As more and more of our data is stored and/or communicated digitally it’s becoming increasingly important for everyone to be aware of their privacy and security. Even though you might think nobody else could possibly be interested in your data, it doesn’t hurt to take some steps to educate yourself on how to protect your data online.
Encryption is one option to protect your data and using it can be quite straightforward. You may rarely or never come across a situation where you’d need to encrypt a message or file but it might happen and being prepared is always good. Besides that, I’m a bit of a nerd and I find this kind of thing fascinating and if you’re reading this then chances are you do too.
This post should serve as a quick-and-dirty primer, so I won’t be delving into too much detail, but for those who are interested I’ll leave you with some links at the bottom of the page. For those of you still stuck with Microsoft, I’m working on a Windows version of this guide – stay posted!
I’m about to show you how to set up your own public/private PGP key pair in Ubuntu linux. With this key pair you’ll be able to encrypt, decrypt and sign data. PGP stands for Pretty Good Privacy, and is a commercial encryption platform. The people behind it helped create an IETF standard called OpenPGP. The great thing about that is that anyone is free to base their own software on it, and all these different tools can cooperate and exchange data. What you’ll be using is actually called GPG (GNU Privacy Guard) and is a free and open source alternative.
First, a very quick crash course on how PGP works: PGP uses a concept called public-key cryptography to make it possible for us to encrypt, decrypt and sign digital data. To use PGP you need a pair of keys which essentially represent your identity and allow you to encrypt/decrypt data.
Public key
Your public key (which you can distribute freely) is used to encrypt data in such a way that it can only be decrypted by your private key (which you keep completely secret).
Private key
Your private key, as mentioned above, decrypts stuff. It can also attach a signature to your data which can than be used to verify its authenticity. Your private key is basically top secret – if anyone gets their hands on it they can forge your signature and decrypt anything that was encrypted using your public key. That is, assuming they can guess your passphrase.
The basic idea
Bob needs to send Alice some sensitive information via e-mail. Alice and Bob decide to exchange their public keys to facilitate this process. Bob first signs his message with his own private key and then uses Alice’s public key to encrypt everything. He sends it to Alice normally and when she receives the message she uses her private key to decrypt it and Bob’s public key to verify his signature. Alice feels secure because the message was reasonably encrypted and knows that Bob’s private key was used to sign that data, giving her a great deal of confidence that the message is, in fact, from Bob and not from some impostor. Another way to look at this would be to imagine your public key as a lock and your private key as the only key that can open that lock. If someone wants to send you some sensitive data, they put their message in a box and seal it with your lock before sending it to you.
Now that we know a bit about how this stuff works, you need to create your own key pair. To do this you’ll use Seahorse, which is a GUI frontend to the GPG command line tools. For some strange reason, Seahorse is actually labeled “Passwords and Encryption Keys” and is found in the Applications > Accessories menu.
In the File menu, click “New…” (or press CTRL-N) to open the new key dialog. Select “PGP Key” and click the continue button. The next window will prompt you to enter your full name, your e-mail address and an optional comment. Feel free to look at the advanced options dropdown, but I won’t be covering any of that stuff here. Fill in your information and click the create button. You’ll be prompted to enter a passphrase; make it as long and complicated as you think you can handle – if your passphrase is easily crackable then someone could compromise your key.
Once you enter a passphrase your key pair will be created and you can see it under the “My Personal Keys” tab. Pretty easy so far. Now to make it easy to work with encrypted/signed data, you’ll want to use Synaptic to install the seahorse-plugins package. This package enables PGP operations from Nautilus’s right-click menu. At this point, you need to make your public key available so that people can use it to verify your signature and encrypt information they send to you. You can do this by simply exporting it as a text file (by right-clicking on your key pair in Seahorse and selecting “Export…”) or by using public keyservers (I won’t cover that here).
