Xinophobia

I’ve long sang the praises of PGP for secure email and data storage.

The question is: how do I send secure email from a computer where I can’t install any programs?

The answer: PGP on a USB drive!*

The method below will allow you to use all of the GnuPG functions without installing anything on the host computer. In fact, besides file access, there are no any traces that GnuPG was in use.

Ingredients:

- empty, formatted USB drive >128MB – the faster, the better!

- GnuPG 1.4.9 Windows binary – http://www.gnupg.org/download/

- GPGShell 3.73 – http://www.jumaros.de/rsoft/index.html

- Copy2USB 1.05 – http://www.jumaros.de/rsoft/download/Copy2Usb.exe.gpg

- FireFox Portable – http://portableapps.com/apps/internet/firefox_portable

- FireGPG – http://getfiregpg.org/s/home (after FireFox Portable installed)

- SHA1sum – ftp://ftp.gnupg.org/GnuPG/binary/

Directions:

0) Use SHA1sum to check the integrity of the files you downloaded.

1) Install GPGShell on your computer. Install GnuPG in the GPGShell directory. This does not give the cleanest installation but makes everything much easier.

2) Use GnuPG (or some other PGP program) to extract Copy2USB. (Hint: use the decrypt function.)

3) Run Copy2USB. It should be fairly self explanatory. The target directory is a folder on the USB drive.

4) Test the install! Try opening GPGtray and accessing the key manager. If successful go to a command line and check the version “gpg –version” If the home directory is point at C:\Documents and Settings\… then you will need to reset the home folder. This can be done from the gpgconfig program.

Note: Use a fast USB drive. Otherwise, it will seem as if the very paws of Slowcat himself are haplessly fumbling with your instructions.

5) Install FirefoxPortable on the USB drive. Set it up however you like.

6) Install FireGPG as an extension. It may complain about an old library, I haven’t found a way to solve that. However, everything seems to work out fine in the end.

6a) Disable the Gmail integration. At the very least, test it before you rely on it. It doesn’t seem to work properly.

6b) Set the paths. Specify the path to the GPG exectuble. Add a command line option to set the home directory to the proper place on the USB drive. %CD%\..\.. will help here to start the path in your current directory and then go up a couple levels. Not particularly elegant but it works!

7) Test integration with FirefoxPortable. Start GPGTray and create a new keypair. Make the passphrase STRONG! A sentence that is easy for you to remember and difficult for someone to guess is ideal. Throw in some l33t or dirty words. Close the key manager and open the key manager from within FireGPG. If you can see the key, you’ve done things correctly!

Use: Gmail Example

0) Create a new keypair called “Test”. Set the passphrase to something very simple.

1) Open FirefoxPortable. Login to your Gmail account and type a message into the body of the email.

2) Select the entire plaintext message and right click. Choose FireGPG->Encrypt and Sign. In this example. you will encrypt the message with Test’s public key and sign with your private key. You will be asked to enter your passphrase for the private key.

3) Paste the entire PGP message block including headers into the body of the email. You will want to either paste over or delete the plaintext. Send the email to yourself.

4) To decrypt the cyphertext you just sent to yourself, select the cyphertext and right click. Choose FireGPG->Decrypt. You will then be asked to enter the passphrase for the Test private key. If successful, a new window should open up revealing the original message you typed.

Key Points:

1) To Send: Encrypt with the recipient’s public key. Sign with your private key using your passphrase.

2) To Read: Decrypt with your private key using your passphrase.

Of course, you cannot encrypt a message if you don’t know a person’s public key. To find someone’s public key, you can either have them give it to you (via email, paper, telepathy, etc.) or you can search for it on a keyserver like cryptonomicon.mit.edu.

Installing and Using PGP or
HOW TO DO THE STUFF I TALKED ABOUT IN THE LAST POST

This should be no more than a 15-minute process but as the disembodied voice says, your experience may vary.  It looks long but it’s not really that bad.

Part 1) Install PGP

1) The basic functionality of PGP (encryption/decryption/signing…) is available for free in perpetuity as part of PGP Corporation’s PGP Desktop software license. Go to www.pgp.com and click on the “Evaluation” link towards the bottom of the page.
2) Select “PGP Desktop Trial Software (Desktop Client Only)”.
3) Read the text and the license agreement at the bottom of the page. Check the box to accept the license and click “Accept”.
4) Fill out the required information and submit it. PGP Corp will email you a download link to the software. Open the link and click the white “Download” button on the left side of the page.
5) Unzip the downloaded package. There are two files inside and unzip the larger one. The small file is a signature package to verify that the files are legitimate.
6) Follow the install instructions. Reboot as necessary.

