Management Group Key dengan Konsep Subkeys dan Pass-phrase part:2
==================================================
Menu Utama :
1.Menambahkan anggota baru (oleh Admin only)
2.Mengubah pass-phrase I
3.Pemecahan Key I
4.Mengubah pass-phrase II
5.Pemecahan Key II
6.Mengubah pass-phrase III
7.Pemecahan Key III
8.Pembuatan Keypair baru
9.Import key pair untuk anggota 2
10.Tahap pengujian pass-phrase
11.Catatan
==================================================
1.Menambahkan anggota baru (oleh Admin only)
$ gpg --edit-key 52036D4C
Command> addkey
(5) RSA (sign only)
Command> addkey
(6) RSA (encrypt only)
Command> save
$ gpg --list-key group
pub 1024D/52036D4C 2006-10-12 [expires: 2006-11-11]
uid group company (group)
sub 2048g/9A909C7A 2006-10-12 [expires: 2006-11-11]
sub 1024D/381A73C7 2006-10-12 [expires: 2006-11-11]
sub 2048R/35212595 2006-10-13 [expires: 2006-11-12]
sub 2048R/8425BA75 2006-10-13 [expires: 2006-11-12]
2.Memberikan pass-phrase pertama
$ gpg --edit-key 52036D4C
Command> passwd
//pass-phrase : anggota2-rsa-sign
3.Pemecahan Key I
$ gpg --export-secret-key 52036D4C| gpgsplit -vp pass3
gpgsplit: writing `pass3000001-005.secret_key'
gpgsplit: writing `pass3000002-013.user_id'
gpgsplit: writing `pass3000003-002.sig'
gpgsplit: writing `pass3000004-007.secret_subkey'
gpgsplit: writing `pass3000005-002.sig'
gpgsplit: writing `pass3000006-007.secret_subkey'
gpgsplit: writing `pass3000007-002.sig'
gpgsplit: writing `pass3000008-007.secret_subkey' //subkey id 35212595
gpgsplit: writing `pass3000009-002.sig'
gpgsplit: writing `pass3000010-007.secret_subkey'
gpgsplit: writing `pass3000011-002.sig'
$ pgpdump pass3000008-007.secret_subkey
Old: Secret Subkey Packet(tag 7)(956 bytes)
Ver 4 - new
Public key creation time - Fri Oct 13 12:06:09 WIT 2006
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(2048 bits) - ...
RSA e(6 bits) - ...
Sym alg - CAST5(sym 3)
Iterated and salted string-to-key(s2k 3):
Hash alg - SHA1(hash 2)
Salt - 38 73 f7 ed 7d 27 b7 ea
Count - 65536(coded count 96)
IV - de 26 4c f0 42 7b a3 b8
Encrypted RSA d
Encrypted RSA p
Encrypted RSA q
Encrypted RSA u
Encrypted SHA1 hash
4.Mengubah pass-phrase II
$ gpg --edit-key 52036D4C
Command> passwd
// pass-phrase : anggota2-rsa-decr
5.Pemecahan Key II
$ gpg --export-secret-key 52036D4C| gpgsplit -vp pass4
gpgsplit: writing `pass4000001-005.secret_key'
gpgsplit: writing `pass4000002-013.user_id'
gpgsplit: writing `pass4000003-002.sig'
gpgsplit: writing `pass4000004-007.secret_subkey'
gpgsplit: writing `pass4000005-002.sig'
gpgsplit: writing `pass4000006-007.secret_subkey'
gpgsplit: writing `pass4000007-002.sig'
gpgsplit: writing `pass4000008-007.secret_subkey'
gpgsplit: writing `pass4000009-002.sig'
gpgsplit: writing `pass4000010-007.secret_subkey' //subkey id 8425BA75
gpgsplit: writing `pass4000011-002.sig'
$ pgpdump pass4000010-007.secret_subkey
Old: Secret Subkey Packet(tag 7)(956 bytes)
Ver 4 - new
Public key creation time - Fri Oct 13 12:07:15 WIT 2006
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(2048 bits) - ...
RSA e(6 bits) - ...
