[wellylug] gpg info

Tue Feb 18 10:33:14 NZDT 2014

Hi Klaatu,

Thanks.

Your info seems timely.

I've read several news reports about email's
general lack of privacy.

Maybe gpg can help.

If I ask you nicely, may I please have the benefit
of your thoughts on two questions about your
article?

1.) In its section titled "History of OpenPGP",
    you wrote 

        "Each message is encrypted using the
        sender's private and the recipient's
        public keys"

    I'm no expert, but I assumed that only the
    recipient's public key was required.

    In your example, is the sender's private key

        a.) part of a second key pair and

        b.) used to sign the message?

2.) What is the relation of

        "(private_x * 2) * e = (private_y / 4) * e"

    to gpg?

Thanks,
Kingsley

On 02/18/14 06:38, Klaatu wrote:
> For the blokes who were curious about GPG, I have two resources I can
> offer up. One is an article I wrote for 2600 magazine (at 2600.net) on
> getting started with GPG. I'm attaching the article in .txt format to
> this email.
> 
> The other is a reference post online:
> http://straightedgelinux.com/blog/howto/setupgnupg.html
> 
> which I don't think is good as an intro but it's handy to have around
> when you're trying to remember how to do things like import keys and
> search for keys and so on.
> 
> Hope these are useful.
> 
> -klaatu

