Silk Road forums

Discussion => Security => Topic started by: LouisCyphre on June 28, 2012, 11:38 am

Title: GPG HOWTO: Creating large keys and mixing algorithms (expert mode)
Post by: LouisCyphre on June 28, 2012, 11:38 am
This document is a step-by-step guide to creating a large, customised OpenPGP key.  It assumes a successful installation of GPG 1.4.x or 2.0.x.  The GPG commands are identical, but my examples use version 1.4.12 with the following details:

Quote
bash-3.2$ gpg -v --version
gpg (GnuPG) 1.4.12
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8),
        AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12),
        CAMELLIA256 (S13)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
      SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
bash-3.2$

These instructions utilise the expert mode of GPG and assume you are comfortable using the command line and editing the gpg.conf file.  The instructions are geared towards *nix systems (e.g. Linux, OS X, BSD, Solaris, etc.), but should be adaptable by Windows users (and mostly the same).

First Step:

Open your gpg.conf file (usually located at ~/.gnupg/gpg.conf on *nix systems, but may be elsewhere) in your preferred text editor (e.g. Vim, Emacs, Nano).

Skip to the end of the file and add the following lines:

Code: [Select]
expert
trust-model always

enable-dsa2

default-preference-list S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 H10 H9 H8 H11 H3 H2 H1 Z3 Z2 Z1 Z0
personal-cipher-preferences S9 S10 S13 S8 S12 S7 S11 S2 S3 S4
personal-digest-preferences H10 H9 H8 H11 H3 H2 H1
personal-compress-preferences Z3 Z2 Z1 Z0

no-emit-version

The "expert" option enables expert mode.  It is wise to comment this out with a hash symbol (#) when you've finished making the key.  Alternatively it can be left out and invoked on the command line with the "--expert" flag.

The "trust-model always" option enables you to encrypt to keys that you have not signed or set trust levels for without seeing a warning message.

The "enable-dsa2" option uses new style DSA keys instead of the original which is open to certain kinds of attacks (see the gnupg-users mailing list archive for details).

The preference lists tell GPG which order for cipher, hash and compression algorithms is preferred.  The options above can be decoded with the version information at the top of this HOWTO.  The first three cipher algorithms (used for symmetric/message encryption) in the above lines are: AES-256, Twofish and Camellia-256.  The "default-preference-list" is the "personal-cipher-preferences" followed by the "personal-digest-preferences" and the "personal-compress-preferences" lines.  You may want to change the order around if you favour one particular cipher, the order won't disable any of the supported ciphers and you may send in less preferred ciphers if GPG detects a key can't use your preferred cipher.

The "no-emit-version" option suppresses the GPG version information at the top of a message or key block.

When finished, save and close the gpg.conf file.

Second Step:

At the command line run "gpg --gen-key" (or "gpg --gen-key --expert"):

Quote
bash-3.2$ gpg --gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8 ) RSA (set your own capabilities)
Your selection?

If you want a large RSA key then select "4" from this menu.  If you want a large DSA key then select "3" instead.  I recommend using RSA for the master key/certificate, so for this example I am selecting "4" at this point.

Quote
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

This shows the default key size (2048-bit), but we want the largest size that is guaranteed to work with other OpenPGP installations.  So enter "4096" here.

Note: if creating a DSA key the maximum is 3072-bit.

Quote
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Press enter here, even if you do want your encryption and/or signing key to expire.  The reason for this will become apparent later.

Quote
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

The next step is to enter your pseudonymous data.

Quote
Is this correct? (y/N) y
                       
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Louis Cyphre
Email address: nobody@example.org
Comment: SR Test Key
You selected this USER-ID:
    "Louis Cyphre (SR Test Key) <nobody@example.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

When you are satisfied type "O" and enter.  Then GPG will prompt for the passphrase to be set, make sure that it is a passphrase with a high amount of entropy (128-bits or larger).  Make sure you don't lose it or forget it.

Quote
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

public and secret key created and signed.

pub   4096R/7476C291 2012-06-28
      Key fingerprint = 89FF C1E9 BE69 5A46 7AEA  A42D F730 9299 7476 C291
uid                  Louis Cyphre (SR Test Key) <nobody@example.org>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
bash-3.2$

Now we need to add a signing subkey for signing messages (the master key that we just created is used to sign other keys).  We also need to add an encryption subkey.

Quote
bash-3.2$ gpg --edit-key 7476C291
Secret key is available.

pub  4096R/7476C291  created: 2012-06-28  expires: never       usage: SC 
[ unknown] (1). Louis Cyphre (SR Test Key) <nobody@example.org>

gpg>

At any time you can obtain a list of the commands used to edit the key with the "help" command.

Quote
gpg> help
quit        quit this menu
save        save and quit
help        show this help
fpr         show key fingerprint
list        list key and user IDs
uid         select user ID N
key         select subkey N
check       check signatures
sign        sign selected user IDs [* see below for related commands]
lsign       sign selected user IDs locally
tsign       sign selected user IDs with a trust signature
nrsign      sign selected user IDs with a non-revocable signature
adduid      add a user ID
addphoto    add a photo ID
deluid      delete selected user IDs
addkey      add a subkey
addcardkey  add a key to a smartcard
keytocard   move a key to a smartcard
bkuptocard  move a backup key to a smartcard
delkey      delete selected subkeys
addrevoker  add a revocation key
delsig      delete signatures from the selected user IDs
expire      change the expiration date for the key or selected subkeys
primary     flag the selected user ID as primary
toggle      toggle between the secret and public key listings
pref        list preferences (expert)
showpref    list preferences (verbose)
setpref     set preference list for the selected user IDs
keyserver   set the preferred keyserver URL for the selected user IDs
notation    set a notation for the selected user IDs
passwd      change the passphrase
trust       change the ownertrust
revsig      revoke signatures on the selected user IDs
revuid      revoke selected user IDs
revkey      revoke key or selected subkeys
enable      enable key
disable     disable key
showphoto   show selected photo IDs
clean       compact unusable user IDs and remove unusable signatures from key
minimize    compact unusable user IDs and remove all signatures from key

* The `sign' command may be prefixed with an `l' for local signatures (lsign),
  a `t' for trust signatures (tsign), an `nr' for non-revocable signatures
  (nrsign), or any combination thereof (ltsign, tnrsign, etc.).

gpg>

To add a signing subkey use the "addkey" command and enter your passphrase at the prompt.

Quote
gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Louis Cyphre (SR Test Key) <nobody@example.org>"
4096-bit RSA key, ID 7476C291, created 2012-06-28

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8 ) RSA (set your own capabilities)
Your selection?

You will see that the options are slightly different from the first "--gen-key" command.  You can select option "3" for a DSA key or "4" for RSA here.  We'll be sticking with RSA for this example.

Quote
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8 ) RSA (set your own capabilities)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

A signing subkey doesn't really need to be as large as the encryption keys, so we're going to leave it at the default.

Quote
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Either set an expiration or not.  An expiration can be modified later, but if other people have a copy that pre-dates modification then their parts of that key will expire.  This example will use an expiration of 2 years.

Quote
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sat Jun 28 21:07:25 2014 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub  4096R/7476C291  created: 2012-06-28  expires: never       usage: SC 
sub  2048R/C257E199  created: 2012-06-28  expires: 2014-06-28  usage: S   
[ unknown] (1). Louis Cyphre (SR Test Key) <nobody@example.org>

gpg>

Now we just need to do the same thing to create an encryption subkey.  This time, though we are going to create a 4096-bit Elgamal subkey instead of usig RSA.

Quote
gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Louis Cyphre (SR Test Key) <nobody@example.org>"
4096-bit RSA key, ID 7476C291, created 2012-06-28

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8 ) RSA (set your own capabilities)
Your selection? 5
ELG-E keys may be between 512 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fri Jun 28 21:16:30 2013 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub  4096R/7476C291  created: 2012-06-28  expires: never       usage: SC 
sub  2048R/C257E199  created: 2012-06-28  expires: 2014-06-28  usage: S   
sub  4096g/124E119B  created: 2012-06-28  expires: 2013-06-28  usage: E   
[ unknown] (1). Louis Cyphre (SR Test Key) <nobody@example.org>

gpg>

Finally we need to save these modifications.

