GPG Encryption
GPG Gnu Privacy Guard is encryption software that uses public keys and private key files to encrypt and/or sign messages.
Using GPG enables you to communicate private email messages across the public Internet without being intercepted and understood by anyone other than the intended recipients whose private key files match the public keys you send to.
To use GPG effectively, you must be able to help new contacts adopt it quickly. Using a standardized method of bringing people up to speed with GPG qualification is essential.
How to use GPG with Mac
GPG Mac Qualification
To be GPG Mac qualified, You should be able to:
- Reliably manage GPG encryption on your Mac.
- Train others to use GPG Mac Encryption and help them qualify.
- Assist the learning of GPG Windows and GPG Linux users by directing them to instructions and testing their GPG qualification.
Installation
- First download and install the latest version of Mac GPG (Download).
- Next download and install GPGMail (Download for 10.4) to enable Apple Mail to encrypt your communications. (If you use a different email client, see Alternatives.
- Finally download and install [1] GPG Keychain Acess 0.7] by dragging it to your Applications folder.
- To encrypt individual files, download and install GPG Drop Thing.
Setup
- Open GPG Keychain Access. Generate a new signing/encrypting 4096 bit key pair with no expiration date.
- Ensure that the email listed is the one you intend to use with the GPG key.
- Choose a Safe Password.
- Wait. Generating will will take about 15 minutes but it will only take fractionally longer to encrypt small messages in the future.
- Key Menu / Send Key to Keyserver.
- Open [Apple Mail].
- Open Preferences in the Mail menu and choose GPG.
- Set your default key to the one you generated.
- Export your key to a file to send it to people who cannot access the keyserver automatically for some reason.
Usage
- Send an email to yourself and someone you know who uses GPG. Attach your key file and ask them to send you something encrypted.
- GPGMail should automatically decrypt the message in a few seconds.
- Practice sending encrypted emails to different people and ensure that you never forget to encrypt.
- Practice sending file attachments and confirming they are received successfully.
- Teach someone you know to use GPGMail and practice using it regularly.
Alternatives
If you use Entourage... If you use Thunderbird...
Issues
- It can sometimes be difficult to exchange keys smoothly. Different people use GPG differently. Some have posted keys, others do not.
- Sometimes when people get too frustrated trying to get GPG to work they send messages unencrypted instead out of haste.
- Have a backup method in case you cannot get GPG to work.
- wwwkeys.pgp.net may go down temporarily, making it impossible to post or check keys for a time. In these cases, import is necessary.
Importing Keys
Importing keys sent by some means rather than posted is tricky.
How to use GPG with Windows
How to use GPG with Linux
Security Issues
GPG Weaknesses
GPG does not conceal that you are engaging in encrypted communications. To conceal the use of cryptography as well as the contents of the message, use steganography. Steganography alone does not conceal the identities of the sender and recipient. To do this, use Anonymization.
GPG does not encrypt your instant messages. For this, use OTR Chat Encryption.
Security Updating is necessary to keep up with the latest versions.
Anyone who gets access to your computer through cracking or physical access could steal your private key file, making decryption easier. If they also used [[keystroke logging]] or [[sniffing]] they could steal your password and decrypt your messages instantaneously.
History
Gnu Privacy Guard (GPG) was created to comply with the OpenPGP (IETF) standard in 1999, by Werner Koch.
In 2004, Phong Nguyen discoverd a security flaw in GPG's signing method, for versions 1.0.2 through 1.2.3. Support for this method of signing was removed from GPG after version 1.2.4.
The current specification for GPG's Internet Standards Track is RFC 2440.
GPG uses the asymmetric key cryptography system.
SEE ALSO: public key
Versions
GPG does not use the patented IDEA algorithm. Therefore, it is safe from legal interactions of use under GNU GPL.
SEE ALSO: RELEASE NOTES
Types of Keys
Keypairs
GnuPG is able to create several different types of keypairs, but a primary key must be capable of making signatures. There are therefore only three options. Option 1 actually creates two keypairs. A DSA keypair is the primary keypair usable only for making signatures. An ElGamal subordinate keypair is also created for encryption. Option 2 is similar but creates only a DSA keypair. Option 4[1] creates a single ElGamal keypair usable for both making signatures and performing encryption. In all cases it is possible to later add additional subkeys for encryption and signing. For most users the default option is fine.
—FROM: Gnu Privacy Handbook
Key Size
- minimum keysize is 768 bits
- default keysize is 1024 bits
- highest suggested keysize is 2048 bits
The longer the key the more secure it is against brute-force attacks, but for almost all purposes the default keysize is adequate since it would be cheaper to circumvent the encryption than try to break it. Also, encryption and decryption will be slower as the key size is increased, and a larger keysize may affect signature length. Once selected, the keysize can never be changed. FROM: Gnu Privacy Handbook
Bugs
As of 18 Dec 2005, there were no comfirmed bugs reported to the CVS.
Comparisons
GPG vs Simple Crypto
A simple Crypto is one which replace alphanumeric code, with shifted alphanumeric code.
For example: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9ol0pQAZWSXEDCRFVTGBYHNUJMIKOLP
In the above codekey "1" represents the letter "A" therefore, "hSA9k" equals "Wolfe"
This is known as a Cryptogram and is fairly easy to solve.
GPG vs PGP
There are currently only legal differances between GPG and PGP, although there is OpenPGP. OpenPGP is a standard which GPG complies with.
GPG vs DES
DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small; DES keys have been broken in less than 24 hours. - FROM: wikipedia
GPG vs OTP
A One Time Pad (OTP) is the only theoretically unbreakable method of encryption.
Being unbreakable it is the prefered method for secure communications, however there are practical problems with this approach.
First, OTP requires that a secure method of transfering the OTP key. The only true secure method being in person. Impracticable for great distances, and imposiable for anonymous communication between parties.
Second, OTP does not come with any standard, nor should it, therefore the method of using an OTP must be agreed apon, and the communication to agree apon such methods must also be done in secret, leaving us with the original problems of passing the method the same as the problem of passing the key.
See Also:
External links
- Printer-friendly version
- Login or register to post comments
- Email this page