Running Linux, 5th Edition - Matthias Kalle Dalheimer
to exchange messages; the problem is said to be of O(n²) complexity.

These problems haunted cryptography until the mid-1970s, when Whitfield Diffie and Martin Hellman invented a new method of key exchange that no longer required a shared secret. They used asymmetrical encryption, where the encryption key is public, but the decryption key is secret. In this scheme, everyone can encrypt a message to, say, Alice, but only Alice can decrypt it with her secret key.

This makes it easy to address the situation described earlier: encrypt the message to each recipient using that recipient's public key. Only the intended recipients can read the message. In addition, there is only one key for each person, instead of one per pair of persons; the problem is said to be reduced to O(n) complexity. Glossing over the new problem of ensuring that a public key marked as belonging to Alice actually does belong to her, encrypting a message to another person is as easy as downloading her public key from a keyserver and then encrypting the message to that key. (We discuss the problem we glossed over here in "The Web of Trust" later in this chapter.)

Creating a New Key Pair

To be able to send and receive messages using public-key encryption, you have to own a secret and a public key—that is, a key pair. They can be created using the command gpg --gen-key. In this mode, GnuPG will prompt you with a series of questions, at the end of which it has generated a new key pair. The following shows a screen capture of the procedure for GnuPG 1.4.0. GnuPG asks for a passphrase that is used to protect (lock away) your secret key. It is not used to encrypt any messages later on.

$ gpg --gen-key
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Tue Mar  2 10:33:35 2010 CET
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: John Doe
Email address: john@doe.example.net
Comment: work
You selected this USER-ID:
    "John Doe (work) <john@doe.example.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter passphrase:
Re-enter passphrase:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++++++++++++++++++++++++++++++++.++++++++++.++++++++++.++++++++++++
++++++++...+++++.++++++++++++++++++++..+++++...++++++++++++++++++++>+++++.++
+++..+++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.++++++++++.++++
+.+++++..+++++++++++++++.+++++.+++++.++++++++++++++++++++..+++++++++++++++..
.+++++>++++++++++.....>+++++................................>+++++..........
.........<+++++...........+++++^^^^
gpg: key 461BA2AB marked as ultimately trusted
public and secret key created and signed.

gpg: please do a --check-trustdb
pub   1024D/461BA2AB 2005-03-03 [expires: 2010-03-02]
      Key fingerprint = E880 E195 62A8 9EFD ED83 3CD7 0B38 4F5D 461B A2AB
uid                  John Doe (work) <john@doe.example.net>
sub   2048g/6D18BF84 2005-03-03 [expires: 2010-03-02]
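The same answers can be given unattended through GnuPG's batch parameter file, which is useful when keys are provisioned by a script rather than typed in; the following is an added example, not the book's code. The home directory, passphrase and output path are constructed placeholders; the parameter keywords are GnuPG's documented unattended key-generation syntax.

```shell
#!/bin/sh
# Added example (not from the book): the interactive gpg --gen-key session
# answered unattended with a GnuPG batch parameter file. The home dir,
# passphrase and paths are constructed placeholders.

# Write the answers from the interactive run (DSA 1024 + ELG-E 2048,
# John Doe, work, 5-year expiry) as a parameter file at path $1.
# Key-Length 1024 mirrors the 2005 session; current defaults are larger.
write_gen_params() {
    cat > "$1" <<'EOF'
%echo Generating the DSA/Elgamal key pair from the book, unattended
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 2048
Name-Real: John Doe
Name-Comment: work
Name-Email: john@doe.example.net
Expire-Date: 5y
Passphrase: constructed-placeholder-passphrase
%commit
%echo done
EOF
}

# Generate into a private GnuPG home ($1) so the user's real keyring is
# untouched, then list the new key with its full fingerprint. Prime
# generation still needs entropy, exactly as in the interactive run.
# On GnuPG 2.1+ add --pinentry-mode loopback if the agent prompts anyway.
gen_key() {
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --gen-key "$2" || return 1
    gpg --homedir "$1" --fingerprint --list-keys john@doe.example.net
}

# Write the parameter file under $1 and run the generation if gpg exists.
gen_key_if_available() {
    params="$1/gen-key.params"
    mkdir -p "$1"
    write_gen_params "$params"
    if command -v gpg >/dev/null 2>&1; then
        gen_key "$1/gnupg-home" "$params"
    else
        echo "gpg not installed; parameter file left at $params" >&2
    fi
}

# Usage: sh gen-key-batch.sh /tmp/gpg-demo
if [ $# -ge 1 ]; then
    gen_key_if_available "$1"
fi
```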

After creating the
