You down with PGP? Yeah you know me!

When “pretty good” is good enough

PGP stands for “Pretty Good Privacy”. It’s a set of algorithms for encrypting, compressing, and signing data so that a specific person can open and read that data, without a third party being able to also do so. They call it “pretty good” because when you talk about encryption, one of the first things you have to assume is that it’s going to be broken, or is already broken and no one knows. It’s important to know that given enough time, money, and computing power; every encryption can be broken. You also have to realize, There are people in this world who have a much simpler method of breaking encryption and it’s usually called the 5$ wrench attack.

xkcd

For the most part. Your data is not something that someone is going to spend billions of dollars trying to get at. So long as you’re not in a country that routinely violates human rights, you might also not be susceptible to the 5$ wrench attack. I should note however that it seems people in the United States have been held in prison on contempt of court charges for not giving up decryption keys to encrypted data. It could very well be that you forget passwords to encrypted data and end up languishing in jail. A truly cruel punishment.

More acronyms

So PGP is the standard however it is owned by Symantec and considered proprietary. An open, non proprietary version of this standard is called OpenPGP. OpenPGP is just a concept, a piece of data outlining how OpenPGP works. GPG is actual code that does the things outlined in the OpenPGP standard.

All this lingo and stuff can be confusing so from now on I’ll just be talking about how to use GPG. All you need to take away from that is GPG is a program that let you use the stuff thats outlined in OpenPGP

A word on why

When you talk about securing yourself on the web you have to realize that it’s not just about securing you. Your life might not be at risk because of your views, your government, your ideals, or your beliefs. The thing is there are many people in this world who aren’t so lucky. Whistleblowers, Journalists, political dissidents opposed to fascist regimes all have to worry about whether or not they are going to be found out by someone who may not like what they have to say.

The truth is that using GPG, and encryption in general, normalizes the use of encryption. Imagine if you would, that nobody had locks on their front doors. When walking down the street, you would assume that the only door in the neighborhood with a deadbolt would be hiding something. This is a perfect analogy because it’s also a great response to people who say “Well I have nothing to hide why should I encrypt things”. You’re not hiding anything in your house, why have a lock on the door? Why have a door at all? The answer is that A: You don’t want people wandering in. B: You want to keep bad people out.

The same thing goes for encryption. Your identity is something that you need to protect. Identity theft occurs every day and it has far reaching implications. On top of that. As a society, we need Whistleblowers, Journalists, and yes, sometimes dissidents.

How does encryption work?

In order to talk about encryption, you usually have to talk about math. Lots of fairly complicated math. People write theses on encryption algorithms and base their entire mathematical careers off them. I’ve always found it to be a very intimidating way to approach the concept.

Basically, in order to encrypt something, you need a secret password known by both yourself and the person you’re trying to contact. This “shared secret” is then used to take your input data (your secret message) and transform it into something that is unrecognizable to an outside observer. Throughout history, this has taken many forms. One-time pads are very tight encryption, the enigma machine was famous for needing the first Turing machine to be built to crack it. If you want explanations as to how the math works for these, this isn’t the right blog.

This shared secret is then used in a “mathy” way to scramble the letters up in your message so much that it would be very difficult or impossible to unscramble without knowing the secret key.

When people talk about encryption they also always seem to use “Alice” and “Bob” as the people wanting to send messages. “Eve” is always the nefarious third party trying to spy on the communication. I don’t know why but make your own story up.

One-time pad encryption example

Let me take you through a quick example using a One-time Pad. A One-time pad is called such because in order for it to be secure, you can only use it once to encrypt data. Each successive use, weakens its encryption strength. They’re basically two paper booklets that are identical to each other with random letters on them. Those random letters are identical in each pad as well. The two people wanting to send messages to one another should each have one.

So let’s make our super secret one time pad. First we’re going to agree on a way to turn letters into numbers. We’ll go elementary school style with just listing the numbers of the letters in the alphabet. There are many techniques to making these, commonly called checkerboards or conversion tables, that allow for more characters and the use of a codebook to represent whole words as numbers as well.

