When Glenn Greenwald was first contacted by Edward Snowden he found the use of PGP to be so complicated that he almost gave up. One of the big criticisms of PGP and similar email encryption software is that it is difficult and confusing to use. Let’s face it – Public Key Encryption is complicated. But at a general level it doesn’t have to be all that confusing. Some people try to explain it in the most superficial ways that don’t really answer the obvious questions, while others go into way too much depth for a non-technical user. Let’s discuss briefly how the process works and how to send an encrypted message to someone using PGP.
The definition of encryption that I like best is: “conversion of electronic data into another, form, called ciphertext, which cannot be easily understood by anyone except the authorized parties.” That is exactly what you do when you encrypt something -put it into an unreadable form that can only be made readable again by the intended recipient.
I’m not a technical person myself so I don’t know enough to bore you to sleep! In fact, computers and technology in general should be fun for the casual user. If you read a simple primer on encryption and come away with your head hurting (instead of a smile) then the material isn’t being presented correctly or it is intended for a more specialized audience (like IT students).
The GNU Privacy Guard (GnuPG) (gpg) is an implementation of OpenPGP. The graphical front end of GnuPG is GPA (Gnu Privacy Assistant). In this brief tutorial I’ll be using GPA on my Ubuntu machine and Gpg4Win on my Windows machine. Gpg4Win is simply a Windows distribution of GnuPG. To illustrate public-key encryption we will use gpg to generate key pairs and encrypted text. Public-key encryption is a form of asymmetric encryption which forms the basis of secure communication on the internet. Without it we could never be sure that our communication was secure. Think about it, if you encrypt a message with a secret key and want to send it to someone on the internet you first need to get them the secret key so they can decrypt the message. But how do you get them the secret key and be sure no one is listening in and stealing the secret key? The answer lies in asymmetric encryption. There is a ton of information on the Internet explaining symmetric and asymmetric encryption. I won’t go into all that here. Suffice it to say - asymmetric encryption is made possible by some really cool math. A key pair is created via a complex algorithm and very large prime numbers. The result can be split into two parts. What one part encrypts only the other part can decrypt. We call the part we share with the world the “public key” and the part we keep secret the “secret” key. What the public key encrypts only the secret part of that key pair can decrypt - no other key in the universe will be able to decrypt that data. Also, even though one key can encrypt the data it cannot decrypt it. It takes both keys to encrypt and decrypt data. So, to send text via an email to someone you don’t know you get their public key and plug it into the algorithm (via PGP) along with the message and the result is an encrypted text call ciphertext. When the recipient gets the message they load it into PGP and run it against their private key. The result is the plain text message again. In the real world things are much more complicated but this is how the concept works at its most basic level. Symmetric and asymmetric encryption are used together in PGP and allow us to communicate securely. They make Digital Signatures possible. They make it possible for you to know that you are communicating with your bank and not “hacker bank” in Russia or somewhere. If you encrypt something with your private key it can only be decrypted with your public key (which is available to anyone). So, if I am able to decrypt your message with your public key I know it either came from you or someone who has stolen your private key. Let’s illustrate this concept by doing something fun like sending an encrypted email message to someone and in the process discover how people who don’t know each other can still communicate securely on the Internet. Again, this can be done thanks to asymmetric encryption.
If you’re using Linux you will want to install gpa. If you’re using Windows install Gpg4win. Since most people reading this will be using either Windows or Linux we’ll work an exercise where we encrypt a message on an Ubuntu machine and decrypt it on a Windows machine. Then, we will reverse the process.
But first, let’s briefly explain how PGP works and define some terms. This will be helpful as you go through the process.
Basically, PGP works like this.
1. Creates a key pair if you don’t already have one.
2. Asks for passphrase to encrypt a private key on your computer
3. Allows you to import the recipient’s public key.
4. Creates session key to encrypt the plain text. Performs symmetric encryption.
5. Encrypts session key to recipient’s public key.
6. Produces encrypted content ready to be transmitted to the recipient.
Terms to know for understanding PGP:
key – a value (a very very very large prime number) that works with the encryption algorithm to produce the ciphertext
key pair – product of asymmetric encryption that splits a key into public and private parts. What one encrypts only the other can decrypt.
