Base64 and IRC and GPG, this is BIG!

And yes I thought Very Hard about that pun :P

Fixing the IRC!

Did you know that the web client on irc.stuylinux.org used to break when more than 3 people were online?

I dug around the InspIRCD docs, and found that the globalmax and localmax are set up to limit concurrent connections from the same host IP, but on the web interface, all of them are being proxied from the same WebSockets server. Now, up to 50 people can use the web interface at the same time, with more users being able to connect via their own IRC clients!

Logging onto IRC (wee!)

IRC is just a protocol, a set of rules to describe how server and client software can interact (in this case, to send instant messages, just like Matrix or Signal or XMPP or Telegram), but IRC is effectively the grandfather of them all, with a rich legacy of servers and clients!

For our meetings, we'll be using WeeChat, not to be confused with the Chinese service WeChat.

To install and run WeeChat on an Alpine environment like our containers:

apk add weechat
weechat

If you've never connected to our IRC server, you can add it with the /server add stuylinux irc.stuylinux.org. You'll notice that it automatically goes to port 6697, which is that standard port for IRCS (IRC + SSL encryption!).

To connect to the IRC server, run /connect stuylinux. It's a good idea to run /nick [name] so others can tell who you are.

You can join any of the usual channels on our Gitter chat, #general, #meeting-plans, and #off-topic. To join, just run /join #[channel]. Once you've done that, you can type messages to the rest of the community! :D

During meetings, we can send our commands, URLs, and other text information for your copy-pasting convenience.

Installing GPG and a key

GPG (GNU Privacy Guard) is a FLOSS implementation of the PGP (Pretty Good Privacy) standard, which uses pairs of public keys and private keys to encrypt and authenticate secure messages.

To install the GPG suite on Alpine, run

apk add gnupg

I've prepared a shared member key for us to use today, and you can find it in member-keys.tar.__. As a reminder, curl -O [url] will download a linked file.

In modern versions of tar, you can just run tar xf member-keys.tar.__ to immediately extract the data from a file, but try to figure out what the __ in the filename should be... (Hint: file --help).

Once you've extracted the keys, they'll appear as .asc files in the member/ folder. To import the keys from all of the .asc files in the folder, you can use a * wildcard to grab all files that have this extension, with any "name".

gpg --import member/*.asc

(Note: an ASC file should be ASCII text, but filename extensions are arbitrary, and if you try to cat these files, all you'll see is binary data for the keys in these files)

The password is the usual, but with 123 at the end.

Base64 decoding a file

Base64 is a way to encode any data into text. As the name might suggest, there are 64 characters (letters, lower and upper-case, numbers, and a few symbols). This is similar to hexadecimal (base16), but 4x more efficient. Another option is Base32, which eschews case sensitivity at the cost of half the efficiency.

To encode a file, you can run base64 [file], and to reverse the process, run base64 -d, paste in the base64 text and press Ctrl-D (common notation is ^D) to send the "End of File" signal. Alternatively, you can echo text into the command via pipe, or provide it in a text file argument).

Try running base64 -d > secret.tar.gpg.___ (the > tells your shell to redirect the data into the secret.tar.gpg.___, which will blank out/override any existing data there).

Paste in the following text, and press ^D when you're done.

KLUv/WTzAJkPAIReA28J8udf11kkEgEHQKNCcWN6OdP2bs0j2wuzcpgxnLPRj8MLSyCWV155XVNn
MH/Ndbn29fjUejmppisSyByhOGBNj0YrYJJh7Pkfto5BwxB1x6XrKDkYfv2AEaWMR9TA0AEJAhDA
4MWIGd/YYvqEvdyljQ39ZyfDmSpl5PV6mxW7Vbu1BYAvQfJS9yHdE2mhiAQvym7YeINRSsugEI0q
BzkgKaDZIuYeLBEZ+oDNRkj98EVyL7nUuLF1sIKzg1tjqYXT2lrSt76COEiYedGgCLgPpeH3tmJX
pag1eHLs2d6J/glPKkVBa5wmnonIMfBemLiHCJjbB71QnWTosAa9VlSR9oWF4G3qP1xBoOhlcRFx
ny9qr4jhIIHdvtW5a32FbPW0hn8oeQyxeuxLC9pj8RRX/oyh3rNIW1dosK+xGZpn8QCBAb1robU0
BjNTzeys87vRbkSVDiHVdtiBTMWfBD80Eb9GAdkqYm9GcV4Xzr6GJglgJMCXiFHhIK7+tUkGCdCd
w8dZUsQsj9ValjEbL0ZlGgN1Cuk+C8VWvr+KJeQj6WiOC8kL43D/6zDWb0cnKZ0MMIHrzUSIklps
vqgpMyZa5AO5JuJh8fwU3Z0/6BWxdnxnZUOsjGDvuuiFjM1sIhTBlpnaaE1urlfboBbssFTfqmMp

