Tuesday, May 30, 2006

Securing your Data and Communications

Hi all,
I wanted to talk about improving your online privacy. The internet is an invaluable tool for information and communication, but it is important to be aware that every email you send and every URL you go to is recorded and can be monitored.
However, there are some steps you can take to protect your privacy.

Today's class will cover securing data and sending secure emails.

When you send an email, there is no protection against eavesdroppers intercepting and reading your email. An email travels through a series of servers to get to it's recipient, and each of those servers can and does record a copy in it's logs that can be accessed by the government or by a hacker or identity thief.
Here's how to secure your data so that only the intended recipient can read it.

GPG (Gnu Privacy Guard) is a free utility that allows you and a friend to trade secure data. It is based on PGP (Pretty Good Privacy) written by Phil Zimmermann. For more information about Phil Zimmermann, you can go to http://www.philzimmermann.com/
PGP is a very effective tool and integrates very well with Windows, but it costs money to purchase. To find out more about it, go to http://www.pgp.com/

GPG is just as effective at protecting data, is compatible with PGP, and is free, so I'll be using it for my instructions here. GPG and PGP users can trade secure data with each other. There is no secret "backdoor" in either PGP or GPG. They have both made their source code publicly available so that it can be independently confirmed by security experts.

Installation
  • Download GPG for Windows from http://www.gpg4win.org/download.html

  • Run the executable to start the install

  • Keep clicking Next, using the default options (I think you click Next 5 times)

  • Click Install (and close any programs it tells you to)

  • When the install is done, click Next and Finish (restart your computer if it tells you to)

  • On your menu bar, go to Start > All Programs > GnuPG for Windows > WinPT

  • Select 'Generate a GnuPG key pair'

  • Enter the name and email address you want people to associate with your keys.

  • Enter a passphrase. This should be a secure password that other people will not be able to guess, but that you can remember. YOU MUST REMEMBER THIS PASSWORD! One good approach is to pick a phrase, then use the first letter from each word. For example, "Four score and seven years ago our fathers brought forth on this continent a new nation" gives you the password: fsasyaofbfotcann. It's also a good idea to add at least one number and at least one punctuation-type character to your password.

  • It will take a little while for the keys to be generated

  • Back up your keys if you like on a USB drive

  • You now should have a key icon on your menu bar task area. Installation is done!


How it works
You have now generated a pair of keys: a public key and a private key. These two keys work together to let you send and receive secure data.

Anyone who wants to send you encrypted data needs a copy of your public key. Your public key does not need to be protected. If everyone in the world had a copy of your public key, you would still be secure. In fact, that would be great because then anyone could send you encrypted data.
Similarly, in order for you to send encrypted data to someone, you will need their public key. We'll talk about exchanging public keys later.

Your private key on the other hand, must be kept safe. No one other than yourself should ever have access to your private key. If someone else got a hold of it, not only could they read information meant only for you, they could also impersonate you and send false data to your contacts.

Now let's go over some terminology:
encrypt - protect data so that only you and your chosen recipients can read it
decrypt - return the encrypted data to a usable form
sign - signing data assures your recipients that it was really you who sent the data to them. No one else can impersonate your digital signature without your private key.
encrypt (PK) - means encrypt with your Public Key. This is the best way to encrypt data, but requires that everyone involved have PGP or GPG
encrypt (symmetric) - symmetric encryption does not use your keys. Instead, it encrypts with a password that you choose. Anyone with that password can access the data. This is useful for sending data to people who do not have PGP/GPG, but you will need to somehow supply them with the password (over the phone, for example).

Usage
Add someone's public key to your keyring, so that you can send them encrypted data
  • Email me for my public key

  • Save that file to your computer

  • Right-click on your key icon in the task tray and select Key Manager

  • In the Key Manager, select Key > Import and select the file I gave you


Send someone your public key
  • Right-click your GPG key icon and select Key Manager

  • Select Key > Export (not Export Secret Key)

  • Select the folder to save to and the file name

  • Send that file to everyone you want to be able to receive encrypted data from (they will also need PGP or GPG)


Send an encrypted email
  • Create an email to me but don't send it yet

  • Select all the text in the body of your email (ctrl+a)

  • Copy the texxt to your clipboard (ctrl+c)

  • Right-click on the GPG key icon and select Clipboard > Sign & Encrypt

  • In the list of keys, check my name (you can check multiple recipients if you have their public keys)

  • Click Okay

  • Enter your password you chose earlier

  • Back in your email, select all the text in the body (ctrl+a)

  • Paste the encrypted data now in your clipboard (ctrl+v)

  • Make sure the original text is no longer in the email, otherwise it defeats the point of encrypting it

  • Send the email. I will confirm that I received it and was able to decrypt it.

  • If you have sent me your public key, I will send you an encrypted response


Decrypting an email
  • If someone has sent you an encrypted email, open the email and select all the text in the body (ctrl+a)

  • Copy the body to the clipboard (ctrl+c)

  • Right-click on your GPG key icon and select Clipboard > Decrypt & Verify

  • Enter your password

  • GPG will confirm who created the data

  • Open up a text editor (notepad, wordpad, word, etc)

  • Paste the decrypted data that is now in your clipboard (ctrl+v)

  • You can now see the original message


Encrypting a file
  • Right-click on the file you want to encrypt

  • Select GPGee > Sign & Encrypt

  • Select everyone whom you would like to be able to decrypt the file. Make sure that you choose your own key if you want to be able to read it yourself.

  • In the Signing Keys dropdown, check the box next to your key

  • Hit Okay (you can leave all the other settings at the defaults)

  • Enter your password

  • There is now an encrypted copy of the file with the .gpg extension


Decrypting a file
  • Right-click on the encrypted file

  • Select GPGee > Verify/Decrypt

  • Enter your password

  • The decrypted file is now available.


Whew! I know that was a lot to take in, so we'll call it a day for now. Have fun exploring GPG. I hope it serves you well.
Our next class will cover improving your privacy when surfing the web.

2 Comments:

At 12:11 PM, Anonymous Scott said...

You would thing that they would have come up with a more user friendly way to do this by now. When I first started playing with pgp back in the late 90's you had to do the same copy paste crap. I want a button in thunderbird or outlook to do it all for me. And this all needs to be installed by default on every computer in the world.

Then again, you could just use Private messages on your favorite ssl enabled message board, and hope that the owner doesn't log all PMs.

 
At 12:21 PM, Blogger Xander said...

PGP Desktop 9.0 actually has some really nice integration into Outlook and Outlook Express. You can tell it to automatically encrypt any email sent to an address that you have a public key for, and automatically decrypt any email you receive.
Of course, it costs $99 and everyone still needs it installed on both ends.
If GPG can catch up on the ease of integration, and get bundled more effectively in all the linux distributions, then we'd be on to something.

 

Post a Comment

<< Home