Quote
gpg> save
bash-3.2$

By following these instructions you will end up with a key of comparable strength to mine.  Except I did not set an expiration date on the subkeys, I prefer to revoke subkeys as I deem it necessary rather than be locked into a particular date.

The result should be something like this:

Quote
bash-3.2$ gpg -k --fingerprint 7476C291
pub   4096R/7476C291 2012-06-28
      Key fingerprint = 89FF C1E9 BE69 5A46 7AEA  A42D F730 9299 7476 C291
uid                  Louis Cyphre (SR Test Key) <nobody@example.org>
sub   2048R/C257E199 2012-06-28 [expires: 2014-06-28]
sub   4096g/124E119B 2012-06-28 [expires: 2013-06-28]

bash-3.2$

Note: It is possible to create RSA and Elgamal keys larger than 4096-bit, but it is not recommended.  Asymmetric encryption does not scale in the same way as symmetric encryption so there is a law of diminishing returns when creating larger keys.  A table with the details is available here (clearnet):

http://www.keylength.com/en/4/

Hopefully you will find this of some benefit.

Title: Re: GPG HOWTO: Creating large keys and mixing algorithms (expert mode)
Post by: LouisCyphre on August 05, 2012, 11:08 pm
Addendum:  It would be a good idea to read through my guide on GPG configuration before creating keys using the above method.  That guide is here:

http://dkn255hz262ypmii.onion/index.php?topic=34204.0
Title: Re: GPG HOWTO: Creating large keys and mixing algorithms (expert mode)
Post by: LouisCyphre on September 01, 2012, 02:56 pm
The one thing I can add. You should always be on the lookout for a good passphrase. Take a look.

http://world.std.com/~reinhold/diceware.html

Choose a five word passphrase. You could add one more word a day till it became strong. This command is simple enough to use.

gpg --edit-key 0xDEADBEEF
passwd

Yeah, Diceware is good, but I usually recommend people pick a favourite line from a book, poem, play, song or film that they will remember and don't quote aloud.  That can be very strong indeed, especially when punctuation is included.

The example I normally give is from Hamlet:

To be or not to be, that is the question.

That's got over 300 bits of entropy.
Title: Re: GPG HOWTO: Creating large keys and mixing algorithms (expert mode)
Post by: LouisCyphre on September 06, 2012, 01:44 am
The example I normally give is from Hamlet:

To be or not to be, that is the question.

That's got over 300 bits of entropy.

Now, when I saw the passphrase, that's got 0 bits of entropy, since outcome is entirely predictable. ;)

Heh.  :)

To everyone else: StonedEmo is correct when the passphrase is able to be guessed.  So don't use my example, pick something else.

Yeah, Diceware is good, but I usually recommend people pick a favourite line from a book, poem, play, song or film that they will remember and don't quote aloud.  That can be very strong indeed, especially when punctuation is included.

Diceware is the same. Let's take a look.

If anyone would pick a line from a favourite book and DEA would know it... Let's count the entropy of Hamlet. Hamlet speaks over 1500 lines. Of course, it depends on what you consider a "line". Some of the play is in prose and some of it is in iambic pentameter verse. Each line yields log2 (1500), i.e. 11 bits of entropy. To get better results, you can find a strange but easy-to-remember passphrase. Let me get Hamlet: 2c-b or not 2c-b :O, that is the question (maybe that was dragonfly?!!, ohmygod, ohmygod, ohmygod!). It is better than 11 bits. I think you might have not been able to find such a passphrase in a book. Unless you pick a favourite line from a book in the library of babel, which must contain, somewhere, every coherent book ever written, or that might ever be written, and every possible permutation or slightly erroneous version of every one of those books, and where your ciphertext could be selected as your passphrase. In any case, the estimate is very rough. Some sentences could be built with Markov's chains. I think that using words is better than random letters anyway. I dont understand how people are still choosing lines of perl code for their passwords.

A good assessment.  What I like about the quote option is that it helps people remember a passphrase if it is something they normally have trouble with.