Encryption: GnuPG

Sometimes, you want to communicate securely. And, email seems not to be the best medium for doing so, at least not for communicating in plain text (although I would not know how to tap off mail, it seems to be pretty easy). Also, free mail services like Gmail will keep all your mail indefinitely, and will sooner or later use the content, e.g. for marketing purposes. So, sometimes you feel the need to encrypt your messages or files.

Public Key Cryptography allows you to share a 'public key' to anyone you like for encrypting stuff to send to you, but to keep the key needed for decryption (the 'private key' of 'secret' key) for yourselves only. So anyone can encrypt data for you, but only you can decrypt it. Sharing a (good) public key is without risk, you can even put it on your web page (but be very careful with your secret key).

A good tool is the GNU-based GnuPG tool (Gnu Privacy Guard), an openPGP form of PGP. This tool can encrypt using public key cryptography, and is available for all major platforms in a model allowing free use even in commercial environments ("GnuPG is Free Software. It can be freely used, modified and distributed under the terms of the GNU General Public License."). The below explanation is somewhat biased to the Windows environment. You can find documentation on GPG on http://www.gnupg.org/docs.html.

Note: the basic GPG tool is command-line driven; however wrappers are available for e.g. many mail tools, both on Windows (even for Lotus Notes) and on UNIX. I did not yet envestigate all possibilities, however some hints:

for Windows integration in XP I did check on WinPT (Windows Privacy Tray) which installs an icon into the task bar giving quick access to all GPG functions using a windows-based interface.
In Windows Vista I use GPGee (GNU Privacy Guard Explorer Extension) instead, which gives a good explorer integration (i.e. with right-clicking on files you can encrypt/decrypt).
There is also an Outlook Express wrapper, but as we do not use Outlook, I did not test this.
Also tried WinPTEE: instable at the time I tried it!

Looking for encrypted file systems, or how to safely keep all your passwords on a USB stick? Look at my 'veilig'-page (Dutch).

A complete set of tools helping in using GPG from Windows is gpg4win: a installer package for Windows (95 up to XP/2003) with computer programs and handbooks for EMail and file encryption. WinPT is included in this package, as is GPGee (GNU Privacy Guard Explorer Extension): an explorer extension to give you right-click access to GPG to encrypt/decrypt files.

Installation

You need to download the most current release of the GnuPG windows client, for example as a file like gnupg-w32cli-1.4.10b.exe from their download page. This is a Windows setup utility, helping you through the installation. If you want to use the command line (DOS prompt) version, copy gpg.exe to a directory in your path, or change your path to include the GnuPG directory (default C:\Program Files\GNU\GnuPG). In the GnuPG readme.txt, you can find more details if needed.

If you want to use the WinPT windows wrapper, you also need to download it from their download page. Basically, if you want to run it from your system tray, unzip it in C:\Program Files\GNU\GnuPG, create a shortcut to WinPT.exe and place this in your startup directory (or start manually when needed). Detailed installation notes for the combination of GnuPG and WinPT can be found on the help page of WinPT.

A package with many GPG utilities (including WinPT) is GPG4WIN. It also includes plug-ins for for example outlook 2003 (automatic handling of encrypted email) and explorer (file encryption via right mouse context menu).

Public Key Encryption

Classic methods for encryption ('symmetrical cyphers') only use one key for both encryption and decryption. The sender encrypts the message with this key. To be able decrypt this the receiver needs to have this very same key. This key must have been given to the receiver in a way, that others won't have had the opportunity to obtain this key. If somebody else does have the key, this method of encryption is useless.

The use of so-called Public Key Cryptography can solve this problem. Public Key is a concept where two keys are involved. One key is a Public Key (used for the encryption) that can be spread through all sorts of media and may be obtained by anyone. The other key is the decrypting Private Key. This key is secret and cannot be spread. This key is only available to the owner. When the system is well implemented the secret key cannot be derived from the public key. Now the sender will crypt the message with the public key belonging to the receiver. Then decryption will be done with the secret key of the receiver.

Crucial in this concept is that the secret (Private) key remains a secret and should not be given away or become available to anyone else but the owner of this key. YOU SHOULD NOT SEND THIS KEY OVER THE INTERNET (at least not if you want maximum security...). Also it is very unwise to use GnuPG over telnet (one might consider never to use telnet based on the high security risks).

Basic procedures (Windows GUI interface WinPT)

For the command line interface, go further down on this page.

For Windows-addicts not working on the command line, I recommend using the mentioned WinPT graphical user interface. See below for compact instructions for the basic steps using WinPT.

Sending a file to an other party

For encryption to send to an other party, you will (once) need to have the public key of the receiving party, and to have this key entered into your key ring (see separate section further down this page).

