Asymmetric cryptography, also known as public-key cryptography, is a process that uses a pair of related keys – one public key and one private key – to encrypt and decrypt a message and protect it from unauthorized access or use.
A public key is a cryptographic key that can be used by any person to encrypt a message so that it can only be decrypted by the intended recipient with their private key.
- When someone wants to send an encrypted message, they can pull the intended recipient’s public key from a public directory and use it to encrypt the message before sending it. The recipient of the message can then decrypt the message using their related private key.
If the sender encrypts the message using their private key, the message can be decrypted only using that sender’s public key, thus authenticating the sender. These encryption and decryption processes happen automatically; users do not need to physically lock and unlock the message. Asymmetric encryption It is by far the most secure encryption process because users are never required to reveal or share their private keys, thus decreasing the chances of a cybercriminal discovering a user’s private key during transmission.
One of the best implementations of the Asymmetric,symmetric algorithms is
by using GNUPG also known as GPG
which is a Cross-Platform free software.
So let’s take a look on how we could use GnuPG to do that.
Generate GPG keys
gpg --full-gen-key
To list your keyrings
gpg --list-keys
Or by using
gpg --list-public-keys
List your secret key
gpg --list-secret-keys
Export your own public gpg key for others
gpg --armor --export user-id > public_key.asc
Note
If you’re not sure what’s youruser-id
- You can find it with
gpg --list-key | grep -B 3 "Your name or email address (or the name you used when generating the keys)"
# Example
gpg --list-key | grep -B 3 "anas@cschad.com"
# It's the line containing 40 characters
Export your own private gpg key (Keep it safe)
gpg --armor --export-secret-keys user-id > pubkey.asc
Upload your key to keys.opengpg.org so people can easily find your key
gpg --export your_address@example.net | curl -T - https://keys.openpgp.org
Export someone’s public key
gpg --import my_friends_public_key.asc
Find someone’s key
gpg --auto-key-locate keyserver --locate-keys user@example.net
You can also search/upload keys directly from
https://keys.openpgp.org
To refresh all your keys (e.g. new revocation certificates and subkeys):
gpg --refresh-keys
gpg –edit-key
This will bring you to a gpg command line interface from which you can display the fingerprint using:
fpr
Once verified with the owner, you can sign the key using:
sign
Then, to double check that it is signed, you can run:
check
To exit from gpg cli, enter: “quit” or hit Ctrl+d You will be asked if you want to “Save Changes? (y/N)”, enter y for this. Now you have validated that public key.
To encrypt a file
gpg -e -r keyId filename
Key revocation
If your private key got compromised or no longer active …
gpg --output revocation_cert.asc --gen-revoke keyId
After your keypair is created you should immediately generate a revocation certificate for the primary public key using the option –gen-revoke. If you forget your passphrase or if your private key is compromised or lost, this revocation certificate may be published to notify others that the public key should no longer be used.
- Note that you cannot create this revocation certificate after you’ve lost your private key! So it is recommended to create one at the same time that you create the key pair, then keep it in a really safe place. If you had to use this revocation certificate, you would do the following to update your keyring:
Delete a key
gpg --delete-secret-key [uid]
gpg --delete-key [uid]
Send someone an encrypted message
After you have imported his gpg public key and verify its fingerprint with him Then you sign the public key.
Now you want to send him an encrypted document using his public key
gpg --output doc.gpg --encrypt --recipient (hisemail|ID|uid) doc_you_wish_to_send.txt
Decrypt a message you have received
gpg --output doc --decrypt doc.gpg
Making and verifying signatures
To make a digital signature that the file you have uploaded … send has not been tempered with.
gpg --output doc.sig --sign doc
This is not very useful since you’ll have to decrypt the doc and edit the keys etc
a Better way is to use detached signatures
Detached signatures (recommended)
To make a signature
gpg --output doc.sig --detach-sig doc
To verify a signature of a file you need both the signature and the file.
gpg --verify doc.sig doc
the output should look something like: Good signature from “xxx” email@example.com