Encrypting your Communication

From DevSummit

facilitated by Cooper Quintin

What is Cryptography?

Cryptography -- tools for securing communications

  • There are still strong tools, math doesn't lie --> it works!

Technologies to discuss

  • PGP -- for email
  • OTR -- for chat services [jabber, aol]
  • TrueCrypt -- full disk encryption
  • Android programs - TextSecure, ostphone / redmail / K-9 Mail (mobile) or Kaiten Mail for tablet with the APG app [but phones are not secure, so don't put your private key on one, ok?]
  • iPad - ??

PGP

ex. Enigmail with PGP keys set up

  • invented by Philip Zimmermann
  • URL: see GnuPG
  • How PGP Works: public / private key encryption a la SSL
    • private is secret, public travels with email
    • plaintext + key, combined via XOR [a binary operation] = ciphertext
  • if I have key, I can decipher
    • problem: need to securely share key beforehand
    • BUT! Method to share key is what can be used
  • Public key encryption method used
    • Public key used to give me a message, only with private key can I decrypt
    • Analogy: 1000 boxes that lock, anyone can put anything in the boxes and lock them [with public key], only I can unlock them [with private key]

Math

  • Due to mathematical properties, it is [almost] impossible to determine the private key from the public key
  • It's easy to multiply numbers, much harder to determine what numbers were multiplied once you have the result
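
The asymmetry described above, as an added example that is not part of the session notes: textbook RSA (the factoring-based public key scheme) on tiny constructed primes, showing public-key locking, private-key unlocking, and how many trial divisions it takes to undo a single multiplication. The function names, the exponent e=17 and the sample primes are assumptions made for illustration.

```python
# Added illustration: textbook RSA with tiny, constructed primes.
# NOT secure: real PGP keys use primes hundreds of digits long, plus padding.
from math import gcd

def make_keypair(p, q, e=17):
    """Build a toy keypair from primes p and q (e=17 is an assumed exponent)."""
    n = p * q                          # easy direction: one multiplication
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                # private exponent; needs p and q
    return (n, e), (n, d)              # (public key, private key)

def encrypt(public, m):
    """Anyone holding the public key can lock a message (an integer < n)."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def decrypt(private, c):
    """Only the private key unlocks it."""
    n, d = private
    return pow(c, d, n)

def factor(n):
    """Hard direction: find p, q from n by trial division over odd numbers.
    Returns (p, q, divisions_tried); assumes n is a product of two odd primes."""
    tries, f = 0, 3
    while f * f <= n:
        tries += 1
        if n % f == 0:
            return f, n // f, tries
        f += 2
    raise ValueError("no odd factor found")

def private_from_public(public):
    """The private key falls out only after n has been factored."""
    n, e = public
    p, q, tries = factor(n)
    return (n, pow(e, -1, (p - 1) * (q - 1))), tries

if __name__ == "__main__":
    public, private = make_keypair(10007, 10009)   # constructed sample primes
    c = encrypt(public, 424242)
    print("ciphertext:", c, "-> decrypted:", decrypt(private, c))
    _, tries = private_from_public(public)
    print("divisions needed to undo one multiplication:", tries)
```

With five-digit primes the factoring step already takes thousands of divisions; the work grows with the square root of n under this naive method, which is why real key sizes put it out of reach.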

When to use PGP

  • Not just for passwords and plots
  • If you use it for everyday life, it's harder to know who/what to focus on
    • therefore everyone should use it

"it's harder to find a needle in a haystack than a needle in a needle stack"

  • Can be used for ALL email! (but not for any webmail. Must be on your machine)
    • Thunderbird, Macmail
  • There are clients being developed for webmail that are close but not quite ready to deploy.
    • Chrome extensions being developed
  • Is it always encrypted?
    • It remains encrypted on your machine, the program decrypts in memory then discards

Setting up PGP

Thunderbird

  • Enable toolbar --> tools & addons --> Enable Enigmail
    • Enigmail uses GnuPG, a FLOSS program that implements PGP
  • Restart Thunderbird --> OpenPGP setup wizard
    • Option: creates a signature with your private key, proves it comes from you
      • Maybe you don't want to be able to prove the email came from you, maybe you really want to --> this can be turned on and off per message
  • NOTE: only ppl who use PGP will get emails in encrypted form. Other ppl will get a string of characters
  • Encryption by default? Not gonna work if you don't have ppl's public keys --> no by default
    • We'll set up rules to employ PGP selectively
  • Plain text? YES
    • HTML emails can trigger cross-site scripting bugs in your email client, so reading plain text is much more secure.
  • Key Pair! Generate or use your existing PGP key pair
    • NOT your SSH key pair, this is a different key pair
    • create a passphrase for your private key *IMPORTANT* because you'll use this to sign/encrypt/decrypt
SIDE NOTE: HOW TO CREATE A SECURE PASSPHRASE
  • see XKCD on this: http://xkcd.com/936/
    • The most memorable passcodes are a sentence, easy to remember but hard to guess
    • Pick 4-9 words and use them: flip to random pages of a book and use those. NOT in order though!
    • NOTE: hey don't use an online password generator!
  • Expiration: recommend 5 years.
  • Revocation certificate? YES.
    • Use to revoke in case you forget your passphrase [but, don't forget] or if it's compromised.
    • Store off your computer, say on a flash drive.
  • Manage keys
    • Upload to key server [will propagate across all]
    • Identities
      • You can add as many identities [name/email addresses] to a key as you want.
      • Click on key in list --> key properties --> add/manage identities
  • Search for individual keys for people

TO SEND ENCRYPTED

  • See pen icon: gold= signing, grey=not signing
  • Key icon gold = encrypting, grey not encrypting
  • Key sign to receive from people's encrypted emails

PGP Email Practices

  • Subject lines
    • Headers are in the clear
    • Keep subject lines legal/non-trouble-creating "it's pizza time!"
  • Key
    • Upload to key server, anyone can find out your key so they can send you emails
    • Put on your b-card
  • Emails
    • Sign emails w your public key
    • Have a link/signature that says "seeing random characters at the end of this email? I'm using encryption on my email. Learn more about that here: [link GnuPG]"

ANDROID APPS

  • K-9 Mail and Kaiten Mail both work with APG