Right-click the WinPT icon on the task bar, select File Manager. A popup window will appear in which you can drag your file(s) to encrypt, or use the File/Open menu to select files. Use File/Encrypt to encrypt. Select the receiver from the popup menu. The encrypted files will be placed in the same directory as the original files, having a .pgp extension.

Receiving files from other parties

To receive an encrypted file from an external party, this party first needs to have your public key (see separate section later on, on how to send this to him/her). The sending party uses this key to encrypt the data and will send the resulting file to you.

Procedure is basically the same as for encryption, however now select decrypt instead of encrypt. Enter your password into the popup box.

Importing public keys received from others

A public key is typically send to you via email in preparation to you having send a file. For example, have a look at my public key file (can also be used for testing).

From a mail: copy the key including the ----BEGIN and ----END lines (^C or menu edit/copy will do so), right-click the WinPT icon on the task bar and select 'Key Manager', then paste (menu: edit/paste) the key into the key manager.
From file: import from a text file using the WinPT Key Manager, menu key/import.

Generating your own key

This is a one-time only process. I still have to describe this in more detail... Using WinPT:

Right-click the WinPT icon on the task bar, select Key Manager. Select menu key/generate... You get a pop-up box you need to fill in. Choose key length at 1024 bits. You need to enter (and remember!) a passphrase (password), will be requested when decrypting received files.

You also need to export your public key for distribution, this can be done right-clicking the WinPT icon in the task bar, selecting the key manager, selecting your key and exporting it using the menu key/export. This will generate an ASCII (text) file with the specified name, which you can e.g. mail to persons needing to send you encrypted mail. This key file is a normal text file, no special handling required.

Generating a key revocation certificate does not seem to work under WinPT currently. Use the command line 'gpg --gen-revoke <user_id>' and answer the questions asked..

Basic procedures (Command line interface)

On Windows and Linux/UNIX, GPG can be accessed via the command line. In order to ease working with the program (there are quite some options and possibilities), I have some simple pre-wrapped batch files collected in a zip file (you can use the commands from these files to make your own UNIX/Linux scripts). The settings are such that the system is compatible with the widely used PGP tools. Feedback is welcomed, as I am only a starter with GPG. Note: text in italics has to be replaced by your input. A more extensive explanation (Windows-based) can be found on 'A Practical Introduction to GNU Privacy Guard in Windows'.

Sending a file to an other party

The batch file gpg_enc will encrypt a specified file using the public key of the receiver, generating a file with the same name but with the .asc extension (is in ASCII format).

gpg_enc <filename> -r <recipientname>

The script:
- will overwrite an existing .asc file
- will ask whether you trust the key (if not set at trusted after reception)
- will only encrypt but not sign
- settings are PGP-compliant (version 5.x and higher)
- Basically does, next to some checking on arguments: gpg --compress-algo 1 --cipher-algo cast5 --yes -a -r <recipientname> -e <filename>

Receiving files from other parties

In order to decrypt, you can use the gpg_dec batch file (basically doing: gpg -o <decrypted_file> -d <encrypted_file>). Note that this file will ask you to enter your password/phrase for your key.

gpg_dec <encrypted_file> <decrypted_file>

Importing public keys received from others

A public key is typically send to you via email in preparation to you having send a file. For example, have a look at my public key file (can also be used for testing).

Save the key in an ascii text file, and import it into your public key collection (key ring) using the gpg --import batch command.

gpg --import <file_with_key>

How to be sure a key can be trusted: calculate the 'fingerprint' and check the fingerprint by phone:

gpg --fingerprint <recipientname>

If you are sure the key is trustworthy, you can indicate this in the key ring database to prevent questions during an encryption process. Note: the below lines indicate a communication with an interactive gpg run giving the user input only:

gpg --edit-key <recipientname> trust 4 quit

gpg --list-keys will list all your available imported keys.

Generating your own key

This is a one-time only process. I still have to describe this in more detail... Start the interactive program using

gpg --gen-key

Choose key length 1024 bits. You need to enter (and remember!) a passphrase (password), will be requested when decrypting received files. You also need to export your public key for distribution:

gpg --export -a <yourname> > <yourkey.asc>

This will generate an ASCII (text) file <yourkey.asc>, which you can e.g. mail to persons needing to send you encrypted mail. This key file is a normal text file, no special handling required.

Cryptography rules and laws

Here you can find a survey of existing and proposed laws and regulations on cryptography - systems used for protecting information against unauthorized access. Governments have long restricted export of cryptography for fear that their intelligence activities are hampered by the cryptography use of foreign states and scoundrels. Since the rise of crypto use over the past decades, governments increasingly worry about criminals using cryptography to thwart law enforcement. Thus, many countries have passed laws or are considering laws to maintain law-enforcement and national-security capabilities through regulation of cryptography.