3/18/09

Secure Forms Part 2, GPG Keys

This is part two of a series of tutorials demonstrating how to set up a secure online form for your website. We will be using the GNU Privacy Guard (GPG or GnuPG) to encrypt and decrypt the messages for us. GPG is a complete and free implementation of the OpenPGP standard. Today we will look at how to create a public/private key pair and export it for use on our web server.

We’ll start off by opening the command prompt. Click Start and choose Run… Type in cmd and hit Enter. Now we’re ready to get to work. The first thing we need to do is create a public/private key pair. The public key will be used on the web server to encrypt the message, while the private key will be used on our local machine to decrypt the message. To create a key pair, type gpg --gen-key and hit Enter. We will then be asked to choose what kind of key we want. We want the default option, which is number one (DSA and Elgamal), so we can just hit Enter to continue.

GPG Key #1

Next we must choose what key size we want. I’ll be accepting the default of 2048 for this tutorial, so I’ll just hit Enter and continue.

GPG Key #2

Next we need to specify how long we would like the key to be valid. Since we’ll be using this to encrypt forms from our website, we don’t really want it to expire. The default of 0 creates a key that doesn’t expire. It will ask for confirmation, so we’ll type y and hit Enter.

GPG Key #3

Next we need to enter a few details to create a user ID to identify our key. We will first be asked for our real name, after which we will be asked for our email address, and finally we must enter a comment. We will then have a chance to edit our choices before creating the key. When you have finished, type o and hit Enter to create the new key.

GPG Key #4

Finally, we need a passphrase. Whenever we receive an encrypted message from our website, we will be asked to enter this passphrase before we can decrypt the message. (Please note: You will not be able to see the letters as you enter them, so you’ll have to keep track of what you’re typing yourself.) We must then repeat the passphrase just to be safe.

GPG Key #5

After successfully setting our passphrase, the encryption key will be generated. This will take a little bit of time. Keystrokes and mouse movements will be used to ensure the generation of a random key, so feel free to move your mouse around and pound away at the keyboard. Here is the final output:

GPG Key #6

To ensure that our key was created, type gpg --list-keys

GPG Key #7

Perfect. Now all that’s left is to export the public key so that we can transfer it to our web server. The following command will export the key to My Documents and save it in a file called public.asc:

gpg --export -a "User Name" > "my documents\public.asc"

Replace User Name with the real name you entered when creating the key.

GPG Key #8

Now we’ll head over to My Documents to check out our new key. Windows most likely won’t recognize an .asc file and will tell us it cannot open it. It will, however, give us the option of either using a Web service to find the appropriate program to open it, or choosing a program from a list of already installed programs. We’ll choose option two (Select the program from a list) since Notepad will open our key file just fine.

GPG Key #9

Choose Notepad from the list and leave Always use the selected program to open this kind of file checked. Click OK and we should be set.

GPG Key #10

Here is the public key in all its glory:

GPG Key #11
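Before copying public.asc to the server, it is worth confirming that the file is intact and really holds only public-key material. This added example (not part of the original tutorial) verifies the armor's CRC-24 and walks the OpenPGP packet headers as defined in RFC 4880; the armored input it ships with is a constructed stand-in, not a real key.

```python
import base64

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1 (init 0xB704CE, polynomial 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> tuple[str, bytes]:
    """Return (block type, packet bytes); raise ValueError if the CRC line disagrees."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored OpenPGP file")
    body = lines[lines.index("") + 1:-1] if "" in lines else lines[1:-1]  # skip "Version:" header
    crc_line = body.pop() if body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body))
    if crc_line and crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: file is corrupted or truncated")
    return lines[0][15:-5], raw

def packet_tags(raw: bytes) -> list[int]:
    """Walk old-format packet headers (the form GnuPG 1.4 writes for key, user-id and signature packets)."""
    tags, i = [], 0
    while i < len(raw):
        hdr, n = raw[i], {0: 1, 1: 2, 2: 4}.get(raw[i] & 3)  # tag in bits 2-5, length type in bits 0-1
        if hdr & 0xC0 != 0x80 or n is None:
            raise ValueError("unsupported packet header at offset %d" % i)
        tags.append((hdr >> 2) & 0x0F)
        i += 1 + n + int.from_bytes(raw[i + 1:i + 1 + n], "big")
    return tags

def check_public_export(text: str) -> list[int]:
    """Packet tags (6 public key, 13 user id, 2 signature, 14 public subkey) of a file that is
    safe to publish; ValueError if it is not a PUBLIC KEY BLOCK or holds a secret key (5 or 7)."""
    kind, raw = dearmor(text)
    tags = packet_tags(raw)
    if kind != "PUBLIC KEY BLOCK" or any(t in (5, 7) for t in tags):
        raise ValueError("file contains secret-key material; do not upload it")
    return tags

def armor(raw: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:  # builds the sample below
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP %s-----\n\n%s\n=%s\n-----END PGP %s-----\n" % (kind, base64.b64encode(raw).decode(), crc, kind)

# Constructed sample, not a real key: dummy public-key packet (tag 6, header 0x98) + user-id packet (tag 13, 0xB4).
SAMPLE_PUBLIC = armor(bytes([0x98, 3, 4, 0, 0, 0xB4, 12]) + b"Test <t@x.y>")
```

On the real export, call check_public_export(open("public.asc").read()); a DSA/Elgamal key exported as above should come back as [6, 13, 2, 14, 2], and any ValueError means the file must not be copied to the server.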

That’s all for now folks. Next time we’ll take a look at moving the public key to the server where we can put it to use encrypting our messages.

Posted in Security | No Comments »

2/24/09

Secure Forms Part 1, Install GPG

This is part one of a series of tutorials demonstrating how to set up a secure online form for your website. We will be using the GNU Privacy Guard (GPG or GnuPG) to encrypt and decrypt the messages for us. GPG is a complete and free implementation of the OpenPGP standard. Today we will look at how to set up GPG on our personal computer.

We must have GPG installed locally to decrypt the messages that we’ll be receiving from our online form. We’ll also need a mail reader that can work with GPG, but we’ll cover that in a future lesson. Finally, although I personally use Linux, I’m going to be showing you how to set this up on a Windows XP machine.

First, we need to download GPG. The exact file we need is called gnupg-w32cli-1.4.9.exe and can be found at ftp://ftp.gnupg.org/gcrypt/binary/

Once it’s finished downloading, we’ll go ahead and install it. First, we’ll choose a language.

Choose a Language

Then we’ll start the installation by clicking Next.

Start the Installation

To continue with the installation, we have to agree to the GNU General Public License.

GNU General Public License

I don’t need support for languages other than English, so I’ve unchecked the NLS option. If you need support for other languages, leave the NLS option checked. I’ve left the Tools and Documentation options checked.

GPG Options

I’ll be installing GPG to its default location. While you are free to change this, be warned that you’ll have to modify some of the instructions later on if you choose a different location.

GPG Location

Next it will ask us to choose our preferred start menu folder for GPG. I accepted the default start menu folder, but feel free to change this if you’d like. Then click Install. When the installation is complete, click Next. Then choose whether or not you want to view the README file, and click Finish.

Now that we have GPG installed, we need to let Windows know where it’s stored so that other programs (such as Thunderbird) can access it. To do that, we’ll open the Start Menu, right-click on My Computer, and choose Properties. Under the Advanced tab, choose Environment Variables near the bottom.

Environment Variables

In the System Variables section, locate the Path variable. Click it once, and choose Edit.

Add a New Path

At the end of Variable value, add ";C:\Program Files\GNU\GnuPG" and click OK. A few notes on this step. First, the semi-colon at the beginning is not a typo. You’ll need it there. Second, make sure you don’t leave a trailing space at the end of the line. Finally, if you decided to install GPG somewhere other than the default location, you will need to enter the path to the location you specified. However, if you used the default location (as I did in the example) you should be fine following my instructions to the letter.

Add GPG to Paths

Click OK on the Environment Variables window, and then OK in the System Properties window. We should now be ready to use GPG. Just to make sure, we’ll run a quick little test. GPG is a command line program, so click the Start button and choose Run… Then type cmd and hit Enter. Now we should be ready to run some commands. To check what version of GPG is installed (and to make sure that it installed properly) type gpg --version and hit Enter. You should see something like this:

gpg --version

Alright, that’s it for this lesson. In Secure Forms - Part 2 we’ll start learning how to actually use the program.

If you found this tutorial useful, or if you have any questions about this subject, please leave a comment below.