A B C D E F G H I J K L M
01 02 03 04 05 06 07 08 09 10 11 12 13
N O P Q R S T U V W X Y Z
14 15 16 17 18 19 20 21 22 23 24 25 26

Next we’ll make our one time pad by generating a bunch of random letters. Important to note here that randomness is essential to this whole thing. Most of the things you think are random are not. Truly random things are difficult, but we’re not dealing with life or death info.

I went to random.org/strings and got 20 random 2 character strings. One of the most important security rules for making iron clad One-time Pad ciphers is to not use computers at all for encryption/decryption. You do want something truly random to make the pad and that is usually a computer of some sort. True randomness is hard to come by but that’s another post. when using a computer to encrypt or decrypt, you leave behind data without even knowing it and it’s usually a variable that you cannot properly control. But again, we’re just having fun.

IM OT WM GU BY SH EB JR PU YC PV LW ZI CZ DB DM RU BH TY FV

I’ve arranged them in 2 letter groups because this next part is how we’ll encode/decode our message. Let’s convert these to numbers. I’m just going to grab a couple to use as we won’t need all of them.

IM OT WM GU BY SH EB JR PU YC PV
0913 1520 2313 0721 0225 1908 0502 1018 1621 2503 1622

Encrypting

We’re going to now use this to encode our secret message “I THINK EVE IS LISTENING” by grouping them by two characters, removing spaces, and formatting it like we did before. We do this because we don’t want “Eve” to know how many characters each word has. That would be a hint to our message’s contents.

IT HI NK EV EI SL IS TE NI NG
0920 0809 1411 0522 0509 1912 0919 2005 1409 1407

The next part is where the magic happens. We are going to keep the first secret key the same so Alice can know which One-time pad to use to decode the message. Ideally a One-Time pad is made up of several pages of random characters and you’ll need a way to let each other know which one you’re using. So we’re going to line up the data and add one to the other. We’re only adding the individual digits and ignoring any time it goes over 10 by just writing the remainder. This is called Modulus 10, but that’s getting into the “mathy” thing we talked about. Just think 9 + 4 = 13 so we take off the 10 part and end up with 3.

Key
Secret 0920 0809 1411 0522 0509 1912 0919 2005 1409 1407
One-time 0913 1520 2313 0721 0225 1908 0502 1018 1621 2503 1622
Cipher 0913 1440 2112 1132 0747 1407 1414 1927 3626 3902 2029

Remember we are only adding single digits. You should never be adding more than one digit from the message to more than one digit of the One-time at a time.

Now that we have our secret encrypted cipher text, we destroy our pad and it will be secure. If we’re caught with the message we wouldn’t be able to provide a way to read it even with a 5$ wrench attack.

0913 1440 2112 1132 0747 1407 1414 1927 3626 3902 2029

Decrypting

So Bob sends his message to Alice via carrier pigeon. Eve has a fleet of pigeon intercepting hawks who grab Bob’s pigeon so Eve can copy down the message and send them on their way. Upon arriving, the pigeon tells Alice its harrowing tale. Unfortunately, Alice doesn’t understand the pigeon’s regional dialect but even if she did, she would not be concerned that the message’s contents were compromised.

Circling back to GPG

Luckily though, I’ve found this

Image alt text

https://alexcabal.com/creating-the-perfect-gpg-keypair/
http://biglumber.com/index.html

https://www.linode.com/docs/security/authentication/gpg-key-for-ssh-authentication/
https://disjoint.ca/til/2017/10/05/a-guide-to-setting-up--managing-gpg-keys-on-a-yubikey-4/

https://github.com/drduh/YubiKey-Guide#22-install---macos

https://medium.com/@ahawkins/securing-my-digital-life-gpg-yubikey-ssh-on-macos-5f115cb01266
https://eklitzke.org/using-gpg-agent-effectively

https://superuser.com/questions/879977/how-to-have-a-different-pass-phrase-for-a-gpg-subkey

http://duplicity.nongnu.org/