Introduction

Are you looking for a safe way to encrypt your files and messages? What if there is a method that can do all that and more and yet it is FREE to use? If you are interested, keep reading to know about encrypting and exchanging files safely with GPG and PGP.

GPG is an acronym for Gnu Privacy Guard. It was developed as a free and open source alternative to PGP, a famous commercial encryption product. Both GPG and PGP can encrypt and decrypt data on your system, in addition they can be used to authenticate emails and files you exchange with other people, this means that if Bob is sending files and emails to Alice, she can check if the data has been altered in the way by any third party and if the sender is Bob for sure and no one else. Furthermore, with these applications, Bob can also make sure that only Alice will be able to decrypt and read/view the data he is sending.

Before proceeding with how this works in practice, let me first start with a small formal introduction to the protocol these programs use, that is OpenPGP (RFC 4880).

OpenGPG

OpenPGP is the most used email encryption standard now a day. It uses public-keys in combination with symmetric cryptography and hash-function to provide security solutions for electronic communications and data storage. Any OpenPGP software should support data confidentiality, integrity and authentication.

So OpenGPG is the standard or the protocol, while PGP and GPG are the applications you can use.

The software

It is best now to get your own copy of the software. GPG is free, if you are using Windows, you can get GPG4win from: http://www.gpg4win.org.

For Mac and Unix/Linux systems, download the copy that is best for you from: here

Usually GPG is installed by default in most Linux distributions. In Ubuntu for example, you can start working on it directly using your command line, but to save yourself time and make your life easier, add the suitable frontend for Gnome: Seahorse, by running the following commands:

sudo apt-get install seahorse

And also install its plug-ins

sudo apt-get install seahorse-plugins

If you are a KDE user then you should get KGpg instead of Seahorse.

On the other hand, you can also use PGP. It is commercial, but the good news is that: if you decide to use their trial version without entering the license key, it works as a freeware version. It does not give you the full functionality of a commercial license of course, however, what you get is convenient enough (I personally use it). You can download the trial version and try it yourself from here

How it works

Now, that you installed a software (I assume), you should have a small program responsible for key management, that will usually be GPA if you got GPG4win, KGpg for KDE Linux or else, Seahorse if you are using Gnome. A Key Manager is used to create, delete, import, export and backup keys in addition to some few other management tasks. So what are these keys used for?

When you create a key, the software generates two, a private key for your own use and a relevant public key that can be sent to all other people to communicate securely with you.

What you really need to understand is that:

• All data encrypted with your public key, can only be decrypted with your private key. This is how GPG provide confidentiality i.e. data can only be read by the person who is meant to read it. So, if Bob wants to send a confidential file to Alice, he encrypts the file with her public key and sends it. Do you see how important it is to keep your private key secure? That is why the software makes you protect it with a passphrase.

• All data you encrypt with your private key can be decrypted using the public key: this implies that if Alice is able to decrypt data using Bob’s public key, she knows for sure that he was the one who encrypted it, no one else.

Digital Signatures

But why should Bob encrypt the whole file if all he needs is to prove authenticity to Alice? What if he is sending the file to many people and only Alice needs to authenticate it?

For this reason, we have digital signatures: Bob can simply sign the file with his private key instead of encrypting it.

Signing files can be done using Kleopatra if you installed GPG4win, otherwise simply right-click any file and the popup menu you get should have a new option to let you sign and/or encrypt the file.

Signing a file results in a digital signature, which contains a message digest (can be produced using a hash function such as MD5 algorithm) of the original file encrypted with Bob’s private key. The message digest maintains data integrity, because any change happens to the file changes its digest as well. While the fact that it has been encrypted with Bob’s private key proves him as the original sender. Interestingly, this can also be used as a method of non-repudiation, which implies that it prevents the sender from claiming that he or she did not actually send the information!

