Rietta: Web Apps Where Security Matters
You are reading The Rietta Blog, a publication about the web since 2005.

Introduction to OpenPGP: Decrypt This Message

If you have been following the news in light of the revelations of the NSA domestic surveillance program, which is probably unconstitutional in the United States but in practice is being permitted by the courts, then you should know something about the encrypt everything movement and Google’s End-to-End project, which is to add OpenPGP to the Chrome web browser. If this is new to you, this fun challenge will help you get started with what you need to decrypt a message with GnuPG!

I’ve been a user of PGP and GnuPG for over a decade. I like the GNU Privacy Guard (GnuPG or GPG) because it is a GPL alternative to the PGP suite of cryptographic software. Encryption software is an important tool for protecting the confidentiality of information on the internet from prying eyes – both private parties and various governmental agencies.

It is a technology that lets you encrypt files and messages. Generally it is thought of as an e-mail encryption system, but its uses include protecting backups, storing secrets in your Git repository, and it is supported in major SQL database servers – such as in PostgreSQL.

OpenPGP Encryption Modes

Asymmetric Mode (Key Pairs)

OpenPGP supports two encryption modes. The most famous, and useful, is public key crypto where each user has his or her own private key that is kept confidential and the public key that is shared with anyone who needs to send encrypted messages. The Wikipedia article on public-key cryptography is a good place to start to read up on the foundation.

My OpenPGP public key since 2003 is 0x1F9016AF.

The normal mechanism for storing your private key is in a file on your computer that is protected by a passphrase, so it takes something you have (the key file) and something you know (the password) to decrypt messages or data that is encrypted to your associated public key. When you go to sign a message or decrypt a message that you have received, your computer prompts you for the password that locks the private key material. The password decrypts the key, which in turn decrypts the asymmetrically encrypted message that you want to open.

There is an OpenPGP Smart Card that uses Chip & PIN technology to protect the private key so that it is not stored on your general computer. I have several of these here in the Rietta office, and I will be sure to release a post about them in the future. One of my cards is pictured in the photo above. Basically, with these cards your private key is stored off your computer on the smart card that cannot be copied and is protected with a minimum 6 digit PIN.

Symmetric Mode (Passwords)

Whereas in the more powerful asymmetric mode, two related keys are used for encryption and then decryption of a message, in symmetric mode the same key is used for both encryption and decryption.

Really, for all practical purposes that means the data is encrypted with a password that you choose! The challenge then is two-fold:

  1. Choosing a sufficiently random, high-entropy password that is resilient against brute-force attack
  2. Communicating that password to your recipient so that the data can be decrypted

These are two big challenges, but in many cases this may be all you need.

In fact, full drive encryption software such as Microsoft Bitlocker and Apple FileVault work on the same principle.

Read on to the challenge below, in which you will decrypt a secret message that was enciphered with a symmetric key!

The Challenge

Decrypt this message

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

jA0ECQMCV530KEoloxPQ0ukB5br5XkO4HB0UNpLYWbPd2i6yKVmSiHYXqNuQrI5S
swr0OymJPDDazkjn5+V44prkPMGq4JtlSjjlLrFfeb7s9te9rtKCRUDZdVl6dIOF
t/CyN0QQV/dYENcBO2onRyOmj1+pWqSyesX906gZNVjp8MUi44ukOIGpbeUKPZ98
PeE3xieYYRV1NGY2DWzSmDPrF0GOnByZD5UswRc2DadwhE7eT18Q6qlceK0wntim
CzL92gvpltiwBlWq5q29owGY3pfjM2gdwQlPpW4vrM9CTZ+LX/yyGOR6QC0I/Zfr
8qI6peI9p8Fs/999Gn4uub7rH0G0oWQDtLzOfwD/UCrWMcKi6gONJP4bHndnMPzm
Srs0zFoFXj3WKHI6pY6e+md2m1dNJ/cuhH+9lGRdMk2rYMfruYDOfqrO56jSmd+H
buUphwU/+KweHNwkvCXlirdmWUbytJ72OiOeDNSZ33WyoEnf4muCY3LiD2mTrnde
usG5Npe0FmJtI9hxGhSgF1vJNdNL79nSKrYa1KPVz70/HlKo2toyAJEY7P0XTVil
/NFLEmINdlfxZay5friRdn/sLuGn/fI9n8Q1oYYrULMiUx4iXbvMz52EZ3rJp+IS
2YwEO4wxy+1FsUOFHHHa06Ruwo9/DTv67WpDbgLuxjbv3wx184sfpTCy3oXmLEZ4
8UhDHJGITkNmd5Z9Xi+eZhYT6cpoUrxuZnLC7tS5NMsu4Cz9bqVYaBAk/k49lqUA
mSsyb1FscxopCTrSy+WV5kW5V/2XAOOHzjc=
=AJfS
-----END PGP MESSAGE-----

How the above cipher-text was prepared

I have encrypted a fun, secret message using GnuPG with the following symmetric key (a password):

VseIokxmYYc6gY5X

The command I used was:

gpg -a --symmetric --cipher-algo AES256 the-challenge.txt

The -a flag told GPG to write the output in ASCII encoding rather than binary. I chose this because I knew that I was going to copy the text from the resulting the-challenge.txt.asc file and paste it into this blog post, as seen above.

If I were going to encrypt a file to store it on a thumb drive or some such situation, I would not have used the -a flag. In that case, GnuPG would have written to an output file called the-challenge.txt.gpg. I have used this trick for years, and in my experience the size of the binary .gpg file is equivalent to that of a gzip-compressed .gz file. In other words, if you take a large tarball file and encrypt it with GnuPG instead of compressing it with gzip, then the resulting output file will be approximately the same size – within a margin of a few bytes!
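What the unencrypted header of the challenge message reveals, as an added example (not code from the original post): it decodes the first armor line of the message above and parses the leading packets following RFC 4880. The function and table names are assumptions of this example, and the lookup tables list only common algorithm IDs.

```python
import base64

# First armor line of the challenge message on this page (48 bytes decoded).
FIRST_LINE = "jA0ECQMCV530KEoloxPQ0ukB5br5XkO4HB0UNpLYWbPd2i6yKVmSiHYXqNuQrI5S"
CIPHERS = {7: "AES128", 8: "AES192", 9: "AES256"}        # RFC 4880 section 9.2
HASHES = {1: "MD5", 2: "SHA1", 8: "SHA256", 10: "SHA512"}  # section 9.4
S2K_TYPES = {0: "simple", 1: "salted", 3: "iterated+salted"}

def read_header(data, pos):
    """Return (tag, body_length, body_offset) for the packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag, l1 = first & 0x3F, data[pos + 1]
        if l1 < 192:
            return tag, l1, pos + 2
        if l1 < 224:
            return tag, ((l1 - 192) << 8) + data[pos + 2] + 192, pos + 3
        if l1 < 255:                                   # first partial-body chunk
            return tag, 1 << (l1 & 0x1F), pos + 2
        return tag, int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
    tag, ltype = (first >> 2) & 0x0F, first & 0x03     # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length is not supported here")
    n = 1 << ltype                                     # 1, 2 or 4 length octets
    return tag, int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_skesk(body):
    """Decode a v4 Symmetric-Key Encrypted Session Key packet body (tag 3)."""
    if body[0] != 4:
        raise ValueError("only SKESK version 4 is handled")
    info = {"cipher": CIPHERS.get(body[1], body[1]),
            "s2k": S2K_TYPES.get(body[2], body[2]),
            "hash": HASHES.get(body[3], body[3])}
    if body[2] in (1, 3):
        info["salt"] = body[4:12].hex()
    if body[2] == 3:
        c = body[12]                                   # coded count octet
        info["count"] = (16 + (c & 15)) << ((c >> 4) + 6)  # octets hashed
    return info

def inspect_challenge(first_line=FIRST_LINE):
    """Return (SKESK fields, tag of the packet that follows it)."""
    data = base64.b64decode(first_line)
    tag, length, off = read_header(data, 0)
    if tag != 3:
        raise ValueError("message does not start with an SKESK packet")
    return parse_skesk(data[off:off + length]), read_header(data, off + length)[0]
```

Calling inspect_challenge() shows the cipher, hash, salt and iteration count in the clear, followed by packet tag 18 (integrity-protected encrypted data). Anyone holding the cipher-text can read these parameters, so the entropy of the password is what resists a brute-force attack.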

If you are already a user of OpenPGP software, then this challenge is going to be a simple one: paste the cipher-text into GnuPG and decrypt it with the password above.

To solve the challenge

  1. Install GnuPG on your system, if you do not already have it
  2. Decrypt the message that I posted.
    • Hint, you will want to use gpg -d if you are on the command line.
    • Running gpg -d will cause your terminal to block for input. Paste the cipher-text above into your terminal, enter the password if prompted, then press Enter and then Ctrl+D to tell the system that it is at the end of the input. GnuPG will then present to you the decrypted plain-text for this cipher-text.
  3. Share your thoughts in the comments section below!
  4. Use the links in the further reading section to learn all about GnuPG, setting up your own public/private key pair, and the web of trust. It is in asymmetric mode of operation that the true power of OpenPGP can be realized.

Installing GnuPG on your system

In Linux

There is a good chance that GnuPG is already installed on your system, as it is used to verify packages in some Linux distributions. If not, use your package manager to install it, for example with apt-get install gnupg on Ubuntu or Debian. Read more at GnuPrivacyGuard Howto.

There are two branches of GnuPG: the classic 1.x and the latest 2.x. I am personally using GnuPG 2 and am not sure why it's not the default on most Linux distributions. Ubuntu seems to have a gnupg2 package, if you want to go with the latest version.

On Mac OS X

There are a couple of ways to get GnuPG installed on your Mac OS X system. My personal preference is through Homebrew, which is a FreeBSD-like ports collection that makes tons of open source tools available on the Mac. In their words, “Homebrew installs the stuff you need that Apple didn’t.”

A good alternative though is to install the GPG Tools for Mac OS X. It’s a nice GUI package.

Via Homebrew

The command to download and install Homebrew from terminal is:

ruby -e "$(curl -fsSL https://raw.github.com/Homebrew/homebrew/go/install)"

You can read more about the Homebrew Installation Instructions.

Once you have that, you can install GnuPG 2 by running:

brew install gnupg2

Via GPG Tools

The alternative if you do not want to build GnuPG from source for your Mac OS X system is to download GPG Tools. It’s a nice packaged version for OS X that includes GPGMail for Apple Mail!

In Windows

In Windows, a complete, free implementation of OpenPGP is GPG4Win.

Further reading

About Frank Rietta

Frank Rietta specializes in working with startups, new Internet businesses, and in developing with the Ruby on Rails platform to build scalable businesses. He is a computer scientist with a Master's in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.
