Tuesday, May 28, 2019

Tools of the Resistance (encryption)

Any resistance to be successful requires communication to organize. The prefered way to communicate is face to face, but this is not always possible. Many times communication must happen electronically be it email, text, or voice. Because of the nature of electronic communication it is possible for others, the status quo, to listen in on what we are saying. Because of this it is best to limit our use of the methods. If one must communicate electronically one should always use encryption. Today, 2019, we have free, open source encryption that 10 years ago would be considered military grade.

Even with strong encryption we need to be careful what we say in our email and text. The establishment has enormous resources at their disposal and can, if given enough time, crack most any encryption. So one should take care what one writes. A message like "The chair is against the wall" is not so clear as "We are having a sit-in at the CEO's office"

This post is the first in a series of posts explaining what modern encryption tools exist and how to use them. The first, this one, will be about PGP and it's open source counterpart, GPG. Then I will be writing about using GPG with email. The I'll cover text apps that encrypt.

PGP & GPG

The encryption tool pgp (Pretty Good Privacy) was written by Phil Zimmermann in 1991 and was the first serious encryption tool that supported public key encryption. After several years of lawsuits and government challenges pgp was declared to be legal for US citizens to own and use. Phil Zimmerman then founded a company to sell pgp as a security tool. Around 1997 Phil and several engineers decided that there should be an open standard for pgp encryption with an open source implementation. The Free Software Foundation agree with him and wrote what is now called gpg AKA GnuPG or GNU Privacy Guard.

Public Key Encryption

So what is public key encryption? The answer to that can get very deep and complicated The link above is to an excellent article on Wikipedia but to make this simple PKE (Public Key Encryption) is a way for 2 people to have an encrypted communication with only the recipients of the messages being able to decrypt the message and a way to confirm the identity of the person sending the message.

To begin with, both parties of the conversation have 2 keys, a public key and a private key. The public key is public, that is the public key is listed on a public key server. Anyone who wishes to have an encrypted conversation with you will write a message and encrypt it with your public key. which they downloaded from the public key server. The sender does not have, nor do they need a password to encrypt a message with a public key.

Once the message has been encrypted with the public only the person with the private key can decrypt the message. This requires the recipient of the encrypted message to decrypt with the private key and their password. To be truly secure the person sending the encrypted message will sign the message with their public key. The signature is confirmed against the sender's public key that is retrieved from the public key server.

This all sounds very complicated but, if one is using the correct tools, all this is hidden under the hood. There are a few simple steps needed to get set up. The steps are


  1.  Install the software
  2. Create your public and private key
  3. Configure Thunderbird (email reader)
  4. Distribute your public key 

I will be publishing three additional blog posts about how to do the above steps on Linux, Macintosh, and Windows.









No comments:

Post a Comment