Category: encryption

  • Email Encryption How To (not Why)

    January 28, 2011 EDIT: Hello to all you people coming from Stumbleupon. Note that I haven’t checked out these instructions to see if they’re still relevant after two years. If you find anything that’s out of date, let me know!

    This post is not intended to convince you to start encrypting all of your email. This post is intended to do that. As well as the book, “Little Brother” by Cory Doctorow.

    This post is more of a how-to, in simple layman’s language (I hope). Others have done this before, but I think I’ve broken it down more for the people who aren’t familiar with the various platforms and I’ve included some of the pitfalls that I hit while I was doing all the setup. There are many many little tutorials around. Google is your friend. If you find that any of the instructions here are unclear or lead you down the primrose path, please let me know.


    Email Encryption How To
    I have been thumbing my nose at The Man recently by joining the ranks of people who regularly encrypt email messages.1 I accomplish this through three different tools: GnuPg, Thunderbird/Enigmail (actually two separate tools there), and Firefox/FireGPG (which are again two separate tools working together).

    1. The first and most important one of these tools is GnuPG which stands for GNU Privacy Guard. If you don’t know what GNU is, go here, but it’s not important for this discussion.
    2. The second set of tools is the Thunderbird/Enigmail combination which I use because I like being able to access my email whereever I go via IMAP. Thunderbird is a free email client via the Mozilla project which also publishes Firefox, a browser similar, but much superior, to Windows Internet Explorer. Then there is the Enigmail extension, which must be installed on top of Thunderbird.
    3. Thirdly is the Firefox/FireGPG combo which allows me to use encryption through Google Mail. Firefox, as I just mentioned, is a superior web browser to Internet Explorer and FireGPG is an extension downloaded through Firefox’s extension utility in order to bring on board the capabilities of GnuPG.

    This is all a lot of detail, but I can break it down. Firstly, a quick summary of Public Key Encryption (which is what GnuPG is for) for people who don’t care about the math. If you don’t want the explanation, skip to the paragraph marked Step 1.

    Public Key Encryption
    Encrypting a message takes your Plaintext, mangles it through a magic mathematical process to come up with a bunch of gobbledy-gook that requires a Key to understand. If you have the Key, you may de-mangle the gobbledy-gook and end up with the Plaintext that was originally mangled. What Public Key Encryption does is provide you with two keys that, combined with someone else’s two keys, allow for a secure communication route.

    Why does everyone get two keys, and what are these key things anyway? One is called your private key, and one is called your public key. The private key you keep private and never let anyone see, ever. The public key you distribute to everyone, everywhere so they can check your messages. Keys look like this: mQGiBEicoXYRBACFu+jc9... and go on for a very long time.

    The reason for two keys is simple in concept, but mathematically complex. The concept is this: Any message you send is “signed” with your private key. Anyone who has your public key can verify that it is “you”2 that sent that message. If they send a message to you that has been signed by their private key, you may then use their public key to verify that they were the person who sent that message.

    So far, though, we’ve only talked about verifiability, not encryption. Anyone can still read these “signed” messages. The slick part is when you send a message to a recipient that is encrypted with their public key. Only a person’s private key can “de-mangle” or decrypt a message that has been encrypted with their public key. That is the purpose of the two keys. A message is encrypted using your public key—which everone has—then it is sent to you. You decrypt it using your private key—which only you have—and read the message. As long as you preserve the secrecy of your private key, there is no possibility of someone reading that encrypted message. 3

    The way to close the loop for secure message transmission is for both you and your buddy to have exchanged public keys. If you’re sending a message to your friend, you first “sign” it using your private key, then encrypt it using their public key. Now you send the message and your friend first decrypts it using her private key, then she examines the signature using your public key, verifying that it came from you. Simple! Brilliant!

    So, how do all those programs I mentioned figure into this mess? GnuPG is the program that handles all the heavy lifting about dealing with your keys. Enigmail and FireGPG handle the conversion of email messages from plaintext to signed or encrypted versions of themselves and back again. Firefox and Thunderbird provide the platforms upon which all that work can be interfaced with the world. What you can take out of this is: You must have GnuPG (or similar program, but that’s the one I’m pimping). Thunderbird and Enigmail are required if you want a computer-based email program; Firefox and FireGPG are required if you want a browser-based email program.4 For those of you who are die-hard Outlook users, I don’t believe that Outlook supports GnuPG. I believe it only does S/MIME, which works as well as GnuPG, but it’s a different system, it’s proprietary, and is beyond the scope of this document.

