Why bother with PGP ...???

Sunday, April 04, 2010

K S Abhiraj


Cross-Posted from http://raj-blogg.blogspot.com/2010/04/why-bother-with-pgp.html

The very nature of email communication makes it perfect for spying and tapping. Imagine all the emails that fly across the Atlantic Ocean. Every single one of them could be tapped without you even noticing it. Of course, thinking that someone will sit and read every single one of them is preposterous - but the "problem" is that nobody has to.

The biggest reason in my mind to use PGP some years back was to resist the government. That sounds pretty crazy. I don't mean resist in an anarchistic or disestablishmentarian way, but in the same way that one doesn't want to be frisked by the police daily. (Which used to happen to my *underground internet friends* a lot. Maybe it's the way they look... ;) ) The FBI, NSA, DEA and other government agencies had the ability to wire-tap pretty much anything they wanted to. Most recently this has come in the form of the Omnivore and Carnivore boxes, which are installed most probably in every ISP and filter through all the incoming or outgoing packets to pick out those of suspected criminals. This means they read all the information passing through an ISP. That could be anything from my or your private emails, to our banking records, to this post I am writing right now. Maybe that's not a terrible thing, but I will feel a lot safer when my web browser uses cryptographically strong encryption.

PGP stands for 'Pretty Good Privacy'. The name is a self-deprecating joke, since PGP uses 'military strength' cryptography to provide privacy, confidentiality and validity for your data and that of other people.

The software was first released in 1991, and was distributed by, (among others) Kelly Goen, who used several pay-phones, each miles apart, and an acoustic coupler to upload it to various BBS', USENET groups, and FTP sites within the US, staying at one location for several minutes before moving on. From there it spread rapidly, and quickly disseminated to Europe and Australasia, among other places.
Since its initial release, PGP has evolved considerably. Network Associates has taken the PGP brand and expanded it into a complete personal security/privacy package. The standard tools are now:

Email encryption - this is the main use case. It is now capable of using Diffie-Hellman algorithms as well as RSA. There are plug-ins for the most common email clients.

File encryption - Apart from the possibility of using public key encryption in email, it can also be used on traditional files. PGP uses strong encryption such as CAST, IDEA, Triple DES, and in the latest version Rijndael.

File wipe - in most operating systems, when you delete a file, it isn't really gone. All that has been deleted is the pointer to the file's location; the bytes the file consisted of still exist and can be recovered using commonly available tools, and may be recoverable by specialised forensic tools even after the actual bytes have been overwritten. PGP contains a utility which directly overwrites the bytes of the file with pseudo-random data up to thirty-two times. At the highest setting, it takes about four hours to wipe a gigabyte of data. Recent advances in data recovery using very expensive atomic-level imaging equipment may circumvent even this.

Disk cleaner - this simply overwrites all the free space on your hard drive using the same method as above. This is used to make sure that any programs you've used do not leave sensitive temporary files half-deleted. It's best to leave this running overnight, unless you sleep in the same room as your computer, in which case it's too noisy - it thrashes your hard drive, after all :)

Secure networking protocol suite - if anyone's actually used this, feel free to add a write-up below.

PGP has also established the OpenPGP message format, which is now used by several applications such as GPG. PGP has occasionally made the headlines for having various flaws discovered.

To guard against this, keep your private key on media that you trust not to be available to an attacker, e.g. your home PC under a further (different) layer of encryption, a disk in your wallet, or, if you don't trust disks, burn a CD and keep it with you - if you feel that someone might want access to your encrypted conversations that badly.

Other vulnerabilities discovered meant that Additional Decryption Keys (ADKs) could be appended to the end of a public key without any error checking. This 'feature' was originally included in version six and above for corporate use, as a message recovery feature. However, it was discovered that it was possible to add ADKs that PGP did not include in the key-block hash checking procedure. Anything encrypted with that public key block would then also be readable by the owner of the appended key.

Despite these two flaws (and probably others which happened before my time), PGP remains one of the most user-friendly encryption tools around. However, if you run a *NIX variant, GPG is recommended, as the whole thing is GPLed, and they generally fix flaws such as the ones described above within weeks as opposed to months.

To encrypt and sign a message, the following steps are observed:

Signing: An encrypted (or unencrypted) message can be signed to provide absolute proof that the message did indeed come from its apparent sender. To achieve this, MD5 is applied to the message to get a checksum unique to that message. This is then encrypted using RSA and the sender's private key (which only he knows); it can then be decoded using the sender's public key (as held by the recipient) to verify that the message is authentic. This works on the principle that only the sender's public key will decrypt something encrypted with his private key, which only the sender knows; therefore, if it can be decoded, it must be from him. The signature is sent along with the main body of the message.

Encryption: First, a unique random 128-bit key is generated for that session (called the session key), and the message (or the message and its encoded signature) is then encoded with IDEA using this key. The session key is then encoded using RSA with the recipient's public key, and these two encoded parts are combined to form the encoded message (along with the signature if one is present).

Decryption: To decode the message, the recipient applies his private key to the encoded session key to obtain the session key. This is then applied to the main IDEA-encoded message to decode the message and, if applicable, the electronic signature.

Authentication: To verify that a message is authentic, the recipient decodes the checksum using the sender's public key, then applies MD5 to the message and compares the result with the checksum sent with the message (if they match, the message has not been tampered with).
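As an added example (not code from the original post), the four steps above carried through with Go's standard library: Seal signs a hash with the sender's RSA private key and encrypts under a fresh 128-bit session key that is wrapped to the recipient's public key; Open unwraps, decrypts and verifies, refusing to return plaintext if any step fails. It substitutes SHA-256 and AES-GCM for the MD5 and IDEA named on the page (MD5 is no longer collision-resistant and IDEA is not in the standard library), uses the modern RSA-PSS and RSA-OAEP paddings, and carries the signature beside the ciphertext rather than inside it; the key names and sample message are constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// must panics on errors that only a broken random source or an undersized key can cause.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// Envelope is the page's "encoded message": wrapped session key, ciphertext and signature.
type Envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }
// newKey makes a constructed 2048-bit RSA keypair for the demo, not a real identity.
func newKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// Seal = Signing + Encryption: sign SHA-256(msg), then encrypt under a fresh 128-bit session key wrapped to the recipient.
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) *Envelope {
	digest := sha256.Sum256(msg)
	sig := must(rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil))
	buf := make([]byte, 16+12) // 128-bit session key (as on the page) + 96-bit GCM nonce
	must(rand.Read(buf))       // crypto/rand: a short read is fatal, never a silently weak key
	key, nonce := buf[:16], buf[16:]
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key)))) // AES-128-GCM stands in for the page's IDEA
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil), sig}
}

// Open = Decryption + Authentication: unwrap the session key, decrypt, verify the signature; any failure yields no plaintext.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil || len(key) != 16 || len(env.Nonce) != 12 { // length checks keep GCM from panicking
		return nil, errors.New("malformed envelope or wrong recipient key")
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	msg, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	digest := sha256.Sum256(msg) // msg is nil when GCM rejects, so the signature check fails too
	if err != nil || rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil) != nil {
		return nil, errors.New("rejected: ciphertext tampered or signature not from the claimed sender")
	}
	return msg, nil
}
```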

Personally, I am not a criminal, and I really don't mind the monitoring of terrorism. But at the same time, I strongly resent the fact that I can't seem to keep my privacy either, because of the laws and law practices mentioned. That's why I urge you to have a look at PGP - Pretty Good Privacy: free encryption that makes sure that only the recipient can read your emails!

Fred Williams Good article, K.S. I wonder if you could post a good tutorial on the easiest and fastest way for a typical user like me to locate, download, install and start using PGP for my email?
Terry Perkins Great article, indeed. PGP gets forgotten.
K S Abhiraj Thank you, Fred! Will certainly look forward to having hands-on 'efficient utilization of PGP in today's scenario'.
My pleasure, Terry.
Julian Tosh Thank you very much for advocating PGP and privacy practices but I'd like to point out though, that you're most likely not too far from being a criminal, if not, in fact a real criminal (like most unsuspecting generally good people). How could we possibly be aware of all the (tens of thousands??) laws on the books in each jurisdiction that overlaps our daily lives? I invite you to watch this video to see what I mean.


Again, great article!
K S Abhiraj That's 'Very True', Julian!
It's a mere fact to observe: "Our words could easily compel us in any criminal case to be a witness against ourselves..."
Moreover, it wrecks my mind when I hear, 'Gov. has more than 10K ways for convicting us with different charges...'
Great post!

Again, thank you very much!
Marlin Fischer Fred: Your best bet is to do some searching on the 'Net for PGP. I started using PGP over 10 years ago, for a number of years, to encrypt my customers' credit card orders safely when I had my biz... both 'brick and mortar' and Internet. I had great success in fulfilling orders with no security consequences, and it was not that difficult to set up. Your host should help also... if they want your biz :-) Look for a host that has 'PGP module' capability. I'm guessing a few things may have changed since I last used it.

Second...I have spent a few days mulling over this situation but I just cannot allow someone to 'copy and paste' info that was first published 10 years ago... and the authors have not been given credit.

I have been in IT for over 17 years, IT security for just over 15 years, and I am not 'comfortable' with those who just lift info from someone else with NO credit given to the authors of the comments in the article.

Both 'Crash Override' and 'Jetifi' (http://everything2.com/title/PGP) had published these exact comments found in this article, copied almost verbatim (word for word), from their published comments on Wed Jul 19 2000 and Sun Jun 03 2001... almost 10 years ago. You did add a somewhat obscure link on your blog page (http://raj-blogg.blogspot.com/2010/04/why-bother-with-pgp.html) at the very end (again giving no credit), but nothing here, so there's no question you were aware of your source. That doesn't begin to follow professional procedures... IMHO.

Sorry if I rained on anyone's parade.
K S Abhiraj Hahaha.. you are exactly right, Marlin, the author being paran0id's (co-author in hackhound clauses) cousin on everything.com!
And I have taken permission from paran0id, as we are fellows in hackhound.com, to substitute my fav. parts from the sources.. yet thought there was no need to mention it here since it's been specified over on my blog, Sir!
Though no problem, yet it does not need to be mentioned if we have duly spoken over this.
Thanks for your time in re-certifying these, to paran0id.

Bill Wildprett, CISSP, CISA A very good article, K.S. I do have one concern, albeit unsubstantiated yet: during a three-day CISA bootcamp I took, the instructor (former military) stated that the U.S. and British governments have the master decryption keys for PGP by agreement with PGP.

Similarly, all Motorola mobile phones have an 'always-on' GPS and On-Star allows remote passive listening/recording of in-vehicle conversations.

If true in the case of PGP, what other encryption solution could we use & trust?

All the best!
Julian Tosh Bill,

While the code for PGP remains closed source, GPG is open. Any such back doors would have been revealed by any number of skilled cryptographers and coders, and the news of it would have shaken (destroyed?) the foundations of information security. When properly implemented, AES and GPG are worthy of the public's trust.
Marlin Fischer I agree, Julian. Since AES is made up of 3 block ciphers and uses both permutations and substitutions (rearrangement of data and replacing one unit of data with another), it's at least as close to the idea of producing random number generator-like results as any other; the output of one block cipher is the input for the next. That alone makes it very difficult to determine a trend. Maybe someday it will be easier to hack, but until then...

I don't get overly concerned (interested, yes) about reported cracks, either on paper or in a controlled lab environment, but if it's used 'in the wild', that's when users have to be on the alert. Then it's gone beyond a 'proof of concept' and is where your 'risk mitigation' plans are a 'must'. Let's face it, 'risk elimination'... well.... just doesn't exist!
Rod MacPherson For Fred and others looking for a tutorial on installing PGP/GPG for mail encryption, look here: