Blog

  • How to install a Wazuh SIEM server on a Raspberry Pi 4B

    5.00 of 11 votes

    With many security professionals now working remotely from home, some are looking at ways in which they can improve their home environment network and endpoint security. Commercial SIEM solutions are often considered too costly and complicated to deploy, but free lightweight open-source solutions offering minimal overhead such as Wazuh provide a good compromise for those of modest means aiming to mature the security of their home or small business environment.This is my walkthrough on how to install the Wazuh server manager onto a Raspberry Pi 4B as an all-in-one deployment. I noticed there was no clear guidance online on how to go about doing this for a Raspberry Pi 4B, only a significant number of online posts outlining the installation and deployment difficulties people have faced. So here I've decided to document the process I took, tested and validated from start to finish, with clear directions anyone can follow.By following this guide you can run your own open-source SIEM solution on a Raspberry Pi 4B at home. This is great not only for existing security professionals looking to improve the resiliency of their home setup, but also for those new to the information security industry seeking to gain hands-on experience in SIEM deployment, management, and other SIEM/SOC related activities. Getting started To get started, I used a Raspberry Pi 4B with 8GB RAM and a 128GB SanDisk Extreme SD card for storage. Whilst the Raspberry Pi 4B I used for this project was custom built from TurboPi with high-end hardware for this particular purpose, any Raspberry Pi 4B with adequate hardware capable of running Raspbian OS (buster or greater) leveraging the AArch64 64-bit extension of the ARM architecture should be sufficient. Walkthrough Install a Raspberry Pi 64-bit ARM OS First download and install the official Raspberry Pi Imager. Now download the latest Raspi OS ARM64 .zip image from the official repo (make sure it's the latest version). Open the Raspberry Pi Imager application. Select the CHOOSE OS button and in the dropdown list select the Use custom option. Select the Raspi OS ARM64 .zip file you just downloaded. Select the SD storage card to write this to. Proceed with the prompted erasure, formatting, and writing activities to install the OS to your SD card. The last step here is to write an empty text file named 'ssh' (no file extension) to the root of the directory of the SD card. When the device boots and sees the 'ssh' file present, it will automatically enable SSH, which will allow us to remotely access the device command line in a headless state. Identify your Raspberry Pi local IP address For this I use a Kali VM in VirtualBox, but any flavour of Linux distro can acheive the same. As the guest VM is not visible to the host under the default VirtualBox NAT settings, you need to change your VM network settings to bridge the network adapter between your host machine and the guest VM. Once the network adapter is bridged, we need to identify the Raspberry Pi IP address on the network. There are a few ways to do this (such as logging directly into the router), but we can also use an arp command with the -na flag to display the local network address translation tables and pipe the output using grep to pull any MAC addresses that begin with identifiers we're interested in.arp -na | grep -i dc:a6:32 Raspberry Pi MAC addresses always use the same OUI (Organizational Unique Identifier) in their MAC address (b8:27:eb for all Raspberry Pi devices except Raspberry Pi 4B which uses dc:a6:32). Connecting to the Raspberry Pi Now we have the device IP address (in this example mine is assigned 192.168.1.93), we can SSH into it using default credentials ssh pi@192.168.1.93 with the default password raspberry and get started. Change hostname and update First you may wish to change the hostname from raspberry to wazuh (or something else). To do this run the command sudo raspi-config and navigate to System Options > Hostname using the GUI.Type in your desired hostname and hit Enter, then return to the main menu of the GUI and select Update. Once the device has finished updating, navigate to the to Finish button to save your new raspi-config settings.For the hostname change to take effect, reboot the device using the command sudo reboot, then SSH back in using the same credentials ssh pi@192.168.1.93 with the default password raspberry once the reboot is complete. Enable login as root Then if you want to login as root using SSH or WinSCP you need to edit the config of SSHD. Login, and edit the sshd_config file using sudo nano /etc/ssh/sshd_configFind the line containing PermitRootLogin prohibit-passwordEdit this to reflect PermitRootLogin yes Close and save the file, then reboot or restart sshd service using /etc/init.d/ssh restartSet a root password if there isn't one already using sudo passwd rootNow you can login as root (I recommend using a strong password or SSH keys). Now proceed to sudo up using sudo su and continue the next steps as root. Update the Raspberry Pi packages To update the Raspberry Pi, first ensure the VM you're connecting from over SSH into has an Internet connection and then run the command apt update && apt upgrade -y Once the update and upgrade process is complete, pull down the required packages for the next steps using:apt-get install apt-transport-https zip unzip curl gnupg wget libcap2-bin software-properties-common lsb-release -y Install Java 11 echo 'deb http://deb.debian.org/debian stretch-backports main' > /etc/apt/sources.list.d/backports.list apt update -y apt install openjdk-11-jdk -y Install Elasticsearch OSS Fetch the Elasticsearch OSS arm64 installation package:wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-7.10.2-arm64.deb Install the Elasticsearch OSS package:dpkg -i elasticsearch-oss-7.10.2-arm64.deb Install Open Distro for Elasticsearch Download and add the signing keys for the repositories:wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - Add the repository definitions:echo "deb https://d3g5vo6xdbdb9a.cloudfront.net/apt stable main" | sudo tee -a /etc/apt/sources.list.d/opendistroforelasticsearch.list Update the packages:apt-get update -y Install the Open Distro for Elasticsearch package:apt install