Enigmail: OpenPGP Extension for Thunderbird: OpenPGP Made Easy.



Have you ever wanted to set up OpenPGP to send encrypted emails back and forth or try it out with someone? The OpenPGP extension for Thunderbird makes it super simple to configure and set up. You'll have it set up and be encrypting and decrypting email communications with someone else in minutes.

 

Enigmail

https://www.enigmail.net/home/index.php

 

Thunderbird

https://www.mozilla.org/en-US/thunderbird/?icn=tabz

 

If you also want to read or send those encrypted communications on your Android phone, I have a few recommendations for that too.

 

APG

 

https://play.google.com/store/apps/details?id=org.thialfihar.android.apg&hl=en

 

Use APG in conjunction with the K9 email client.

 

K9

https://play.google.com/store/apps/details?id=com.fsck.k9&hl=en

 

You can still use your favorite email client on your Android phone, but when you want to encrypt or decrypt a message, just open it in K9 Mail and click the decrypt button.

 

If you already use Enigmail, you can export your master key and import it into APG.

 

If anyone wants someone to try it out with, shoot me a PM and we can exchange public keys.


What, you're old news.. You know Enigmail has been around for years, right? 2009 or so I think..

 

Been using PGP/GnuPG from like before 1997, still have key pairs from '97 and '98, one RSA and the other DSA/ELG-E.

 

Not sure why anyone needs a client to do this stuff..

 

Here..  read this ;)

 



Never played with free email encryption, only the pay-for stuff like ZixMail, Cisco IronPort encryption, Symantec encryption, and Barracuda encryption... some free with the product, most you have to pay for.


What, you're old news.. You know Enigmail has been around for years, right? 2009 or so I think..

 

Been using PGP/GnuPG from like before 1997, still have key pairs from '97 and '98, one RSA and the other DSA/ELG-E.

 

Not sure why anyone needs a client to do this stuff..

 

Here..  read this ;)

 


Because most non-enterprise users still use mail clients (from Thunderbird to Outlook) and they don't want to move away from them?

PGP itself (not OpenPGP) had plug-ins for the most popular Windows e-mail clients (including both Thunderbird and Outlook) - in that area, they competed directly with other e-mail-encrypting plug-ins (including those from RSA). (Symantec - who acquired PGP a few years back, still does - however, they have concentrated on enterprises, though it is still available for non-enterprises.)


What, you're old news.. You know Enigmail has been around for years, right? 2009 or so I think..

 

Been using PGP/GnuPG from like before 1997, still have key pairs from '97 and '98, one RSA and the other DSA/ELG-E.

 

Not sure why anyone needs a client to do this stuff..

 

Here..  read this ;)

 


Can I have your public key so I can read that :laugh:


Never played with free email encryption, only the pay-for stuff like ZixMail, Cisco IronPort encryption, Symantec encryption, and Barracuda encryption... some free with the product, most you have to pay for.

Symantec acquired PGP Corporation after they were spun off from Network Associates (prior to their own acquisition by Intel); however, while their trialware is available to individuals, they are concentrating on enterprises. The drivers of THAT are easily identified - regulations (especially Sarbanes-Oxley and HIPAA). Yes - OpenPGP plays in that area as well (especially HushMail's own enterprise-level products, including one specifically designed around HIPAA's requirements - I will talk to my cousin the MD who owns a medical-coding business - HIPAA is a great big PITA for her), as this could be of use. Hardware-assisted encryption (especially Cisco Ironport) was aimed at taking the CPU load of encryption off clients and "handing it off" to an appliance (such as a Cisco switch or router) - which, in theory, should make said encryption easier to deploy. However, that was typically NOT the reason why it wasn't deployed - even in enterprises; encryption anywhere tends to be difficult to deploy, difficult to use, and a pain in the rear to manage; therefore, it has been heavily resisted.

So what's the best way to give someone your public key?

 

Enigmail allows you to easily attach your public key to the first encrypted message you are sending to another person, but my feeling is, because the message is going out encrypted but with the public key to decrypt attached to it, couldn't someone intercept the email and install the certificate to decode that message and all future messages?

 

I've also heard of the key servers where you can post your public key. In that case, can't someone just look up the person whose email they want to decrypt and get the key?

 

I was thinking public key via email in a password protected zip.

 

Then give them the password over the phone.


Quite aware of that.. my coworkers were playing with PGP back in the early '00s... you could say they were beta testers. I did not touch it until after Symantec bought them.

 

You don't have to tell me how much of an issue mail encryption is to deploy.  There is a reason I don't want to touch it.

 

 

In enterprise solutions, the public key isn't always handed out, but it can be done through email. The unsecured user is handed a link that they use to access the mail message, provided that they can authenticate into the system. Upon initial auth, you are asked to create a password or user and password. Provided that the original person viewing the message is authentic, they will always be allowed to log on and view the encrypted message. As with anything though, there is room for error and for others to receive the initial email. However, once the user has confirmed access and can log on with their credentials, the room for error/unauthorized access diminishes, whereas if you hand out the public key, who knows how many devices in the middle have caught that transaction.


So what's the best way to give someone your public key?

There are two components to this, exchanging the key and verifying a key that you have received. Exchanging the public key is easy, send it via email, or publish it on a key server. Verification is the tricky bit.

Research secure key signing! The two parties exchanging public keys need to make sure that they have each received a genuine copy of the other person's key (a MITM attack could have taken place during transmission). To do so they need to communicate with one another through a means that itself is not susceptible to a MITM attack, i.e. sending an email or an SMS text message is no good, but meeting in person, or possibly speaking over the phone or through video chat, could be sufficient, should you be certain that you can recognise their voice.

Performing a key exchange with a stranger is obviously more difficult than with a friend you've made in real life: how can you be sure that the person you are meeting is really who they say they are? For example, let's say you want to exchange keys with Bill Gates. Bill Gates is a very well known person and it would be relatively easy to check that the person with the face YOU know as Bill Gates is the same person that everyone else knows to be Bill Gates (i.e. to avoid an impostor tricking you), and so then all you need to do is speak with him face to face to perform the key verification. The less well known a person is, the trickier it becomes to be certain that they are who they say they are, and it may come down to having to place trust in a photo ID (which could possibly have been forged).

 

Enigmail allows you to easily attach your public key to the first encrypted message you are sending to another person, but my feeling is, because the message is going out encrypted but with the public key to decrypt attached to it, couldn't someone intercept the email and install the certificate to decode that message and all future messages?

I've also heard of the key servers where you can post your public key. In that case, can't someone just look up the person whose email they want to decrypt and get the key?

You need a refresher in how this works!

Your public key is supposed to be publicly available to anyone and everyone who may wish to communicate with you, that's why it's called the PUBLIC key, whereas the private key you need to keep securely to yourself.

Each person has a pair of keys, one key in that pair is designated public and the other designated private. Something encrypted with one key in a pair can only be decrypted with the other key in that pair.

 

A message can be encrypted, or signed, or both signed and encrypted.

To send an encrypted message, you encrypt your message with the recipient's public key (which you would have previously obtained and verified). This encrypted message can then only be decrypted with the recipient's private key, which only they should have.

Signing a message (which proves both that the message has not been modified in transmission, and who sent it) works as follows. The message is run through a hashing algorithm to generate a hash sum (as in MD5/SHA-1). This hash sum is encrypted with your (the sender's) private key, and then attached to the message. The message is then sent. At the recipient's end, this encrypted hash is separated from the message. The message is run through the same hashing algorithm. The encrypted hash is decrypted using your (the sender's) public key, and the two hashes are compared. If they match, then the email has not been modified in transmission, and it must have been sent by someone in possession of the private key that goes with the public key the recipient has checked the message with.

 

Beware that Thunderbird's word wrapping can cause problems, causing the email to be modified after signing, and thus failing validation at the recipient's end.


Can I have your public key so I can read that :laugh:

 

You shouldn't need his public key (although it doesn't hurt to have it). It is encrypted against your public key so needs your private key to decrypt. If BudMan only encrypted it with you as a recipient (and not himself also) then only your private key can decrypt it. You will need his public key to verify the signature though.
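As an added example (not code from the thread or from Enigmail), the Python below builds and parses the ASCII armor and the first packet of an OpenPGP message as laid out in RFC 4880: the CRC-24 behind the "=xGEx"-style trailer line, and the tag-1 packet whose recipient key ID tells you whose private key a message is encrypted to before anyone tries to decrypt it. The key ID and the MPI bytes are constructed placeholders, not real key material.

```python
import base64
import struct

# Constructed sample: a placeholder recipient key ID and a dummy RSA MPI. No real key material.
SAMPLE_KEY_ID = bytes.fromhex("0123456789ABCDEF")

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1; it is what the '=xxxx' line under the armor carries."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def pkesk_packet(key_id: bytes, rsa_mpi: bytes) -> bytes:
    """Tag 1 (Public-Key Encrypted Session Key) packet, old-format header, two-octet length."""
    mpi = struct.pack(">H", int.from_bytes(rsa_mpi, "big").bit_length()) + rsa_mpi
    body = b"\x03" + key_id + b"\x01" + mpi          # version 3, recipient key ID, algo 1 = RSA
    return bytes([0x80 | (1 << 2) | 1]) + struct.pack(">H", len(body)) + body

def armor(packet: bytes) -> str:
    """Wrap raw packets in 'PGP MESSAGE' ASCII armor with a CRC-24 trailer."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "Version: example", "", *lines, crc_line, "-----END PGP MESSAGE-----"])

def dearmor(text: str) -> bytes:
    """Strip the armor, verify the CRC-24 and return the raw packet bytes."""
    lines = text.strip().splitlines()
    start, end = lines.index("") + 1, lines.index("-----END PGP MESSAGE-----")   # headers end at first blank line
    crc_line, body = lines[end - 1], lines[start:end - 1]
    data = base64.b64decode("".join(body))
    if not crc_line.startswith("=") or int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(data):
        raise ValueError("armor CRC-24 mismatch: message damaged in transit")
    return data

def parse_first_packet(data: bytes) -> dict:
    """Decode the first packet header; for tag 1 also return the recipient key ID the session key is encrypted to."""
    ctb = data[0]
    if not ctb & 0x80 or ctb & 0x40:
        raise ValueError("only old-format packet headers are handled here")
    tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
    body = data[{0: 2, 1: 3, 2: 5}[length_type]:]
    if tag != 1:
        return {"tag": tag}
    return {"tag": 1, "version": body[0], "key_id": body[1:9].hex().upper(), "pk_algo": body[9]}
```

The CRC only catches transit damage such as the word wrapping mentioned later in the thread; it is not a signature and proves nothing about who produced the message.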


So what's the best way to give someone your public key?

 

Enigmail allows you to easily attach your public key to the first encrypted message you are sending to another person, but my feeling is, because the message is going out encrypted but with the public key to decrypt attached to it, couldn't someone intercept the email and install the certificate to decode that message and all future messages?

 

I've also heard of the key servers where you can post your public key. In that case, can't someone just look up the person whose email they want to decrypt and get the key?

 

I was thinking public key via email in a password protected zip.

 

Then give them the password over the phone.

That is indeed how Kerberos works (except for the over-the-phone part) - same with X.509.

 

The public key and private key are different (though based upon a common algorithm) - you can sign with a public key, however, you can't encrypt with it verifiably if your OWN private key is different. Unless you can verifiably sign with a key, it's pretty much useless, as a public key is only HALF the solution.

 

The government's Common Access Card (started in the military, but is a governmentwide standard) is based on X.509 (which is itself based on Kerberos) - it is also accepted in Windows clients (and is usable back to Windows 2000 Professional and Server with SP4) and servers as well.  Theoretically, CAC and X.509 are interoperable (which means that CAC could be usable in civil applications - such as drivers' licenses or even the Land Crossing Card - the card-based version of the US Passport for land crossings, such as the Canadian and Mexican border) - however, I have no idea if the CAC standard has been approved for use by the states (or even for DHS/State Department use for the LCC).  However, if it could (and the issue is legal - NOT technical), One ID would indeed become reality.


So what's the best way to give someone your public key?

 

Just send it to them :) It is your public key so you can stick it on a key server, on your website, in your signature, anywhere you want. It doesn't matter. Yes it can be intercepted but that is the point of the second part in key exchange. Verifying the key.

 

Your public key has a fingerprint, which is how people can easily find your key. For example you don't need to include your whole public key in your signature, just the fingerprint, then you can upload your public key to a key server and people can just search for your fingerprint and get the right key.

 

Then when they add the key to their keyring and set the trust level, they need to verify the fingerprint with you. You can do this in person or on the phone or over Skype, etc. As long as you can be sure whoever you are confirming the fingerprint with is actually the owner of the key.

 

To put it simply, just upload your key to one of the popular key servers, stick your fingerprint in your signature, on your website, etc. so people can easily find the right key, then verify it with them in person/offline/on video chat, etc.

 

The verify stage can get a little bit tricky with people on the other side of the world, for example (although much easier today than it was in the '90s!), so we have something called the Web of Trust. This means if you trust person A and person A trusts person B then you can measure your trust of person B based on your trust of person A. This can spread out to many, many people and you can build up a very robust network of trust this way, just like you do in real life. If you have a friend, Bob, and you bump into some new person in the street, Alice, you can ask Bob "is Alice alright or a bit dodgy?" and you trust what Bob has to say before you make your own conclusions of Alice over time :)
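To show what the "fingerprint" in this post actually is, here is an added example (not from the thread or from any of the tools it names) that derives a version-4 OpenPGP fingerprint from a public-key packet the way RFC 4880 section 12.2 defines it, shows that the key ID is just the tail of that fingerprint, and compares a fingerprint read back out of band against the one on your keyring. The RSA values and the creation time are constructed placeholders, not a real key.

```python
import hashlib
import re
import struct

# Constructed placeholder RSA public key: bytes with the right shape, not real key material.
FAKE_N = bytes([0xC3]) + bytes(range(1, 256))   # 256-byte, 2048-bit modulus-like value
FAKE_E = b"\x01\x00\x01"                        # 65537
CREATED = 1262304000                            # constructed creation time: 2010-01-01 00:00:00 UTC

def mpi(value: bytes) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length, then the big-endian magnitude."""
    return struct.pack(">H", int.from_bytes(value, "big").bit_length()) + value

def public_key_body(n: bytes, e: bytes, created: int) -> bytes:
    """Body of a version-4 public-key packet (tag 6) for an RSA key (algorithm 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length and the body itself; 40 hex digits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fp: str) -> str:
    """The long key ID is simply the low 64 bits (last 16 hex digits) of the fingerprint."""
    return fp[-16:]

def normalize(fp: str) -> str:
    """Drop the spaces people insert every four digits and ignore case."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def fingerprints_match(local_fp: str, spoken_fp: str) -> bool:
    """Compare the fingerprint on your keyring with one read to you in person or by phone.
    Anything shorter than a full fingerprint (such as a bare key ID) is rejected outright."""
    a, b = normalize(local_fp), normalize(spoken_fp)
    return len(a) == 40 and a == b

if __name__ == "__main__":
    fp = fingerprint(public_key_body(FAKE_N, FAKE_E, CREATED))
    print("fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("key ID:     ", key_id(fp))
```

Because the key ID is only the last 64 bits of the hash, two different keys can share one; that is why the post says to confirm the fingerprint, not the ID, with the owner.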
