You may not know it, but the email you sent to your buddy was almost certainly transmitted and stored in clear text. If it was intercepted on its way to the destination, whoever intercepted it could read it without doing much work. While you might not care that strangers find out you had a few too many drinks last night and collapsed in the club, think about the confidential emails you have sent in the past. What would happen if someone else got hold of that information? How would it damage you? One of the biggest problems with email today is that messages are sent and stored in clear text, meaning the content is not encrypted end to end. Even where a mail server speaks TLS to the next hop, the message sits unencrypted on every server along the way, so an attacker who compromises one of those servers can read incoming and outgoing email at will. It’s time you did something about this nasty problem.
The Problem with Emails
In order to really understand why we have this problem, you have to go back to when the Internet was first created. At that time, the Internet was nothing like it is today. There were very few users, and it was essentially an experimental project among people who trusted each other. Security was not a requirement; as long as it worked, people were happy. Sending email then was much the same as it is now: a way to quickly send some text to another recipient. Just as with the Internet itself, no one could have guessed how popular email would become. Today, email is one of the main modes of communication, and confidential information is sent over it every second, much of it unprotected.
Because of the boom in email and the fact that there is no inherent security built into it, many users simply view email as, well, just email. We create an account on a server, compose a message, hit the big Send button, and that’s it. Users only care that the message reaches its destination; they do not care how it got there. As long as the recipient can read the email, all is good. Since security was not baked into email from the beginning, it is a lot harder to add it now. With websites and web servers the problem is more tractable, because relatively few people operate a web server and the operator can turn on HTTPS for everyone who visits. With email, however, nearly everyone has an address, and protecting a message end to end requires both the sender and the recipient to do something. There needs to be a way to add that security to the email system.
Pretty Good Privacy (PGP)
PGP is an encryption and signing system created by Philip Zimmermann in 1991. It uses a technique called asymmetric (public-key) cryptography to protect your data. Don’t worry, it’s not that complicated. What it boils down to is you, the user, having a pair of keys. One is called the public key and the other the private key. As you can guess from the names, you can freely distribute the public key to whoever you wish: friends, family members, co-workers, strangers, hackers, etc. The private key you keep strictly to yourself. How does it work? Very simple. Anyone who wants to send you an email that must stay private composes it as usual, then encrypts it with your public key. The output is a blob of gibberish and random-looking characters, and that is what gets sent. On your end, you decrypt the email with your private key. Because the public and private keys are a matching pair, you see the email exactly as the sender wrote it. If the email is intercepted by a third party, all they see is the gibberish. Even if an attacker has your public key, it is computationally infeasible to derive the private key from it; that is what makes the scheme work, and it is why PGP (and the OpenPGP standard that grew out of it) is the most widely used email encryption system today. In practice PGP encrypts the message body with a fresh random symmetric key and then encrypts only that small key with your public key, which is why a long message costs no more than a short one, but the public/private key picture above is the part that matters to you. Here is a simple picture depicting how PGP works in general:
For a more thorough description of how PGP actually works, a simple Google search turned up two good sites, wiseGeek and PGPI.org, with the related information. Check them out!
Why PGP Isn’t Used More Often
If PGP is so good, why isn’t everyone using it?
- Users are already familiar with email and the way it works. PGP encryption is seen as an additional complication, and the more steps you require of a user, the higher the chance they will not use the product or service at all. That’s just how it is. Although the process is not really hard, as you’ll see shortly, many users do not welcome change.
- PGP is not widely supported by default. The webmail platforms you’re familiar with, such as Gmail, Yahoo Mail and Hotmail, do not support it. To use PGP with these accounts without a third-party desktop email client, you would have to find a browser add-on. Because the webmail platforms include no PGP integration, I use a desktop email client, Mozilla Thunderbird, to work with PGP.
- PGP requires that all parties in the conversation have PGP installed. This is perhaps the biggest deal breaker. If I sign an email with my private key (which proves that I, and no one else, sent it) and send it to Bob and Alice, both of them must have PGP software plus my public key in order to verify the signature; otherwise all they see is a block of gibberish at the end of the email and they wonder whether I’m playing a cruel joke on them. Likewise, to encrypt an email to them I need their public keys, and they need their own private keys to read it. Even if you set up PGP correctly on your computer (as you’ll learn below), logging into the same account through the web interface will not let you read encrypted messages, because most webmail platforms, as mentioned above, do not support PGP. So to read your encrypted email you must use your PGP-configured computer. Hardly efficient, right? But that’s how it is as of right now.
- Many users believe that the emails they send and receive contain nothing confidential. But what about the times when privacy and confidentiality are needed? Then both parties either have to learn PGP or exchange the information through some other channel. In most cases users will simply send the email unencrypted anyway, either because they are too lazy to set up PGP (if they even find out about it in the first place) or because another communication method is at hand.
Using OpenPGP with Thunderbird
Here I will demonstrate how to use PGP with the Thunderbird desktop email client. Thunderbird is the popular email client developed by Mozilla, the same team that brought you the Firefox web browser, and a rival to Microsoft’s Outlook. The main reasons I chose Thunderbird over Outlook are speed, the fact that it doesn’t cost a penny, and that OpenPGP is much easier to set up in Thunderbird than in Outlook.
Prerequisites for this Tutorial:
- A Thunderbird email client configured with an email account. I personally recommend Gmail, as it gives you IMAP support without jumping through any hoops.
- A friend who is willing to experiment with PGP on their own machine for testing purposes. If you cannot find a volunteer, use a second computer and configure Thunderbird there with a different email account; feel free to create a dummy account for this. That second account will also need to be set up with OpenPGP. If you don’t have a spare computer, use virtualization; if you run Windows 7 Professional or higher, you are entitled to use Windows XP Mode. If none of these are possible, I can be your testing partner for this exercise: email me your public key, then download and import my public key listed at the beginning of the Testing section.
1. We first need to install the actual encryption software. PGP itself is a commercial product (now owned by Symantec Corporation). Fortunately, the message format it uses was published as an open standard called OpenPGP, and there is a free, open source implementation of that standard called GnuPG (GPG) that anyone can use without fees or restrictions. You can download it here. From now on I will use the terms PGP, OpenPGP and GnuPG loosely for the same thing. I’m assuming you are using a Windows machine. Scroll down to the Binaries section and click on the first FTP link for the download to begin. As of this writing, the latest version is 1.4.10b. For the installation, just keep hitting Next and you should be fine.
2. GnuPG is actually a command line application. Because the Enigmail team knows that users hate working at the command line, they have created an awesome Thunderbird add-on that acts as a graphical front end for GnuPG. You can download the Enigmail Thunderbird add-on here.
Once downloaded, open Thunderbird and go to Tools ==> Add-ons. Hit the Install button and browse to the Enigmail XPI file. Restart Thunderbird when prompted.
3. Once Thunderbird restarts, you should see a new menu at the top titled OpenPGP. We now have everything in place to create our public/private key pair. Click the OpenPGP menu and select Setup Wizard. Hit Next, making sure the wizard radio button is selected.
Next, you choose which email accounts (if you have more than one) to create keys for. In the picture you can see three accounts listed: a personal account, one for this blog and a newsgroup account. I’ll create a key pair only for the blog account, so I leave only that one checked. On my second computer I’ll create a different key pair for my personal account, which lets me demonstrate how OpenPGP works once everything is configured.
Next, you’ll be asked whether you want to sign all outgoing emails with your digital signature. Your signature proves to the recipient that the email was sent by you and that it was not altered in transit. The contents are not encrypted, however, so anyone can still read the email. Users without a PGP-aware client will see the signature as a big blob of random text, which may confuse them. In my opinion it’s best to pick by hand which emails to sign.
Next, you’ll be asked whether you want to encrypt all outgoing emails from now on. Again, think about the consequences. To encrypt an email you need the recipient’s public key in your keyring, and the recipient needs the matching private key (and PGP software) to read it; otherwise the email is meaningless to them. My advice, again, is to pick by hand which emails to encrypt.
Next is the Preferences window. Enigmail suggests a few changes to your email preferences to work better with OpenPGP. As the description states, the main change is to compose plain text emails by default rather than HTML. OpenPGP does not cope well with HTML mail (clients tend to reflow or re-encode HTML, which breaks signatures), so it’s usually best to write in plain text. This is recommended, not required. You can always compose a single plain text email by holding the Shift key while clicking the Write button in Thunderbird. I left this option unchecked as well.
Alright, so we’re finally at the good part: creating the key pair. We need a really strong passphrase to protect the private key. Any time you sign or decrypt an email with the key you will be asked for this passphrase (the prompt can be turned off, which I don’t recommend). Make the passphrase as strong as possible; it is the only thing protecting the private key file if your computer is lost or stolen, as discussed further below.
In the summary window, review the choices you have made; if anything needs changing, hit the Back button. Note that the key pair generated by the wizard will be valid for 5 years. Once the 5 years are up, you’ll need to create a new key pair or extend the expiry of the existing one. If you want a different expiration time, generate the key pair without the setup wizard. If everything looks fine, hit Next and your key pair will be generated.
Once the key pair has been generated, you’ll be asked whether you want to create a revocation certificate for it. This allows you to easily revoke the key pair and mark it untrustworthy. For example, if your private key is compromised, you’ll want to mark the key as revoked so that people holding your public key know not to encrypt email to it any more, because a third party may be able to read it. The certificate is generated now, while you still have the private key and the passphrase, precisely because you may not have either when you need it. If you generate it, save the resulting file and type in your passphrase. Store that certificate in a very safe place and only use it if your private key is compromised or lost.
I can help with this part of the experiment if you have no one to test OpenPGP with. Simply email me your public key (you’ll learn how next), then download and import my public key into your keyring. Once we have both imported each other’s public keys, we can trade secure emails. For anyone interested, here is my public key for download (right click and choose Save Link As) if you wish to test the OpenPGP encryption feature.
1. Alright, so now I’ll assume the second email account (whether it’s your friend’s or a second dummy account you created) has also gone through the steps above and generated its own key pair. We now need to exchange public keys. We can do this one of two ways: attach the public key to an email and send it to the other party, or upload it to a public key server so that anyone can download it. Since this is a test session, I’ll export my public key and send it to my other account manually.
In the OpenPGP menu, select Key Management and check the “Display All Keys by Default” option. Right click your own key and select “Send Public Keys by Email”.
An email compose window pops up with your public key attached. Address the email to your test account and send it. Now, on the test account, we need to import that public key into the keyring. Open the email and save the attached public key. In Key Management under OpenPGP, select File ==> Import Keys from File and browse to the file you just saved. You should get a message confirming the import. Now do the same export/import procedure from the test account back to your main account. Once that is done, each account should have the other’s public key in its keyring. One check worth doing whichever way you exchange keys: compare the key’s fingerprint with the other person over a channel an attacker cannot tamper with (phone, in person) before you trust it. An email attachment or a key server can just as easily hand you a key that someone else generated in your friend’s name, and encrypting to that key means the impostor reads your mail.
2. At this point everything is in place to test our OpenPGP setup. In Thunderbird (either account will do), hold the Shift key and click Write to compose a new plain text email. Write a test email of some sort and address it to the other account.
To encrypt the message, click the OpenPGP icon at the top. A small window appears with three options. Check the encrypt and/or sign options as you wish; you can leave the third option alone.
Nothing happens at first, but when you hit Send you’ll be presented with the passphrase dialog. If you chose not to sign, you won’t be asked for a passphrase at all: encrypting needs only the recipient’s public key, so OpenPGP looks up the key matching the address in the To: field in your keyring and encrypts with it automatically. Signing needs your private key, which is why it prompts for the passphrase.
3. Once the email has been sent, check the inbox of the other account. When you open the email you’ll be presented with a passphrase window; type the passphrase for that account’s key to decrypt the email. If everything went smoothly, you’ll see the message in its original form, as seen here:
So what happens when a third party gets their dirty hands on our message? Because they don’t possess the private key matching the public key the message was encrypted to, they will never be able to decrypt it. What they can still see is the envelope: the subject line, sender and recipient addresses, timestamps and, inside the blob itself, the ID of the key the message was encrypted to. PGP protects the body only. This is all they get of the body:
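To show exactly what that blob gives away, here is an added example of mine (not Enigmail or GnuPG code) that builds and then dissects a message in the same shape `gpg --encrypt` produces: the ASCII armor with its CRC-24 line, and the packet sequence inside it, which starts with a “public-key encrypted session key” packet carrying the recipient’s key ID in the clear (RFC 4880). The key ID and the “encrypted” bytes are constructed filler so it runs offline; only the structure is real.

```python
"""Dissect an ASCII-armored OpenPGP message the way an eavesdropper could. Constructed sample data."""
import base64
import os

PACKET_NAMES = {1: "Public-Key Encrypted Session Key", 2: "Signature", 3: "Symmetric-Key Encrypted Session Key",
                4: "One-Pass Signature", 5: "Secret Key", 6: "Public Key", 8: "Compressed Data",
                9: "Symmetrically Encrypted Data", 11: "Literal Data", 13: "User ID",
                18: "Sym. Encrypted Integrity Protected Data"}
PK_ALGORITHMS = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def crc24(data: bytes) -> int:
    """CRC-24 used by the armor checksum line (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(body: bytes, kind: str = "MESSAGE") -> str:
    """Wrap binary packets in the text form that travels inside the email."""
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    checksum = base64.b64encode(crc24(body).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "", *lines, "=" + checksum, f"-----END PGP {kind}-----", ""])


def dearmor(text: str) -> bytes:
    """Reverse of armor(); refuses data whose CRC-24 line does not match."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    inner = [line.rstrip() for line in lines[1:-1]]
    if "" in inner:                                   # armor headers (Version:, Comment:) end at a blank line
        inner = inner[inner.index("") + 1:]
    data = base64.b64decode("".join(line for line in inner if not line.startswith("=")))
    crc_lines = [line for line in inner if line.startswith("=")]
    if crc_lines and crc24(data) != int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: message corrupted or tampered with")
    return data


def new_format_packet(tag: int, body: bytes) -> bytes:
    """Encode one packet with a new-format header (RFC 4880 section 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def parse_packets(data: bytes) -> list:
    """Walk the packet sequence and report what is visible without any key."""
    pos, packets = 0, []
    while pos < len(data):
        first, pos = data[pos], pos + 1
        if not first & 0x80:
            raise ValueError("packet header bit 7 must be set")
        if first & 0x40:                                                  # new format header
            tag, b1, pos = first & 0x3F, data[pos], pos + 1
            if b1 < 192:
                length = b1
            elif b1 < 224:
                length, pos = ((b1 - 192) << 8) + data[pos] + 192, pos + 1
            elif b1 == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not handled in this example")
        else:                                                             # old format header
            tag, length_type = (first >> 2) & 0x0F, first & 3
            if length_type == 3:
                length = len(data) - pos
            else:
                size = (1, 2, 4)[length_type]
                length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        body, pos = data[pos:pos + length], pos + length
        info = {"tag": tag, "name": PACKET_NAMES.get(tag, "unknown"), "length": length}
        if tag == 1 and body[0] == 3:                                     # PKESK v3: the metadata leak
            info["key_id"] = body[1:9].hex().upper()                      # which key it is encrypted to
            info["algorithm"] = PK_ALGORITHMS.get(body[9], f"algo {body[9]}")
            info["session_key_bits"] = int.from_bytes(body[10:12], "big")  # MPI bit length
        packets.append(info)
    return packets


def build_sample_message(key_id: bytes = bytes.fromhex("1234567890ABCDEF")) -> bytes:
    """Constructed stand-in for gpg --encrypt output: a PKESK packet followed by a SEIPD packet."""
    session_key_mpi = (2048).to_bytes(2, "big") + b"\xc3" + os.urandom(255)   # filler, not real RSA output
    pkesk = new_format_packet(1, b"\x03" + key_id + b"\x01" + session_key_mpi)  # version 3, key ID, RSA
    seipd = new_format_packet(18, b"\x01" + os.urandom(64))                     # version 1 + filler
    return pkesk + seipd


if __name__ == "__main__":
    armored = armor(build_sample_message())
    print(armored)
    for packet in parse_packets(dearmor(armored)):
        print(packet)
```

The eavesdropper learns that this is an RSA-encrypted message for key `1234567890ABCDEF` and roughly how big the key is, and nothing about the contents. If that key ID is something you would rather not reveal, GnuPG’s `--hidden-recipient` option replaces it with zeros. The CRC-24 line is only an integrity check against transmission damage, not a security feature; integrity against tampering comes from the signature and the MDC inside the encrypted packet.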
OpenPGP works *only* if all parties use it. If they don’t, the system breaks down and serves no purpose. We need to start pressuring companies and organizations to give users the option of OpenPGP on their platforms. Email encryption may be standard practice in businesses and organizations, but that doesn’t mean ordinary people have to put up with the insecurity of the email system. Imagine if giants like Microsoft, Google and Yahoo let their users use OpenPGP in their webmail: communications would be a lot more secure and it would be a huge blow to the bad guys. As of right now, not enough is being done to promote OpenPGP. Hopefully in the near future we will get to use email without fear of malicious eavesdroppers.
What Happens When My Computer Gets Stolen?
If someone stole your computer, here’s what can happen:
1. The thief CAN send emails to your contacts on your behalf, and can even send *encrypted* emails to them, because encrypting only needs their public keys, which are sitting in your keyring. This is no different from not using OpenPGP at all: anyone who steals your computer, or hacks into your Gmail or Hotmail account, can log in and send email claiming to be you. To limit this, change your email password (Google, Yahoo, Hotmail, etc.) as soon as you realize the computer is gone, so the thief’s copy of Thunderbird can no longer send on your behalf.
2. What the thief CANNOT do, at least not immediately, is sign emails as you or decrypt emails that were encrypted to you. Both operations need your private key, which is unlocked only by your passphrase. So if you sent a friend 100 signed emails before the laptop was stolen and the thief then sends one that is not signed (he cannot use your private key), that should raise a red flag, provided your friend has got into the habit of checking for the signature. This is what makes OpenPGP so useful: without it, anyone can claim to be you; with digital signatures, recipients can verify that a message really came from you.
3. While the thief cannot use your private key at first, he now possesses the private key file itself and has all the time in the world to guess your passphrase offline, with no lockout and no server to notice the attempts. Once he succeeds, GAME OVER: he can sign emails as you and decrypt everything ever encrypted to your public key. Once your private key file is in someone else’s hands, treat the key as compromised even if a 20-character passphrase protects it. In that situation, create a new key pair and start over. Publish the revocation certificate you generated earlier so that anyone who fetches your old key sees it is revoked, tell your friends to delete the old public key, and send them the new one. After that it no longer matters whether the thief actually cracks the passphrase, because you are no longer using the old key pair (although if he does, he can still read the encrypted emails that were on the computer when it was stolen). On a bigger stage, this is called key revocation.
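How hard the thief’s job is depends on two things: how much of the passphrase he has to guess, and how much work each guess costs. OpenPGP makes each guess expensive with the “iterated and salted” string-to-key (S2K) step from RFC 4880, which hashes the salt and passphrase over and over until a configurable number of bytes has gone through the hash. The added example below (my own code, not GnuPG’s) implements that S2K derivation, then runs the thief’s side: an offline wordlist attack against two constructed “keyring records”. The records store a hash of the derived key as a stand-in for “does this key decrypt the secret material?”, so nothing here touches real secret keys; the wordlist, salt and passphrases are made up. Note that GnuPG itself picks the iteration count by timing the CPU when the key is created, so the counts below are just illustrative.

```python
"""RFC 4880 iterated+salted S2K and an offline passphrase guess, with constructed data."""
import hashlib
import time


def decode_count(coded: int) -> int:
    """Octet-coded iteration count: (16 + low nibble) << (high nibble + 6)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        hash_name: str = "sha256", key_len: int = 32) -> bytes:
    """Hash (salt || passphrase) repeated until `count` octets have been fed in."""
    if len(salt) != 8:
        raise ValueError("S2K salt is 8 octets")
    if key_len > hashlib.new(hash_name).digest_size:
        raise ValueError("keys longer than one digest need the multi-context variant")
    block = salt + passphrase
    count = max(decode_count(coded_count), len(block))  # spec: never fewer than one full block
    chunk = block * max(1, 8192 // len(block))           # feed many repeats per update() call
    h = hashlib.new(hash_name)
    remaining = count
    while remaining:
        piece = chunk[:remaining]                        # stays aligned to the repeated stream
        h.update(piece)
        remaining -= len(piece)
    return h.digest()[:key_len]


def protect(passphrase: bytes, salt: bytes, coded_count: int) -> dict:
    """Stand-in for a keyring entry: salt, count, and a check value derived from the key."""
    key = s2k_iterated_salted(passphrase, salt, coded_count)
    return {"salt": salt, "coded_count": coded_count,
            "check": hashlib.sha256(b"check" + key).digest()}  # stand-in for "does it decrypt?"


def crack(record: dict, wordlist):
    """The thief's loop: derive a key per candidate, compare, no lockout, no rate limit."""
    for candidate in wordlist:
        key = s2k_iterated_salted(candidate.encode(), record["salt"], record["coded_count"])
        if hashlib.sha256(b"check" + key).digest() == record["check"]:
            return candidate
    return None


def guesses_per_second(salt: bytes, coded_count: int, seconds: float = 0.2) -> float:
    """Measure how fast one CPU core can test guesses at a given iteration count."""
    deadline, n = time.perf_counter() + seconds, 0
    while time.perf_counter() < deadline:
        s2k_iterated_salted(b"guess%d" % n, salt, coded_count)
        n += 1
    return n / seconds


WORDLIST = ["password", "123456", "letmein", "qwerty", "thunderbird", "enigmail", "hunter2"]  # constructed
SALT = bytes.fromhex("0f1e2d3c4b5a6978")                                                      # constructed
WEAK = protect(b"letmein", SALT, 0x60)                            # 65,536 octets hashed per guess
STRONG = protect(b"correct horse battery staple 1991", SALT, 0x60)

if __name__ == "__main__":
    print("weak passphrase recovered:  ", crack(WEAK, WORDLIST))
    print("strong passphrase recovered:", crack(STRONG, WORDLIST))
    for coded in (0x60, 0xC0, 0xFF):
        rate = guesses_per_second(SALT, coded)
        print(f"coded 0x{coded:02X} = {decode_count(coded):>10,} octets per guess: {rate:,.0f} guesses/s")
```

The iteration count buys a constant factor (the maximum coded value, 0xFF, is about 65 MB of hashing per guess, roughly a thousand times more than 0x60), which slows a wordlist attack but does nothing against a passphrase that is in the wordlist. Passphrase entropy is what the thief cannot buy his way around, and that is why the wizard asks you for a long one.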
Additional Notes of Interest
- If you wish to use OpenPGP on multiple computers, configure the email account on one computer, then export the secret key and import it on the others, and you’ll be back in business. The exported file is still protected by your passphrase, but treat it as sensitive anyway: move it over a secure channel (not unencrypted email) and delete the copy once it is imported. Do know that the more computers that hold your private key, the higher the chance of it being compromised. When that happens, you need to revoke the key immediately to render it invalid. How you would find out that your private key has been compromised is another story.
- If you only have a handful of recipients who use OpenPGP, it’s usually best to just send them your public key by email and be done with it. If you plan on using OpenPGP as your main means of email communication, you’ll want to upload your public key to a key server, so that anybody can find it and encrypt to you without you lifting a finger. The decision is up to you. Remember that publishing your public key (which means just about anyone can use it to encrypt email to you) does not weaken the key in any way; it is computationally infeasible to derive the private key stored on your computer from the public key alone. Two caveats, though: anyone can upload a key to a key server under any name, so a key found there is only as trustworthy as the fingerprint you have confirmed with its owner; and a key cannot be deleted from the servers once uploaded, only revoked, so the email address on it stays public.
- You sign an email with your own private key for verification purposes only; signing is not encryption. If you send an email to Bob, Joe and Alice signed with your private key, anyone with your public key can verify the signature, and anyone who gets hold of the message can read it, since nothing was encrypted. A signature only proves that you, and no one else, produced that message (and that it has not been altered since). If you need confidentiality, you must encrypt the email with each recipient’s public key; then only they can read it, because only they hold the matching private key.
- This tutorial only covers getting OpenPGP up and working with Thunderbird. To set other preferences, go to OpenPGP ==> Preferences and hit the Display Expert Settings button, where you can view and set advanced options for how OpenPGP works with your email accounts and keys.
- Keep in mind that from now on you can only read your encrypted emails in Thunderbird, because that is where your private key lives to decrypt them. If you log back into Gmail’s web interface (www.gmail.com), you have no way to decrypt the messages and they will be unreadable to you. You must remember this at all times. Browser add-ons exist that may help, but if you use a lot of different computers it will be hard to keep up with all of them.