Now if Bob’s public key can decrypt and read the signature, Alice knows he is the sender, and then she uses the content (the message digest hash) to compare with a new calculated hash of the file she received. If they match, then the file has not been altered. Meanwhile, other people who might have received the file and does not have Bob’s public key, can simply use the file (because it is not encrypted) and ignore the digital signature.

Of course all of this is done easily by the software, no much manual work for you other than understanding how the software works.

Key Servers and Public Key Distribution

Exchanging public keys can be easy with a friend you already know, but what if you don’t have a direct contact with the person? How can you make sure the key you get isn’t fake? What if someone else made it up?

As a solution, Key Servers host public keys for everyone and provide you with solutions to work around this problem. PGP Global Directory for example verify the email address attached to every key before listing them online, hence, if you recognize the email address, you could trust the public key attached belongs to the owner of the email address.

Another one is SKS OpenPGP Keyserver. It shows you how many users trusted a certain public key and signed it as valid. In principle, if you see that many users signed a key, you might have a reason to think it actually belongs to its owner. This method is called “web of trust” and it helps to authenticate keys. So, it is best that you sign the keys you personally trust and ask the people who know you to sign your key as well to show it as valid. Make sure you don’t forget publishing any public key you sign to the key servers.

There are many key servers and many of them are linked together, so once you send your public key to one of them manually or by using your software, consequently, they will update each other with your information.

Digital Certificates

When someone signs a public key as valid, this operation results in what we call: a digital certificate. So, a digital certificate consists of a public key, identity information (owner’s name, email etc) and a digital signature by a third party to verify that the identity information belongs to the public keys. The third party can be a person, group, organization etc.

Conclusion

An interesting idea if you have some private data that you share with somebody is to encrypt it twice with both of your public keys. That way, neither of you can make use of it alone!

In Windows: MD5summer can be used to perform the task.

While in Linux: The famous md5sum utility is usually used.

The following examples shows how md5sum can be used from the command line.

To compute the MD5 sum of an ISO file for example use:

md5sum filename.iso

The result will be something like:

f8c7451b0de5a1e5f7a68fb3d15f4064 filename.zip

Note that the wild card can be used too, so if you are in a folder containing many files, you can compute the hashes to all files using:

md5sum *

or

md5sum h*.exe

Some applications/distributions provide a file with all MD5 hashes of the released files. Ubuntu for example provide a file called MD5SUMS and it looks like this from inside:

836440698456aa2936a4347b5485fdd6 *ubuntu-9.10-alternate-amd64.iso
3faa345d298deec3854e0e02410973dc *ubuntu-9.10-alternate-i386.iso
dc51c1d7e3e173dcab4e0b9ad2be2bbf *ubuntu-9.10-desktop-amd64.iso
d91659de6e945dbb96eb8970b2b4590a *ubuntu-9.10-desktop-armel+dove.img
297875d2a7531824a0fb08f241d33e85 *ubuntu-9.10-desktop-armel+imx51.img
8790491bfa9d00f283ed9dd2d77b3906 *ubuntu-9.10-desktop-i386.iso
ed6e77587b87fe0d92a2f21855869f00 *ubuntu-9.10-netbook-remix-i386.iso
14707e8847b9c9ba2dd1869fb5086e4f *ubuntu-9.10-server-amd64.iso
55618ad5f180692f9dac20cbff352634 *ubuntu-9.10-server-i386.iso
37a04db193b1a342f961f59aea2fada8 *wubi.exe

Now assume you downloaded: ubuntu-9.10-alternate-i386.iso
You can verify it’s hash against that list with the following command:

md5sum ubuntu-9.10-alternate-i386.iso -c MD5SUMS

If the comparison results in a single match then your file is alright.

To cultivate the result, use the following to show the positive match only:

md5sum ubuntu-9.10-alternate-i386.iso -c MD5SUMS | grep -v "FAILED$"

grep -v “FAILED$” is used to ignore the failed comparisons in the results, hence, if we change it to grep -v “OK$” we can get the failed comparisons only. this is useful when you run md5sum to verify many files against a list and need to check if there are any bad files.