Sym alg - CAST5(sym 3)
Iterated and salted string-to-key(s2k 3):
Hash alg - SHA1(hash 2)
Salt - bb 7a b4 96 2d d7 3f 2e
Count - 65536(coded count 96)
IV - 08 f3 c2 6a bf b8 7b c9
Encrypted RSA d
Encrypted RSA p
Encrypted RSA q
Encrypted RSA u
Encrypted SHA1 hash
6.Mengubah pass-phrase III
Pengubahan pass-phrase ini digunakan untuk primary key yang dipegang oleh Admin:
$ gpg --edit-key 52036D4C
Command> passwd
// pass-phrase : group
7.Pemecahan Key III
$ gpg --export-secret-key 52036D4C| gpgsplit -vp pass
gpgsplit: writing `pass000001-005.secret_key'
gpgsplit: writing `pass000002-013.user_id'
gpgsplit: writing `pass000003-002.sig'
gpgsplit: writing `pass000004-007.secret_subkey'
gpgsplit: writing `pass000005-002.sig'
gpgsplit: writing `pass000006-007.secret_subkey'
gpgsplit: writing `pass000007-002.sig'
gpgsplit: writing `pass000008-007.secret_subkey'
gpgsplit: writing `pass000009-002.sig'
gpgsplit: writing `pass000010-007.secret_subkey'
gpgsplit: writing `pass000011-002.sig'
8.Pembuatan Keypair baru
Pembuatan kunci baru untuk anggota dengan dua pass-phrase berbeda antara untuk tandatangan(sign) dan dekripsi file. File ini yang akan di pakai pada anggota suatu group :
$ cat pass000001-005.secret_key \
pass000002-013.user_id \
pass000003-002.sig \
pass3000008-007.secret_subkey \
pass000009-002.sig \
pass4000010-007.secret_subkey \
pass000011-002.sig >new-anggota2.pgp
9.Import key pair untuk anggota 2
###################
Import pada client anggota 2
—-——————————————-
$ gpg --import new-anggota2.pgp
$ gpg --import new-anggota2.pgp
gpg: key 52036D4C: secret key imported
gpg: key 52036D4C: public key "group company (group)
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
#####################
Dibawah ini hanya nampak list subkey yang dibutuhkan saja:
$ gpg --list-key group
pub 1024D/52036D4C 2006-10-12 [expires: 2006-11-11]
uid group company (group)
sub 2048R/35212595 2006-10-13 [expires: 2006-11-12]
sub 2048R/8425BA75 2006-10-13 [expires: 2006-11-12]
10.Tahap pengujian pass-phrase
$ date | gpg -u 52036D4C --clearsign
—--
You need a passphrase to unlock the secret key for
user: "group company (group)
2048-bit RSA key, ID 35212595, created 2006-10-13 (main key ID 52036D4C)
Enter passphrase: ***************** //pass-phrase : anggota2-rsa-sign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Fri Oct 13 12:35:41 WIT 2006
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iQEVAwUBRS8lyqOwfDY1ISWVAQL9CQgAk3ojm9vPQFgB+kD9yMcLTvSdsW+hZhiy
12+LljwZnrgpnf3X9xPZhTEGYMoECFnyxaXwr16UU+4te4kPiX/JUtlyKY3gU5jK
sGu0WZXVyD8MXHX/u7VDbF2YTMRmK/wQul526GSvmHMlp4noECmLFRvtSFbqFAEq
sGxBaJmbuMM3hI43vz8oy2+oRgw+yr7XhFACXDWGZz6MRcAK8G/qsC42W2lLuGEb
7HTLKEkojt3xvQz3MH2YzP67pZcTOsLb6dN3nXeIAjqbkIZH59aCoZW+7+a3I8Th
HHbCdOeG5wFPo7YamJ4vUNmsh0DHcPBC9Q0SMS8HHV/Mmiu3Z7WHDg==
=gHSA
-----END PGP SIGNATURE-----
Memastikan sidik jari sama dengan pada saat mengetes pass-phrase untuk decrypt:
$ gpg --fingerprint group
pub 1024D/52036D4C 2006-10-12 [expires: 2006-11-11]
Key fingerprint = FD3E 59C4 3EC9 2B56 43D6 7934 09BE 9F93 5203 6D4C
uid group company (group)
sub 2048R/35212595 2006-10-13 [expires: 2006-11-12]
sub 2048R/8425BA75 2006-10-13 [expires: 2006-11-12]
$ date | gpg -ear 52036D4C | gpg --decrypt
—-
You need a passphrase to unlock the secret key for
user: "group company (group)
2048-bit RSA key, ID 8425BA75, created 2006-10-13 (main key ID 52036D4C)
Enter passphrase: ***************** //pass-phrase : anggota2-rsa-decr
gpg: encrypted with 2048-bit RSA key, ID 8425BA75, created 2006-10-13
"group company (group)
Fri Oct 13 12:39:08 WIT 2006
11.Catatan
* Penambahan subkey baru menggunakan metode seperti diatas
* Keuntungan penggunaan metode ini anggota group tidak bisa merubah pass-phrase atau melakukan pengeditan lainya kecuali dia tahu pass-phrase milik primary key. Karena perubahan pass-phrase yang pertama dimintai adalah pass-phrase primary key.
* Admin membagikan key pair baru dengan pass-phrase yang sudah ditentukan.
* Admin memiliki hak akses yang sangat penuh dengan memiliki pass-phrase utama dan berwenang untuk melakukan pengubahan ataupun penghapusan keypair anggota
* Ingat pass-phrase primary key hanya untuk admin
* Antar subkey memiliki key yang sama dan penulis masih melakukan research untuk mendapatkan key yang berbeda^.
^Keuntungan kunci yang sama dari Subkey, kita dapat menyebarkan public key manapun dan tidak harus update( setiap kali melakukan penambahan subkey).
1 comments:
Ya, mungkin karena itu
Post a Comment