Presentation on theme: "Welcome to the January Hacks/Hacker meeting: Encrypted communications Keep up with upcoming events about the future of storytelling and data on the OpenDataSTL."— Presentation transcript:
Welcome to the January Hacks/Hacker meeting: Encrypted communications Keep up with upcoming events about the future of storytelling and data on the OpenDataSTL Meetup page www.meetup.com/Open-Data-STL Hacks/Hackers STL on Twitter www.twitter.com/STLHacksHackers Hacks/Hackers STL on Facebook www.facebook.com/STLHacksHackers
Why encrypt my emails and chats? Some people encrypt their communications in response to government- sanctioned surveillance, inside the US and overseas, on principle or because they are working with sensitive issues. Some email providers scan email content to serve customized advertising while you surf the web, but they can't read content you encrypt with your own keys. See “Gmail Does Scan All Emails, New Google Terms Clarify,” April 2014 at The Guardian.Gmail Does Scan All Emails, New Google Terms Clarify Signing and encrypting your emails and using encrypted chat programs preserves message integrity to prevent tampering. If no one else has your communication partner's key and passphrase, you can guarantee that your message will only be read by the intended recipient (and vice versa). Encrypted chat programs also offer verification tools. If someone steals your email account credentials, they won't be able to read your encrypted emails unless they also have your key passphrase.
Today we're going to discuss CryptoCat: an easy-to-use Firefox extension ChatSecure: an Android chat app Enigmail: an extension for encrypted email in Thunderbird GPG4Win: a basic key manager for Windows Mailvelope: a Firefox extension for encrypting email in-browser Tools for closed-source platforms are harder to find or are not free to use. We'll discuss solutions for other platforms at the end. The Electronic Frontier Foundation Secure Messaging ScorecardSecure Messaging Scorecard
Just because an app describes itself as secure doesn't mean it makes any guarantee about respecting your privacy or whether someone can break their encryption. A good algorithm isn't broken by allowing others to review it. We'll discuss weaknesses in all systems, even good ones, later in the presentation.
CryptoCat A browser extension for Chrome, Firefox, Safari, Opera, OS X, and iPhone. Developed by Nadim Kobeiisi. Strengths: Easy to use, thoroughly reviewed, and available for a wide range of platforms. Weaknesses: Conversation names and nicknames should be exchanged in person beforehand. Vulnerable to keyloggers. If someone gets hold of your conversation partner's details, they can easily impersonate that individual.
ChatSecure A chat client for iPhone, iPad, iPod Touch, and Android. Developed by The Guardian Project in the UK (check out their Orbot, Orweb, and ObscuraCam projects too!). Strengths: Easy to set up a new chat account with Jabber and XMPP. Includes a challenge question function and ways to visually confirm that messages are being encrypted. Weaknesses: A little buggy when trying to identify online users. No big flashing warning if your conversation partner fails the challenge question.
Before we move on to generating keys, let's cover some basics. You can think of encrypting files and emails with this diagram –--------Sender----------------In transit-------------Recipient-------- MessageEncryptionCiphertextDecryptionMessage Public keyPrivate key In examples, cryptographers often use the names Alice and Bob. Alice encrypts a message to Bob with Bob's public key. The message cannot be decrypted with Bob's public key. Alice then sends the ciphertext to Bob, who decrypts the message with his private key (unlocked, in most cases, with a passphrase). A signature on an encrypted document is a unique string that is a function of your private key and the message. It proves that only the person with access to the private key could have sent the message, and also that the message has not been tampered with.
Good advice regardless of what tools you are using: Most of them are only as secure as your passwords. Make sure you use passwords that you won't forget, and don't re-use passwords. Secure passwords are long, don't include whole words straight from the dictionary, include numerals and symbols, and are difficult to guess. Challenge questions and security questions are usually pretty easy to guess, so arrange with your conversation partner beforehand to make them difficult to predict. Exchange details in person or by another encrypted method because unencrypted traffic is often easy for attackers to read. If you really can't remember your password or other conversation method parameters (CryptoCat chatroom names, challenge questions and answers), write them down on paper and keep them somewhere safe, far away from your computer. If you loose your password to use your private key, there is no way to decrypt messages sent to you and you cannot revoke your certificate. Be careful! Keyloggers and malware can break many of these tools, so regular antivirus scans (regardless of your operating system) are vital to your security.
Enigmail An add-on for Mozilla Thunderbird and Seamonkey email clients. Good instructions for implementation at Email Self-Defense by the Free Software Foundation.Email Self-Defense You will also need to download Gnu Privacy Guard (GPG), the Windows version of which is GPG4Win. During installation, choose to install GPA.GPG4Win Enigmail will be in your Thunderbird options. Click the arrow beside Enigmail, click “Key Management,” and then click “Generate” and select “New Key Pair.” Enter a passphrase and then click “Generate Key.” Enigmail also gives the option to generate a revocation certificate, which lets you revoke your key's validity if someone gets your private key and passphrase. Generate the revocation certificate and keep it in a safe place somewhere other than your computer. Next, we're going to test using the key for encrypting and decrypting emails.
Open the Enigmail Key Management window, right-click on your key, and click “Send Public Keys by Email.” Send the email to firstname.lastname@example.org: subject line and content don't matter yet. Don't encrypt the email, but you can try signing it by clicking the pen icon in the lower right corner of the email email@example.com Remember, even if your email is encrypted, the subject line and email recipients are never encrypted. Adele will send you an email encrypted with your public key. Thunderbird should prompt you to enter your passphrase to decrypt it. Click the “Decrypt” button in the mail toolbar. It will prompt you to add Adele's public key (in the email) to Enigmail. Now send a reply email to Adele— erasing the text in the body of the email first and adding a brief message of your own. Click on the key icon next to the pen icon and choose to encrypt the email with Adele's private key.
Signing keys and uploading to a keyserver An important feature of asymmetric (public and private) key encryption is the trust web. Someone looking to communicate with you can search for your public key through a keyserver and knows that the one signed by other people you both know and trust is the right one. Upload your key to a keyserver by clicking on it, then “Keyserver,” then “Upload Public Keys.” To sign a key, find it by searching in Enigmail. Click on “Keyserver,” then “Search for keys.” Select the one you want and add it. Then right-click on it in the Key Management pane and select “Sign key.”
Mailvelope A browser add-on for Firefox or Chrome. It works for most web mail applications. The documentation page is great for instructing you on how to generate a key pair, add public keys to your keyring, encrypting and decrypting emails, and more.documentation page It does not give you the ability to sign keys or upload them to key servers.
Questions? If you know the answer, please feel free to speak up. Now, time to sign!
If you have Enigmail: Find your fingerprint in the Key Management window by double-clicking on your key. Search for a key by its fingerprint by clicking “Keyservers,” then “Search for keys,” and enter the whole fingerprint in the search bar. Select it, add it to your keyring, and then right-click and sign it. If you're using GPA: Find your fingerprint by clicking on your key. GPA prefers to find keys by key ID, which is the last 8 characters in the fingerprint. It will add the public key automatically if found. Right-click on it and select “Sign keys.” If you're using something else, ask for help! My fingerprint is 9C80 407F 9613 3D15 18B6 9816 2BC1 4507 66F8 75A1 Feel free to sign my key when you can!