Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1063439
  • 博文数量: 242
  • 博客积分: 10209
  • 博客等级: 上将
  • 技术积分: 3028
  • 用 户 组: 普通用户
  • 注册时间: 2008-03-12 09:27
文章分类

全部博文(242)

文章存档

2014年(1)

2013年(1)

2010年(51)

2009年(65)

2008年(124)

我的朋友

分类: 网络与安全

2008-05-22 14:56:19

############# gpg命令 加/解密 及 验证签名 实例 ###############

一 . 探索 gpg 命令

$ which gpg
/usr/bin/gpg

$ rpm -qf /usr/bin/gpg
gnupg-1.0.6-5

$ rpm -ql gnupg

二 . 开始使用 GnuPG,你必须首先生成一组新的钥匙对:公匙 和 私匙。

.1. 用普通帐户权限来操作, 创建 ./gnupg 目录 跟 ./gnupg/options 文件 :

$ gpg --gen-key
----------------------------------------------
gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!
gpg: /home/xxxxx/.gnupg: directory created
gpg: /home/xxxxx/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file
----------------------------------------------

.2. 再次运行 gnupg 命令生成钥匙对 ( 公匙和私匙 ) :
$ gpg --gen-key
----------------------------------------------
gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!
gpg: /home/xxxxx/.gnupg/secring.gpg: keyring created
gpg: /home/xxxxx/.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
Your selection? [enter] 默认值

DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) [enter]

Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years

Key is valid for? (0) [enter]
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) "

Real name: hello
Email address:
Comment: no
You selected this USER-ID:
"hello (no) "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
[ 相对通信一方 ,输入真实用户名和 E-Mail ,Comment(注释)可不填 ]

输入密码
Enter passphrase:xxxxxxxxxx
Repeat passphrase:xxxxxxxxxx

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard,....................
.................................................
.................................................
+++.+++++++++++++++++++++++++.++++++++++.++++++++++++++++++++>+++++
public and secret key created and signed.
------------------------------------------------

[ 若对输入信息有所改动 ,可把 ~/.gnupg 目录下除 options 以外的文件删除 ,再运行 gpg --gen-key 命令 ,或者使用 gpg 的 edit 选项 . ]

钥匙对放在 ~/.gnupg 目录下 .输出你的钥匙:

$ gpg --list-keys
-------------------------------
gpg: Warning: using insecure memory!
/home/xxxxx/.gnupg/pubring.gpg
------------------------------
pub 1024D/A2CCCBF3 2005-06-21 hello (no)
sub 1024g/84F6D7B9 2005-06-21
------------------------------
[ pub(公匙)--- public key , ID : A2CCCBF3
sub(私匙)--- secret key or private key , ID : 84F6D7B9 ]

[ gpg: Warning: using insecure memory! 警告没有锁定内存页 ,假如是root帐户操作就没这错误信息 ,一般是连接网上操作有关安全方面的问题 ,没碍 ! 若碍眼的 ,作这改动 : # chmod 4755 /usr/bin/gpg ]

## 实例 1 : 用 Gnupg密匙加密和解密文件 . ##

$ cd
$ vi gpg-test
------------------------
Hello !
good morning
viewer
The last viewer checked out of their rooms in the morning.
你不下班 ,别人回家还要煮饭 .
------------------------

加密成 ASCII 文件 :
$ gpg -ea -r hello gpg-test
$ ls gpg-test*
gpg-test gpg-test.asc

$ cat gpg-test.asc

解密文件 :
$ gpg -o gpg-test.file --decrypt gpg-test.asc
-----------------------------------
gpg: Warning: using insecure memory!

You need a passphrase to unlock the secret key for
user: "hello (no) "
1024-bit ELG-E key, ID 84F6D7B9, created 2005-06-21 (main key ID A2CCCBF3)

Enter passphrase:[输入生成钥对时的那个密码 xxxxxxxxxx ]
gpg: encrypted with 1024-bit ELG-E key, ID 84F6D7B9, created 2005-06-21
"hello (no) "
-----------------------------------

[ 这里所指密匙包括公匙与私匙 ,从以上ID号可知 ,文件是用公匙加密 ,用私匙解密文件 .假如你要求其他人用加密文件方式给你通信 ,你要把公匙告诉他们 .]