opendistroforelasticsearch -y Configure and run Elasticsearch Run the following command to download the configuration file /etc/elasticsearch/elasticsearch.yml:curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml Now we need to add users and roles in order to use the Wazuh Kibana properly. Run the following commands to add the Wazuh users and additional roles in Kibana:curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.ymlcurl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.ymlcurl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml Remove the demo certificates:rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f Download the wazuh-cert-tool.sh:curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.shcurl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml Run the wazuh-cert-tool.sh to generate the certificates:bash ~/wazuh-cert-tool.sh Move the Elasticsearch certificates to their corresponding location for deployment:mkdir /etc/elasticsearch/certs/mv ~/certs/elasticsearch* /etc/elasticsearch/certs/mv ~/certs/admin* /etc/elasticsearch/certs/cp ~/certs/root-ca* /etc/elasticsearch/certs/ Enable and start the Elasticsearch service:systemctl daemon-reloadsystemctl enable elasticsearchsystemctl start elasticsearch Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster:export ES_JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem Run the following command to ensure the installation is successful:curl -XGET https://localhost:9200 -u admin:admin -k An example response should look as follows: The Open Distro for Elasticsearch performance analyzer plugin is installed by default and can have a negative impact on system resources. The official Wazuh documentation recommends removing this with the following command /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro-performance-analyzer and restarting the Elasticsearch service afterwards. Install and run the Wazuh manager Install the GPG key:curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - Add the repository definition:echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list Update the Wazuh packages:apt-get update -y Install the Wazuh manager package:apt-get install wazuh-manager Enable and start the Wazuh manager service:systemctl daemon-reloadsystemctl enable wazuh-managersystemctl start wazuh-manager Run the following command to check if the Wazuh manager is active:systemctl status wazuh-manager An example response should look as follows: Install and configure Filebeat Add the repository definition:echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list Fetch the Filebeat arm64 installation package:wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.12.1-arm64.deb Install the Filebeat package:dpkg -i filebeat-oss-7.12.1-arm64.deb Download the pre-configured Filebeat config file used to forward Wazuh alerts to Elasticsearch:curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml Download the alerts template for Elasticsearch:curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.jsonchmod go+r /etc/filebeat/wazuh-template.json Download the Wazuh module for Filebeat:curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module Copy the Elasticsearch certificates into /etc/filebeat/certs:mkdir /etc/filebeat/certscp ~/certs/root-ca.pem /etc/filebeat/certs/mv ~/certs/filebeat* /etc/filebeat/certs/ Enable and start the Filebeat service:systemctl daemon-reloadsystemctl enable filebeatsystemctl start filebeat To ensure that Filebeat has been successfully installed, run the following command:filebeat test output An example response should look as follows: Install and configure Kibana Install the Kibana package:apt-get install opendistroforelasticsearch-kibana Download the Kibana configuration file:curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml Create the /usr/share/kibana/data directory:mkdir /usr/share/kibana/datachown -R kibana:kibana /usr/share/kibana Install the Wazuh Kibana plugin. The installation of the plugin must be done from the Kibana home directory as follows:cd /usr/share/kibanasudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.5_7.10.2-1.zip Copy the Elasticsearch certificates into the Kibana configuration folder:mkdir /etc/kibana/certscp ~/certs/root-ca.pem /etc/kibana/certs/mv ~/certs/kibana* /etc/kibana/certs/chown kibana:kibana /etc/kibana/certs/* Link Kibana’s socket to privileged port 443:setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node Enable and start the Kibana service:systemctl daemon-reloadsystemctl enable kibanasystemctl start kibana Check the Kibana service status to ensure it's running:systemctl status kibana An example response should look as follows: Open the Kibana interface Visit the Raspberry Pi 4B device IP address in your browser (e.g my interface is reachable at https://192.168.1.93). Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured. Login to Kibana using the default user credentials admin with the password admin. For security purposes I recommend these credentials are changed. Change the default passwords To change the default credentials for all users residing in the internal_users.yml file, run the following command:bash wazuh-passwords-tool.sh -a An example response should look as follows: Remember to take note of these credentials or save them into a password manager if you have one. Next we need to also also update the credentials for Filebeat and Kibana (if these were not already covered by the wazuh-passwords-tool.sh script). Open and update the Filebeat configuration file:nano /etc/filebeat/filebeat.yml Change the associated password: value. Make sure you make a record of this, then save and exit. Open and update the Kibana configuration file:nano /etc/kibana/kibana.yml Change the associated elasticsearch.password: value. Make sure you make a record of this, then save and exit. Restart all services for the changes to take effect:systemctl restart wazuh-managersystemctl restart filebeatsystemctl restart kibana Congratulations, you've now installed the Wazuh server manager onto your Raspberry Pi. Now you can install the Wazuh agents on any devices you want to onboard to monitor security related events from within the server manager interface. The Wazuh agent installation guide is relatively simple and can be found here. I hope this tutorial helped.

