jgillman's Liquid Web Update Unofficial tips, tricks, and happenings from a Liquid Web sales engineer


Using GPG to Sign and Encrypt Email

Although you may use SSL encryption to communicate with your mail server, there is an additional level of security that you can use on top of that.

Welcome to the world of GPG.

What is GPG?

Simply put, GPG (Gnu Privacy Guard) is a way to sign/encrypt email traffic at the message level.

It does this using public key cryptography (though it can do symmetric encryption as well). Take a look at the link to get the details, but read on below for a general idea of how public key cryptography works for signing (authentication) and encryption of traffic. The exact details may be slightly off, but the theory is correct.

Say you are my stock broker, and require all email traffic to be signed. This way, you know it's me placing that order for 2,500 shares of SLV.

Me: I write an email ordering the shares of SLV. Before sending, I create a hash of the message and encrypt that hash with my private key. I can also send my public key in that same email.

You: You, as my broker, receive the signed message. In order to verify it's me, you decrypt the hash using my public key and compare that decrypted hash to the hash you computed yourself from the message. If it matches, you know it's me, and you place the market order I just sent you.

Now those of you sitting in the front of the class may be asking "How does your broker know that the public key is actually yours, and not someone who man-in-the-middled you?". That is a good question, and something that PKI attempts to resolve.

With that said, the issue is beyond the scope of this article, but the short of it is that if you want your recipients to be absolutely sure of your public key, deliver it, or verify that it's yours, in person.

What do you do if your private key, or the password protecting it, gets compromised? This is where a revocation certificate comes into play. It is the equivalent of what we in the Signal community would call a Zeroize button on a piece of COMSEC equipment: it tells people that from this point on the key should no longer be used or trusted.

Now this is the good stuff, kids. This is how you send those engineering documents without worry in case some hob-knobbing corporate spook from the other company sniffs your traffic.

Me: I write my email with the attached CAD drawing for SuperDuper Product (TM). When said email is done, not only is it signed, as shown above, but then the whole thing is encrypted using the Public Key of the person I'm sending it to.

You: You receive the email. The email is then decrypted using your private key, and you now go and manufacture said product. Assuming your private key hasn't been acquired by someone else, no one else will be able to read it.

So... how do I use GPG with my email client?

As it is, GPG is a stand-alone application that can be run from the command line.

However, depending on the email client, there are various plugins for integration. For Thunderbird/Icedove (which is what I use), Enigmail is one of the most common. The setup is real easy, and so is the key generation.

There's also a Chrome plugin to use PGP encryption for the web interface of GMail. With that said, I haven't had a chance to test it yet.

Once you generate the key pair, you will probably want to upload your public key to a key server. The one I use is pgp.mit.edu, but it really doesn't matter. This way, you can send a message, and if your public key isn't sent in the email, the recipient can pull it from the key server. Again, the issue of key trust comes into play, but as I mentioned, you could probably call the person to verify the key (if you trust that the person on the other end is who they say they are), or get that verification in person.

Wut? No more?!?

There is much, much more that you can research about GPG, and about the subject of cryptography itself. This piece was just designed to show you that you can secure your email communications further than just making SSL connections to your SMTP/POP/IMAP server.

If you have any questions or critiques, don't hesitate to let me know in the comments!

Oh yes, I also forgot... here is my public key in case you would like to contact me on my work email (Key ID: 0x8293B187)