$ ls gpg-test*
gpg-test gpg-test.asc gpg-test.file

$ diff gpg-test gpg-test.file
$ cat gpg-test.file

[ 这里 加/解密方式采用RSA算法 ,公匙与私匙是互补 ,理论上是不可破解 ,也没有人尝试成功过. ]

## 实例 2 : Gnupg 检验软件包 ##

从安装光盘做试验 ,首先挂载光盘后复制软件 :

$ cp /mnt/cdrom/RedHat/RPMS/htmlview-2.0.0-1.noarch.rpm /tmp/
$ cd /tmp

用 rpm 验证软件 ( 选项: --checksig or -K )
$ rpm --checksig htmlview-2.0.0-1.noarch.rpm
htmlview-2.0.0-1.noarch.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#DB42A60E)

[ 钥匙环不存在 htmlview 所属软件包组的公匙. ]

$ rpm --checksig --nogpg htmlview-2.0.0-1.noarch.rpm
htmlview-2.0.0-1.noarch.rpm: md5 OK

[ md5 OK 这条信息说明传送中软件没被篡改 .]

数字签名证明软件所属作者 .
( 数字签名是作者用私匙对软件特征值进行加密 . )

$ cp /mnt/cdrom/RPM-GPG-KEY ./
$ less ./RPM-GPG-KEY

[ 注:
系统有类似的文件: /usr/share/doc/redhat-release-7.3/RPM-GPG-KEY , /usr/share/rhn/RPM-GPG-KEY ]

导入软件组公匙 :
$ gpg --import RPM-GPG-KEY
gpg: Warning: using insecure memory!
gpg: key DB42A60E: public key imported
gpg: Total number processed: 1
gpg: imported: 1

$ gpg --list-keys
gpg: Warning: using insecure memory!
/home/ideal/.gnupg/pubring.gpg
------------------------------
pub 1024D/A2CCCBF3 2005-06-21 hello (no)
sub 1024g/84F6D7B9 2005-06-21

pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc
sub 2048g/961630A2 1999-09-23

$ rpm --checksig htmlv*.rpm
htmlview-2.0.0-1.noarch.rpm: md5 gpg OK

## 实例 3 : 验证 Bastille RPM 发布软件包的分离签名 : ##

这里只介绍验证数字签名 , Bastille 1.3.0 版本没包括数字签名 ,有单独签名包 . 跟以上有点差别 .

在 下载 :
主软件包: Bastille-1.3.0-1.0mdk.noarch.rpm
签名包: Bastille-1.3.0-1.0mdk.noarch.rpm.asc

下载 Bastille 公匙 : bastille-key

导入公匙 :
$ gpg --import bastille-key

验证 Bastille 数字签名 :
$ gpg --verify Bastille-1.3.0-1.0mdk.noarch.rpm.asc Bastille-1.3.0-1.0mdk.noarch.rpm
显示 : .................. gpg ok

--
--
thumb-xiaowei 05-06-25 18:17

--
--
####### Gnupg 实验室 #######

构思 : 单机, X-Windows 环境, 创建两个帐户 redred 和 hathat ,sedmail 为邮件中继 ,在虚拟终端模拟邮件信息 加/解密 跟数字签名 传送操作 .

