getting started with GPG

BigEasy
Level 6
Posts: 1282
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: getting started with GPG

Post by BigEasy »

Chiefahol wrote: Furthermore, if you were not using GPG, all of your emails would still be collected indiscriminately and stored forever.
But if I am using GPG, will they, with fear in their eyes, delete it forever as soon as I have read it? :mrgreen:
Every ISP and every email provider is collecting everything for at least 3-5 years regardless of contents (regardless of user's agreements too).
Since they are already targeting everyone, GPG emailing would still give you far superior privacy IMO.
If I want to hide something from my wife then probably yes. Sometimes it is also necessary, I do not argue :mrgreen:

Even if they can't read your messages but find them interesting ("Look, John! That guy looks like he has something important to hide, IMO"), they will knock on your door (GPG is only on the internet, not in real life, so they always know where your door is) and ask insistently. What secret service decoding? You will tell them everything yourself. I'm not paranoid, I knew that.
Windows assumes I'm stupid but Linux demands proof of it
Chiefahol

Re: getting started with GPG

Post by Chiefahol »

BigEasy wrote: Even if they can't read your messages but find them interesting ("Look, John! That guy looks like he has something important to hide, IMO"), they will knock on your door (GPG is only on the internet, not in real life, so they always know where your door is) and ask insistently. What secret service decoding? You will tell them everything yourself. I'm not paranoid, I knew that.
Depends where you live i guess, as someone who does not live in the USA, i am not particularly worried about the MIB knocking. :lol:
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: getting started with GPG

Post by mike acker »

the Gnu Privacy Guard (GnuPG, currently "gpg2") can be incorporated into software where security is needed

we have been stepping through how this is done in the ENIGMAIL plugin for the Thunderbird eMail client

you can play with GnuPG in TERMINAL,-- if you like to learn more about it. Open terminal and enter

Code: Select all

gpg2 --version

you should get something like this:

Code: Select all

$ gpg2 --version
gpg (GnuPG) 2.0.26
libgcrypt 1.6.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

you can enter

Code: Select all

man gpg2

and it will display all of the tokens you can use on the command line

one of the features that is critically needed is the detached signature

in any case where you have a file and you want to authenticate it -- you can create a detached signature for that

in my example here I have a test file: test.txt:

Code: Select all

This has been a test.

Had it been an actual alert you would not have received this message.

I want to make a signature for it so that you can verify its authenticity. this is easy to do on command line but remember this can be incorporated into packaged software

Code: Select all

$ gpg2 --local-user "Mike Acker" --detach-sign --armor --sign test.txt

You need a passphrase to unlock the secret key for
user: "Mike Acker <mike_acker@charter.net>"
4096-bit RSA key, ID 4DEA0DAD, created 2015-09-02

the result is an added file: test.txt.asc

Code: Select all

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAABCAAGBQJV+UeoAAoJEPbpQbFN6g2tAMsQAJIKdoVCK+2+cjtZjzwRlrib
hNNf6mriq6IMQniLffUuBwPi2+ImpR6BLexBmcG5xqlxOjLhuN8oYzCe6ijqO8cO
KnGe6XgmsbuYZ+pU5CQtJRKagqYGozk2XzszcQD3CnnmUVkXOR8n+hXHKUUSpdh9
cIp8K55LChGsuTSY42NvJT6tsvk56IuDb7Lw8U1JgfuxmsiBY/ZtpjcTkYL92j31
HHkMkeiFY5YboGRMO94TjV5wRuZZpqqaXFfK5iOVmmJRsuphhK7ZtngjJ6zGIZcv
Omi9xvXq4a90bv9FYPmyay9LGASXFubyy7ipvuMLcb8nfZwVDmxvG9i6P3z9PHHB
gwkHNWnNON9gBGLy4UXMm4HeIKI7V+JtmMbyTQrVdle82udX6KUQi2bh2hzm24Su
3+NMU/WburtTYvI4NdbqrRTjtFVNLPmHNCLPK5/CHEPue/YDXclagdDSM9Vd2wP5
rlMHCjUUtfD03M4+gOb07tLis86CkVVAD9fV8xWfM2+5fQGAW0mmaUUiUlH00lS9
PcBJ8P6nUAC+aJX2m/4eERnxqTRjD5PoEThd9+UCMjYPyHAOMA2pgKic/0cW+VHe
0MvbBYHIxegBLfC8yF7jI+GenrecdCI8Hk8zkvXqzWqXF24W5vNA673tbbxvTrH+
W4BL7dINw7EBRUI1PnSa
=kbcV
-----END PGP SIGNATURE-----

the signature can then be used to authenticate the document -- provided that you have a trusted copy of my public key:

Code: Select all

$ gpg2 --verify test.txt.asc
gpg: assuming signed data in 'test.txt'
gpg: Signature made Wed 16 Sep 2015 06:42:48 AM EDT using RSA key ID 4DEA0DAD
gpg: Good signature from "Mike Acker <mike_acker@charter.net>" [ultimate]

if even one bit is changed in the corresponding file -- test.txt corresponds with test.txt.asc -- the signature will not verify

Code: Select all

$ gpg2 --verify test.txt.asc
gpg: assuming signed data in 'test.txt'
gpg: Signature made Wed 16 Sep 2015 06:42:48 AM EDT using RSA key ID 4DEA0DAD
gpg: BAD signature from "Mike Acker <mike_acker@charter.net>" [ultimate]

all that i did was to add a line feed character to the end of the last line. if I did anything at all to the test.txt file it will not verify

Code: Select all

This has been a test.

Had it been an actual alert you would not have received this message.

in the next annex we will talk about forms 1040. remember: if you have several documents that need to be submitted together they should be zipped. the .zip is then signed and then the signature with the .zip containing the documents can be zipped into a transmittal package. this is the manner in which Symantec/PGP products have been delivered . while this might sound like a lot of fuss -- remember -- the process should be incorporated into a software solution so that it is done automatically . the only thing external is the need to verify and authenticate the encryption keys,-- i.e. make sure you know who you are communicating with. this is important for Forms 1040 and similar business .
¡Viva la Resistencia!
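
What the test.txt.asc from the post above carries in the clear, as an added example that is not part of the original posts: this Python code decodes the first line of the armored signature shown there and reads the OpenPGP signature packet header. The function names are hypothetical, the algorithm numbers are the RFC 4880 IDs, and only old-format version 4 signature packets are handled.

```python
import base64
from datetime import datetime, timezone

# First line of the armored test.txt.asc shown in the post above: 64 base64
# characters = 48 bytes, which covers the whole signature packet header.
FIRST_ARMOR_LINE = "iQIcBAABCAAGBQJV+UeoAAoJEPbpQbFN6g2tAMsQAJIKdoVCK+2+cjtZjzwRlrib"

# RFC 4880 algorithm IDs (the ones listed by `gpg2 --version` in the post).
PUBKEY_ALGOS = {1: "RSA", 16: "ELG", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}


def read_subpackets(area):
    """Return {type: body} for one v4 signature subpacket area."""
    found, i = {}, 0
    while i < len(area):
        length = area[i]
        i += 1
        if 192 <= length < 255:                      # two-octet length
            length = ((length - 192) << 8) + area[i] + 192
            i += 1
        elif length == 255:                          # five-octet length
            length = int.from_bytes(area[i:i + 4], "big")
            i += 4
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket area")
        # The length counts the type octet; bit 7 of the type is the "critical" flag.
        found[area[i] & 0x7F] = area[i + 1:i + length]
        i += length
    return found


def parse_signature_header(b64_text):
    """Decode the start of an old-format OpenPGP v4 signature packet."""
    data = base64.b64decode(b64_text)
    if data[0] & 0xC0 != 0x80:
        raise ValueError("not an old-format OpenPGP packet")
    tag, length_type = (data[0] >> 2) & 0x0F, data[0] & 0x03
    if tag != 2 or length_type > 2:
        raise ValueError("not a definite-length signature packet")
    size = 1 << length_type                          # 1, 2 or 4 length octets
    body_len = int.from_bytes(data[1:1 + size], "big")
    body = data[1 + size:]
    version, sig_type, pubkey, digest = body[0:4]
    if version != 4:
        raise ValueError("only version 4 signatures are handled")
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = read_subpackets(body[6:6 + hashed_len])
    pos = 6 + hashed_len
    unhashed_len = int.from_bytes(body[pos:pos + 2], "big")
    unhashed = read_subpackets(body[pos + 2:pos + 2 + unhashed_len])
    pos += 2 + unhashed_len + 2                      # also skip left 16 bits of the hash
    subs = {**unhashed, **hashed}                    # hashed (signed) values win
    if 2 not in subs or 16 not in subs:
        raise ValueError("creation time or issuer subpacket missing")
    created = int.from_bytes(subs[2], "big")         # subpacket 2: creation time
    return {
        "body_len": body_len,
        "sig_type": SIG_TYPES.get(sig_type, hex(sig_type)),
        "pubkey": PUBKEY_ALGOS.get(pubkey, str(pubkey)),
        "hash": HASH_ALGOS.get(digest, str(digest)),
        "created_epoch": created,
        "created_utc": datetime.fromtimestamp(created, tz=timezone.utc).isoformat(),
        "issuer": subs[16].hex().upper(),            # subpacket 16: 64-bit key ID
        "issuer_signed": 16 in hashed,               # False: it is in the unhashed area
        "sig_bits": int.from_bytes(body[pos:pos + 2], "big"),  # MPI bit count
    }


if __name__ == "__main__":
    for field, value in parse_signature_header(FIRST_ARMOR_LINE).items():
        print(f"{field:14} {value}")
```

The decoded fields agree with the `gpg2 --verify` output in the post: an RSA signature over a binary document, made at 10:42:48 UTC (06:42:48 EDT) on 16 Sep 2015, with the short key ID 4DEA0DAD being the low 32 bits of the issuer ID. The issuer ID sits in the unhashed subpacket area, so it is a lookup hint rather than signed data, and a "Good signature" result still depends on having a trusted copy of the public key.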

Re: getting started with GPG

Post by mike acker »

Authentication

it is important to recognize that "PGP" is mainly about AUTHENTICATION : the verification of IDENTIFICATION

as soon as you stop thinking of PGP as an encryption program and see it as a system for authenticating identifications you will recognize its importance and application

Re: getting started with GPG

Post by mike acker »

Forms 1040

Earlier this year you filed Forms 1040 with the IRS to settle your Tax Liability for 2014.

Unfortunately a lot of crooks also filed fraudulent Forms 1040 -- in order to scam off with tax refunds. CNBC reports the IRS expects tax fraud to hit $21B by 2016

Tax-refund fraud to hit $21 billion, and there's little the IRS can do

This fraud, along with credit card fraud and more -- is generally facilitated by a failure to authenticate. The IRS receives a form 1040 -- and what ? they just run it and pay the refund. maybe 3 years later they might check it .

What can be done?

Forms like 1040 need to be authenticated. PGP or the Gnu Privacy Guard version -- GnuPG -- has that capability -- and has had it for over 15 years

The missing element is a convenient method for everyday people to create and authenticate their private/public key pairs

this needs two things: First a keyring device that can generate and store PGP keyrings. This must NOT be a smart phone; it must be a separate dedicated device using USB connection* -- so you can use it with any related computer.

Second: a means of authenticating public keys is needed . this should be a service of local DMV offices, Credit Unions, Notary Publics, and such -- offices which already authenticate individual identifications . all they need to do is add the ability to authenticate the public key on an individual's keyring device -- and upload it .

after this is done tax software can be changed to access the keyring device and sign the 1040 forms.

the IRS needs to be notified that -- as of a point in time -- forms will be authenticated . non authentic forms would then be rejected . for those using tax prep services the tax prep could sign as agent for the individual -- or the individual could sign the form in the tax prep office using a USB extension connector .

this idea needs more work -- but -- we really ought to get to it . the existing situation is un-acceptable .

* near field radio might also be helpful .

Re: getting started with GPG

Post by mike acker »

the essence of the security debauch in our computer systems today revolves around two fundamental problems:

(1) computer users in the general public have not been provided with the means necessary to acquire digital credentials .

this needs to change . every computer user should have access to the ability to acquire reliable digital credentials: PGP keys and a secure device to service the keys .


(2) a general lack of secure endpoint software

security starts when you press the POWER switch -- and then becomes a function of the operating software . a Secure Operating System will not permit itself to be compromised by the activity of an application program -- whether by error or by intent . a Secure Operating System protects application programs from each other -- again -- covering both error and intent .


data mining be darned: we have business to attend .
Fred Barclay
Level 12
Posts: 4185
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: getting started with GPG

Post by Fred Barclay »

Hey mike_acker! Quick question: what version of thunderbird do you have? Mine is 38.3.0--I suppose this is the latest version.

I'm asking because my options for writing an email are different than http://forums.linuxmint.com/viewtopic.p ... 6#p1065648 . Mine has fewer options and looks much different...
TBfixed.png
Thanks!
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
mzsade
Level 5
Posts: 776
Joined: Sun Jul 19, 2009 4:36 am

Re: getting started with GPG

Post by mzsade »

Chiefahol wrote:I can't help feel that this belongs in the Tutorial section. 8)
I second that. Even though i have no use for encryption of any kind or even privacy for that matter, this is something that i would want to refer to should i ever come to my senses. Thank you Mike.
Linux User #481272 Reg: 15th Sept., 2008

Re: getting started with GPG

Post by mike acker »

mzsade wrote:
Chiefahol wrote:I can't help feel that this belongs in the Tutorial section. 8)
I second that. Even though i have no use for encryption of any kind or even privacy for that matter, this is something that i would want to refer to should i ever come to my senses. Thank you Mike.
why should I use secure communication?

Phil Zimmermann put it this way in his original essay:
It's personal. It's private. And it's no one's business but yours.
I agree.

Many times I hear people say: "I'm not doing anything interesting. Why should I bother with security?"

The answer of course is: Because you don't know what other parties might use your data for. A lot of "hacking" has been accomplished by "targeted" "phishing" -- sending a message that is on-subject and spoofed to appear to be from a known correspondent -- but which in fact is a scam. Usually an infected flash object is used to deliver the payload but word and excel documents infected with scripts or macros have also been used.

which is why I tell people: Authentication is the first thing you are looking for in a security solution like PGP/GnuPG . Scamming, since the days of Kevin Mitnick ( see _Ghost in the Wires_ ) -- has been facilitated by impersonation -- faking credentials . The huge problem with fake tax returns -- also depends on faking credentials -- a form of impersonation : the scamster impersonates the tax payer .

intercepted private messages provide fodder from which scamsters can start their work .

It is key to recognise here then that communication security ( COMSEC ) -- concerns first of all what improper use may be made of information you transmit -- i.e. what other parties might do with your data .

Computer Security starts with your Operating Software. A secure operating system is required. A secure operating system is one which will not allow itself to be compromised by the activity of an application program -- such as a flash file, macro, script, etc

Once you have a secure operating system -- then -- you can implement PGP or GnuPG and address COMSEC .

Remember: an attacker must not be able to get physical access to a protected computer. Nothing helps,-- not even disk encryption. If the attacker installs a root kit on your device then when you log onto <whatever> the attacker is right there in your chair with you -- reading your screen and typing on your keys. He can transfer your bank balance to Russia and cause your computer to print what would appear to be a correct statement.

&&

Re: getting started with GPG

Post by mzsade »

mike acker wrote: ...Remember: an attacker must not be able to get physical access to a protected computer....
&&
This assured safeguard, that no one but i have access to my computer, is the only thing that's making me cocky, but then i don't get out much. Even the Online purchases i make are only those with a Cash On Delivery option. One of these days some "Grey Hat" will hack me just to teach me a lesson. :lol:

Re: getting started with GPG

Post by Fred Barclay »

While choosing "Digitally sign this message" under S/MIME I get "You need to set up one or more personal certificates before you can use this security feature. Would you like to do so now?" What should I do? What exactly is a personal certificate? :)
TB2fixed.png
Thanks!

Re: getting started with GPG

Post by mike acker »

Fred Barclay wrote:While choosing "Digitally sign this message" under S/MIME I get "You need to set up one or more personal certificates before you can use this security feature. Would you like to do so now?" What should I do? What exactly is a personal certificate? :)
TB2fixed.png
Thanks!
you are selecting s/mime rather than pgp/mime:
pgp-mime-option.png
s/mime would be used -- if -- you obtained an x.509 (SSL) certificate. This is an entirely different method.

for GnuPG to work in Thunderbird you need to have installed the ENIGMAIL plug-in for Thunderbird. It's the plug-in that adds the PGP options to the Thunderbird client as shown in the image here . remember to use

Code: Select all

MINT Forum GPG Test

as the subject in a test message if you send me an email test at mike_acker@charter.net

OpenPGP v Gnu Privacy Guard (GnuPG)

Post by mike acker »

OpenPGP v Gnu Privacy Guard (GnuPG)

it is my understanding from the ENIGMAIL mail list that Thunderbird/ENIGMAIL will be switching from GnuPG to OpenPGP. The reason, according to what I've read on that list -- is that Mozilla requires programming for Thunderbird to be done using Javascript* only . Further, again from what I've read on the mailing list -- "OpenPGP" is written in JavaScript

this grates on me against proper programming: critical work should be done using C or asm.

CLAWS Mail

I've been looking into CLAWS mail -- which is also distributed for us in the Package Manager. And it appears CLAWS interfaces into GnuPG using GPGME -- where GPGME ( GPG Made Easy ) is an interface into GnuPG -- written in C

according to the help menus on CLAWS for this to work it is necessary to install the GnuPG plug-in -- again -- this is available in the package manager that we have as part of MINT ( I'm working from 17.2 --- until we clear Beta on 17.3 )

I installed the plug-in from the package manager and CLAWS connected with GnuPG with no further action on my part :D . remember the keyrings belong to GnuPG . CLAWS immediately found my keys with no further fuss .

I have not been able to ascertain that GPGME is using GPG2 -- hopefully it is as the earlier version should be regarded as "deprecated" .

UPDATE: by sending a signed eMail from CLAWS into Thunderbird I was able to display the signature block that CLAWS generated. It showed that GPG2 had been used .

at this point these notes are "informational"; I hope to work through this in greater detail in the coming weeks .

---
* Javascript
In LINUX the text ( binary executable ) of a program should normally be running on protected ( READ|EXEC only ) pages . I'll post a question on the GnuPG mail list and try to find out that this is done for GPG/GPG2 ( or it could be executing in Kernel mode but I would not think it would be ) . The huge question that concerns me is whether a script such as Javascript is subject to the same security. Javascript is just ASCII and is interpreted by a run-time executor . it might be regarded as ordinary data -- and left running on a READ|WRITE page -- which would be unacceptable .

Re: getting started with GPG

Post by Fred Barclay »

mike acker wrote: you are selecting s/mime rather than pgp/mime:

s/mime would be used -- if -- you obtained an x.509 (SSL) certificate. This is an entirely different method.
Oh I see. :)

I don't have that option AFAIK, though:
TB3.png
I do have enigmail installed:

Code: Select all

fred@aussie! ~ $ sudo aptitude search enigmail
[sudo] password for fred: 
i   enigmail                                                               - GPG support for Thunderbird and Debian Icedove                                   
p   enigmail:i386                                                          - GPG support for Thunderbird and Debian Icedove                                   
v   iceape-enigmail                                                        -                                                                                  
v   iceape-enigmail:i386                                                   -                                                                                  
v   icedove-enigmail                                                       -                                                                                  
v   icedove-enigmail:i386                                                  -                                                                                  
v   xul-ext-enigmail                                                       -                                                                                  
v   xul-ext-enigmail:i386                                                  -         

Re: getting started with GPG

Post by mike acker »

Fred Barclay wrote:
mike acker wrote: you are selecting s/mime rather than pgp/mime:

s/mime would be used -- if -- you obtained an x.509 (SSL) certificate. This is an entirely different method.
Oh I see. :)

I don't have that option AFAIK, though:
TB3.png
I think you have an old version of Thunderbird-- you should be on v 38x
it should look like this:
enigmail-on-tbird.png
even on the old one though to get ENIGMAIL to work you need to select the SIGN option and|or the ENCRYPT option.

always select the PGP/MIME protocol option . the 'inline' option doesn't work unless your message is strictly plain text.

is your copy of ENIGMAIL communicating with PGP ?
click on the ENIGMAIL option and select Key Management. It should display a list of PGP keys. If you have not yet generated a keypair you need to do that before you try to use Enigmail .
Last edited by mike acker on Sun Nov 29, 2015 4:02 pm, edited 1 time in total.

Re: getting started with GPG

Post by Fred Barclay »

No, it's thunderbird 38.

I did just notice, though, that the version of enigmail in Betsy's repos was 1.7. I just downloaded and installed version 1.8 from the Debian Sid repos and it looks like what you have. :)

Time to do some testing!

Re: getting started with GPG

Post by mike acker »

Fred Barclay wrote:No, it's thunderbird 38.

I did just notice, though, that the version of enigmail in Betsy's repos was 1.7. I just downloaded and installed version 1.8 from the Debian Sid repos and it looks like what you have. :)

Time to do some testing!
Remember: when you encrypt in PGP you have to address the message to a particular recipient(s) and to do that you have to have a copy of their key. mine is on the keyserver; you can pull it in using the key management dialog from the keyserver .

Re: getting started with GPG

Post by Fred Barclay »

Would that affect the pgp/mime option?
I still don't have it. :(
Sorry--newbie alert! :lol:
TB4.png

Re: getting started with GPG

Post by mike acker »

Fred Barclay wrote:Would that affect the pgp/mime option?
I still don't have it. :(
Sorry--newbie alert! :lol:
TB4.png

your screen looks ok

1. when you open Key Management do you see that you have a key pair ?

2. when you open key management select KEYSERVER and then Search for Keys. put in my eMail address to search for my key:
mike_acker@charter.net

it should pull the key right in . after that you can encrypt a message to me; without that key it will just give you an error

3. start by sending a plain message to make sure your e/mail is working ok

Re: getting started with GPG

Post by Fred Barclay »

mike acker wrote:
2. when you open key management select KEYSERVER and then Search for Keys. put in my eMail address to search for my key:
mike_acker@charter.net

it should pull the key right in . after that you can encrypt a message to me; without that key it will just give you an error
You have four keys--which should I import?