I firmly believe that all communications should be encrypted. Even if you have nothing to hide you can contribute to the greater good by encrypting your communications. How so? Simple, encrypted communications appear as garbage data to prying eyes that lack the keys necessary to decrypt them. The more encrypted communications flying across the wires the more garbage data prying eyes have to dig through. If all communications were encrypted spies in organizations such as the National Security Agency (NSA) would entirely ineffective.
Tools that enable users to encrypt e-mails have been around for ages but, sadly, few people take advantage of them. In the hopes of alleviating this problem I am going to provide guides to help people get this stuff encrypted. For the first entry in my Encrypt Everything series I’m going to discuss a tool that will allow you to communicate securely over e-mail, OpenPGP.
OpenPGP can be briefly summarized as a software package that allows users to generate public/private key pairs that can be used to securely communicate with other OpenPGP users.
The first question most people are likely to ask is, what the heck is a public/private key pair? Don’t worry, it’s not complicated. Public/private key pairs are used for asymmetric cryptography. Asymmetric cryptography is a fancy way of noting an encryption method that uses two keys, one public and one private. Data encrypted with the private key can only be decrypted with the public key and data encrypted with the public key can only be decrypted with the private key. After generating a public/private key pair you provide your public key to those who want to communicate securely with you. In turn they will provide you with their public key. When they want to send you a secure communication they will encrypt the message with your public key. That message can only be decrypted with your private key, which, as the name implies, is held by only yourself. When you want to reply to the secure communication you encrypt your response with their public key, which can only be decrypted by their private key.
OpenPGP allows you to generate a public/private key pair, encrypt messages with either your private key or another person’s public key, and decrypt messages sent by people who have provided their public key.
An OpenPGP keys looks something like this (which is the public key to blog [at] christopherburg [dot] com):
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
mQINBFGkG1IBEACa4FOajIwxUFdwC0C12c1DCg6+gmWcZBnQdfRtV6Z2d1yP9trM
AxdT0ZCSJP5MkEI1t3pvc+r79oPbyK0f4QVe1rJerOVAjEglZhdrWqDyf3Rp5rIH
