Now I Just Need Paranoid Friends.

My last post was about protecting data stored on a server by having the data encrypted and un-encrypted by a special Linux file system. It is a very elegant way of securing data against physical theft (though, obviously, a hacker gaining access would be able to see the files).

The other area of interest that came back recently is more generic. Edward Snowden shocked America by blowing the whistle on the US government hoovering up everyone’s emails. One of the things I thought was very interesting was the unspoken part of the story. The ‘controversy’ is that the government is doing it to US citizens in contravention of the 4th Amendment. Apparently not controversial is the fact that various governments have been doing it to the citizens of the rest of the world for a long time, and with complete impunity.

Back in the day when I used to work at WorldPay we used to say to customers that they shouldn’t send anything by email which they wouldn’t write on a postcard and send by Snailmail. Despite that, there were occasional people who would email use with their complete credit card number in the email asking why their transaction had failed.

So what can you do to protect the information that you send by email? The best solution is to encrypt everything that you send. Classic encryption used to come in the form of a shared secret between the message sender and the message receiver. The same method that was used to encrypt the information was used to unencrypt it. The problem in this case is always how do you share the secret of encryption/decryption securely. In many ways this was the major weakness in the Enigma machines used by Germany in the Second World War. Many radio operators got lazy in how they transmitted their first message of the day (which included information on the days secret configuration).

The modern solution to this problem is to have an asynchronous key pair for encryption. There are two parts to the key, the public and private. The public key is intended for distribution. This can include publishing on web pages, uploading to public keyservers and the like. The private key must be kept safe and protected.

The way that the asynchronous encryption works is simple in concept:

  1. Identify the address of the person that you want to send an encrypted email to, and if they have a public key available download it.
  2. Use the public key to encrypt the information that you wish to send. The important point is that the encryption process is a one way street. Even with the public key to hand the original message cannot be extracted from the encrypted data.
  3. Send the encrypted data to the intended recipient. The user will receive the data and can then upencrypt the data using their private key and a passphrase associated with the encryption keys.

As you can see, the data treated in this way is secured. However, this information can only be sent to users who have generated their own encryption keys.

Another, more common use of the encryption key pair is to ‘sign’ messages or files in order to confirm their veracity. In many ways the signing process is similar to that of generating an m5 signature of a file. An apparently random string of characters which is a product of the information being signed, the users private key and passphrase is appended to the information. The public key can be used to compare the signature with the signed data, and can confirm that whoever created the signature has access both to the private key for the user, the key’s passphrase and the original content of the data. Changing either the data that is signed or the signing string will cause a mismatch indicative of data that has been tampered with.

All of this probably sounds like quite a lot of hassle. The good news is that it is simple to automate the process in a simple, cross-platform way. Thunderbird supports a simple add-on ‘Enigmail’ which handles importing and managing public keys, signing and encrypting. It also confirms the identity of users if content is signed.

The only downside? No one I know cares enough about this stuff to actually go through the steps of creating a key pair and starting to encrypt their information. I’ll just keep to signing for the time being.

If you want to be able to email me securely then the following are my public keys, along with their associated email addresses:

rf343@cam.ac.uk (Work address):

—–BEGIN PGP PUBLIC KEY BLOCK—–
Version: SKS 1.1.4
Comment: Hostname: keyserver.ubuntu.com