    So now you know the basics of public key cryptography. Here’s the nuts and bolts of getting things set up:

    Step 1:
    Download Gnu Privacy Guard. This is the link to the executable file of version 1.4.9. If this doesn’t work, go to the GnuPG download page and look for the Windows Install FTP link. Make sure you save this executable to disk before installing. Saving it, rather than just clicking on “run” allows you to confirm the integrity of the file, making certain that the file you’re downloading is the same as the file the GnuPG is intending for you to download. When installing something that is going to secure ALL of your email communications, it makes sense to take some time and get it right.

    Step 1a:
    To check that you’ve got the right version, you compare the “checksum” of a file against what is posted by GnuPG. This, unfortunately, requires additional steps and downloads. If you want to just get on with it, skip to the next step. If not, keep reading.

    A “checksum” is an integer string resulting from performing an analysis of a block of data. Basically, it’s a fingerprint of a series of data. Any modification to the data will result in an altered checksum. For example, the checksum of the windows GnuPG download for v. 1.4.9 is:
    c2efad983dfe50e6d8007257bad2c76604be389a.
    If the file is altered, when you run the checksum the result will be very different.

    Unfortunately, windows doesn’t come equipped to run checksums. I like using Checksum for Windows which has a convenient interface. Once you download and install it, you can run the “Simple Checksum” which gets posted under the Start Menu. Then you drag the GnuPG executable file over onto the little Simple Checksum window and it will give you the resulting checksum. If it matches the one posted at GnuPG, you’ve got a good file and can proceed with installation.

    Step 2:
    Install GnuPG. Run the executable you saved in step 1. Click next next next next until you’re done. It’s very easy.

    Step 3:
    Install Thunderbird. The Thunderbird website has nice instructions. Use them.

    When setting up your email accounts, make sure you read my horror story here, to avoid similar problems yourself.

    Step 4:
    Install Enigmail. Enigmail also has some nice manuals. I’m going to send you there, too. You’ll notice that some of what I’ve written is very similar to Enigmail’s page. One place they’re lacking, though, is the checksum. I’m disappointed by that.

    It’s very important that you read the instructions on how to install Enigmail. It is not obvious and is what I consider the primary failure by Mozilla on user-friendliness. Thunderbird Extensions are not Firefox Extensions. This was something that took me a week to figure out. Learn from my pain. Read their manual. Follow their instructions.

    Step 5:
    Install Firefox if you haven’t already. Once you get used to it, you’ll never go back to Internet Explorer.

    Step 6:
    Install FireGPG.

    • Open the Firefox Browser
    • Click on the Tools menu –> Add Ons.
    • Click on the top where it says “Get Add-Ons”.
    • Click on “Browse all Add-Ons” which should be on the top right hand side of the screen. This will bring you to a new website which allows you to search for Firefox add-ons.
    • In the “Seach for add-ons” bar, type “FireGPG” then [enter]
    • When it comes up with the FireGPG result, click on the “Add to Firefox” button. It will download.
    • Click Install and then when it tells you to, restart FireFox.

    Step 7:
    Develop your first public/private key pair for email encryption. I’m totally going to throw you back to the Enigmail manuals. They did a good job. Use them.

    However, before you click over there, it’s critical that you sit down, take a deep breath, and think up a passphrase that is going to represent your private key for the rest of eternity. Remember, you are the only one who will ever have access to your private key. This ensures the security of the encryption. You aren’t going to memorize the huge long list of characters that looks like this, mQGiBEicoXYRBACFu+jc9 but is more than a thousand characters long. Instead, you’re going to memorize a passphrase that is difficult to guess, is cryptographically strong, but that you can remember. Bruce Schneier talks about bad passwords. A passphrase is longer and should contain multiple special characters, numbers, capitalizations, etc. But it also has to be easy to remember for you. The character Randall Waterhouse memorized a sentence from a biography in the book “Cryptonomicon” (of course, he got it wrong when he tried to enter the passphrase). Ultimately, it’s up to you, but be sure that you can remember it. If you forget the passphrase, your encrypted data is gone gone gone.

    My passphrase is more than thirty characters long, includes both random captitalizations, alphanumeric characters and misspellings.

    Step 8:
    Publish your public key. Put them on keyservers, and send them to family and friends (these family and friends need to have followed all these steps, too). Then verify that you have good keys from everyone. More about that in a moment.

