The GNU Privacy Handbook

Post on 07-Jul-2020

Page 1: The GNU Privacy Handbook · maintainer, Mike Ashley (). Contributors to this manual also include Matthew Copeland, Joergen Grahn, and David A. Wheeler. J Horacio

The GNU Privacy Handbook

Copyright © 1999 by The Free Software Foundation

Please direct questions, bug reports, or suggestions concerning this manual to the maintainer, Mike Ashley (<[email protected]>). Contributors to this manual also include Matthew Copeland, Joergen Grahn, and David A. Wheeler. J Horacio MG has translated the manual to Spanish.

This manual may be redistributed under the terms of the GNU General Public License.


Table of Contents

1. Getting Started
    1.1. Generating a new keypair
        1.1.1. Generating a revocation certificate
    1.2. Exchanging keys
        1.2.1. Exporting a public key
        1.2.2. Importing a public key
    1.3. Encrypting and decrypting documents
    1.4. Making and verifying signatures
        1.4.1. Clearsigned documents
        1.4.2. Detached signatures

2. Concepts
    2.1. Symmetric ciphers
    2.2. Public-key ciphers
    2.3. Hybrid ciphers
    2.4. Digital signatures

3. Key Management
    3.1. Managing your own keypair
        3.1.1. Key integrity
        3.1.2. Adding and deleting key components
        3.1.3. Revoking key components
        3.1.4. Updating a key’s expiration time
    3.2. Validating other keys on your public keyring
        3.2.1. Trust in a key’s owner
        3.2.2. Using trust to validate keys
    3.3. Distributing keys

4. Daily use of GnuPG
    4.1. Defining your security needs
        4.1.1. Choosing a key size
        4.1.2. Protecting your private key
        4.1.3. Selecting expiration dates and using subkeys
        4.1.4. Managing your web of trust
    4.2. Building your web of trust
    4.3. Using GnuPG legally

5. Topics
    5.1. Writing user interfaces

I. Command Reference
    sign, detach-signature, encrypt, symmetric, decrypt, clearsign, verify, gen-key, gen-revoke, send-keys, recv-keys, list-keys, list-public-keys, list-secret-keys, list-sigs, check-sigs, fingerprint, import, fast-import, export, export-all, export-secret-keys, edit-key, sign-key, lsign-key, delete-key, delete-secret-key, store, export-ownertrust, import-ownertrust, update-trustdb, print-md, gen-random, gen-prime, version, warranty, help

II. Options Reference
    keyserver, output, recipient, default-recipient, default-recipient-self, no-default-recipient, encrypt-to, no-encrypt-to, armor, no-armor, no-greeting, no-secmem-warning, batch, no-batch, local-user, default-key, completes-needed, marginals-needed, load-extension, rfc1991, allow-non-selfsigned-uid, cipher-algo, compress-algo, z, verbose, no-verbose, quiet, textmode, dry-run, interactive, yes, no, always-trust, skip-verify, keyring, secret-keyring, no-default-keyring, homedir, charset, no-literal, set-filesize, with-fingerprint, with-colons, with-key-data, lock-once, lock-multiple, passphrase-fd, force-mdc, force-v3-sigs, openpgp, utf8-strings, no-utf8-strings, no-options, debug, debug-all, status-fd, logger-fd, no-comment, comment, default-comment, no-version, emit-version, notation-data, set-policy-url, set-filename, use-embedded-filename, max-cert-depth, digest-algo, s2k-cipher-algo, s2k-digest-algo, s2k-mode, disable-cipher-algo, disable-pubkey-algo, throw-keyid, not-dash-escaped, escape-from-lines

List of Figures
    3-1. A hypothetical web of trust

Chapter 1. Getting Started

GnuPG is a tool for secure communication. This chapter is a quick-start guide that covers the core functionality of GnuPG. This includes keypair creation, exchanging and verifying keys, encrypting and decrypting documents, and authenticating documents with digital signatures. It does not explain in detail the concepts behind public-key cryptography, encryption, and digital signatures. This is covered in Chapter 2. It also does not explain how to use GnuPG wisely. This is covered in Chapters 3 and 4.

GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user’s private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate. GnuPG uses a somewhat more sophisticated scheme in which a user has a primary keypair and then zero or more additional subordinate keypairs. The primary and subordinate keypairs are bundled to facilitate key management and the bundle can often be considered simply as one keypair.

1.1. Generating a new keypair

The command-line option --gen-key is used to create a new primary keypair.

alice% gpg --gen-key
gpg (GnuPG) 0.9.4; Copyright (C) 1999 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)
Your selection?

GnuPG is able to create several different types of keypairs, but a primary key must be capable of making signatures. There are therefore only three options. Option 1 actually creates two keypairs. A DSA keypair is the primary keypair usable only for making signatures. An ElGamal subordinate keypair is also created for encryption. Option 2 is similar but creates only a DSA keypair. Option 4 creates a single ElGamal keypair usable for both making signatures and performing encryption. In all cases it is possible to later add additional subkeys for encryption and signing. For most users the default option is fine.

You must also choose a key size. The size of a DSA key must be between 512 and 1024 bits, and an ElGamal key may be of any size. GnuPG, however, requires that keys be no smaller than 768 bits. Therefore, if Option 1 was chosen and you choose a keysize larger than 1024 bits, the ElGamal key will have the requested size, but the DSA key will be 1024 bits.

About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024)

The longer the key the more secure it is against brute-force attacks, but for almost all purposes the default keysize is adequate since it would be cheaper to circumvent the encryption than try to break it. Also, encryption and decryption will be slower as the key size is increased, and a larger keysize may affect signature length. Once selected, the keysize can never be changed.

Finally, you must choose an expiration date. If Option 1 was chosen, the expiration date will be used for both the ElGamal and DSA keypairs.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

For most users a key that does not expire is adequate. The expiration time should be chosen with care, however, since although it is possible to change the expiration date after the key is created, it may be difficult to communicate a change to users who have your public key.


You must provide a user ID in addition to the key parameters. The user ID is used to associate the key being created with a real person.

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <[email protected]>"

Real name:

Only one user ID is created when a key is created, but it is possible to create additional user IDs if you want to use the key in two or more contexts, e.g., as an employee at work and a political activist on the side. A user ID should be created carefully since it cannot be edited after it is created.

GnuPG needs a passphrase to protect the primary and subordinate private keys that you keep in your possession.

You need a Passphrase to protect your private key.

Enter passphrase:

There is no limit on the length of a passphrase, and it should be carefully chosen. From the perspective of security, the passphrase to unlock the private key is one of the weakest points in GnuPG (and other public-key encryption systems as well) since it is the only protection you have if another individual gets your private key. Ideally, the passphrase should not use words from a dictionary and should mix the case of alphabetic characters as well as use non-alphabetic characters. A good passphrase is crucial to the secure use of GnuPG.

1.1.1. Generating a revocation certificate

After your keypair is created you should immediately generate a revocation certificate for the primary public key using the option --gen-revoke. If you forget your passphrase or if your private key is compromised or lost, this revocation certificate may be published to notify others that the public key should no longer be used. A revoked public key can still be used to verify signatures made by you in the past, but it cannot be used to encrypt future messages to you. It also does not affect your ability to decrypt messages sent to you in the past if you still do have access to the private key.

alice% gpg --output revoke.asc --gen-revoke mykey
[...]

The argument mykey must be a key specifier, either the key ID of your primary keypair or any part of a user ID that identifies your keypair. The generated certificate will be left in the file revoke.asc. If the --output option is omitted, the result will be placed on standard output. Since the certificate is short, you may wish to print a hardcopy of the certificate to store somewhere safe such as your safe deposit box. The certificate should not be stored where others can access it since anybody can publish the revocation certificate and render the corresponding public key useless.

1.2. Exchanging keys

To communicate with others you must exchange public keys. To list the keys on your public keyring use the command-line option --list-keys.

alice% gpg --list-keys
/users/alice/.gnupg/pubring.gpg
--------------------------
pub  1024D/BB7576AC 1999-06-04 Alice (Judge) <[email protected]>
sub  1024g/78E9A8FA 1999-06-04

1.2.1. Exporting a public key

To send your public key to a correspondent you must first export it. The command-line option --export is used to do this. It takes an additional argument identifying the public key to export. As with the --gen-revoke option, either the key ID or any part of the user ID may be used to identify the key to export.

alice% gpg --output alice.gpg --export [email protected]


The key is exported in a binary format, but this can be inconvenient when the key is to be sent through email or published on a web page. GnuPG therefore supports a command-line option --armor that causes output to be generated in an ASCII-armored format similar to uuencoded documents. In general, any output from GnuPG, e.g., keys, encrypted documents, and signatures, can be ASCII-armored by adding the --armor option.

alice% gpg --armor --export [email protected]
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v0.9.7 (GNU/Linux)
Comment: For info see http://www.gnupg.org

[...]
-----END PGP PUBLIC KEY BLOCK-----

1.2.2. Importing a public key

A public key may be added to your public keyring with the --import option.

alice% gpg --import blake.gpg
gpg: key 9E98BC16: public key imported
gpg: Total number processed: 1
gpg:               imported: 1
alice% gpg --list-keys
/users/alice/.gnupg/pubring.gpg
--------------------------
pub  1024D/BB7576AC 1999-06-04 Alice (Judge) <[email protected]>
sub  1024g/78E9A8FA 1999-06-04

pub  1024D/9E98BC16 1999-06-04 Blake (Executioner) <[email protected]>
sub  1024g/5C8CBD41 1999-06-04

Once a key is imported it should be validated. GnuPG uses a powerful and flexible trust model that does not require you to personally validate each key you import. Some keys may need to be personally validated, however. A key is validated by verifying the key’s fingerprint and then signing the key to certify it as a valid key. A key’s fingerprint can be quickly viewed with the --fingerprint command-line option, but in order to certify the key you must edit it.

alice% gpg --edit-key [email protected]

pub  1024D/9E98BC16  created: 1999-06-04 expires: never      trust: -/q
sub  1024g/5C8CBD41  created: 1999-06-04 expires: never
(1)  Blake (Executioner) <[email protected]>

Command> fpr
pub  1024D/9E98BC16 1999-06-04 Blake (Executioner) <[email protected]>
             Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16

A key’s fingerprint is verified with the key’s owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key’s true owner. If the fingerprint you get is the same as the fingerprint the key’s owner gets, then you can be sure that you have a correct copy of the key.

After checking the fingerprint, you may sign the key to validate it. Since key verification is a weak point in public-key cryptography, you should be extremely careful and always check a key’s fingerprint with the owner before signing the key.

Command> sign

pub  1024D/9E98BC16  created: 1999-06-04 expires: never      trust: -/q
             Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16

     Blake (Executioner) <[email protected]>

Are you really sure that you want to sign this key
with your key: "Alice (Judge) <[email protected]>"

Really sign?

Once signed you can check the key to list the signatures on it and see the signature that you have added. Every user ID on the key will have one or more self-signatures as well as a signature for each user that has validated the key.

Command> check
uid  Blake (Executioner) <[email protected]>
sig!       9E98BC16 1999-06-04   [self-signature]
sig!       BB7576AC 1999-06-04   Alice (Judge) <[email protected]>
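The fingerprint comparison described above can be scripted so that all 40 hex digits are compared rather than judged by eye. The following is an added example, not part of the handbook: it reads the machine-readable listing produced with the --with-colons option (named in the options reference) and compares the fingerprint record with the value the key's owner read out. The function names and both sample listings are constructed for illustration, and blake@example.org is a placeholder because the address is obscured on this page.

```shell
#!/bin/sh
# Added example (not from the handbook): check a key's full fingerprint
# against the value obtained from its owner before signing the key.
LC_ALL=C; export LC_ALL

# normalize_fpr FPR
# Prints FPR in upper case with spaces and colons removed. Fails unless the
# result is exactly 40 hex digits, so a short key ID is never accepted.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F')
    case "$fpr" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# fpr_from_colons
# Reads a --with-colons key listing on stdin and prints field 10 of the
# first "fpr" record, which holds the fingerprint.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_fingerprint EXPECTED
# Reads a listing on stdin. Returns 0 on an exact match, 1 on a mismatch,
# and 2 when either side is not a complete fingerprint.
check_fingerprint() {
    expected=$(normalize_fpr "$1") || {
        echo "expected value is not a full 40-digit fingerprint" >&2
        return 2
    }
    actual=$(normalize_fpr "$(fpr_from_colons)") || {
        echo "no usable fingerprint record in the listing" >&2
        return 2
    }
    if [ "$expected" = "$actual" ]; then
        echo "fingerprint matches: $actual"
        return 0
    fi
    echo "MISMATCH: expected $expected but the key has $actual" >&2
    return 1
}

# Constructed sample listing for Blake's key, using the key ID and
# fingerprint shown in the session above (address is a placeholder).
SAMPLE_LISTING='pub:-:1024:17:9BDE1A089E98BC16:1999-06-04:::-:Blake (Executioner) <blake@example.org>:
fpr:::::::::268F448FCCD7AF34183E52D89BDE1A089E98BC16:'

# Constructed listing for a different key whose last eight digits equal
# Blake's key ID; only the full comparison tells the two apart.
OTHER_LISTING='pub:-:1024:17:89ABCDEF9E98BC16:1999-06-04:::-:Blake (Executioner) <blake@example.org>:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF9E98BC16:'

# The value Alice wrote down while talking to Blake.
printf '%s\n' "$SAMPLE_LISTING" |
    check_fingerprint "268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16"
```

With a real keyring the listing would come from gpg itself, piped into check_fingerprint in place of the constructed sample.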

1.3. Encrypting and decrypting documents

A public and private key each have a specific role when encrypting and decrypting documents. A public key may be thought of as an open safe. When a correspondent encrypts a document using a public key, that document is put in the safe, the safe shut, and the combination lock spun several times. The corresponding private key is the combination that can reopen the safe and retrieve the document. In other words, only the person who holds the private key can recover a document encrypted using the associated public key.

The procedure for encrypting and decrypting documents is straightforward with this mental model. If you want to encrypt a message to Alice, you encrypt it using Alice’s public key, and she decrypts it with her private key. If Alice wants to send you a message, she encrypts it using your public key, and you decrypt it with your key.

To encrypt a document the option --encrypt is used. You must have the public keys of the intended recipients. The software expects the name of the document to encrypt as input or, if omitted, on standard input. The encrypted result is placed on standard output or as specified using the option --output. The document is compressed for additional security in addition to encrypting it.

alice% gpg --output doc.gpg --encrypt --recipient [email protected] doc

The --recipient option is used once for each recipient and takes an extra argument specifying the public key to which the document should be encrypted. The encrypted document can only be decrypted by someone with a private key that complements one of the recipients’ public keys. In particular, you cannot decrypt a document encrypted by you unless you included your own public key in the recipient list.

To decrypt a message the option --decrypt is used. You need the private key to which the message was encrypted. Similar to the encryption process, the document to decrypt is input, and the decrypted result is output.

blake% gpg --output doc --decrypt doc.gpg

You need a passphrase to unlock the secret key for
user: "Blake (Executioner) <[email protected]>"
1024-bit ELG-E key, ID 5C8CBD41, created 1999-06-04 (main key ID 9E98BC16)

Enter passphrase:


Documents may also be encrypted without using public-key cryptography. Instead, only a symmetric cipher is used to encrypt the document. The key used to drive the symmetric cipher is derived from a passphrase supplied when the document is encrypted, and for good security, it should not be the same passphrase that you use to protect your private key. Symmetric encryption is useful for securing documents when the passphrase does not need to be communicated to others. A document can be encrypted with a symmetric cipher by using the --symmetric option.

alice% gpg --output doc.gpg --symmetric doc
Enter passphrase:

1.4. Making and verifying signatures

A digital signature certifies and timestamps a document. If the document is subsequently modified in any way, a verification of the signature will fail. A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper-resistant. The GnuPG source distribution, for example, is signed so that users can verify that the source code has not been modified since it was packaged.

Creating and verifying signatures uses the public/private keypair in an operation different from encryption and decryption. A signature is created using the private key of the signer. The signature is verified using the corresponding public key. For example, Alice would use her own private key to digitally sign her latest submission to the Journal of Inorganic Chemistry. The associate editor handling her submission would use Alice’s public key to check the signature to verify that the submission indeed came from Alice and that it had not been modified since Alice sent it. A consequence of using digital signatures is that it is difficult to deny that you made a digital signature since that would imply your private key had been compromised.

The command-line option --sign is used to make a digital signature. The document to sign is input, and the signed document is output.

alice% gpg --output doc.sig --sign doc


You need a passphrase to unlock the private key for
user: "Alice (Judge) <[email protected]>"
1024-bit DSA key, ID BB7576AC, created 1999-06-04

Enter passphrase:

The document is compressed before being signed, and the output is in binary format.

Given a signed document, you can either check the signature or check the signature and recover the original document. To check the signature use the --verify option. To verify the signature and extract the document use the --decrypt option. The signed document to verify and recover is input and the recovered document is output.

blake% gpg --output doc --decrypt doc.sig
gpg: Signature made Fri Jun 4 12:02:38 1999 CDT using DSA key ID BB7576AC
gpg: Good signature from "Alice (Judge) <[email protected]>"

1.4.1. Clearsigned documents

A common use of digital signatures is to sign usenet postings or email messages. In such situations it is undesirable to compress the document while signing it. The option --clearsign causes the document to be wrapped in an ASCII-armored signature but otherwise does not modify the document.

alice% gpg --clearsign doc

You need a passphrase to unlock the secret key for
user: "Alice (Judge) <[email protected]>"
1024-bit DSA key, ID BB7576AC, created 1999-06-04

---BEGIN PGP SIGNED MESSAGE---
Hash: SHA1

[...]
---BEGIN PGP SIGNATURE---
Version: GnuPG v0.9.7 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjdYCQoACgkQJ9S6ULt1dqz6IwCfQ7wP6i/i8HhbcOSKF4ELyQB1
oCoAoOuqpRqEzr4kOkQqHRLE/b8/Rw2k
=y6kj
---END PGP SIGNATURE---


1.4.2. Detached signatures

A signed document has limited usefulness. Other users must recover the original document from the signed version, and even with clearsigned documents, the signed document must be edited to recover the original. Therefore, there is a third method for signing a document that creates a detached signature. A detached signature is created using the --detach-sig option.

alice% gpg --output doc.sig --detach-sig doc

You need a passphrase to unlock the secret key for
user: "Alice (Judge) <[email protected]>"
1024-bit DSA key, ID BB7576AC, created 1999-06-04

Enter passphrase:

Both the document and detached signature are needed to verify the signature. The --verify option can be used to check the signature.

blake% gpg --verify doc.sig doc
gpg: Signature made Fri Jun 4 12:38:46 1999 CDT using DSA key ID BB7576AC
gpg: Good signature from "Alice (Judge) <[email protected]>"

Notes

1. Option 3 is to generate an ElGamal keypair that is not usable for making signatures.

2. Many command-line options that are frequently used can also be set in a configuration file.


Chapter 2. Concepts

GnuPG makes use of several cryptographic concepts including symmetric ciphers, public-key ciphers, and one-way hashing. You can make basic use of GnuPG without fully understanding these concepts, but in order to use it wisely some understanding of them is necessary.

This chapter introduces the basic cryptographic concepts used in GnuPG. Other books cover these topics in much more detail. A good book with which to pursue further study is Bruce Schneier’s “Applied Cryptography”.

2.1. Symmetric ciphers

A symmetric cipher is a cipher that uses the same key for both encryption and decryption. Two parties communicating using a symmetric cipher must agree on the key beforehand. Once they agree, the sender encrypts a message using the key, sends it to the receiver, and the receiver decrypts the message using the key. As an example, the German Enigma is a symmetric cipher, and daily keys were distributed as code books. Each day, a sending or receiving radio operator would consult his copy of the code book to find the day’s key. Radio traffic for that day was then encrypted and decrypted using the day’s key. Modern examples of symmetric ciphers include 3DES, Blowfish, and IDEA.

A good cipher puts all the security in the key and none in the algorithm. In other words, it should be no help to an attacker if he knows which cipher is being used. Only if he obtains the key would knowledge of the algorithm be needed. The ciphers used in GnuPG have this property.

Since all the security is in the key, then it is important that it be very difficult to guess the key. In other words, the set of possible keys, i.e., the key space, needs to be large. While at Los Alamos, Richard Feynman was famous for his ability to crack safes. To encourage the mystique he even carried around a set of tools including an old stethoscope. In reality, he used a variety of tricks to reduce the number of combinations he had to try to a small number and then simply guessed until he found the right combination. In other words, he reduced the size of the key space.

Britain used machines to guess keys during World War 2. The German Enigma had a very large key space, but the British built specialized computing engines, the Bombes, to mechanically try keys until the day’s key was found. This meant that sometimes they found the day’s key within hours of the new key’s use, but it also meant that on some days they never did find the right key. The Bombes were not general-purpose computers but were precursors to modern-day computers.

Today, computers can guess keys very quickly, and this is why key size is important in modern cryptosystems. The cipher DES uses a 56-bit key, which means that there are 2^56 possible keys. 2^56 is 72,057,594,037,927,936 keys. This is a lot of keys, but a general-purpose computer can check the entire key space in a matter of days. A specialized computer can check it in hours. On the other hand, more recently designed ciphers such as 3DES, Blowfish, and IDEA all use 128-bit keys, which means there are 2^128 possible keys. This is many, many more keys, and even if all the computers on the planet cooperated, it could still take more time than the age of the universe to find the key.

2.2. Public-key ciphers

The primary problem with symmetric ciphers is not their security but with key exchange. Once the sender and receiver have exchanged keys, that key can be used to securely communicate, but what secure communication channel was used to communicate the key itself? In particular, it would probably be much easier for an attacker to work to intercept the key than it is to try all the keys in the key space. Another problem is the number of keys needed. If there are n people who need to communicate, then n(n-1)/2 keys are needed for each pair of people to communicate privately. This may be ok for a small number of people but quickly becomes unwieldy for large groups of people.

Public-key ciphers were invented to avoid the key-exchange problem entirely. A public-key cipher uses a pair of keys for sending messages. The two keys belong to the person receiving the message. One key is a public key and may be given to anybody. The other key is a private key and is kept secret by the owner. A sender encrypts a message using the public key and once encrypted, only the private key may be used to decrypt it.

This protocol solves the key-exchange problem inherent with symmetric ciphers. There is no need for the sender and receiver to agree upon a key. All that is required is that some time before secret communication the sender gets a copy of the receiver’s public key. Furthermore, the one public key can be used by anybody wishing to communicate with the receiver. So only n keypairs are needed for n people to communicate secretly with one another.

Public-key ciphers are based on one-way trapdoor functions. A one-way function is a function that is easy to compute, but the inverse is hard to compute. For example, it is easy to multiply two prime numbers together to get a composite, but it is difficult to factor a composite into its prime components. A one-way trapdoor function is similar, but it has a trapdoor. That is, if some piece of information is known, it becomes easy to compute the inverse. For example, if you have a number made of two prime factors, then knowing one of the factors makes it easy to compute the second. Given a public-key cipher based on prime factorization, the public key contains a composite number made from two large prime factors, and the encryption algorithm uses that composite to encrypt the message. The algorithm to decrypt the message requires knowing the prime factors, so decryption is easy if you have the private key containing one of the factors but extremely difficult if you do not have it.

As with good symmetric ciphers, with a good public-key cipher all of the security rests with the key. Therefore, key size is a measure of the system’s security, but one cannot compare the size of a symmetric cipher key and a public-key cipher key as a measure of their relative security. In a brute-force attack on a symmetric cipher with a key size of 80 bits, the attacker must enumerate up to 2^81-1 keys to find the right key. In a brute-force attack on a public-key cipher with a key size of 512 bits, the attacker must factor a composite number encoded in 512 bits (up to 155 decimal digits). The workload for the attacker is fundamentally different depending on the cipher he is attacking. While 128 bits is sufficient for symmetric ciphers, given today’s factoring technology public keys with 1024 bits are recommended for most purposes.


2.3. Hybrid ciphers

Public-key ciphers are no panacea. Many symmetric ciphers are stronger from a security standpoint, and public-key encryption and decryption are more expensive than the corresponding operations in symmetric systems. Public-key ciphers are nevertheless an effective tool for distributing symmetric cipher keys, and that is how they are used in hybrid cipher systems.

A hybrid cipher uses both a symmetric cipher and a public-key cipher. It works by using a public-key cipher to share a key for the symmetric cipher. The actual message being sent is then encrypted using the key and sent to the recipient. Since symmetric key sharing is secure, the symmetric key used is different for each message sent. Hence it is sometimes called a session key.

Both PGP and GnuPG use hybrid ciphers. The session key, encrypted using the public-key cipher, and the message being sent, encrypted with the symmetric cipher, are automatically combined in one package. The recipient uses his private-key to decrypt the session key and the session key is then used to decrypt the message.

A hybrid cipher is no stronger than the public-key cipher or symmetric cipher it uses, whichever is weaker. In PGP and GnuPG, the public-key cipher is probably the weaker of the pair. Fortunately, however, if an attacker could decrypt a session key it would only be useful for reading the one message encrypted with that session key. The attacker would have to start over and decrypt another session key in order to read any other message.

2.4. Digital signatures

A hash function is a many-to-one function that maps its input to a value in a finite set. Typically this set is a range of natural numbers. A simple hash function is f(x) = 0 for all integers x. A more interesting hash function is f(x) = x mod 37, which maps x to the remainder of dividing x by 37.

A document’s digital signature is the result of applying a hash function to the document. To be useful, however, the hash function needs to satisfy two important properties. First, it should be hard to find two documents that hash to the same value. Second, given a hash value it should be hard to recover the document that produced that value.

Some public-key ciphers [1] could be used to sign documents. The signer encrypts the document with his private key. Anybody wishing to check the signature and see the document simply uses the signer’s public key to decrypt the document. This algorithm does satisfy the two properties needed from a good hash function, but in practice, this algorithm is too slow to be useful.

An alternative is to use hash functions designed to satisfy these two important properties. SHA and MD5 are examples of such algorithms. Using such an algorithm, a document is signed by hashing it, and the hash value is the signature. Another person can check the signature by also hashing their copy of the document and comparing the hash value they get with the hash value of the original document. If they match, it is almost certain that the documents are identical.

Of course, the problem now is using a hash function for digital signatures without permitting an attacker to interfere with signature checking. If the document and signature are sent unencrypted, an attacker could modify the document and generate a corresponding signature without the recipient’s knowledge. If only the document is encrypted, an attacker could tamper with the signature and cause a signature check to fail. A third option is to use a hybrid public-key encryption to encrypt both the signature and document. The signer uses his private key, and anybody can use his public key to check the signature and document. This sounds good but is actually nonsense. If this algorithm truly secured the document it would also secure it from tampering and there would be no need for the signature. The more serious problem, however, is that this does not protect either the signature or document from tampering. With this algorithm, only the session key for the symmetric cipher is encrypted using the signer’s private key. Anybody can use the public key to recover the session key. Therefore, it is straightforward for an attacker to recover the session key and use it to encrypt substitute documents and signatures to send to others in the sender’s name.

An algorithm that does work is to use a public key algorithm to encrypt only the signature. In particular, the hash value is encrypted using the signer’s private key, and anybody can check the signature using the public key. The signed document can be sent using any other encryption algorithm including none if it is a public document. If the document is modified the signature check will fail, but this is precisely what the signature check is supposed to catch. The Digital Signature Standard (DSA) is a public key signature algorithm that works as just described. DSA is the primary signing algorithm used in GnuPG.
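The difference between sending a bare hash value and sending a hash value transformed with the signer's private key, as an added Python sketch (not code from the handbook or from GnuPG). It uses textbook RSA with a deliberately tiny constructed key in place of DSA, and the sample documents and function names are constructed for illustration.

```python
import hashlib

# Toy RSA key pair for the signer (constructed; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1          # two known Mersenne primes
N, E = P * Q, 65537                  # public key, known to everybody
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the signer


def digest(document: bytes) -> int:
    """Hash the document with SHA-256 and reduce it into the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


# Scheme 1: the bare hash value travels with the document as its "signature".
def bare_hash_sign(document: bytes) -> int:
    return digest(document)


def bare_hash_check(document: bytes, signature: int) -> bool:
    return digest(document) == signature


# Scheme 2: the hash value is transformed with the signer's private key.
def sign(document: bytes, priv_d: int = D) -> int:
    return pow(digest(document), priv_d, N)


def verify(document: bytes, signature: int) -> bool:
    """Anybody holding the public key (N, E) can run this check."""
    return pow(signature, E, N) == digest(document)


def demo() -> dict:
    doc = b"Pay Blake 100 dollars"        # constructed sample document
    altered = b"Pay Blake 900 dollars"    # the document after modification
    return {
        # Anyone can recompute a bare hash, so the altered pair still checks out.
        "bare_hash_accepts_altered": bare_hash_check(altered, bare_hash_sign(altered)),
        "signed_hash_accepts_original": verify(doc, sign(doc)),
        # The original signature no longer matches the altered document.
        "signed_hash_accepts_altered": verify(altered, sign(doc)),
        # Without D, a recomputed hash is not a valid signature either.
        "signed_hash_accepts_recomputed_hash": verify(altered, digest(altered)),
    }
```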

Notes

1. The cipher must have the property that the actual public key or private key could be used by the encryption algorithm as the public key. RSA is an example of such an algorithm while ElGamal is not an example.


Chapter 3. Key Management

Key tampering is a major security weakness with public-key cryptography. An eavesdropper may tamper with a user’s keyrings or forge a user’s public key and post it for others to download and use. For example, suppose Chloe wants to monitor the messages that Alice sends to Blake. She could mount what is called a man in the middle attack. In this attack, Chloe creates a new public/private keypair. She replaces Alice’s copy of Blake’s public key with the new public key. She then intercepts the messages that Alice sends to Blake. For each intercept, she decrypts it using the new private key, reencrypts it using Blake’s true public key, and forwards the reencrypted message to Blake. All messages sent from Alice to Blake can now be read by Chloe.

Good key management is crucial in order to ensure not just the integrity of your keyrings but the integrity of other users’ keyrings as well. The core of key management in GnuPG is the notion of signing keys. Key signing has two main purposes: it permits you to detect tampering on your keyring, and it allows you to certify that a key truly belongs to the person named by a user ID on the key. Key signatures are also used in a scheme known as the web of trust to extend certification to keys not directly signed by you but signed by others you trust. Responsible users who practice good key management can defeat key tampering as a practical attack on secure communication with GnuPG.

3.1. Managing your own keypair

A keypair has a public key and a private key. A public key consists of the public portion of the master signing key, the public portions of the subordinate signing and encryption subkeys, and a set of user IDs used to associate the public key with a real person. Each piece has data about itself. For a key, this data includes its ID, when it was created, when it will expire, etc. For a user ID, this data includes the name of the real person it identifies, an optional comment, and an email address. The structure of the private key is similar, except that it contains only the private portions of the keys, and there is no user ID information.


The command-line option --edit-key may be used to view a keypair. For example,

chloe% gpg --edit-key [email protected]
Secret key is available.

pub 1024D/26B6AAE1 created: 1999-06-15 expires: never trust: -/u
sub 2048g/0CF8CB7A created: 1999-06-15 expires: never
sub 1792G/08224617 created: 1999-06-15 expires: 2002-06-14
sub 960D/B1F423E7 created: 1999-06-15 expires: 2002-06-14
(1) Chloe (Jester) <[email protected]>
(2) Chloe (Plebian) <[email protected]>
Command>

The public key is displayed along with an indication of whether or not the private key is available. Information about each component of the public key is then listed. The first column indicates the type of the key. The keyword pub identifies the public master signing key, and the keyword sub identifies a public subordinate key. The second column indicates the key’s bit length, type, and ID. The type is D for a DSA key, g for an encryption-only ElGamal key, and G for an ElGamal key that may be used for both encryption and signing. The creation date and expiration date are given in columns three and four. The user IDs are listed following the keys.

More information about the key can be obtained with interactive commands. The command toggle switches between the public and private components of a keypair if indeed both components are available.

Command> toggle

sec 1024D/26B6AAE1 created: 1999-06-15 expires: never
sbb 2048g/0CF8CB7A created: 1999-06-15 expires: never
sbb 1792G/08224617 created: 1999-06-15 expires: 2002-06-14
sbb 960D/B1F423E7 created: 1999-06-15 expires: 2002-06-14
(1) Chloe (Jester) <[email protected]>
(2) Chloe (Plebian) <[email protected]>

The information provided is similar to the listing for the public-key component. The keyword sec identifies the private master signing key, and the keyword sbb identifies the private subordinate keys. The user IDs from the public key are also listed for convenience.


3.1.1. Key integrity

When you distribute your public key, you are distributing the public components of your master and subordinate keys as well as the user IDs. Distributing this material alone, however, is a security risk since it is possible for an attacker to tamper with the key. The public key can be modified by adding or substituting keys, or by adding or changing user IDs. By tampering with a user ID, the attacker could change the user ID’s email address to have email redirected to himself. By changing one of the encryption keys, the attacker would also be able to decrypt the messages redirected to him.

Using digital signatures is a solution to this problem. When data is signed by a private key, the corresponding public key is bound to the signed data. In other words, only the corresponding public key can be used to verify the signature and ensure that the data has not been modified. A public key can be protected from tampering by using its corresponding private master key to sign the public key components and user IDs, thus binding the components to the public master key. Signing public key components with the corresponding private master signing key is called self-signing, and a public key that has self-signed user IDs bound to it is called a certificate.

As an example, Chloe has two user IDs and three subkeys. The signatures on the user IDs can be checked with the command check from the key edit menu.

chloe% gpg --edit-key chloe
Secret key is available.

pub 1024D/26B6AAE1 created: 1999-06-15 expires: never trust: -/u
sub 2048g/0CF8CB7A created: 1999-06-15 expires: never
sub 1792G/08224617 created: 1999-06-15 expires: 2002-06-14
sub 960D/B1F423E7 created: 1999-06-15 expires: 2002-06-14
(1) Chloe (Jester) <[email protected]>
(2) Chloe (Plebian) <[email protected]>

Command> check
uid Chloe (Jester) <[email protected]>
sig! 26B6AAE1 1999-06-15 [self-signature]
uid Chloe (Plebian) <[email protected]>
sig! 26B6AAE1 1999-06-15 [self-signature]

As expected, the signing key for each signature is the master signing key with key ID 0x26B6AAE1. The self-signatures on the subkeys are present in the public key, but they are not shown by the GnuPG interface.


3.1.2. Adding and deleting key components

Both new subkeys and new user IDs may be added to your keypair after it has been created. A user ID is added using the command adduid. You are prompted for a real name, email address, and comment just as when you create an initial keypair. A subkey is added using the command addkey. The interface is similar to the interface used when creating an initial keypair. The subkey may be a DSA signing key, an encrypt-only ElGamal key, or a sign-and-encrypt ElGamal key. When a subkey or user ID is generated it is self-signed using your master signing key, which is why you must supply your passphrase when the key is generated.

Additional user IDs are useful when you need multiple identities. For example, you may have an identity for your job and an identity for your work as a political activist. Coworkers will know you by your work user ID. Coactivists will know you by your activist user ID. Since those groups of people may not overlap, though, each group may not trust the other user ID. Both user IDs are therefore necessary.

Additional subkeys are also useful. The user IDs associated with your public master key are validated by the people with whom you communicate, and changing the master key therefore requires recertification. This may be difficult and time consuming if you communicate with many people. On the other hand, it is good to periodically change encryption subkeys. If a key is broken, all the data encrypted with that key will be vulnerable. By changing keys, however, only the data encrypted with the one broken key will be revealed.

Subkeys and user IDs may also be deleted. To delete a subkey or user ID you must first select it using the key or uid commands respectively. These commands are toggles. For example, the command key 2 selects the second subkey, and invoking key 2 again deselects it. If no extra argument is given, all subkeys or user IDs are deselected. Once the user IDs to be deleted are selected, the command deluid actually deletes the user IDs from your key. Similarly, the command delkey deletes all selected subkeys from both your public and private keys.

For local keyring management, deleting key components is a good way to trim other people’s public keys of unnecessary material. Deleting user IDs and subkeys on your own key, however, is not always wise since it complicates key distribution. By default, when a user imports your updated public key it will be merged with the old copy of your public key on his ring if it exists. The components from both keys are combined in the merge, and this effectively restores any components you deleted. To properly update the key, the user must first delete the old version of your key and then import the new version. This puts an extra burden on the people with whom you communicate. Furthermore, if you send your key to a keyserver, the merge will happen regardless, and anybody who downloads your key from a keyserver will never see your key with components deleted. Consequently, for updating your own key it is better to revoke key components instead of deleting them.

3.1.3. Revoking key components

To revoke a subkey it must be selected. Once selected it may be revoked with the revkey command. The key is revoked by adding a revocation self-signature to the key. Unlike the command-line option --gen-revoke, the effect of revoking a subkey is immediate.

Command> revkey
Do you really want to revoke this key? y

You need a passphrase to unlock the secret key for
user: "Chloe (Jester) <[email protected]>"
1024-bit DSA key, ID B87DBA93, created 1999-06-28

pub 1024D/B87DBA93 created: 1999-06-28 expires: never trust: -/u
sub 2048g/B7934539 created: 1999-06-28 expires: never
sub 1792G/4E3160AD created: 1999-06-29 expires: 2000-06-28
rev! subkey has been revoked: 1999-06-29
sub 960D/E1F56448 created: 1999-06-29 expires: 2000-06-28
(1) Chloe (Jester) <[email protected]>
(2) Chloe (Plebian) <[email protected]>

A user ID is revoked differently. Normally, a user ID collects signatures that attest that the user ID describes the person who actually owns the associated key. In theory, a user ID describes a person forever, since that person will never change. In practice, though, elements of the user ID such as the email address and comment may change over time, thus invalidating the user ID.


The OpenPGP specification does not support user ID revocation, but a user ID can effectively be revoked by revoking the self-signature on the user ID. For the security reasons described previously, correspondents will not trust a user ID with no valid self-signature.

A signature is revoked by using the command revsig. Since you may have signed any number of user IDs, the user interface prompts you to decide for each signature whether or not to revoke it.

Command> revsig
You have signed these user IDs:

Chloe (Jester) <[email protected]>
signed by B87DBA93 at 1999-06-28

Chloe (Plebian) <[email protected]>
signed by B87DBA93 at 1999-06-28

user ID: "Chloe (Jester) <[email protected]>"
signed with your key B87DBA93 at 1999-06-28
Create a revocation certificate for this signature? (y/N)n
user ID: "Chloe (Plebian) <[email protected]>"
signed with your key B87DBA93 at 1999-06-28
Create a revocation certificate for this signature? (y/N)y
You are about to revoke these signatures:

Chloe (Plebian) <[email protected]>
signed by B87DBA93 at 1999-06-28

Really create the revocation certificates? (y/N)y

You need a passphrase to unlock the secret key for
user: "Chloe (Jester) <[email protected]>"
1024-bit DSA key, ID B87DBA93, created 1999-06-28

pub 1024D/B87DBA93 created: 1999-06-28 expires: never trust: -/u
sub 2048g/B7934539 created: 1999-06-28 expires: never
sub 1792G/4E3160AD created: 1999-06-29 expires: 2000-06-28
rev! subkey has been revoked: 1999-06-29
sub 960D/E1F56448 created: 1999-06-29 expires: 2000-06-28
(1) Chloe (Jester) <[email protected]>
(2) Chloe (Plebian) <[email protected]>

A revoked user ID is indicated by the revocation signature on the ID when the signatures on the key’s user IDs are listed.

Command> check
uid Chloe (Jester) <[email protected]>
sig! B87DBA93 1999-06-28 [self-signature]
uid Chloe (Plebian) <[email protected]>
rev! B87DBA93 1999-06-29 [revocation]
sig! B87DBA93 1999-06-28 [self-signature]


Revoking both subkeys and self-signatures on user IDs adds revocation self-signatures to the key. Since signatures are being added and no material is deleted, a revocation will always be visible to others when your updated public key is distributed and merged with older copies of it. Revocation therefore guarantees that everybody has a consistent copy of your public key.

3.1.4. Updating a key’s expiration time

The expiration time of a key may be updated with the command expire from the key edit menu. If no key is selected the expiration time of the primary key is updated. Otherwise the expiration time of the selected subordinate key is updated.

A key’s expiration time is associated with the key’s self-signature. The expiration time is updated by deleting the old self-signature and adding a new self-signature. Since correspondents will not have deleted the old self-signature, they will see an additional self-signature on the key when they update their copy of your key. The latest self-signature takes precedence, however, so all correspondents will unambiguously know the expiration times of your keys.

3.2. Validating other keys on your public keyring

In Chapter 1 a procedure was given to validate your correspondents’ public keys: a correspondent’s key is validated by personally checking his key’s fingerprint and then signing his public key with your private key. By personally checking the fingerprint you can be sure that the key really does belong to him, and since you have signed the key, you can be sure to detect any tampering with it in the future. Unfortunately, this procedure is awkward when either you must validate a large number of keys or communicate with people whom you do not know personally.

GnuPGaddressesthis problemwith amechanismpopularlyknown asthewebof trust.


In the web of trust model, responsibility for validating public keys is delegated to people you trust. For example, suppose

• Alice has signed Blake’s key, and
• Blake has signed Chloe’s key and Dharma’s key.

If Alice trusts Blake to properly validate keys that he signs, then Alice can infer that Chloe’s and Dharma’s keys are valid without having to personally check them. She simply uses her validated copy of Blake’s public key to check that Blake’s signatures on Chloe’s and Dharma’s are good. In general, assuming that Alice fully trusts everybody to properly validate keys they sign, then any key signed by a valid key is also considered valid. The root is Alice’s key, which is axiomatically assumed to be valid.

3.2.1. Trust in a key’s owner

In practice trust is subjective. For example, Blake’s key is valid to Alice since she signed it, but she may not trust Blake to properly validate keys that he signs. In that case, she would not take Chloe’s and Dharma’s key as valid based on Blake’s signatures alone. The web of trust model accounts for this by associating with each public key on your keyring an indication of how much you trust the key’s owner. There are four trust levels.

unknown

Nothing is known about the owner’s judgement in key signing. Keys on your public keyring that you do not own initially have this trust level.

none

The owner is known to improperly sign other keys.

marginal

The owner understands the implications of key signing and properly validates keys before signing them.

full

The owner has an excellent understanding of key signing, and his signature on a key would be as good as your own.

A key’s trust level is something that you alone assign to the key, and it is considered private information. It is not packaged with the key when it is exported; it is even stored separately from your keyrings in a separate database.

The GnuPG key editor may be used to adjust your trust in a key’s owner. The command is trust. In this example Alice edits her trust in Blake and then updates the trust database to recompute which keys are valid based on her new trust in Blake.

alice% gpg --edit-key blake

pub 1024D/8B927C8A created: 1999-07-02 expires: never trust: q/f
sub 1024g/C19EA233 created: 1999-07-02 expires: never
(1) Blake (Executioner) <[email protected]>

Command> trust
pub 1024D/8B927C8A created: 1999-07-02 expires: never trust: q/f
sub 1024g/C19EA233 created: 1999-07-02 expires: never
(1) Blake (Executioner) <[email protected]>

Please decide how far you trust this user to correctly
verify other users’ keys (by looking at passports,
checking fingerprints from different sources...)?

1 = Don’t know
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
s = please show me more information
m = back to the main menu

Your decision? 3

pub 1024D/8B927C8A created: 1999-07-02 expires: never trust: m/f
sub 1024g/C19EA233 created: 1999-07-02 expires: never
(1) Blake (Executioner) <[email protected]>

Command> quit
[...]

Trust in the key’s owner and the key’s validity are indicated to the right when the key is displayed. Trust in the owner is displayed first and the key’s validity is second[1]. The four trust/validity levels are abbreviated: unknown (q), none (n), marginal (m), and full (f). In this case, Blake’s key is fully valid since Alice signed it herself. She initially has an unknown trust in Blake to properly sign other keys but decides to trust him marginally.

3.2.2. Using trust to validate keys

The web of trust allows a more elaborate algorithm to be used to validate a key. Formerly, a key was considered valid only if you signed it personally. A more flexible algorithm can now be used: a key K is considered valid if it meets two conditions:

1. it is signed by enough valid keys, meaning

   • you have signed it personally,
   • it has been signed by one fully trusted key, or
   • it has been signed by three marginally trusted keys; and

2. the path of signed keys leading from K back to your own key is five steps or shorter.

The path length, number of marginally trusted keys required, and number of fully trusted keys required may be adjusted. The numbers given above are the default values used by GnuPG.

Figure 3-1 shows a web of trust rooted at Alice. The graph illustrates who has signed whose keys. The table shows which keys Alice considers valid based on her trust in the other members of the web. This example assumes that two marginally-trusted keys or one fully-trusted key is needed to validate another key. The maximum path length is three.

When computing valid keys in the example, Blake and Dharma’s are always considered fully valid since they were signed directly by Alice. The validity of the other keys depends on trust. In the first case, Dharma is trusted fully, which implies that Chloe’s and Francis’s keys will be considered valid. In the second example, Blake and Dharma are trusted marginally. Since two marginally trusted keys are needed to fully validate a key, Chloe’s key will be considered fully valid, but Francis’s key will be considered only marginally valid. In the case where Chloe and Dharma are marginally trusted, Chloe’s key will be marginally valid since Dharma’s key is fully valid. Francis’s key, however, will also be considered marginally valid since only a fully valid key can be used to validate other keys, and Dharma’s key is the only fully valid key that has been used to sign Francis’s key. When marginal trust in Blake is added, Chloe’s key becomes fully valid and can then be used to fully validate Francis’s key and marginally validate Elena’s key. Lastly, when Blake, Chloe, and Elena are fully trusted, this is still insufficient to validate Geoff’s key since the maximum certification path is three, but the path length from Geoff back to Alice is four.

The web of trust model is a flexible approach to the problem of safe public key exchange. It permits you to tune GnuPG to reflect how you use it. At one extreme you may insist on multiple, short paths from your key to another key K in order to trust it. On the other hand, you may be satisfied with longer paths and perhaps as little as one path from your key to the other key K. Requiring multiple, short paths is a strong guarantee that K belongs to whom you think it does. The price, of course, is that it is more difficult to validate keys since you must personally sign more keys than if you accepted fewer and longer paths.

Figure 3-1. A hypothetical web of trust

| trust: marginal | trust: full | validity: marginal | validity: full |
|---|---|---|---|
| | Dharma | | Blake, Chloe, Dharma, Francis |
| Blake, Dharma | | Francis | Blake, Chloe, Dharma |
| Chloe, Dharma | | Chloe, Francis | Blake, Dharma |
| Blake, Chloe, Dharma | | Elena | Blake, Chloe, Dharma, Francis |
| | Blake, Chloe, Elena | | Blake, Chloe, Elena, Francis |
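The validity rule of section 3.2.2 and the five cases walked through for Figure 3-1 can be checked mechanically. The Python sketch below is an added example, not GnuPG’s own code: it is a simplified model of the rule as stated in the text, the signature graph is inferred from the prose (an assumption, since the figure is not reproduced here), and all function and parameter names are illustrative. The parameters marginals_needed and completes_needed stand in for the --marginals-needed and --completes-needed options discussed in section 4.1.4.

```python
"""Simplified model of the key-validity rule from section 3.2.2 (added example)."""

ROOT = "Alice"

# Constructed signature graph, signer -> keys signed. The edges are inferred from
# the prose describing Figure 3-1 (the drawing is not reproduced on this page),
# so this edge list is an assumption.
SIGNATURES = {
    "Alice": {"Blake", "Dharma"},
    "Blake": {"Chloe"},
    "Dharma": {"Chloe", "Francis"},
    "Chloe": {"Elena", "Francis"},
    "Elena": {"Geoff"},
}

# The five owner-trust assignments walked through in the text, in order.
SCENARIOS = [
    {"Dharma": "full"},
    {"Blake": "marginal", "Dharma": "marginal"},
    {"Chloe": "marginal", "Dharma": "marginal"},
    {"Blake": "marginal", "Chloe": "marginal", "Dharma": "marginal"},
    {"Blake": "full", "Chloe": "full", "Elena": "full"},
]


def compute_validity(signatures, owner_trust, root=ROOT,
                     marginals_needed=2, completes_needed=1, max_depth=3):
    """Return (fully_valid, marginally_valid) sets of key names, excluding root.

    owner_trust maps a key owner to "full" or "marginal"; anyone missing is
    untrusted. Only signatures made by fully valid keys are counted, and a key
    is accepted only if its path back to root is at most max_depth steps.
    """
    signers_of = {}
    for signer, signed in signatures.items():
        for key in signed:
            signers_of.setdefault(key, set()).add(signer)

    # Fully valid keys mapped to the path length at which they became valid.
    depth = {root: 0}

    def counts(key, limit):
        """Tally usable signatures on key from fully valid signers with depth < limit."""
        personal, full, marginal = False, 0, 0
        for signer in signers_of.get(key, ()):
            if signer not in depth or depth[signer] >= limit:
                continue
            if signer == root:
                personal = True          # "you have signed it personally"
            elif owner_trust.get(signer) == "full":
                full += 1
            elif owner_trust.get(signer) == "marginal":
                marginal += 1
        return personal, full, marginal

    # Grow the set of fully valid keys one path step at a time.
    for level in range(1, max_depth + 1):
        newly_valid = []
        for key in signers_of:
            if key in depth:
                continue
            personal, full, marginal = counts(key, level)
            if personal or full >= completes_needed or marginal >= marginals_needed:
                newly_valid.append(key)
        if not newly_valid:
            break                        # nothing changed, later levels cannot differ
        for key in newly_valid:
            depth[key] = level

    # Keys with some usable signature, but not enough, are only marginally valid.
    marginally_valid = set()
    for key in signers_of:
        if key in depth:
            continue
        _, full, marginal = counts(key, max_depth)
        if full or marginal:
            marginally_valid.add(key)

    return set(depth) - {root}, marginally_valid


if __name__ == "__main__":
    for trust in SCENARIOS:
        full, marginal = compute_validity(SIGNATURES, trust)
        print(f"trust={trust}\n  full: {sorted(full)}\n  marginal: {sorted(marginal)}")
```

Raising max_depth to 4 in the last scenario is what finally validates Geoff’s key, which shows how the path-length limit acts independently of the two signature counts.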

3.3. Distributing keys

Ideally, you distribute your key by personally giving it to your correspondents. In practice, however, keys are often distributed by email or some other electronic communication medium. Distribution by email is good practice when you have only a few correspondents, and even if you have many correspondents, you can use an alternative means such as posting your public key on your World Wide Web homepage. This is unacceptable, however, if people who need your public key do not know where to find it on the Web.

To solve this problem public key servers are used to collect and distribute public keys. A public key received by the server is either added to the server’s database or merged with the existing key if already present. When a key request comes to the server, the server consults its database and returns the requested public key if found.

A keyserver is also valuable when many people are frequently signing other people’s keys. Without a keyserver, when Blake signs Alice’s key then Blake would send Alice a copy of her public key signed by him so that Alice could add the updated key to her ring as well as distribute it to all of her correspondents. Going through this effort fulfills Alice’s and Blake’s responsibility to the community at large in building tight webs of trust and thus improving the security of PGP. It is nevertheless a nuisance if key signing is frequent.

Using a keyserver makes the process somewhat easier. When Blake signs Alice’s key he sends the signed key to the key server. The key server adds Blake’s signature to its copy of Alice’s key. Individuals interested in updating their copy of Alice’s key then consult the keyserver on their own initiative to retrieve the updated key. Alice need never be involved with distribution and can retrieve signatures on her key simply by querying a keyserver.

One or more keys may be sent to a keyserver using the command-line option --send-keys. The option takes one or more key specifiers and sends the specified keys to the key server. The key server to which to send the keys is specified with the command-line option --keyserver. Similarly, the option --recv-keys is used to retrieve keys from a keyserver, but the option --recv-keys requires a key ID be used to specify the key. In the following example Alice updates her public key with new signatures from the keyserver certserver.pgp.com and then sends her copy of Blake’s public key to the same keyserver to contribute any new signatures she may have added.

alice% gpg --keyserver certserver.pgp.com --recv-key 0xBB7576AC
gpg: requesting key BB7576AC from certserver.pgp.com ...
gpg: key BB7576AC: 1 new signature

gpg: Total number processed: 1
gpg: new signatures: 1
alice% gpg --keyserver certserver.pgp.com --send-key [email protected]
gpg: success sending to ’certserver.pgp.com’ (status=200)

There are several popular keyservers in use around the world. The major keyservers synchronize themselves, so it is fine to pick a keyserver close to you on the Internet and then use it regularly for sending and receiving keys.

Notes

1. GnuPG overloads the word “trust” by using it to mean trust in an owner and trust in a key. This can be confusing. Sometimes trust in an owner is referred to as owner-trust to distinguish it from trust in a key. Throughout this manual, however, “trust” is used to mean trust in a key’s owner, and “validity” is used to mean trust that a key belongs to the human associated with the key ID.

Chapter 4. Daily use of GnuPG

GnuPG is a complex tool with technical, social, and legal issues surrounding it. Technically, it has been designed to be used in situations having drastically different security needs. This complicates key management. Socially, using GnuPG is not strictly a personal decision. To use GnuPG effectively both parties communicating must use it. Finally, as of 1999, laws regarding digital encryption, and in particular whether or not using GnuPG is legal, vary from country to country and are currently being debated by many national governments.

This chapter addresses these issues. It gives practical advice on how to use GnuPG to meet your security needs. It also suggests ways to promote the use of GnuPG for secure communication between yourself and your colleagues when your colleagues are not currently using GnuPG. Finally, the legal status of GnuPG is outlined given the current status of encryption laws in the world.

4.1. Defining your security needs

GnuPG is a tool you use to protect your privacy. Your privacy is protected if you can correspond with others without eavesdroppers reading those messages.

How you should use GnuPG depends on the determination and resourcefulness of those who might want to read your encrypted messages. An eavesdropper may be an unscrupulous system administrator casually scanning your mail, it might be an industrial spy trying to collect your company’s secrets, or it might be a law enforcement agency trying to prosecute you. Using GnuPG to protect against casual eavesdropping is going to be different than using GnuPG to protect against a determined adversary. Your goal, ultimately, is to make it more expensive to recover the unencrypted data than that data is worth.

Customizing your use of GnuPG revolves around four issues:

• choosing the key size of your public/private keypair,
• protecting your private key,
• selecting expiration dates and using subkeys, and
• managing your web of trust.

A well-chosen key size protects you against brute-force attacks on encrypted messages. Protecting your private key prevents an attacker from simply using your private key to decrypt encrypted messages and sign messages in your name. Correctly managing your web of trust prevents attackers from masquerading as people with whom you communicate. Ultimately, addressing these issues with respect to your own security needs is how you balance the extra work required to use GnuPG with the privacy it gives you.

4.1.1. Choosing a key size

Selecting a key size depends on the key. In OpenPGP, a public/private keypair usually has multiple keys. At the least it has a master signing key, and it probably has one or more additional subkeys for encryption. Using default key generation parameters with GnuPG, the master key will be a DSA key, and the subkeys will be ElGamal keys.

DSA allows a key size up to 1024 bits. This is not especially good given today’s factoring technology, but that is what the standard specifies. Without question, you should use 1024 bit DSA keys.

ElGamal keys, on the other hand, may be of any size. Since GnuPG is a hybrid public-key system, the public key is used to encrypt a 128-bit session key, and the private key is used to decrypt it. Key size nevertheless affects encryption and decryption speed since the cost of these algorithms is exponential in the size of the key. Larger keys also take more time to generate and take more space to store. Ultimately, there are diminishing returns on the extra security a large key provides you. After all, if the key is large enough to resist a brute-force attack, an eavesdropper will merely switch to some other method for obtaining your plaintext data. Examples of other methods include robbing your home or office and mugging you. 1024 bits is thus the recommended key size. If you genuinely need a larger key size then you probably already know this and should be consulting an expert in data security.


4.1.2. Protecting your private key

Protecting your private key is the most important job you have to use GnuPG correctly. If someone obtains your private key, then all data encrypted to the private key can be decrypted and signatures can be made in your name. If you lose your private key, then you will no longer be able to decrypt documents encrypted to you in the future or in the past, and you will not be able to make signatures. Losing sole possession of your private key is catastrophic.

Regardless of how you use GnuPG you should store the public key’s revocation certificate and a backup of your private key on write-protected media in a safe place. For example, you could burn them on a CD-ROM and store them in your safe deposit box at the bank in a sealed envelope. Alternatively, you could store them on a floppy and hide it in your house. Whatever you do, they should be put on media that is safe to store for as long as you expect to keep the key, and you should store them more carefully than the copy of your private key you use daily.

To help safeguard your key, GnuPG does not store your raw private key on disk. Instead it encrypts it using a symmetric encryption algorithm. That is why you need a passphrase to access the key. Thus there are two barriers an attacker must cross to access your private key: (1) he must actually acquire the key, and (2) he must get past the encryption.

Safely storing your private key is important, but there is a cost. Ideally, you would keep the private key on a removable, write-protected disk such as a floppy disk, and you would use it on a single-user machine not connected to a network. This may be inconvenient or impossible for you to do. For example, you may not own your own machine and must use a computer at work or school, or it may mean you have to physically disconnect your computer from your cable modem every time you want to use GnuPG.

This does not mean you cannot or should not use GnuPG. It means only that you have decided that the data you are protecting is important enough to encrypt but not so important as to take extra steps to make the first barrier stronger. It is your choice.

A good passphrase is absolutely critical when using GnuPG. Any attacker who gains access to your private key must bypass the encryption on the private key. Instead of brute-force guessing the key, an attacker will almost certainly instead try to guess the passphrase.

The motivation for trying passphrases is that most people choose a passphrase that is easier to guess than a random 128-bit key. If the passphrase is a word, it is much cheaper to try all the words in the dictionaries of the world’s languages. Even if the word is permuted, e.g., k3wldood, it is still easier to try dictionary words with a catalog of permutations. The same problem applies to quotations. In general, passphrases based on natural-language utterances are poor passphrases since there is little randomness and lots of redundancy in natural language. You should avoid natural language passphrases if you can.

A good passphrase is one that you can remember but is hard for someone to guess. It should include characters from the whole range of printable characters on your keyboard. This includes uppercase alphabetic characters, numbers, and special characters such as } and |. Be creative and spend a little time considering your passphrase; a good choice is important to ensure your privacy.

4.1.3. Selecting expiration dates and using subkeys

By default, a DSA master signing key and an ElGamal encryption subkey are generated when you create a new keypair. This is convenient, because the roles of the two keys are different, and you may therefore want the keys to have different lifetimes. The master signing key is used to make digital signatures, and it also collects the signatures of others who have confirmed your identity. The encryption key is used only for decrypting encrypted documents sent to you. Typically, a digital signature has a long lifetime, e.g., forever, and you also do not want to lose the signatures on your key that you worked hard to collect. On the other hand, the encryption subkey may be changed periodically for extra security, since if an encryption key is broken, the attacker can read all documents encrypted to that key both in the future and from the past.

It is almost always the case that you will not want the master key to expire. There are two reasons why you may choose an expiration date. First, you may intend for the key to have a limited lifetime. For example, it is being used for an event such as a political campaign and will no longer be useful after the campaign is over. Another reason is that if you lose control of the key and do not have a revocation certificate with which to revoke the key, having an expiration date on the master key ensures that the key will eventually fall into disuse.

Changing encryption subkeys is straightforward but can be inconvenient. If you generate a new keypair with an expiration date on the subkey, that subkey will eventually expire. Shortly before the expiration you will add a new subkey and publish your updated public key. Once the subkey expires, those who wish to correspond with you must find your updated key since they will no longer be able to encrypt to the expired key. This may be inconvenient depending on how you distribute the key. Fortunately, however, no extra signatures are necessary since the new subkey will have been signed with your master signing key, which presumably has already been validated by your correspondents.

The inconvenience may or may not be worth the extra security. Just as you can, an attacker can still read all documents encrypted to an expired subkey. Changing subkeys only protects future documents. In order to read documents encrypted to the new subkey, the attacker would need to mount a new attack using whatever techniques he used against you the first time.

Finally, it only makes sense to have one valid encryption subkey on a keyring. There is no additional security gained by having two or more active subkeys. There may of course be any number of expired keys on a keyring so that documents encrypted in the past may still be decrypted, but only one subkey needs to be active at any given time.

4.1.4. Managing your web of trust

As with protecting your private key, managing your web of trust is another aspect of using GnuPG that requires balancing security against ease of use. If you are using GnuPG to protect against casual eavesdropping and forgeries then you can afford to be relatively trusting of other people’s signatures. On the other hand, if you are concerned that there may be a determined attacker interested in invading your privacy, then you should be much less trusting of other signatures and spend more time personally verifying signatures.


Regardless of your own security needs, though, you should always be careful when signing other keys. It is selfish to sign a key with just enough confidence in the key’s validity to satisfy your own security needs. Others, with more stringent security needs, may want to depend on your signature. If they cannot depend on you then that weakens the web of trust and makes it more difficult for all GnuPG users to communicate. Use the same care in signing keys that you would like others to use when you depend on their signatures.

In practice, managing your web of trust reduces to assigning trust to others and tuning the options --marginals-needed and --completes-needed. Any key you personally sign will be considered valid, but except for small groups, it will not be practical to personally sign the key of every person with whom you communicate. You will therefore have to assign trust to others.

It is probably wise to be accurate when assigning trust and then use the options to tune how careful GnuPG is with key validation. As a concrete example, you may fully trust a few close friends that you know are careful with key signing and then marginally trust all others on your keyring. From there, you may set --completes-needed to 1 and --marginals-needed to 2. If you are more concerned with security you might choose values of 1 and 3 or 2 and 3 respectively. If you are less concerned with privacy attacks and just want some reasonable confidence about validity, set the values to 1 and 1. In general, higher numbers for these options imply that more people would be needed to conspire against you in order to have a key validated that does not actually belong to the person whom you think it does.

4.2. Building your web of trust

Wanting to use GnuPG yourself is not enough. In order to use it to communicate securely with others you must have a web of trust. At first glance, however, building a web of trust is a daunting task. The people with whom you communicate need to use GnuPG[1], and there needs to be enough key signing so that keys can be considered valid. These are not technical problems; they are social problems. Nevertheless, you must overcome these problems if you want to use GnuPG.


When getting started using GnuPG it is important to realize that you need not securely communicate with every one of your correspondents. Start with a small circle of people, perhaps just yourself and one or two others who also want to exercise their right to privacy. Generate your keys and sign each other’s public keys. This is your initial web of trust. By doing this you will appreciate the value of a small, robust web of trust and will be more cautious as you grow your web in the future.

In addition to those in your initial web of trust, you may want to communicate securely with others who are also using GnuPG. Doing so, however, can be awkward for two reasons: (1) you do not always know when someone uses or is willing to use GnuPG, and (2) if you do know of someone who uses it, you may still have trouble validating their key. The first reason occurs because people do not always advertise that they use GnuPG. The way to change this behavior is to set the example and advertise that you use GnuPG. There are at least three ways to do this: you can sign messages you mail to others or post to message boards, you can put your public key on your web page, or, if you put your key on a keyserver, you can put your key ID in your email signature. If you advertise your key then you make it that much more acceptable for others to advertise their keys. Furthermore, you make it easier for others to start communicating with you securely since you have taken the initiative and made it clear that you use GnuPG.

Key validation is more difficult. If you do not personally know the person whose key you want to sign, then it is not possible to sign the key yourself. You must rely on the signatures of others and hope to find a chain of signatures leading from the key in question back to your own. To have any chance of finding a chain, you must take the initiative and get your key signed by others outside of your initial web of trust. An effective way to accomplish this is to participate in key signing parties. If you are going to a conference look ahead of time for a key signing party, and if you do not see one being held, offer to hold one. You can also be more passive and carry your fingerprint with you for impromptu key exchanges. In such a situation the person to whom you gave the fingerprint would verify it and sign your public key once he returned home.

Keep in mind, though, that this is optional. You have no obligation to either publicly advertise your key or sign other people’s keys. The power of GnuPG is that it is flexible enough to adapt to your security needs whatever they may be. The social reality, however, is that you will need to take the initiative if you want to grow your web of trust and use GnuPG for as much of your communication as possible.

4.3. Using GnuPG legally

The legal status of encryption software varies from country to country, and law regarding encryption software is rapidly evolving. Bert-Jaap Koops has an excellent Crypto Law Survey to which you should refer for the legal status of encryption software in your country.

Notes

1. In this section, GnuPG refers to the GnuPG implementation of OpenPGP as well as other implementations such as NAI’s PGP product.

Chapter 5. Topics

This chapter covers miscellaneous topics that do not fit elsewhere in the user manual. As topics are added, they may be collected and factored into chapters that stand on their own. If you would like to see a particular topic covered, please suggest it. Even better, volunteer to write a first draft covering your suggested topic!

5.1. Writing user interfaces

Alma Whitten and Doug Tygar have done a study on NAI’s PGP 5.0 user interface and came to the conclusion that novice users find PGP confusing and frustrating. In their human factors study, only four out of twelve test subjects managed to correctly send encrypted email to their team members, and three out of twelve emailed the secret without encryption. Furthermore, half of the test subjects had a technical background.

These results are not surprising. PGP 5.0 has a nice user interface that is excellent if you already understand how public-key encryption works and are familiar with the web-of-trust key management model specified by OpenPGP. Unfortunately, novice users understand neither public-key encryption nor key management, and the user interface does little to help.

You should certainly read Whitten and Tygar’s report if you are writing a user interface. It gives specific comments from each of the test subjects, and those details are enlightening. For example, it would appear that many of the subjects believed that a message being sent to other people should be encrypted to the test subject’s own public key. Consider it for a minute, and you will see that it is an easy mistake to make. In general, novice users have difficulty understanding the different roles of the public key and private key when using GnuPG. As a user interface designer, you should try to make it clear at all times when one of the two keys is being used. You could also use wizards or other common GUI techniques for guiding the user through common tasks such as key generation where extra steps such as generating a key revocation certificate and making a backup are all but essential for using GnuPG correctly. Other comments from the paper include the following.


• Security is usually a secondary goal; people want to send email, browse, and so on. Do not assume users will be motivated to read manuals or go looking for security controls.

• The security of a networked computer is only as strong as its weakest component. Users need to be guided to attend to all aspects of their security, not left to proceed through random exploration as they might with a word processor or a spreadsheet.

• Consistently use the same terms for the same actions. Do not alternate between synonyms like “encrypt” and “encipher”.

• For inexperienced users, simplify the display. Too much information hides the important information. An initial display configuration could concentrate on giving the user the correct model of the relationship between public and private keys and a clear understanding of the functions for acquiring and distributing keys.

Designing an effective user interface for key management is even more difficult. The OpenPGP web-of-trust model is unfortunately quite obtuse. For example, the specification imposes three arbitrary trust levels onto the user: none, marginal, and complete. All degrees of trust felt by the user must be fit into one of those three cubbyholes. The key validation algorithm is also difficult for non-computer scientists to understand, particularly the notions of “marginals needed” and “completes needed”. Since the web-of-trust model is well-specified and cannot be changed, you will have to do your best and design a user interface that helps to clarify it for the user. A definite improvement, for example, would be to generate a diagram of how a key was validated when requested by the user. Relevant comments from the paper include the following.

• Users are likely to be uncertain on how and when to grant accesses.

• Place a high priority on making sure users understand their security well enough to prevent them from making potentially high-cost mistakes. Such mistakes include accidentally deleting the private key, accidentally publicizing a key, accidentally revoking a key, forgetting the passphrase, and failing to back up the key rings.


I. Command Reference

1. Key specifiers

Many commands and options require a key specifier. A key specifier is the key ID or any portion of the user ID of a key. Consider the following example.

alice% gpg --list-keys chloe
pub 1024D/B87DBA93 1999-06-28 Chloe (Jester) <[email protected]>
uid Chloe (Plebian) <[email protected]>
sub 2048g/B7934539 1999-06-28

For this key, 0xB87DBA93, Chloe, Plebian, and oe@tel are all examples of key specifiers that match the above key.


sign

Name
sign — sign a document

sign filename

Description
This command signs the document filename. If the parameter filename is omitted, then the document to sign is taken from standard input. If the option output is used, gpg will output the signed information to the specified file.

detach-signature

Name

detach-signature — make a detached signature

detach-signature filename

Description

This command creates a signature file that can be used to verify that the original file filename has not been changed. Verification of the file using a detached signature is done using the command verify.

encrypt

Name

encrypt — encrypt a document

encrypt filename

Description

This command encrypts the document filename to recipients specified using the option recipient. If the parameter filename is omitted, then the document to encrypt is taken from standard input. If the option recipient is omitted, gpg will prompt for a recipient. If the option output is used, gpg will output the encrypted information to the specified file.

symmetric

Name

symmetric — encrypt a document using only a symmetric encryption algorithm

symmetric filename

Description

This command encrypts a document using a symmetric algorithm with a key derived from a passphrase supplied by you during execution. The key should be selected to make it difficult to randomly guess the key. To decrypt a document encrypted in this manner use the command decrypt.

decrypt

Name

decrypt — decrypt an encrypted document

decrypt filename

Description

This command decrypts filename and puts the result on standard output. If the parameter filename is omitted, then the document to decrypt is taken from standard input. Use the option output to output the decrypted message to a file instead.

clearsign

Name

clearsign — make a cleartext signature

clearsign filename

Description

This command signs a message that can be verified to ensure that the original message has not been changed. Verification of the signed message is done using the command verify.

verify

Name

verify — verify a signed document

verify signature document

Description

This command verifies a document against a signature to ensure that the document has not been altered since the signature was created. If signature is omitted, gpg will look in document for a clearsign signature.

gen-key

Name

gen-key — generate a new keypair

gen-key

Description

This command generates a private/public key pair for use in encrypting, decrypting, and signing of messages. You will be prompted for the kind of key you wish to create, the key size, and the key’s expiration date.

gen-revoke

Name

gen-revoke — generate a revocation certificate for a public/private keypair

gen-revoke key

Description

This command generates a revocation certificate for a public/private key pair. The parameter key is a key specifier.

send-keys

Name

send-keys — send keys to a key server

send-keys key

Description

This command sends a public key to a keyserver. The parameter key specifies the public key that should be uploaded. The command requires the option keyserver to specify to which keyserver gpg should send the keys.

recv-keys

Name

recv-keys — retrieve keys from a key server

recv-keys key-id key-id ...

Description

This command downloads one or more public keys from a keyserver. Each key-id is a key ID. The command requires the option keyserver to specify from which keyserver gpg should download the keys.

list-keys

Name

list-keys — list information about keys

list-keys key ...

Description

This command lists the public keys specified by the key specifiers on the command line. If no key specifier is given, gpg will list all of the public keys.

list-public-keys

Name

list-public-keys — list keys on public keyrings

list-public-keys name ...

Description

List all keys from public keyrings or just the keys specified with name ....

list-secret-keys

Name

list-secret-keys — list keys on secret keyrings

list-secret-keys name ...

Description

List all keys from secret keyrings or just the keys specified with name ....

list-sigs

Name

list-sigs — list information about keys including signatures

list-sigs name ...

Description

This command lists the public keys specified by the key specifiers on the command line. Signatures on the keys are listed as well. If no key specifier is given, gpg will list all of the public keys.

check-sigs

Name

check-sigs — list information about keys including validated signatures

check-sigs name ...

Description

This command lists the public keys specified by the key specifiers on the command line. Signatures on the keys are listed as well, and each signature is validated. If no key specifier is given, gpg will list all of the public keys.

fingerprint

Name

fingerprint — display key fingerprints

fingerprint name ...

Description

This command prints the fingerprints of the specified public keys. The parameter name is a key specifier. If no parameter name is provided, gpg will print the fingerprints of all the keys on your public keyring.

import

Name

import — import keys to a local keyring

import filename

Description

This command imports one or more public keys onto the user’s public keyring from the file filename.

fast-import

Name

fast-import — import/merge keys

fast-import file ...

Description

This is the same as the command import, but the keys are not added to the trust database. This can be done later using the command update-trustdb.

export

Name

export — export keys from a local keyring

export key ...

Description

This command exports the public key components of the keys specified by the key specifiers key .... The export command by default sends its output to standard output. This key file can later be imported into another keyring using the command import.

export-all

Name

export-all — export all public keys

export-all name ...

Description

This is the same as the command export, but keys that are not OpenPGP-compliant are also exported.

export-secret-keys

Name

export-secret-keys — export secret keys

export-secret-keys name ...

Description

This is the same as the command export, but private keys are exported instead of public keys. This is normally not very useful and is a security risk since private keys are left unprotected.

edit-key

Name

edit-key — presents a menu for operating on keys

edit-key key

Description

This command presents a menu which enables you to perform key-related tasks. The key specifier key specifies the key pair to be edited. If the specifier matches more than one key pair, gpg issues an error and exits.

Key listings displayed during key editing show the key with its secondary keys and all user ids. Selected keys or user ids are indicated by an asterisk. The trust and validity values are displayed with the primary key: the first is the assigned trust and the second is the calculated validity. Letters are used for the values:

Letter  Meaning
-       No ownertrust assigned / not yet calculated.
e       Trust calculation has failed.
q       Not enough information for calculation.
n       Never trust this key.
m       Marginally trusted.
f       Fully trusted.
u       Ultimately trusted.

The following lists each key editing command and a description of its behavior.

sign

Makes a signature on the current key. If the key is not yet signed by the default user or the user given with the option local-user, the program displays the information of the key again, together with its fingerprint and asks whether it should be signed. This question is repeated for all users specified with the option local-user.

lsign

Same as sign, but the signature is marked as non-exportable and will therefore never be used by others. This may be used to make keys valid only in the local environment.

revsig

Revoke a signature. Asks for each signature made by one of the private keys whether a revocation certificate should be generated.

trust

Change the ownertrust value. This updates the trust database immediately and no save is required.

disable

Disable the key. A disabled key cannot normally be used for encryption.

enable

Enable a key that has been previously disabled.

adduid

Add a new user id to the current key.

deluid

Delete a user id from the current key.

addkey

Add a new subkey to the current key.

delkey

Delete a subkey from the current key.

revkey

Revoke a subkey of the current key.

expire

Change a key expiration time. If a subkey is selected, the time of that key will be changed. With no selection the expiration time of the current primary key is changed.

key n

Toggle selection of subkey with index n. Use 0 to deselect all.

uid n

Toggle selection of user id with index n. Use 0 to deselect all.

toggle

Change the passphrase of the private key of the selected key pair.

toggle

Toggle between public and private key listings.

check

Check all selected user ids.

pref

List preferences.

save

Save all changes to the current key and quit.

save

Quit without updating the current key.

sign-key

Name

sign-key — sign a public key with a private key

sign-key name

Description

This is a shortcut for the subcommand sign within the command edit-key.

lsign-key

Name

lsign-key — locally sign a public key with a private key

lsign-key name

Description

This is a shortcut for the subcommand lsign within the command edit-key.

delete-key

Name

delete-key — remove a public key

delete-key name

Description

Remove the public key specified by name.

delete-secret-key

Name

delete-secret-key — remove a public and private key

delete-secret-key name

Description

Remove the keypair (both the public and private keys) specified by name.

store

Name

store — make only simple rfc1991 packets

help

Description

Elaborate.

export-ownertrust

Name

export-ownertrust — export assigned owner-trust values

export-ownertrust file ...

Description

The owner-trust values are exported in ASCII format. This is useful for making a backup of the trust values assigned to key owners.

import-ownertrust

Name

import-ownertrust — import owner-trust values

import-ownertrust file ...

Description

The trust database is updated with the trust values taken from the files file .... If no files are listed, the input is taken from standard input.

update-trustdb

Name

update-trustdb — update the trust database

update-trustdb

Description

Enough said.

print-md

Name

print-md — display message digests

print-md algo file ...

Description

Displays a message digest using algorithm algo for each of the files file .... If no files are listed, the input is taken from standard input. If the algorithm specified is “*”, then digests using all available algorithms are displayed.

gen-random

Name

gen-random — generate random data

gen-random level n

Description

This command emits n bytes of random data with quality level. If the parameter n is omitted then an endless sequence of random bytes will be emitted. This command should not be used frivolously since it takes entropy from the system.

gen-prime

Name

gen-prime — ?

gen-prime mode bits qbits

Description

This probably generates a prime number. Read the source for details if you are curious.

version

Name

version — display version information

version

Description

Print version information along with a list of supported algorithms.

warranty

Name

warranty — display warranty information

warranty

Description

Enough said.

help

Name

help — display usage information

help

Description

Displays usage information, including a list of commands and options. The options list may be incomplete.

II. Options Reference

1. Setting options

Options may be specified on the command line or in an options file. The default location of the options file is ~/.gnupg/options. When specifying options in the options file, omit the leading two dashes and instead use simply the option name followed by any arguments. Lines in the file with a hash (#) as the first non-white-space character are ignored.

keyserver

Name

keyserver — specify the keyserver to use to locate keys

keyserver server-name

Description

This option is used in conjunction with either recv-keys or send-keys to specify a keyserver to manage public key distribution.

output

Name

output — specify the file in which to place output

output file-name

Description

This option takes the output from commands and prints it to the filename given to it as a parameter.

recipient

Name

recipient — specify the recipient of a public-key encrypted document

recipient name

Description

This option is used in conjunction with the command encrypt. It must appear before encrypt on the command line. The parameter name is either the name of the individual or the e-mail address of the individual to whom you are sending the message.

default-recipient

Name

default-recipient — specify the default recipient of a public-key encrypted document

default-recipient name

Description

The user ID name is used as the default recipient if a recipient is not otherwise specified.

default-recipient-self

Name

default-recipient-self — use the default key user ID as the default recipient of a public-key encrypted document

default-recipient-self

Description

The user ID of the default key is used as the default recipient. gpg does not query for a recipient if this specifies a valid key. The default key is the first key on the private keyring or the key specified with the option default-key.

no-default-recipient

Name

no-default-recipient — ignore the options default-recipient and default-recipient-self

no-default-recipient

Description

This is useful if the default recipient is usually set in the options file but must be ignored for a particular run of gpg.

encrypt-to

Name

encrypt-to — specify an additional recipient of a public-key encrypted document

encrypt-to name

Description

This option is similar to recipient but is intended for use in the options file. It may be used with one’s own user ID to yield an “encrypt-to-self” option. The key specified by name is used only when there are other recipients given by the user or by use of the option recipient. No trust checking is performed on the key specified by name and even disabled keys may be used.

no-encrypt-to

Name

no-encrypt-to — ignore the option encrypt-to

no-encrypt-to

Description

This is useful if messages are normally encrypted to one or more keys by default but must not be for a particular run of gpg.

armor

Name

armor — ASCII-armor encrypted or signed output

armor

Description

This option takes output from commands and prints it in a format that can be safely e-mailed.

no-armor

Name

no-armor — assume input data is not ASCII armored

no-armor

Description

Enough said.

no-greeting

Name

no-greeting — suppress the opening copyright notice but do not enter batch mode

no-greeting

Description

Enough said.

no-secmem-warning

Name

no-secmem-warning — suppress warnings if insecure memory is used

no-secmem-warning

Description

Enough said.

batch

Name

batch — use batch mode

batch

Description

gpg will never ask questions and will not allow interactive commands.

no-batch

Name

no-batch — disable batch mode

no-batch

Description

Useful if the option batch is set in the options file.

local-user

Name

local-user — specifies a user id to use for signing

local-user name

Description

Use name as the user ID to sign. This option is silently ignored for the list commands, so that it can be used in an options file.

default-key

Name

default-key — specifies a user ID as a default user ID for signatures

default-key name

Description

Use name as the user ID to sign. If this option is not used the first user ID found on the private keyring is the default user ID.

completes-needed

Name

completes-needed — specifies the number of fully-trusted people needed to validate a new key.

completes-needed n

Description

A public key on your keyring is validated using those signatures on the key that were made by other valid keys on your keyring. The option specifies the number of signatures needed if you fully trust the owners of the keys that made the signatures. Your trust in a key’s owner is set with the command edit-key.

marginals-needed

Name

marginals-needed — specifies the number of marginally-trusted people needed to validate a new key.

marginals-needed n

Description

A public key on your keyring is validated using those signatures on the key that were made by other valid keys on your keyring. The option specifies the number of signatures needed if you marginally trust the owners of the keys that made the signatures. Your trust in a key’s owner is set with the command edit-key.
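A simplified reading of the two thresholds, as an added example that is not GnuPG's own code: a key becomes valid once enough already-valid signers with full (completes-needed) or marginal (marginals-needed) owner trust have signed it, and explain() produces the kind of "how was this key validated" trace suggested earlier for user interfaces. Key names and sample data are constructed, the default thresholds 1 and 3 are assumptions, and path-length limits, expiry and revocation are not modelled.

```python
# Added example (not GnuPG code): simplified key validation driven by the
# completes-needed and marginals-needed options. Trust letters follow the
# edit-key listing: 'u' ultimate, 'f' full, 'm' marginal, 'n' never.

# Constructed sample data: owner trust assigned by the user "alice" ...
OWNERTRUST = {"blake": "f", "chloe": "m", "dharma": "m", "elena": "m", "ivan": "f"}
# ... and, for each key, the set of keys that signed it.
SIGNATURES = {
    "blake": {"alice"},
    "chloe": {"alice"},
    "dharma": {"alice"},
    "elena": {"blake"},
    "francis": {"chloe", "dharma"},
    "geoff": {"chloe", "dharma", "elena"},
    "heidi": {"ivan"},          # ivan is trusted, but his key is never validated
}


def validate_keys(own_key, ownertrust, signatures,
                  completes_needed=1, marginals_needed=3):
    """Return {key: (rule, signers)} for every key that becomes valid.

    Only signatures made by keys that are themselves valid are counted,
    so the loop repeats until a full pass validates nothing new.
    """
    if completes_needed < 1 or marginals_needed < 1:
        raise ValueError("thresholds must be at least 1")
    trust = dict(ownertrust)
    trust[own_key] = "u"                      # your own key is ultimately trusted
    valid = {own_key: ("own", [])}
    changed = True
    while changed:
        changed = False
        for key in sorted(signatures):
            if key in valid:
                continue
            good = sorted(s for s in signatures[key] if s in valid)
            full = [s for s in good if trust.get(s, "-") in ("f", "u")]
            marginal = [s for s in good if trust.get(s, "-") == "m"]
            if len(full) >= completes_needed:
                valid[key] = ("completes", full)
            elif len(marginal) >= marginals_needed:
                valid[key] = ("marginals", marginal)
            else:
                continue
            changed = True
    return valid


def explain(key, valid, indent=0):
    """Return a text trace of how key was validated, one line per signer."""
    pad = "  " * indent
    if key not in valid:
        return [f"{pad}{key}: not valid"]
    rule, signers = valid[key]
    if rule == "own":
        return [f"{pad}{key}: your own key"]
    lines = [f"{pad}{key}: valid, {len(signers)} signature(s) counted for {rule}-needed"]
    for signer in signers:                    # signers were validated earlier: no cycles
        lines.extend(explain(signer, valid, indent + 1))
    return lines


if __name__ == "__main__":
    result = validate_keys("alice", OWNERTRUST, SIGNATURES)
    for name in ("elena", "francis", "geoff", "heidi"):
        print("\n".join(explain(name, result)))
```

Lowering marginals_needed to 2 makes francis valid as well, which shows how directly these two options widen or narrow the set of keys gpg will treat as valid.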

load-extension

Name

load-extension — specifies an extension to load.

load-extension object-file

Description

Elaborate.

rfc1991

Name

rfc1991 — try to be more RFC1991 (PGP 2.x) compliant

rfc1991

Description

Elaborate?

allow-non-selfsigned-uid

Name

allow-non-selfsigned-uid — allow the import of keys with user IDs which are not self-signed

allow-non-selfsigned-uid

Description

This only allows the import - key validation will fail and you have to check the validity of the key by other means. This hack is needed for some German keys generated with pgp 2.6.3in. You should really avoid using it, because OpenPGP has better mechanics to do separate signing and encryption keys.

cipher-algo

Name

cipher-algo — use a specified algorithm as the symmetric cipher

cipher-algo name

Description

Use name as the symmetric cipher algorithm. Running gpg with the command version yields a list of supported algorithms. If this is not used, the cipher algorithm is selected from the preferences stored with the default keypair. For symmetric encryption, the default is Blowfish.

compress-algo

Name

compress-algo — use a specified compression algorithm

compress-algo n

Description

Default is 2, which is RFC1950 compression. You may use 1 to use the old zlib version which is used by PGP. The default algorithm may give better results because the window size is not limited to 8K. If this is not used the OpenPGP behavior is used, i.e., the compression algorithm is selected from the preferences; note, that this can’t be done if you do not encrypt the data.

z

Name

z — set compression level

z n

Description

Setting n to 0 disables compression. The default is to use the default compression level for zlib (6). Unlike all other options, this option may only be used from the command line and is preceded with a single leading dash instead of two dashes.

verbose

Name

verbose — provide additional information during processing

verbose

Description

If used once, this provides extra information during processing. If used twice, the input data is listed in detail.

no-verbose

Name

no-verbose — resets verbosity to none

no-verbose

Description

This causes previous uses of the option verbose to be ignored.

quiet

Name

quiet — suppress informational output

quiet

Description

As little extra output as possible is displayed.

textmode

Name

textmode — use canonical text mode

textmode

Description

What good is this option?

dry-run

Name

dry-run — do not make changes

dry-run

Description

This is not completely implemented. Use with care.

interactive

Name

interactive — prompt before overwriting files

interactive

Description

Enough said.

yes

Name

yes — assume “yes” to most questions

yes

Description

Enough said.

no

Name

no — assume “no” to most questions

no

Description

Enough said.

always-trust

Name

always-trust — skip key validation

always-trust

Description

This assumes that used keys are fully trusted. This option should not be used unless some external scheme is used to validate used keys.

skip-verify

Name

skip-verify — skip signature verification

skip-verify

Description

This causes signature verification steps to be skipped. This leads to faster decryption times if signed messages are being decrypted.

keyring

Name

keyring — add a keyring to the list of keyrings

keyring file

Description

Adds file to the list of keyrings used during processing. If file begins with a tilde and a slash, these are replaced by the HOME directory. If the filename does not contain a slash, it is assumed to be in the home directory. The home directory is “~/.gnupg” if the option homedir is not used.

The filename file may also be prefixed with a scheme. The scheme “gnupg-ring:” makes the specified file the default keyring. The scheme “gnupg-gdbm:” makes the specified file the GDBM ring. It may be useful to use these schemes together with the option no-default-keyring.

secret-keyring

Name

secret-keyring — add a secret keyring

secret-keyring file

Description

This is the same as the option keyring but for secret keyrings.

no-default-keyring

Name

no-default-keyring — do not add the default keyrings to the list of keyrings

no-default-keyring

Description

The default keyrings taken from the home directory are not used during processing.

homedir

Name

homedir — set the home directory

homedir directory

Description

If this option is not used, the home directory defaults to “~/.gnupg”. This overrides the environment variable GNUPGHOME. It does not make sense to use this in an options file.

charset

Name

charset — set the name of the native character set.

charset name

Description

This is used to convert some strings to UTF-8 encoding. Valid values for name are

Name        Character set
iso-8859-1  The default Latin 1 set
iso-8859-2  The Latin 2 set
koi8-r      The usual Russian set (rfc1489)

no-literal

Name

no-literal — ?

no-literal

Description

This is not for normal use. Use the source code to see how it might be useful.

set-filesize

Name

set-filesize — ?

set-filesize size

Description

This is not for normal use. Use the source code to see how it might be useful.

with-fingerprint

Name

with-fingerprint — modifies key listing output

with-fingerprint

Description

This is similar to the command fingerprint but is an option. This appears to be for use with the command list-keys.

with-colons

Name

with-colons — modifies key listing output

with-colons

Description

This causes keys displayed with the command list-keys to be delimited by colons.

with-key-data

Name

with-key-data — modifies key listing output

with-key-data

Description

This causes the command list-keys to print keys delimited by colons as well as the public key data for each key.

lock-once

Name

lock-once — locks the databases once

lock-once

Description

This option locks the databases the first time a lock is requested and does not release the lock until the process terminates.

lock-multiple

Name

lock-multiple — locks the databases each time they are used

lock-multiple

Description

This option locks the database each time it is needed and releases the lock when done. This option may be used to override the use of lock-once from the options file.

passphrase-fd

Name

passphrase-fd — read the passphrase from a different input stream

passphrase-fd n

Description

If the parameter n is 0, the passphrase will be read from standard input. This can be used if only one passphrase must be supplied. Do not use this option if you can avoid it.
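The options-file rules from "Setting options" and the cautions attached to individual options above can be checked mechanically. The following added example (not part of GnuPG or of the handbook) parses an options file as described there and reports options this reference advises against; the sample file and the host name keys.example.org are constructed.

```python
# Added example: lint a GnuPG options file against the cautions in this
# reference. Not GnuPG code; the sample file contents are constructed.

# Options this reference cautions about, with the reason it gives.
CAUTIONED = {
    "always-trust": "skips key validation",
    "skip-verify": "skips signature verification",
    "allow-non-selfsigned-uid": "key validation fails for keys imported this way",
    "passphrase-fd": "the reference says to avoid it if you can",
    "no-secmem-warning": "suppresses the insecure-memory warning",
    "dry-run": "not completely implemented",
    "homedir": "does not make sense in an options file",
    "z": "may only be used on the command line",
}

SAMPLE = """\
# constructed sample options file
keyserver keys.example.org
    # indented comment, still ignored
default-recipient-self

always-trust
--armor
skip-verify
passphrase-fd 0
homedir /tmp/gnupg
"""


def parse_options(text):
    """Return [(lineno, name, args, had_dashes)] for every option line."""
    parsed = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' as first non-blank character
            continue
        name, *args = line.split()
        had_dashes = name.startswith("--")
        if had_dashes:                         # tolerated here, but reported below
            name = name[2:]
        parsed.append((lineno, name, args, had_dashes))
    return parsed


def audit_options(text):
    """Return [(lineno, option, reason)] for lines that deserve a second look."""
    findings = []
    for lineno, name, _args, had_dashes in parse_options(text):
        if had_dashes:
            findings.append(
                (lineno, name, "leading dashes must be omitted in the options file"))
        if name in CAUTIONED:
            findings.append((lineno, name, CAUTIONED[name]))
    return findings


def as_command_line(text):
    """Rewrite the file's options in their command-line form."""
    argv = []
    for _lineno, name, args, _had_dashes in parse_options(text):
        # z is the one option written with a single leading dash.
        argv.append(("-" if name == "z" else "--") + name)
        argv.extend(args)
    return argv


if __name__ == "__main__":
    for lineno, name, reason in audit_options(SAMPLE):
        print(f"line {lineno}: {name}: {reason}")
```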

force-mdc

Name

force-mdc — force the use of encryption with appended manipulation code

force-mdc

Description

This option is always used with newer ciphers with a block size of greater than 64 bits. This option may not yet be implemented.

force-v3-sigs

Nameforce-v3-sigs — forcetheuseof v3 signatureson data

force-v3-sigs

Description

OpenPGP states that an implementation should generate v4 signatures, but PGP 5.x recognizes v4 signatures only on key material. This option forces v3 signatures on data as well.

openpgp

Name

openpgp — reset all packet, cipher, and digest options to the OpenPGP specification

openpgp

Description

This option resets all previous options such as lock-once, lock-once, cipher-algo, digest-algo, compress-algo, s2k-cipher-algo, s2k-digest-algo, and s2k-mode to OpenPGP compliant values.

utf8-strings

Name

utf8-strings — assume that arguments are provided as UTF8 strings

utf8-strings

Description

Option arguments following this option are assumed to be encoded as UTF8 strings.

no-utf8-strings

Name

no-utf8-strings — assume that arguments are not provided as UTF8 strings

no-utf8-strings

Description

Option arguments following this option are assumed to be encoded in the character set specified with the option charset. This is the default behavior for gpg.

no-options

Name

no-options — use no options file

no-options

Description

This option is processed before an attempt is made to open an options file.

debug

Name

debug — set debug flags

debug flags

Description

The parameter flags is built by applying a logical OR on individual flags. The parameter may be given in C syntax, e.g., 0x0042. The flags are:

Flag   Meaning
1      Packet reading and writing details
2      MPI details
4      cipher and prime number details (may reveal sensitive data)
8      Iobuf filter functions
16     Iobuf details
32     Memory allocation details
64     Caching
128    Show memory statistics on exit
256    Trust verification details

debug-all

Name

debug-all — set all useful debugging flags

debug-all

Description

See also the option debug.

status-fd

Name

status-fd — write status messages to an alternative output stream

status-fd n

Description

This option causes status messages to be redirected to file descriptor n. See the file DETAILS in the distribution for a listing of the messages.

logger-fd

Name

logger-fd — write log messages to an alternative output stream

logger-fd n

Description

This option causes log messages to be redirected to file descriptor n instead of to standard error.

no-comment

Name

no-comment — do not write comment packets

no-comment

Description

This option affects only the generation of secret keys. Output of option (comment?) packets is disabled since version 0.4.2 of GnuPG.

comment

Name

comment — set the comment string to use in cleartext signatures

comment string

Description

Enough said.

default-comment

Name

default-comment — use the standard comment string in cleartext signatures

default-comment

Description

This option overrides previous uses of the option comment.

no-version

Name

no-version — omit the version string in cleartext signatures

no-version

Description

Enough said.

emit-version

Name

emit-version — emit the version string in cleartext signatures

emit-version

Description

This option overrides previous uses of the option no-version.

notation-data

Name

notation-data — add data to a signature as notation data

notation-data name=value

Description

This adds the name/value pair to a signature. The parameter name must consist of an alphabetic character followed by any number of alphanumeric or underscore characters. The parameter value may be any printable string. It will be encoded in UTF8, so it is important that the option charset is used to set the character set properly. If the parameter name is prefixed with an exclamation mark, the notation data will be flagged as critical (see rfc2440:5.2.3.15).

set-policy-url

Name

set-policy-url — set the policy URL for signatures

set-policy-url string

Description

The parameter string is used as the policy URL for signatures (see rfc2440:5.2.3.19). If the string is prefixed with an exclamation mark, the policy URL packet will be flagged as critical.

set-filename

Name

set-filename — sets the filename stored in encrypted or signed messages

set-filename string

Description

The parameter string is used as the filename stored in messages. Does this specify the output file when a message is verified or decrypted?

use-embedded-filename

Name

use-embedded-filename — use the filename embedded in a message for storing its plaintext or verified version

use-embedded-filename

Description

This option should be used with care since it may overwrite files.

max-cert-depth

Name

max-cert-depth — set the maximum depth of a certification chain

max-cert-depth n

Description

The parameter n sets the maximum length of a chain of certified keys leading from an ultimately trusted key to a key being validated. The default is 5.

digest-algo

Name

digest-algo — set the message digest algorithm

digest-algo name

Description

The parameter name specifies the name of the digest algorithm to be used. Running gpg with the command version gives a list of supported digest algorithms. Note that this option may violate the OpenPGP requirement that a 160-bit digest algorithm be used for DSA. For symmetric encryption, the default algorithm is RIPEMD-160.

s2k-cipher-algo

Name

s2k-cipher-algo — use a specified algorithm as the symmetric cipher for encrypting private keys

s2k-cipher-algo name

Description

Use name as the symmetric cipher algorithm to protect private keys. Running gpg with the command version yields a list of supported algorithms. The default cipher is Blowfish.

s2k-digest-algo

Name

s2k-digest-algo — set the message digest algorithm for mangling passphrases protecting private keys

s2k-digest-algo name

Description

The parameter name specifies the name of the digest algorithm to be used for mangling passphrases. The default algorithm is RIPEMD-160.

s2k-mode

Name

s2k-mode — sets how passphrases are mangled

s2k-mode n

Description

The parameter n specifies the number of times to which a salt is added to passphrases. If n is 0 a plain passphrase will be used. One iteration is the default. Unless the option rfc1991 is used, this mode is also used for the passphrase for symmetric encryption.
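What the s2k-* options control, as an added example that is not GnuPG's own code: a string-to-key function following RFC 2440 section 3.6.1, whose specifier types are 0 (simple), 1 (salted) and 3 (iterated and salted). SHA-1 stands in for the RIPEMD-160 default because Python's hashlib does not always provide RIPEMD-160; the names s2k, decode_count and SALT are illustrative.

```python
# Added example, not GnuPG source: string-to-key as in RFC 2440 section 3.6.1.
import hashlib

def decode_count(c):
    """Expand the one-octet coded count of an iterated and salted specifier."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k(passphrase, key_len, mode=0, salt=b"", coded_count=96, digest="sha1"):
    """Derive key_len octets from a passphrase.

    mode 0: simple, mode 1: salted, mode 3: iterated and salted
    (the specifier numbers assigned by RFC 2440).
    """
    if mode not in (0, 1, 3):
        raise ValueError("unknown S2K mode")
    if not passphrase:
        raise ValueError("empty passphrase")
    if mode in (1, 3) and len(salt) != 8:
        raise ValueError("salted modes need an 8-octet salt")
    data = (salt if mode else b"") + passphrase
    total = len(data)
    if mode == 3:
        # The count is a number of octets hashed, never less than one full pass.
        total = max(decode_count(coded_count), len(data))
    key, preload = b"", 0
    while len(key) < key_len:
        h = hashlib.new(digest)
        h.update(b"\x00" * preload)  # each extra context starts with zero octets
        full, rest = divmod(total, len(data))
        for _ in range(full):
            h.update(data)
        h.update(data[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]

# Constructed sample salt; a real one is random and stored with the key.
SALT = bytes(range(8))

if __name__ == "__main__":
    for m in (0, 1, 3):
        print(m, s2k(b"correct horse", 16, mode=m, salt=SALT).hex())
```

With mode 0 the same passphrase always yields the same key, so precomputed dictionaries apply directly; the salt in mode 1 defeats precomputation, and the octet count in mode 3 raises the cost of each guess.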

disable-cipher-algo

Name

disable-cipher-algo — prevents a symmetric cipher from being used

disable-cipher-algo name

Description

The parameter name specifies the name of a symmetric cipher algorithm to be disabled. If the named cipher is loaded after this option is processed it will not be disabled.

disable-pubkey-algo

Name

disable-pubkey-algo — prevents a public key cipher from being used

disable-pubkey-algo name

Description

The parameter name specifies the name of a public key cipher algorithm to be disabled. If the named cipher is loaded after this option is processed it will not be disabled.

throw-keyid

Name

throw-keyid — do not put key IDs into encrypted packets

throw-keyid

Description

This option hides the receiver of the encrypted data as a countermeasure against traffic analysis. It slows decryption, however, since in the worst case all the keys on a receiver’s private keyring must be tried to find the decryption key.

not-dash-escaped

Name

not-dash-escaped — changes the format of cleartext signatures

not-dash-escaped

Description

This option is useful for cleartext signatures on patch files. Messages signed this way should not be sent via email because all spaces and line endings are hashed too. This option cannot be used for data which has five dashes at the beginning of a line. A special header line is used to tell GnuPG that this option has been used.

escape-from-lines

Name

escape-from-lines — modifies messages beginning with “From” when cleartext signing

escape-from-lines

Description

Because some mailers change lines starting with “From” to “<From” this option is useful for instructing gpg to handle such lines specially when creating cleartext signatures. All other PGP versions do it this way too. This option is not enabled by default because it would violate rfc2440.
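The line handling behind not-dash-escaped and escape-from-lines, as an added example that is not GnuPG's own code: it applies the dash-escaping of RFC 2440 section 7.1 to a constructed patch, showing why a signed diff no longer applies as-is and which lines rule out not-dash-escaped. Treating “From ” lines with the same “- ” prefix is this example's model of escape-from-lines; all function names are illustrative.

```python
# Added example, not GnuPG source: dash-escaping of cleartext (RFC 2440, 7.1).

def dash_escape(text, escape_from=False):
    """Prefix '- ' to every line that starts with '-'.

    With escape_from=True, lines starting with 'From ' get the same prefix,
    so a mailer that rewrites such lines no longer changes the signed text.
    """
    out = []
    for line in text.split("\n"):
        if line.startswith("-") or (escape_from and line.startswith("From ")):
            line = "- " + line
        out.append(line)
    return "\n".join(out)

def dash_unescape(text):
    """Strip one leading '- ' from each escaped line (what a verifier does)."""
    return "\n".join(l[2:] if l.startswith("- ") else l for l in text.split("\n"))

def blocks_not_dash_escaped(text):
    """Lines starting with five dashes: unescaped, they look like armor lines."""
    return [l for l in text.split("\n") if l.startswith("-----")]

# Constructed sample: a small unified diff followed by a mail-style line.
PATCH = "\n".join([
    "--- a/hello.c",
    "+++ b/hello.c",
    "@@ -1,2 +1,2 @@",
    '-puts("hi");',
    '+puts("hello");',
    "From now on the greeting is longer.",
])

if __name__ == "__main__":
    print(dash_escape(PATCH, escape_from=True))
```

The escaped diff header reads `- --- a/hello.c`, which patch tools do not recognize until the signature framing is removed; that is the inconvenience not-dash-escaped avoids for patch files.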