Steganography

Steganography is all the techniques used to exchange secret messages without drawing attention. It is the science of hiding information.

Some of the old school methods to hide information are: invisible ink, null ciphers, microdots or the use of pinpricks, deliberate misspelling or slightly different font to mark certain words in messages and maps.

Null cipher

It’s a normal text written in the clear, but includes a hidden message. For example:

‘‘Fishing freshwater bends and saltwater coasts rewards anyone feeling stressed. Resourceful anglers usually find masterful leapers fun and admit swordfish rank overwhelming anyday.’’ [2]

If we take out the third letter in each word, we get: Send Lawyers, Guns, and Money.

Modern steganography refers to hiding information in digital images, audio files or even video. There are many methods and tools to do that. Nevertheless, and to have double protection, secret messages are first encrypted and then hidden using a steganography tool.

The steganographic process can be described with the following formula:

Cover medium + Data to hide + Stego key* = Stego Medium

* Note that if no encryption is added, there is no need for a Stego key.

Hiding messages in pictures

This is usually done by:

Using LSB is famous, so I will choose it to explain how data can be hidden in images.

LSB is always the last bit on the right-hand side of any binary number. Changing this bit causes the least possible effect to the original value.

In a 24-bit image, there are 3 bytes of data to represent RGB values for every pixel in that image. This implies that we can store/hide 3 bits in every pixel. For example, if the image has the following bits:

10010101 00001101 11001001
10010110 00001111 11001010
10011111 00010000 11001011

To store 101101101. we replace with the original LSBs like this:

10010101 00001100 11001001
10010111 00001110 11001011
10011111 00010000 11001011

To reveal the stored message, the LSBs are extracted alone from the Stego Medium and combined together.

Hiding messages in audio files

Two known methods to store message in audio files are: Frequency Domain and Time Domain.

In Frequency Domain, a message can be stored in practically unused frequencies of audio files. For instance, In a CD where the sample rate is 44.1 kHz, the highest frequency without aliasing is 22.05 kHz.

Now, because the average peak frequency that an adult can hear is approximately 18 kHz, this leaves 4 kHz of frequency that is “practically unused”. This space can then be used to hide a message (a copyright message for example).

In Time Domain, a message can be stored in the LSBs, something similar to what we saw with images. To maintain CD quality, it is important to encode at 16 bits per sample at a rate of 44.1kHz. However, we can also record at 8 bits per sample using the high significant bits (first bits on your left-hand side) and save the other 4 LSBs to hide our message without making any perceptible change to the audio quality.

In a comparison between the two, detecting messages hidden with time domain is harder because it requires more resources. [4]

Watermarking (digital watermarking)

Whenever there is a topic about steganography now a day, Digital Watermarking is also mentioned. It refers to embedding hidden messages as well, but not for the purpose of sending secret information. Instead, Watermarking is usually used for the following:

1. Copyright protection: include ownership information.
2. Copy protection: include instructions to stop data copying devices from making and distributing copies of the original.
3. Prove data authenticity.
4. Tracking: If copies of a file are distributed illegally, the source can be revealed if the master copies had unique watermarks included.

Stego Tools

The following freeware tools have been tested by me on Windows 7 and they work great:

To find more tools (commercials and freeware) make use of the following lists as they are the best I found online or do your own googling:

Steganalyses and countermeasures

Steganalyses aim to investigate suspected information to determine whether they include any sealed data and reveal the hidden message if exist.

Any unusual patterns (visual or statistical) are usually analyzed to detect suspected information. Hence, any method can be useful, for instance, image editors and hex editors (e.g. HEX Workshop).

Some methods are designed and developed to detect and reveal information hidden by known steganography tools. There are also enhanced and powerful digital forensic analysis tools such as StegAlyzerSS (Steganography Analyzer Signature Scanner) developed by the Steganography Analysis and Research Center [5].

Conclusion note