Keyed In
US intelligence agencies tap into billions of call data and electronic messages monthly – reason enough to consider encrypting your email traffic.
Anyone who sends email unencrypted needs to be aware that every system on the path between sender and recipient can read it. It is therefore highly advisable to encrypt your communications. Two encryption standards have prevailed over the years, S/MIME and OpenPGP. Both are open standards that security experts constantly scrutinize for weaknesses.
S/MIME, like HTTPS, relies on X.509 certificates issued by certification authorities (CAs), which bind a key to a name (for email, to an address). It is used mainly in the corporate world, whereas OpenPGP is more prevalent among private users. This article focuses on OpenPGP as implemented by the free software GnuPG [1] under Linux.
In this article, I'll provide some basic guidelines for encrypting your email and explain how to encrypt and decrypt messages with the common Linux mail clients KMail and Thunderbird. The same procedure applies to other mail programs that support GnuPG. An important part of the process is making sure that both sender and recipient are set up to send and receive encrypted mail.
Both standards follow the same principle: the algorithm is publicly documented, and all secrecy rests in a key that is independent of the algorithm. The private key must never be revealed. If it is, you revoke it and generate a new one; the programs involved (GnuPG and the email client) remain usable as before, and only the key changes.
How do you get a key to your correspondent without prying eyes seeing it? Over a monitored network you cannot hand over a shared secret safely, and in the age of global telecommunications surveillance, guarding your own key is definitely a matter of personal responsibility. To avoid the exchange problem, GnuPG uses asymmetric public key cryptography, with two keys that are mathematically linked: a public key for encryption and a secret one for decryption (Figure 1).
More important than the mathematical details is the role the public key plays in the process. Anyone who knows the public key of the pair can encrypt a message so that only the holder of the corresponding private key can decrypt it. That private key is normally known only to the recipient, so the sender cannot even decrypt, and thus cannot modify, his own message once it is encrypted. (Mail clients usually also encrypt outgoing messages to your own key so that you can still read your Sent folder; in GnuPG this is the encrypt-to option in gpg.conf.)
With OpenPGP, key servers handle the global distribution of public keys. If you want to send an encrypted email to someone who has published a PGP key, you can query one of the key servers, which synchronize with each other, for the recipient's email address.
The system has a catch, however: anyone can create and publish a key for any email address, because the classic key servers do not verify ownership. If you encrypt an email with the wrong key, the intended recipient cannot decrypt it, because his private key does not correspond to the public key you used.
Things get critical when an attacker uses such a spoofed key to intercept your email (Figure 2), because he holds the corresponding private key and can decrypt it. After reading the message, he can re-encrypt it, possibly with altered content, using the recipient's authentic public key and forward it. This man-in-the-middle scenario can play out without the sender or the recipient noticing.
OpenPGP provides two methods for verifying that a public key really belongs to its claimed owner. Each key has a fingerprint: for the usual v4 key format, a 160-bit SHA-1 hash of the public key, displayed as 40 hexadecimal digits, usually grouped as 10 blocks of four. Because constructing a second key with the same fingerprint is computationally infeasible, matching fingerprints effectively establish that both parties are looking at the same key. Compare the whole fingerprint: the eight-digit "short key ID" that some tools still display is only its last 32 bits, and keys that collide on it can be generated at will.
Before sending security-critical emails, contact the recipient out of band, by telephone for example, and compare the fingerprints of your OpenPGP keys. It does not matter whether an attacker can listen in on that conversation as long as he cannot manipulate it: the fingerprint is not secret, only its integrity counts. Once the fingerprints match, you can mark the key as trusted in GnuPG by signing it, and use it for all further messages.
The second method is to have the key signed by a third party who has verified it and vouches for its authenticity with his own OpenPGP key (the web of trust).
Such a signature is only as good as the signer's key, however. Anyone can create a key in any name and sign with it, so the method works only if you have verified the signer's fingerprint yourself and decided to trust his judgment. Technically, the signature guarantees only that a specific private key certified that fingerprint; it says nothing about how carefully the signer checked.
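The procedure described above, scripted against GnuPG as an added example (this is not code from the original article or from the GnuPG project). Four throw-away keyrings stand in for Alice, Bob, a third party Carol, and an attacker Mallory who has published a key for Bob's address; all names, addresses and the fingerprint "read out over the phone" are constructed for the demo. The script shows that gpg in batch mode refuses to encrypt to a key nobody has vouched for, that a local signature after a fingerprint check (method one) or a certification by a signer you fully trust (method two) makes the key usable, that the spoofed key stays unusable, and that only Bob can decrypt what Alice sent. It needs gpg 2.1 or later and skips if gpg is not installed.

```shell
#!/bin/sh
# Added example (not from the article): OpenPGP key validation with GnuPG 2.1+
# in throw-away keyrings. Names, addresses and the "phoned" fingerprint are
# constructed for the demo; nothing here touches ~/.gnupg.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "skipping: GnuPG 2.1+ required" >&2; exit 0; }

WORK=$(mktemp -d)
PARTIES="alice bob carol mallory"
cleanup() {
  for p in $PARTIES; do GNUPGHOME="$WORK/$p" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT

# Run gpg unattended for one party; every party has its own isolated keyring.
g() {
  party=$1; shift
  gpg --homedir "$WORK/$party" --batch --quiet \
      --pinentry-mode loopback --passphrase '' "$@"
}

# Create a key pair for <party> with user ID <uid>; print its primary fingerprint.
new_party() {
  mkdir -p -m 700 "$WORK/$1"
  g "$1" --quick-gen-key "$2" default default never 2>/dev/null
  g "$1" --with-colons --with-fingerprint --list-keys | awk -F: '$1=="fpr"{print $10; exit}'
}

# Primary-key fingerprints in <party>'s keyring whose user ID contains <email>.
# A spoofed key yields two candidates; only the out-of-band value tells them apart.
fprs_for() {
  g "$1" --with-colons --with-fingerprint --list-keys "$2" 2>/dev/null |
    awk -F: '$1=="pub"{p=1} $1=="fpr" && p{print $10; p=0}'
}

# Hand <party>'s public key <fpr> to <to>, as a key server download would.
share_pubkey() { g "$1" --export --armor "$2" | g "$3" --import 2>/dev/null; }

# Encrypt the demo message to <fpr> from <sender>'s keyring. In batch mode gpg
# refuses a recipient key it cannot validate ("There is no assurance this key
# belongs to the named user"), so the exit status is gpg's trust verdict.
can_encrypt() {
  rm -f "$WORK/$1-to-$2.gpg"
  g "$1" --output "$WORK/$1-to-$2.gpg" --encrypt --recipient "$2" "$WORK/msg.txt" 2>/dev/null
}

decrypt_as() { g "$1" --decrypt "$2" 2>/dev/null; }

PLAINTEXT='Meet at noon.'
printf '%s\n' "$PLAINTEXT" > "$WORK/msg.txt"

ALICE_FPR=$(new_party alice 'Alice <alice@example.com>')
BOB_FPR=$(new_party bob 'Bob <bob@example.com>')
CAROL_FPR=$(new_party carol 'Carol <carol@example.com>')
MALLORY_FPR=$(new_party mallory 'Bob <bob@example.com>')   # attacker's key for Bob's address

# Alice asks a key server for "Bob" and gets both the real and the spoofed key.
share_pubkey bob "$BOB_FPR" alice
share_pubkey mallory "$MALLORY_FPR" alice
share_pubkey carol "$CAROL_FPR" alice
echo "Alice ($ALICE_FPR) sees these keys for bob@example.com:"; fprs_for alice bob@example.com

# Bob reads his fingerprint to Alice on the phone (constructed here as the real value);
# exactly one of the candidates matches the full 40-digit string.
PHONED_FPR=$BOB_FPR
MATCHES=$(fprs_for alice bob@example.com | grep -c "^$PHONED_FPR\$")

# Nobody has vouched for Bob or Carol in Alice's keyring yet, so gpg refuses both.
BOB_BEFORE=$(can_encrypt alice "$BOB_FPR" && echo allowed || echo refused)
CAROL_BEFORE=$(can_encrypt alice "$CAROL_FPR" && echo allowed || echo refused)

# Method 1: Alice has compared Carol's fingerprint by phone, so she signs it locally.
g alice --quick-lsign-key "$CAROL_FPR" 2>/dev/null
g alice --check-trustdb 2>/dev/null

# Method 2: Carol checked Bob's fingerprint herself and certifies his key. Alice imports
# that certification and records that she trusts Carol's judgment (ownertrust full = 5).
share_pubkey bob "$BOB_FPR" carol
g carol --quick-sign-key "$BOB_FPR" 2>/dev/null
share_pubkey carol "$BOB_FPR" alice
printf '%s:5:\n' "$CAROL_FPR" | g alice --import-ownertrust 2>/dev/null
g alice --check-trustdb 2>/dev/null

BOB_AFTER=$(can_encrypt alice "$BOB_FPR" && echo allowed || echo refused)
MALLORY_AFTER=$(can_encrypt alice "$MALLORY_FPR" && echo allowed || echo refused)
echo "bob: $BOB_BEFORE -> $BOB_AFTER; carol before: $CAROL_BEFORE; spoofed key: $MALLORY_AFTER"

# Only Bob holds the matching private key; Alice cannot read her own ciphertext.
echo "Bob decrypts: $(decrypt_as bob "$WORK/alice-to-$BOB_FPR.gpg")"
decrypt_as alice "$WORK/alice-to-$BOB_FPR.gpg" >/dev/null || echo "Alice cannot decrypt it (no secret key)"
```

The script encrypts to fingerprints rather than to the email address on purpose: a recipient given as an address matches every key carrying that address, including the spoofed one, whereas the fingerprint names exactly the key that was checked on the phone. The refusal you see before any signature is the same "There is no assurance this key belongs to the named user" prompt a mail client surfaces interactively; overriding it with --trust-model always would silence the check and reintroduce the man-in-the-middle risk.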
© 2024 Linux New Media USA, LLC – Legal Notice