To test things out, create a text file on your desktop. First, let’s try signing it. Right-click on the file and select “Sign”. You’ll be prompted to choose who the “signer” will be (i.e. which private key to use). Select your key from the list and enter your passphrase when asked. A text file will pop up on your desktop containing your signature. If you double-click on that file, it will be used to verify the contents of the signed file. Pretty neat right? If you distribute this file (who wouldn’t want an empty text file?), just send your signature file along with it and someone who has your public key can now verify your signature on that file.
Now let’s try encrypting data. The process is similar to signing above. Right-click on your text file and select “Encrypt…”. You’ll see a window pop up asking you to select recipients. The recipients you have to choose from will correspond to the public keys that you have in your Seahorse keyring. In this case you’ll probably just have yours, so you have to encrypt the message to yourself. When you encrypt data, it’s usually a good idea to sign it first as well, and you can do so using the “Sign message as:” dropdown box (you can also choose not to sign it). An encrypted copy of your file will appear on you desktop, with a .pgp extension. If you double-click on that file, you’ll be prompted to enter your passphrase to decrypt it. If you had chosen someone else as a recipient and then sent the file to them, they’d be doing the same thing on their end.
That’s pretty much it. Evolution comes with support for GPG/PGP keys so you are able to sign/verify and encrypt/decrypt messages from right within it.
The Web of Trust
Everything up until now seems pretty good, but there’s still a bit of a problem. How do you know whether someone actually is who they say they are based on their public key? As you probably know by now, there’s nothing stopping you from creating a set of keys with another name. I could easily create a key purporting to belong to Elvis Presley and attempt a resurrection. How can you decide whether to trust a key or not? PGP’s solution to this is called the Web of Trust, and the underlying concept is actually quite simple. Public keys themselves can be signed as a sort of vote of confidence, the idea being that you cryptographically sign the public keys of people you trust. Anyone who sees that public key can choose whether or not to trust it based on the signatures it has – if they trust someone who has signed that key, they can trust it as well (unless they don’t want to). For example, Alice and Bob sign each other’s keys, implying that the trust each other to be who they say they are. Alice also signed her friend Carol’s public key. If Bob happens to exchange keys with Carol independently of Alice, he can choose to trust her key based on the fact that he trusts Alice, who signed the key herself (which Bob can verify using his copy of Alice’s public key).
There are other rules and criteria used to determine trust in PGP, but you’re essentially building a web/network based on trust and verified by PGP signatures.
Armed with your public/private key pair, you’re one step closer to protecting your privacy and data :). The only thing left is to exchange public keys right? So here’s my public key. Feel free to put a link to yours in the comments (please don’t include the entire key in the comment itself), and if you trust someone, you can sign their key and start establishing your very own web of trust!
Resources:
Encryption is one option to protect your data and using it can be quite straightforward. You may rarely or never come across a situation where you’d need to encrypt a message or file but it might happen and being prepared is always good. Besides that, I’m a bit of a nerd and I find this kind of thing fascinating and if you’re reading this then chances are you do too.
This post should serve as a quick-and-dirty primer, so I won’t be delving into too much detail, but for those who are interested I’ll leave you with some links at the bottom of the page. For those of you still stuck with Microsoft, I’m working on a Windows version of this guide – stay posted!
I’m about to show you how to set up your own public/private PGP key pair in Ubuntu linux. With this key pair you’ll be able to encrypt, decrypt and sign data. PGP stands for Pretty Good Privacy, and is a commercial encryption platform. The people behind it helped create an IETF standard called OpenPGP. The great thing about that is that anyone is free to base their own software on it, and all these different tools can cooperate and exchange data. What you’ll be using is actually called GPG (GNU Privacy Guard) and is a free and open source alternative.
First, a very quick crash course on how PGP works: PGP uses a concept called public-key cryptography to make it possible for us to encrypt, decrypt and sign digital data. To use PGP you need a pair of keys which essentially represent your identity and allow you to encrypt/decrypt data.
