Little known features: Symmetric encryption with PGP/GPG
Pretty Good Privacy (PGP) and the open source Gnu Privacy Guard (GPG) are the popular public key encryption tools that don’t require the complexities of a Public Key Infrastructure. They are excellent tools for strong encryption and non-repudiation using de facto standards.
By default PGP and GPG use public key cryptography which provides a form of two factor authentication: to decrypt, you must know both a passphrase and have the correct private key. If your passphrase is compromised (e.g. by someone shoulder surfing or via a keylogger), the attacker still has to have your private key to decrypt any files.
However, once in a while you need to send a sensitive file to someone who doesn’t use PGP or GPG regularly and doesn’t have a public key. Without a public key, you can’t encrypt so that only that person can decrypt.
In that situation either you talk the person through the finicky process of creating and publishing a PGP/GPG key pair, or take the easy way out and use weak encryption such as the "password protect" feature of MS Word or WinZip. Word’s "encryption" is easily cracked. The original Zip encryption is also weak, though products like WinZip have added proprietary ciphers that are stronger.
A little known feature of both PGP and GPG is that they can also do symmetric encryption. Just a passphrase is needed- no public or private keys are involved. It’s a quick and dirty way to get strong encryption that even a novice can use.
To encrypt a file with symmetric encryption, the syntax is:
pgp --symmetric filename
gpg --symmetric filename
The result is a binary file with the same name as the original and ".pgp" or ".gpg" appended.
If the encrypted file must be pasted into the body of an e-mail message (instead of added as an attachment), you’ll want to use the plain ASCII form of output:
pgp --symmetric --armor filename
gpg --symmetric --armor filename
The result is a plain text file ending in ".asc"
Decryption is performed using the usual "-d" switch:
pgp -d filename
gpg -d filename
(The documentation for PGP and GPG describe the symmetric encryption option and all the command-line switches available for output formats).
Symmetric encryption with PGP/GPG uses a strong cipher (GPG uses CAST5) so it’s much more resistant to attack than using application encryption or WinZip. However, the passphase is the weak point: the longer and more complex the passphrase, the more secure the file. A single dictionary word can be brute forced in only a few hours, so use a complex passphrase of mutiple words broken up with letters and symbols.
Getting the passphrase to the recipient is another issue. Key distribution is always tricky with symmetric encryption schemes. If the encrypted file is sent via email, don’t also use email to send the passphrase (sounds obvious, but you’d be amazed how often people do that). Use the phone, send a fax, strap it to a pigeon… whatever method works best for the situation and won’t let an attacker intercept both the encrypted file and the passphrase.
Related posts:
- Little known features: HTTP digest authentication
- Protecting laptop data with TrueCrypt
- Testing SSL with command line tools
One Response to “Little known features: Symmetric encryption with PGP/GPG”:
April 12th, 2008 at 4:10 am
[...] GPG:n symmetristä salausta tiedoston salaamiseen, komentamalla seuraavasti: gpg -c [...]