released for glibc, tomcat4, sane, XFree86, sendmail, and openssl. The distributors
include Conectiva, Debian, Mandrake, and NetBSD.

Last week, I gave a brief introduction to cryptography and the differences between
symmetric and asymmetric encryption. I also made several comments on how the strength
of cryptography is measured. This week, I am going to show the basics of using the GNU
Privacy Guard (GNUPG). GNUPG is a text-based command-line tool that is very
straightforward to use and is based on a public and private (asymmetric) key system.

To begin using encryption on your Linux machine, you must first download the GNUPG
packages. It can be downloaded from: http://www.gnupg.org

After the application is installed, several steps must be taken before you can begin.
First, a key pair must be generated. To generate your keys, go to the command line and
issue the following:

[prompt]$ gpg --gen-key

If gpg has been installed correctly, you will be prompted to enter the type of key,
key size, the duration for which it is valid, your name, email address, and a comment.
At this point, it will be possible for you to begin using most of gpg's other
functions. Probably the most daunting part of gpg is key management. After generating
your key, the next thing you would want to do is export your public key.

[prompt]$ gpg --export -a firstname.lastname@example.org > public.key

At this point, you can share your public key with others. If other people want to send
you confidential data, they can encrypt it with your public key and you'll be the only
one who can decrypt it. If you want to send someone else an encrypted message, you'll
need their public key. To import another person's public key, use the following:

[prompt]$ gpg --import

To sign and encrypt data (filename.txt), the following command can be used:

[prompt]$ gpg -sea -r TargetUserName filename.txt

For TargetUserName to decrypt that file, the following command should be used:

[prompt]$ gpg -d filename.txt.asc > output.txt
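
The steps above (generate, export, import, sign and encrypt, decrypt) run as one non-interactive round trip between two throwaway keyrings. This is an added example, not part of the original article; the two users, their addresses, the message and the helper names gpg_roundtrip and g are constructed, and it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: the article's key-exchange round trip in two throwaway keyrings.
# Names, addresses and the message are constructed; nothing touches ~/.gnupg.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    work=$(mktemp -d) || return 1
    (
        cd "$work" && mkdir -m 700 alice bob || exit 1
        # g KEYRING ARGS...: run gpg non-interactively against one keyring.
        # --trust-model always skips the key-ownership check; outside a demo,
        # compare the key's fingerprint with its owner before encrypting to it.
        g() {
            home=$1; shift
            gpg --homedir "$work/$home" --batch --quiet --trust-model always \
                --pinentry-mode loopback --passphrase '' "$@"
        }
        # 1. Each party generates a key pair (no passphrase: demo only).
        g alice --quick-generate-key 'Alice Demo <alice@example.org>' default default never &&
        g bob --quick-generate-key 'Bob Demo <bob@example.org>' default default never &&
        # 2. Each exports a public key and imports the other side's.
        g alice --export -a alice@example.org > alice.pub &&
        g bob --export -a bob@example.org > bob.pub &&
        g alice --import bob.pub &&
        g bob --import alice.pub &&
        # 3. Alice signs with her private key and encrypts to Bob's public key.
        printf 'constructed sample message\n' > filename.txt &&
        g alice -sea -r bob@example.org filename.txt &&
        # 4. Bob decrypts; gpg checks Alice's signature in the same pass.
        g bob -d filename.txt.asc > output.txt &&
        cmp -s filename.txt output.txt
    )
    rc=$?
    # Stop the per-keyring daemons gpg started, then remove the keyrings.
    for u in alice bob; do
        gpgconf --homedir "$work/$u" --kill all 2>/dev/null || :
    done
    rm -rf "$work"
    return "$rc"
}
```

Calling gpg_roundtrip returns 0 when the decrypted output matches the original file, and 2 when gpg is not installed.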

Another useful feature of gpg is its ability to use symmetric encryption. This can be
used when you only wish to encrypt a file for personal use. It uses the same key for
both encryption and decryption. To encrypt a file symmetrically, use the following:

[prompt]$ gpg -c

GNUPG can also be easily interfaced with email. Several years ago, a feature for
LinuxSecurity.com was written that describes how to interface it with pine. Virtually
all modern email clients will support it. There is a wealth of information available
on Google that can help you learn how to take advantage of GPG's features. Have fun!

Using GnuPG with Pine for

Until next time, cheers!
Benjamin D. Thomas

GDSN Subscription Price Reduction
- Guardian Digital, the world's premier open source security company, announced today
that they will be reducing the annual subscription cost of the Guardian Digital Secure
Network for EnGarde Community users from $229 to $60 for a

- Dan Verton, the author of The Hacker Diaries: Confessions of Teenage Hackers is a
former intelligence officer in the U.S. Marine Corps who currently writes for
Computerworld and CNN.com, covering national cyber-security issues and critical
infrastructure

This glibc update includes the fix for a local vulnerability and new timezone maps
adjusted for the Brazilian daylight saving time 2003/2004 schedule:
http://www.linuxsecurity.com/advisories/connectiva_advisory-3732.html

Distribution: Debian

10/13/2003 openssl095 ASN.1
Steve Henson of the OpenSSL core team identified and prepared fixes for a number of
vulnerabilities in the OpenSSL ASN1 code that were discovered after running a test
suite by British National Infrastructure Security Coordination
http://www.linuxsecurity.com/advisories/debian_advisory-3731.html

10/15/2003 tomcat4 denial of service vulnerability
Aldrin Martoq has discovered a denial of service (DoS) vulnerability in Apache Tomcat
4.0.x.
http://www.linuxsecurity.com/advisories/debian_advisory-3733.html

Distribution: Mandrake

10/10/2003 sane multiple
Several vulnerabilities were discovered in the saned daemon, a part of the sane
package, which allows for a scanner to be used remotely.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3727.html

Distribution: NetBSD

10/10/2003 XFree86 font buffer
There is an integer overflow in the XFree86 font libraries, which could lead to
potential privilege escalation and/or remote code execution.
http://www.linuxsecurity.com/advisories/netbsd_advisory-3728.html

10/10/2003 sendmail buffer
Fix a buffer overflow in address parsing. However, a remote exploit of the sendmail
(smmsp - Sendmail Message Submission Program) uid could lead to opportunities to apply
local exploits to further elevate privileges.
http://www.linuxsecurity.com/advisories/netbsd_advisory-3729.html

10/10/2003 openssl multiple
OpenSSL had multiple vulnerabilities; they were found by tests performed by NISCC
(www.niscc.gov.uk).