Public key
Your public key (which you can distribute freely) is used to encrypt data in such a way that it can only be decrypted by your private key (which you keep completely secret).
Private key
Your private key, as mentioned above, decrypts stuff. It can also attach a signature to your data which can than be used to verify its authenticity. Your private key is basically top secret – if anyone gets their hands on it they can forge your signature and decrypt anything that was encrypted using your public key. That is, assuming they can guess your passphrase.
The basic idea
Bob needs to send Alice some sensitive information via e-mail. Alice and Bob decide to exchange their public keys to facilitate this process. Bob first signs his message with his own private key and then uses Alice’s public key to encrypt everything. He sends it to Alice normally and when she receives the message she uses her private key to decrypt it and Bob’s public key to verify his signature. Alice feels secure because the message was reasonably encrypted and knows that Bob’s private key was used to sign that data, giving her a great deal of confidence that the message is, in fact, from Bob and not from some impostor. Another way to look at this would be to imagine your public key as a lock and your private key as the only key that can open that lock. If someone wants to send you some sensitive data, they put their message in a box and seal it with your lock before sending it to you.
Now that we know a bit about how this stuff works, you need to create your own key pair. To do this you’ll use Seahorse, which is a GUI frontend to the GPG command line tools. For some strange reason, Seahorse is actually labeled “Passwords and Encryption Keys” and is found in the Applications > Accessories menu.
This is the main Seahorse screen
Select PGP Key here
Fill in your information
Signatures on your key
Key properties
Key details
Now let’s try encrypting data. The process is similar to signing above. Right-click on your text file and select “Encrypt…”. You’ll see a window pop up asking you to select recipients. The recipients you have to choose from will correspond to the public keys that you have in your Seahorse keyring. In this case you’ll probably just have yours, so you have to encrypt the message to yourself. When you encrypt data, it’s usually a good idea to sign it first as well, and you can do so using the “Sign message as:” dropdown box (you can also choose not to sign it). An encrypted copy of your file will appear on you desktop, with a .pgp extension. If you double-click on that file, you’ll be prompted to enter your passphrase to decrypt it. If you had chosen someone else as a recipient and then sent the file to them, they’d be doing the same thing on their end.
That’s pretty much it. Evolution comes with support for GPG/PGP keys so you are able to sign/verify and encrypt/decrypt messages from right within it.
The Web of Trust
Everything up until now seems pretty good, but there’s still a bit of a problem. How do you know whether someone actually is who they say they are based on their public key? As you probably know by now, there’s nothing stopping you from creating a set of keys with another name. I could easily create a key purporting to belong to Elvis Presley and attempt a resurrection. How can you decide whether to trust a key or not? PGP’s solution to this is called the Web of Trust, and the underlying concept is actually quite simple. Public keys themselves can be signed as a sort of vote of confidence, the idea being that you cryptographically sign the public keys of people you trust. Anyone who sees that public key can choose whether or not to trust it based on the signatures it has – if they trust someone who has signed that key, they can trust it as well (unless they don’t want to). For example, Alice and Bob sign each other’s keys, implying that the trust each other to be who they say they are. Alice also signed her friend Carol’s public key. If Bob happens to exchange keys with Carol independently of Alice, he can choose to trust her key based on the fact that he trusts Alice, who signed the key herself (which Bob can verify using his copy of Alice’s public key).
There are other rules and criteria used to determine trust in PGP, but you’re essentially building a web/network based on trust and verified by PGP signatures.
Armed with your public/private key pair, you’re one step closer to protecting your privacy and data :). The only thing left is to exchange public keys right? So here’s my public key. Feel free to put a link to yours in the comments (please don’t include the entire key in the comment itself), and if you trust someone, you can sign their key and start establishing your very own web of trust!
Resources:
- Learn about all things GPG in the GNU Privacy Handbook
- Public-key cryptography on Wikipedia
No comments:
Post a Comment