Author Topic: 3 - PGP/GPG  (Read 3088 times)

Offline APX808

  • Administrator
  • *****
  • Posts: 1806
  • Karma: +10/-0
    • APX R4nt5
3 - PGP/GPG
« on: February 20, 2014, 08:11:25 PM »
3 - PGP/GPG

"In God we trust. Everybody else we verify using PGP!"
 - Tim Newsome


PGP, an acronym for "Pretty Good Privacy", is a computer program created by Phil Zimmermann in
1991 to encrypt and decrypt information using public key cryptography.

In 1993 Phil Zimmermann was accused by the US government of "munitions export without a
license" because cryptosystems using keys larger than 40 bits were considered munitions
at the time and PGP always used keys bigger than 128 bits.
That created a lot of legal problems for Zimmermann but also helped PGP to get its fame.

Long story short, Zimmermann proposed in 1997 to create a standard called OpenPGP. That
standard was accepted by the IETF using as specification the document RFC 4880, and that way
a lot of applications were created that could exchange encrypted messages among themselves.

The Free Software Foundation created its own implementation of the OpenPGP standard and
called it GNU Privacy Guard, also called “GnuPG” or GPG for short.

What can PGP/GPG do for you?

In the previous lesson we saw what crypto is, now we have an idea about what PGP is, but why
should you use it? What can it do for you?

PGP/GPG can:

Encrypt messages: You will be able to encrypt messages, ensuring only the desired recipient can
read them. There is no known way of decrypting them without using the appropriate key; trying all the
possible combinations would take about 10,000,000,000,000 years, that is 1000 times the age of
the universe.

Decrypt messages: You will be able to decrypt the message others send to you.

Sign messages: You can digitally sign a message and that way authenticating that you really wrote it.

Verify signatures: You can verify if a message was written by the person who supposedly did it.


Why should you use PGP/GPG?

When you operate over a compromised channel, like the Internet, the phone or radio waves, you should
expect that Big Brother will be listening and/or recording the communication someplace.

Someone could even send messages claiming to be you, especially using email. Have you seen in your
spam folder an email sent from your own account trying to sell you something?
It is not that your account was hacked; what happened is that a spammer “forged” that email to look
like it was sent from your account. Email sucks; I’ll write about it in the near future.

So you should use PGP/GPG to ensure that the messages exchanged in your group can only be read
by the desired recipients and that the authors really are who they claim to be.


Private key backup

You should do a private key backup, exporting it and then saving it on a CD or a pendrive to be stored in
your safe box, geocache or whatever you like.
You can also use the backup to install the key on many devices where you would like to work with encrypted
messages.
If your key gets stolen, it is still protected by symmetric encryption; that’s why you need to type your
passphrase every time you use your private key.
Also, you could create and store a “revocation certificate” to be published to notify others that the public key
should no longer be used because it was compromised or the passphrase lost.

PGP/GPG file extensions

Whenever you encrypt or export a key to a file, PGP/GPG will create files whose extension could be .asc,
.pgp or .gpg.

.asc files are “ASCII armored” that means the encrypted data is stored as readable characters that you
will be able to see in any text editor, this format is extremely helpful to use in emails as you can copy/paste
the text.
These files have a header and a tail indicating the beginning and the end of the PGP/GPG data, something
like “-----BEGIN PGP PUBLIC KEY BLOCK-----”, or “-----BEGIN PGP MESSAGE-----”.
Remember to include those beginning and end indicators and that if you manually change the content between
them the file will get corrupted.
ASCII armor is better suited for small files or text messages as armoring the message makes it bigger.

.pgp/.gpg files are binary files, you can’t see the contents using a text editor, you could attach these files to
your emails. This is more useful when you encrypt big files as encrypted files will be smaller than ASCII armored files.

PGP/GPG practice

Enough chit chat, it is time to learn by practicing.
This week the practice will be to install GPG on your computer and create your key pair. After you create the
keys I want you to post your public key in the forum HERE so we can all start communicating among ourselves
securely.

Depending on your OS you will need to download the appropriate OpenPGP implementation for your platform.
You will notice that each implementation includes a suite of tools that will help you in your daily encryption tasks;
for instance, right clicking a file you will see the option to encrypt/decrypt files etc. Also extremely useful is the
tool to manage your keyring, that is, your collection of other people's public keys.

In a following lesson we will install a tool to help you send and receive encrypted messages transparently, but
you need your keys in order to do that… so, let’s install the GPG.

1 - Download the appropriate software:

Windows: http://www.gpg4win.org/
Linux: https://wiki.gnome.org/Seahorse
Mac: https://gpgtools.org/

2 - Follow the installation steps. I’m extremely sorry if you use Mac but I have no clue how it is; it is probably just
the same as the others, but I never touched a Mac in my life and I’m not planning to change that. Why? I’ll tell
you about it in the Free software lesson.
Lucky for you Mac guys, there is a video explaining how to install GPGTools and create your keys in the next step.

3 - Create your key pair. Computationally, today it isn’t a problem to use 4096-bit keys, so go for them!
If you are using Windows you'll need to select "advanced settings" in the screen where you type your name and email,
and then select 4096 bits as the RSA key size. I added a screenshot following this post for you to see it.
Also remember to use a good passphrase; it is used to symmetrically encrypt your private key so no one else can use it
even if it gets stolen from your computer or backup.

IMPORTANT:
Use the real email account that you plan to use to exchange encrypted messages.
If you use a fake account GPG Mail integration won't be able to automatically know what public key to use for encrypting
the messages!


You can follow this excellent text guide on how to create your keys in Windows and Linux from the riseup.net guys,
or you can follow the steps in these videos:

Windows:
gpg4win Generate Keys


Linux:
PGP Key Creation and Exporting your PGP Public Key Block


Another one for Linux:
Getting Started with GPG - [1/2] - Generating a GPG Key


Mac:
GPG Encryption Software for Mac


4 - If you reached this step that means you have successfully generated your key pair.
To share your public key open your keyring management tool and select the option to export your public key.
Get your newly exported public key and post it in a new thread HERE.
Remember to name your public key export file like this [your Name]PublicKey.asc, for instance APX808PublicKey.asc

5 - It would take me a lifetime to explain every suite for each OS, so it will be awesome if you read some
documentation of your corresponding GPG implementation or watch a few Youtube videos about it.
If you play a little with the tools you’ll see that encrypting/decrypting files isn’t so complicated.

Let’s see who is the first one in sharing his key, and don’t forget I’m here to help you if you need assistance!
« Last Edit: February 21, 2014, 02:12:30 PM by APX808 »
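
The ASCII armor layout described in the lesson above (BEGIN/END lines around readable text that breaks if edited by hand), as an added Python example that is not part of the original post. It builds and parses armor following RFC 4880, uses a constructed byte string in place of real encrypted data, and assumes the checksum line is always present:

```python
import base64
import re


def crc24(data: bytes) -> int:
    """Checksum OpenPGP places on the '=XXXX' line at the end of the armor."""
    crc = 0xB704CE  # CRC-24 initial value from RFC 4880
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB  # CRC-24 polynomial from RFC 4880
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "PGP MESSAGE") -> str:
    """Wrap binary data: BEGIN line, blank line, base64 body, checksum, END line."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN {kind}-----\n\n{body}\n={check}\n-----END {kind}-----\n"


def dearmor(text: str) -> bytes:
    """Return the binary payload; raise ValueError if the armor is damaged."""
    lines = [ln.strip() for ln in text.strip().splitlines()] or [""]
    begin = re.fullmatch(r"-----BEGIN (PGP [A-Z ]+)-----", lines[0])
    if not begin or lines[-1] != f"-----END {begin.group(1)}-----":
        raise ValueError("missing or mismatched BEGIN/END lines")
    # "Version:"/"Comment:" headers sit before the first blank line; skip them.
    if "" not in lines:
        raise ValueError("no blank line after the armor headers")
    body = lines[lines.index("") + 1:-1]
    # Assumption of this example: the checksum line must be present.
    if not body or not body[-1].startswith("="):
        raise ValueError("checksum line is missing")
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        stored = base64.b64decode(body[-1][1:], validate=True)
    except ValueError as exc:
        raise ValueError("body is not valid base64") from exc
    if crc24(data) != int.from_bytes(stored, "big"):
        raise ValueError("CRC-24 mismatch: the armored text was modified")
    return data


if __name__ == "__main__":
    payload = bytes(range(256)) * 4  # constructed stand-in for encrypted bytes
    text = armor(payload)
    print(len(payload), "binary bytes ->", len(text), "armored characters")
    try:
        dearmor(text.replace("\n\nA", "\n\nB", 1))  # one character edited
    except ValueError as err:
        print("rejected:", err)
```

Running it prints the size of the binary input next to the larger armored text, then the error raised for the copy with one edited character.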

Offline APX808

Re: 3 - PGP/GPG
« Reply #1 on: February 21, 2014, 06:36:27 AM »
Hey guys

When you are creating your key in Windows using Kleopatra, in the screen where you type your name and email you need to click on advanced options and select 4096 bits as the RSA key size. Here is a screen capture.


Offline APX808

Lesson 3 discussion
« Reply #2 on: February 21, 2014, 09:11:31 AM »
I saw some of you already posted your public keys, great work guys  :pirateThumbUp:

Have you tried importing the other guys' keys? If you do, you'll be able to encrypt messages for them.
Each key has our emails, so we can start messaging each other.

Did the videos I posted explain how to import keys or do you need some help with it?


Offline JohnyMac

  • Administrator
  • *****
  • Posts: 9641
  • Karma: +11/-0
Re: Lesson 3 discussion
« Reply #3 on: February 21, 2014, 09:24:09 AM »
I haven't had a chance to do this. I was going to find a YT video to watch to figure out how to do it.  :)
Defund both the Democrats and Republicans to stop their collusion with the Insurance companies!

Offline APX808

Re: Lesson 3 discussion
« Reply #4 on: February 21, 2014, 09:51:09 AM »
Well it's really easy.

Windows instructions:
Download the shared key files and save them in a directory
Open Kleopatra
Click "Import Certificates", select the file and click on Open, you will see the new key listed on Kleopatra





Offline APX808

Re: 3 - PGP/GPG
« Reply #5 on: February 21, 2014, 09:54:34 AM »
To import the other guys' keys

Windows instructions:
Download the shared key files and save them in a directory
Open Kleopatra
Click "Import Certificates", select the file and click on Open, you will see the new key listed on Kleopatra


Offline APX808

Re: Lesson 3 discussion
« Reply #6 on: February 21, 2014, 11:24:02 AM »
Sorry I screwed it up moving the post...

But John asked me:

"OK I have searched YT but can not find a vid on how to send a gpg encrypted message from outlook or AOL. Everything seems to be gmail or google+ . Any thoughts?"

In the following lesson we will configure an application called Thunderbird with an add-on called Enigmail that will allow you to send and receive encrypted email.

What you can do meanwhile is to encrypt the text file and attach it to your email.

OR

You can encrypt a file, use the ASCII armor and then copy and paste the text in the email, similar to what you did to share your public key.

Offline Nemo

  • Hardcore Prepper
  • ******
  • Posts: 3409
  • Karma: +13/-1
  • From My Cold Dead Hands
Re: Lesson 3 discussion
« Reply #7 on: February 21, 2014, 11:38:57 AM »
What's Kleopatra?

Nemo

If you need a second magazine, its time to call in air support.

God created Man, Col. Sam Colt made him equal, John Moses Browning turned equality to perfection, Gaston Glock turned perfection into plastic fantastic junk.

Offline special-k

  • Peasant Extraordinaire
  • Administrator
  • *****
  • Posts: 2027
  • Karma: +8/-0
Re: Lesson 3 discussion
« Reply #8 on: February 21, 2014, 11:41:02 AM »
Mac user here.

I've watched the recommended video and installed the app.  Also read much of the info at support.gpgtools.

So if I'm reading this correctly, this app only works in conjunction with your OS's mail app (called "mail.app" on Macs)?? 

Is "Kleopatra" the PC counterpart to Mac's "mail.app"??

I've never found it necessary to use "mail.app" and have therefore never even set it up.  I just want confirmation that this should be my next step.

"It wouldn't do any good.  I've had the shit beat out of me a lot of times.  I just replenish with more shit."  - Billy McBride

Offline APX808

Re: Lesson 3 discussion
« Reply #9 on: February 21, 2014, 11:53:37 AM »
Kleopatra is the equivalent to "GPG Keychain" in the GPGTools suite, and is used to create/import/export keys.
You should use that one to create your public key.

Here is a screenshot of it, as you can see you have new/import/export options:


GPGTools includes something called "GPG Services" that probably gives you the option to encrypt/decrypt files or text, probably just by right clicking on them... Are you on Mac still with only one-button mice?

I think you'll need to configure the mail.app for the next lesson when we will install Thunderbird and Enigmail.

Here is a tutorial on basic GPG Keychain usage, I think it is the same one you mentioned

http://support.gpgtools.org/kb/how-to/first-steps-where-do-i-start-where-do-i-begin

Offline special-k

Re: Lesson 3 discussion
« Reply #10 on: February 21, 2014, 12:01:56 PM »
I have a 2 button mouse.

Here is where I got stumped:
Quote
When asked for your email address in the "New key" dialog,
type in the email address you use in Mail.app to send mails from.
Make sure that the address is identical to the one in Mail.app (Double check with the mail address specified in Mail.app -> Preferences -> Accounts).

Must I have mail.app configured before I generate a new key?
« Last Edit: February 21, 2014, 12:03:51 PM by special-k »
"It wouldn't do any good.  I've had the shit beat out of me a lot of times.  I just replenish with more shit."  - Billy McBride

Offline APX808

Re: Lesson 3 discussion
« Reply #11 on: February 21, 2014, 12:07:10 PM »
Use the email address that you use normally, you don't need to have the mail.app configured previously.
They just say that because they suppose you already have it configured and will use it in the next step with the integration the suite provides.

After the key creation probably you should read about how to configure the mail.app to use your email.
Just send me an email if you have any questions about it and don't want to provide your email address publicly.


Offline APX808

Re: 3 - PGP/GPG
« Reply #12 on: February 21, 2014, 12:36:32 PM »
How to encrypt a file/message on Windows with GPG4Win and Kleopatra

PGP Encryption Tutorial (using gpg4win and Kleopatra)
« Last Edit: February 21, 2014, 12:38:09 PM by APX808 »

Offline special-k

Re: 3 - PGP/GPG
« Reply #13 on: February 21, 2014, 12:45:45 PM »
I have generated a key.  So what do I do to actually see the key block so I can post it?
"It wouldn't do any good.  I've had the shit beat out of me a lot of times.  I just replenish with more shit."  - Billy McBride

Offline APX808

Re: Lesson 3 discussion
« Reply #14 on: February 21, 2014, 12:50:33 PM »
Quote
I have generated a key.  So what do I do to actually see the key block so I can post it?

You need to open "GPG Keychain", select your key, and then press the export icon. Be sure to export just the public key.

That will create the export file; if you open it with a text editor you can copy and paste its contents.

Offline special-k

Re: Lesson 3 discussion
« Reply #15 on: February 21, 2014, 01:06:44 PM »
So is the version & comment (at the top) part of the key block that will be needed later to decrypt?
"It wouldn't do any good.  I've had the shit beat out of me a lot of times.  I just replenish with more shit."  - Billy McBride

Offline APX808

Re: Lesson 3 discussion
« Reply #16 on: February 21, 2014, 01:13:39 PM »
Cool you could create it and share it, don't forget to attach the file with the key too, that's handy

The version and comment at the top is just to know what software was used to export the key, it doesn't really matter.

Offline APX808

Re: Lesson 3 discussion
« Reply #17 on: February 21, 2014, 02:15:12 PM »
Guys, this is extremely important:

Use the real email account that you plan to use to exchange encrypted messages.
If you use a fake account GPG Mail integration won't be able to automatically know what public key to use for encrypting the messages!


Also people will copy the email from the public key to write to you and the emails will get rejected and never reach you, just like it happened
a few minutes ago when I tried to write to you!


Offline brat

  • Committed prepper
  • *****
  • Posts: 594
  • Karma: +3/-0
Re: Lesson 3 discussion
« Reply #18 on: February 21, 2014, 05:50:46 PM »
I guess I need to email myself more, cause in my first key I posted, I didn't remember my correct email address when I created my key. Someone waaaaay more smarts than me caught that and I had to regenerate a new key. My new key is posted on my original post in the key locker. Sorry for the inconvenience, but you can delete the old key and add the newest one, otherwise you'll be going
"shit I must have messed up cause brat ain't answering my emails".. and it won't be your fault. It's mine. Sorry  :facepalm:
"Peace is that brief glorious moment in history, when everybody stands around
reloading" - Thomas Jefferson