Now you have a compressed, GPG-encrypted file! Because the tarball is GPG encrypted (think of it like a hard clamshell around the data), then compressed (which is more of a standard cardboard box), you can't automatically use tar to extract it.

Figuring out the correct compression algorithm, and how to decompress ("unbox") the data, is left as an exercise to the reader.

Decrypting a GPG-encrypted file

We have a secret.tar.gpg file now.

GPG lets you encrypt files for specific recipients only based on their public key. Only the person holding the private key data has the "password" to open the file up. In this case, only people with the member@stuylinux.org key are able to decrypt the data.

To decrypt the data, run

gpg --decrypt secret.tar.gpg

This will print out the raw contents of the tarball (a format to store folders), which includes some next steps we did at the meeting.

You can encrypt data by running:

gpg --encrypt secret

and then following the wizard to choose a username. (You can type a name or email, GPG will automatically figure it out)

For the Stuy Linux member key, you may have to renew it, since I set it to expire a week from the meeting. If you don't renew the key, GPG will complain that no key was specified. To do this, you just need to run the following commands to reset the expiration date.

$ gpg --edit key Member
> expire
> key 1
> expire
> save

You need to reset your subkey in addition to the public key if you have it installed. Use the wizard to pick an appropriate expiration time.

If you use the --armor optio, you can get base64-armored text that can be sent via IRC or email.

Appendix: Symmetric Encryption

Firstly, symmetric encryption is just encryption with only a password. That's all.

If you'd like a simpler method to encrypt your data to share with a friend, you can use this method. Note: this is less secure than public key encryption, as an attacker could try to guess your only method of encryption, the passphase.

For a simple encryption of a string or the text output of a command, you can pipe the text into gpg

echo "hello world" | gpg -c --armor

Note that the --armor flag simply makes the encrypted output as ASCII text instead of the binary OpenPGP format. This makes it easier to copy and paste the output.

To encrypt any file symmetrically (such as a tarball) directly without needing to use a pipe, use

gpg -c input.tar

(The absence of the --armor flag means the output will be a binary format)

Further practice

1. Try out this baseic PicoCTF exercise Bases. Can you think of a way to do it in one command, without inputting and pressing ^D?

• Hint: Pipes are very "straightforward...", and "echo" whatever you put in...

2. I have two messages, A and B. Can you think of a way to tell which one I "signed", and which one is written by my evil clone, Davis Chem?

• Hint: My public key is 3F96 0BBC 44CC 8521 0C00 4438 5143 313E 89B1 0698, Davis's is 1B3E 8462 5048 E4DC D519 110C FF81 959F 3C44 988F. You can find our keys at david.pgp and davis.pgp.
• Challenge: Make your own GPG signed message!

3. Try and decrypt this symmetric encrypted string! (Hint: ssh...)

-----BEGIN PGP MESSAGE-----

jA0ECQMCkPz1TDVuMff/0mMBYzM0rB2CntxdrEetjNkMAHP0EcSf9hbNWFpf4Jf0
X6Ur2+2Dng6OGduJmDtdosYfaVvNajScv+MGPuJlt/4CoLhbh+k8NO+6OY5Xe8lS
v7DZ7qAPbE34bLT8UKWgqaUP6n4=
=O6XY
-----END PGP MESSAGE-----