An Introduction to GNU Privacy Guard

An anonymous reader writes "This is a great article about GnuP . . . "In the first half of this article David Scribner discussed the various uses that GNU Privacy Guard could bring to your business or personal life in enhancing security of your digital documents and files, as well as the basics in getting started with GnuPG. As there is so much more to public-key security than command-line operations, in this second half I will continue with importing and exporting keys, building (and keeping) your 'web of trust' sound, and a few of the more popular GUI front ends available for GnuPG . . ."

Ok...

Warm and fuzzy feeling aside, how do we convince companies to use this? Is it at all possible? Are there any success stories (I know it's new and all)?

The Anonymous Reader

"the first half of this article David Scribner discussed ..., in this second half I will..." (emphasis mine).

Gee, could the "anonymous reader" be David Scribner giving himself a shameless plug? See the above quote.

Excellent article!

I'd just like to commend the author for an excellent article on how to protect your privacy from spying government eyes on the Internet. Now all my friends can:

• Read PGP messages I send them
• Encrypt messages they send to me
• Sign their messages and
• Verify messages that came from me

This is just the first step in the great battle for our Constitutional online rights, but it's a good one. As long as I have something to keep them from tying all my information together in a giant government database and crossreferencing them to steal my organs when I die, I can sleep at night.

Really that useful yet?

I know new systems and apps create a bit of a chicken-and-egg situation.. but what about this:

Today, I use GnuPG for a variety of tasks. Whether it's to sign and encrypt documents and contracts submitted to businesses, encrypt local files, or merely sign email and files to ensure others that no modifications have occurred to its content, I have found GnuPG to be a 'must have' utility kept close at hand when using my PCs.

Documents submitted to businesses? Signing e-mail and files?

Signing these sorts of things is a good idea, but just how many businesses are going to have GnuPG at this time. And, since you can get the files out of the e-mail without HAVING to use GnuPG (GnuPG just checks the authenticity), it doesn't really encourage people to go get it either.

Considering most people are Joe Schmoes using Windows, I can't see how using GnuPG (or even PGP, for that matter) to sign things is going to help anyone at this stage.

Outlook Express is the most common e-mail client out there today and from all the e-mail I get.. I'd say that far less than 1% of its users actually use the signing and encryption features that are BUILT IN! GnuPG is an add-on, at best.. so can we really see millions of people using this?

Until the public learn more about security, how it works, and why it should be used, I think not.

Re:Really that useful yet?

I know new systems and apps create a bit of a chicken-and-egg situation.. but what about this:

...

Until the public learn more about security, how it works, and why it should be used, I think not.

So you state it's a chicken-and-egg problem and then go on to demonstrate it's a chicken-and-egg problem, adding nothing to the discussion. Then you say we all shouldn't use it, because it's a chicken-and-egg problem. Give me a break! Here are a few ways to crawl out of the chicken-and-egg situation:

Signing your e-mail makes GPG visible to those that don't know yet. Every once in a while someone will actually look at that attachment, follow the little link, and maybe learn something. For technically saavy users, this is simply tech evangelism. Someday we will all learn in high school how to manage our private keys, instead of teaching us how to fill in the blanks on a check. I have personally converted 4 or 5 friends (and my dad!) to using it.

I use GPG to store sensitive information. I keep a GPG-encrypted file with passwords (mostly for websites) in it. That way for each %@#(&@$ vendor that insists on storing my credit card info, I can generate a 20-character random password, put it in this file and forget about it.

As a system administrator, I have had many occasions where people want an account but I'm not physically nearby for them to type in a password. I usually point out GPG saying that if they used it, I could send them a password. Since they don't, they'll have to wait a few days until we can be in the same room. Again, it's evangelism.

I pointed out gpg to my bank [umbrellabank.com] for account-related communications (but they don't seem to get it yet...they're a bank). Everybody else ask your bank about it too. It's evangelism. The squeaky wheel gets the grease.

And most importantly, I encrypt love letters to my girlfriend. Don't want anyone reading that stuff. ;)

Making the public aware that this kind of technology exists is, in my mind, the single most important revolution happening today. It is the key to take back freedom from our oppressive government (and the even more oppressive governments out there). It is the key to the electronic money of the future. It is the key to the electronic contract of the future (this click-to-accept shit has got to go). I definitely don't want to "click" to buy a house. As long as we keep them ignorant and don't evangelize, we can guarantee we will never see the electronic future we read about in books.

-- Bob

The weakest link

Ok, so I have n-bit keys protecting my super secret confidential data that is going to take x-million computers y-thousand years to crack and I feel pretty good knowing the CIA won't spend $z trillion dollars finding out my grandma's secret cookie recipe.

