Penn Computing

Thursday, November 27, 2014
PGP Key Signing Party Procedures

  • Before the party:
    1. If you haven't already done so, install PGP or GPG.
    2. Follow the instructions to create your public/private keypair using the default key length.
    3. Determine the fingerprint for your public key:
      • GPG:
        • gpg --fingerprint your_email_address
          where your_email_address is your actual address.
        • Copy and paste the output into an email message.
      • PGP:
        • Windows:
          • Click the PGP padlock icon in the System Tray, and select Open PGP Desktop.
          • If not already open, expand the PGP Keys section of the left-hand navigation pane.
          • In the list of keys on the right, find your key.
          • Right-click your key and select Key Properties.
          • Expand the Fingerprint section if necessary, and click the Copy button on the right-hand side of the pane.
          • Paste your fingerprint into an email message.
        • Mac:
          • Launch PGP.
          • Select Keys in the left-hand navigation pane.
          • In the list of keys on the right, find your key.
          • Ctrl-click your key, and select Show Key Info.
          • Expand the Fingerprint section if necessary, and select the Hexadecimal pane.
          • Click the copy button (the image of two overlapping squares) on the right-hand side of the Fingerprint section.
          • Paste your fingerprint into an email message.
    4. Either publish your public key to the PGP Global Directory or prepare to send it to us via email:
      • To publish your public key:
        • GPG: gpg --send-keys --keyserver ldap://keyserver.pgp.com keyID
          where keyID is the last 8 characters of your fingerprint, without spaces, e.g. EDCA35C9. You can also publish it to http://keys.nayr.net/ by copying and pasting your exported public key into the web page (see exporting instructions).
        • PGP: Mac or Windows
      • To send your public key in email:
        • GPG:
          • gpg -a --export your_email_address > yourkey.asc
            where your_email_address is your actual address.
          • Attach yourkey.asc to an email message.
        • PGP:
          • Windows:
            • Click the PGP padlock icon in the System Tray, and select Open PGP Desktop.
            • If not already open, expand the PGP Keys section of the left-hand navigation pane.
            • In the list of keys on the right, find your key.
            • Right-click your key and select Export...
            • Save your key, and attach the file to an email message.
          • Mac:
            • Launch PGP.
            • Select Keys in the left-hand navigation pane.
            • In the list of keys on the right, find your key.
            • Ctrl-click your key, and select Export to Clipboard.
            • Paste the key into an email message.
  • At least two working days before the key signing party: RSVP to security@isc.upenn.edu and include your PGP fingerprint. If you've published your public key, let us know. Otherwise, include your public key in your email message. Information Security will collate the keys and print enough copies of the list of names/fingerprints so that each person can get a handout.
  • The day of the party: Bring your PennCard to identify yourself, and bring along a printed (or otherwise readable) copy of your fingerprint.
  • At the party:
    1. Show your PennCard to others to confirm your identity.
    2. Using the copy that you brought with you, read off your key fingerprint.
    3. Each attendee will verify the fingerprint read aloud against the one in the handout.
    4. Take the list of names and verified fingerprints with you after the party.
  • After the party:
    1. For each key you verified, import it from the keyserver onto your keyring:
      • GPG: gpg --keyserver ldap://keyserver.pgp.com --recv-keys keyID
        OR
        gpg --keyserver keys.nayr.net --recv-keys keyID
        where keyID is the key ID you verified (the last 8 characters of the fingerprint, without spaces, e.g. EDCA35C9).
      • PGP:
        • Windows:
          • Click the PGP padlock icon in the System Tray, and select Open PGP Desktop.
          • If not already open, expand the PGP Keys section of the left-hand navigation pane and select Search for Keys.
          • Search for the key using either key ID or email address.
          • Right-click the key and select Add To -> All Keys.
        • Mac:
          • Launch PGP.
          • Expand Keyservers in the left-hand navigation pane and select PGP Global Directory.
          • Search for the key using either key ID or email address.
          • Ctrl-click the key, and select Add To Default Keyring.
    2. Verify each key against the fingerprints from the list you got at the party (see instructions above for viewing the fingerprint for a key).
    3. Sign each key:
      • GPG: gpg --sign-key keyID
        where keyID is the ID for the key you verified, e.g. EDCA35C9.
      • PGP:
        • Windows:
          • Click the PGP padlock icon in the System Tray, and select Open PGP Desktop.
          • If not already open, expand the PGP Keys section of the left-hand navigation pane and click All Keys.
          • In the list of keys on the right, select the key.
          • Right-click the key and select Sign...
          • In the PGP Sign Key dialog box, select the key, check Allow signature to be exported and click OK.
          • Enter your passphrase when prompted.
        • Mac:
          • Launch PGP.
          • Select Keys in the left-hand navigation pane.
          • In the list of keys on the right, find the key.
          • Ctrl-click the key and select Sign...
          • In the Sign Key dialog box, check Allow signature to be exported, select the key, and click Sign.
          • Enter your passphrase when prompted.
    4. Publish each signed key:
      • GPG: gpg --keyserver keys.nayr.net --send-keys keyID
        where keyID is the key ID you verified. Note that the keyserver used to publish signed keys is different from the keyserver used above: the PGP Corporation keyserver does not aggregate PGP signatures for keys. Alternatively, you can publish the key to http://keys.nayr.net/ by copying and pasting the exported public key into the web page (see exporting instructions).
      • PGP: Using the instructions above for obtaining the public key, send signed keys to security@isc.upenn.edu (PGP software does not communicate properly with keys.nayr.net).
      Then notify security@isc.upenn.edu.
    5. Once the keys have been signed, Information Security will notify the attendees and publish signed keys to keys.nayr.net.
    6. Import the signed keys from the keyserver:
      • GPG: gpg --keyserver keys.nayr.net --recv-keys keyID
        for each keyID you verified.
      • PGP: ask Information Security to send the signed keys via email; import by double-clicking each key attachment.
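The step that actually protects the web of trust is the one after the party: comparing each fetched key's full fingerprint against the printed handout before signing it. The script below is an added example for the GPG path, not part of the Penn procedure or of any Penn tool. It assumes a handout file in TAB-separated "Name<TAB>fingerprint" form (the Alice entry below is constructed, ending in the page's sample key ID EDCA35C9), and it assumes GnuPG 2.1 or later for `--import-options show-only`. Only the gpg-free helpers are exercised at the top level, so the script runs without a keyring; `verify_and_sign` wraps the page's `gpg --sign-key` step so that the signature is never made when the fingerprints differ.

```shell
#!/bin/sh
# Added example (not from the Penn page): check fetched keys against the
# party handout before signing. Handout format assumed: Name<TAB>fingerprint.
set -eu

# Normalize a fingerprint as people write it (groups, lower case) to bare hex.
normalize_fp() {
  printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'
}

# The 8-hex-digit short key ID the page's --recv-keys examples use: the last
# 8 characters of the fingerprint, without spaces (e.g. EDCA35C9).
short_keyid() {
  normalize_fp "$1" | tail -c 8
}

# A v4 OpenPGP fingerprint is exactly 40 hex digits; anything else is rejected
# so a short ID or a typo on the handout is never mistaken for a full match.
valid_fp() {
  fp=$(normalize_fp "$1")
  [ "${#fp}" -eq 40 ] || return 1
  case "$fp" in
    *[!0-9A-F]*) return 1 ;;
  esac
  return 0
}

# Compare the handout fingerprint with the one gpg reports, ignoring layout.
fp_matches() {
  valid_fp "$1" && valid_fp "$2" &&
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Print the fingerprint recorded for a name on the handout; fail if absent.
handout_fp() {
  awk -F'\t' -v name="$2" '$1 == name { print $2; found = 1 } END { exit !found }' "$1"
}

# Fingerprint gpg reports for a key already on the keyring (colon output,
# "fpr" record, field 10 is the fingerprint). Requires gpg; not run below.
fp_from_keyring() {
  gpg --batch --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of a key file received by email, without importing it.
# Assumes GnuPG 2.1+ (--import-options show-only). Requires gpg; not run below.
fp_from_keyfile() {
  gpg --batch --with-colons --import-options show-only --import "$1" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2 and step 3 of the after-party procedure in one place: sign the key
# only if the keyring fingerprint equals the handout entry. Requires gpg.
verify_and_sign() {
  handout=$1; name=$2; keyid=$3
  expected=$(handout_fp "$handout" "$name") ||
    { echo "no handout entry for $name" >&2; return 1; }
  actual=$(fp_from_keyring "$keyid")
  if fp_matches "$expected" "$actual"; then
    gpg --sign-key "$keyid"   # same command as step 3 on the page
  else
    echo "FINGERPRINT MISMATCH for $name: handout=$expected keyring=$actual" >&2
    return 1
  fi
}

# Constructed sample handout: one attendee, fingerprint ending in the page's
# example key ID. Real handouts come from Information Security at the party.
HANDOUT=$(mktemp)
trap 'rm -f "$HANDOUT"' EXIT
printf 'Alice Example\t%s\n' '1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 EDCA 35C9' > "$HANDOUT"

alice_fp=$(handout_fp "$HANDOUT" 'Alice Example')
echo "Alice's short key ID for --recv-keys: $(short_keyid "$alice_fp")"
# Usage with a real keyring: verify_and_sign "$HANDOUT" 'Alice Example' EDCA35C9
```

The comparison is done on the full 40-digit fingerprint, never on the 8-character key ID alone: the short ID is convenient for fetching a key, but it is the fingerprint read aloud at the party that establishes which key belongs to the person who showed their PennCard.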

Remember to send your public keys and fingerprints to security two working days before the key signing party.

Information Security PGP keys are available at:
http://www.upenn.edu/computing/security/pgpkey.php

Last updated: Monday, April 13, 2009


Information Systems and Computing
University of Pennsylvania
Comments & Questions