Oracle Arion

There can exist no revolutionary movement without revolutionary theory.

Encrypt Email

Signing and Encrypting Email Messages

Organizations often want to protect the confidentiality and integrity of some of their email messages, such
as preventing the exposure of personally identifiable information in an email attachment. Email messages
can be protected by using cryptography in various ways, such as the following:

  • Sign an email message to ensure its integrity and confirm the identity of its sender.
  • Encrypt the body of an email message to ensure its confidentiality.

These two methods, message signing and message body encryption, are often used together. For
example, if a message needs to be encrypted to protect its confidentiality, it is usually digitally signed as
well, so that the recipient can ensure the integrity of the message and verify the identity of the signer.
Messages that are digitally signed are usually not encrypted if the confidentiality of the contents does not
need to be protected.

The most widely used standards for signing messages and encrypting message bodies are Open Pretty Good Privacy (OpenPGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME). Both are based in part on the concept of
public key cryptography, which involves a user having a pair of related keys: a public key that anyone can
hold, and a private key that is held exclusively by its owner.

Symmetric key cryptography requires a single key to be shared between the sender and recipient of an email message. The process involves the sender generating a random key and encrypting the message with it using a symmetric key encryption algorithm. The sender then encrypts the symmetric key with a corresponding public key encryption algorithm using the recipient’s public key, and sends both the encrypted message and encrypted symmetric key together to the recipient. This hybrid process uses public key encryption only to encrypt the symmetric key. Because only the intended message recipient holds the private key that is needed to recover the symmetric key, no other party can decrypt the message and read it.

Key Pairs

The engine that drives Public Key Cryptography is the “key pair”. A key pair is basically a set of two numbers, each of which can be used to encrypt data.

Key pairs have 2 properties that make them very useful.

1) Things encrypted with one key of the pair can only be decrypted by using the other key in the pair.

2) It is exceedingly difficult to derive one key from the other. Doing so requires solving a problem known to be difficult in computer science (like for instance factoring large prime numbers).

 

One naive encryption scenario involves splitting a key pair between two people who want to communicate privately. Example: When Alice wants to send a private message to Bob, she encrypts it with her key, and Bob uses his to decrypt. When Bob wants to reply, he encrypts with his key and Alice uses hers to decrypt.

 

Public Key Encryption

Public Key Encryption takes this scenario one step further. In Public Key Encryption, the idea is that every participant has their own pair of keys. But rather than treat both keys as secret (as in the naive scenario above), only one of the keys is secret. The other is considered to be Public—its owner disseminates it far and wide. This is safe to do because of the second property of key pairs—just because someone knows your public key does not give them an advantage in guessing what your secret key is.

aaaaaa.gif

 

Digital Signatures

You would do that to authenticate the message—to prove that it came from you. Any message decryptable with a given public key is sure to have come from the person holding the corresponding private key. So to the extent you can trust that a given public key really belongs to a particular person, you can be sure that such a message really did come from that person. This is the basis of Digital Signatures.

Digital signature techniques rely on the creation of a digest or fingerprint of the information (i.e., the message being sent) using a cryptographic hash, which can be signed more efficiently than the entire message.

encrption.gif

OpenPGP

OpenPGP is a protocol for encrypting and signing messages and for creating certificates using publ cryptography. It is based on an earlier protocol, PGP, which was created by Phil Zimmerman and implemented as a product first released in June 1991. The initial PGP protocol was proprietary and u some encryption algorithms with intellectual property restrictions. In 1996, version 5.x of PGP was defined in IETF RFC 1991, PGP Message Exchange Formats. Subsequently, OpenPGP was develop as a new standard protocol based on PGP version 5.x. fined in RFC 2440

Many free and commercial products that use the OpenPGP standard are currently available. The software
can be downloaded or purchased from a variety of Web sites.15 Some OpenPGP-based products fully
support the cryptographic algorithms recommended to the Federal government by NIST in FIPS PUB
140-2 and other publications, including 3DES and AES for data encryption, Digital Signature Algorithm
(DSA)16 and RSA for digital signatures, and SHA for hashing.17 Some implementations of OpenPGP
support other encryption schemes not addressed here.

Although certain aspects of OpenPGP do use public key cryptography, such as digitally signed message
digests, the actual encryption of the message body is performed with a symmetric key algorithm, as
outlined earlier. The following is a brief description of signing and encrypting a message with OpenPGP
(some steps may occur in a different order):

  • OpenPGP compresses the plaintext, which reduces transmission time and strengthens cryptographic security by obfuscating plaintext patterns commonly searched for during cryptanalysis.
  • OpenPGP creates a random session key (in some implementations of OpenPGP, users are required to move their mouse at will within a window to generate random data).
  • A digital signature is generated for the message using the sender’s private key, and then added to the message.
  • The message and signature are encrypted using the session key and a symmetric algorithm (e.g., 3DES, AES).
  • The session key is encrypted using the recipient’s public key and added to the beginning of the encrypted message.
  • The encrypted message is sent to the recipient.

Encrypting Gmail Messages through Firefox

FireGPG

FireGPG is a Firefox extension under GPL which brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG. FireGPG features a contextual menu giving access to several GPG functions. It also brings GPG features to the Gmail webmail interface, making it easy to use GPG directly from within Gmail.

Download FireGPG !

Now install the GnuPG software!

Gnu Privacy Guard (GPG) software that implements the PGP algorithm for Public Key Cryptography GNU/Linux and Mac OS

You can download the latest version at


 .

Windows Users,

download WinPT and GPG, and install it at the default location.

GnuPG Logo

  • Investigate FireGPG options, manually the select the foler location of “gpg.exe”
  • Use GnuPG to create Public and Priavte keys, make sure you choose “RSA/RSA (PGP)”
  • Reload Firefox, open Gmail, experiment with the FireGPG right-click context menu. (for now avoid “Signing”)
  • Create test email addressed to yourself, encrypt send… now attempt to decrypt the received mail.
  • Your Gmail dashboard should look similar to this:

untitled-2.gif

 

 

Encryption:

What the big deal?

Googleplex grants us conforable anonymity.

Hyperspace hides our individuality, like a blizzard blankets every one snowflake.

We hacked the planet. Dissolved despotism, Abolished cesorship. We began creating global cultural literacy; Technology radically transformed Industry. Teleology, however, could not triumph over tyranny’s tactics of fear.

I

chap6.gif

 

 finis