The primary use of cryptography on a Linux system is to encode data to hide it (encryption) from unauthorized eyes and then decode the data (decryption) for authorized eyes.
On a Linux system, you can encrypt:
– Individual files
– Partitions and volumes
– Web page connections
– Network connections
– Zip files
These encryption and decryption cryptography process use special math algorithms to accomplish their task. The algorithms are called cryptography ciphers.
encryption and decryption cryptography
Below we will discuss some of the cryptography ciphers
Understanding how each cipher works is important because the strength of the cipher you choose should directly relate to the security needs of your data.
Below are few cipher methods whcih are currently in use .
It is also called Rijndael . Symmetric cryptography. Block cipher, encrypting data in 128-, 192-, or 256-bit blocks using a 128-, 192-, or 256-bit key for encrypting/decrypting.
Symmetric cryptography. Block cipher, encrypting data in 64-bit blocks using the same 32-bit to 448-bit keys for encrypting/decrypting.
Symmetric cryptography. Block cipher, encrypting data in 64-bit blocks using the same up to 128-bit key for encrypting/decrypting.
No longer considered secure. Symmetric cryptography. Block cipher, encrypting data in 64-bit blocks using the same 56-bit key for encrypting/decrypting.
Symmetric cryptography. Data is encrypted up to 48 times with 3 different 56-bit keys before the encryption process is completed.
Asymmetric cryptography. Uses two keys derived from a logarithm algorithm.
Asymmetric cryptography. Uses two keys derived from an algorithm containing two randomly chosen points on an elliptic curve.
Block cipher, encrypting data in 64-bit blocks using the same 128-bit key for encrypting/decrypting.
It is also called ArcFour or ARC4 Stream cipher, encrypting data in 64-bit blocks using a variable key size for encrypting/decrypting.
Symmetric cryptography. Block cipher, encrypting data in 32-, 64-, or 128-bit blocks using the same up to 2,048-bit keys for encrypting/decrypting.
Symmetric cryptography. Same as RC5, but slightly faster.
It is also called AES. Symmetric cryptography. Block cipher, encrypting data in 128-, 192-, or 256-bit blocks using a 128-, 192-, or 256-bit key for encrypting/decrypting.
The most popular asymmetric cryptography. Uses two keys derived from an algorithm containing a multiple of two randomly generated prime numbers.
cryptographic cipher keys:
Cryptographic ciphers require a piece of data, called a key, to complete their mathematical process of encryption/decryption. The key can be either a single key or a pair of keys. Usually a cipher with a key size of 256 bits is considered secure because it would take trillions of years to brute-force crack such a keyed cipher.
Symmetric key cryptography
Symmetric cryptography, also called secret key or private key cryptography, encrypts plain text using a single keyed cipher. The same key is needed in order to decrypt the data. The advantage of symmetric key cryptography is speed. The disadvantage is the need to share the single key if the encrypted data is to be decrypted by another person.
An example of symmetric key cryptography on a Linux system is accomplished using the OpenPGP utility, GNU Privacy Guard, gpg. The example that follows shows the gpg utility used to encrypt the file Secret.File. With the -c option, gpg encrypts the file with a symmetric key. The original file is kept and a new encrypted file, Secret.File.gpg, is created.
$ cat Secret.File This is my secret message. $ $ gpg -c Secret.File Enter passphrase: Repeat passphrase: $ $ ls Secret.File.gpg Secret.File.gpg $ $ ls Secret.File Secret.File
The single key used to encrypt the file is protected by a passphrase. This passphrase is simply a password or phrase chosen by the user at the time of encryption. To decrypt the file, the gpg utility is used again. The user must use the -d option and provide the passphrase for the secret key.
$ gpg -d Secret.File.gpg gpg: CAST5 encrypted data gpg: encrypted with 1 passphrase This is my secret message.
Asymmetric key cryptography
Asymmetric cryptography, also called private/public key cryptography, uses two keys, called a key pair. A key pair consists of a public key and a private key. The public key is just that, public. There is no need to keep it secret. The private key needs to be kept secret.
The general idea of asymmetric key cryptography is a plaintext file is encrypted using a public key of a key pair. The encrypted file then can be securely
transmitted to another person. To decrypt the file, the private key is used. This private key must be from the public/private key pair. Thus, data that has been encrypted with the public key can only be decrypted with its private key. The advantage of asymmetric cryptography is heightened security. The disadvantage is speed and key management.
You can perform asymmetric encryption on your Linux system using gpg. Here we will show a example where user root2 will send encrypted message to user root using the gpg command. Below are the summary of actions needs to be done to achieve this.
1. Generate the key pair and the key ring. -- root user 2. Export a copy of your public key to a file. -- root user 3. Share the public key file. -- root user 4. Individuals who wish to send you encrypted files add your public key to their key ring. -- root2 user 5. A file is encrypted using your public key. -- root2 user 6. The encrypted file is sent to you. -- root2 user 7. You decrypt the file using your private key. -- root user
It is a very versatile cryptographic utility. Before you can encrypt a file, you must first create your key pair and a “key ring.” In the example that follows, the gpg –gen-key command was used. This command will create a public/private key pair for the user root, according to his desired specifications. It also will generate a key ring to store his keys.
