Showing posts with label encryption. Show all posts
Showing posts with label encryption. Show all posts

02 May 2012

128. Encrypting your email, chat and VOIP in linux (Debian Wheezy)

I'll show how to use GnuPG with Gajim, mcabber, Evolution, Thunderbird and Mutt below
.
I'll also show SRTP/ZRTP using Twinkle with iinet for encrypted VOIP calls -- this solution should work computer-to-computer, but not from computer to phone and vice versa.

You may also want to look at truecrypt (http://verahill.blogspot.com.au/2012/04/using-truecrypt-with-dropbox.html) to secure your files and/or devices, in particular portable storage media like USB sticks. Truecrypt is a good way of backing up or managing your pgp/gpg keys.

I do recognise that there's a lot of info on this page, so don't feel shy about using 'search' to get to where you want to be.

Why?
If you have nothing to hide, why worry?

University and company email systems get hacked. What you do and say can come back to haunt you in unintended way. A lot of employers in the US are scared of submitting honest letters of recommendation because they fear getting sued if they are not favourable enough. Politicians are, often illegally, using private email for official business.

On the one hand, if something doesn't pass the 'newspaper test' (how would you feel if this was the headline on today's newspaper?) maybe you shouldn't be doing/writing/saying that.

On the other hand, in particular in academia, it is important that discourse can be direct and honest.

For these reasons I favour using PGP/GPG encryption as much as possible, since I feel that it strikes a good balance between the need for privacy and unfettered discourse, and the need for a paper trail. PGP/GPG encrypts the content of your conversation, but still leaves it open with whom you converse, thus providing a trail ensuring  that you don't get involved in something which you shouldn't.

In some jurisdictions this means that you can be ordered to decrypt your conversation, while, to my understanding, in e.g. the US the content and relevance of the conversation needs to be known to some extent for this to happen. The bottom line is that you will be involved in the release of the material, and that it will take a court order for that to happen.

As with everything else, encryption is just a tool, and it can be used responsibly for good purposes, or irresponsibly with bad intent.

And if even you truly don't have anything to hide, you may support the right for each citizen to decide for themselves whether they want to use encryption or not. The view of law enforcement in many countries seems to be that only criminals have reasons to use encrypted communication, while at the same time security/intelligence agencies believe that their job becomes more difficult to do if they can't sniff all traffic (e.g. ECHELON).  These are legitimate opinions, but as with everything you have to make a choice between how much liberty you are willing to sacrifice for a little bit of security. You have to decide for yourself where you draw that line.

Enough meaningless banter, time to get configured.

1. IMPORTANT

The key KEY principle is that:
1. the PUBLIC key ENCRYPTS
2. the PRIVATE key DECRYPTS.

You can encrypt with a private key (e.g. signing), but then anyone with your public key can decrypt it.

I'll write this in bold because it is central to encryption with public and private keys:
use the recipients PUBLIC key to encrypt correspondence to them, and they should use your public key to encrypt correspondence to you. If a private key is used to encrypt, everyone can read the correspondence.

IF, on receiving an encrypted email from someone else, you have to go online to download their key to decrypt, then they used their private key and not your public key to encrypt. That is wrong and INSECURE.

A side effect is that,UNLESS you cc and encrypt to yourself using your public keys when emailing, you WILL NOT BE ABLE TO READ SENT EMAILS which have been encrypted using someone else's public key.

In a more formal setting you will probably want to use expiring keys. For personal use, keys that don't expire are probably fine.


2. How?


2a. Keys and key-management

First install seahorse, gnupg, and gnupg2.

Regardless of how you create your key, it will be found in ~/.gnupg

ls ~/.gnupg/
gpg.conf      pubring.gpg   pubring.gpg~  random_seed   secring.gpg   trustdb.gpg

This means that anyone with root/sudo access on that system can access your private key and decrypt all your correspondence unless you password protect it.  In general, don't store your key on a shared computer.

Creating a key


  • using gpg (terminal)


gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
[..]
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) Y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: I Lindqvist
Email address: i.lindqvist@email.net
Comment: fake address
You selected this USER-ID:
    "I Lindqvist (fake address) <i.lindqvist@email.net>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
You'll get asked for a passphrase twice. Then:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 283 more bytes)
..+++++
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++
Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 109 more bytes)
.....................+++++
gpg: key 2B4C5636 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/2B4C5636 2012-05-02
      Key fingerprint = 5B71 C3F1 0C2D E008 B299  21A8 019F 907E 2B4C 5636
uid                  I Lindqvist (fake address) <i.lindqvist@email.net>
sub   2048R/78F9B6C1 2012-05-02
gpg --list-key
/home/me/.gnupg/pubring.gpg
-----------------------------
pub   2048R/2B4C5636 2012-05-02
uid                  I Lindqvist (fake address) <i.lindqvist@email.net>
sub   2048R/78F9B6C1 2012-05-02
To add more email address, do
gpg --edit-key 2B4C5636
>adduid
and follow the prompts. You do not want to add subkeys.

