I have also posted this to HackThisSite.org articles
Are you looking for a safe way to encrypt your files and messages? What if there is a method that can do all that and more and yet it is FREE to use? If you are interested, keep reading to know about encrypting and exchanging files safely with GPG and PGP.
GPG is an acronym for Gnu Privacy Guard. It was developed as a free and open source alternative to PGP, a famous commercial encryption product. Both GPG and PGP can encrypt and decrypt data on your system, in addition they can be used to authenticate emails and files you exchange with other people, this means that if Bob is sending files and emails to Alice, she can check if the data has been altered in the way by any third party and if the sender is Bob for sure and no one else. Furthermore, with these applications, Bob can also make sure that only Alice will be able to decrypt and read/view the data he is sending.
Before proceeding with how this works in practice, let me first start with a small formal introduction to the protocol these programs use, that is OpenPGP (RFC 4880).
OpenPGP is the most used email encryption standard now a day. It uses public-keys in combination with symmetric cryptography and hash-function to provide security solutions for electronic communications and data storage. Any OpenPGP software should support data confidentiality, integrity and authentication.
So OpenPGP is the standard or the protocol, while PGP and GPG are the applications you can use.
It is best now to get your own copy of the software. GPG is free, if you are using Windows, you can get GPG4win from: http://www.gpg4win.org.
For Mac and Unix/Linux systems, download the copy that is best for you from: here
Usually GPG is installed by default in most Linux distributions. In Ubuntu for example, you can start working on it directly using your command line, but to save yourself time and make your life easier, add the suitable frontend for Gnome: Seahorse, by running the following commands:
sudo apt-get install seahorse
And also install its plug-ins
sudo apt-get install seahorse-plugins
If you are a KDE user then you should get KGpg instead of Seahorse.
On the other hand, you can also use PGP. It is commercial, but the good news is that: if you decide to use their trial version without entering the license key, it works as a freeware version. It does not give you the full functionality of a commercial license of course, however, what you get is convenient enough (I personally use it). You can download the trial version and try it yourself from here
How it works
Now, that you installed a software (I assume), you should have a small program responsible for key management, that will usually be GPA if you got GPG4win, KGpg for KDE Linux or else, Seahorse if you are using Gnome. A Key Manager is used to create, delete, import, export and backup keys in addition to some few other management tasks. So what are these keys used for?
When you create a key, the software generates two, a private key for your own use and a relevant public key that can be sent to all other people to communicate securely with you.
What you really need to understand is that:
- All data encrypted with your public key, can only be decrypted with your private key. This is how GPG provide confidentiality i.e. data can only be read by the person who is meant to read it. So, if Bob wants to send a confidential file to Alice, he encrypts the file with her public key and sends it. Do you see how important it is to keep your private key secure? That is why the software makes you protect it with a passphrase.
- All data you encrypt with your private key can be decrypted using the public key: this implies that if Alice is able to decrypt data using Bob’s public key, she knows for sure that he was the one who encrypted it, no one else.
But why should Bob encrypt the whole file if all he needs is to prove authenticity to Alice? What if he is sending the file to many people and only Alice needs to authenticate it?
For this reason, we have digital signatures: Bob can simply sign the file with his private key instead of encrypting it.
Signing files can be done using Kleopatra if you installed GPG4win, otherwise simply right-click any file and the popup menu you get should have a new option to let you sign and/or encrypt the file. When Seahorse is used, you might need to restart your Linux box to have the right-click window refreshed with the new options i.e. Sign and Encrypt!
Signing a file results in a digital signature, which contains a message digest (can be produced using a hash function such as MD5 algorithm) of the original file encrypted with Bob’s private key. The message digest maintains data integrity, because any change happens to the file changes its digest as well. While the fact that it has been encrypted with Bob’s private key proves him as the original sender. Interestingly, this can also be used as a method of non-repudiation, which implies that it prevents the sender from claiming that he or she did not actually send the information!
Now if Bob’s public key can decrypt and read the signature, Alice knows he is the sender, and then she uses the content (the message digest hash) to compare with a new calculated hash of the file she received. If they match, then the file has not been altered. Meanwhile, other people who might have received the file and does not have Bob’s public key, can simply use the file (because it is not encrypted) and ignore the digital signature.
Of course all of this is done easily by the software, no much manual work for you other than understanding how the software works.
Key Servers and Public Key Distribution
Exchanging public keys can be easy with a friend you already know, but what if you don’t have a direct contact with the person? How can you make sure the key you get isn’t fake? What if someone else made it up?
As a solution, Key Servers host public keys for everyone and provide you with solutions to work around this problem. PGP Global Directory for example verify the email address attached to every key before listing them online, hence, if you recognize the email address, you could trust the public key attached belongs to the owner of the email address.
Another one is SKS OpenPGP Keyserver. It shows you how many users trusted a certain public key and signed it as valid. In principle, if you see that many users signed a key, you might have a reason to think it actually belongs to its owner. This method is called “web of trust” and it helps to authenticate keys. So, it is best that you sign the keys you personally trust and ask the people who know you to sign your key as well to show it as valid. Make sure you don’t forget publishing any public key you sign to the key servers.
There are many key servers and many of them are linked together, so once you send your public key to one of them manually or by using your software, consequently, they will update each other with your information.
When someone signs a public key as valid, this operation results in what we call: a digital certificate. So, a digital certificate consists of a public key, identity information (owner’s name, email etc) and a digital signature by a third party to verify that the identity information belongs to the public keys. The third party can be a person, group, organization etc.
An interesting idea if you have some private data that you share with somebody is to encrypt it twice with both of your public keys. That way, neither of you can make use of it alone!