3 - PGP/GPG"In God we trust. Everybody else we verify using PGP!"
Tim Newsome
PGP acronym for "Pretty Good Privacy", is a computer program created by
Phil Zimmermann in
1991 to encrypt and decrypt information using public key cryptography.
On 1993 Phil Zimmerman was accused by the US government for "munitions export without a
license" because cryptosystems using keys larger than 40 bits were then considered munitions
at the moment and PGP always used keys bigger than 128 bits.
That created a lot of legal problems for Zimmerman but also helped PGP to get its fame.
Long history short, Zimmerman proposed in 1997 to create a standard called OpenPGP, that
standard was accepted by the IETF using as specification the document RFC 4880 and that way
a lot of applications were created that could exchange encrypted messages among themselves.
The Free Software Foundation created its own implementation of the OpenPGP standard and
called it GNU Privacy Guard, also called “GnuPG” or GPG for short.
What can PGP/GPG do for you?In the previous lesson we saw what crypto is, now we have an idea about what PGP is, but why
should you use it? What can it do for you?
PGP/GPG can:
Encrypt messages: You will be able to encrypt messages ensuring only the desired recipient can
read it. There is no known way of decrypting it without using the appropriate key, trying all the
possible combinations would take about 10,000,000,000,000 years, that is 1000 times the age of
the universe.
Decrypt messages: You will be able to decrypt the message others send to you.
Sign messages: You can digitally sign a message and that way authenticating that you really wrote it.
Verify signatures: You can verify if a message was written by the person who supposedly did it.
Why should you use PGP/GPG?When you operate over a compromised channel, like Internet, the phone or radio waves, you should
expect that Big Brother will be listening and/or recording the communication someplace.
Someone could even send messages claiming to be you, specially using email, have you seen in your
spam folder an email sent from your own account trying to sell you something?
Is not that your account was hacked, what happened is that a spammer “forged” that email to look
like it was sent from your account. Email sucks I’ll write about it in the close future.
So you should use PGP/GPG to ensure that the messages exchanged in your group can only be read
by the desired recipients and that the authors really are who they claim to be.Private key backupYou should do a private key backup, exporting it and then saving it in a CD or a pendrive to be stored in
your safe box, geocache or whatever you like.
You can also use the backup to install the key in many devices where you would like to work with encrypted
messages.
If your key gets stolen, it is still protected by a symmetric encryption, that’s why you need to type your
passphrase every time you use your private key.
Also you could create and store a “revocation certificate” to be published to notify others that the public key
should no longer be used because it was compromised or the passphrase lost.
PGP/GPG file extensionsWhenever you encrypt or export a key to a file, PGP/GPG will create files whose extension could be .asc,
.pgp or .gpg.
.asc files are “ASCII armored” that means the encrypted data is stored as readable characters that you
will be able to see in any text editor, this format is extremely helpful to use in emails as you can copy/paste
the text.
These files have a header and a tail indicating the beginning and the end of the PGP/GPG data, something
like “-----BEGIN PGP PUBLIC KEY BLOCK-----”, or “-----BEGIN PGP MESSAGE-----”.
Remember to include those beginning and end indicators and that if you manually change the content between
them the file will get corrupted.
ASCII armor is better suited for small files or text messages as armoring the message makes it bigger.
.pgp/.gpg files are binary files, you can’t see the contents using a text editor, you could attach these files to
your emails. This is more useful when you encrypt big files as encrypted files will be smaller than ASCII armored files.
PGP/GPG practiceEnough chit chat, is time to learn practicing.
This week the practice will be to install GPG on your computer and create your key pair, after you create the
keys I want you to post your public key in the forum
HERE so we can all start communicating among ourselves
securely.
Depending on your OS you will need to download the appropriate OpenPGP implementation for your platform.
You will notice that each implementation includes a suite of tools that will help you in your daily encryption tasks,
for instance right clicking a file you will see the option to encrypt/decrypt files etc. Also is extremely useful the
tool to manage your keyring, that is your collection of other people public keys.
In a following lesson we will install a tool to help you send and receive encrypted messages transparently, but
you need your keys in order to do that… so, let’s install the GPG.
1 - Download the appropriate software:
Windows: http://www.gpg4win.org/Linux: https://wiki.gnome.org/SeahorseMac: https://gpgtools.org/2 - Follow the installation steps, I’m extremely sorry if you use Mac but I have no clue on how it is, probably is just
the same that the others, but I never touched a Mac in my life and I’m not planing to change that. Why? I’ll tell
you about in the Free software lesson.
Lucky for you Mac guys, there is a video explaining how to install GPGTools and create your keys in the next step.
3 - Create your key pair. Computationally today isn’t a problem to use 4096 bits keys, so go for them!
If you are using windows you'll need to select "advanced settings" in the screen where you type your name and email,
and then select 4096 bits as the RSA key size, I added a screenshot following this post for you to see it.
Also remember to use a good passphrase, it is used to symmetrically encrypt your private key so no one else can use it
even if it gets stolen from your computer or backup.
IMPORTANT:Use the real email account that you plan to use to exchange encrypted messages.
If you use a fake account GPG Mail integration won't be able to automatically know what public key to use for encrypting
the messages!You can follow this excellent text guide on
how to create your keys in Windows and Linux from the riseup.net guys,
or you can follow the steps in these videos:
Windows:
Linux:
Another one for Linux:
Mac:
4 - If you reached this step that means you have successfully generated your key pair.
To share your public key open your keyring management tool and select the option to export your public key.
Get your newly exported public key and post it in a new thread
HERE.
Remember to name your public key export file like this [your Name]PublicKey.asc, for instance APX808PublicKey.asc
5 - It would take me a lifetime to explain every suite for each OS, so it will be awesome if you read some
documentation of your corresponding GPG implementation or watch a few Youtube videos about it.
If you play a little with the tools you’ll see that encrypting/decrypting files isn’t so complicated.
Let’s see who is the first one in sharing his key, and don’t forget I’m here to help you if you need assistance!