Do
>trust
to set the trust level. Ultimate for your own key, full for your pals.

  •  using seahorse:
    if it isn't already installed, then
    sudo apt-get install seahorse

    and start it by typing seahorse in the terminal, or selecting Passwords and Keys in gnome. Select New
PGP key
Add details

You can add additional addresses later by selecting your key and right-click, then select Properties




Publish your PUBLIC key:
You can either do this directly using seahorse (very easy), or, if you prefer a more manual approach:

gpg --export -a
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
mQENBE+gt4IBCADPY9CyEr1aqU1uqOKquwFOUgsiLNV7pYRLKkTa3hki/8Zz0Ssr
16DIvuO5dGQVsDu712E2FaW3FSzThzPBW9R9z1WNHjZUWtRu78WVNyJJ3WwjJFWV
hmA9kmWzFn14pcqzeD6RAkpK7YrKENu05A2vWB47mWFxlysCxo8VdPoj/uEG0Cvw
BHNrI8raVarwWOPPZiVTp7nbbHySQxZjJTpdR5bEFH+L1AqA3T0YG5FdXryGFXG0
DMLPD3mCSZHoT27WRH4l8mH7K25m6ONUV8u6JDLtSy/WAi9J2nGo5K5r/OetDqe7
zTOaQk7u+WyTxK41nzNk/NRVAUlcc7aM7WXFABEBAAG0MkkgTGluZHF2aXN0IChm
YWtlIGFkZHJlc3MpIDxpLmxpbmRxdmlzdEBlbWFpbC5uZXQ+iQE4BBMBAgAiBQJP
oLeCAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRABn5B+K0xWNtxlB/9K
GAq9Q8YlZjKOnOx2jZWRqE6dHZ5BjNX24SmsVWf0jpEIP1Bj699QiWxxEYeIc2S7
E0vm3G323oEHfiGUlTpqi4piCnrEgm63JKNGWKamKBkYBTvygRFRC7DUWhB6kwP3
FmOU8SMR9+8lSei6IJoRlJUThdF3gWLiNnQtDDowjQL2gIHvh+Ht/geC+fDtN0i5
R7yGUOyIicYDa04dSsX5LZJneouIavNYulTpJc0wth6GOrzAbitVsfdQ84O/Q/Ld
lyI6HSzz/QNDuY2YkAPiejapHBtBP9LukBvFChfkiwNv+RPG9VE8zm0vIg9ylmaf
Fbe1CrawAsjQDM8f1KEtuQENBE+gt4IBCADK5PJMH0I8CB1RoMLo13Ewd8tFoIYu
bXIuV2RpUCTwxOA1nbKiJUrZP0Dxe0aK6GXspEzRtYjpT2QdIvdYsHrr85V4+AsJ
BFQ3ehp6XW2NtyECQyzYlUm4Yo06EU128E0whfeK42b+egWazOrdnt9QKlZCP5lz
UU8L9zJiDI64old79AkbRm7mKdH6uIAwkPG3Eft+2H312MkRGfmiJ/Eq/HQO8ygo
pcg93kqU9RrI8xwfO5plqF9yc9iNzrgDu8iuOPSxYuJtG3cj0W4CzuwLRzMnWFXO
CQpcCWF38/a2HTrXCxA5QAf0Td3P7zc7eZd6JhpzNTTJ7zQeeQreKjhfABEBAAGJ
AR8EGAECAAkFAk+gt4ICGwwACgkQAZ+QfitMVjbn2Af/SURRS72DJ66F0Gpt9bIe
p2zr98c+W4bPru7fVg4uOAxz95H1vK65kX7jZ+9M5yqHGqLNxmVcUcVhbXS+Fkik
LoBxLezU7s1bC40HSFPu00IQQxiH5jv9Dd/kqP16oel+JVGDwmRXFWXqByaWaaNm
6JYHYcCH6B4UwSpSRiwJScbTWsvxq9+WVAUO730FwGy3BYnZAXNeibV2/bbtZbz6
P23zyitFqOizuafvwFIS9pGvbL3pmUkQne0dF1OGhfhsdczZi+LVhnKy6iOy7lTx
6saK149HMndyLNOlS8pmJez2ULXF/fijLlrXAi3zr8a2UFkpYPEIj+emkeFpAGiE
mQ==
=VnnT
-----END PGP PUBLIC KEY BLOCK-----
Then copy/paste it into the front page at pgp.mit.edu




2b. Chat

Gajim
Gajim is seven kinds of awesome, but is primarily used for jabber-compatible protocols. This means gmail gmx, etc.

