Advertisement

How to actually use encrypted email — idiot proof edition PT2

Understanding key signing, authentication, and revocation

PGP_a
Last week, we highlighted email encryption’s ability to protect sensitive information — social security numbers, trade secrets, and banking info — and walked you through a step-by-step guide on setting up the PGP protocol on your computer. This week, we’ll discuss the basics of actually using the encryption.

1. Indoctrinate your friends and family
Email encryption is fantastic, but ultimately useless if there’s no one to communicate with. So take the knowledge you’ve gained, and share it with friends and family to help them get started with PGP encryption.

2.  Warning: Subject line is not encrypted
Bear in the mind that while OpenPGP and Enigmail encrypt the body of your email, they also subject to Internet standards, and those standards do not permit the subject line encryption. Meaning, snooping parties will able to see the content of your email header, so beware of what information you disclose in this section. If your purpose in using encryption is to obstruct casual snooping (not because you have something to hide, but out of principle), and there’s nothing sensitive in your email’s content, then it doesn’t really matter if the subject line is too revealing. If, on the other hand, you’re the CEO of a private start-up who is speaking to venture capitalist backers about going public, then you may wish to be far more discrete with the content of the subject line.

3. Digital certificates must be signed
Digital certificates are digital fingerprints containing a digest of the public key and its identifying data; the certificate is computed using the cryptographic hash function and encrypted with the owner’s private key. Speaking in simpler terms, digital certificates ensure that public keys (other user’s address) cannot be swapped on the public key server to intercept and read messages intended for someone else. But in order for digital certificates to fulfill this function, they must first be signed — essentially vouched for — with the private keys of at least one trusted third party or the certificate authority. 

As it turns out, OpenPGP requires that the “key fingerprint” is signed by several trusted third parties who the sign certificate by computing the digest of the identifier and public key, then encrypting with their own private key.

4. How to key sign
The important takeaway here is that the more credible the third parties signing your certificate are, the more credible your public key is in suggesting that it belongs to you and not an imposter, as the imposter would have to subvert all those who’ve signed for you. The entire principle is self-policed through a trust network, so to speak, where signing someone’s key is equitable to recommending them. A comparison can be drawn to how Reddit and other self-policed forums operate. Users who’ve meaningfully contributed to the community receive “karma” or some sort of recognition by other members, and the higher the karma (or in this, the greater the number of people who’ve signed the certificate), the greater the credibility. 

Do not be afraid to ask other users to sign your key, and to sign their key in return; this is understood within the OpenPGP community. Once you’ve asked someone to sign your key, provide them with your email address and key fingerprint written on paper, not digitally. They will then use your email address to look up your public key on a key server such as the MIT PGP Public Key Server , and verify that key fingerprint you’ve provided matches the key on the server. If the two keys match, the user will get your key from the server and be able to certify that it belongs to you by including his digital signature and sending back into the server.

PGP_b
5. Assessing key credibility
Best practice dictates that you assign a trust level to all keys in your collection of private keys. There are four levels of trust:

a. Untrusted: known to sign public keys carelessly
b. Unknown
c. Marginally trusted
d. Fully trusted: you signed the key yourself, or has signed by enough fully trusted keys in your                   network.

Typically, keys obtained from the key server are valid if two conditions are met: First, they must have accrued a key signature from at least one user who you fully trust or three you marginally trust. Secondly, the path of signatures stemming from the key to yours must have five or less degrees of separation. Of course, these rules are subjective, but this is a general guideline.

6. Creating a revocation certificate
Keys uploaded onto the key server are impossible to remove, but you may wish to disassociate yourself from your current key under certain circumstances: email address changed or private key has become lost or compromised. By disassociating yourself with your key, you are revoking it and telling other users that it’s no longer effective as a public key. 

Revocation certificates should be produced early on at the time of generating your key pair as it must be signed with your private key. To create the revocation certificate, you must first access the command prompt interface of GnuPG located in the directory where you’ve installed GnuPG. If you can’t recall where, click start and type “gpg.exe” into the search bar. The default directory will be Program FilesGNUGnuPG.exe
Next, enter the following line into the command prompt while filling in “key” with the eight digit hex character ID of you key you wish to revoke: 

gpg –output .revoke.asc –gen-revoke

It’ll look something like this:

PGP_c

Once activated, the process will create a file called .revoke.asc in the same directory as GnuPG.exe. It’s very important that you remove the certificate from this location and store it in a very secure place.  

7. Signing unencrypted messages
GnuPG can also be added to emails that have not been encrypted in order to provide cryptographic authentication of the sender and make the message tamper-evident, allowing one to verify that the message has not been intercepted and altered. The downside of doing this, however, is that the message will contain a PGP header and a base 64 code digital signatures, making it appear out of the ordinary to the none-initiated. 

If the recipient uses an email client that understands OpenPGP, then authentication is automatic and the headers will be concealed and replaced by a short indication that the message has been authenticated. But if their client does not natively understand OpenPGP, then the digital signature may be validated by  copying the entire message, “—–BEGIN PGP SIGNED MESSAGE—–” and ending with “—–END PGP SIGNATURE—–,” into a temporary notepad file and validated using the Decrypt/Verify File function of Kleopatra; the function is located under the File menu. The only restraint is that the recipient must have imported the sender’s public key certificate.

I recommend using Mozilla Thunderbird with the Enigmail, whose installation was covered in the first part of this series, to auto-authenticate and save the headache. Similarly, Enigmail can be configured to add digital signatures on a address-by-person basis, making it very easy to manage your encryption. 

In closing
The PGP encryption process may seem daunting to outsiders viewing the process as a whole, but if you follow clear instructions and familiarizing with the steps, then the entire setup is significantly simplified. 

Source: Bitmonger

Advertisement



Learn more about Electronic Products Magazine

Leave a Reply