    You publish public keys on keyservers so that people who receive “signed” messages from you can go download your public key to verify that it’s from you. Enigmail has a tutorial on how to do this.

    With people whom you are acquainted with, you can exchange public keys and then verify them by vocally confirming their key IDs or key fingerprint (whatever you want to call them). Key IDs or fingerprints are a hash (kind of like a checksum) of your public key. My fingerprint is C422C269 but you shouldn’t trust this blog post. You should call me and verify that the fingerprint being displayed next to my Public Key on your Enigmail is the same as the one I give you over the phone. That eliminates the possibility of Man in the Middle attacks on our communications.

    This might seem slow, but what it allows you to do is set “trust levels” on your friends’ and families’ public keys on your encryption program. For example, on my enigmail, I can go into the Key Management and right-click on another person’s key and the “set owner trust” to anything from “I Don’t Trust” to “I Trust Ultimately”. Anyone who receives an “I Trust Ultimately” or “I trust fully” is permitted to download their trusted public keys to me automatically. Therefore, if I trust Bob and Bob trusts Jane, and I receive a message from Bob with Jane’s public key attached, I will automatically trust Jane. There is a detailed description here.

    This is powerful and dangerous. Be careful with your trust assignments.

    Step 9:
    Start sending only encrypted and signed emails to people.

    I haven’t talked much about the mechanics of doing the encryption and signature stuff inside Thunderbird or Google Mail. If feel that this can be left as an exercise for the reader. Besides, the Google Mail client changes on a weekly basis, so what I write today might be out of date by next month. Suffice to say, if you send an email and you’re not asked to type in your passphrase, you might have things set up incorrectly.

    Caveats and Warnings
    I am not a security expert. If someone says, “That Bill Ruhsam character doesn’t know his ass from his elbow!”, I would give them at least the benefit of the doubt. However, I may be wrong about the gritty details of things (descriptions of cryptography, statements about Outlook) but these programs work.

    Encryption is only as good as the system it’s based on. If you’re going to take this to heart, run the checksum in Step 1a, and verify the fingerprints of the public keys you receive as described in Step 8. Currently my public key network is entirely within friends and family, so I call them on the phone and ask them for their fingerprint by voice. Easy and secure.

    Encryption is also only as good as your passphrase and the desire and resources of someone else to break that encryption. Given enough processing power, any encryption scheme can be broken5, so don’t think that this makes your messages entirely unreadable for all time. Very secure codes from the 50’s can now be broken with ease because computers are leaps and bounds faster. Who’s to say what breakthroughs in the next ten to fifty years would allow the NSA, or whomever, to read your encrypted mail.

    Lastly, there are ways to break encrypted mail that involve trojans and viruses etc. It’s important to maintain a clean computer. If you suspect that your private key has been compromised, it’s time to revoke it and create a new one.


    1: I don’t encrypt any other method of communication, voice, SMS, twitter, paper notes, so maybe I’m being hypocritical.
    2: Or anyone who’s in possession of your private key. Remember, it’s for you and you alone. No one else should ever know what it is.
    3: Until the mathematical/computational capability arises to attack any particular key length. I refer you to various articles about encryption and encryption attacks.
    4: There are other methods for enacting public key cryptography, but I’m not going to describe them. This is a bare-bones beginners tutorial. For more, I recommend Google.
    5: Massive caveats to that statement. Don’t bother me with the exceptions.

  • Public Key Encryption

    Because I solved the issue I was having with Thunderbird, I’m ready to publish my public key for all and sundry to use.

    What does this mean? Well, from now on the emails you receive from me will be digitally signed and with the public key listed below you can confirm that they are from me1. Do I suspect that I’m being the target of multiple email address stealing thieves? No, but I’d rather start now than later when it becomes an issue. Insurance is something you purchase before you need it.

    It also means that anyone who goes through the trouble (and it is a bit of trouble, no matter what the websites say) to set up encryption on their email will be able to exchange fully encrypted emails with me. Do I suspect that some nefarious group is snooping on my emails? No (although my company explicitly says they have that right, as does my ISP, as does the NSA, FBI, law enforcement…), but I’d rather keep my private conversations private, from anyone. As it is right now, your emails flying around the ether are open for snooping by anybody who really wants to. Sure, innocent people have nothing to fear, but we shouldn’t tacitly agree to the snooping. I am not. I want to spread the encryption meme about and make it that much more difficult to access my communications.

