Pretty Good Privacy

by Klaatu

Not that it probably came as much of a surprise to most regular 2600 readers, but the revelations that the NSA has been monitoring nearly all Internet communications with the acquiescence of some of the largest and most popular service providers does reinforce the importance of encrypting web traffic.

Obviously there are no guarantees with any method of encryption; any encryption could theoretically be broken.  However, using the OpenPGP protocol to encrypt files and emails can be made basically transparent to the user, so there's hardly an argument against using it since, at worst, it adds at least a temporary layer of obfuscation to online communication.

History of OpenPGP

The back story of OpenPGP is well documented online, but here's a brief summary.  Phil Zimmermann developed PGP and distributed it amongst friends so that they could encrypt communication.  Once PGP left the U.S. borders, Zimmermann was accused of exporting munitions and was brought to trial by the U.S. government.  He won the battle in the end, and PGP itself has since been owned by a few different corporations and has also become an open standard.

The theory of OpenPGP involves key pairs.  Each party involved in communication has a public key and a private key.  Each message is encrypted using the sender's private key and the recipient's public key, and then decrypted using the recipient's private key and the sender's public key.

It might help to think of it in simplified algebra.

For instance, a very simple formula such as:

x + 2 = y + 1

is fairly easily solved, or at least it is easy to iterate through many possible solutions. However, a more complex example such as:

(private_x * 2) * e = (private_y / 4) * e

is quite a lot more difficult and, in fact, mostly impossible without at least one of the private values.

The actual algorithm for OpenPGP would be quite a bit more complex with far longer numbers involved.
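As an added illustration, not part of the original article, here is the RSA scheme (the algorithm behind many OpenPGP keys) worked through with textbook-sized numbers in the same style as the algebra above; a real key uses primes hundreds of digits long.  The roles are the standard ones: the recipient's public key encrypts and only the matching private key decrypts, while the sender's private key signs and anyone holding the sender's public key can verify.  The encryption numbers are the classic textbook case; the signing numbers are worked out here to show the second half of the picture.

```
Key generation (done once by the key's owner):
  choose two primes    p = 61, q = 53
  modulus              n = p * q = 3233
  phi(n)               (p - 1) * (q - 1) = 60 * 52 = 3120
  public exponent      e = 17             (shares no factor with 3120)
  private exponent     d = 2753           (17 * 2753 = 46801 = 15 * 3120 + 1)

  Public key  = (n, e) = (3233, 17)       -> pushed to a keyserver
  Private key = (n, d) = (3233, 2753)     -> never leaves the owner

Encrypt (anyone holding the recipient's public key):  c = m^e mod n
  message m = 65:      65^17 mod 3233 = 2790

Decrypt (only the recipient's private key):           m = c^d mod n
                       2790^2753 mod 3233 = 65

Sign (only the sender's private key):                 s = m^d mod n
  message m = 65:      65^2753 mod 3233 = 588

Verify (anyone holding the sender's public key):      s^e mod n = m ?
                       588^17 mod 3233 = 65           -> signature is good

Why it is hard to reverse: getting d from the public (n, e) needs phi(n),
and phi(n) needs the factors of n.  For n = 3233 that is trivial; for the
2048-bit n of a modern key it is not feasible.  The factors are the
"private value" the algebra above stands for.
```

In practice OpenPGP does not run RSA over the message itself: it encrypts the message with a fresh symmetric session key and uses the public key only to wrap that session key, which is why encrypting a large file is fast.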

The most common implementation of OpenPGP is GnuPG (GNU Privacy Guard).  This is available built-in on Linux, and is freely downloadable for Windows and Mac OS X.

Basics of GnuPG

Once you have installed GnuPG, you must create a key pair for yourself.  There are probably GUI programs to help with this, but it is easily done via a UNIX or UNIX-like shell (such as Cygwin or PowerShell on Windows).  This article provides instructions for Bash or zsh.

In a UNIX terminal, type this:

$ gpg --gen-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: 

A text menu pops up, giving you a choice of encryption methods, and how many bits you want your key to use.  The defaults are always safe.

You then must choose if and when you'd like this key to expire.  The default is Never (0) and, for personal use, that's probably what you want.  Confirm all of your choices, and then assign a user, email address, and an optional comment to that key.  GnuPG prompts you for each of these, so enter the email account information you wish to use with this key.

Once your key pair is generated, you can try a test encryption.  Since you have no one else's public key incorporated into GnuPG yet, this test will encrypt and decrypt a simple message for yourself:

$ echo "hello world" | gpg --encrypt > ~/hello.gpg

Now a fully encrypted file called hello.gpg exists on your hard drive.  Were you to attempt to open the file, you would see naught but gibberish.

To decrypt it:

$ gpg --decrypt ~/hello.gpg

These examples have used GnuPG directly.

You are free to do this for files or even tarred and zipped directories as an alternative to something like TrueCrypt, and on Linux most of the popular file managers feature full GnuPG integration so that when you attempt to open an encrypted file, you will be prompted for your key passphrase.  Likewise, for email, it's usually convenient to let your email client do the work.  There may be PGP plug-ins for the email client of your choice.  This article covers Enigmail, a plugin for Mozilla Thunderbird.

Distributing Public Keys

Before you can encrypt an email message for someone, you must import their public key and they, in turn, must have access to yours.  The easiest way to distribute your public key is to send it to a keyserver.

First, determine your key's ID:

$ gpg --list-keys | grep pub

This returns, for example:

1024D/BC9AE666 2009-09-11

The number following the slash is your key ID.

Push it to a key server thusly:

$ gpg --send-keys --keyserver keys.fedoraproject.org BC9AE666

There are many key servers on the Internet and they regularly duplicate one another's list of keys, so you need only to pick one at random and use it.

keys.fedoraproject.org is as good as any other, but there are lists online.

To import someone else's key into your own GnuPG keychain, use the search function of GnuPG.  You can search by name or email address:

$ gpg --search-keys klaatu

This will return a list of keys that seem to match your search; import the one that you feel is appropriate.
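The self-test above (encrypt to yourself, decrypt it back) and the public-key exchange in this section, run end to end as one script.  This is an added example and not code from the article or from the GnuPG project.  It assumes GnuPG 2.1 or newer (for `--quick-generate-key` and unattended passphrase handling); the users alice and bob, their addresses, and the message text are made up for the demo.  Because it runs offline, the keyserver is replaced by exporting each public key to a file and importing it into the other party's keyring; the `--send-keys` and `--search-keys` commands shown above are the networked equivalent.

```shell
#!/bin/sh
# Added example, not code from the article: generate two key pairs in
# throwaway keyrings, encrypt/decrypt to yourself, then exchange public
# keys and send a signed, encrypted note from alice to bob.
# Assumes GnuPG 2.1+; alice, bob and their addresses are invented.
set -eu

WORK=$(mktemp -d)
cleanup() {
    # Stop the per-keyring agents gpg started, then drop the temp keyrings.
    for d in "$WORK"/alice "$WORK"/bob; do
        [ -d "$d" ] && gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Create keyring $1 holding one key pair for user ID $2.
# Each party gets its own GNUPGHOME so the real ~/.gnupg is never touched.
# The key is made without a passphrase only so the demo runs unattended;
# the interactive --gen-key dialog in the article asks for one.
new_keyring() {
    d="$WORK/$1"
    mkdir -m 700 "$d"
    gpg --homedir "$d" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never >/dev/null 2>&1
    echo "$d"
}

# Print the key ID of the (only) public key in keyring $1. The colon
# format is gpg's stable machine-readable listing; field 5 of the "pub"
# record is the key ID the article reads off "gpg --list-keys | grep pub".
key_id() {
    gpg --homedir "$1" --list-keys --with-colons | awk -F: '$1 == "pub" { print $5; exit }'
}

# The article's self-test: encrypt a message to your own key, decrypt it.
# In batch mode gpg cannot ask who the recipient is, so it is named with -r.
roundtrip_self() {
    echo "hello world" | gpg --homedir "$ALICE" --batch --quiet \
        --encrypt --recipient "$(key_id "$ALICE")" > "$WORK/hello.gpg"
    gpg --homedir "$ALICE" --batch --quiet --decrypt "$WORK/hello.gpg" 2>/dev/null
}

# Exchange public keys by file (standing in for the keyserver), then alice
# signs and encrypts a note to bob, and bob decrypts it and checks the
# signature. Only public keys ever cross between the two keyrings.
exchange() {
    gpg --homedir "$ALICE" --armor --export > "$WORK/alice.pub"
    gpg --homedir "$BOB"   --armor --export > "$WORK/bob.pub"
    gpg --homedir "$ALICE" --batch --quiet --import "$WORK/bob.pub"   2>/dev/null
    gpg --homedir "$BOB"   --batch --quiet --import "$WORK/alice.pub" 2>/dev/null

    # Bob's key was just imported and nobody has certified it yet; without
    # --trust-model always, batch-mode gpg refuses to encrypt to it.
    echo "meet at the usual place" | gpg --homedir "$ALICE" --batch --quiet \
        --trust-model always --sign --encrypt --recipient bob@example.com \
        > "$WORK/note.gpg"

    # --status-fd gives machine-readable results; GOODSIG means the
    # signature verifies under the sender's public key. The plaintext
    # goes to stdout.
    gpg --homedir "$BOB" --batch --quiet --status-fd 2 \
        --decrypt "$WORK/note.gpg" 2> "$WORK/status.log"
    grep -q '^\[GNUPG:\] GOODSIG' "$WORK/status.log" || return 1
}

ALICE=$(new_keyring alice "Alice Example <alice@example.com>")
BOB=$(new_keyring bob "Bob Example <bob@example.com>")

roundtrip_self      # prints: hello world
exchange            # prints: meet at the usual place
```

Note that bob's status log will also carry a warning that alice's key is not certified by a trusted signature: the signature is mathematically good, but nothing yet ties that key to the real Alice.  That gap is what comparing fingerprints out of band, or signing the key, is for, and a key pulled from a keyserver with `--search-keys` deserves the same check.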

Encrypting Email

Using GnuPG with Thunderbird is made possible by the Enigmail add-on.  Install the Enigmail add-on via Thunderbird's "Add-On" menu option.

Once Enigmail is installed, your Thunderbird client will have a new menu option for OpenPGP, and a new button or two.  If you are averse to the shell-based interface of GnuPG, the "OpenPGP Menu" allows you to do almost everything already covered in this article.  Assuming you have already generated your keys, however, all you need to do to set up Enigmail is to confirm your key via "OpenPGP Menu > Key Management".  Once your key is confirmed there, you can either sign or encrypt (or both) your emails any time you enter an email address that matches a public key contained in your GnuPG keychain.

When composing a new email, use the OpenPGP button to tell Thunderbird to sign (use your key as a digital signature) or encrypt your message.  The default behavior for this can be set in the "Preferences" submenu of the "OpenPGP Menu".

When encrypting email, you will be prompted for your GnuPG password.  This gives Enigmail access to your private key for the encryption process, and then sends a fully encrypted message to the recipient.  If someone responds to your email with an encrypted message, Enigmail will automatically detect the need for decryption and display the message for you.

Encrypt All The Things

Increasing the usage of encryption for even casual, everyday communication will also help draw less attention to the traffic that, for whatever reason, needs to be encrypted.

It just reduces the signal-to-noise ratio, making the pool of information murkier for anyone trying to take an uninvited sample.

Note:  For any readers in Pittsburgh: I am attempting to revitalize the 2600 meetings.  Check the meeting list in the back of this issue for time and location.
