GPG / GNUPG

tags : Security, SSH, Linux, Networking, Email

What §

• PGP (“Pretty Good Privacy”): Name of the original commercial software
• OpenPGP: IETF standard compatible with the original PGP tool
• GnuPG (“Gnu Privacy Guard”): Free software that implements the OpenPGP standard
• gpg : CLI tool for GnuPG
• gpg2 : symlink to gpg

Understanding PGP keys §

Keyserver §

A PGP key will contain info in 2 parts

• Identity info : email, name etc.
  • This is not stored in the keyserver without consent
  • You verify your email here: keys.openpgp.org - upload
• Non-identify info: Rest of the key.
  • Used for encryption and signing

Basis §

A PGP key can have 4 capabilities(each key can have one of more of these caps):

• [S] for signing
• [E] for encryption
• [A] for authentication
• [C] for certifying other keys (This is the identity key)

Certification/Primary/Master key §

• This is the [C] key and is your digital identity. Take extra care.
• It’s not 100% correct to call this master key because this does not have the ability to decrypt stuff that was encrypted for one of the subkeys
• Can do these things
  • Add or revoke other keys (subkeys) with S/E/A capabilities
  • Add, change or revoke identities (uids) associated with the key
  • Add or change the expiration date on itself or any subkey
  • Sign other people’s keys for the web of trust purposes

Subkeys §

These can be same. But having these separate is useful, eg. workplaces can escrow your encryption key but if they escrow your signing key, that means they can impersonate you.

• There is NO technical differences between primary key and subkeys
• Since we created [C], now we need to create [S], [E], [A]

Web of Trust (WOT) §

GPG sort of adapted TOFU model from SSH to counter some problems of WOT

Web of trust - Wikipedia

• Is decentralized and sort of works on smaller groups.
• It’s an alternative to PKI
• This is a concept of the PGP compatible systems.

Certificates §

• OpenPGP certificates include one or more public keys along with owner information
• Sometimes done in Key Signing Parties! (LOOK IT UP!)

Issues §

Exposing key-id §

• Encrypted OpenPGP message by default exposes the key-id (not the user-id) of the recipient.
• Because of public keys are public, one might sometimes identify the recipient/track who is contacting a given recipient
• If you can intercept network traffic
• Solution: Remediated by using throw-keyid

user-id too verbose §

• user-id contain name and email by default, somewhat enforced by default GnuPG key generation process
• You can change this using --expert
• But now mail client will not be able to automatically find your key because they look up by email.

Uses §

Realtime communication §

• This usecase is not so common. Signal and other E2E enc systems use PKI but GPG itself is not directly used. Delta chat is one that uses GPG probably. But not a popular usecase.

Encryption and Signing §

• Probably one of the most popular usecase. Can send encrypted emails this way.

Backups and data recovery §

See Encryption

Links §

• Good summary of the state of gpg
• crypto/OpenPGP.md at master · weirdnik/crypto · GitHub
• The PGP Problem: A Critique [The Call of the Open Sidewalk]​
• Could Age Replace OpenPGP? [The Call of the Open Sidewalk]​
• itpol/protecting-code-integrity.md at master · lfit/itpol · GitHub