begriffs

An Advanced Intro to GnuPG

November 5, 2016
Newsletter ↳

I used to perceive PGP as an esoteric error-prone accessory to email. The talk below showed me that GnuPG is relevant to much more than emails. It gives everyone sophisticated tools for using strong crypto. It supports not only encrypting data in transit, but protecting long term data storage, verifying program integrity, and authenticating the source of messages.

Enjoy this talk by Neal Walfield, full-time contributor to GnuPG. Neal explains the OpenPGP standard, the GnuPG suite of programs, the structure of GnuPG messages, good security practices, and neat tricks you should know. The video below is released under the Creative Commons CC-BY license.

  • OpenPGP
    • data integrity for messages and files
    • RFC 4880
    • Good for data at rest
      • formats will be supported for decades
      • hence hard to phase out old algos
    • No interaction between encrypter and decrypter
      • cannot negotiate encryption params to our future partner
    • RFC 4880bis has new goodies
      • deprecate weak algos
      • new ecc curves (ed25519, curve448) — ecc is simpler and better than rsa, especially against timing attacks
  • OpenPGP Messages
    • No fixed format, package based
    • unbuffered, single pass processing to accommodate little embedded machines
    • seventeen types of packets!
  • Encryption algos
    • Encypting a message with the keys of multiple recipients would make a huge payload
    • Instead encrypt with a single “session” key
    • Encrypt the key itself for each recipient
    • gpg2 --list-packets – try encrypting a message and piping it in
  • How do you verify that the encrypted data was not modified?
    • You could sign it…but sometimes you want to remain anonymous
    • Use the MDS (modification detection system)
    • It has its own packet type, MDC, modification detection code
    • The MDC packet is always at the end of the message
    • Data signing algo acts on the message and also the header part of the HDC
  • OpenPGP is also used to communicate keys
    • Uses the same packet-based format to express them
    • But you should update and re-upload keys to signal that you support newer algorithms
  • GnuPG is one implementation
    • It’s not just a binary, it’s a multi-server architecture
    • It’s not a library either, the library is gpgme (GPG made easy)
    • Why the multi-server?
    • Each process is insulated from the address spaces of others
    • GnuPG 2.1 Components
      • GPG, low security — session encryption, encoding etc
      • GPG Agent, high security — manages private key and passwords, delegates to servers
      • (The above is similar to PC vs smartcard)
      • SmartCard Daemon — interacts with smartcards, packaged as a separate program
      • Pinentry — Not running all the time, just pops up to get a pin or passphrase. Use pinentrycurses or pinentrytty to avoid pulling in lots of (insecure?) libraries
      • Dirmngr — Interacts with keyservers, it’s the only program to interact with the network
    • The components talk with one another via IPC
      • Does NOT use dbus because dbus is complicated
      • Uses Assuan protocol, very simple, can do it yourself on the command line
  • Private key management
    • Online: pgp2 –gen-key, key stored locally, low security, must trust all local software
    • Offline (Store on a smartcard)
      • GnuK is the rad one, ubikey is not as good
      • It doesn’t use complicated crap that has been backdoored
      • you can build it yourself, or buy from FSF and support them
      • Nitro is a mass produced modified GnuK
      • Will need subkeys, slightly more complicated
      • NEED BACKUPS (cannot export keys)
      • Much higher security although malicious software might get in between the pin entry and the smartcard
  • Offline key management
    • Your BIOS is infected with malware, it really is
    • Use a dedicated offline computer
      • Old ThinkPad x40 or x60, cheap on ebay
      • Remove wireless network card
    • Boot Tails off USB
  • Generating secure passphrase
    • Adversary can guess 1 trillion per second – snowden
    • Do not use any natural language model
    • Also cannot use /dev/random | base64 because you can’t memorize it
    • Use diceware
      • Wordlists — diceware (8k) hard to remember, pgp biometric word list (512), voice of america’s simple english word list (1.5k)
  • MITM attacks
    • Mathematically it cannot be done over an insecure channel
    • Need a secure channel, like a geeky key signing party
      • Signing parties are NOT sufficient to build the “web of trust!”
      • It’s just one small step and it is a lot of work
    • Use the phone to verify a key where you can recognize someone’s voice
      • gpg2 –recv-key 630052D9
      • gpg2 –with-icao-spelling –fingerprint 630052D9
    • Web of trust is pretty much screwed because people don’t build it correctly
      • Cannot transitively verify people across key signing parties
      • You can verify that people are who they say they are, but not that you trust the info they give you
      • So only set people as fully trusted that you actually trust
  • Trust on First Use (TOFU)
    • That SSH thing that prompts you about unknown keys
    • NOBODY checks keys, who calls up the admin and asks for the server key?
    • But… it does tell you if the key gets changed
    • Tofu makes sure an adversary must perform an MITM if they want to keep fooling you, which is expensive
    • Aka tofu says that you’re always talking to the same person, even the same evil person
    • But it’s hard to consistently impersonate
    • Don’t need that web of trust business
    • pgp.conf: trust-model tofu+pgp
  • Key Management
    • When you get a signed message, fetch the key
    • Refresh keys often to update preferences, also to see if it is revoked
    • Do not use pgp2 –refresh-keys because it exposes your social network
    • Install parcimonie (it uses tor)
    • But future versions of dirmngr will include random intervals in key refreshes
  • Key Disclosure
    • What if the cops knock on your door?
    • Use the session key to decrypt a message, and that is all you need to give them!
  • Do not backup the RNG seed
    • Exclude .gnupg/random_seed!
  • Key Expiry
    • Always use an expiration
    • Means if you don’t extend it then it will expire
    • (You can certainly extend it though)
    • Bonus: people forced to refresh the key and get new prefs
  • Key Rotation
    • Getting a new ECC based key
    • When generating new key, cross sign the keys
    • The revocation message is only for people, so it won’t help machines
  • Cool tricks
    • Improving OpenSSH
      • It stores private keys on the hard drive
      • Can we do offline keys?
      • GnuPG implements the ssh agent protocol!
      • So gnupg can use the keys on your smart card
    • gpg-agent on a separate, secure PC