any interest in working with public key encryption ("PGP")

[mike acker]

Code: Select all

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

is anyone interested in learning more about Public Key Encryption?
This would  be GnuPG on our Linux systems -- or 
PGP/Desktop for those needing an "official" commercial system.

Similarly we would use Enigmail on Thunderbird on our Linux systems 
while those needing "official" commercial software would be using Outlook.

I think one of the aspects of Public Key Encryption is
that PGP or GnuPG provides authentication and integrity -- not just encryption.

Authentication allows you to verify that a message 
is from the person who claims to have sent it.

Integrity allows you to verify that a message has not been altered "in transit"

Provided that you have a trusted copy of the other person's public key.  
Which gets us into the subject of Trust Models.  
These are discussed in Phil Zimmerman's original essay on PGP -- and -- 
as far as I'm concerned -- that's still the best read on the topic.

I'll sign this for you with GnuPG -- just for fun.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQEcBAEBAgAGBQJTLJTWAAoJEMxYQmPg90u5iLMH/1MPH3E1kDDtVqxb5BxF42e7
BnYBClU0EfSaZpIQ+stbVAGA9uU96dyPAj/uR1ceep/P0RCkvqJ8BmWSjxUBHjod
lVlrUqSUCD1kBsJ5yu9gC/pBInDT+nMoPgoqZpuc3XqTc43MGKWe9j7lQ2H6VHtu
hT/xSATXUoL5/Ql6tFkrsudW0+3huR4LV+ZPkYq2fXhZb3JSzNhPkE783Kx/Ao+l
Hx8ZSXDWlvNKQbSuRNto7nFZIQT6lnsPM0bhX6iSX4xyjC36a1taX45XLTeuP7ic
Ao/g4A/I0aCdaD7IwjMx9aTLEiaDTtXJpfp9ctGvCLNHLm3WEgpta8o7uubtA+o=
=L3+Q
-----END PGP SIGNATURE-----

my Public key is on the default server.

Link to Zimmerman's Original Document Vol 1

From my own studies it is my view that a lot of what we call "hacking" results from our failure to authenticate the credentials of sources that we communicate with . this would apply to software downloads as well as e/mails, credit card transactions, tax returns, web sites -- you name it.

[Habitual]

you've got mail.

[mike acker]

you've got mail.

where'd ya put it?

[Habitual]

the email went to charter.net (addy as shown on the mit keyserver key)

[mike acker]

the email went to charter.net (addy as shown on the mit keyserver key)

+ I received an e/mail from <>
+ i was able to obtain your key from the keyserver, and thus
+ i was able to send you a signed/encrypted reply

let us know if you receive the message and are able to decrypt it
are you using Thunderbird with ENIGMAIL ?

one of the key elements that we would like to examine in this thread is the subject of Trust Models

+ how would you ascertain whether or not to trust the key that you obtained from the key server ? How would I decide whether to trust your key ?

the reader is invited to read notes regarding Whitfield Difgfie's testimony in NewEggs defense v. patent troll TQP as well as Section 6 Managing Keys in Phil Zimmerman's original documentation.

exerpt

The problem was vast, Diffie explained—nothing less than how to keep things private in a networked world. He recalled a conversation with his wife in 1973, sitting on a New Jersey park bench. "I told her that we were headed into a world where people would have important, intimate, long-term relationships with people they had never met face to face," he said. "I was worried about privacy in that world, and that's why I was working on cryptography."

At that time, the only encryption happened within "closed systems." IBM could encrypt information within its own company's networks, and Texas Instruments could encrypt on theirs. But some kind of courier would have to carry encryption "keys" to both companies before they could do so.

That was the "key distribution" problem Diffie strove to solve. "It's arranging to provide keys to two people who have never met before, who suddenly find themselves with a need to communicate," he explained. "This is much the way we visit websites these days."

There was one other big need: proving authenticity.

"The receiver of the document can come into court with the signed document and prove to a judge that the document is legitimate," he said. "That person can recognize the signature but could not have created the signature."

[mike acker]

here is the PGP management menu that you get on Thunderbird after you install the ENIGMAIL plug-in

keymanagement.png

you can do pretty much all you need to do from this GUI menu

or you could use GPG on the terminal

[mike acker]

the email went to charter.net (addy as shown on the mit keyserver key)

the interesting thing about our exercise today is that we can chatter over a pgp secured link
with scarcely any more effort than running bare

once the keys are exchanged the only added effort is in checking to make sure the PGP keys are set on.
optionally I can set Thunderbird to use PGP as the default for this correspondent.

[Habitual]

side note:
Exchanging keys via enigmail on an older version of Thunderbird will cough up errors.

Once I got my Tbird and enigmail into the 21st century, it was "smooth sailing".

[mike acker]

interestingly, once you have ENIGMAIL installed you can set RECIPIENT RULES
and then just chatter away with anyone that you have a shared key with.

I'm thinking about running a monolog thread on establishing TRUST --
I created a dummy person for the dialog
whatcha think ?