jgillman's Liquid Web Update Unofficial tips, tricks, and happenings from a Liquid Web sales engineer

1 Aug 2012

Using GPG to Sign and Encrypt Email

Although you may use SSL encryption to communicate with your mail server, there is an additional level of security that you can use on top of that.

Welcome to the world of GPG.

What is GPG?

Simply put, GPG (GNU Privacy Guard) is a way to sign and/or encrypt email at the message level, independent of whatever transport encryption the mail server provides.

It does this using public key cryptography (though it can do symmetric encryption as well). Take a look at the link to get the details, but read below for a general idea of how public key cryptography works for signing (authentication) and for encrypting traffic. The exact details may be slightly off, but the theory is correct.

Signing
Say you are my stock broker, and require all email traffic to be signed. This way, you know it's me placing that order for 2,500 shares of SLV.

Me: I write an email ordering the shares of SLV. Before sending, I create a hash of the message and encrypt that hash with my private key. I can also send my public key in that same email.

You: You, as my broker, receive the signed message. To verify it's me, you decrypt the hash using my public key and compare it to the hash you compute over the message yourself. If the two match, you know it's me (and that the message wasn't altered in transit), and you place the market order I just sent you.

Now those of you sitting in the front of the class may be asking, "How does your broker know that the public key is actually yours, and not that of someone who man-in-the-middled you?" That is a good question, and something that PKI attempts to resolve.

With that said, the issue is beyond the scope of this article, but the short of it is that if you want your recipients to be absolutely sure of your public key, deliver it, or verify that it's yours, in person.

Revocation
What do you do if your private key, or the password protecting it, gets compromised? This is where a revocation certificate comes into play. It is the equivalent of what we in the Signal community would call a Zeroize button on a piece of COMSEC equipment: it tells people that from this point on the key should no longer be used or trusted.

Encryption
Now this is the good stuff, kids. This is how you send those engineering documents without worry in case some hobnobbing corporate spook from the other company sniffs your traffic.

Me: I write my email with the attached CAD drawing for SuperDuper Product (TM). When the email is done, not only is it signed, as shown above, but the whole thing is then encrypted using the public key of the person I'm sending it to.

You: You receive the email, decrypt it using your private key, and go off to manufacture said product. Unless your private key is acquired, no one else will be able to easily read it.

So... how do I use GPG with my email client?

As it is, GPG is a stand-alone application that can be run from the command line.

However, depending on the email client, there are various plugins for integration. For Thunderbird/Icedove (which is what I use), Enigmail is one of the most common. The setup is really easy, and so is the key generation.

There's also a Chrome plugin for using PGP encryption with the web interface of GMail. That said, I haven't had a chance to test it yet.

Once you generate the key pair, you will probably want to upload your public key to a key server. The one I use is pgp.mit.edu, but it really doesn't matter which. This way, when you send a message and your public key isn't included in the email, the recipient can pull it from the key server. Again, the issue of key trust comes into play, but as I mentioned, you could call the person to verify the key (if you trust that the person on the other end is who they say they are), or get that verification in person.

Wut? No more?!?

There is much, much more that you can research about GPG, and about cryptography itself. This piece was only meant to make you aware that you can secure your email communications further than just making SSL connections to your SMTP/POP/IMAP server.

If you have any questions or critiques, don't hesitate to let me know in the comments!

Oh yes, I also forgot... here is my public key in case you would like to contact me on my work email (Key ID: 0x8293B187)

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.0
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=wwrS
-----END PGP PUBLIC KEY BLOCK-----