  • How to avoid detection during a pen test

    5.00 of 56 votes

    Understanding how to cover your tracks during a pen test is important. The MITRE ATT&CK matrix defines this as defensive evasion, which consists of methods and techniques that an attacker may use to help avoid detection through network monitoring. Below are some defensive evasion techniques that can be used in practice during a pen test engagement. Clearing Command History (ID: T1146) Both Linux and Mac operating systems keep track of the commands users type in the terminal. The BASH shell will record keystrokes in the $home/ .bash_history file. During a pentest, once you obtain access to a Unix/Linux/Mac operating system, it is usually best practice to unset the history file to prevent the user/administrator from knowing what commands you were executing, as well as not commingling your dirty/malicious commands with a user's history. Unsetting the history file is as easy as shown here: unset HISTFILE - The temporary history will not be written to disk. export HISTFILE=0 - The temporary history will not be written to disk. history -c - This will clear the temporary history file. set +o history - Prevents commands from recording to the temporary history. Administrators can counter the defense evasion attack by setting the variable read-only to help preserve the contents of the history file for forensic purposes. Timestomping (ID: T1099) A technique used to modify the timestamps of a file (the modify, access, create, and change times) is called timestomping. This technique can be executed by an attacker against files/directories that were modified. The timestomp feature in a meterpreter shell can be a good way to limit the digital footprint of reading/writing data on the file system. To see a list of options, you can use the following syntax: timestomp -v - Display the UTC MACE values of the file. timestomp -m - Set the last written time of the file. timestomp -a - Set the last accessed time of the file. timestomp -c - Set the creation time of the file. You can see what the date timestamps look like before and after, then change it back to the before look. Imagine you wanted to change the contents of a user's logon script or even a scheduled task that points to a PowerShell file in the administrator's home directory called riggs-script.ps1 and add some arbitrary code to the file to assist with persistence. Once you modify the file, you can use timestomp to change the file back to the original values. This way your modification doesn't set off any red flags when looking at the date timestamp. Let's say you are on a Windows database server after successfully exploiting an SQL injection vulnerability through the customer's web server. You want to remove your nefarious actions from the www.log and db.log files and timestomp them to a period of time prior to the attack. After you remove your malicious entries in the log, you can use PowerShell to change the file properties LastWriteTime, LastAccessTime, and CreationTime for each log file. To do this, you could use the Get-Item cmdlet to identify the item (file) you want to modify, define the date you want to set the files to (the format is MM/DD/YYYY HH:MM am/pm), and apply the new timestamp to each file property. This can help conceal your entry and allow you to continue with your testing objectives and not draw as much attention to yourself. If you modify the contents of a file that a customer is monitoring with integrity checking software (like Tripwire), the change will still be identified and will likely trigger an alert. Integrity monitoring software compares a cryptographic hash of the file from the time the file was last inspected. These tools can be set to run at various times through scheduled tasks. There is a difference between changing the last written/accessed/creation time and creating a cryptographic hash of the target file. File Deletion (ID: T1107) Malware, tools, or other non-native files dropped or created on a system may hadd to the attacker's digital footprint. Metasploit is a great way of avoiding this hurdle when exploiting and executing code from within the framework, as there are automated mechanisms for cleaning up tools and anything residing in memory. The attacker may also clean the contents from /var/log/* on Linux/Unix/Mac operating systems, or wipe out the Event Viewer database on Microsoft systems. To mitigate, organisations can leverage logging servers (e.g, SYSLOG) to send security-relevant messages and information to a central host. This will help make the attacker's job harder when covering their tracks if the log events are stored on another system or part of the network that they don't have access to.

  • How to torrent (on Windows)

    4.51 of 45 votes

    The purpose of this tutorial is to provide guidance on how to access and download torrents. Torrents are hosted on file-sharing websites, which act as a directory for finding desired data (such as movies, TV shows, OS images, or open-source software). File-sharing sites themselves do not host the desired data - they just host the torrent files that tell your torrent client where it can retrieve them from. Torrents Torrents are simply peer-to-peer pointers that work by providing a torrent client with an address book of seeds that possess and are actively uploading the desired data. Seeds Seeds (also known as peers) are those in possession of the full data with an open upstream connection that shares it.   Accessing file-sharing sites ISPs block a number of well-known file sharing sites such as ThePirateBay and KickassTorrents, usually via DNS filtering and blocking requests to blacklisted server IP addresses. If you cannot visit these or other file-sharing sites, it may be because your ISP is blocking access. There are a number of methods to circumvent these blocks (and one or more may need to be adopted), but I will focus on three of the most common. Windows: Change DNS Server Navigate to Control Panel > Network and Internet > Network and Sharing Center On the left hand panel, click Change adapter settings Right-click on the connection type (could be Ethernet or WiFi) and select Properties Scroll down the list of items to find Internet Protocol Version 4 (TCP/IPv4) Click on it once to select it and then click Properties Near the bottom of the box is Use the following DNS server addresses Select that option and type in 8.8.8.8 and 8.8.4.4 Now flush your DNS resolver cache by opening CMD and typing ipconfig /flushdns then press Enter Use a VPN You can use a VPN such as ProtonVPN. Using a VPN will mask the traffic to your ISP by tunnelling your connection through a VPN server. Use Tor You can use Tor (The Onion Router). Tor acts in a similar way to a VPN, but introduces a series of encrypted hops which bounce your communications between distributed relays before arriving at the desired destination.   How to torrent files Install a torrent client To torrent files you first need to install a torrent client. For this example I will be using uTorrent. Find the desired torrent Then you need to find which torrent you want from a file-sharing site. For this example I will be using ThePirateBay. Select the desired torrent To select the torrent, you need to copy the torrent URL. For this example, I right-click the magnet icon and select Copy link address This URL follows the magnet URI scheme and identifies a torrent using a SHA-1 or truncated SHA-256 hash (commonly termed the infohash). This is the same value that your torrent client will use to identify a particular torrent when communicating with other peers. Download the desired torrent You must instruct your torrent client to request that torrent. For this example, I open uTorrent and press Ctrl + U to open the Add Torrent from URL window. Then paste the copied torrent link and hit OK   How torrenting works When you click to download a particular torrent, your torrent client will request that the trackers included in the torrent URL search for any peers broadcasting the associated file hash. Trackers Trackers are address-book servers which help organise, manage, and connect active peers. If found, your torrent client will then check if those peers have an authorised open upstream connection. If these conditions are met, your torrent client will then mark them as seeds and begin downloading the desired data. During the download process, your torrent client will automatically verify the integrity of data received by hashing each piece in a Merkle tree format. This ensures any corrupt or incorrect data is dropped during the transfer process to maximise download speed, security, and efficiency. Additional notes File-sharing sites are natural breeding grounds for malware. Torrenting safely requires an appreciation for basic security practices. I recommend you avoid torrenting if you do not know what you are doing. Accessing file-sharing sites and torrenting is perfectly legal, but torrenting unsanctioned copyrighted material is not. Be kind – torrenting can throttle your network and may affect others that share it. You may need to check your torrent client settings to ensure bandwidth rate limiting is correctly optimised. If you are concerned about upload usage, you may need to adjust your torrent client settings to automatically stop seeding once a download has completed. I recommend avoiding peer blocker software such as PeerBlock. These are designed to prevent you from connecting to blacklisted peers, but are often unreliable, significantly reduce your download speeds, and serve little purpose if you’re already using a VPN or Tor.

