Email Security

September 13th, 2008 by Chris

Thanks to Bill for finally pushing me over the edge to secure email communications, I have transitioned to the use of Enigmail/GnuPG for signing and encrypting email. Of course, I must now struggle with the inevitable incompatibilities of the email viewers of the rest of the world. This includes my workplace, my friends’ workplaces, my family (both tech savvy and not so savvy), etc.
For those of you who understand the OpenPGP technology (and encryption in general), the rest of this post will be review, but for those who don’t, it will be needed to provide background for future posts. Thanks to Phil for familiarizing me with the “PAIN” acronym for security:

  • Privacy: Only the intended recipient can view the information.
  • Authentication: The information came from the person you think it did.
  • Integrity: The information has not been tampered with.
  • Non-Repudiation: The sender cannot deny the message was from them.

OpenPGP uses a public-private key encryption system. You can read a lot about this on the web, but I’ll trouble you with a summary. I generate a key-pair which is associated with ME. There is a private key which I keep and never share with anyone, and a public key which I can give to whomever I wish. The encryption system is rather mathematically interesting because it allows anyone with the PUBLIC key to encrypt a message that only the PRIVATE key can unlock. What’s especially funky about this is it allows the unwary sender to encrypt a message that they themselves CANNOT read. [1] So if you want to send me an encrypted message you have to have my public key. Click on the link to download it (then contact me to validate the fingerprint if you wish). This is the Privacy part.
Authentication, Integrity and Non-repudiation are achieved by a process called signing a message. The sender generates a ‘signature’ which is based on the sender’s PRIVATE key (yes, they need a key-pair too) and the content of the message (or attachments). The receiver can validate the signature by combining the sender’s PUBLIC key and the content of the message. Having received a message with a signature from the sender, the receiver knows that the message WAS in fact sent by the sender and has not been altered in between. Think of the signature as an encrypted check-sum. Of course, if the private key is compromised, then all bets are off. So the private key is generally password protected. If you want more information, the Wikipedia article on public-key cryptography is quite good.
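To make the two operations above concrete, here is an added example (not code from this post, Enigmail or GnuPG) that uses textbook RSA with tiny constructed keys to show encrypting with a public key and signing a check-sum with a private key. The function names, the key sizes and the sample messages are assumptions for illustration; real OpenPGP adds padding, hybrid encryption and far larger keys.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_keypair(p, q):
    """Textbook RSA key from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def encrypt(public, plaintext):
    n, e = public
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(private, ciphertext):
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message, n):
    # Toy shortcut: the SHA-256 check-sum is reduced mod n to fit the small key.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    n, d = private
    return pow(_digest(message, n), d, n)  # the "encrypted check-sum"

def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

# Constructed toy keys from known Mersenne primes (far too small for real use).
chris_pub, chris_priv = make_keypair(2**61 - 1, 2**89 - 1)
bill_pub, bill_priv = make_keypair(2**107 - 1, 2**127 - 1)

def demo():
    note = b"lunch at noon"                 # constructed sample message
    sealed = encrypt(chris_pub, note)       # Bill needs only Chris's PUBLIC key
    opened = decrypt(chris_priv, sealed)    # only Chris's PRIVATE key unlocks it
    sig = sign(bill_priv, note)             # Bill signs with his PRIVATE key
    return {
        "opened": opened,
        "genuine": verify(bill_pub, note, sig),
        "tampered": verify(bill_pub, b"lunch at nine", sig),
        "wrong_signer": verify(chris_pub, note, sig),
    }

if __name__ == "__main__":
    print(demo())
```

The last two results are the Integrity and Authentication checks: a changed message or a signature checked against the wrong person's public key fails to verify.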

Whew! You made it through the technical stuff and you’re still reading! I’ve decided to be kind and cut off this post and save some material for a later day. Look for future posts about the impacts and how-to of encrypted email (unless Bill beats me to it).

  1. There’s a setting in Enigmail to prevent this by adding yourself to the recipient list, so the message is also encrypted with your own public key.

2 Responses to “Email Security”

  1. Bill Ruhsam Says:

    re: Enigmail Tutorial: I’m on a content-post hiatus for a few days. And I’ll do my own thing even if you do yours. We’ll probably come at it from different directions.

  2. Email Security: Multiple recipients by Schierer Space Says:

    [...] Email Security: Multiple recipients September 16th, 2008 by Chris [...]
