Debian miniconf JP 2016-12-10

GnuPG Now!

g新部 裕 <gniibe@fsij.org>

Contents

  • Introduction
  • GnuPG in Debian
  • GnuPG 2.1
  • Recommendations
  • And more!

About Me

Niibe with 'g'

  • FSIJ chair person
  • GNU Project web pages in Japanese
  • GnuPG Project
  • Gnuk / NeuG / FST-01G
  • FSM-55

GnuPG and libgcrypt

  • One of release keys: NIIBE Yutaka

    031EC2536E580D8EA286A9F22071B08A33BD3F06

  • libgcrypt RSA implementation since 2014

    When you examine RSA signature, the computation is done by my implementation.

  • scdaemon

GnuPG in Debian

GnuPG in Debian

Until Jessie, we have three packages

  • gnupg for GnuPG 1.4
  • gnupg2 for GnuPG 2.0
  • dirmngr

Changes for Stretch

  • New Team Maintenance (eric and dkg)
  • Upstream developers involved (gniibe and wk)
  • Packages:
    • gnupg for GnuPG 2.1
    • gnupg1 for GnuPG 1.4
    • libassuan, libgpg-error, pinentry
    • gpa, gpgme1.0

Major change in Stretch

  • gnupg is now GnuPG 2.1 (not GnuPG 1.4)
    • 'gpg' is now version 2.1!
  • Binary packages
    • gnupg-l10n, dirmngr, gnupg, gnupg-agent, gpgsm, gpgv, scdaemon
    • gpgv-static, gpgv-win32, (gnupg2, gpgv2)

What's new in GnuPG 2.1?

Major design changes

  • New public key format: KBX
  • New management of private key
    • It's under control of gpg-agent

GnuPG programs (1)

  • Mandatory: gpg, gpg-agent
  • Passphrase: pinentry
  • Smartcard/Token: scdaemon
  • Key retrieval: dirmngr
  • Others: (gpgsm, ssh)

GnuPG programs (2)

image

New Public Key Algorithm

  • ECC (Elliptic Curve Crypto)
    • Classic: NIST P-256, etc.
    • Modern: Curve25519

My Recommendations

Use of Authentication key

  • Use gpg-agent as ssh-agent
  • Distribution of auth key easily & securely

Use of smartcard/token

  • Avoid having multiple copies of private keys on different machines

Typical Example

FST-01

At work computerA
Home computerB
On the Go computerC

Use of Curve25519

  • Ed25519/X25519 is more secure
  • Key is small
  • Fast!

And more!

Key signing party?

  • Important for Debian
  • However, it's difficult for normal users

  • More casual mothod?

    Given the situation lesser security level would be OK

WKD and ToFU

  • WKD: Web key directory

    Mail providers also serve public keys

https://www.gnupg.org/blog/20161027-hosting-a-web-key-directory.html https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-01.html

  • ToFU: Trust On First Use

    Easier and can scale

g13 with DM-Crypt

  • Use gpg public key crypto for encrypted disk partition

Happy Hacking!