To set up encryption for an address, go to Edit, Accounts, select the address and go to the Personal tab.
GPG Agent is broken on Debian, so don't use that.
 Before you use gajim to encrypt chat you may need to rightlick on the recipient and assign the correct key:
 Once all that is done, encryption is easy.



mcabber
Mcabber is a terminal chat client and that makes configuration very easy.
Edit ~/.mcabber/mcabberrc and add (or uncomment):

set pgp = 1
set pgp_private_key = "06403515C1XXXX6B"
set pgp_passphrase_retries = 3
The private key ID is much longer than what you may be used to -- you can look it up using seahorse. pgp.mit.edu will also report it if you've uploaded your public key:



Anyway, start mcabber, select the contact you presumably already have a key for and type:
/info

05-02 16:02 *** jid:  <xxx.xxxxx@xxxx.xxx>                                                                                                                                                                      
05-02 16:02 *** Name: xxxxx at xxxx                                                                                                                                                                              
05-02 16:02 *** Type: user                                                                                                                                                                                        
05-02 16:02 *** Subscription: both                                                                                                                                                                                
05-02 16:02 *** Resource: [o] (50) Gajim76E72461                                                                                                                                                                  
                Status timestamp: 2012-05-02 16:02:09                                                                                                                                                              
                PGP key id: 06403515C1XXXX6B                                                                                                                                                                         
                Last PGP signature: good                                                                                                                                                                             

The contact is recognised and you have their key. So, you should be able to simply start chatting.

Switch encryption on and off using
/pgp enable
and
/pgp disable


So how can you tell whether it's encrypted or not?


05-02 16:02 -~> This is encrypted

05-02 16:09 --> This is not encrypted

Yup. A ~ makes the difference.

Received encrypted messaged look like this:
05-02 16:12 <~= encryption the other way




2c. E-mail

Evolution
Evolution supports integration with gnupg out of the box, but each email address needs to be configured separately. Start evolution, click on Edit, select Preferences, Mail Accounts, highlight the email address you want to configure, click on Edit. Select the Security tab in the Account Editor and type in the key ID.
When you're composing, this is what meets you:


You will have problems encrypting to people who's keys haven't been associated properly with the email address you're composing to.



Thunderbird
Thunderbird isn't as well-supported for PGP/GPG as evolution but there's an add-on, Enigmail 1.4.1 (you might have to download it manually from http://enigmail.mozdev.org/download/index.php.html), which is compatible with Earlybird/Thunderbird 11. The downside on using an add-on is that compatibility sometimes breaks.
The key here is the 'GnuPG was found...' bit. To  gain access the tabs below you can click on Display Expert Settings.

Once you've installed enigmail via the add-on menu and restarted, you can set the preferences:
Most options are straight-forward
You may need to set the key manually if the email address isn't explicitly associated with an address.




Go to Edit, Account Settings, and uncheck use html under Composition and Addressing for each address. Partly because signing will work better, but mainly because you have no reason to use html. Ever.

 And this is how it looks when you are composing emails:
You can choose to sign and/or encrypt emails from simple menu.




Mutt
The key ID is C1XXXX6B. Edit your  .mutt/muttrc file and add (the field which need to be edited are given in red below):
# GPG stuff - autosign
set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0xC1XXXX6B -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0xC1XXXX6B -- -r %r -- %f"
set pgp_import_command="gpg --no-verbose --import -v %f"
set pgp_export_command="gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r"
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r"
set pgp_autosign=yes
set pgp_sign_as=0xC1XXXX6Bset pgp_replyencrypt=yes
set pgp_timeout=1800
set pgp_good_sign="^gpg: Good signature from"
In mutt, p is associated with gpg/pgp:
 In mutt, write your email in vim or nano, then exit the editor and hit p. Select e to encrypt:
And it now shows 'Security: Encrypt', and you can send.







Encrypted VOIP
While skype encrypts by default, skype isn't 'open', and you are not in control.

For twinkle (below), you need a sip address. You sometimes have one via your ISP, but you can also get one for free from e.g. https://www.ekiga.net/index.php?page=register

Twinkle and ccRTPp are available in the debian repos.
sudo apt-get install twinkle
pulls in everything you need

Next, start twinkle and configure it:




The only interesting step is this one:
Select ZRTP/SRTP
Next log in:


 My guess is that you need to include the country code. Don't forget to drop any leading 0s off the area code (the scatter brained cause of the failed call listed in the log below)