    Join me in making it more difficult for the government, or anyone else for that matter, to monitor us. I promise that in the next few weeks, I’ll post a how-to for setting up public key encryption using Mozilla Thunderbird and GnuPG. There was a learning curve for me because most of the tutorials were written by and for people who spend a lot of time in front of a command line interface. I think there’s a market for a how-to that’s a bit more explicit.


    1This requires software. You don’t just check that public key against my email. As I say in paragraph three of this post, this is a bit of trouble to set up, but relatively seamless once it is


    Check over there to your right for my public key.

  • Learning Computer Stuff -and- Birthday

    For my birthday, I decided I needed to learn more about Mozilla Thunderbird. Specifically, I decided to remove an email account before transferring over all the email inside it. Whoops. Thus leading to “how to recover a removed Thunderbird account” google search. Thankfully, it’s easy.

    I’m moving all of my email accounts (bruhsam, junk account, and TalkingTraffic) from POP to IMAP so I may access my email wherever I am. I’ve got plenty of server space, so it’s not a problem to leave it there. I’ll also be able to access my encrypted email from my work computer (the quantity of which will keep going up as I convince my friends and family to start using it) which I wouldn’t be able to do through the webmail interface. Thankfully, Thunderbird and Enigmail (along with GNU Privacy Guard) have a lovely solution to that issue.

    As a relative newcomer to the encryption store, I’ve run into some issues when trying to get it up and running. The “how to” web pages are mostly geared to a higher level of computer user than I tend to be and definitely a person more used to command-line interface. I’ve been a Windows user since Windows came into existence (I only ever dicked around with Unix in college) so I can hardly be called a wiz with the CLI. I seem to have gotten things running, though. It sounds like I need to write a dumbed-down “how to” page if I’m going to try and convince others to sign on. Frankly, the people who advocate encryption from the tops of their computer-expertise-towers seem to be underestimating how steep the initial learning curve is, especially for someone (unlike me) who’s not willing to sit for a few hours and figure it out.

    But not today. Today’s my birthday. “Happy birthday to me, happy birthday to me…” I’ve already received an e-card from my mom (Very amusing, mother :), a card from my Aunt (Thanks Aunt Janet! Note coming!), a singing card from my mom-in-law (also very amusing, other mom), and flowers from my wifey-poo. Looks to be a good day.

  • Encryption, Security, Passwords

    If you are a hip, with-it, web 2.0 person, you probably have more online IDs and passwords than you can shake a stick at1. I do. Sitting here in front of my computer, I can think of 15 without breaking a mental sweat. To simplify my life, I’d been basically keeping the same user ID and password for everything, to avoid having a long list of passwords sitting around for someone to find. Unfortunately, there are numerous websites that don’t allow my standard password (which has special characters2). Some modifications were called for. To date, I’d really only needed to remember 3 or 4 different variations on my password theme.

    Then I read Little Brother, by Cory Doctorow (great book, by the way), and I kicked off a huge security revamp on my online life. I generally now have different passwords for everything, although I’m keeping the same user ID.

    This raises the question of how I’m going to remember all of these (strong) new passwords. An example of one I use would be “yelling@OutLoud294&+”, which is hard to figure out but easy to forget. Thankfully, TrueCrypt, a free, open-source encryption software lets you encrypt bits and pieces of your hard drive where you can place those passwords.

    But wait! What happens if you’re travelling and you want to log in to your bank account? Therein lies my woefully unused thumb drive, pictured here.

    Passwords

    After ridding the drive of the terribly annoying U3 software3 I turned half of the 1gb thumb drive into an encrypted volume that lets me use it like a regular drive space once I’ve “mounted” it with the encryption password. So, I essentially have a 1/2 gb thumbdrive worth of free space for regular document transport and a 1/2 gb thumbdrive to which I need a password for access. Remembering one crazy password is easier than 15.

    One of the nice things about TrueCrypt is that you can load the executables onto your portable drive; whatever computer you plug into won’t need to have TrueCrypt installed as long as you have those files.

    So, now you know where to go to find all of my passwords. You still need to torture me for the encryption key, though.

    1What does that phrase really mean, anyway?
    2This list includes some finanicial websites that really should know better: Bank of America, American Express, Fidelity, US Department of Education, for a few. Not permitting me to use strong passwords does not give me a warm fuzzy about my security.
    3This software crashed my home computer every single time I plugged in.