Session key – created by PGP as a one time only secret key used to encrypt the plain text using symmetric encryption. Symmetric encryption is much faster than asymmetric encryption and is used to encrypt messages and data. Asymmetric encryption is used to encrypt the session key. When PGP asks you to randomly move the mouse around it is helping create the session key. It is then encrypted to the recipient’s public key and transmitted. The recipient uses their private key to decrypt (recover) the session key and the session key is used to decrypt the ciphertext.
Keyring – used by PGP to store keys on your computer – one file for public keys and one for private keys.
Passphrase, passcode, password – used by PGP to encrypt the private key on your computer using a hash of that passphrase. That is what you are doing when PGP asks for a passcode or passphrase.
Know these terms and things will make more sense when using PGP.
Ubuntu should come with gpa installed but if not install this way -
sudo apt-get install gnupg
gpa is a great graphical user interface for OpenPGP keys. After installing GnuPG you should have gpa on your machine. In my case I had to start gpa from the command line for the process to work properly. Just type sudo gpa
Bob wants to send Alice an encrypted message using GnuPG. Let’s walk Alice and Bob through the process.
The first thing Bob needs to do is find Alice’s public key.
This is really kind of fun. Let’s make a public – private key pair for Bob using Kleopatra. Then we’ll make one for Alice on her Ubuntu machine.
- Click File – New Certificate
- Choose the first option
3. Enter a name and fake email address
4. Choose the “advanced” option and make sure RSA is selected
Create the certificate
6. Enter a passphrase (used to encrypt the secret key on your computer)
7. Move the cursor around at random in the window then go do something while the key pair is being generated.
8. Click Finish
9. You have successfully created a public/private key pair. These keys work together to encrypt and decrypt data. Let’s export the public key so you can give it to anyone and everyone.
10. With the name you want highlighted hit “export certificates” and save it to wherever you want.
11. Browse to it and open it with notepad – you’ve done it! There is your public key in all its glory.
12. Now, export your private key to a location of your choosing and never ever share it with anyone. From the menu choose “export secret keys”. In PGP the secret key is your private key and the certificate is your public key – helps to know the terminology. Make sure ASCII armor is checked.
Now, we switch back to Alice on her Ubuntu machine.
13. Alice will use gpa to create her public/private key pair.
14. Under “Key” select “New Key.” Enter name and fake mail address. Enter password and your done.
15. Export the public key to a folder and view it with a text editor.
Now for the fun part. Let’s have Alice publish her public key. We will pick up with Bob as he imports her key into his key manager.
16. Bob imports Alice’s public key.
17. Bob’s certificate is visible under “My Certificates” and Alice’s is visible under “Imported Certificates.”
18. Open notepad and write a message. Then copy it to the clipboard.
19. In Kleopatra go to clipboard drop down and select encrypt. Then go to select recipient. Look under “other certificates” and find Alice’s imported certificate. This is her public key that you will use to encrypt the message.
20. Hit next and you’re done (session key is created and encrypted to pubic key)!
21. Encrypted message is now in the clipboard. Paste it into an email and send to Alice
22. Now is is really cool. After Alice gets the encrypted message from Bob she paste’s it into the gpa clipboard. She hits “decrypt” and types in her passphrase. This uses her private key managed by gpa to decrypt the message. The message appears in decrypted form! Yesss! Success!
In order to respond back to Bob the process is reversed. Alice will get Bob’s public key that he exports from Kleoptra and import it into her gpa. She will then use it to encrypt a message back to him.
23. Alice opens gpa and imports Bob’s public key. Once imported it should show up in the gpa key manager.
24. Alice pastes or types her reply message into the clipboard.
25. Hit encrypt buffer text and select Bob’s public key. When asked if you are sure say yes.
26. Ahhh, the encrypted message.
27. Email or otherwise get the encrypted message to Bob who will paste it into the Kleopatra clipboard and decrypt it with his private key.
28. Bob can save the returned secret message to a txt file and then use “decrypt” from the file menu to select and open the file. The file is decrypted and placed as a text file (.txt.out) next to the encrypted version of the message.
This should get you going with encryption. Keep practicing with PGP. By knowing the basics you will have a much better understanding of what is going on when you use encryption based email plugins and other real world encryption products.