Title: EMail Encryption and Signing
1. E-Mail Encryption and Signing
- Jay Krous
- Computer Protection Program
- Lawrence Berkeley National Laboratory
2. Agenda
- Why?
- Concept Review
- Software
- Enigmail
- GnuPG
- Windows Privacy Tools
- Configuration
- Putting it all together
3. Why?
- Email is clear text
- In some situations you may want to ensure only the intended recipient can read your message
- Example: Collaboration with a researcher in Israel
- Sender cannot be verified
- Spoofing or forging email sender is trivial, as shown in multiple recent virus outbreaks.
- Example: Beagle spoofs email from jekrous_at_lbl.gov
4. Disclaimer
- Email encryption is not for everyone
- Not the recommended configuration
6. Concept Review
- Public / Private Key encryption
- A key pair is created: public/private pair
- Public key is made public. In other words, given to anyone who may want to send you an encrypted message.
- Anyone wanting to send you an encrypted message encrypts the message with your public key.
- Only the private key can decrypt the message
7. Concept Review 2
- http://www.gnupg.org/gph/en/manual/x195.html
- Public-key ciphers are based on one-way trapdoor functions. A one-way function is a function that is easy to compute, but the inverse is hard to compute.
- All that is required is that some time before secret communication the sender gets a copy of the receiver's public key.
9. Software
- Enigmail
- A Mozilla plug-in that facilitates and seamlessly integrates GnuPG into Mozilla
- GnuPG
- GnuPG is a complete and free replacement for PGP
- Windows Privacy Tools
- A Windows GUI into GnuPG. One useful function is to facilitate key management
10. Software Alternatives
- Enigmail
- Windows, Linux, Mac OS X, FreeBSD, Solaris
- EudoraGPG - plugin for Eudora
- GPGOE - Outlook Express MUA
- GnuPG
- PGP (70)
- GPGMail - for Mac OS X.
- Windows Privacy Tools
- KGpg - KDE frontend for GnuPG.
11. Software Alternatives
- http://www.gnupg.org/(en)/related_software/
13. Installing Enigmail
- http://enigmail.mozdev.org/download.html
- Enigmail consists of two installation pieces: enigmail and enigmime
- Express Install
- Direct install from your Mozilla browser
- Download first, then install
- Download, then open with Mozilla
14. Enigmail Express Install 1
15. Enigmail Express Install 2
16. Enigmail Express Install 3
18. GnuPG: Gnu Privacy Guard
- http://www.gnupg.org/
- Not much to installing GnuPG, it's just a zip file that needs to be extracted to c:\gnupg
19. GnuPG Install
20. GnuPG
- But we are not going to install GnuPG like the previous slide.
- Instead, we will let Windows Privacy Tools provide GnuPG for us!
22. Windows Privacy Tools
- http://winpt.sourceforge.net/en/
- WinPT Tray is a "Frontend" which allows access to the GnuPG encryption engine.
- WinPT handles all of your key-management and key-server access needs.
- WinPT Tray can be used as a universal plug-in for all email programs because it allows you to cut and paste from any email application, and encrypt the data while it resides in your clipboard.
23. Windows Privacy Tools Install 1
24. Windows Privacy Tools Install 2
25. Windows Privacy Tools Install 3
- Cancel on the last screen, we don't need to do any of this.
26. Windows Privacy Tools Install 4
Notice the new icon in the system tray
28. Enigmail to GnuPG glue 1
- Enigmail needs to know where GnuPG lives!
- In our case, since we let WinPT install GnuPG, the default path will be
- C:\Program Files\Windows Privacy Tools\GnuPG\gpg.exe
29. Enigmail to GnuPG glue 2
30. Enigmail to GnuPG glue 3
31. Generate key 1
32. Generate key 2
33. Generate key 3
- You could also import an existing OpenPGP compliant key you created previously
- You can view the key with gpg from the command line or with Windows Privacy Tools key manager application.
34. Generate key 4
35. Generate key 5
Below are examples of what public/private keys look like. Remember your private key should be kept private!
36. Get your public key out there 1
- Send it to those that need it
- Publish in email
- Post on a webpage
- www.lbl.gov/jekrous/pgp.txt
- Put on keyserver
- http://keyserver.veridis.com/en/
37. Get your public key out there 2
38. Get your public key out there 3
39. Get your public key out there 4
40. Get your public key out there 5
41. Importing other people's public keys
- In order to send encrypted messages to other people, you need their public key. We will look at two ways to import their public key.
- Import using Enigmail
- Import using WinPT
42. Import with Enigmail 1
43. Import with Enigmail 2
44. Import with Enigmail 3
45. Import with WinPT
47. Signing and Encrypting 1
- Let's look at some examples of how to send a signed or encrypted message to someone
- Signing: recipient can verify the message originated from you
- Encrypted: only recipients with an appropriate private key can decrypt the message
48. Signing and Encrypting 1
Notice the new options provided by Enigmail
49. Signing and Encrypting 2
50. Signing and Encrypting 3
Message recipients notice a PGP envelope
51. Signing and Encrypting 4
52. Signing and Encrypting 5
Message recipients notice garbled gook
53. Signing and Encrypting 6
until they decrypt the message
54. Signing and Encrypting 7
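The key generation, public key exchange, and sign/encrypt/decrypt steps from the preceding slides, as an added command-line example that is not part of the original presentation. It assumes a POSIX shell and GnuPG 2.1 or later (the batch key generation options used here need it); the users alice and bob, their example.org addresses, and the message are constructed.

```shell
#!/bin/sh
# Added example: user IDs, addresses and the message are constructed placeholders.
# Assumes GnuPG 2.1 or later is installed as "gpg".
set -eu

gpg_roundtrip() (
  work=$(mktemp -d); alice="$work/alice"; bob="$work/bob"
  mkdir -m 700 "$alice" "$bob"
  trap 'for h in "$alice" "$bob"; do
          gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
        rm -rf "$work"' EXIT

  # Run gpg non-interactively against one user's own keyring directory.
  gpg_as() { home=$1; shift; gpg --homedir "$home" --batch --quiet --no-tty "$@"; }

  # Generate key: each user creates a key pair. The empty passphrase is only
  # acceptable because these throwaway keys are deleted when the demo ends.
  for u in alice bob; do
    gpg_as "$work/$u" --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Demo $u <$u@example.org>" default default never
  done

  # Get your public key out there, then import: swap ASCII-armored public keys.
  gpg_as "$alice" --armor --export alice@example.org > "$work/alice.asc"
  gpg_as "$bob" --armor --export bob@example.org > "$work/bob.asc"
  gpg_as "$alice" --import "$work/bob.asc"
  gpg_as "$bob" --import "$work/alice.asc"

  # Signing and encrypting: Alice signs with her private key and encrypts to
  # Bob's public key. "--trust-model always" stands in for checking the
  # imported key's fingerprint with its owner.
  printf 'meeting moved to 3pm\n' > "$work/msg.txt"
  gpg_as "$alice" --trust-model always --armor --sign --encrypt \
    --recipient bob@example.org --output "$work/msg.asc" "$work/msg.txt"

  # Bob decrypts with his private key; fd 3 receives the signature verdict.
  gpg_as "$bob" --trust-model always --status-fd 3 --output "$work/out.txt" \
    --decrypt "$work/msg.asc" 3> "$work/status"
  echo "plaintext=$(cat "$work/out.txt")"
  grep -q '^\[GNUPG:\] GOODSIG ' "$work/status" && echo "signature=good"

  # No "encrypt to self" was set, so Alice cannot decrypt her own sent message.
  if gpg_as "$alice" --decrypt "$work/msg.asc" > /dev/null 2>&1
  then echo "sender_can_decrypt=yes"; else echo "sender_can_decrypt=no"; fi
)

if [ "${1:-}" = run ]; then gpg_roundtrip; fi   # usage: sh demo.sh run
```

The last line of output, sender_can_decrypt=no, is the behaviour that an "encrypt to self" setting changes: without it, only the recipient's private key opens the message.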
55. Some common settings
- Automatically decrypt: so you don't have to manually decrypt each message
- Encrypt to self: so you can see encrypted messages you send
- Key Selection: display selection when necessary
- Passphrase cache: set an appropriate time (60 minutes)
56. Reference
- GNU Privacy Handbook
- http://www.gnupg.org/gph/en/manual.html
- Enigmail website
- http://enigmail.mozdev.org/download.html
- Windows Privacy Tools
- http://winpt.sourceforge.net/en/
- LBNL Computer Protection Program
- http://www.lbl.gov/ITSD/Security/
57. Questions?