Actions

Privacy

From RonWareWiki

Revision as of 07:00, 28 August 2008 by Ron (talk | contribs) (→‎Keys)

Communication over the Internet is public - anyone with sufficient technical skill can monitor any communication. Email, in particular, is usually sent in a "plain text" format (even HTML mail is essentially plain text). If you want to communicate privately with others, or if you want to keep information on your computer private so that other people cannot access it, you need to use "encryption". The specific kind of encryption I am mentioning here is called "public-key" encryption, and the specific package I use to encrypt is called "GnuPG". There are other systems available, but I use GnuPG.

Why encryption?

There are a number of reasons one might wish to use an encryption package such as GnuPG:

  • Protecting financial information. For example, credit card or bank account numbers. Using GnuPG it is possible to send such information over the Internet without concern someone might intercept and abuse it.
  • Keeping business plans secret. One may wish to discuss sensitive or proprietary information in an email. Using GnuPG it is possible to do so without concern the competition will access it.
  • Personal discussions. Anything of a private or personal nature may be discussed in a GnuPG encrypted email without worrying a person who should not be privy to the information will read it.
  • Proof of sender. When an email is digitally signed with GnuPG, one may be absolutely certain the mail originated from the purported sender. The return email address is not sufficient for this purpose.

Besides these uses, it is trivially possible to encrypt documents on one's own machine so that third parties cannot access them. Similarly, one may encrypt a backup file and put it in a public storage area without concern it will be read.

Installation

How to set it up:

  1. Download the GNUPG package.
    • Windows users: There is a Windows installer which includes everything (just run the installer).
    • Linux users: consult your distribution for details on whether there is an installable package already (most distros do have a gpg package). If not, you'll have to download, compile and install it yourself.
  2. After you have it installed, create your own "key pair".
    • Windows: start the "GPA" program, which will allow you to do all the steps mentioned here.
    • Linux users: you can run "kgpg" and do things the GUI way like Windows users, or type "gpg --gen-key"
  3. Upload your public key to a public key-server.
    • Windows: GPA has an easier way to accomplish the same thing.
    • Linux: "gpg --send-keys KEYID", where "KEYID" is the eight-character ID associated with your new key. To figure out what it is, do "gpg --list-keys myname", where "myname" is the email you gave GPG to generate your key.
  4. Import my key to your key-ring (that is, if you want to communicate with me!).
    • Linux:"gpg --recv-keys ad29415d" (That last is the "KEYID" for my key, "ron@ronware.org").

Testing

After having set up the program (which admittedly is a bit of a pain), you should test it. First thing you want to do, is send your "KEYID" to the person you want to communicate with. For example, if I wanted to communicate with you (I do!) I might send you an email containing the line: My KEYID is: ad29415d

NOTE: My public key "fingerprint" is: 8130 734C 69A3 6542 0853 CB42 3ECF 9259 AD29 415D . If you use some other key, it is not mine!

Send an email to the person you want, using the program you prefer. There are GPG "plug-ins" for Outlook (included in the Windows installer link above), and for Thunderbird (called "EnigMail). There are other plug-ins as well, check out the GnuPG.org site for details (look at "frontends"). You will want to send the mail encrypted for the recipient you are interested in (you may also want to encrypt it to yourself so you can read it later!).

Caveats

  • It doesn't matter much what key-length you use, as long as it is 1024 or higher. However, the higher it is, the slower things get - and at this point and for the foreseeable future such a key is unbreakable.
  • The passphrase you use to access your keys (which you create when you generate a key pair), gives access to your private key. Make very sure it is something you will remember, but not something anyone else can guess. Longer is better, up to a point. The phrase is case-sensitive, so "DoG" is not the same as "dog". Do not let anyone else know this phrase!
  • The "keyring" you created (e.g. the place where your private-public key pair is stored) is the linchpin of the encryption system. If someone gets a hold of it, and knows your passphrase, that person can decrypt anything you encrypted with that key. So be careful, and don't leave it on publicly-accessible computers. You will want a backup of it, which you should probably put on a USB key (in fact, keeping your key only on such a USB key is probably the most secure thing you can do).

Keys