____________________

 CRYPTOGRAPHY HOWTO

 David K. Trudgett
____________________


Table of Contents
_________________

1. The OpenPGP Standard
2. Getting Set Up With OpenPGP Tools
3. How to Verify the Integrity and Authorship of Files in this Gopherhole
.. 1. Downloading and Importing the Key from here
.. 2. Obtaining the Public Key from a Public Keyserver
.. 3. Verifying a Downloaded File Against its Signature


1 The OpenPGP Standard
======================

OpenPGP is the internet open standard derived from Phil Zimmermann's original PGP encryption program and its subsequent development. For an overview, you may wish to refer to the [Pretty Good Privacy] article on Wikipedia.

Many sources of information, including the [OpenPGP website] itself, will tell you that OpenPGP is an email encryption standard. That is not the whole story. It is an open encryption and digital signature standard which can be applied to virtually anything: files, documents, whole disk contents, and so on. It is also commonly applied to email communications; however, it is not limited to that domain.

This gopherhole, for instance, uses OpenPGP (and, in particular, the GnuPG implementation of it) to provide cryptographic signatures for the main files which are available for download. When you verify one of these signatures against my public key, you can be assured of two things:

1. The file was signed by the holder of that key, i.e. by me, provided you have confirmed (by checking its fingerprint, as described in section 3) that the key really is mine; and
2. The file has not been altered in any way, shape or form since I created and signed it.

The second point also tells you that the file was not corrupted during the download process.


[Pretty Good Privacy]

[OpenPGP website]


2 Getting Set Up With OpenPGP Tools
===================================

All of the major platforms, such as Linux, the BSDs, Mac OS, Windows, iOS and Android, have OpenPGP implementations available for them. If you have not yet read my Recipe for Freedom snippet, you should consider doing so, as it contains further rationale and links to practical things you can do to increase privacy and freedom in general.
3 How to Verify the Integrity and Authorship of Files in this Gopherhole
========================================================================

Having installed and configured your OpenPGP implementation according to the suggestions under the previous heading, you are now ready to perform the simple steps required to verify the integrity and authorship of the files you download from this gopherhole.

When you download a PDF article or image file from this gopherhole, download its signature file at the same time. Do not wait until later to download the signature file, for the simple reason that if the document or file is updated in the gopherhole in the future, its signature will be updated too, and you will never be able to verify the old file because you do not have the old signature that goes with it. All you could do in that case would be to download the updated file and the updated signature and verify the new file only.

Once you have both the file and the signature that goes with it (named the same, but with an additional `.sig' extension), you are set to verify the integrity of the file.

The first time you verify one of my files, you will need to retrieve my public key to use in the verification process. This is a one-off step, which you will not need to repeat. You can get this key either by downloading it directly from this gopherhole (in the `resources' folder or main index), or by obtaining it from one of the public "keyservers" that are out there. Whichever source you use, the step that actually establishes that the key is mine is comparing its fingerprint with the one published here and on the website.


3.1 Downloading and Importing the Key from here
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These are the required steps:

1. Go to the main index or `resources' folder of this gopherhole, find the link to download my public key, and download it to your computer.
2. Use your keyring manager, for example, Kleopatra, to import the downloaded public key (sometimes called a "certificate").
3. 
Use your keyring manager to check that the fingerprint of the imported key matches the one published in this gopherhole or on the website. Compare the whole fingerprint, not just the short key ID at the end of it.

You can generally also use the command line to do this, if you wish. For example, to import a key from `some-key.asc':

,----
| $ gpg --import some-key.asc
`----

Downloading my key from here obviously assumes that the Torah Toolbox gopherhole itself has not been compromised. Checking the fingerprint against the copy published on the website gives you a second, independent channel, so that both would have to be compromised at once for a substituted key to pass.


3.2 Obtaining the Public Key from a Public Keyserver
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There are only two steps required for this:

1. Use your keyring manager, for example, Kleopatra, to search for and import my public key. Search for `david@trudgett.me'.
2. Use your keyring manager to check that the fingerprint of the imported key matches the one published in this gopherhole or on the website.

Keyservers do not check who uploads a key, so a search for my email address may return more than one key, and nothing stops someone else from uploading a key bearing my name and address. Step 2 is therefore not optional: only the key whose fingerprint matches the published one is mine.

Using the `gpg' command line, you could do the same with the following command:

,----
| $ gpg --search-keys david@trudgett.me
`----


3.3 Verifying a Downloaded File Against its Signature
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With the `.sig' file and the document file in the same folder/directory, follow these steps:

1. Open your keyring manager, for example, Kleopatra, and select the option to verify a file. In Kleopatra, you may find this on the toolbar, and it is called "Decrypt/verify...".
2. Select the `.sig' file and choose "Open". If all goes well, you will have a message displayed to you which says that a valid signature from me (my email address) was found.
You can generally do the same thing using the command line, similar to the following example:

,----
| $ gpg --verify the-name-of-the-article.pdf.sig
`----

and you should get results similar to:

,----
| gpg: assuming signed data in 'the-name-of-the-article.pdf'
| gpg: Signature made Thu 28 May 2020 09:31:29 AEST
| gpg:                using RSA key B3F45566982B67549B1FE2865676F1279D1C2A91
| gpg: Good signature from "David Trudgett "
`----

Two things are worth checking in that output. First, the key fingerprint on the "using RSA key" line must be the one you compared against the published fingerprint when you imported the key; "Good signature" on its own only means that some key in your keyring made the signature. Second, unless you have certified the key in your own keyring, gpg will also print a warning that the key is not certified with a trusted signature. That warning concerns your keyring's trust settings, not the validity of the signature, and the fingerprint comparison is what settles the question of whose key it is.

If the signature does not verify (gpg reports a BAD signature, or cannot find the signed data), do not use the file: either the download was corrupted, the file and the `.sig' do not belong together (see the note above about downloading both at the same time), or the file was altered.

The example commands assume, of course, that you are using GnuPG.
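The whole procedure from sections 3.1 to 3.3 (import the key, check its fingerprint, verify the download) can be scripted so that a "Good signature" from the wrong key, or a damaged download, is refused automatically. The following is an added example written for this HOWTO, not a script from the gopherhole or from the GnuPG project. It assumes GnuPG 2.1 or later and only uses documented gpg options (--import, --list-keys --with-colons, --status-fd, --verify). The signing identity "Demo Signer <demo@example.invalid>", the file contents and the fingerprint are all generated locally in throwaway keyrings for the demonstration; none of them is the author's real key or file.

```sh
#!/bin/sh
# Added example for this HOWTO, not code from the page's author or from GnuPG.
# It uses only documented gpg options. The demo key, file and fingerprint are
# generated locally in throwaway keyrings; nothing touches your real ~/.gnupg.

# verify_signed_file FILE SIGFILE EXPECTED_FPR
# Succeeds only if gpg reports a valid signature AND the primary key
# fingerprint that made it equals EXPECTED_FPR (40 hex digits; spaces and
# lower case are tolerated). A "Good signature" from any other key, or a
# damaged file, fails. The key must already be in the current keyring.
verify_signed_file() {
    _file=$1; _sig=$2
    _expected=$(printf '%s' "$3" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    # --status-fd 1 puts machine-readable "[GNUPG:] ..." lines on stdout;
    # the human-readable "Good signature from ..." text stays on stderr.
    _status=$(gpg --batch --status-fd 1 --verify "$_sig" "$_file" 2>/dev/null) || return 1
    # The last field of VALIDSIG is the primary key fingerprint, which is
    # the value a keyring manager shows even when a signing subkey was used.
    _fpr=$(printf '%s\n' "$_status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF}')
    [ -n "$_fpr" ] && [ "$_fpr" = "$_expected" ]
}

# demo_run: play both sides. Generate a signer key and sign a constructed
# "download", then import only the public key into a separate recipient
# keyring and run three verifications. Prints one line of results:
#   good=1 tampered=0 wrongkey=0
demo_run() {
    _work=$(mktemp -d) || return 1
    _oldhome=${GNUPGHOME-}
    _uid='Demo Signer <demo@example.invalid>'    # constructed test identity

    # --- signer side: unprotected key, detached signature, exported key ---
    export GNUPGHOME="$_work/signer"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$_uid" default default never 2>/dev/null || return 1
    # Fingerprint as published "out of band": fpr record, field 10.
    _fpr=$(gpg --batch --with-colons --list-keys "$_uid" | awk -F: '$1=="fpr"{print $10; exit}')
    printf 'Contents of the article (constructed sample)\n' > "$_work/article.pdf"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$_work/article.pdf.sig" "$_work/article.pdf" 2>/dev/null || return 1
    gpg --batch --armor --export "$_uid" > "$_work/demo-key.asc"

    # --- recipient side: fresh keyring, import the key as in section 3.1 --
    export GNUPGHOME="$_work/recipient"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --import "$_work/demo-key.asc" 2>/dev/null || return 1

    _good=0; _tampered=0; _wrongkey=0
    # Section 3.3: intact file, fingerprint matches the published one.
    verify_signed_file "$_work/article.pdf" "$_work/article.pdf.sig" "$_fpr" && _good=1
    # Wrong expected fingerprint: gpg still prints "Good signature", we refuse.
    verify_signed_file "$_work/article.pdf" "$_work/article.pdf.sig" \
        "0000000000000000000000000000000000000000" && _wrongkey=1
    # Tampered download: a single appended byte invalidates the signature.
    printf 'X' >> "$_work/article.pdf"
    verify_signed_file "$_work/article.pdf" "$_work/article.pdf.sig" "$_fpr" && _tampered=1

    # Stop the agents started for the throwaway homes, then clean up.
    for _h in signer recipient; do
        GNUPGHOME="$_work/$_h" gpgconf --kill gpg-agent 2>/dev/null
    done
    rm -rf "$_work"
    if [ -n "$_oldhome" ]; then export GNUPGHOME="$_oldhome"; else unset GNUPGHOME; fi
    echo "good=$_good tampered=$_tampered wrongkey=$_wrongkey"
}

# Run the demonstration when executed directly.
demo_run
```

To use verify_signed_file on a real download, import the key as in section 3.1 or 3.2, then call it with the document, its `.sig' and the fingerprint you read from the gopherhole or the website (gpg --fingerprint shows the one in your keyring for comparison). The point of parsing VALIDSIG rather than grepping for "Good signature" is that the latter is true for any key in your keyring, including one an attacker persuaded you to import.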