mQENBFHTXjMBCADKxtvkuyXKKYweYeluH1b0+tJE7b9CYPqbPI7sHUSiwO72SM/P9c9SJQGi
SmyywuNuD/X21pwPyUzzltVX5o5zjaJFFZ0h/zXsK6PXlm7ItAHzfgwQRvsuUfete/lG5jR1
QQeDSMk/vM3iMUKOLrP+VHIE1FGwZwXUU2FGnAglRnqa1YEmI6K7isJvqsP6lsoGa8ZnbAEp
IiIVXFOC3wejRlFBhwoq4P9B4l4vIWjBA88ha9Vh9YnGCWERLZCuMeG4ogkgf1w3EbCKflei
A/6IZrlOR+d9jsgWl5Gab7pxSLoGGn0fp2aP1r/V1hcw59jBynxn/Tcx55kMJUlRfuG9ABEB
AAG0OFJpY2hhcmQgRmllbGRzZW5kIChXb3JrIGVtYWlsIGFkZHJlc3MpIDxyZjM0M0BjYW0u
YWMudWs+iQE+BBMBAgAoBQJR014zAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX
gAAKCRDMRKIrQNJwv9N3B/98XZcOVYOmrWpDxUPJSrU4Av4PjvUsTZvnsWOU0O8B/nYi1tvh
ZIwclL7AJxsDqk14T6v2RRiw6Lik3Ug/zkSecVgqSqY+As2kYfyliKAvUPutK1hxrkhvYbvq
iAfxP5DjGI89YWbmuuUxjOt7bGhw/J40EesTkqyhFM6CxvMlVfyiyGCvHuAOm8vwk+apNQo3
/lpsfIprp55i6oIsBgFWhxqAHKFesahd8bnA3rI8ATEiYMx9ck8yc5GDYjS4wFcUZ9XESIjY
D8Cxc40fJdSEMmE8EUbrnzQEpFrPOUpP7RiAeCugOHZFiyd4sucCHspkqoJ9VdMxpb695hKh
GeYuuQENBFHTXjMBCADW4c67GmNjQm8wkfFp+0QH0SI3Ba16M/s5NArEWVcNxx0luy7LjLcT
m0L3EVHpekNnlHpKOFaQYQOI/BRjfKfTR0MNxaQ4GiUfvqAYzOnspVqP+rJwLaS5O3Fk05FY
VacXxZDetwB8W7yKLRjt/fQk+9y1DrJv6MXlB9mCa+IRLyT1i/uha/HHWCi5ea/zJUK7SJLL
ewSWcBxft2quuROdv1EuyTJHEQqAg0fzyEv2L0qn46Xrgi+SBx8b3vwcDWm80OWyGxAbeIWv
pij5rGNluIS6Gdq+Ic3ExCz6ywfGzwt5K6u4twcOYDKprds9X51ok49qnZySg7hkEhu1DN+X
ABEBAAGJASUEGAECAA8FAlHTXjMCGwwFCQlmAYAACgkQzESiK0DScL+zMgf+L9WEVLWqjTQx
1EEUI1e7jNmPoKa6J3Y5eb1vQp+rS5clM67QQD7z0U0T7hgirj1Yi2QRiZlMiNhrlF2DGiUa
qXgWmQ0yxZYyXe6KFHTgeNOd5svczB183vskOlH9QdBfRdrooiSckKYjUqqaPHeHaZrBqloE
mKaddlkuneuI+/Z/jWa9JYQGpo4For7JVXZPHPu3Pp8Fr2Z5T0vxQl4zil7/Ocj6W4gs8Nev
n899sm19kWRZQxKKAX9VJcflX77bSFdLoP+0NzT/aCFHzUPcc9sP8BM9qTP4W09TfL42pBpL
vbRdcG/FAUA3JjUERXya291YmdeIzM0PhEuDC8qOgg==
=yyx7
—–END PGP PUBLIC KEY BLOCK—–

r.fieldsend@btopenworld.com (Home address):

