By Mackenzie Morgan
Contributing Writer, [GAS]
We’re all a security-conscious bunch of folks, right? How much attention do you pay to your email account? You probably don’t give the password out to random strangers on the internet, I hope, but that’s not the only way someone could be snooping on or tampering with your email. In the Middle Ages, it was customary to seal an envelope with your personal seal stamped into hot wax. If that seal was broken or didn’t properly match your seal, the recipient knew there was a chance someone had read, tampered with it, or even forged it. The reality is that even if you never give out your password to anyone, your email is still being transmitted across a bunch of servers to reach its destination. The admins of any of those servers could potentially do something nasty to your email. You want to protect yourself, right?
I almost always get asked about the odd line of numbers and letters at the bottom of my card. The odd line is the fingerprint for my GPG public key. GNU Privacy Guard, or GPG for short, is an implementation of the OpenPGP Standard. PGP stands for “Pretty Good Privacy.” It uses public and private keys to maintain privacy. There’s some ridiculously complex math behind it that has something to do with really big prime numbers, but I will avoid that topic. The way it works, at a high level, is that each person has a public key and a private key. They distribute their public key to anyone who asks. Most people who use it just upload their public key to a keyserver from which anyone can download it. Mine is on three. The private key is, well, private. There is, of course, a second level of authentication involved. The private key is something you have. There is also a passphrase, something you know. A private key can only be used with a passphrase.
There are two options for how you want to secure something. You can either encrypt the message, or you can sign it. You could also do both. I sign all of my emails. At the end of the email, there is a crazy chunk of text, like this:
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
That’s the signature. It looks like a jumble, right? Well, if you save the message and run it through GPG, it can verify whether or not the signature is valid. The signature is an encrypted hash of the message made using your private key. Any holder of the public key can verify that the hash and the signature match. It guarantees to the message recipient that there have been no alterations made to your message. This is the least-obstructive and probably most common way your average GPG-user uses it. It does not require that the recipient know about GPG, but if they do use it, it can give them some piece of mind.
Full message encryption doesn’t really work for normal use unless everyone you communicate with has a public key. It does provide considerably more privacy since your message will be unreadable to everyone except the intended recipient. The message is encrypted using their public key, and when they receive it, they decrypt it using their private key and passphrase. Nobody can snoop, great! There is an upside and a downside to this, though. They both are that there is no proof whatsoever that the message came from you. If you want plausible deniability (“someone must’ve spoofed my return address!”), this is great. If you want the recipient to really be sure it wasn’t forged, sign it as well.
Of course, being able to prove without a doubt who said what to whom could be problematic for certain types of people in certain lines of business. For those people, just plain encryption is probably the best way to go. If it’s not signed, well, as I said, they have plausible deniability. If it’s encrypted and they just happen to forget their passphrase or accidentally delete their private key, um, oops? The encrypted message is now unrecoverable, kind of like those self-destructing messages spies always get in movies.
The simplest way to add privacy to your email is through a mail client, and I don’t mean mutt. If you use mutt, I’m pretty sure you have to stick to CLI GPG. For Thunderbird users, there is the Enigmail addon, named after the Enigma encryption scheme used in WWII. Evolution and Kontact/KMail have GPG support built in. For Outlook users, GData makes a plugin. I know the site’s in German, but there is an English version of the plugin. Users of Apple’s Mail can turn to GPGMail. Finally, if you use Webmail and Firefox, there is FireGPG, which I would not trust for encryption with GMail because GMail sends unencrypted drafts to the server every few minutes. GMail messages are best encrypted outside the browser and then copied and pasted.
In case you’re wondering what’s to keep some jerk from making a fake key, the answer is the web of trust. The way it works is that you show someone else your fingerprint and your ID to demonstrate that it’s yours. They then use their key to sign your key, showing that they have verified it. If you take a look at my key’s entry on the keyserver, you will see that there are the names of 4 different individuals other than myself on that page. They all verified that the key does belong to me and signed it. You can also see that I have multiple email addresses listed on there so that when I send an email from one of those addresses, the mail client can also verify that it came from an approved email address. Getting too many signatures isn’t such a good thing though. Eventually those signatures just make the key huge. Three is a good number. Each person who signed my key has had theirs signed by someone else, and they’ve had their signed, and so on and so forth until it’s just one big web of people establishing trust for each other.