Encrypting your Communication

From DevSummit

facilitated by Cooper Quintin

What is Cryptography?

Cryptography -- tools for securing communications

  • There are still strong tools; math doesn't lie --> it works!

Technologies to discuss

  • PGP -- for email
  • OTR -- for chat services [jabber, aol]
  • TrueCrypt -- full disk encryption
  • Android programs - TextSecure, ostphone / redmail / K-9 Mail (mobile) or Kaiten Mail for tablet with the APG app [but phones are not secure so don't put your private key on them, ok?]
  • iPad - ??

PGP

ex. enigmail w PGP keys set up

  • invented by Phil Zimmermann
  • URL: see GnuPG
  • How PGP Works: public / private key encryption a la SSL
    • private is secret, public travels w email
    • plain text + key, combined via XOR [a binary method] = cipher text
  • if I have key, I can decipher
    • problem: need to securely share key beforehand
    • BUT! Method to share key is what can be used
  • Public key encryption method used
    • Public key used to give me a message, only with private key can I decrypt
    • Analogy: 1000 boxes that lock, anyone can put anything in the boxes and lock them [with public key], only I can unlock them [with private key]

Math

  • Due to mathematical properties it is [almost impossible] to determine the private key from the public key
  • It's easy to multiply numbers, much harder to determine what numbers were multiplied once you have the result
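
The notes above on how PGP works and on the math, carried through as a toy Python sketch (an added example, not from the session or from GnuPG): a random XOR key encrypts the message, the recipient's public key locks that XOR key, and factoring a deliberately tiny modulus shows why key size matters. The function names and the two sample primes are assumptions chosen for illustration; real OpenPGP uses a proper symmetric cipher and far larger keys.

```python
# Toy teaching example (added here): tiny numbers, never use for real messages.
import secrets

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Combine data and key bit by bit; applying it twice restores the data."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

def make_keypair(p: int, q: int, e: int = 65537):
    """Build a textbook RSA key pair from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: computing it needs p and q
    return (n, e), (n, d)        # (public key, private key)

def factor(n: int):
    """Trial division: instant for a toy modulus, infeasible at real key sizes."""
    f = 3
    while n % f:
        f += 2
    return f, n // f

def send(message: bytes, public):
    """Sender: fresh random XOR key per message, locked with the public key."""
    n, e = public
    key = secrets.token_bytes(len(message))
    locked = [pow(b, e, n) for b in key]   # byte by byte only because n is tiny
    return xor_bytes(message, key), locked

def receive(cipher: bytes, locked, private):
    """Recipient: unlock the XOR key with the private key, then undo the XOR."""
    n, d = private
    key = bytes(pow(c, d, n) for c in locked)
    return xor_bytes(cipher, key)

# Constructed sample primes; real keys use primes hundreds of digits long.
PUBLIC, PRIVATE = make_keypair(104729, 1299709)

if __name__ == "__main__":
    cipher, locked = send(b"it's pizza time!", PUBLIC)
    print(receive(cipher, locked, PRIVATE))
    # The flip side of "hard to un-multiply": with primes this small,
    # the public modulus alone is enough to rebuild the private key.
    p, q = factor(PUBLIC[0])
    print(make_keypair(p, q)[1] == PRIVATE)
```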

When to use PGP

  • Not just for passwords and plots
  • If you use it for everyday life, it's harder to know who/what to focus on
    • therefore everyone should use it

"it's harder to find a needle in a haystack than a needle in a needle stack"

  • Can be used for ALL email! (but not for any webmail. Must be on your machine)
    • Thunderbird, Macmail
  • There are clients being developed for webmail that are close but not quite ready to deploy.
    • Chrome extensions being developed
  • Is it always encrypted?
    • It remains encrypted on your machine, the program decrypts in memory then discards

Setting up PGP

Thunderbird

  • Enable toolbar --> tools & addons --> Enable Enigmail
    • Enigmail uses GnuPG, a FLOSS program that implements PGP
  • Restart Thunderbird --> OpenPGP setup wizard
    • Option: creates a signature with your private key, proves it comes from you
      • Maybe you don't want to be able to prove the email came from you, maybe you really want to --> this can be turned on and off per message
  • NOTE: only ppl who use PGP will get emails in encrypted form. Other ppl will get a string of characters
  • Encryption by default? Not gonna work if you don't have ppl's public keys --> no by default
    • We'll set up rules to employ PGP selectively
  • Plain text? YES
    • HTML emails can trigger cross-site scripting bugs in your email client, so reading plain text is much more secure.
  • Key Pair! Generate or use your existing PGP key pair
    • NOT your SSH key pair, this is a different key pair
    • create a passphrase for your private key *IMPORTANT* because you'll use this to sign/encrypt/decrypt
SIDE NOTE: HOW TO CREATE A SECURE PASSPHRASE
  • see XKCD on this: http://xkcd.com/936/
    • The most memorable passcodes are a sentence, easy to remember but hard to guess
    • Pick 4-9 words and use them: flip to random pages of a book and use those. NOT in order though!
    • NOTE: hey don't use an online password generator!
  • Expiration: recommend 5 years.
  • Revocation certificate? YES.
    • Use to revoke in case you forget your passphrase [but, don't forget] or if it's compromised.
    • Store off your computer, say on a flash drive.
  • Manage keys
    • Upload to key server [will propagate across all]
    • Identities
      • You can add as many identities [name/email addresses] to a key as you want.
      • Click on key in list --> key properties --> add/manage identities
  • Search for individual keys for people

TO SEND ENCRYPTED

  • See pen icon: gold= signing, grey=not signing
  • Key icon gold = encrypting, grey not encrypting
  • Key sign to receive from people's encrypted emails

PGP Email Practices

  • Subject lines
    • Headers are in the clear
    • Keep subject lines legal/non-trouble-creating "it's pizza time!"
  • Key
    • Upload to key server, anyone can find out your key so they can send you emails
    • Put on your b-card
  • Emails
    • Sign emails w your private key
    • Have a link/signature that says "seeing random characters at the end of this email? I'm using encryption on my email. Learn more about that here: [link GnuPG]"

ANDROID APPS

  • K-9 Mail and Kaiten Mail both work with APG