3/18/09
Secure Forms Part 2, GPG Keys
This is part two of a series of tutorials demonstrating how to set up a secure online form for your website. We will be using the GNU Privacy Guard (GPG or GnuPG) to encrypt and decrypt the messages for us. GPG is a complete and free implementation of the OpenPGP standard. Today we will look at how to create a public/private key pair and export the public half for use on our web server.
We’ll start off by opening the command prompt. Click Start and choose Run… Type in cmd and hit Enter. Now we’re ready to get to work. The first thing we need to do is create a public/private key pair. The public key will be used on the web server to encrypt the message, while the private key will be used on our local machine to decrypt the message. The private key never leaves our local machine; anyone who breaks into the web server gets only the public key, which cannot decrypt anything. To create a key pair, type gpg --gen-key We will then be asked to choose what kind of key we want. We want the default option, which is number one (DSA and Elgamal), so we can just hit Enter to continue. (That default belongs to the GnuPG 1.4 series that was current when this was written; GnuPG 2.x defaults to RSA and RSA and its prompts differ slightly, but the rest of the procedure is the same.)
Next we must choose what key size we want. This size applies to the Elgamal encryption key (the DSA signing key in this version is fixed at 1024 bits). I’ll be accepting the default of 2048 for this tutorial, so I’ll just hit Enter and continue. Don’t go below 2048; larger is fine, it only makes key generation slower.
Next we need to specify how long we would like the key to be valid. Since we’ll be using this to encrypt forms from our website, we don’t really want it to expire. The default of 0 creates a key that doesn’t expire. It will ask for confirmation, so we’ll type y and hit Enter. Two things to keep in mind with a non-expiring key: you can always add an expiry later with gpg --edit-key and the expire command, and if the private key or its passphrase is ever lost, every form submission encrypted to this key becomes unreadable, so keep a backup of the private key (gpg --export-secret-keys) somewhere offline.
Next we need to enter a few details to create a user ID to identify our key. We will first be asked for our real name, after which we will be asked for our email address, and finally for an optional comment. We will then have a chance to edit our choices before creating the key. When you are happy with them, type o (for Okay) and hit Enter to create the new key.
Finally, we need a passphrase. Whenever we receive an encrypted message from our website, we will be asked to enter this passphrase before we can decrypt the message. The passphrase only protects the private key stored on this machine; it is never used on, or sent to, the web server, so pick a long one. (Please note: You will not be able to see the letters as you enter them, so you’ll have to keep track of what you’re typing yourself). We must then repeat the passphrase to confirm it.
After successfully setting our passphrase, the key pair will be generated. This will take a little bit of time. Keystrokes and mouse movements will be used as a source of randomness for the key, so feel free to move your mouse around and pound away at the keyboard. Here is the final output:
To ensure that our key was created, type gpg --list-keys (gpg --list-secret-keys shows the private half, which should also be there).
Perfect. Now all that’s left is to export the public key so that we can transfer it to our web server. The following command will export the key to My Documents and save it in a file called public.asc. gpg --export -a "User Name" > "my documents\public.asc" Replace User Name with the real name you entered when creating the key; the email address or the key ID shown by --list-keys works as well. The -a (--armor) switch writes the key as plain ASCII text rather than binary, which is what makes it easy to copy around. Note that --export only ever writes the public key; the similar-looking --export-secret-keys writes the private key, and that file must never be copied to the server.
Now we’ll head over to My Documents to check out our new key. Windows most likely won’t recognize an .asc file and will tell us it cannot open it. It will however, give us the option of either using a Web service to find the appropriate program to open it, or choosing a program from a list of already installed programs. We’ll choose option two (Select the program from a list) since notepad will open our key file just fine.
Choose Notepad from the list and leave Always use the selected program to open this kind of file checked. Click OK and we should be set.
Here is the public key in all its glory:
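Before the file leaves the workstation it is worth confirming that what we exported really is the public half, and that it survived copying intact. The script below is an added example written for this article; it is not part of the original tutorial and not GnuPG code. It reads an ASCII-armored key block, verifies the armor checksum, walks the OpenPGP packet headers and refuses anything that carries secret-key material. The sample key block it builds at the end is constructed here with dummy numbers and is not a usable key; the user ID User Name (comment) <user@example.com> and the creation date are assumptions.

```python
"""Check an ASCII-armored key file (public.asc) before it goes to the server.
Added example, not from the tutorial or GnuPG: plain-Python armor (RFC 4880 s.6)
and packet-header (s.4.2) parsing, no gpg call; sample keys use dummy numbers."""
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
TAG_NAMES = {2: "Signature", 5: "Secret-Key", 6: "Public-Key", 7: "Secret-Subkey",
             13: "User ID", 14: "Public-Subkey"}        # RFC 4880 section 4.3
SECRET_TAGS = {5, 7}

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (the '=XXXX' line under the base64)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, block_type="PUBLIC KEY BLOCK") -> str:
    """Wrap packet bytes in ASCII armor the way 'gpg -a' does."""
    b64 = base64.b64encode(data).decode()
    crc = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {block_type}-----", "Version: example", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + [crc, f"-----END PGP {block_type}-----", ""])

def dearmor(text: str):
    """Return (block_type, packet_bytes); ValueError on bad armor or checksum."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)\n-----END PGP \1-----",
                  text.replace("\r\n", "\n"), re.S)     # Notepad saves CRLF
    if not m:
        raise ValueError("no armored block found")
    lines = m.group(2).split("\n")
    if "" in lines:                                     # armor headers end at a blank line
        lines = lines[lines.index("") + 1:]
    data = base64.b64decode("".join(ln for ln in lines if ln and ln[0] != "="), validate=True)
    crc = [ln for ln in lines if ln.startswith("=")]
    if not crc or int.from_bytes(base64.b64decode(crc[-1][1:]), "big") != crc24(data):
        raise ValueError("armor checksum missing or wrong: file corrupt or edited")
    return m.group(1), data

def parse_packets(data: bytes):
    """Walk old-format packet headers (what gpg writes for exported keys); new-format rejected."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if (ctb & 0xC0) != 0x80:
            raise ValueError(f"no old-format packet header at offset {pos}")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length not supported here")
        hdr = 1 + (1 << ltype)                          # 1-, 2- or 4-octet length
        length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        packets.append((tag, TAG_NAMES.get(tag, f"tag {tag}"), length))
        pos += hdr + length
    if pos != len(data):
        raise ValueError("last packet runs past end of data")
    return packets

def check_exportable(text: str) -> dict:
    """Is this .asc intact, and does it hold public material only?"""
    block_type, data = dearmor(text)
    packets = parse_packets(data)
    tags = {tag for tag, _, _ in packets}
    problems = []
    if block_type != "PUBLIC KEY BLOCK":
        problems.append(f"armor says {block_type!r}, not a public key block")
    if tags & SECRET_TAGS:
        problems.append("contains secret-key packets: never copy this to a server")
    if 6 not in tags or 13 not in tags:
        problems.append("missing primary public-key or user ID packet")
    return {"block_type": block_type, "packets": packets, "problems": problems, "ok": not problems}

def _mpi(n: int) -> bytes:                              # RFC 4880 s.3.2 integer
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _packet(tag: int, body: bytes) -> bytes:            # old-format, 2-octet length
    return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body

def build_sample_key_block(secret=False) -> str:
    """Constructed v4 DSA key + user ID + Elgamal subkey, dated 2009-03-18 (assumed), toy MPIs,
    no self-signatures.  secret=True mimics an accidental --export-secret-keys (tags 5/7)."""
    created = (1237334400).to_bytes(4, "big")
    dsa = b"\x04" + created + b"\x11" + _mpi(23) + _mpi(11) + _mpi(4) + _mpi(8)  # algo 17
    elg = b"\x04" + created + b"\x10" + _mpi(23) + _mpi(5) + _mpi(8)             # algo 16
    uid = b"User Name (comment) <user@example.com>"                              # assumed
    if secret:   # s2k usage 0, plain secret MPI, dummy 2-octet checksum
        return armor(_packet(5, dsa + b"\x00" + _mpi(3) + b"\x00\x00") + _packet(13, uid)
                     + _packet(7, elg + b"\x00" + _mpi(6) + b"\x00\x00"), "PRIVATE KEY BLOCK")
    return armor(_packet(6, dsa) + _packet(13, uid) + _packet(14, elg))

if __name__ == "__main__":
    for secret in (False, True):
        r = check_exportable(build_sample_key_block(secret))
        print([n for _, n, _ in r["packets"]], "OK to publish" if r["ok"] else r["problems"])
```

To use it on the real file, call check_exportable(open("public.asc").read()) and look at the problems list: a real export will show Public-Key, User ID, one or more Signature packets (the self-signatures the constructed sample leaves out) and a Public-Subkey, and nothing tagged Secret-Key or Secret-Subkey. The checksum test also catches the classic copy-and-paste damage (a dropped line or a stray character) before the key is pasted into a server-side script.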
That’s all for now folks. Next time we’ll take a look at moving the public key to the server where we can put it to use encrypting our messages.