# gpg --gen-key gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 2048 Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 8 Key expires at Sun 06 Jul 2014 07:31:51 AM IST Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: TechPaste.com Email address: admin(at)techpaste.com Comment: Sample Key For Testing You selected this USER-ID: "TechPaste.com (Sample Key For Testing) <admin(at)techpaste.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. gpg-agent: directory `/root/.gnupg/private-keys-v1.d' created We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key D4A08BC4 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2014-07-06 pub 2048R/D4A08BC4 2014-06-28 [expires: 2014-07-06] Key fingerprint = DB9F 8FA0 F5C2 44FA BA8B 6289 4AED 880E D4A0 8BC4 uid TechPaste.com (Sample Key For Testing) <admin(at)techpaste.com> sub 2048R/E2CC95BC 2014-06-28 [expires: 2014-07-06]
The command will ask for below specifications before generating a key pair.
- Cryptography cipher . RSA was chosen in the example.
- Bit size . A longer key size provides higher security.
– Validity period — Eight days was chosen in the example.
– User ID — Identifies the public key portion of the public/private key pair.
– Passphrase — Used to identify and protect the private key portion of the public/private key pair.
The user root can check his key ring by using the gpg –list-keys command, as shown in the code that follows. Notice the User ID (UID) of the public key is displayed just as it was created, containing root’s real name, comment, and e-mail address.
# gpg --list-keys /root/.gnupg/pubring.gpg ------------------------ pub 2048R/D4A08BC4 2014-06-28 [expires: 2014-07-06] uid TechPaste.com (Sample Key For Testing) <admin(at)techpaste.com> sub 2048R/E2CC95BC 2014-06-28 [expires: 2014-07-06]
Once the key pair and key ring are generated, files can be encrypted and decrypted. First, the public key must be extracted from the key ring so it can be shared. In the example that follows, the gpg utility is used to extract the public key from root’s key ring. The extracted key is put into a file to be shared. The filename can be any name you wish it to be. In this case, the user root chose the file name TechPaste.pub
# gpg --export TechPaste.com > TechPaste.pub # ls *.pub TechPaste.pub
The file containing the public key can be shared any number of ways. It can be sent as an attachment via e-mail or even posted on a web page. The public key is considered public, so there is no need to hide it. Now let user root2 wants to send some secret message to the user root who is the owner/creator of TechPaste.pub public key. Below are the things root2 need to do to send a message in encrypted format which can only be read by the root.
root2 user needs to add the root users shared public key(TechPaste.pub) to his key ring using below command.
In root2 machine:
# gpg --import TechPaste.pub gpg: directory `/root2/.gnupg' created gpg: new configuration file `/root2/.gnupg/gpg.conf' created gpg: key 3B2E46D5: public key "TechPaste.com (The User) <adminATtechpaste.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
Once the key is added to the key ring, that public key can be used to encrypt data for the public key’s original owner.
root2 has created a text file, MessageForRoot.txt, for user root.
– He encrypts the file using his public key.
– The encrypted file, MessageForRoot, is created by the –out option.
– The option –recipient identifi es root’s public key using only the real name portion of his public key’s UID in quotation marks, “TechPaste.com”.
$ gpg --out MessageForRoot --recipient "TechPaste.com" --encrypt MessageForRoot.txt ... $ ls TechPaste.pub MessageForRoot MessageForRoot.txt
The encrypted message file, MessageForRoot, created from the plaintext file, MessageForRoot.txt, can be securely sent to the user root. In order to decrypt
this message, root will use his private key, identified and protected by the secret passphrase used to originally create the key. Once root provides the proper passphrase, gpg will decrypt the message file and put it into the file, MessageFromRoot2, designated by the –out option. Once decrypted, he can read the plaintext message.
$ ls MessageForRoot MessageForRoot $ $ gpg --out MessageFromRoot2 --decrypt MessageForRoot You need a passphrase to unlock the secret key for user: "TechPaste.com (The User) <adminat techpaste.com>" 2048-bit RSA key, ID 0F0E0672, created 2015-02-27 (main key ID 3B2E46D5) gpg: encrypted with 2048-bit RSA key, ID 0F0E0672, created 2015-02-27 "TechPaste.com (The User) <[email protected]>" $ cat MessageFromRoot2 Thank you For Sharing Your Public Key.
This is how asymmetric cryptography works. Remember that in asymmetric cryptography, each public and private key is a paired set that works together.
Cryptography using digital signatures
A digital signature is an electronic originator used for authentication and data verification. A digital signature is not a scan of your physical signature. Instead, it is a cryptographic token sent with a file, so the file’s receiver can be assured that the file came from you and has not been modified in any way.
When you create a digital signature, the following steps occur:
1. You create a file or message.
2. Using the gpg utility, you create a hash or message-digest of the file.
3. The gpg utility then encrypts the hash and the file, using an asymmetric key cipher. For the encryption, the private key of the public/private key pair is used. This is now a digitally signed encrypted file.
4. You send the encrypted hash (aka digital signature) and file to the receiver.
5. The receiver recreates the hash or message digest of the received encrypted file.
6. Using the gpg utility, the receiver decrypts the received digital signature using the public key, to obtain the original hash or message digest.
7. The gpg utility compares the original hash to the recreated hash to see if they match. If they match, the receiver is told the digital signature is good.
8. The receiver can now read the decrypted file.
Notice in Step 3 that the private key is used first. In the description of asymmetric key cryptography, the public key was used first. Asymmetric key cryptography is flexible enough to allow you to use your private key to encrypt and the receiver to use your public key to decrypt.