Now, how do I keep my passphrase a secret while the CIA is bashing my toes with a hammer?

I guess my point is that public/private key encryption is only as good as the passphrase which is often not good enough, and that the ecryption is way stronger than your personal torture threshold anyway.

Re:The weakest link

I guess my point is that public/private key encryption is only as good as the passphrase which is often not good enough, and that the ecryption is way stronger than your personal torture threshold anyway.

That's true, which is why it was originally well-named as "Pretty Good Privacy." It solves the lowest-order problem, that your email is transmitted as plaintext across the Internet for anyone to read.

And of course, the CIA doesn't really need to bash your toes; they can just put a keyboard sniffer on your machine, or put a spy camera to capture your keystrokes while you type your password, or lots of other interesting things that only require a warrant and don't require torture.

GPG was easy to setup (on our Macs, even!) and now I don't have to worry about whether or not the script kiddie down the road can sniff the private messages I send to my wife. That's Pretty damn Good Privacy.

Re:Book on Encryption - Methods of Attack

> and last time I checked my cat wasn't talking.

The CIA has a way around this. They drop 2 tabs of acid, each, wait a while, and then furiously start writing down anything your cat says.

They're way ahead of you.

False sense of security?

There are a number of applications GPG is good for besides cryptography -- I use it to verify Linux kernels from kernel.org, for example -- but I know several people that think that once you figure out how to encrypt mail you're secure. It's probably good to keep in mind that there are a number of other points at which an attacker can read the mail (swapfile, keyboard logger, trojan, net sniffer, tempest, emp, and buffer overflows) even if the application itself is bugfree and Open Source, so remember that this is just supposed to be a component in a system of security.

GnuPGExch

If your family and friends insist on using Outlook or Outlook Express, try pointing them at G-Data [gdata.de]'s, GnuPG Plugin [gdata.de]for those MUAs. One downloadable Win32 .exe and a simple installation puts buttons to sign/verify and encrypt/decrypt on the toolbar.

Because let's face it, /we/ all know how to encrypt our email. But until "Your Mom" (TM) can do it, it's not useful.

GPG 1.2 available

sorry if this is a repost..

Great, but

the "original" handbook [gnupg.org] does the job much better.

Too much effort

I've been interested in GPG and encryption for a couple of years, but I can't convince any of my friends to be interested. So all my communications with them must be unencrypted.

I know you can get it as easy as typing in a password when an email gets sent, but that's too much effort for my parents and most of my friends. :(

crypting for the masses ;)

crypting to the masses, make it mainstream to crypt your messages... i'd like to see one single person who isn't all that paranoid etc... in security things that would use some kind of crypting...

GnuPG is the way to go.

GnuPG is definitely, certainly, and really the way to go with secure encryption and security systems, here's why..

The simple and undisputed -- and often argued -- fact is that we've come a long way, and the majority of large businesses are now using Linux as both a desktop and server OS which means these things are efficient to do.

GnuPG's (shouldn't that be GNUPG since GNU is an acronym?) ease of use and its (almost) seamless connectivity with most Linux communications applications allows the average workplace user to encrypt documents and files, preventing PR-disasteresque leaks -- such as the recent leak of the salary details of Lycos' staff to InternalMemos.com.. [com.com]

The seamless and very good encryption and decryption system allows staff of lots of big and small companies to simultaneously access and also work on their valuable and secure data as usual, but means that even if sites like F**kedCompany get hold of it, it's no use to them. Copying and pasting will just result in goobledygook being produced.

GnuPG's automated hyperencryption routines also mean that it could have some extremely useful and oblique military functionality, allowing our brave patriots to fight terrorism around the world.

One such example is in the encryption of numeric data such as numbers like digits between 0 and digits under 9. These encyrption routines can improve the efficiency of this by 24%.

Excellent

I use gpg all the time, and I know a lot of other people that use it, it is a great program.

However, a problem is that people just aren't good enough at getting their public-keys out. I hope this article enlightens them on the lovely export option. Which I believe to be one of the most important parts. I receive email from a lot of lists everyday, LUGS, development lists and so on. A lot of this email is signed, but a lot of these people obviously don't get the points of signing completely since they haven't got their public key available in anyway (of course some may not believe in the keyservers and so on, and want to be contacted in other ways for key-exchange, but not all are that pre-cautious, some just don't understand), and thus I cannot verify their signature.

Advocating privacy

I don't believe most people with 'nothing to hide' will be convinced by this argument for privacy. So, can anyone come up with a concise line of reasoning that will work?

Re:What are you hiding?

It's all about hiding, actually. Cause that's what cryptography does.. is.. uh.. hide stuff.

