There are many tools out there that allow you to communicate privately with varying levels of security. PGP (Pretty Good Privacy), specifically the OpenPGP standard, is a well tested and solid method of encrypting emails and messages, before transmission, to ensure that the only person who can read them is the intended recipient. I need not reiterate the importance of privacy, especially for activists in different regions around the world, including the USA, where domestic spying can and has been used to attempt to thwart activist groups. PGP is a reliable standard and the one used by Edward Snowden in his communications with Glenn Greenwald.
PGP relies on what is called “Public Key Cryptography” to cipher and decipher messages. In times gone by, to send cryptographic messages to a recipient, an agreed upon key or method would need to be shared beforehand. This may have required meeting with the recipient in person to establish the “key” without fear of interception. If an encrypted letter was likely to be intercepted, it is just as likely that a letter detailing a secret decryption algorithm would be intercepted. This situation is clearly impractical in the current state of mass communication across the world with people you cannot easily meet in person.
Public Key Cryptography, or Asymmetric Key Cryptography, is a solution to this problem. First both parties wishing to engage in an encrypted conversation must generated key pairs. Each participant will generate a public and a private key using their PGP software (this only needs to be done once per person). The public key is the cipher. This is the key used to encrypt a message. The private key, which is mathematically related to the public key, is used to decipher the message. In reality, a symmetric session key is generated to encrypt each message. The session key itself is then encrypted with the public key and sent within the message.
How this works, practically,
- Person A shares their public key with Person B.
- Person B uses this key to encrypt a message and send it back to Person A.
- Person A then uses their own private key to decrypt the message.
- Person B‘s public key can be included in the return message or published publicly.
The efficacy of modern cryptography relies on the fact that certain mathematical problems are extremely difficult to solve. Such problems used are Prime factorisation and elliptic curve relationship; knowing this is not necessarily required to effectively use modern cryptography, but it is worth mentioning for those who may be interested.
A good analogy to this would be Person A sending Person B a lock-box with just a padlock, but no physical key. Person B then places a message inside the lock-box and locks it. From that point onward, Person A is the only one able to unlock the box with the key they have in their possession. Using this method, it is safe for anyone to have access one’s public key because all that it allows someone to do is encrypt messages to for that person. Only by compromising someone’s private key or failing to authenticate who you are communicating with will this secrecy and security be readily broken.
Now that there is a basic understanding of how PGP works, we will go through an easy method to implement it in email communications. Keep in mind that PGP will protect the privacy of communications, but not anonymity. An effective eavesdropper will still be able to know that you, Person A, has communicated with Person B. They will only be unaware of what is being communicated.
One of the easiest methods of setting up and using PGP is a browser plugin called Mailvelope. This is what I will be covering in the rest of the article. I suggest this because it does not require the installation of software to the PC, as it runs on the browser platform. This along with the fact that PC Email clients are in declining use is why I think Mailvelope is a worthy option. I will also link my public key and email at the end of the article, if you wish to practice sending and receiving encrypted email.
Mailvelope is currently only available for Chrome. It can be downloaded as an extension here: http://mailvelope.com/
Once you have Mailvelope added to your browser, a padlock icon will appear in the top right next to the Chrome settings button.
Left click on it and select “Options.” From here we need to generate a public/private key pair. This option will be in the left hand menu button.
Input your details in the fields provided. Make sure the passphrase you use is both long and something you can remember. If you forget this passphrase, you will no longer be able to encrypt or decrypt messages using that particular key pair. In the “Advanced>>” section, choose a keysize longer than 1024 bit for future’s sake. Once you have filled in the forms, click “Submit.”
Once you have completed this, go to the “Display Keys” option in the menu. From here you can “Export” your public key. You can choose to send it to another PGP user via email or you can export it as a block of text and shared via other means. Do not give out your private key – ever. Your public key is totally public and can be safely shared far and wide or published anywhere without worry – as promiscuously as you like. All the public key allows someone to do is send a message to you.
In order to send encrypted messages to others, you must import their public key. You can do this by importing an “.asc file” with the public key or copying their public key block. When obtaining someone’s public key, make sure you have, to the best of your ability, ascertained that who you are speaking to is really who you are speaking to.
Now that you have your keys set up and have imported someone else’s public key, you need to know how to send an email.
Open up your email client. Mailvelope comes configured to support Gmail, Outlook.com, Yahoo Mail and GMX. For this Demonstration I will use Gmail:
Go to compose an email. You will immediately notice a new “pencil and paper button” inside the compose box. First enter the recipient and subject, then, once you get to the body of the email, click this “pencil and paper button.”
Compose the email in the box that opened up – this prevents clear text email from being automatically saved as draft by your email provider and potentially compromising the secrecy of your message.
Once you have written your message, click on the “padlock button,” choose the recipient’s public key from the drop-down menu, click “Add” and “Ok.” You then press the “Transfer button” to move the encrypted text back to the compose box. Note that because PGP encrypts your message with a generated session key, then encrypts the session key with the recipient’s public key, it is possible to encrypt a message for multiple recipients.
An encrypted block of text will look like this:
—–BEGIN PGP MESSAGE—–
Version: OpenPGP.js v.1.20130820
—–END PGP MESSAGE—–
You can now send your message knowing that if intercepted, it will be unreadable.
When you receive an encrypted email, Mailvelope will detect this and overlay a “padlock and envelope symbol” over it. Clicking on this “padlock and envelope symbol” will prompt you to enter your passkey. Entering this will display the message in clear text for you to read.
Now you should be fully capable of using PGP to encrypt and decrypt emails to and from your contacts.
If you wish to test Mailvelope out and don’t yet know anyone else with PGP set up, I have set up an email account to receive encrypted messages. The Email is: firstname.lastname@example.org
My public key can be found on the MIT server: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x12E28DE5DAC9CB82
I will respond to all encrypted emails I receive. Ensure you include your public key in the email.
Below are a number of other tools that are worth noting, if Mailvelope does not suit your specific habits or setup.
EnigMail for Thunderbird mail client
A very clean and versatile addon for those who still use local mail clients, once it is set up it is arguably easier to use than mailvelope.
Comes with a number of utilities, including the certificate manager Kleopatra, which allows you to import and export encrypted messages, allowing you to copy send encrypted messages over other platforms.
GNU Privacy Guard
For Linux users, GPG can be downloaded from the distro’s repository, or a source package can be downloaded from the website.
A PGP suite for Mac users.
Translations for this article:
- Portuguese, Como usar criptografia PGP para comunicação privada.