E-Mail Security & GnuPG

Author:

E-mail is the fastest mail service in today's world. All of us are now
very much dependent upon this service, but how much care do we take to
protect it from tapping? An e-mail can easily be tapped by a third party
while the mail is in transit, so your personal or private mail does not
remain confidential. Suppose you are going to send a vital password,
such as your Internet Banking log-in ID and password, to your son; now
think of the situation where somebody taps it over the net and, when you
or your son opens your bank account, you find that there is no money at
all in it. So it is very insecure to send such confidential information
by e-mail. Is there, then, no way to send such confidential information?
Yes: you can send it by encrypting your mail. This is a complete HOW TO
regarding this service, and I think a similar complete how-to on this
subject is still unavailable on the net, so if you think it is required
for you, you may proceed with the article.

What is encryption and decryption?

Encryption is simply a secured electronic box into which you can put
your content. It locks automatically at the time of sending the message
and never unlocks unless the recipient opens it with the unlock key
that only he knows. There is every chance that this e-mail is tapped
over the internet, but nobody is able to open it, as he does not know
the unlock key to open the encrypted message. It is believed to be the
best security for e-mails over the internet. In the above example, if
you encrypt your message, then the body of the message will be
converted and look like garbage text (term: ciphertext). When it
reaches the recipient's address, his MUA (Mail User Agent) will decrypt
this message and it will again come into a human readable form. To
decrypt an encrypted message without the key is not so easy; it
involves a lot of trial and error.

Plain text -> Encryption -> Ciphertext -> Decryption -> Plain text

There are two types of keys involved in this encryption and
decryption. One is the public key, which can be shared among your
trusted circle. The other is the private or secret key.

A public key encrypts data and has a corresponding private or secret
key for decrypting it. So anybody who has the public key can encrypt a
message, and only those who have the particular private key can decrypt
the message.

That is why a pair of keys is needed to do the whole task.

PGP (Pretty Good Privacy) is a tool which gives you this kind of
protection by encrypting and decrypting your message in more or less
the same fashion, but here the strength of the encryption and
decryption is much better, as it uses a hybrid cryptosystem: the
message body is encrypted with a fresh symmetric session key, and only
that session key is encrypted with the recipient's public key.

GnuPG is a tool which comes under the GPL and can be shared, copied,
modified and redistributed freely. We will discuss GnuPG and how to set
it up for an e-mail client. In this test, I have used Mozilla
Thunderbird as the e-mail client. It also comes under the GPL.

The latest version of GnuPG can be obtained from
http://www.gnupg.org/(en)/download/index.html

Some Linux distributions come with GnuPG bundled, such as PCQ Linux
2005, so you do not have to install it again. Take care to download
version 1.2.4 or higher, as it is stable and free from a lot of known
bugs. PCQ Linux includes 1.2.6 and it is working fine for me.

Hope you have installed the GnuPG software or are using such a
distribution in which GnuPG is installed.

Create a key pair

Now you start creating your own pair of keys.

[gagan:~]$ gpg --gen-key
gpg (GnuPG) 1.2.6; Copyright (C) 1999 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: /home/gagan/.gnupg: directory created
gpg: /home/gagan/.gnupg/options: new options file created
gpg: /home/gagan/.gnupg/secring.gpg: keyring created
gpg: /home/gagan/.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
  (1) DSA and ElGamal (default)
  (2) DSA (sign only)
  (4) ElGamal (sign and encrypt)
Your selection? 1

You must select the type of key you would like to use. For most users
the default, DSA and ElGamal, is sufficient.

DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
             minimum keysize is  768 bits
             default keysize is 1024 bits
   highest suggested keysize is 2048 bits
What keysize do you want? (1024)

Next, you are asked what keysize you want. In general, 1024 bits is more
than adequate. The larger the key, the longer it will take to encrypt
and decrypt messages.

Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y

In this example, Gagan doesn't want his keys to expire, so he accepts
the default.

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
   "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Gagan D. Public
Email address: gagan@example.org
Comment: Potential
You selected this USER-ID:
   "Gagan D. Public (Potential) <gagan@example.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
Enter passphrase:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

[gagan:~]$

Gagan is prompted for his name, email address, comment, and passphrase.
GNU Privacy Guard then starts generating the keys.

Once a pair of keys is generated, Gagan needs to make his public key
available so others can send encrypted messages to him. This is done
with the "--export" option to the gpg command. The key is exported as a
binary file, which isn't suitable for emailing, so the "--armor" option
will ASCII-armor the key. The key is also sent to stdout; to send the
output to a file, use the "--output" option as follows:

[gagan:~]$ gpg --armor --output pubkey.asc --export gagan@example.org

Now that Gagan has exported and distributed his key, I'll send him my
key (named abc.asc) so he can send me encrypted messages.

[gagan:~]$ cat abc.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

-----END PGP PUBLIC KEY BLOCK-----

The "--import" option will allow you to import a public key into your
keyring as follows:

[gagan:~]$ gpg --import abc.asc
gpg: key 76BF6FAD: public key imported
gpg: /home/gagan/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg:               imported: 1
To list the keys in a keyring, use the "--list-keys" option:

[susan:~]$ gpg --list-keys
/home/gagan/.gnupg/pubring.gpg
------------------------------
pub  1024D/533F200F 2000-03-07 Gagan D. Public (Potential)
sub  1024g/C8F2C0F7 2000-03-07
pub  1024D/76BF6FAD 1999-09-10 ABC Jhunjhunwala
sub  1024g/61A19A5E 1999-09-10
(To view more of the above please follow this link,
http://www.linuxsecurity.com/content/view/117464/49/ )

N.B. If at the very beginning you fail to create the key pair using the
`--gen-key' command and get the error `cannot create directory', create
the `.gnupg' directory under YOUR `~' (home) directory yourself, using
`cd ~' and then `mkdir .gnupg'. This will solve the problem. Then run
the `--gen-key' command again.
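The key-pair, export, import and encrypt/decrypt steps above, run end to end as an added example (not from the article) between Gagan and ABC, each with a separate keyring under his own --homedir. It assumes GnuPG 2.1 or later for batch key generation; the names, addresses and message text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: the key-pair, export, import and
# encrypt/decrypt steps above, run end to end between Gagan and ABC with
# separate keyrings. Assumes GnuPG 2.1+ (batch key generation with
# %no-protection); names, addresses and the message are constructed.
set -e
# Create a private GNUPGHOME for one user and generate a key in it without
# the interactive --gen-key prompts. An unprotected key is acceptable for
# this throw-away demo only; a real key gets a passphrase.
make_keyring() {            # $1 = real name, $2 = e-mail; prints home dir
    home=$(mktemp -d) && chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
    echo "$home"
}

demo_roundtrip() {
    gagan=$(make_keyring "Gagan D. Public" "gagan@example.org")
    abc=$(make_keyring "ABC Jhunjhunwala" "abc@example.org")
    # Each side exports its ASCII-armored public key (--armor --export,
    # as in the article) and the other side imports it (--import).
    gpg --homedir "$gagan" --armor --export gagan@example.org > "$abc/pubkey.asc"
    gpg --homedir "$abc" --quiet --import "$abc/pubkey.asc"
    gpg --homedir "$abc" --armor --export abc@example.org > "$gagan/abc.asc"
    gpg --homedir "$gagan" --quiet --import "$gagan/abc.asc"
    # ABC signs and encrypts a message to Gagan. --trust-model always
    # stands in for the key signing / web of trust step a demo cannot do.
    printf 'Meet at the key signing party.\n' |
        gpg --homedir "$abc" --batch --yes --quiet --trust-model always \
            --armor --sign --encrypt --recipient gagan@example.org \
            --output "$gagan/msg.asc"
    # Gagan decrypts; the machine-readable status file says whether ABC's
    # signature checked out (GOODSIG) instead of relying on stderr text.
    plain=$(gpg --homedir "$gagan" --batch --quiet \
                --status-file "$gagan/status" --decrypt "$gagan/msg.asc")
    if grep -q '^\[GNUPG:\] GOODSIG' "$gagan/status"; then sig=good; else sig=BAD; fi
    for h in "$gagan" "$abc"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
    echo "$plain ($sig signature)"
}
case "${1:-}" in run) demo_roundtrip ;; esac
```

Run it as `sh demo.sh run`; it prints the decrypted line followed by "(good signature)", and a tampered or unsigned message would show "(BAD signature)" instead.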

Now you have created the key pair for yourself. It is time to make
your MUA gpg compatible. I am using Mozilla Thunderbird and that is why
I discuss it here, but others can also be configured in the same way.

To make Mozilla Thunderbird gpg compatible, you should download and
install a small piece of software, `enigmail'. This comes as two very
small files: one is `enigmail-0.92.0-tb-linux.xpi' and the other is
`enigmail-0.92.0-tb-linux.xpi.asc' (the detached signature over the
first).

Open Thunderbird and install the software using the menu
TOOLS -> EXTENSIONS -> INSTALL and install the .xpi file.

After installation of the above file, open a shell, go to the directory
where these files are saved and run the following command to check that
the extension you installed is really the one signed by its developers:

[gagan:~]$ gpg --verify filename.xpi.asc

This will give you a message like this (gpg can only verify it if the
Enigmail signing key is already in your keyring; otherwise it reports
that the public key was not found):

gpg: Good signature from "Gagan D. (Enigmail sig) <enigmail@mozdev.org>"

Now, close Thunderbird and restart it. You should see the `Enigmail'
menu before the Tools menu. To know more about Enigmail, its download
and its installation, read http://enigmail.mozdev.org/download.html

Open EDIT -> PREFERENCES -> ACCOUNT SETTINGS -> OpenPGP Security.
Check: OpenPGP support (Enigmail) for this identity
Also click the radio button `Use specific OpenPGP key ID (0x1234ABCD)'.
Click the `Select Key' button and choose your key ID.

Check: Sign non-encrypted messages by default
Check: Sign encrypted messages by default

Now look at the left pane and find `Composition and Addressing'. Click
it. Uncheck `Compose messages in HTML format'.

Click OK.

Now you can send mails carrying your OpenPGP signature. Send some mails.
But no, to your correspondents the mail is still not from a trusted
source: nobody they trust has signed your key yet. Now you need to
build your Web of Trust. You may now read some terminology related to
this article which should help you:
http://www.cryptnet.net/fdp/crypto/gpg-party.html

Uploading your key to a secure keyserver

Now open the web site http://keyserver.pgp.com/

Click the BROWSE button beside `Upload your PGP public key' and select
your pubkey.asc file. Click UPLOAD and follow their instructions. They
will send a mail to your mail ID and verify it according to their
needs.

You have now uploaded your key to a key server.

Again open Thunderbird. Open EDIT -> PREFERENCES -> ACCOUNT SETTINGS
-> OpenPGP Security and
Check: Send OpenPGP key ID
Check: Send URL for key retrieval, and put in your keyserver name, such
as `http://keyserver.pgp.com/'

This will make your public key available to others, and they can check
your web of trust from the keyserver.

Now add anybody's public key, sign it and define the level of trust
using ENIGMAIL -> OpenPGP key management. If somebody has his own PGP
key and sends you a mail, you can see a pen icon at the right side of
the Thunderbird ADDRESS pane. Right-click the pen icon and search for
his key using the keyservers; if you do not find his key, use some
other keyservers. You can find a lot of key servers by searching at
Google. You may also ask the person to send his .asc file, which you
can add to your public keyring, but in this case you cannot be sure
about his web of trust: you have only his word that the key is his, so
compare its fingerprint with him over another channel before signing it.

You can send encrypted messages to those whose public key is signed by
you.

You have finished the topic. Enjoy, and WELCOME YOU AT THE KEY SIGNING
PARTY.

--Anindya Banerjee
Public key ID : 0x6E09BDCE
Keyserver : http://keyserver.pgp.com/
So, find my mail ID by searching at my keyserver and send me your mail
with your valid key ID and the URL of your keyserver.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDCfqpQsgTNm4Jvc4RAt9jAKCpgV7oOAq3Fw41jifqAMft7LA4owCfRRwN
t7qCaCG36qhdyhbzBIRzlWo=
=lfd7
-----END PGP SIGNATURE-----