> Pretty Good Privacy
> by Klaatu
> 
> Not that it probably came as much of a surprise to most regular 2600
> readers, but the revelations that the NSA have been monitoring nearly
> all internet communications with the acquiescence of some of the
> largest and most popular service providers does reinforce the
> importance of encrypting web traffic. 
> 
> Obviously there are no guarantees with any method of
> encryption; any encryption could theoretically be broken. However,
> using the openPGP protocol to encrypt files and emails can be made
> basically transparent to the user, so there's hardly an argument
> against using it since at worst it adds at least a temporary layer of
> obfuscation to online communication.
> 
> History of OpenPGP
> 
> The back story of openPGP is well documented online, but here's a
> brief summary. Phil Zimmerman developed PGP and distributed it amongst
> friends so that they could encrypt communication. Once PGP left the US
> borders, Zimmerman was accused of exporting munitions and was brought
> to trial by the US Government. He won the battle in the end, and PGP
> itself has since been owned by a few different corporations and has
> also become an open standard.
> 
> The theory of OpenPGP involves key pairs. Each party involved in
> communication has a public and a private key. Each message is
> encrypted using the sender's private and the recipient's public keys,
> and then decrypted using the recipient's private and the sender's
> public key. 
> 
> It might help to think of it in simplified algebra.
> 
> For instance, a very simple formula such as:
> 
> x + 2 = y + 1 
> 
> is fairly easily solved, or at least it is easy to iterate through
> many possible solutions). However, a more complex example such as:
> 
> (private_x * 2) * e = (private_y / 4) * e
> 
> is quite a lot more difficult and in fact mostly impossible without at
> least one of the private values.
> 
> The actual algorith for openPGP would be quite a bit more complex with
> far longer numbers involved.
> 
> The most common implementation of OpenPGP is GnuPG (Gnu Privacy
> Guard). This is available built-in on Linux, and is freely
> downloadable for Windows and OS X.n
> 
> Basics of GnuPG
> 
> Once you have installed GPG, you must create a key pair for
> yourself. There are probably GUI programmes to help with this, but it
> is easily done via a UNIX or UNIX-like shell (such as cygwin or Power
> Shell on Windows). This article provides instructions for BASH or ZSH. 
> 
> In a UNIX terminal, type this:
> 
> gpg --gen-key
> 
> A text menu pops up, giving you a choice of encryption methods, and
> how many bits you want your key to use. The defaults are always safe.
> 
> You then must choose if and when you'd like this key to expire. The
> default is Never (0) and for personal use that's probably what you
> want. Confirm all of your choices, and then assign a user, email
> address, and an optional comment to that key. GPG prompts you for each
> of these, so enter the email account information you wish to use with
> this key.
> 
> Once your key pair is generated, you can try a test encryption. Since
> you have no one else's public key incorporated into GPG yet, this test
> will encrypt and decrypt a simple message for yourself:
> 
> echo "hello world" | gpg --encrypt > ~/hello.gpg
> 
> Now a fully encrypted file called hello.gpg exists on your hard
> drive. Were you to attempt to open the file, you would see naught but
> gibberish.
> 
> To decrypt it:
> 
> gpg --decrypt ~/hello.gpg
> 
> These examples have used GPG directly. You are free to do this for
> files or even tarred and zipped directories as an alternative to
> something like Truecrypt, and on Linux most of the popular file
> managers feature full GPG integration so that when you attempt to open
> an encrypted file, you will be prompted for your key
> passphrase. Likewise, for email, it's usually convenient to let your
> email client do the work. There may be PGP plugins for the email
> client of your choice. This article covers Enigmail, a plugin for
> Thunderbird.
> 
> Distributing Public Keys
> 
> Before you can encrypt an email message for someone, you must import
> their public key and they, in turn, must have access to yours. The
> easiest way to distribute your public key is to send it to a
> keyserver.
> 
> First, determine your key's ID:
> 
> gpg --list-keys | grep pub
> 
> This returns, for example, 1024D/BC9AE666 2009-09-11
> 
> The number following the slash is your key ID.
> 
> Push it to a key server thusly:
> 
> gpg --send-keys --keyserver keys.fedoraproject.org BC9AE666
> 
> There are many keyservers on the internet and they reguarly duplicate
> one another's list of keys, so you need only to pick one at random and
> use it. Keys.fedoraproject.org is as good as any other, but there are
> lists online.
> 
> To import someone else's key into your own GPG keychain, use the
> search function of GPG. You can search by name or email address.
> 
> gpg --search-keys klaatu
> 
> This will return a list of keys that seem to match your search; import
> the one that you feel is appropriate.
> 
> Encrypting Email
> 
> Using GPG with Thunderbird is made possible by the Enigmail
> add-on. Install the Enigmail add-on via Thunderbird's Add-On menu
> option.
> 
> Once Enigmail is installed, your Thunderbird client will have a new
> menu option for OpenPGP, and a new button or two. If you are adverse
> to the shell-based interface of GPG, the openPGP menu allows you to do
> most everything already covered in this article. Assuming you have
> already generated your keys, however, all you need to do to set up
> Enigmail is to confirm your key via the OpenPGP Menu > Key
> Management. Once this exists, you can either sign or encrypt (or both)
> your emails any time you enter an email address that matches a public
> key contained in your GPG keychain.
> 
> When composing a new email, use the OpenPGP button to tell Thunderbird
> to sign (use your key as a digital signature) or encrypt your
> message. The default behaviour for this can be set in the Preferences
> submenu of the OpenPGP menu.
> 
> When encrypting email, you will be prompted for your GPG
> password. This gives Enigmail access to your private key for the
> encryption process, and then sends a fully encrypted message to the
> recipient. If someone responds to your email with an encrypted
> message, Enigmail will automatically detect the need for decryption
> and display the message for you.
> 
> Encrypt All the Things
> 
> Increasing the usage of encryption for even casual, everyday
> communication will also help draw less attention to the traffic that,
> for whatever reason, needs to be encrypted. It just reduces the
> signal-to-noise ratio, making the pool of information murkier for
> anyone trying to take an uninvited sample.
> 
> A Note to Pittsburgh
> 
> For any readers in Pittsburgh: I am attempting to revitalize the 2600
> meetings. Check the meeting list in the back of this issue for time
> and location.

> 
> -- 
> Wellington Linux Users Group Mailing List: wellylug at lists.wellylug.org.nz
> To Leave:  http://lists.wellylug.org.nz/mailman/listinfo/wellylug

-- 
Time is the fire in which we all burn.