Azitech

Azimout's Linux weblog

PGP encryption of your emails

leave a comment »

Introduction

Email was not designed from the start to be a secure system. In fact in early email systems for example you could change the “From” field to whatever you wanted. Some security mechanisms have been added in the meantime, but issues remain.

Pretty Good Privacy (or PGP) uses public key cryptography (or PKI) to help secure your email. And it’s free!

PGP helps you fulfill 3 out of the 5 basic principles of information security:

  1. authenticity (the recipients of your message will know for sure it was you who sent it)
  2. confidentiality (only your recipients and no one else can read the body of your message)
  3. integrity (your recipients will know that your message has not been modified after you sent it)

Basic concepts

PKI is based on a pair of keys that are generated together and are mathematically linked in such a way that something encrypted with key A can be decrypted only by key B, and vice versa. When these keys are generated, one will be your private key which you should keep, well, private, and the other is your public key, which you should share as widely as possible. In fact there are a number of servers called keyservers, to which you can upload your public key for free. They all synchronize their databases regularly, so uploading your key to one of them is sufficient. People can then look you up on these servers by your email address that you associated with this key pair, and download your public key. MIT hosts such a server; give it a try, look me up!

This way, if you sign an email with your private key, people will be able to verify it by using your public key. The fact that the email verifies correctly will then prove that the email was really sent by you (authenticity) and that it has not been modified by someone else since you signed it (integrity). On the other hand, if you want to send someone a message that only they can open, you can encrypt the email with the other person’s public key. This way only their private key can decrypt that email (confidentiality). This is called End-to-End Encryption (E2EE).

Creating and sharing your key

If you are running Ubuntu, you can do everything from Seahorse, the “Passwords and Keys” application. Start by creating a PGP key pair (New – PGP key): enter your Full Name and Email Address (plus a comment if you feel like it), and leave the rest of the advanced settings as they are (currently RSA, 2048 bits, never expires). Then choose a passphrase to keep your key pair secure, and then do some random activity (move the mouse, type on the keyboard) to produce some random data for the key generation process. Finally, upload your public key to the keyservers (Remote – Sync and Publish Keys).

(If you’re using Windows, try GPG4Win. On the Mac, try GPGtools.)

Now, one problem with this approach is that no one knows if the name and email you entered during key generation is really you, i.e. anyone can create a key claiming to be you and impersonate you! To get around this, there’s the option of meeting people and signing each other’s keys. Each public key has a fingerprint, which is a shorter (160 bits, or 40 hexadecimal characters long) version of your public key. Then when you meet someone you want to securely communicate with, you give them this fingerprint (e.g. on a piece of paper). If you’ve never met this person before, you might want to see also some photo ID just to make sure they are who they claim. Then, when you download and import their public key from the keyservers, you can verify that the fingerprint matches the one they gave you.

Signing, encrypting and decrypting emails

The best way to use PGP with your email is by using Thunderbird and Enigmail. It allows you to sign and/or encrypt your outgoing messages, and it will decrypt/verify your incoming messages. Give it a try!

Further reading: https://help.ubuntu.com/community/GnuPrivacyGuardHowto

Advertisements

Written by azimout

20/11/2012 at 16:25

Posted in Reference

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: