' -e Free Sylvania!

Now is the time for all good men to come to the aid of their country!

“Nothing seems to have happened,”Bob says.

“Actually, a lot happened,” says Sam, “but let’s translate the com- mand. It starts with gpg--start GnuPG; then, two options, -a (for ASCII-armored output) and -o (short for --output) tells GnuPG to write ciphertext to the filename that follows,essay.gpg.”

Sam continues. “Then we get to -r, short for --recipient, which means I want to specify a recipient from my keyring. It can be a name, an e-mail address, or key ID. In this case, you typed in the name, in quotes, from the public key you just imported⁶. Finally, you specified the-ecommand (short for --encrypt) telling GnuPG to encrypt to the recipient’s public key. Then GnuPG encrypts and writes the result to the file.”

“One way to‘read’ this command is to start from the last part:‘Do public key encryption using the public key for Sam Mallory, and out- put the result with ASCII-armor, into a file calledessay.gpg’.”

Sam sips from his champagne flute and says, “GnuPG took the data you entered, encrypted it with my public key, and wrote ASCII- armored ciphertext into the file. Do a directory listing for files with the extensions.gpg, and you’ll see--the command would be ls .gpg (or dir.gpgon Windows).”

6Also acceptable would have beensam.mallory.404@gmail.com(the e-mail address associ- ated with that key) or1A0F711A(key ID).

27 Public Keys

This is what Bob saw:

$ ls *.gpg essay.gpg

Sam says, “I suggested using ASCII armor so it would be easy to see what an encrypted file looks like; also, you could just paste the contents of the file into an e-mail. Use the catcommand and you can see what’s in that file”:

$ cat essay.gpg

---BEGIN PGP MESSAGE ---

hQEMAyETvsDdu2pNAQf/TuPHs8tPDi7IW3o+Wzzsg80gwNXjmfe4ec5V9LhcdgU9 MoFr3U/zEl0zEqeHlZ4HtdTzlBkPvswpYlHLFbFqNWtsncsTdX0njnCqbOQbtFrc gLbl8nOBaYmnMhDQNJxVrpRAbPzs6HpuYHMSe6VSj+B6dSG+TNLdvg9N4k8V+q8p EJuyvmATq4UnPXjN8Y7CEG19N5zpE+52a4ymoYmAmTSKb71VClEd1E4IcA6AUOys zfAsSciPbEEjxzKtUsPyHFXCjtPiWf5IUAlHMFaNq0Ef7NTgBo56zxvwKgI4dvlI tJT0a1lLD2Ax4uVeBjmmRyRS3nYsVepm9KXk8OTNzNJxARHrXjiyM1jqlXlszpp1 eYv9IvOToqXtFU0cBSRNCTwW7TeEw1qyfzreUCRbOLWzB6N01viG6VK6xjDtFHXo /Y1A4IXgsrwUPA9MaGyDo8m4HiwvZQ3n7Opfxq/JU85OXTF3m4oHuY49ZVsSZw4n R54=

=YpFz

---END PGP MESSAGE---

As he looks over the ciphertext, Bob asks, “So, how can I decrypt this?”

“Youcan’t decrypt it at all. Only I can decrypt it, with my own pri- vate key. And since you did it interactively, there’s no file on your computer with the essay on it. And before you ask, as long as you delete (securely) the ciphertext file after you send it to me, no one should be able to link you to that file,”Sam answers.

Sam continues,“If you wanted to just generate the ciphertext, with- out creating a file, you could do that, too. Enter the command without the-ooption”:

$ gpg -ar 'Sam Mallory' -e

“and type in the same essay, and you get the ciphertext output to the screen. You can then copy the ciphertext from inside the command line window and paste it into any other window. So, you could paste it into an e-mail message, or drop it into an input field on a web site, or just print it out.”

Bob ponders and says, “OK, that makes sense, but I’m still unclear on what a public key pair is. How do I get my own? What can I do with it?”