Part 2) Creating Your Keys

1) Open up the PGP Desktop and click on “File -> New PGP Key”
2) Follow the instructions and type in your name and email, etc. This will be one of the ways for people to find you. Don’t use aliases unless people can link you to your alias!
3) Enter your passphrase. You can type anything you want in here. Go ahead and use numbers and spaces and wierd symbols. Make it 1) long enough and varied enough to be secure (look at the little bar at the bottom) and 2) short and easy enough that you can type it all the time.
4) Click, click, click and finish.
5) Congratulations! You made a keypair! That’s right, in that little icon is a private key for you and a public key for the world. Don’t give out your private key. Give your public key to *everybody.*

Part 3) Upload your keys and Download others’ keys

1) Go to “Tools -> Edit Keyservers”
2) Add any servers you’d like. I recommend looking at this page (http://www.rossde.com/PGP/pgp_keyserv.html#pubserv) and adding the servers in bold. Be sure to select whether the server is LDAP or HTTP and enter the correct port number. For example, I would select Type:” PGP Keyserver HTTP”, Address: “cryptonomicon.mit.edu”, port: “11371″ and click “OK”.
3) Click on the “All Keys” tab at the top left of the window, find your key and right click to select “Send to -> cryptonomicon.mit.edu”. This will upload your key to the server so that others can find encrypt messages that only you can read.
4) Then click on “Search for keys” and from the dropdown box at the top of the screen select “Everywhere”. This will search all the servers for the key you want. You can also select particular servers if you know which one you want.
5) In the search box, type “xinophobia” and click search. Right click on the most likely-looking result and add it to “All keys”.
5a) My key is on my Contacts page.

Part 4) Excitement! Sending encrypted email

1) Log into your gmail. (The process is mostly the same for desktop email programs)
2) Write a message to someone (ex. xinophobia)
3) Place the cursor in the main body of the text. Find the PGP lock icon on the system tray (lower right side of the screen) and right click on it. Select “Current window -> Encrypt and Sign”
4) Select the recipient of the message and drag it to the “Recipients” box. Click “Ok” and then enter your passphrase to sign it with your key.
5) The plaintext message is automatically replaced with the a strange looking cyphertext block. If not, try pasting the cyphertext from the clipboard.
6) Send it!

Part 5) What to do when you get encrypted email

1) Place your cursor in the body of the cyphertext.
2) Right click on the PGP icon and select “Current Window -> Decrypt and Verify”
3) Enter your key and a box will pop up with the message. If you like, the message can be copied to the clipboard and pasted somewhere else.
4) Read your friend’s encrypted message about this weekend’s BBQ!

Part 6) Sharing your keys

1) Tell your friends where you uploaded your key.
2) Select your key in PGP desktop and click “email this key”.

—The End—

—Epilogue—
Please don’t forget your passphrase. Don’t write it down anywhere! Just don’t forget it. If you use your key everyday, you’ll be pretty safe. It is rumored that “The Government” (which one???) can crack PGP but it’s unlikely “The Government” will help you if you forget your key.

As case law stands now, you are not required to divulge your passphrase. There is still a great deal of controversy as to whether or not encryption is really protected under the 5th Amendment. Try to stay out of trouble.

Any tool which can be used for good can be used for evil and vice versa. (Generally speaking this is true. I’m struggling to come up with a “good” use for Puppy-kicking Boots. Whoever invented that needs to be shot.) Use PGP for good!

As a followup to my post from a few days ago, I posted my PGP public key block on the Contacts page.

Now you can send me secure email!

I will write a brief tutorial on how to install and use PGP shortly…

I noticed something very strange that really should not be: official emails from UT are signed with PGP.

This is very strange because I have rarely come across anyone who used PGP, or any form of public key encryption, on a daily basis.

This shouldn’t be because it’s one of the easiest encryption methods to use. In addition, it is powerful and free.

So why don’t more people use it?

I actually have a keypair generated way back in the mid-90s. At that point, I was still using “edit README.txt” to get instructions. Of course, the passphrase for those keys are long lost. I can only hope that the keys have been revoked for staleness.

Even then, I thought it was terribly neat to be able to send encrypted emails. Besides PGP, there were entire mail services with security as a core component. I still remember my girlfriend and I getting HushMail accounts in all their garish purple glory.

Whatever happened?

GnuPG and PGP desktop are still free. The community, as far as I can tell, is larger than ever. After initial setup, the process is virtually transparent to the user if configured that way.

I don’t use it. Nobody else I know uses it. I wonder how many people who receive UT emails bother to verify the integrity of the message and signature.

I’d like to get your thoughts on why public key encryption isn’t more common especially with the high demand for privacy and security.

And for those of you interested:
GnuPG: http://www.gnupg.org/
PGP Desktop: http://www.pgp.com/downloads/desktoptrial2.php

PGP Desktop, despite the annoying “buy me” ads, has been really handy for local encryption needs on my Windows machines.

Now seems like a good time to create another keypair. Anybody want to join me and trade signatures?