一. 创建两个帐户 :

转为 root 权限
$ su -

创建帐户
# useradd redred ; useradd hathat
# passwd redred
# passwd hathat
# tail -2 /etc/passwd

Gnupg 操作时拥有 root 权限
# chmod 4755 /usr/bin/gpg

打开两个虚拟终端 ,分别对 redred , hathat 设置 :
第一终端 :
$ su redred
$ cd ~/
$ PS1=$'\u > '
redred >
redred > echo '' > /var/spool/mail/redred

另一终端 :
$ su hathat
$ cd ~/
$ PS1=$'\u > '
hathat >
hathat > echo '' > /var/spool/mail/hathat

然后仿照上篇文档 hello 帐户生成钥匙对方法 ,运行两次gpg --gen-key .要有以下条件 :
name : redred or hathat
E-Mail : redred@localhost or hathat@localhost

[ 主机名不一定是 localhost ,uname -n 作准 . ]

现模拟 redred 为发信人 , hathat 为收信人 ,按上文档加/解密的实例 , redred 要有 hathat 的公匙 .

hathat 导出公匙 :
hathat > gpg --list-key
/home/hathat/.gnupg/pubring.gpg
-------------------------------
pub 1024D/64C4C484 2005-06-24 hathat
sub 1024g/6D9088CC 2005-06-24

hathat > gpg --armor --export hathat@localhost > hathatkey.asc

[ armor 为输出ASCII编码 ,便于邮件传送 . 其中命令项 hathat@localhost 可为用户名hathat 或 64C4C484 ( ID号 ) ]

发送邮件 :
hathat > mail redred@localhost -s "give public key" < hathatkey.asc

邮件内容生成公匙文档 :
redred > awk '/BEGIN PGP PUBLIC/,/END PGP PUBLIC/' /var/spool/mail/redred > hathatkey.asc

[ 若先查看邮件后生成公匙文档 :
redred > mail -u redred
redred > awk '/BEGIN PGP PUBLIC/,/END PGP PUBLIC/' /home/redred/mbox > hathatkey.asc
][ 也可在查看邮件时用粘帖文本方式生成公匙文档 . ]

清空邮件 ,方便实验 ,若粘帖方式可不用 .
redred > echo '' > /var/spool/mail/redred

导入公匙 :
redred > gpg --import hathatkey.asc
gpg: key 64C4C484: public key imported
gpg: /home/redred/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg: imported: 1

用数字签名--fingerprint 指纹信息选项。来验证此证书是否符合使用 。
redred > gpg --fingerprint hathat
pub 1024D/64C4C484 2005-06-24 hathat
Key fingerprint = 2688 6ED6 76DD A63F 1F71 2E41 BF62 CE9B 64C4 C484
sub 1024g/6D9088CC 2005-06-24

列出钥匙对及签名 :
redred > gpg --list-sig hathat
pub 1024D/64C4C484 2005-06-24 hathat
sig 64C4C484 2005-06-24 hathat
sub 1024g/6D9088CC 2005-06-24
sig 64C4C484 2005-06-24 hathat
[ name : hathat , ID : 64C4C484 , gpg命令中可通用 . ]


怎知道所导入公匙是 hathat ? Gnupg 要你承诺并使用 gpg --sign-key name 对这个公钥进行签名,来告诉 gpg 你能够确认公钥是正确并有效的 :
redred > gpg --sign-key 64C4C484
.......................
Really sign? y
.......................
passphrase : 输入 redred 生成钥匙对时的密码

跟没签名时对比 :
redred > gpg --list-sig hathat
pub 1024D/64C4C484 2005-06-24 hathat
sig 64C4C484 2005-06-24 hathat
sig 9188C6F7 2005-06-25 redred
sub 1024g/6D9088CC 2005-06-24
sig 64C4C484 2005-06-24 hathat


一. 尝试 加/解密 及传送过程 :
生成加密文档 encrypt.test
redred > echo -e " Thoughts are expressed by means of words. " > encrypt.test
加密文件 :
redred > gpg -ea -r hathat encrypt.test
redred > ls
encrypt.test encrypt.test.asc hathatkey.asc mbox

redred > more encrypt.test.asc
redred > mail hathat@localhost -s "encrypt file" < encrypt.test.asc
redred >

hathat 解密邮件
hathat > awk '/BEGIN PGP/,/END PGP/' /var/spool/mail/hathat > redredfile.asc
hathat > ls
hathatkey.asc redredfile.asc

hathat > gpg -o redred.file -d redredfile.asc
passphrase : 输入 hathat 生成钥匙对时的密码

hathat > cat redred.file

Thoughts are expressed by means of words.