—–BEGIN PGP PUBLIC KEY BLOCK—–
Version: SKS 1.1.4
Comment: Hostname: keyserver.ubuntu.com

mQENBFHTXdYBCADDh4q4y6GL5qfvNnNuDVyggCr4i9MFdtBFy1Hl5iR+GCULajLASytg/Efp
YPc9n/1TqR4OspgL97hJvnLoyXB0f8MRiKSY46+X8J34usv+9yQ5e0nceMwJyVFukwoEWHHh
jQVLTXHcQH0sRXVJzV+zC5x1jyyUZAfrFb+y4Dc2XVlm3m+6i4bfUqrgsdT7JEcG04Ru74Q+
tuI4aMZGWw2Xpen7MtWcuNVfVA10PzGJNfKE0pi2jRpB1/nii4C0F9NX85tRcofA4IxhOxWd
PvoSY8UpqIaD0P8p7Km/jtiMMUvzdsC2K4/+KOzMnL9pW6bqaA8RAMl3SDe9nOH8dHu3ABEB
AAG0RFJpY2hhcmQgRmllbGRzZW5kIChIb21lIGVtYWlsIGFkZHJlc3MpIDxyLmZpZWxkc2Vu
ZEBidG9wZW53b3JsZC5jb20+iQE+BBMBAgAoBQJR013WAhsDBQkJZgGABgsJCAcDAgYVCAIJ
CgsEFgIDAQIeAQIXgAAKCRD4AnIBCb53rKOYB/0dE8H56gTpi5Kz9ZWBsd5wBI4reaEQ4KJ6
QVwR59DLQkjrZPpxnlkZhsGMcUKf8rSg4T5d9jHzu3b4BKKj9uTLv0QXcooj7V+h7Pmu1IgU
AEGx5A1espsjjPfvjZoFDZAcHVyO5owG33XC+cBc3f0hhxr6SUIrNcXr8m8HjCtkVUVTk2Kh
BqwrICY2xjTkwnGl901IkGWu8DwBI5y1Rr8+blMK9OZW6/4REpa0X2+0/Khzz7KGyD0sTwb0
m6/AH+SEbeaqq4gHkKdbGJXqHFZbqqdcxKzmmZs0rDd+/0s+pMZMnjf9/xKVemhtZya3MaJd
km3RWTUJ/qGmFJNWAyCYuQENBFHTXdYBCAChoKNH9jk+tpaHQ/G0ipsZhL3C7qKfpabDs3sP
ilAroC6RBGEGXe0gJ0x3BjZEAF8ueHf5DsmyZKwifXBnxEfYyzS7QRTu4B+2m5fyq6W/rA9Z
+41i/OfHTxCzQcK9WOdJ0WJNJ0i8PZrtOrsDK409n34FgDAif0yn7P0e8ysowt4MDW1L3kLv
bSFo6kvyp8jIXtImo8LZToj73ZQtDBH6C1ujtyThhP+VNrYGJTPiXbxZBmjX0o4flDidl0X6
ZvWSVNQdnHrVo3jdfbBmSeRei3NCVEHVTnszxbqEp7EYfrQwYXzrYnXd1Gyf27e88HyYSFaj
Ximo6MkIB1CpeBmxABEBAAGJASUEGAECAA8FAlHTXdYCGwwFCQlmAYAACgkQ+AJyAQm+d6yt
dwf+JiZyZoP6o10wLNAH+RZMjwhmsBPygS4tzzzpIyqXOd8STnzaUbrjv7YZmOobXFG24+Uf
g4X+q+KdGGgqJIOoZG2JHqjL/3defsgTEOpgkxtRF5OrnmMQoOIoLs8U0qsTPv0jXzVZXfB0
r+TsbKo/n9FOPN8jEoXuqZF0VaXfyWKm3AyOOdNIW/RTNr427qMHn2BLeEPhWaf4VoGAoHlW
wCJeULl1ZpDiW4NdlzOJv1+l4PwU5xPeeV8rsLKYXWDJMzqEAuJpkkHwyk/Qjv3+IYPokxBV
ie0W71LQHFK6U+EW9p7EsSSLla3yQ/Ay4CTVn9WabcfwMd67tdNtuj6M/Q==
=M0g+
—–END PGP PUBLIC KEY BLOCK—–

The really cool thing is that with the apps APG and K9-Mail I can have this same functionality on my phone as on my desktop machines!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s