Security and Privacy series pt. 1 - Securing your communications with OpenPGP

For the first part of my series on data security, I want to talk about the use of public key cryptography as a way to encrypt your communications, prove that you’re the original author and ensure that communications you receive really originate from who they claim to.

Cory Doctorow did a great job of describing how public key encryption works in his book “Little Brother”, so I won’t reinvent the wheel, but instead give you his words:

In public key crypto, each user gets two keys. They’re long strings of mathematical gibberish, and they have an almost magic property. Whatever you scramble with one key, the other will unlock, and vice-versa. What’s more, they’re the only keys that can do this – if you can unscramble a message with one key, you know it was scrambled with the other (and vice-versa). So you take either one of these keys (it doesn’t matter which one) and you just publish it. You make it a total non-secret. You want anyone in the world to know what it is. For obvious reasons, they call this your “public key.”

The other key, you hide in the darkest reaches of your mind. You protect it with your life. You never let anyone ever know what it is. That’s called your “private key.” (Duh.)

Now say you’re a spy and you want to talk with your bosses. Their public key is known by everyone. Your public key is known by everyone. No one knows your private key but you. No one knows their private key but them.

You want to send them a message. First, you encrypt it with your private key. You could just send that message along, and it would work pretty well, since they would know when the message arrived that it came from you. How? Because if they can decrypt it with your public key, it can only have been encrypted with your private key. This is the equivalent of putting your seal or signature on the bottom of a message. It says, “I wrote this, and no one else. No one could have tampered with it or changed it.”

Unfortunately, this won’t actually keep your message a secret. That’s because your public key is really well known (it has to be, or you’ll be limited to sending messages to those few people who have your public key). Anyone who intercepts the message can read it. They can’t change it and make it seem like it came from you, but if you don’t want people to know what you’re saying, you need a better solution.

So instead of just encrypting the message with your private key, you also encrypt it with your boss’s public key. Now it’s been locked twice. The first lock – the boss’s public key – only comes off when combined with your boss’s private key. The second lock – your private key – only comes off with your public key. When your bosses receive the message, they unlock it with both keys and now they know for sure that: a) you wrote it and b) only they can read it.

To employ this theory we are going to use the de facto standard for message encryption and signing; OpenPGP. OpenPGP is a widely supported in all major email applications and operating systems. In these examples we will use GPG - Gnu Privacy Guard - available in in Ubuntu in the gnupg package (installed by default). GPG is a free, open source application that uses the OpenPGP standard. For the usage examples we will use Mozilla Thunderbird with the OpenPGP plugin Enigmail.

Creating a key

The first step is to create your very own privat/public key pair. This can be done by the command:

gpg --cert-digest-algo=SHA256 --default-preference-list="h10 h8 h9 h11 s9 s8 s7 s3 z2 z3 z1 z0" --gen-key

In detail, this example tells gpg to use the SHA256 algorithm when signing other people’s keys (–cert-digest-ago=SHA256),

more about this later on, in the “ring of trust” section. Then_ –default-preference-list_ tells gpg what preferences to use for encryption and hashing, for the specifics of the values see this page. Lastly we tell gpg to generate the keys using the –gen-key command.

After you have issued the command you will be presented with a fairly self-explanatory wizard. If you are still unsure, you should select  _RSA and RSA (default) _as key type, and use the standard values for key size and key duration (2048 and unlimited). After that enter your information and password when asked, and your key will be created.

Take a note of the key ID in the final output of the process on the “gpg: key ABABABAB marked ….” line. (here ABABABAB would be your key ID.)

The public and private keys you created are now stored in your private keyring. This means that GPG can access and use them when needed. To be able to use your key pair though, there are still more to do:

Spreading your public key

This step will upload the newly created key to Ubuntu’s key servers. This is Doctorow’s previously described action of spreading your key for everyone to know. When a key server has received your key, it will be propagated through the internet to all the other key servers, and people will be able to download it from there.

gpg --send-keys --keyserver keyserver.ubuntu.com 6A9212EB

Your key can also be exported and spread through other means, e.g. put on your website, given to friends etc. For more information on this, see the “Moving, backing up and sending your key” section further down.

Using Thunderbird to read and send encrypted messages

First you have to install Thunderbird, as well as the Enigmail plugin. In Ubuntu this can be done by installing the thunderbird and enigmail packages:

sudo aptitude install thunderbird enigmail

If you are using another package management system or use another operating system, you can download them from the above links.

You can configure Enigmail under the OpenPGP option in the Thunderbird menus. In my case, Enigmail automatically detected the gpg exectuables and everything was good to go. When you first write an email and want to encrypt or sign it, Enigmail will prompt you for which key to use, and you can select your previously created key from a nice list.

When you recieve an encrypted or signed email from someone who’s public key you have, or who’s key is residing on a keyserver on the internet (Enigmail is automatically set up to check a large amount of them), email messages are automatically decrypted, and Enigmail shows you a nice notification about who they key used belongs to.

Moving, backing up and sending your key

To get a copy of your public key to send to your friends or put on your website, you can use the command

gpg --export -a ABABABAB > public_key.asc

This will export your key in ASCII representation to a file called public_key.asc. If you just want to print the key to the command line for copy-pasting you can skip the “> public_key.asc” part.

To export your private key for backup purposes and for use on your other computers you can use the command:

gpg --export-secret-key -a ABABABAB > secret_key.asc

Do note that this key is strictly personal and should be kept extremely private. Stick it on a USB drive, preferably encrypted, and stick it in a safe or lock box. Also note that if you ever lose this key - or the password you used to create it - your public key will be useless as you can never decrypt anything encrypted by it. This is extremely important.

To import someone’s public key you can issue this command:

gpg --import some_public_key.asc

To import your private key on another computer, e.g. if you have multiple computers or are upgrading to a new one:

gpg --import --allow-secret-key-import your_secret_key.asc

Help, I’ve lost my private key!

If you ever lose your private key, or someone steals your computer and gets a hold of it a nice feature is in place to have it revoked. To be able to do this, you have to create a revocation key while you still have your key, so you should do this as soon as possible. To create a revocation key:

gpg --gen-revoke ABABABAB > revocation_key.asc

This key is also strictly personal, and should be kept hidden away. Do not store a single copy along with your other keys, as you need to have this key in case your computer gets stolen and you must revoke your key.

To use this key to revoke your key, simply import it to your keyring and upload it to a key server like you did earlier on, or upload it directly to a key server that supports doing that (some key servers will allow you to upload it in a web interface or similar)

Web of trust

Another cool feature in OpenPGP is key signing. This is the process of signing another persons key with your own. This tells everyone that you vouch for his or her key belonging to whom it says. A random key found on the internet can of course come from anyone, but if that key says that Sarah trusts it, and Sarah’s key says Jake trusts it, and you personally know Jake, then that key just became a lot more reliable. For key signing to work properly though, it should only be done with people who know each other and can verify the other person’s identity - and ideally, only in a “real life” setting where both parts are gathered.

To read more about key signing and web of trust take a look at the Ubuntu Wiki’s article on GPG and the GNU Privacy Handbook.

References

During the making of this article I’ve learned and transcribed a lot from other sources, notably: