28 May

Day 3 – Another Shocker

Another shocker today, I’m over my budget but only by 301 calories. The surprise is I slipped badly at work and snacked my way through another late night. If you take the 885 calorie snacks out of my day I could have ended with 584 calories.

People may be wondering why I’m focusing on the numbers so much. This week is about logging and nothing else. I’m trying to make the healthy choice but I’m also trying to be honest about what I’m actually eating. It’s in this honesty I’m able to look back and with hindsight see the healthy choice I could have made. For example today I should have stayed away from the Boost bar and Rice Crackers!

27 May

Day 2 – The Saga Continues

Another full day under my belt and for reasons I may never understand I am under my calorie budget. Breakfast I can say was a good day but after that things went a little off the rails.

Lunch was delicious, but it was still a sausage roll and beans. Dinner fared no better. In fact I had two of them. What started as peanut butter sandwiches turned into lamb stew and bread, as well!

My weight and Body Fat trends are still on the rise but they are levelling out a bit. This is only day two and these things take time, the fact that breakfast was healthy is a big step for me. With one day down another day will start soon, just need to wait and see how that one goes.

26 May

Day 1 – My Silent Return

According to MyFitnessPal I was only a couple of weeks away from my first year; the problem was that since I stopped logging I was only signing in to check other people’s status updates, and reaching a year like that seemed too much like cheating, so instead I decided to reset my counter. My new count starts from today.

My friends and family will know or have noticed I burnt out after my skiing trip this year. It’s hard to explain why, but the best I can put it is that coming home after a week of daily and intense exercise to find I weighed the same as when I started all this last May was possibly too much for what was a tired and possibly jet-lagged mind. So I stopped trying. Of course after that it quickly became a self-perpetuating cycle. Couple that with completing work on my Fitbit plug-in and my drive and enthusiasm slipped away.

The first thing to do is stop looking at my weight. For me it’s like clock watching between half five. The more you look the worse it becomes. I know I want to track my weight and I know to see progress, but I don’t want to be in the situation where a small hiccup spoils weeks of work. So how do I do it? Since my Fitbit scale syncs with their site I don’t need to see it each day, if I really want to know I can check on the site. If I use my own site or TrendWeight I’ll always see the bigger picture.

The blog has to start again. I used to post daily and at some point decided it was a ‘good idea’ to step down the frequency of posts, but it was a bad idea. I became complacent on days I didn’t post and on the days I was supposed to post I skipped the bad days.

At this point I’m not sure of all the details and can’t even admit to having a proper plan, just the intention of a plan.

11 May

OpenPGP: How I Sign Keys

Signing is a very personal thing. You are telling the world you believe a key belongs to the person who is claiming it. The value of a web of trust comes from the fact you are willing to put your reputation behind this assertion.

Everyone will treat signing differently. Some may feel bumping into someone at a conference is sufficient, others may want a full DNA breakdown with supporting evidence from three expert witnesses. I like to think I’m somewhere in the middle and have documented my signing policy. This page is about how I sign a key and what you need to do next.

Prerequisite

In order to sign a key you need the master key, and as detailed in my key creation guide I keep my master key separate from my normal key store, so I cannot do any signing during events. Instead I sign all keys at home, then get the signed public key back to you.

The Act

As with all repetitive tasks, I have created a script for this, which you can download from its project page. The script does five things:

  1. First download the key to be signed into my keystore
  2. Sign all key identities associated with that key
  3. Export the signed public key
  4. Encrypt it
  5. Finally the script deletes the signed public key from the keystore and re-downloads the unsigned version from the public key server
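
The five steps above as a shell script, with one extra check before step 2 that the downloaded key has the fingerprint that was verified in person. This is an added example, not the script from the project page; KEYSERVER, MASTER_HOME, the output file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. KEYSERVER is a placeholder and
# MASTER_HOME a hypothetical keyring directory that holds the master key.
KEYSERVER="${KEYSERVER:-hkps://keys.example.org}"
MASTER_HOME="${MASTER_HOME:-/media/offline/gnupg}"

g() { gpg --homedir "$MASTER_HOME" --keyserver "$KEYSERVER" "$@"; }

# Strip whitespace and upper-case, so "bb2c eb25 ..." equals "BB2CEB25...".
normalize_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# stdin: `gpg --with-colons --fingerprint KEY`. Prints the primary key
# fingerprint, which is field 10 of the first "fpr" record.
primary_fpr() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# $1: fingerprint from the key slip, stdin: colon listing of the download.
fpr_matches() { [ "$(normalize_fpr "$1")" = "$(primary_fpr)" ]; }

sign_key() {      # $1 = key id to sign, $2 = fingerprint verified in person
    key="$1"; slip="$2"
    signed="$key.signed.asc"; enc="$key.for-owner.asc"

    # 1. Download the key to be signed.
    g --recv-keys "$key" || return 1
    # Refuse to sign anything other than the key that was verified.
    if ! g --with-colons --fingerprint "$key" | fpr_matches "$slip"; then
        echo "fingerprint mismatch for $key, not signing" >&2
        g --batch --yes --delete-keys "$key"
        return 1
    fi
    # 2. Sign the identities on the key (gpg asks for confirmation).
    g --sign-key "$key" || return 1
    # 3. Export the signed public key.
    g --armor --output "$signed" --export "$key" || return 1
    # 4. Encrypt it to the key owner, signed with my own key.
    g --armor --output "$enc" --sign --encrypt --recipient "$key" "$signed" || return 1
    rm -f "$signed"
    # 5. Drop the signed copy and fetch the unsigned key again.
    g --batch --yes --delete-keys "$key" || return 1
    g --recv-keys "$key" || return 1
    echo "email $enc to the key owner"
}

# Usage: sign-key.sh KEYID "FINGERPRINT FROM KEY SLIP"
if [ "$#" -eq 2 ]; then sign_key "$1" "$2"; fi
```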

Next

Now I have an encrypted file containing your key, which I have just signed, but I do not have a signed copy in my key store. My preferred way of getting a signed key to you is by email. Since I have encrypted the signed file, you have to have access to both the private key and the email address in order to use it, and I feel this adds a level of additional verification that you really do have control of the key I just signed. After all, there are many reasons you might not; I could have just signed the wrong key.

You may have noticed my bash script leaves me without a signed copy of your key; this was a deliberate step. As I said above, by emailing you I am able to assure myself I have not only signed the right key but that you have access to the correct email box. Once you import the key and push it back out to your key server I will retrieve a copy from there.

What do you do now?

If you receive a signed key from me you simply need to run the following command:

PGP will ask for your password, import the new signed key and verify the attachment was signed with my primary key fingerprint: BB2C EB25 BE05 16A7 A9C6 F2FB EEB4 96E6 1FA1 E814. It is now up to you to send your newly signed key back to a server for the rest of the world to see.

05 May

Install SSH Key In A Remote Linux Server

I’ve been setting up a new server and as always the first thing to do is forbid root login using a password and install my SSH keys. Once again I had to Google for how to do this, so I thought I would write about it instead.

After creating a new SSH key, if you don’t already have one, you can install it directly onto the target machine using the ssh-copy-id command.

There are many ways to use the ssh-copy-id command:

  1. Create the SSH keys:

  2. Install the public key:

  3. If you do not have ssh-copy-id installed on your PC this will also work:
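
The commands for these steps are missing from the page as it stands, so here is one way to carry them out. This is an added example, not the author's own commands; the key type (ed25519), KEY, USER_AT_HOST and the REMOTE_INSTALL snippet are assumptions. The fallback also sets the directory and file modes that sshd's StrictModes check expects and does not add the same key twice.

```shell
#!/bin/sh
# Added example. KEY and USER_AT_HOST are placeholders, not values from the post.
KEY="${KEY:-$HOME/.ssh/id_ed25519}"
USER_AT_HOST="${USER_AT_HOST:-admin@server.example.org}"

# Command run on the server by the fallback. It reads one public key line on
# stdin, creates ~/.ssh (mode 700) and authorized_keys (mode 600), and appends
# the key only if that exact line is not already there.
REMOTE_INSTALL='
umask 077
mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh" || exit 1
f="$HOME/.ssh/authorized_keys"
touch "$f" && chmod 600 "$f" || exit 1
IFS= read -r key || [ -n "$key" ] || exit 1
grep -qxF -- "$key" "$f" || printf "%s\n" "$key" >> "$f"
'

install_key() {
    # 1. Create the SSH keys (prompts for a passphrase) if none exist yet.
    [ -f "$KEY" ] || ssh-keygen -t ed25519 -f "$KEY" || return 1
    if command -v ssh-copy-id >/dev/null 2>&1; then
        # 2. Install the public key with ssh-copy-id.
        ssh-copy-id -i "$KEY.pub" "$USER_AT_HOST"
    else
        # 3. Without ssh-copy-id: pipe the public key to the snippet above.
        ssh "$USER_AT_HOST" "$REMOTE_INSTALL" < "$KEY.pub"
    fi
}

# Once key login works, password login for root can be turned off in
# /etc/ssh/sshd_config on the server and checked with `sshd -t`:
#   PermitRootLogin prohibit-password
#   PasswordAuthentication no

# Usage: install-key.sh run
if [ "${1:-}" = "run" ]; then install_key; fi
```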

03 May

OpenPGP: My Keys

It’s May again and the sun has finally made an appearance. With summer comes the regular spring cleaning and it seems as good a time as any to update my public encryption keys. My previous keys were cryptographically less secure, 2048-bit compared to 4096-bit. I have also learnt a lot more about best practices when managing keys and feel it’s about time to put everything I’ve learnt into effect.

My Secondary key 0xB784045B remains the same. This key was and has always been stored off line in a TrueCrypt volume using a 4096-bit key so I always have been, and still remain, confident about its security. I am replacing my Primary key using the full key creation and cross signing guide. This new key is also covered by my signing policy.

My OpenPGP Keys

Below are listed my current PGP keys, including my Primary key and Secondary key. The key ID is a short identifying mark for each key. It is made up of two components separated by a slash. The first identifies the strength and algorithm of the key, so 4096R means it’s a 4096-bit RSA key. The second is the last 8 digits of the key fingerprint. These are the short form of identification. The key’s full identification is its fingerprint, 40 hexadecimal digits.

The key also publishes its creation and expiry dates. All my keys will expire – in case of loss or compromise – however it is my intention to continue extending the expiry date for as long as I feel confident of their security.

Primary OpenPGP Key

0x1FA1E814

The key mentioned below (and on /about/me) is my main key, for everyday use. It can be considered acceptably-safe, as I take great care in assuring it remains that way. However, since it is my main key it has to be stored on other devices such as laptops, mobile phones and tablets. This opens the key to danger from theft.

Following the advice in the Debian Subkeys wiki I have created a separate subkey for signing. This means the key stored on my devices does not contain the master key – this is stored separately on a TrueCrypt volume in an offline laptop which doesn’t leave the house. Key signing is still done using the master key, which means I cannot do it during any key-signing events; I have to do it once I get home again. See my full key-signing policy for how I manage this.

The most recent version of this key is available from the key server at sks.research.nxfifteen.me.uk or as a download (PGP Key: 0x1FA1E814); it is also returned by my DNS server. If you issue the command dig +short stuart._pka.nxfifteen.me.uk. TXT the returned key should match that provided here.

If there ever comes a time when I can no longer assure myself of this key’s security/integrity I have revocation certificates stored in a number of safe locations.

pub 4096R/1FA1E814 Created: 2014-05-04
Key fingerprint = BB2C EB25 BE05 16A7 A9C6 F2FB EEB4 96E6 1FA1 E814

SmartCard OpenPGP Key

0xB7266A16

The most recent version of this key is available from the key server at sks.research.nxfifteen.me.uk or as a download (PGP Key: 0xB7266A16).

If there ever comes a time when I can no longer assure myself of this key’s security/integrity I have revocation certificates stored in a number of safe locations.

pub 2048R/B7266A16 Created: 2014-05-04
Key fingerprint = 0E06 2B0D 4E2D BE43 29B9 1C01 9FCD F90A B726 6A16

Secondary/Alternate OpenPGP Key

0xB784045B

A second key is also available, which can be considered extremely-safe: it is never stored on any computer (the keys are located on a TrueCrypt protected USB drive stored in a safe location) and has never been transmitted over any internet connection, so please be patient if you require a reply.

This key is available from the key server at sks.research.nxfifteen.me.uk or as a download (PGP Key: 0xB784045B).

For verification purposes my other keys are always cross-signed with my secondary key.

Feel free to use the following public key if you are concerned or paranoid about what you wish to send to me, however if you are in doubt you should probably use my primary key instead.

pub 4096R/B784045B Created: 2011-09-19
Key fingerprint = 2642 7F79 DA14 44C4 CBE9 23BB 22C7 2B37 B784 045B

Chairman of The Software Society OpenPGP key

0x69AA4946

Since April 2012 I have held the position of Chairman of The Software Society Ltd. On the 23rd of March this year, 2013, it was decided that the board of directors and office bearers (Chairman, Company Secretary and Chief Financial Officer) should all create and use OpenPGP keys for all official business.

It was also decided that each office bearer’s key should last as long as they are in office, the new incumbent creating a new key upon their election.

To this end, during my time in the post my key will be 0x69AA4946 and it will be subject to the same signing policy as has been in use on my personal key.

pub 2048R/69AA4946 Created: 2013-03-24
Key fingerprint = CFAE 70BC 1735 BF50 C993 DACB 6415 6795 69AA 4946

Retired Keys

I have been using PGP on and off since about 2008. In that time many keys have come and gone; I did not set expiry dates on most of them and never thought to generate or use revocation certificates. The nature of OpenPGP and the Web-of-Trust means there is no way retrospectively to remove these keys. The best I can do now is list them here. Do not use any of the keys listed below. This is not a complete list, only the ones I can no longer revoke.

0x5DCC0296, 0x541784DD, 0x132DED8D, 0xC5751341, 0xCB52DED2, 0xC941927D, 0xDFA274F2, 0x9F9A8CE0, 0x2DF1892D, 0x843D80BA, 0xA7EEB609

03 May

OpenPGP: How does PGP work?

How does it work

The magic, and I call it magic because I freely admit I do not have the mathematical background to explain it better, of this system is that if you encrypt something using the Public-key only the Private-key can decrypt it and vice versa. So there is no way for someone holding the Public-key to decrypt something encrypted using the Public-key, only the Private-key will decrypt it. The same is true in reverse. If something is encrypted using the Private-key only the Public-key can decrypt it again – in practice you won’t have a problem here, because if you hold the Private-key you already hold the Public-key as well.

Now when I write an email and want to sign it, PGP looks at the message or file (for simplicity I’ll stick to email as my example) then runs a mathematical hash such as SHA256. A hash is a one-way process. If you hash a block of text, using SHA256, you will get a string of what appears to humans as gibberish. The important part is, it is always the same. No matter how many times you run the same block of text through the SHA256 algorithm you will always get the same gibberish. PGP then uses my Private-key to encrypt that hashed result and includes that either as an attachment to the email or at the bottom of the body.

To verify the integrity of an email the receiving PGP-aware application uses the Public-key to decrypt the attached signature and reads the included hash. At this point you have already verified the signature was created using the Private-key, because if it had been altered in any way after encryption the Public-key would no longer work. The next step is for the receiving copy of PGP to run the email through the same hash as before, SHA256, and then compare the hash encrypted in the email with the hash it just created. If the two match the email has been verified and you can be sure it has not been altered in transit.

How about encrypted messages

The process for full message encryption is slightly different. The problem with Public-key cryptography is it is incredibly expensive in computational power and CPU time, and for large messages it is impractical to encrypt the whole message using a Private-key, so instead we use Symmetric-key encryption. Unlike Public-key encryption, Symmetric-key encryption uses the same key to encrypt and decrypt a message.

So now when I send an encrypted message PGP signs the message in the same way detailed above, then generates a large random password and uses this to encrypt the message. Now we have an encrypted block of text and a key to decrypt it again, and we have to get both to the recipient without the decryption key becoming public, so we call on Public-key cryptography again. Using the recipient’s Public-key we can now encrypt our generated Symmetric-key and include it in the email header. At the other end the recipient uses their Private-key to decrypt the start of the email, then can use the Symmetric-key we provided them to decrypt the message. This actually allows you to send the same email to multiple recipients as well; all we have to do is use the Public-key of each person to encrypt a copy of the Symmetric-key.

Why Isn’t It Used More

PGP key management is hard work. Generating keys, managing them and adding support to email applications that do not already support them is not for the faint-hearted, and the process is quite geeky. So while support is there it’s not easy to use; in simple terms it doesn’t yet pass the granny test.

I hope this will change in future and by signing the majority of my messages and writing these posts I would like to think that I can make it a little easier to get involved. Cryptography and PGP technique in particular is a subject I am interested in. I have given several talks to The Software Society (my local LUG) on the topic and plan to give another over the summer in the hopes of increasing awareness to my little corner of the universe.

If you have any questions or struggle to implement PGP in your own corner please drop me a line and I will do the best I can to help. Even if, like me, you see no reason to encrypt your emails, the advantage of being able to sign your emails is a huge deal in a world of spam and viruses being distributed by email – often appearing to come from an address you know.

03 May

OpenPGP: How do I create a OpenPGP Key?

Creating a Secured Key

When you build a PGP key you are going to start using that key to verify your identity, so like all other forms of identification you have to protect it. Unfortunately, to make PGP usable you can’t permanently store your private keys locked in a safe; you actually need a copy of them on your computer, phone, tablet, laptop, basically any place where you want to send verified emails or decrypt messages you receive.

So what do you do if your phone or laptop is stolen? Even if you have secured your private-key with a strong password it is still at risk from someone with direct access to it.

Protection Using Subkeys

There isn’t a lot of information on the web about how to secure your key in this situation. I was able to find a few reference sites, most notably the Debian Wiki about Subkeys.

When you create an OpenPGP key you are creating one key for signing and another for encryption. It’s the signing key that is your master key and the one you need to protect. So after creating a new OpenPGP key you can create a new subkey just for signing.

This way the only things stored on your mobile device are your encryption key and your signing-subkey. If you lose control of your laptop, but still retain control of your master key, you can revoke the sub signing and encryption keys and create replacements.

If an attacker were able to break your password they would get access to anything encrypted before you revoked the key but nothing after that point. They could also only sign emails and files using the subkey you just revoked and any receiving PGP application would see that the key used to sign the message had been revoked and not validate the signature.

So how do we do it?

Step-By-Step

Creating the Keypair

Use the gpg --gen-key command to create the new keypair

You will be prompted to enter a password. It’s a good idea to make this a secure one: hard to guess and one you won’t forget. Keep it safe. If you lose your password you could lose control over your key and will have to start again.

Preferred Hash

PGP uses hashes throughout the signing and encrypting process; I’ve better explained this on the “How it works” page. To strengthen your key you can set your preferred hashes. This is useful because as time moves on and computers become more powerful, weaknesses are being discovered in hashes previously thought secure, such as SHA-1.

Use the gpg --edit-key command and when prompted enter the command setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed, then save.

Subkey for Signing

OpenPGP subkeys work the same as normal (master) keys, except they are mathematically related to the master key and they can be used for signing or encrypting. What makes them special here is they can be revoked and stored independently of the master key.

Again use the gpg --edit-key command and type addkey. Select a sign-only key, either 3 or 4 depending on whether you want to use DSA or RSA. After the new key is ready type save.

Revocation Certificate

Since we are creating subkeys we do not have to worry about theft of a laptop or phone. In that case you could still use your master key to revoke only that subkey. What I describe below is for when you lose your master key and must revoke everything.

If you ever lose your private key you will have no way of generating the revocation certificates needed to revoke your new key. So best practice is to generate those certificates now and store them in a safe place in case you need them later.

You can do this from the command line with the command:

However I have also worked on a bash script that can automate the process of creating these certificates. More information on this is available from the project page.

Export The Final Product

Now export your keypair. You can export both the private-key and public-key using these commands:

You should protect these two files. Do not keep them on your laptop or mobile. The private file we exported contains your master key. Losing this could compromise your entire keypair.

Creating your Laptop Key

Now that your master key is ready you can create your laptop key. GPG does not make this easy, but with a little trickery you can make it work. These instructions assume you have created your master key on your laptop; if you have created your key on your desktop machine you can just skip step two and not delete your secret key.

  1. Start by exporting your subkeys: gpg --export-secret-subkeys 1FA1E814 > 1FA1E814.sub.gpg
  2. Next delete the master key from your key ring: gpg --delete-secret-key 1FA1E814
  3. Now reimport the subkeys back into your keyring, or if you are not working from your laptop just import the subkeys there: gpg --import 1FA1E814.sub.gpg

Using your new key

You can now use your laptop keypair to sign, decrypt or encrypt emails and files. If you want to sign someone else’s key or revoke a subkey attached to your master key you need to use the original master key.

Now that your key is ready for public consumption you can start sharing it. You can distribute your key any way you like, but the simplest solution is to send it to a key server:

There are hundreds of key servers online, but you don’t need to send your key to all of them. In most cases any key server you use will distribute your public key across all the others. This process is fully automatic but it can take a few days for your key to appear on them all.
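
The commands for the revocation certificate, export and key server steps do not appear on this page, so here is the procedure above as one script, with a check that the laptop keyring really holds only subkeys. This is an added example rather than the author's own commands; VAULT, KEYSERVER, the file names and the function names are assumptions, and the key ID is the one used in the steps above. Key generation, setpref and addkey are interactive and are done first, as described.

```shell
#!/bin/sh
# Added example. VAULT is a hypothetical offline volume and KEYSERVER a
# placeholder; KEYID is the key id used in the steps on this page.
KEYID="${KEYID:-1FA1E814}"
VAULT="${VAULT:-/media/offline}"
KEYSERVER="${KEYSERVER:-hkps://keys.example.org}"

# stdin: `gpg --with-colons --list-secret-keys`. Succeeds only if there is at
# least one "sec" record and every one is a stub ("#" in field 15), meaning
# the master secret key is not in this keyring.
master_is_offline() {
    awk -F: '$1 == "sec" { n++; if ($15 != "#") bad++ }
             END { exit (n > 0 && bad == 0) ? 0 : 1 }'
}

# stdin: same listing. Prints the key ids of secret subkeys that are present.
present_subkeys() { awk -F: '$1 == "ssb" && $15 != "#" { print $5 }'; }

backup_master() {
    ( umask 077   # the files written here must not be readable by others
      # Revocation certificate, made while the master key is still at hand.
      gpg --output "$VAULT/$KEYID.revoke.asc" --gen-revoke "$KEYID" &&
      # Private and public halves of the finished key pair.
      gpg --armor --output "$VAULT/$KEYID.private.asc" --export-secret-keys "$KEYID" &&
      gpg --armor --output "$VAULT/$KEYID.public.asc" --export "$KEYID" )
}

make_laptop_key() {
    gpg --output "$KEYID.sub.gpg" --export-secret-subkeys "$KEYID" || return 1
    gpg --delete-secret-key "$KEYID" || return 1
    gpg --import "$KEYID.sub.gpg" || return 1
    # Check the result instead of assuming the master key is gone.
    listing=$(gpg --with-colons --list-secret-keys "$KEYID") || return 1
    if ! printf '%s\n' "$listing" | master_is_offline; then
        echo "master secret key is still in this keyring" >&2
        return 1
    fi
    if [ -z "$(printf '%s\n' "$listing" | present_subkeys)" ]; then
        echo "no usable secret subkeys were imported" >&2
        return 1
    fi
}

publish() { gpg --keyserver "$KEYSERVER" --send-keys "$KEYID"; }

# Usage: keys.sh backup | laptop | publish
case "${1:-}" in
    backup)  backup_master ;;
    laptop)  make_laptop_key ;;
    publish) publish ;;
esac
```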

02 May

OpenPGP: Encryption should be easier than this

Why I Digitally Sign My E-Mail

Most e-mails I send are digitally signed using a process called “Pretty Good Privacy”, commonly referred to as PGP or GnuPG. PGP has been around since 1991 yet still is not commonly supported by the majority of email clients, at least in the Microsoft ecosystem, or webmail applications like Gmail or Yahoo Mail. When a digitally signed email is displayed in applications that do not support PGP you may see one of two things: either there will be an attached PGP.sig file, or the message may start with “BEGIN PGP SIGNATURE” and appended to the bottom of the text will be a block of gibberish text. These components are used by PGP-aware applications to cryptographically verify the identity of the sender. If you also have or use PGP I could send you encrypted email so that only you can read it. Over the next few pages I will give some background on PGP and why I use it.

Email Attachments

Since implementing PGP in all my email clients I will no longer open attachments or click links in unsigned emails. Like all security-minded people’s rules, this one will no doubt cause problems for some and will make the internet a less user-friendly place, but with the amount of spam and viruses delivered by email – often coming from addresses you know – there is no better protection available. Likewise I will never send an attachment unsigned.

Background

In 1991 PGP was created by Phil Zimmermann as a way to digitally sign or encrypt messages and files. This is achieved using Public-key cryptography. When you create a PGP key you are creating two very large numbers that are mathematically related, but due to the size of these numbers it is not possible to derive one from the other. So you now have two keys, one considered private, the other public, and as the names suggest you must keep the Private-key secret from everyone but you can share the Public-key with the world.

I was planning to include a section on this page detailing how PGP works, but as I started writing it quickly grew beyond the scope I had intended this introductory page to have. If you are interested in the propeller hat explanation of how PGP can encrypt and digitally verify messages you can find it on the “How does it work” page.

My Keys

My public keys are published all over the net; on key servers, in my DNS records, on this site on my “OpenPGP Keys” page and on some mailing lists. That is the way you want your public keys after all.