Security tip #3: public key cryptography & PGP

Public key cryptography is one of the most essential pieces to online security. It is at the root of what enables you to shop online, do secure online banking, and communicate securely. I will be focusing on the latter in this tip. But first a quick and simple refresher on what public key cryptography is and how it works.

How public key cryptography works

Or rather how you use it. Cryptography allows you can lock any data or information inside of a digital safe. Generally this is done through the use of a shared key (password). This is similar to how you, and only you, can log on to your home wireless internet. But what if you don’t already have a shared key? This is where public key cryptography comes in to play.

Public key crypto works by using two keys instead of one. We will call these keys the public key and the private key. The public key can be thought of as your listing in a phone book, you want everyone to be able to get a hold of it in case they need to get a hold of you. The private key on the other hand is like your voice mail password, you only want one person to know it: you.

Messages and data encrypted with your public key are put into a digital safe that can’t be opened by anyone, even the person who just put the data into the safe, except you. This is important because it means anyone and everyone can encrypt things to send to you but you will be the only one able to decrypt them, or open the safe.

OK, so I can encrypt things with your public key and only you can open it. Now what?

Now we use it to send private e-mail.

Pretty Good Privacy (PGP)

PGP uses a system of keys which are actually just public and private keys. If I want to send you a private e-mail I just need to get a hold of your public key. For added integrity I could also sign the message using my private key, which you could then in turn verify with my public key, but that is beyond the scope of this post. Set up correctly not only does PGP allow me to receive secure e-mails, that no one but me can read, but also verify that the person who actually sent me the e-mail is who I think it is.

GNU Privacy Guard (GnuPG)

GnuPG is a a free and open source implementation of OpenPGP that is very common. Most Linux distributions come equipped with it by default but Windows users will most likely need to download it. Several e-mail clients also integrate seamlessly with GnuPG which makes things very easy. Others, like Outlook and Thunderbird, simply require an add-on.

How to get GnuPG

This is a simple step but is crucial to getting everything to work. Jump over to the official website, http://www.gnupg.org/, or hop right over to their download section here and grab a copy of it. For Window’s users you can just grab the binary, indicated by the letter B, while Linux and Mac users should either look in their software repositories or follow the links available. Once installed GnuPG, or gpg as it will be called, should be good to go.

Generate your first key

There are a number of different ways to generate your keys, from within the terminal or command line to within your favourite e-mail client. Rather than cover all of the numerous possible ways that you could generate your key I’m going to only cover two: the terminal and from within Thunderbird (see below).

1. Open up a terminal or a command prompt

2. Type:

gpg –gen-key

That’s two dashes before “gen”

3. This should prompt you with the following options:

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection?

As you can see there are a couple of different options. Let’s break it down a little. Digital Signature Algorithm, is the standard way of signing messages. El Gamal is a widespread way of encrypting a message. Finally RSA is a versatile algorithm that can do both (don’t worry about the sign only part of #5, we can fix that later).

For your first key I recommend making a test key just so you can familiarize yourself with the steps required.

4. Type the number “1” and press Enter. It should now be asking you what size you want the key to be.

DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

The current recommendations seem to be that a 2048 bit key is a very good idea. Creating a larger key will make it more secure but might take a bit longer to generate the key. For now let’s just go with the default 2048. Press enter.

5. Next gpg will ask you how long the key should be valid for. This expiry date is important because should you lose your key, or have it compromised, you will at least feel good that eventually it will become invalid. For this example key we will set it to expire tomorrow. In order to do so type “1” and press enter. If you wanted it to expire in one week, month, or even year you just need to instead type “1w”, “1m”, or “1y” respectively.

Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)

6. This is where you would enter your personal information. You don’t want to lie about this because this key is meant to identify you as you and only you! However for this example I am going to enter the following information:

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
“Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>”

Real name: Test Key
Email address: testkey@tylerburton.ca
Comment:
You selected this USER-ID:
“Test Key <testkey@tylerburton.ca>”

Once you have verified this information type “o” and hit enter for “OK”

7. It will now prompt you for a passphrase. A passphrase gives your key some additional security. Once your key is generated you want to make sure that no one else can get a hold of your private key. If someone does don’t panic, there are ways for you to revoke the key, but a lot of damage can still be done with someone reading your encrypted e-mails or impersonating you. A passphrase makes it difficult for someone to decrypt your e-mail or impersonate you even if they have a copy of your secret key.

8. One you finish this GnuPG will generate the large prime numbers used in your key. This may take a while depending on the hardware you are running. When it’s done you will be shown your key’s information. It should look something like this:

pub   1024D/E1775F9E 2009-10-04 [expires: 2009-10-05]
Key fingerprint = 6DD1 5B41 1279 03E5 1088  225C 5B1B 90A9 E177 5F9E
uid                  Test Key <testkey@tylerburton.ca>
sub   2048g/4DDF6291 2009-10-04 [expires: 2009-10-05]

9. That’s it! You now have a key that you can use to securely encrypt your e-mail and files. Just be sure to get your public key out to as many people as possible. You can even upload it to a public key server so others can easily retrieve it.

Setting up Thunderbird

Obviously these instructions will only work if you use Thunderbird as your mail client. That being said a quick google search provide you with all of the answers you’ll need to set up PGP with your e-mail client of choice.

1. Download and install the Enigmail add-on for Thunderbird.

2. This will add a title bar option labeled “OpenPGP.” You may want to turn on expert mode to give yourself some extra options but that’s your choice. Inside of this menu you will find something called “Key Management.” If you click this, it will show you all of the keys you have stored in your key ring. The ones for which you have a private key are highlighted in bold.

3. Next go into your account settings and you’ll notice a new option called “OpenPGP Security.” Click this and check the box called “Enable OpenPGP support.” This will add two small icons to the bottom of your new e-mail composition window. One looks like a pen and when it is highlighted means you will sign the e-mail, proving that you were the one who sent it. The other is a key; if you have the recipient’s public key you can use this to encrypt the message you are sending so that no one else will be able to read it. Take a look at the options provided and set it up to your liking.

4. That’s it! You now have PGP support for your e-mail! If you feel like creating a new key, or even your first key, I would suggest doing so from the Key Manager inside of Enigmail instead of via the command line. It provides a very easy wizard to walk you through.

Final points

1. Hopefully this mini-guide  hasn’t scared you away from trying PGP yourself. If you are asking yourself ‘why should I even bother? I have nothing to hide’ you should take a moment while sending that next e-mail and consider if you instead wrote the same thing on a postcard and sent it on an around the world trip. This analogy gives you an idea of how little privacy your current e-mails have. As they are sent out over the internet they hop from server to server until they reach their destination. You have little to no control over what these servers do with your e-mail. Still have nothing to hide? Then you are far less concerned about identity theft then I am.

2. I said above, when selecting what type of key to create, that if you chose RSA (sign only) you could still use it to encrypt e-mail. This is true and all you need to do is edit the key by typing:

gpg –edit-key [e-mail address goes here]

(that’s two dashes in front of edit-key) and then on the next prompt entering:

addkey

This will walk you through adding an additional subkey, this time used for encryption. Just follow the steps as before and you should be set!

3. Remember PGP can be used for more things than just e-mail. You can also digitally sign documents and files or even encrypt them just like you can with your e-mail.

4. Now that you have this set up I fully expect any e-mail being sent my way to make use of it ;)

3 thoughts on “Security tip #3: public key cryptography & PGP

  1. […] Security counsel #3: open key cryptography & PGP […]

  2. […] If you have seen the security news in the last month or so you will know that RSA-768, a 768bit or 232 decimal digit asymmetric key, has been broken (factored). This has important security repercussions for all of us because it is these public key algorithms like RSA, or ElGamal, that guard our online transactions, and e-mail conversations. […]

  3. […] process they requested that he send sensitive materials like his SIN and birth certificate through unencrypted e-mail to them. And you wonder why identity theft is so […]

Comments are closed.