Like the example the writer gave, if your ISP tech knows you're out of town, you could come home to an empty house.

If you're just using cryptography for the sake of using cryptography, what's the point?

Integrating GPG with mail - mozilla+enigmail

One of the problems I always had using pgp/gpg was client support. Getting it to work with outlook/outlook express, then finding something under Linux that would support it, having to scrap together a bunch of tools, all of which were half-written...

I've found a solution. Mozilla [mozilla.org] and Enigmail [mozdev.org]. Yes, Mozilla/Netscape mail used to be putrid. It's better with Mozilla 1.0+, honestly. It has progressed to a competitive state, and I switched over totally about a month ago.

Enigmail is a plugin for Mozilla that handles signing, encrypting, decrypting and verifying mail for you.

GnuPG, Mozilla and Enigmail all work on Windows as well as Linux, so I have the same tools no matter what I'm running.

You still need a key manager, but getting what mozilla+enigmail provides is a great step forward.

Pseudo-random Key-gen Security

After reading Crypto, and now this Slashdot post, PGP has really heightened my interest.

I'm particularly curious about how secure the GnuPG key-gen process is. How "pseudo-random" is it? What's the likelihood that I could generate a private key matching someone else's?
Should I be concerned?

Needs a LGPL lib

GPG only runs from the command line meaning apps that wish to call it have to construct a command-line, invoke gpg and parse the results in a pipe. It desperately needs a LGPL lib to relieve this burden. The only lib so far is gpgme which is GPL making it pretty useless for this task.

A gentle introduction for Windows users

A key aspect of GPG's success is to increase its adoption by users of Windows. For those of you wishing to give GPG a whirl, I suggest you get WinPT [winpt.org], an easy-to-use, open-source frontend.

Here are four easy steps to get you up to speed:

• First, download the full WinPT install [v. 0.5.5, 1.2 MB] [lcsweb.net]. This also handles the tricky job of installing and configuring GPG on your system.
• Now, get the incremental WinPT update [v. 0.7.91, 200 KB] [winpt.org]. It's a developmental version but contains fewer bugs than 0.5.5 and is quite stable. Unzip its contents into the WinPT install directory.
• Head over to the GPG mirrors page [gnupg.org], choose your nearest location, then navigate to /pub/gnupg/binary/ and download gnupg-w32cli-1.2.0.zip [1068 KB]. Unzip its contents into the WinPT install directory.
• Read up on the excellent GPG Manual and HOWTO [gnupg.org] and WinPT's documentation [winpt.org].

If you use Outlook Express, you would definitely want to get GPGOE [winpt.org], a GPG plugin that seamlessly integrates with Outlook. You need to install and configure GPG for this - the easiest way is to install WinPT as described above [WinPT also makes key management very easy, so there's a bonus]. Then you can download and install GPGOE, and enjoy all the goodness of integrated GPG functionality within OE.

Play around with the different options available; make a key for fun; experiment and learn. Spread the word. But most of all, have fun and be excellent to each other ;-)

Good luck.

Re:What are you hiding?

Well, there's your collection of bestiality porn.

Why is it that people assume that anyone who wants to communicate in private has something to hide?

Re:What are you hiding?

Crypto is not necessary about hiding, but can be (as coined Ayn Rand I believe), the minorities protection against the oppression of the majority. And this is something that is vitally important.

Re:What are you hiding?

What are you doing that you don't want the government to know about?

How about you? When you snail mail, is everything on postcards? Or do you use envelopes, you terrorist?

Re:But shouldn't this really be called.....

I run it on Windows, so rightly it should be the GNU/Windows XPrivacy Guard...

Re:What are you hiding?

because they dont have a right or even a need to see it. just like you dont.

i may not have something incredibly important to protect.

but just because i its not important, doesnt mean im going to put a billboard up

Re:What are you hiding?

So I suppose you use postcards for all of your mail. Love letters, hate mail, whatever... you have nothing to hide so why should you use an envelope?

Or when you do get mail that's in envelopes (hmmmm, why do they presume your need for all that secrecy?), I suppose you take all the bills and letters out, scan them, and post them on the internet? No?

Then just what is it that you're trying to hide? You're clearly either a terrorist or a pornographer (both are generally held in approximately the same regard in most places). Or could it be that you just want the smallest amount of privacy? Could it be that it's not the damn business of every postal worker who comes in contact with your letters to read them?

Yes, indeed it could. It's called privacy. And the public will continue to insist on more internet privacy once they begin to understand it. The problem right now is that they actually THINK that nobody can read their e-mail but the person they're sending it to. Boy are THEY in for a surprise.

RP