  • How to validate file integrity with checksums

    4.66 of 41 votes

    A checksum is a unique string derived from a block of digital data for the purpose of detecting any changes which may have been introduced during its transmission or storage. In short, checksums are a file integrity validation measure. If you download a file from an untrusted source, a checksum can help you validate that the file you have downloaded perfectly matches that which the file issuer intended. In practice, this helps identify any files which have been corrupted or maliciously altered in transit. Checksums are commonly seen on websites alongside downloadable software binaries, patches, hotfixes, and updates. Due to their low computational overhead, they are also useful in security operations for fingerprinting malware and can be added to anti-virus signature databases or stored as artifacts for future reference.   Windows: HashTab is a free shell extension for Windows which integrates itself within Windows Explorer as a property page for files with a context menu to generate and compare hashes. Once installed, HashTab can be accessed by right-clicking a target file and navigating to Properties and selecting the File Hashes tab. HashTab will then automatically attempt to hash the target file and report the relevant values. Alternatively, Windows comes with a pre-installed utility called CertUtil, which can be used to generate hashes. To generate a hash for a particular file using CertUtil, open CMD (Command Prompt) and type the following: CertUtil -hashfile [TARGET FILE LOCATION] [DESIRED HASH ALGORTHM] For example: This will generate a SHA256 hash string which can then be compared against the checksum provided by the file issuer to verify the file integrity.   Linux: Linux comes with a number of pre-installed checksum utilities. To generate a hash for a particular file using these, open terminal and type the following: [DESIRED HASH ALGORITHM]sum [TARGET FILE LOCATION] For example: This will generate a SHA256 hash string which can then be compared against the checksum provided by the file issuer to verify the file integrity.

  • How to generate PGP keys

    4.59 of 41 votes

    To receive PGP encrypted emails and sign your own messages, you will need to generate your own key pair. There are both easy and advanced (best practice) ways to go about doing this. Here I will try to guide you through the process. The easy method Use an online third party web service such as PGPKeyGen. This is simply an application layer representation of the advanced method below, where a third-party web server hosts the necessary libraries and backend functionality to generate PGP keys for you. The natural risk associated with this, however, is that relying on a third-party online web service offers no guarantee a copy of the keys you receive will not be stored, sold, or shared elsewhere. Some web-based services generate keys client-side by using specific JavaScript libraries (such as OpenPGP.js) within your browser. Whilst this mechanism is still not as secure as the best practice methods detailed below, it provides a good balance between PGP security and day-to-day usability. The advanced method (best practice)   Windows: To generate PGP keys on Windows we require the latest version of the GnuPG software package Gpg4win. This is a free implementation of the OpenPGP standard which enables local key generation, encryption, and signing operations. Once installed, run the Kleopatra application. Navigate to File > New Key Pair and then choose the key format you want to create. For this example we will be creating a personal OpenPGP key pair. Now we need to input our name and email address values. Then click Advanced Settings and ensure the following fields are completed as shown in the image below. Now we can click OK and check that our key configuration is correct. We can now click Create to generate the key pair. We are now presented with a prompt requiring we input our desired passphrase. We must input the secure passphrase we wish to use. This is the password we will need to use each time we wish to decrypt or sign a PGP message using these keys in the future. Our key pair has now successfully been generated.   Linux: To generate PGP keys on a Linux distribution we require the latest version of GPG (GnuPG). This is a free implementation of the OpenPGP standard which enables local key generation, encryption, and signing operations. To get started, we run the install command. sudo apt install gnupg Once installed, we can move on to generating our key pair. For this we use the --full-generate-key parameter. We will then be prompted to specify the type of key we want to create. We can press the Enter key to accept the default (RSA and RSA). We must then select our desired key size, which I recommend (at the time of this blog post) is at least 4096 bits to conform with best practice. We then have the option to choose how long the keys should be valid for. In practice, this means the amount of time someone intending to communicate with you via PGP should consider that particular key pair safe for use. For this example, we do not want our keys to expire, so we press Enter as that is already selected as the default. We will then be prompted to input specific identifier values which will reside within the core structure of the keys themselves. We must then input the secure passphrase we wish to use. This is the password we will need to use each time we wish to decrypt or sign a PGP message using these keys in the future. Depending on our hardware processing capabilities, we may then be prompted to generate entropy using the mouse or keyboard. Once this process is complete, the newly generated keys will be stored internally on our GnuPG keyring. This is a location within the filesystem where PGP keys generated locally using GnuPG naturally reside. If we want to view the public keys within our keyring, we can use the --list-keys parameter. If we want to view the private keys within our keyring, we can use the --list-secret-keys parameter. If we want to view the fingerprint of the public keys within our keyring, we can use the --fingerprint parameter. Existing PGP keys can be exported out of the keyring using the --export parameter. This will write our newly generated public key to a plaintext .key file which we can publish and share online. Other parties can then use this public key to encrypt messages and send them to us securely.To learn more about PGP keys, consider checking out my previous blog post on how PGP keys work.

