The Corroboree
at0m

Basic Encryption


This is by no definition of the term complete. Please help by correcting my mistakes or points I may have missed. Use it as you see fit but what you do with it is not my responsibility. If this isn't allowed, please remove it.

GPG

Links:

What is GPG:

GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880. GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME.


In simpler words: GPG is a tool used to sign (to prove authorship) and also to encrypt messages or files to ensure only the intended recipient can access the decrypted content.

Pictorials:

The commands in those pictorials should work with both Mac and Linux as well. The installation, however, would be different.

TODO:

  • Signing
  • More detail
  • GUI version (Using Kleopatra)
  • Flesh this out
  • Add some basic truecrypt information?
  • Fix errors?

bravo. this is an awesome guide. i tried using the kleopatra GUI using the included guides and gave up. in the last ten or so years software has become so intuitive that now i run out of patience with less intuitive software pretty quickly.

this seems to be the ideal way to communicate without fear of prying eyes. privnote etc are convenient but they have drawbacks.


Not a bad guide... good to understand why public keys and private keys are necessary for secure encryption these days which is pretty well explained in this diagram.

http://upload.wikimedia.org/wikipedia/commons/4/4d/PGP_diagram.svg

Ultimately when it comes down to communication unless you can guarantee anonymity on both sides encryption is only of certain use to you. Pretty sure in Australia you get charged if you don't provide the key to decrypt on seized files... so if they intercept any communication or files between the two parties then you choose between whether the information encrypted is going to land you more time in prison than not providing the keys to them.

There are means of being able to conceal small segments of data on your hard drive by memory, which would probably work in a way that disguises the data by way of cluster allocation.

PGP is otherwise great, just not wise to send keys between addresses unless you know for certain that there cannot be any means of it being intercepted along the way (i.e. man in the middle attacks)

Edited by -=IndigoSunrise=-

These encrypted chat/phone tools are worth checking out, I haven't used them all personally:

http://www.bitwisechat.com

https://crypto.cat/

https://silentcircle.com/

http://blacksms.info/

Also, many IM packages allow you to encrypt your chat on the fly with GPG (the open source version of PGP, pretty good privacy, which has been the definitive standard for 20 years or so). This is probably about the security equivalent of talking naked in an open grassy field, you're not going to do much better.

GPG is just a bit more work, so I find that things like bitwise are much easier to get less computer literate people using.

Edit: last time I checked, GPG had an excellent GUI for OS X, including Apple Mail integration and other nice features.

@IS oh thank god I thought we were going to learn about alice and bloody bob before I clicked your link. ;)

Edited by endorfinder


Bumpity bump.

I still haven't gotten around to finishing/redoing this (that happens a lot, can you tell?) but I do have an awesome addition for you guys, girls and other life forms:

Mailvelope!

It's PGP, in your browser!

Who's it for?

For those of you not comfortable with a command line and aren't after an application which requires heaps of copy and pasting to get your messages about, this one's for you (and me because I like it. Makes shit easy). So basically, everybody.

So what does it do?

It encrypts and decrypts messages on the fly, in your browser, without sending any network traffic whilst performing the encryption/decryption so it can't be sniffed or blocked.

It also works with both Chrome/Chromium & Firefox though from my experience the Firefox version is sadly not as good as it locks up a fair bit.

Why should I trust it?

That's ultimately up to you but here's why I would trust it:

  • It implements the safe & secure (even, supposedly, against certain somebodies) OpenPGP encryption standard using OpenPGP.js, not some wonky, half-assed 'alternative'
  • It's open source! You can check out the source yourself if that's your thing but even if you don't understand the code behind it, you can trust in the fact that it's a project being used by many others who do read the source and use it themselves. So basically trust that others trust it.
  • because it works

So it works with webmail providers and that's cool and all but how do I get it working with SAB or another website which I'd like to encrypt my communications on?

Easy peasey lemon squeezey! Here's a really brief example with Firefox. Chrome/Chromium will be almost identical it's just that the location of the icon will have changed (top right, where all your other addon icons are).

  1. Install the addon
  2. Restart your browser (for good measure)
  3. Load any page on the SAB forums
  4. Find the icon (bottom right in Firefox, top right in Chrome/Chromium) and click "Add page" (hit save for good measure)
  5. Select "Security" and change your token & colour to something you'll remember (this is so other people can't falsify the page to steal your key/message)
  6. Generate or import a key (self explanatory. MAKE SURE YOU DON'T FORGET THIS! Passwords are a MUST for private keys)
  7. Import other people's public keys (be sure they are who they say they are :))
  8. Load up a PM (or even a thread?) to the person you want to contact
  9. Click the icon that appears inside the editor
  10. Write your message
  11. Click the icon again in the top right of the pop-out editor
  12. Select the recipients (ONLY the people selected via this previous section can read the message!)
  13. Hit Ok
  14. Press Transfer

Voila, the encrypted message should now be in the editor :)

If anyone wants to try it out on me, my public key is listed in my profile. Just follow the instructions above, in a PM, and if you include your public key I'll respond in kind.

Hopefully this will help encryption become more common and easily accessible to all and you can keep your carrots safe from prying wabbits.


As stated in other threads. It IS illegal not to provide the password to your encryption if the fuzz requires it. Some of the punishments are harsher than the crimes that are being covered by encryption. Now I totally still think it's a great idea and totally necessary, just don't get lured into a false sense of security. Torsten knows more about this and can provide specifics if required.

Sly


As stated in other threads. It IS illegal not to provide the password to your encryption if the fuzz requires it. Some of the punishments are harsher than the crimes that are being covered by encryption. Now I totally still think it's a great idea and totally necessary, just don't get lured into a false sense of security. Torsten knows more about this and can provide specifics if required.

Sly

Is it illegal to forget it?

Just kidding, that would just piss them off and we wouldn't want to do that now would we

--------

If someone's installed a keystroke logger on your system it could be an issue. I think most of the browser clipboard hacks have been fixed in the last few years (not sure about flash though) so creating your private key password on a known uncompromised system might add another layer of security. It could then be copied and pasted from removable media (possibly on a true crypt volume) to negate any keystroke logging. Block those scripts and turn java off if it's active.

Even though this is very safe, a strong password policy still applies. It will only be a matter of time before they can be bruteforced on the cloud. So make your passwords long and don't use names or dictionary words etc.


Just want to bump this thread up so I could throw this out there as an idea for group chat hosting...

i2p or freenet + IRC?


i personally have no idea ........but a safe 'er' chatroom full of groovers would be groovy indigo264neutronmetres above sea level.

if this ever happened could somebody send me a massage invitation to join............just saying

the lab was kinda a fun place there for a bit


ok this is all well and good but you need to remember the form of communication also

If you're encrypting an email, it's not secure no matter what!

Meta data in the email is not encrypted, no matter what, the address of the sender, receiver, their ip addresses, the time and date, subject etc.

In a lot of cases, this meta data information is more important than the contents of the email itself!

email is not safe, EVER. it just wasn't designed that way

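The point above about unencrypted mail metadata, shown as an added example that is not part of any post in this thread: the Python below parses a constructed PGP/MIME message and lists what a mail server or network observer can still read although the body is OpenPGP-encrypted. The addresses, IPs, placeholder ciphertext and the `visible_metadata` helper are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: a PGP/MIME (RFC 3156) message. Addresses use example.org,
# IPs are from documentation ranges, and the armored body is a placeholder.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [203.0.113.7])
    by mx.example.net with ESMTPS; Tue, 04 Mar 2014 10:15:02 +1100
Received: from laptop.local (unknown [198.51.100.23])
    by mail.example.org with ESMTPSA; Tue, 04 Mar 2014 10:15:00 +1100
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Date: Tue, 04 Mar 2014 10:14:58 +1100
Subject: see you thursday
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
    boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(placeholder ciphertext, constructed)
-----END PGP MESSAGE-----
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # [a.b.c.d] in Received lines

def visible_metadata(raw):
    """Return the header fields that stay readable around an encrypted body."""
    msg = message_from_string(raw)
    hops = [ip for r in msg.get_all("Received", []) for ip in IP_RE.findall(r)]
    ctype = (msg.get_content_type(), msg.get_param("protocol"))
    return {
        "from": [a for _, a in getaddresses(msg.get_all("From", []))],
        "to": [a for _, a in getaddresses(msg.get_all("To", []))],
        "date": parsedate_to_datetime(msg["Date"]).isoformat(),
        "subject": msg["Subject"],
        "relay_ips": hops,  # newest hop first, as stored in the message
        "body_encrypted": ctype == ("multipart/encrypted", "application/pgp-encrypted"),
    }

print(visible_metadata(SAMPLE))
```

Only the part between the PGP armor lines is protected; every key in the returned dictionary comes from headers the mail system needs in the clear to route and display the message.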

i personally have no idea ........but a safe 'er' chatroom full of groovers would be groovy indigo264neutronmetres above sea level.

if this ever happened could somebody send me a massage invitation to join............just saying

the lab was kinda a fun place there for a bit

unfortunately there's no such thing as a safe, text chat box on the internet.

irc is transported as free text on the web, any packet sniffer can read it. even ssh encryption can be beaten by the feds, so that's only secure to people who aren't motivated to break it.

so much of what we assume to be secure, has nsa backdoors. PGP being one of them!

The only TRUE unbreakable encryption is actually deemed illegal by the USA gov. So all the encryption technology we use day to day is readable.

Edit: Yes it sounds overboard, but this is fact when large law enforcement wants to follow what you're doing, thinking you are safe from prying eyes is a false sense of security.

You would need to take several steps to remain somewhat anonymous, and nobody can ever be 100% anon. it comes down to how good you are versus how good the person tracking you is. 99% of the time, teams of 1000's of people will easily track you.

Think about it, if the text makes it to your screen, there's a trail left behind.

Edited by C_T


uh :scratchhead: kk, cool C_T.....valid.

so what /how to go around that one then?

well just strap the massage to a homing pigeon or hawk or whatever is in right now..lol.....and let it fly up into the ether, i'll see it and telepathically speak to it and it can then relay it's massage


The whole freenet idea allows for a darknet mode - meaning a p2p mesh of only nodes that we invite to join, though the downside is there needs to be a few dedicated nodes with constant uptime.

Pigeon with OTR is pretty fuckn solid though if you run off a tails install.