hathat > echo '' > /var/spool/mail/hathat

二 . 数字签名
已 知 : redred 为发送方 , hathat 为接收方 . 数字签名是证明原作者(redred)身份的标识 . 通常用原作者(redred)的私匙加密 , 由于Gnupg中公匙与私匙是互补的 , 因而接收方(hathat)要有原作者(redred)的公匙 .

redred 导出公匙并 mail 给 hathat :
redred > gpg --armor --export redred > redredkey.asc
redred > mail hathat@localhost -s "give redredkey.asc" < redredkey.asc

hathat 导入公匙 :
hathat > awk '/BEGIN PGP PUBLIC/,/END PGP PUBLIC/' /var/spool/mail/hathat > redredkey.asc
hathat > echo '' > /var/spool/mail/hathat

hathat > gpg --import redredkey.asc
gpg: key 9188C6F7: public key imported
gpg: Total number processed: 1
gpg: imported: 1

hathat 给公匙签名 :
gpg --sign-key redred

redred 创建签名文件 :
redred > echo -e "Hello 早上好 " > redred-sig.file

用 redred 的私匙对签名文件进行透明签名(保持文本可读)
redred > gpg --clearsign redred-sig.file
redred > mv redred-sig.file redred-clearsign.file.asc
redred > more redred-clearsign.file.asc

用 redred 的私匙对签名文件签名,
redred > gpg --sign --armor redred-sig.file
redred > more redred-sig.file.asc

发送邮件 :
redred > mail hathat@localhost -s "redred-sig.file.asc" < redred-sig.file.asc
redred > mail hathat@localhost -s "redred-clearsign.file.asc" < redred-clearsign.file.asc

还原文件 :
hathat > mail -u hathat

用粘帖/复制方式还原redred-sig.file.asc和redred-clearsign.file.asc两文件

hathat > ls -l redred-*.file.asc
-rw-rw-r-- 1 hathat hathat 296 6月 25 10:57 redred-clearsign.file.asc
-rw-rw-r-- 1 hathat hathat 301 6月 25 10:56 redred-sig.file.asc

验证签名 :
hathat > gpg --verify redred-sig.file.asc
hathat > gpg --verify redred-clearsign.file.asc

显示 > gpg: Good signature from "redred "

解密文件 [ 一般解密时包括验证签名 ] :
hathat > gpg -o redred-sig.file1 -d redred-sig.file.asc
hathat > gpg -o redred-sig.file2 -d redred-clearsign.file.asc

hathat > cat < redred-sig.file2 ;cat < redred-sig.file2
hathaat > echo '' > /var/spool/mail/hathat

对文件进行签名和加密,并使输出ASCII编码 :

创建测试文件 :
redred > cat > sign-encrypt.file
---------------------------------------
对文件进行签名和加密,并使输出ASCII编码 :
gpg --recipient user_name --sign --encrypt --armor file
[crtl+D]
---------------------------------------

redred > gpg -r hathat -sea sign-encrypt.file
redred > mail hathat@localhost -s "give sign-encrypt.file.asc" < sign-encrypt.file.asc

hathat 还原文件和解密 :
hathat > awk '/BEGIN PGP MESSAGE/,/END PGP MESSAGE/' /var/spool/mail/hathat > sign-encrypt.file.asc
hathat > gpg -o sign-encrypt.file -d sign-encrypt.file.asc

hathat > cat sign-encrypt.file
hathat > echo '' > /var/spool/mail/hathat

分离签名 :
redred > echo "make a detached signature " > redred.detach
redred > gpg -sba redred.detach

redred > ls redred.de*
redred.detach redred.detach.asc

先作验证
redred > gpg --verify redred.detach.asc redred.detach

redred > mail hathat@localhost -s "test redred.detach" < redred.detach
redred > mail hathat@localhost -s "test redred.detach.asc" < redred.detach.asc

hathat 用粘帖方式还原两文件 , 并验证 :
hathat > mail -u hathat
[ 粘帖时要仔细 ,差一个空格都影响验证 . ]

hathat > ls -l /home/hathat/redred.deta*
-rw-rw-r-- 1 hathat hathat 26 6月 25 16:47 /home/hathat/redred.detach
-rw-rw-r-- 1 hathat hathat 232 6月 25 16:47 /home/hathat/redred.detach.asc

