
# Protecting PGP keys

## Security expert James Turnbull describes public and private PGP keys and how to protect yourself.

Can PGP keys be forged? How can I protect my key from duplication?

There are two answers to this question, depending on exactly what key you are talking about -- private or public.

First, let's look at what PGP is: a public key encryption system.

In such systems there are two keys involved, public and private. It is assumed that any user's public key is readily available but that their private key is only known to them. PGP uses these public and private keys to ensure that messages between users are encrypted and, hence, private. An attacker capturing a message will not be able to decipher and read the message.

To provide this privacy, PGP uses a mathematical encryption algorithm to combine or encrypt your message with your recipient's public key. The recipient then has to use their private key to decipher and read your message. If you create keys of a sufficient size (generally a minimum of 2,048 bits these days) it's not practically feasible (warning - I am by no means a mathematician or a cryptographer) to break PGP encryption short of someone discovering a mathematical shortcut or possibly being the NSA.

PGP private keys can't be 'forged' as such but they can be stolen or duplicated. The weakness of PGP is the private key and the passphrase used to protect that key (you can't use your private key unless you input your passphrase first). If you are careless with your private key then anyone with a copy of this key and the passphrase for the key can decrypt your messages. So, keys can't be forged as such but if someone gets access to yours then you risk having your security compromised.

So how do you protect your keys? Here are some starting points:

1. Choose a good, strong passphrase
2. Don't use the passphrase for anything else (login IDs, etc.)
3. Don't write down or share your passphrase
4. Store your private key somewhere secure -- if it's on a host you share, then lock down the permissions on your key ring so only you can access it
5. Don't email your private key
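
One way to check point 4 on a shared host, as an added example that is not part of the original article: the script below lists anything under a key ring directory that is not owned by you or that group/other users can access, then strips that access. The function names are hypothetical, and the `~/.gnupg` path in the usage comment assumes GnuPG as the PGP implementation.

```shell
#!/bin/sh
# Added example: audit and lock down a PGP key ring directory on a shared host.
# Usage: sh keyring_audit.sh ~/.gnupg   (GnuPG's default home; an assumption,
# the article does not name an implementation or a path)

# Print every file or directory under $1 that is owned by someone else or
# that has any group/other permission bit set.
audit_keyring() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    uid=$(id -u)
    # -perm -NNN matches when all bits in NNN are set; each bit is tested
    # separately so the check works with any POSIX find.
    find "$dir" \( -type f -o -type d \) \( \
        ! -user "$uid" -o \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Return 0 when nothing is exposed, 1 when something is, 2 on a bad path.
keyring_is_private() {
    exposed=$(audit_keyring "$1") || return 2
    [ -z "$exposed" ]
}

# Remove all group/other access while leaving the owner's bits untouched.
# Symbolic links are skipped so nothing outside the key ring is changed.
lock_keyring() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" \( -type f -o -type d \) -exec chmod go-rwx {} +
}

# With a directory argument: report exposed paths, then lock them down.
if [ -n "${1:-}" ]; then
    if keyring_is_private "$1"; then
        echo "key ring is private: $1"
    else
        echo "exposed paths:"; audit_keyring "$1"
        lock_keyring "$1" && echo "group/other access removed"
    fi
fi
```

Files reported because another user owns them are not fixed by `lock_keyring`; those need investigating, since permissions alone do not keep the owner out.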

You can find an excellent and much more detailed discussion of this topic at http://senderek.de/security/secret-key.protection.html.

Now on to public keys. Public keys can be forged and are vulnerable to what is called a 'man in the middle attack'. With PGP, it is a tricky attack to implement but it is feasible.

Let's take the scenario with Bob, who wants to exchange some private information with Alice. To do this, Bob is going to give Alice his public key, have her encrypt the message with his public key and deliver it to him. Bob can then decrypt it with his private key and read the message. To get his public key to Alice, Bob emails it to her. An attacker, Peter, intercepts the email and substitutes a forged public key for Bob's real public key. Alice receives the forged public key, combines it with her message and emails it back to Bob. Peter intercepts the email, then decrypts and reads the message (having the private key for the forged public key). If Peter wants to maintain the ruse he could then encrypt the message with Bob's real public key and let it continue on to Bob. Otherwise he has the information he requires and can make whatever use of it he wishes. In either case, Bob and Alice would probably be unaware that Peter has read the message.

If you are worried about someone compromising your public key like this, then use a trusted and secure mechanism to exchange it. For example, exchange keys personally or via some secure medium. This can become very cumbersome if you have to exchange keys with large numbers of people or across large distances.

Another approach is to have your public key signed by a trusted third party. In this model, PGP users digitally sign each other's keys to validate that the key belongs to the correct person. Usually this signing requires the person whose key is being signed to prove their identity somehow, such as with a driver's license or passport. Many organizations (open source groups for example) host key-signing parties and some companies (in banking or finance) even organize meetings to exchange/sign keys in a secure manner. Obviously, this only works if you trust the person or people who have signed the key.

You can read about key signing parties and related information at http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html.

This is a very simplistic explanation of the topic of PGP key security. I strongly recommend you read about PGP, security of keys and the secure use of PGP in more detail before implementing anything. Bruce Schneier's excellent "Practical Cryptography" (ISBN 0-471-22357-3) is a good starting point.

This was last published in December 2006
