From the Archive of 2015: Introduction to Encryption and PGP.

Encryption

Let’s talk about encryption.

My last article was a brief introduction to the world of Open-Source Intelligence; it garnered a fair amount of attention, and I got several requests to make my next article about ways to remain private online. After reading the OSINT article, I can see why people would want to take action to ensure their privacy online; especially with so much of your information being mined and gathered by people like me, and making everything you do online wide open for everyone to see. So, for that reason, let’s look at one of the easier steps you can take to make sure your electronic communications are secure.

Author’s Note: If you’re just here for the PGP installation instructions, scroll down to “Installing PGP.”

For the purpose of this article, I am going to assume that the primary audience is using Windows as their operating system. I believe that most Linux users would otherwise already know how to install and generate a PGP key, using the very simple guides that can be found online. As such, the following instructions are specifically for Windows XP through Windows 8.1. Before we get to the instructions, however, let’s look at what PGP and encryption actually are.


What is encryption?

Simply put, encryption is the method by which we take some piece of information or data (for example, conversational data such as private messages and emails) and encode it in such a way that only authorized parties are capable of reading the original message. Ideally, unauthorized parties would not be able to read the message, because it would be obfuscated to the point of being illegible to them. It is a method that helps protect information against interception; however, it does not prevent the act of interception itself, but rather the ability of the interceptor to read the information after it has been intercepted. Let’s take a look at a basic encryption exercise.

Scenario:

People involved: Tyler, Melanie, and Lacey.

Let’s set the mood:

Tyler, Melanie and Lacey are all working late; everyone else in the office had long since left to go home. Tyler, excited about his recent discovery involving the project he is working on, wants to tell Melanie all about the discovery he just made. However, he does not want Lacey to know of his project, as Lacey will likely steal all of his ideas and use his work in her own project. Knowing that Melanie understands the concept behind a Caesar Cipher, Tyler writes down the information that he wants to tell Melanie; but, instead of writing it in plain English (read: plaintext), Tyler moves each letter to the right by 5. For instance, the letter “a” would become the letter “f”. When he passes Melanie the letter, he quietly whispers “5” into her ear. She knows that is the key for deciphering the encrypted text. She looks down at the letter, and this is what she sees:

“Htslwfyzqfyntsx, dtz hwfhpji fs fshnjsy xzgxynyzynts hnumjw. Dtz lt, dtz.”

This is, of course, a rudimentary example of a very, very simple substitution cipher. Go ahead and decode the message for fun, if you want. Obviously, the encryption that we will actually be working with is much more complex than this. Modern cryptographic algorithms are far more sophisticated and depend upon advanced mathematics to ensure their security. Before we proceed to working with PGP, however, let’s take a quick look at the differences between two encryption techniques.
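Here is the Caesar shift from the scenario above written out in code, as an added example that is not part of the original article. It encrypts with a right shift, decrypts with the same key applied in reverse (which is exactly what will make it "symmetric" in the next section), and decodes Tyler's note with the key 5. It goes one step beyond the text by also trying every possible key: with only 26 shifts to choose from, Lacey would not need the whispered key at all, which is why this cipher is only a teaching example.

```python
import string

ALPHABET = string.ascii_lowercase  # the "alphabet line" the shift moves along

# Tyler's note from the scenario (copied from the article).
MELANIE_NOTE = "Htslwfyzqfyntsx, dtz hwfhpji fs fshnjsy xzgxynyzynts hnumjw. Dtz lt, dtz."


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every ASCII letter `key` places to the right, wrapping z -> a.
    Case is preserved; punctuation and spaces are passed through unchanged."""
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same operation with the same key, run backwards:
    one key for both directions is what makes this a symmetric cipher."""
    return caesar_encrypt(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Return every candidate plaintext for all 26 possible keys.
    A key space this small is why Caesar is a classroom cipher, not a real one."""
    return {key: caesar_decrypt(ciphertext, key) for key in range(len(ALPHABET))}


if __name__ == "__main__":
    print("With the whispered key 5:")
    print("  ", caesar_decrypt(MELANIE_NOTE, 5))
    print("Without the key, trying all 26 shifts:")
    for key, guess in brute_force(MELANIE_NOTE).items():
        print(f"  {key:2d}: {guess}")
```

Run it and the key-5 line reads as English while the other 25 candidates are gibberish; that is the only "cryptanalysis" a 26-key cipher needs.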


Symmetric Vs. Asymmetric Encryption.

To begin, let’s start by looking at symmetric encryption.

Symmetric encryption is a very simple encryption technique; and it is also a very old encryption technique, as well. Contextually speaking, a symmetric encryption key is a key that is the same for both the encryption and decryption process. That is to say, the key that is utilized to encrypt the information is also the same key that is utilized to decrypt the information; there is no change to the key, in symmetric encryption.

For example, the aforementioned substitution cipher that Tyler and Melanie utilized to pass messages back and forth, in such a way to prevent Lacey from reading them, would fall under the category of symmetric encryption. The cipher used, Caesar’s Cipher, shifted each individual character forward by five characters, on the alphabet line. That same key, the five character shift, would then be utilized again, only in reverse, to decrypt the information. That way, to encrypt (write it for the first time in an encrypted state) the letter “a” would become “f”. And when decrypting the information, the letter “f” would be shifted to the left by five, taking it back to the letter “a”. Got it? It’s very simple to understand.

Thinking of it another way, a very common symmetric encryption that we use every day is the password. You remember how we mentioned that the symmetric encryption technique is one of the oldest and simplest encryption techniques that can be used? Go ahead, put 2 + 2 together, and you’ll come to the conclusion that passwords are actually the weakest form of authentication method that can be utilized. It is for this reason alone that multi-factor authentication is absolutely necessary when it comes to being secure online.

Yes, I know that multi-factor authentication methods can be inconvenient. Normally, a multi-factor authentication method is as simple as an additional PIN that is sent to your phone after you have logged in with your email and password. As you can see, you have now added a second authentication factor to your equation that must be completed prior to being able to log in. In that scenario, that would be a two-factor authentication method; however, not all authentication methods rely on text messages or PIN numbers as the second factor. I realize that waiting for that text to come through, or having to deal with a second authentication after the first, takes a little bit of extra time… but is your privacy and security not worth that extra time? It only takes a few seconds more – usually no more than an extra thirty seconds. To answer my rhetorical question, YES, your security should be worth those extra few seconds. And as you’re reading an article concerning encryption, I assume that you feel that your security is important, too.

Now, let’s take a look at the second encryption technique: asymmetric encryption.

Unlike the symmetric encryption, in which you utilize one single key to both encrypt and decrypt your information, asymmetric encryption utilizes a key pair. Yes, that means there’s now more than one key. This key pair will usually consist of a public key and a private key. Now, as you probably have already concluded, a symmetric key is going to be faster than an asymmetric key. In fact, an asymmetric key can actually be quite slow, when encrypting and decrypting information. However, the speed is not entirely what we’re focused on here. More importantly, the asymmetric key is significantly more secure than its single key brethren.

One example of asymmetric encryption is PGP, so we’re now going to proceed to the installation instructions for it. I imagine you are all likely bored by the introductory lesson and just want to get right to the installation instructions so you can begin sending encrypted messages to shadowy figures on the Internet. So, let me go ahead and explain how to send those messages to those shady people.
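To make the key-pair idea concrete, here is textbook RSA (the public-key algorithm behind the key GPA generates later in this article) worked through with toy-sized primes. This is an added example, not code from the article or from GPG4Win/GPA: the primes 61 and 53 and the exponent 17 are the standard classroom values, far too small for real use. It shows the property the text describes, that anyone with the public key can encrypt but only the holder of the private key can decrypt, and it goes beyond the text by showing what an attacker who holds only the public key has to do: factor the modulus. For a four-digit modulus that takes a loop over a few dozen numbers, which is the reason the author's later note asks for 2048-bit keys at least and recommends 4096. Note that real PGP does not run RSA over message bytes one at a time as done here; it encrypts a random symmetric session key with RSA and the message with a fast symmetric cipher, combining both techniques from this section.

```python
import math


def make_toy_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA key generation from two primes.
    Toy sizes only: a real 4096-bit key uses two primes of about 2048 bits each."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent e must be coprime with phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e (Python 3.8+)
    if n <= 255:
        raise ValueError("modulus too small to encode a byte")
    return (n, e), (n, d)        # (public key, private key)


def encrypt(public_key, message: bytes) -> list:
    """Anyone holding the public key can encrypt.
    Each byte is treated as one small integer m < n (demonstration only)."""
    n, e = public_key
    return [pow(m, e, n) for m in message]


def decrypt(private_key, ciphertext: list) -> bytes:
    """Only the holder of the private exponent d can undo the encryption."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def factor_toy_modulus(public_key):
    """What recovering the private key from the public key requires: factoring n.
    Trial division works instantly on a toy n and is hopeless at 2048 or 4096 bits,
    which is why key length matters."""
    n, e = public_key
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("n has no non-trivial factor")


if __name__ == "__main__":
    public, private = make_toy_keypair(61, 53)
    print("public key  (n, e):", public)
    print("private key (n, d):", private)
    note = b"hello Melanie"                      # constructed sample message
    boxed = encrypt(public, note)
    print("ciphertext integers:", boxed)
    print("decrypted:", decrypt(private, boxed))
    print("private key recovered by factoring toy n:", factor_toy_modulus(public))
```

Two keys, two different jobs: the public half (n, e) is what you hand out, the private half (n, d) never leaves your machine. The last line of the demo is the whole argument for long keys: the only thing standing between the public key and the private key is the difficulty of factoring n.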


Installing PGP on Windows

Here, we’re going to take a look at how to generate a public/private key pair, so you can hit the ground running with encryption. First things first, we’re going to need to find a PGP program. Since this guide is primarily catering to Windows users (which, btw… why? Get on Linux, already!), we’ll be utilizing GPG4Win and the program that it brings along with it: GPA. Let’s do that now.

Installing GPG4Win and GPA.

  1. Go to the download page for GPG4Win (gpg4win.org) and begin your download.
  2. Very important: During the installation of GPG4Win, you will come to a screen titled CHOOSE COMPONENTS. By default, the check mark box for GPA is unchecked. MAKE SURE YOU CHECK MARK THAT BOX. GPA must be installed – so install it!
  3. With the GPA box checked, go ahead and click next and finish the installation.

Generating a Public/Private Key

  1. Open up GPA, which you have now installed.
  2. Click KEYS in the menu at top of the GPA window.
  3. Click NEW KEY in the keys menu that you just opened.
  4. At this point, GPA will take you through a generation wizard that will help you set up your new key.
  5. The information that it asks for does not have to be valid; however, your key is only worth the validity behind it, and verification is a crucial issue when it comes to asymmetric encryption. You may choose to either enter real information in the creation wizard or to enter false information. The name and email do not matter – it will not check that this information is valid, so you may use whatever you want during this process.
  6. Eventually, you will come to the part of the wizard that asks you if you wish to create a backup copy of your key. CREATE THE BACKUP!
  7. After the creation of the backup, it will ask you to create a passphrase; make sure you select something that you will be able to remember (or at least back it up if you won’t remember it), but something that is also strong.
  8. Now, go find that backup you made. It will be a .ASC file type. It should look something like the following:
This is an example public key. It is not my public key.

Congratulations. You have now generated your very own public/private key pair. Take note of the above picture – notice that I included -----BEGIN PGP PUBLIC KEY BLOCK----- and the -----END PGP PUBLIC KEY BLOCK-----. This must be included.
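The reason the BEGIN and END lines must be included is that the .asc file is "ASCII armor": a header line, optional "Key: value" headers, the key bytes encoded in base64, and a checksum line starting with "=" that carries a CRC-24 over the raw bytes (RFC 4880, section 6). A key block that was pasted without its header, cut off partway, or altered in transit will fail that check. The following is an added example, not code from the article or from GPA, that builds an armored block around a constructed payload and then validates one before use. The payload is labelled bytes standing in for key material, not a real OpenPGP key; the armor layout and the CRC-24 algorithm are the real ones.

```python
import base64
import re


def crc24(data: bytes) -> int:
    """CRC-24 exactly as specified for OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap raw bytes in the layout a .asc export uses: BEGIN line, headers,
    blank line, 64-column base64, '=' + CRC-24, END line."""
    body = base64.b64encode(payload).decode("ascii")
    data_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    checksum = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join(
        [f"-----BEGIN {block_type}-----", "Version: constructed-example", ""]
        + data_lines
        + [f"={checksum}", f"-----END {block_type}-----", ""]
    )


def dearmor(text: str) -> bytes:
    """Validate an armored block and return its raw bytes.
    Raises ValueError when the BEGIN/END lines are missing or mismatched,
    the checksum line is absent, or the CRC-24 does not match the data."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    begin = re.fullmatch(r"-----BEGIN (PGP [A-Z ]+)-----", lines[0]) if lines else None
    if begin is None:
        raise ValueError("missing -----BEGIN PGP ... BLOCK----- line")
    block_type = begin.group(1)
    if len(lines) < 2 or lines[-1] != f"-----END {block_type}-----":
        raise ValueError(f"missing or mismatched -----END {block_type}----- line")
    body = lines[1:-1]
    if "" in body:                       # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing =CRC24 checksum line")
    checksum_line = body.pop()
    payload = base64.b64decode("".join(body), validate=True)
    expected = int.from_bytes(base64.b64decode(checksum_line[1:]), "big")
    if crc24(payload) != expected:
        raise ValueError("CRC-24 mismatch: the key block was truncated or altered")
    return payload


if __name__ == "__main__":
    # Constructed stand-in for key material; a real export contains OpenPGP packets.
    sample = b"constructed example key material, not a real OpenPGP key"
    block = armor(sample)
    print(block)
    print("valid, payload length:", len(dearmor(block)))
    for label, broken in [
        ("header stripped", "\n".join(block.splitlines()[1:])),
        ("one character changed", block.replace("Y29u", "Z29u", 1)),
    ]:
        try:
            dearmor(broken)
        except ValueError as err:
            print(f"{label}: rejected ({err})")
```

Use `dearmor` on any key block someone sends you before importing it: if it raises, ask for the key again rather than guessing at what is missing. The same structure, with different BEGIN/END words, wraps PGP messages and signatures.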

Author’s Note: Now, the public key in the above image was generated to be a 2048 bit RSA key type. In my professional opinion, I am going to suggest that you do a little bit of further research and re-generate a second key (at a later time, when you’re more comfortable with how this all works), that is at least 4096 bits. Minimum. If you don’t really understand what all of that means, don’t worry; do a little research and it’ll become very clear what I’m talking about.

Now that you have generated your very own public/private key pair, you can utilize GPA to import other people’s public keys. I guess it should be stated that you NEVER GIVE YOUR PRIVATE KEY OUT TO ANYONE. That is why it is called a private key. You can also utilize GPA to encrypt and decrypt messages and files, as well. I’ll let you guys play around with all of that. Also, feel free to add my PUBLIC KEY as well. Hope you enjoyed the article.

Tyler