验证 :
hathat > gpg --verify redred.detach.asc redred.detach
gpg: Signature made 2005年06月25日 星期六 16时40分50秒 CST using DSA key ID 9188C6F7
gpg: Good signature from "redred "


三 . 撤回证书
如接收方 hathat 忘记了口令、更换了 E-mail(地址),或硬盘损坏的情况下,可制作废弃证书来宣告你原来的公钥无效。

hathat > gpg --output revoke.asc --gen-revoke hathat@localhost
--------------------------------------------------------
sec 1024D/64C4C484 2005-06-24 hathat

Create a revocation certificate for this key? y
Please select the reason for the revocation:
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
0 = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> redred E-mail change .
>
Reason for revocation: Key has been compromised
hathat E-mail change .
Is this okay? y

You need a passphrase to unlock the secret key for
user: "hathat "
1024-bit DSA key, ID 64C4C484, created 2005-06-24

Enter passphrase: ( hathat 密码 )
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
--------------------------------------------------

发布证书 :
hathat > mail redred@localhost -s "hathat give revoke.asc" < revoke.asc

redred 还原证书和导入证书 :
redred > mail -u redred
用粘帖方式还原证书 revoke.asc

redred > ls -l revoke.asc
-rw-rw-r-- 1 redred redred 334 6月 25 16:11 revoke.asc

先作些测试准备 :
redred > echo -e " test revoke.asc OK or NO" > revoke.test

导入证书 :
redred > gpg --import revoke.asc
redred > gpg --list-sig hathat
---------------------------------------
pub 1024D/64C4C484 2005-06-24 [revoked]
rev 64C4C484 2005-06-25 hathat
uid hathat
sig 64C4C484 2005-06-24 hathat
sig 9188C6F7 2005-06-25 redred
sub 1024g/6D9088CC 2005-06-24
sig 64C4C484 2005-06-24 hathat
---------------------------------------

加密 revoke.test
redred > gpg -ear hathat revoke.test
gpg: hathat: skipped: unusable public key
gpg: revoke.test: encryption failed: unusable public key
[ 显示公匙失效 . ]

知道公匙没效 ,不如把 hathat 公匙删除 :
redred > gpg --delete-key hathat

redred > gpg --list-sig hathat
gpg: error reading key: public key not found

redred > gpg --list-sig
/home/redred/.gnupg/pubring.gpg
-------------------------------
pub 1024D/9188C6F7 2005-06-24 redred
sig 9188C6F7 2005-06-24 redred
sub 1024g/9DB247D3 2005-06-24
sig 9188C6F7 2005-06-24 redred
更换GRUB密码
 
..
..
更换GRUB密码:

..打开终端,转换root权限。

$ su -
password:
root # grub
GRUB version 0.91 (640K lower / 3072K upper memory)

[ Minimal BASH-like line editing is supported. For the first word, TAB
lists possible command completions. Anywhere else TAB lists the possible
completions of a device/filename. ]

grub>md5crypt

password:********
Encrypted: $1$./i6A1$.cU3H2RYYSSc5ixPuuT.x0

grub>quit

把生成密码粘贴在 /boot/grub/grub.conf,如下:
root # vi /boot/grub/grub.conf
..........................
password --md5 $1$./i6A1$.cU3H2RYYSSc5ixPuuT.x0
..........................

下次重启系统,GRUB 菜单按‘P’键,输入 ******** 密码。
..
..

阅读(11074) | 评论(1) | 转发(0) |
0

上一篇:ubuntu gunpg安装使用ZZ

下一篇:xwindows 简介ZZ

给主人留下些什么吧!~~

chinaunix网友2009-04-30 07:22:01