I thought I would write up a topic expanding on my previous thread on Communication techniques and talk about secure communications.
I have no background in computers as I am in the medical field, but this is an interest of mine so if I make any mistakes correction would be
appreciated. What I don't understand is that these security techniques should come preinstalled into any mail software or even windows itself. It is
as if though they do not want the computers secure. Well lets change that shall we.
This thread will look at a methodology to provide secure email communications
using Public Key encryption (asymmetric key) combined with symmetric key encryption to transmit emails.
A little primer on cryptography first. When a message is written and needs to be exchanged between two entities there is a key that is needed to
decoded the encrypted message. So the problem arises about how to distribute the key without someone eaves dropping on us and getting the key. The
key is a symmetric key and is used to encrypt and decrypt the message. So now we have the problem of distributing a secure key to transmit data. So
how do we solve the problem? Via public key encryption systems such as RSA. What a public key system does is
it creates a key pair (public and private) for a user. The private key is kept secret and the public key is shared. A person who wants to send [Person
A] a message must use [Person A]'s public key to encrypt the message. The only way to decrypt the
message is using the private key that only [Person A] has. RSA relies on the difficulty of factoring large numbers, there are other algorithms but RSA
is widely studied and deemed secure provided the key is sufficient length.
So now we have solved the problem of exchanging a symmetric key using Public key encryption via the RSA algorithm.
So [Person B]-----sends Person B's symmetric key encrypted via person A's Public key to [Person A]
[Person A]-----sends any data to person B using the key provided by person B
So now that we have securely solved the problem of exchanging a key, lets begin with a practical tutorial how to implement secure email communications
on a specific email client. I am using Thunderbird from Mozilla and an addon called enigmail.
Here are the files you will need to play around with this:
(scroll down and download "GnuPG 1.4.10b compiled for Microsoft Windows")
Install all these files one by one as per instructions.
1.Thunderbird install and add your email account as per instructions:
2.GnuPG Install instructions: Pretty simple, I don't think you will need instructions.
3.Engimail install and start instructions (this is what I will focus on):
a: Creating a Public Key pair (remember what we talked about above) --
Click on Open PGP tab under Thunderbird and select Key Management and then
Generate -->New Key pair.
One thing that it will ask is to create a revocation certificate. You use this certificate whenever you lose your keys and it invalidates your key. It
is good to have a backup file of all your keys and revocation certificates.
b: Publishing your public key (remember that when people want to send you
something they encrypt with this key) --
c: Creating and sending a PGP signed message -- if the recipient knows how to
check signatures then it should work. I belive gmail is experimenting with
PGP signatures which means you should be able to send this from thunderbird
to another gmail client with it working in the near future.
d: Creating and sending a PGP encrypted message --
In order to send encrypted email to someone you need someones public key. I
have put mine on the bottom for you to play with
Public key info:
How to find my key (search the keyserver and import)
So a few things. On step 3a, when creating a keypair I chose RSA-4096 bit because the SHA-1 hash used in el gamal is not as secure as it should be,
there are a few articles related to this topic:
The symmetric key encryption algorithm that engimail uses is AES by default I believe. What it does is it creates a unique session key that is unique
to each message you send and your message is encrypted via this 'session key' and this 'session key' is exchanged via the RSA method we talked
And here is my email I can use and I am publishing a public key for you to send me secure email :-) Happy emailing
[edit on 9-6-2010 by THE_PROFESSIONAL]