File and mail security is easy to achieve with the right tools. PGP has proven itself the leader, and GnuPG is the tool of choice in the Linux world.
Anyone who has read this column a while knows I’m a bit obsessive about crypto. With the speed of modern or even old processors, there’s no reason that there should be any cleartext transmissions on the Internet at all.
Over the next few articles, I’ll cover PGP (Pretty Good Privacy) and the GnuPG (GNU Privacy Guard) implementation of it.
PGP is the defacto encryption and authentication algorithm for file and email security.[1] PGP does not protect transmissions, such as Telnet, HTTP, etc. You could probably build something to do a VPN in a PGP-like manner[2], but it’s traditional use is file/email protection.
PGP offers the abilities you’d expect from crypto:
Encryption
The ability to keep anyone except your intended recipient(s) from reading what you send.
Authentication
The ability to verify that a message came from the sender, not someone impersonating as the sender.
Integrity
The ability to prove that the message arrived intact, as the sender created it, without any tampering.
PGP relies on two mathematically related keys to do it’s job, known as a public key and a private key. I’ll skip the mumbo jumbo of how it all works — if you’re mathematically inclined, there are many places you can read about the specifics online. Google is your friend.[3] The fancy name for cryptographic algorithms which use public and private keys is ‘asymmetric cryptography’ because there are two keys, used asymmetrically, rather than one single key.
The important thing about the public and private keys is that they are complementary. Specifically:
To explain how these keys work a bit more, let’s take an analogy. In the ‘real’ world, you have a lock on the front door of your house. You use the same key to lock and unlock the door. This is akin to symmetric key cryptography in the crypto world, algorithms like blowfish, IDEA, or RC4.
In PGP, the keys that the end user will be dealing with are the public/private keys, which are part of an asymmetric cryptographic system. Examples include RSA and DSA. If we had this in the real world, you’d have two front door keys. You could use key ‘a’ to lock, and then only key ‘b’ could unlock it, or vice versa.
Over the next weeks I’ll show you how all the pieces go together, but here’s our rough outline:
First, we’ll create a key pair, and learn about the various bits of info it contains. We’ll then learn how to exchange this key with others, including key servers, and how you can encrypt, sign, and verify messages manually. We’ll also show a bit of how PGP/GnuPG can be integrated with other tools so you can have everything automated.
NOTES:
In other news, we’re conducting a survey for baby names for the twins. You can find it at http://www.ifokr.org/bri/name-the-twins.cgi.
[1] S/MIME, which uses X509 certificates, is the other main contender. X509 certs are the same things you are authenticating when you use SSL such as with https:// url’s.
[2] And I’d be surprised if no one has done so at some point.
[3] Now had they allowed themselves to be bought out by Microsoft, that’d be another matter.
Brian Hatch is Chief Hacker at Onsight, Inc and author of
Hacking Linux Exposed
and Building Linux VPNs.
Brian can be reached at brian@hackinglinuxexposed.com.
