Archive for January, 2009

GnuPG fingerprint

Thursday, January 22nd, 2009

It is said that it is best practice to put your GnuPG key fingerprint on your card, so here is mine ;-)



The Real Hustle

Tuesday, January 13th, 2009

The BBC 3 program “The Real Hustle” is an excellent presentation of just how easily you could be scammed out of your money or confidential information.
The three presenters have real experience scamming and now they are showing their skills on television so that you can avoid being conned.

One of my favourites is the WiFi scam and it is one that is often targeted at the business traveller. It works best in a business hotel or at an airport.

The next time you connect to a WiFi network in a hotel or cafe think of this video clip and don’t type in your credit card number or company passwords.

Using PKI X.509 certificates in GnuPG

Saturday, January 10th, 2009

Many company IT Security policies insist that workers use only encryption keys that are generated by the company PKI. That allows the company to recover the encryption keys if they are lost or if the employee leaves the company. PKI-issued certificates (which contain the keys) are usually used with S/MIME in programs like Outlook or Thunderbird.

However, some people wish to use the PGP encryption standard, often because it is required by a customer or other correspondent. This post explains how to export a certificate issued by an enterprise PKI for use in the popular open source encryption program GnuPG. GnuPG follows the PGP standard and can be used to exchange encrypted e-mail with users of the commercial PGP.

In this example the certificate is available in the Firefox certificate store.


This certificate is for John at


Next, back up the certificate onto disk. Firefox uses the extension “.p12” for a certificate that includes the private key.


GnuPG cannot import an X.509 certificate. First we have to import the certificate using PGP, which can convert it into a PGP type of key.


In PGPkeys use the “import” function on the “keys” menu.


After importing the key, click on it and select “add” and then “name”. Add a user ID to the key. This is required for GnuPG to recognise the user ID and in this case is useful to identify the key.


PGP protects the key using the IDEA algorithm, which is not available by default in GnuPG because it is patented. To get around this you must remove the key protection by changing the passphrase to an empty one. Be careful to delete the key from PGP afterwards or else change back to a non-empty passphrase.


Now export the key. PGP will write the exported key in standard PGP form which can easily be imported into GnuPG.


Select “Include Private Key”


Import the key into the GnuPG key ring.


It is very important that you edit the key right away to protect it by adding a passphrase. You can also edit the trust level of the key at this time.


Now test the key by encrypting and then decrypting a message.


You now have a key in your GnuPG key ring that complies with your company IT Security policy. It came from the company PKI and is therefore archived and recoverable according to the policy.
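
The two passphrase steps above (emptying it before the export from PGP, setting it again after the import into GnuPG) can be checked on the key file itself. This added example, which is not part of the original post, parses a binary OpenPGP export and reports which secret-key packets have an S2K usage octet of 0, meaning no protection (RFC 4880, section 5.5.3). It assumes non-armored input and RSA, ElGamal or DSA keys; the function names and the sample packet are constructed for illustration.

```python
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA: n,e  ElGamal: p,g,y  DSA: p,q,g,y

def packets(data):
    """Yield (tag, body) for each packet in a binary (non-armored) OpenPGP export."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not binary OpenPGP data (dearmor it first)")
        if hdr & 0x40:                              # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                       # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = 0 if ltype == 3 else 1 << ltype     # type 3: runs to end of data
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        yield tag, data[i:i + length]
        i += length

def usage_octet(body):
    """S2K usage octet of a secret-key packet: 0 means the key material is in the clear."""
    algo_at = 5 + (2 if body[0] < 4 else 0)         # version, creation time, v3 validity
    pos = algo_at + 1
    for _ in range(PUBLIC_MPIS[body[algo_at]]):     # skip the public-key MPIs
        bits = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + (bits + 7) // 8
    return body[pos]

def unprotected_keys(data):
    """Indexes of secret key and subkey packets (tags 5 and 7) with no passphrase."""
    secret = [body for tag, body in packets(data) if tag in (5, 7)]
    return [n for n, body in enumerate(secret) if usage_octet(body) == 0]

def sample_packet(usage):  # constructed toy v4 RSA secret-key packet, not a real key
    body = b"\x04\x49\x68\x00\x00\x01" + b"\x00\x10\xc3\x51" + b"\x00\x11\x01\x00\x01"
    return bytes([0x94, len(body) + 9]) + body + bytes([usage]) + b"\x00" * 8

print(unprotected_keys(sample_packet(0) + sample_packet(254)))
```

Run `unprotected_keys` on the bytes of the file exported from PGP, where every key should be listed, and again on the output of `gpg --export-secret-keys` after setting the passphrase, where the list should be empty.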