
PKI: Using Key Pairs

1. Generating a Key Pair. To generate a new key pair, select OpenPGP > Key Management.



Once in the Key Management window, select Generate > New Key Pair.



From the drop-down menu, select the account to generate a key pair for. Although you can create a key pair without a passphrase, anyone who gains access to your system (or to a backup of your profile) could then use your private key to decrypt your mail and to sign messages as you. Enter a passphrase that is sufficiently strong but that you can also remember. Optionally, enter a description in the Comment field; the comment becomes part of the user ID and is visible to anyone who has your public key. Finally, select Key Expiry and choose an expiration period. An expiry date limits the damage if you later lose the private key or the revocation certificate, and it can be extended at any time while you still hold the private key.



Next, select the Advanced tab and choose a key size and type. By default, GPG will create a 2048-bit key using DSA & El Gamal. That combination is a legacy choice; current GnuPG versions default to RSA, and RSA at 2048 bits or more is the usual choice today, so select it if the option is offered. Click Generate Key and verify the creation of the key. As noted, the key generation process may take a minute or two.



After the key pair is generated, you will be asked whether you wish to create a revocation certificate. Do so now: the certificate is what you publish if your private key is ever compromised, and it is the only way to revoke the key later if the private key is lost or its passphrase forgotten. Click OK to generate the certificate. You will be prompted for the key's passphrase to complete the process. Your new key will now appear in the Key Management window.



1b.   Using WinPT to add an image to your key.

First you must download WinPT from http://winpt.wald.intevation.org.

Running WinPT will add a launch menu to your taskbar. From here, go to "Key Manager".



Right click your key-pair and select "Add > Photo ID".



A new window will open requiring your private key passphrase. Select the image you wish to use and click "Add".

If you wish to upload your newly modified public key to the key server, right-click your key and select "Send to Keyserver". Keep in mind that the image becomes part of your public key and, once uploaded, cannot be taken back from the key server. You can now exit WinPT to continue with the lab.

2. Adding an ID to a Key Pair. If you have multiple email accounts set up in Thunderbird, you can use the same key pair with each of them. To do so, first add a user ID for each address to the key pair. Open the Key Management window (OpenPGP > Key Management), then select the key pair to which you wish to add an ID.

With the key selected, choose Edit > Manage User IDs, or right-click the key and select Manage User IDs.



Click Add to open the Add User ID window.



Type the email address you wish to add, your name and an optional comment, and click OK. To make a particular address the primary ID, select it and click Set Primary ID. Each user ID is self-signed with your key, so the new ID only becomes visible to others once you re-upload or re-send your public key.



3. Uploading your Key to a Server. Although there are a number of ways of making your public key available to those who wish to send secure email to you (emailing it to users, placing it on your website), one of the most convenient is to upload your key to a public PGP key server. Not only does this give anyone access to your public key from an OpenPGP-enabled email client (try Keyserver > Search for Public Keys), but it also allows others to sign your key, thereby attesting that this key does in fact belong to you. In the absence of a central certificate authority that verifies your identity and the authenticity of your public key, PGP relies on users building up webs of trust by signing each other's keys.

Right-click the key you wish to upload and select Upload Public Keys to Keyserver. Select the key server to send your key to (pgp.mit.edu) and click OK. Keep in mind that a key uploaded to a public key server cannot be deleted again, only revoked, and that it will be synchronized to other key servers (see the note at the end of this lab).



To verify, select Keyserver > Search for Keys, and search for part of your name or email address.



4. Emailing your Public Key. Compose a new message to whomever you are sending your key, then select OpenPGP > Attach My Public Key. Your public key will be attached to the message as a *.asc file (an ASCII-armored export of the key).



Once your public key is attached, it is visible to the left of the message's header information, as shown below.



OpenPGP will ask how you want to send the message; choose to send it unencrypted. The public key contains nothing secret, and you cannot encrypt to a recipient whose public key you do not yet have.

5. Export Public Key to File.



5. Importing Public Keys from the Server. Having your own public-private key pair is only part of the equation in sending encrypted mail using PKI; you also need the public keys of those to whom you plan to send secure email. Ideally, you would exchange public keys (or at least their fingerprints) with others in person, via CD, USB memory key, etc., to be sure that a public key really does belong to the person you think it belongs to. Since exchanging keys in person is not always feasible, GPG and Enigmail include features for exchanging public keys electronically, and for recording that you have verified a key by signing it with your own key.

Just as you uploaded your public key to a key server, you can also download public keys from the server and add them to your "public keyring". Open the Key Management window (OpenPGP > Key Management), then select Keyserver > Search for Keys. You can search for part of the person's name or email address, as you did in the previous step to check that your key was uploaded. Check the box next to the key you wish to import and click OK. Note that anyone can upload a key under any name and address, so a search result proves nothing about ownership; that is what the fingerprint check and key signing in step 8 are for.



6. Importing Keys from an Email. If someone sends you a message with their public key attached, Enigmail automatically recognizes the key and alerts you to its presence. To import the key, select Decrypt in the Thunderbird toolbar, then click Yes to import. Importing only adds the key to your keyring; it says nothing about whether the key genuinely belongs to the sender (see step 8).

7. Importing Keys from a File. If you obtained someone's public key by other means, you can also import the text file containing the key into OpenPGP. Select OpenPGP > Key Management. From the menu select File > Import Keys from File.



If the file contains a valid PGP key block, Enigmail adds the public key to your keyring. (Note: if you have used PGP, you can also import your PGP public and private keyring files into GPG.)

8. Sign a public key. Before you can send someone email encrypted with the recipient's public key, Enigmail requires that you verify that the public key is authentic, that is, that the key is valid in your keyring. GPG does not rely on a central certificate authority (such as VeriSign) to verify the identities of those who generate key pairs; instead, key holders vouch for each other's identity by digitally signing others' public keys.

Signing a public key has to be done before you can email that person using their public key. Open the Key Management window (OpenPGP > Key Management). Select the key you wish to sign and choose Edit > Sign Key, or right-click the key and select Sign Key. Before signing, compare the key's fingerprint with one obtained from the owner through a channel you trust, such as in person or by phone.



A dialog asks which of your keys to sign with, and how carefully you have verified the identity of the key holder. Select the key and the verification level, then click OK. Even if you select "I will not answer" or "I have not checked at all", the key is still signed, and the level you chose is recorded in the signature as its certification class, where everyone who later receives the key can see it. Two cautions: when GnuPG builds its trust database it by default treats "I have not checked at all" (certification level 1) signatures as invalid (the --min-cert-level option defaults to 2; "I will not answer", level 0, always counts), so such a signature accomplishes little; and because others rely on your signature, only sign a key whose fingerprint you have actually checked.



Alternatively, you can sign a key by viewing a message containing the public key to be signed, right-clicking on the pen icon Enigmail places next to the email and selecting Sign Sender’s Key. When you have signed the recipient’s public key, you will then be able to send encrypted email to them through Enigmail.
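The rule Enigmail and GPG apply when deciding whether a recipient's key is valid for you is worth seeing as arithmetic. The following is an added example, not part of the lab and not GnuPG's code: it models the classic trust computation with GnuPG's defaults (one fully trusted or three marginally trusted introducers, a chain of at most five, and level-1 "I have not checked at all" certifications disregarded under min-cert-level 2) over a constructed keyring. The key names and trust assignments are invented for illustration; signature verification, expiry and per-user-ID detail are assumed to have been handled already.

```python
"""Classic web-of-trust validity arithmetic as GnuPG applies it (model only).

owner_trust: the trust you assigned to each key holder as an introducer.
certs: {signed_key: {signer: level}}; level is the class picked in the
sign-key dialog: 0 "I will not answer", 1 "I have not checked at all",
2 casual check, 3 very careful check.
"""

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(owner_trust, certs, completes_needed=1, marginals_needed=3,
                     max_cert_depth=5, min_cert_level=2):
    """Return {key: depth} for every key that is valid for you; your own
    ultimately trusted keys sit at depth 0.  Defaults match gpg's
    --completes-needed, --marginals-needed, --max-cert-depth and --min-cert-level."""
    valid = {k: 0 for k, t in owner_trust.items() if t == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly = {}
        for key, signers in certs.items():
            if key in valid:
                continue
            full = marginal = 0
            for signer, level in signers.items():
                # A certification counts only if the signer's key is itself valid
                # and its class is 0 or at least min_cert_level (level 1 is ignored).
                if signer not in valid or (level != 0 and level < min_cert_level):
                    continue
                trust = owner_trust.get(signer, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:           # nothing new at this depth: the web is exhausted
            break
        valid.update(newly)
    return valid


# Constructed keyring for illustration; "me" is the lab user's own key pair.
OWNER_TRUST = {"me": ULTIMATE, "alice": FULL, "bob": MARGINAL, "dave": MARGINAL, "eve": MARGINAL}
CERTS = {
    "alice": {"me": 3},                        # I compared Alice's fingerprint in person
    "bob":   {"me": 0},                        # signed with "I will not answer": still valid, I signed it
    "dave":  {"me": 2},
    "eve":   {"alice": 3},                     # one fully trusted introducer is enough
    "frank": {"bob": 2, "dave": 3, "eve": 2},  # three marginal introducers are enough
    "gina":  {"bob": 3, "dave": 3},            # only two marginals: not valid
    "hank":  {"alice": 1},                     # "I have not checked at all" is disregarded
    "ivan":  {"mallory": 3},                   # signer is not valid, so the signature counts for nothing
}

if __name__ == "__main__":
    for key, depth in sorted(compute_validity(OWNER_TRUST, CERTS).items(), key=lambda kv: kv[1]):
        print("%-6s valid at depth %d" % (key, depth))
```

Running it shows alice, bob and dave valid at depth 1 (you signed them), eve at depth 2 (one fully trusted introducer), frank at depth 3 (three marginal introducers), and gina, hank and ivan not valid at all. Lowering marginals_needed or min_cert_level, as gpg's options allow, changes the outcome; loosening them is exactly what you should not do without understanding why.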

If you created your public-private key pair through Enigmail, you were asked at the end of the creation process whether you wanted to create a revocation certificate for it. If you believe your key pair has been compromised, you can revoke the key by importing the revocation certificate into Enigmail, which permanently marks the key as revoked. If you have uploaded the public key to a key server, publish the revocation there too by uploading the revoked key (step 11).

9. Create a revocation certificate. Open the Key Management window (OpenPGP > Key Management) and select the key pair you wish to create a revocation certificate for. Select Generate > Revocation Certificate, or right-click the key and select Generate & Save Revocation Certificate. You are prompted to choose a location to save the certificate. It is best to save the revocation certificate to removable media that is kept in a safe place: anyone who obtains the certificate can revoke your key, so protect it as you would the private key. Select the destination folder and click Save.



10. Revoke a key pair. Open the Key Management window (OpenPGP > Key Management) and select the key you wish to revoke. Select Edit > Revoke Key (alternatively, right-click the key and select Revoke Key).



You will be prompted to allow OpenPGP to create and import a revocation certificate, which must be done to complete the revocation process. Select Yes to continue with the revocation process.



After the key has been revoked, its listing becomes italicized and grey and is marked "(revoked)". The revocation is permanent. After revoking the key on your system you must also publish the revocation to the key server; otherwise others will keep encrypting to a key you no longer use.

11. Revoke a Key on the Server. Open the Key Management window, right-click the key you just revoked and select Upload Public Keys to Keyserver. This uploads the public key with its revocation signature attached, which tells everyone who refreshes the key that it is no longer in use. The revocation propagates to the other synchronizing key servers and cannot be undone.
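To see what actually travels in the *.asc file you import in step 7, and what a revocation adds to it in steps 10 and 11, the following added example parses an armored public key block. It is not part of the lab and not Enigmail's or GnuPG's code: it verifies the CRC-24 armor checksum, walks the packets, and reports user IDs, the certification class of each signature, the key's expiry and any revocation signature with its reason. The sample blocks are constructed inline from a toy modulus and dummy signature values so the script runs offline; they are not real keys, and no signature is cryptographically verified.

```python
"""Inspect an ASCII-armored OpenPGP public key block (RFC 4880) without gpg: verify the
armor CRC-24, walk the packets, and list user IDs, certification classes, expiry and revocation."""
import base64
import struct

SIG_TYPES = {0x10: "generic certification", 0x11: "persona certification",
             0x12: "casual certification", 0x13: "positive certification", 0x20: "key revocation"}

def crc24(data: bytes) -> int:                 # RFC 4880 section 6.1: the "=xxxx" armor trailer
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Drop armor lines and 'Key: value' headers, decode base64, check the CRC line."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an armored PGP block")
    body = [l.strip() for l in lines[1:-1] if l.strip() and ":" not in l]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(body[:-1]))
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: block is corrupt or truncated")
    return data

def read_len(buf: bytes, i: int):              # new-format length octets (packets and subpackets)
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not supported here")

def packets(data: bytes):                      # yield (tag, body); gpg writes keys with old-format headers
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                         # new format
            tag, (length, i) = ctb & 0x3F, read_len(data, i + 1)
        else:                                                  # old format
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 3]
            if not ctb & 0x80 or not size:
                raise ValueError("bad or indeterminate-length packet header at offset %d" % i)
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + length]
        i += length

def parse_signature(body: bytes) -> dict:      # v4 signature: type plus the hashed subpackets used here
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    sig = {"type": body[1], "label": SIG_TYPES.get(body[1], hex(body[1]))}
    area, i = body[6:6 + struct.unpack(">H", body[4:6])[0]], 0
    while i < len(area):
        length, i = read_len(area, i)
        stype, sbody, i = area[i], area[i + 1:i + length], i + length
        if stype == 9:          # key expiration time: seconds after key creation
            sig["key_expires_after"] = int.from_bytes(sbody, "big")
        elif stype == 29:       # reason for revocation: one code octet plus free text
            sig["revocation_reason"] = (sbody[0], sbody[1:].decode("utf-8", "replace"))
    return sig

def inspect_key_block(armored: str, now: int) -> dict:   # summary much like a key manager's listing
    info = {"uids": [], "certifications": [], "revoked": False, "expires": None}
    for tag, body in packets(dearmor(armored)):
        if tag == 6:                                            # primary public key
            info["created"], info["algorithm"] = int.from_bytes(body[1:5], "big"), body[5]
        elif tag == 13:                                         # user ID
            info["uids"].append(body.decode("utf-8", "replace"))
        elif tag == 2:
            sig = parse_signature(body)
            if sig["type"] == 0x20:
                info["revoked"], info["revocation_reason"] = True, sig.get("revocation_reason")
            elif 0x10 <= sig["type"] <= 0x13:
                info["certifications"].append(sig["label"])
                if "key_expires_after" in sig:
                    info["expires"] = info["created"] + sig["key_expires_after"]
    info["expired"] = info["expires"] is not None and now >= info["expires"]
    return info

# Constructed sample blocks (toy 57-bit modulus, dummy signature values); these are not real keys.
def _mpi(v): return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
def _pkt(tag, body): return bytes([0x80 | tag << 2 | 1]) + struct.pack(">H", len(body)) + body
def _sub(stype, body): return bytes([len(body) + 1, stype]) + body
def _sig(sig_type, *subs):   # v4, type, RSA, SHA-256, hashed subpackets, empty unhashed area, hash prefix, MPI
    return bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(b"".join(subs))) + b"".join(subs) + b"\0\0\xab\xcd" + _mpi(0x5A)
def _armor(data):
    b64, crc = base64.b64encode(data).decode(), base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

CREATED, ONE_YEAR = 1_700_000_000, 365 * 86400
_KEY_UID_SELFSIG = (_pkt(6, bytes([4]) + struct.pack(">I", CREATED) + bytes([1]) + _mpi(0x0102030405060708) + _mpi(65537))
                    + _pkt(13, b"Alice Example <alice@example.org>")
                    + _pkt(2, _sig(0x13, _sub(2, struct.pack(">I", CREATED)), _sub(9, struct.pack(">I", ONE_YEAR)))))
SAMPLE_KEY = _armor(_KEY_UID_SELFSIG)
REVOKED_KEY = _armor(_KEY_UID_SELFSIG + _pkt(2, _sig(0x20, _sub(2, struct.pack(">I", CREATED + 86400)),
                                                     _sub(29, b"\x02key compromised"))))
```

Feeding `inspect_key_block(SAMPLE_KEY, now)` a time before the expiry reports one user ID, one positive certification (the self-signature that carries the expiry) and no revocation; `REVOKED_KEY` carries an extra key-revocation signature with reason code 2 ("key compromised"), which is what step 11 publishes. A block whose CRC line no longer matches its contents raises ValueError rather than being imported. On a real key, the text of `gpg --armor --export` can be passed in the same way, and `gpg --list-packets` gives the authoritative view of the same structure.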

While key servers provide a convenient, centralized repository for public keys, the management of the repository itself is left to individual users. This decentralized approach works fine for tasks such as making valid keys available or signing each other's keys, but a broadly defined search of any one of the key servers reveals the problem of cleaning up old keys. The assumption was that individual users would take responsibility for retiring old keys, either by revoking them manually or by setting an expiration date after which the keys would be dropped by the server. Instead, many keys were set to never expire; furthermore, their owners often have lost the private keys and/or revocation certificates, or cannot remember the required passphrases.

The reality is that many of the keys on the key server may no longer be valid, and there is no way to remove an invalid key without its revocation certificate. Managers of the key servers refuse requests to remove keys because they have no way to identify you as the true owner of the key, and key servers generally synchronize their keystores with each other; if a key is removed from one server, the synchronization algorithm will dutifully copy the "missing" key back from another server.