Secure Messaging with GnuPG


Why?

Sometimes there is data you don't want others to get their hands on. But you have to transfer it to someone who is, let's say, some hundred kilometers away, and as gas prices are exorbitant these days, you can't hand it over in person. So you write an email. And that's where insecurity begins. An email is like a postcard: everybody who handles it can read its contents. So let's put an envelope around your postcard and make it a bit harder, if not impossible, for others to read your mail.

An easy way to obtain secure communication is to use GnuPG, the GNU Privacy Guard, an implementation of the OpenPGP standard.
It allows you to encrypt emails, to sign them (yes, like putting your signature under a contract), or both. Signing assures the other side that the message really comes from the person they expect to hear from, and encryption makes sure that no other person can read the contents of your conversation.

I think lots of people know about PGP, but most just think it's too complicated to understand and use. Well, it's not as easy as writing a simple letter (write it, put it in an envelope, stamp it, drop it in the mailbox, hope that the secrecy of the mail will be respected), but it is far more secure.

The Principle

Once you have installed the required software (a list of guides is at the end of this page) you will have to generate two keys: one private key and one public key. The public key is called public because you give it to your communication partners. The private one is called private because you will do anything to keep it in your very own hands and let no one else get a grip on it.

"So, what are the two keys good for?" - The public key is used by someone who wants to write you an email to encrypt the message. So everyone who has your public key can write you messages securely. Once you have received such an encrypted message, you use your private key (the one that you keep as secret as possible) to decrypt the message and read its content. That's pretty easy, isn't it? But let me show you an example to make it all clear:

Let's pretend we are friends, co-workers, whatever, and we want to share sensitive information. We both have GnuPG already installed and the keys generated.

  • First step would be exchanging the public keys (more on that one later), so you send me your key, I send you mine.
  • Second step is to add my public key to your key-ring (also referred to as key-chain) so you don't lose it; I do the same with your key.
  • Third step is to use the imported key to encrypt an email. So, if I want to write you an email, I open my key-ring, use your public key to encrypt the message and send it to your email address.
  • Last step is for you to decrypt the email I sent to you using your private key. Only you can decrypt the message, because you are the only one who owns your private key.

Key Exchange

One more thing you'll need to know is how to securely exchange keys between you and your communication partner. This is a very sensitive part, because it is one of the steps where security can be broken: if you accept a key that does not really belong to your partner, everything you encrypt with it can be read by whoever holds the matching private key. So you will have to make sure that the key you received really belongs to the right person. There are several ways to assure the identity of the key owner:

  • direct contact - you receive the key directly on a USB stick or similar
  • by phone - you already have the key, but want to authenticate it. If you know the person's voice you can call them and compare the fingerprint (see below) of the key
  • through the Web of Trust - if you already have authenticated keys you can sign them and thereby tell others that this key is to be trusted (more on that below under Keyserver)

Fingerprint

Every public key has a so-called fingerprint, a short hash of the key, which is used to identify the key. Since it is much shorter than the key itself, it can be read aloud, so it can also be used to verify the owner of the key by phone.

Keyserver

Keyservers are part of the Web of Trust. You can upload your key to such a server (they are connected to each other, so one submission should be enough). Other people can obtain your key from there and use it. If your key has been signed by others, that is, other people have confirmed that the key is yours, you can upload these signatures as well to show others that it really is your key and that they can use it without meeting you in person or verifying the key through the fingerprint. Keep in mind that a keyserver does not check who uploads a key, so a key found there under your name proves nothing by itself; it is the signatures on it, from people the downloader already trusts, that make it trustworthy.

Keysigning Party

The more people sign your key, the more it can be trusted. I think that one is clear. "But how do I get more signatures if I have only a few contacts using GnuPG?" - Go to a keysigning party. Lots of people meet there to verify each other's identity and afterwards sign the keys of the other party visitors. This way you get lots of signatures and your key is easier to trust. And, by the way, you meet people at these parties, real people, outside the lab :-) you know...

Set It Up

All clear? OK, then let's set up your GnuPG environment. Here are some external links to guides which will help you set up the software:

for various operating systems:

for Windows:

GnuPG Guide for MacOS X

for Linux:

If you know other/better guides, please feel free to put them into the comments!

 