  • How do PGP keys work

    4.63 of 48 votes

    PGP (Pretty Good Privacy) encryption has become a long-standing pillar for protection and security for one primary reason: it permits you to send a coded message to somebody without sharing a key in advance.Suppose you wanted to send a sensitive message to someone without anyone else being able to access the content. Perhaps the best arrangement would be to encrypt it to a symmetric key that only you and the recipient know. If an attacker intercepts your message, nothing can be deciphered. Systems like this work well, but there is one major flaw – how can you send an encrypted message to somebody without an already-established secure channel to share keys? Public Key Cryptography This is a problem that PGP solves with something referred to as public key cryptography, which permits the secure sharing of information irrespective of physical distance or boundaries and without the need for establishing secure prior contact. Encryption / Decryption In public key cryptography, encryption and decryption processes rely on a mathematically unique key pair. This consists of two keys, one termed a public key and the other a private key, both keys being capable of encrypting and decrypting one another. A public key represents a one-way function similar to that of an open padlock – a security property that any individual can easily lock, but only the private key holder can open. Crucial to the nature of this operation is that the private key to decrypt a public key encrypted message must always remain secret, known only to the key pair owner.The image below illustrates an example of the encryption and decryption process. If Jacob wants to send Julian an encrypted message, he requires Julian’s public key. This means Julian must share his public key with Jacob. Jacob can then take Julian’s public key, use it to encrypt a message, and send the encrypted cipher text to Julian. Upon receipt, Julian can then use his private key to decrypt the message. Fingerprinting One issue with public keys is impersonation. There is no easy way to guarantee that a particular public key published online actually belongs to a specific individual. This means an attacker could generate their own key pair and publish their own public key impersonating a specific target. To get around this, PGP users tend to publish fingerprints of their public keys on multiple platforms. This usually includes social media and key directories, but can also include other media such as email signatures and business cards. Fingerprints can be thought of like a barcode – a unique identifier for a specific property. Fingerprints are the result of a mathematical one-way function termed hashing, which converts the public key block property into an input value, then compresses it into a fixed length numerical string output. This is conveniently easier to read and appropriately referred to in cryptography as a digest. Publishing a fingerprint through multiple channels increases an impersonation attack cost, as for an attacker to effectively impersonate a PGP user in practice, they would need to compromise every platform the legitimate fingerprint was published on. This also makes impersonation attacks easier to identify in practice. Message Signing Another core component of PGP is message signing. This is the process of signing a message with a unique digital signature. The image below illustrates an example of the signing process. If Jacob wants to send a signed message to prove it came from him and has not been modified in transit, he hashes it first, then encrypts it using his own private key. If a recipient can decrypt the message using Jacob’s public key, they know that it must have been encrypted using Jacob’s private key, which only Jacob has access to, and can therefore conclude that the message must have originated from Jacob. By hashing the message again and comparing it to the expected hash value, a recipient can also conclude whether or not the message has been modified in any way during transit. Combining signing with encryption provides the following assurances: Confidentiality – the guarantee that no party other than the intended recipient can access the message content. Integrity – the guarantee that the message was not modified in transit. Authentication – the guarantee that the identity of the sender can be verified. Non repudiation – the guarantee that the sender cannot reasonably deny having sent it. In my next blog post I'll cover the key pair generation process and provide guidance on how to set up and manage your own PGP keychain.