Ukca7keZ+5Wf9dA+9B//LECzG4sj5qr6Kcssqb27PjK0XLq6O9963/6Lubkdomzj
R/fKjmM2WMLs/tBF0HEZp6sSEeoot+28QtXgzDIE0um2l/ccK4tTLR08NC43+uVu
dh7IJ6CX9bNoeCbmAEjOBONt0pKufvzTMsmGjMuFRc+cJnmXYeAjon9CitnUEXV9
Wmpw2K6XIKxo3PlDQcomKDV6inZySXnzXsOmomTR9XO1G4kaE9BYKdCaOdzCncPb
Au0JeTNu6eqTwrUfQZXuVdKhfRQsqrhxEAEZgpa5ojbseVNt3oOJnYXOYgl3JCku
naILz7hXMGKFQoGOojN6IpffJTjeWNiuj4KMDLTWuOKU1bX1yWJhz84U2HdhoI0L
bWiWVZDLHSjLareSJvXjtdi0v4CgvgF6b+xpIH8pfP+wqBnqZUGT96B5jRUOKuaI
MlHXHkfF070gOa4UbqJtjOHSwU9PcMUXcOxTqJen643+tAXAoqAEHLjIp2fNzmkc
6NB0T1h8JCmqHz+fv5rnKZM9lKkFO6eNPVYz2OoPb+4Zlu2pBvwsja0kBQARAQAB
tCtDaHJpc3RvcGhlciBCdXJnIDxibG9nQGNocmlzdG9waGVyYnVyZy5jb20+iQI4
BBMBAgAiBQJRpBtSAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAXquxa
uJ2eMegiEACWDIcNPQibNBNWQ5bBl/sCTxoeQvZrf0aFK4y5n1fLxqGhyZmTZdb2
IWyO5kSyEJ0Q3M3JwFIQOnl09aYT9g75omz3EAjtJCL3XKwc3DPYvKpPj/Zq9iiM
Ou4ClXXuR9mqbvu4JOCYVq2r+NZuoQ+mOvEPjp5zA5ARoJ/9r7nO3/foQZ/22PZZ
t7NMUfv+IYwlQ7vBun01gymC1u4ViBOgyl0DzlXKtUPmmPp8PB6E+I6OvnSmRLdt
tfxFzXYGLPZWva6/hGQeptvofYhv0kAvMgOmPtkCpf4RpUz4ebT2mr9vHgVH+VYc
BNFYJLXPdJmbqqD9KdesQ48YvAi50G/MaP8xxVaYI5YD004HO7h2lp9WX0CMWN/l
jRW1yHP/AW+5aw06/LohcDdG/HQjYYkzjX6qUSYg/U/Tky7hmDile9WkMUP22eOk
AkV7OBKly4c3uxqR5+fH5N9GcSbSk6avkbPU8w27t3E6m0PnKRkpUrn/2OFd7u7h
TuQGvfy3LqsVliTruHCOfIY5pmi3qcGeKkaXu7LCnNbNg86VEYYYTEHyoMw1cC99
9IMXKuvGtKaJ7mjj03n0e+7VpcRd646gw3KuQNRd0GTV2xOAJ/vEgoA30Of7Gxoa
PXRuyo67WATgU36kl9yVS5EfT3m1mMUihI5zeN1R1EJn6/tlMnyY/okCHAQTAQIA
BgUCUaQbnwAKCRADj+sE5VF3XY+TD/9jt3hgGyjFKjhRza9KTRJwBV6gFFcQU3MT
8j5evFtbMjZ1oNc5oongwJ7OtLHFVmst4cQMmupems1X7z8mj5we6MQd24CFChKf
xfJj5YwunIWXIpfilY1QznvZ1YlqNkSaQAFRFjdVY2ip4UxnRY4vf4LGT8+WO33j
gG9CXJ8VLjFs+vbXFtvsCabfJk2aNWgbaKMXzrlzlyaQokb7/tXVECNtpdBn454L
FkNMNK19pzgJcNyQMFl6ApxQJzXu8+vPTdZQCvPrEZOL28cNYU35IL3yZoz+CHR5
j123kJVdXOUyA3Z27S4qmJOC6RR9iAx+Us/W/LT03tyMrKyLZaPT90ZhCG9UDnIg
DDlXoLfPYEaVmXU5MfitwsWgtv/gSHNWTIIvc/5JB6U7XEReZw66oyngQdZSP/s3
uV670Yvvl3PaH7UvMRFmfeazqUG/+r+PFxfoMzfOFSixi+uwbT7nbBa7Iyw3F9A0
5HDP9+28PqJvfUTdGgISbvvPAB50rC2FRFhBtvoMYMROaGn87ANH96caKn8a4ynW
nJqwzCGj2l006BciJlWgvZ0jg4ndW2TJU/neuOHEoPkgdLmqaC6QeQNcWryIgX75
q0iZeqjvzWh8rhaQfPNGUS0yF2JxFU14muvvC55Ar0SKnF005Zs8Za8p9PKRfuTr
DQfVVQiAELkCDQRRpBtSARAA1W5yOTe3JxOLwjBBZeUPJjWn20HPk979593iiq6N
6GBqXNHtI8Vboeyq27qAjZoY9FXnibrIXaIJ40mcNj6yXc7n5tImpLByLPy8Ztyx
Jcpu+wC404Av879e8E8gqhbDhpQpMXHNtiuQHMwbN9kr/ohH0GgaKyJhRoJY4Rap
++CeO42v2nRYtAk9RhXehOCbXRF3szU1vdfqrL5LclqZ8rwksIqAjO6imFtvplwt
xcSXvP0slFtpEHVnY5KwUzMbgGsNuz6Fs1biyRzg9qePd2bDmZ7+/cMvasUvP2Qq
vUlxf9lyzx65i123ax4EgWDM14jWhiy+wLc+jjtXtmQ/EcDaNykoir9Gz+WPSYsp
NO6YZg4vDhGT/Afxd4Q5LNoRZ/lGfjXhmgQOgriMaKOTPAe2SgB8Qc0eYDUWO2qu
/bI3orUbeEsIMCZU3mNOhCNOhm/vhyAcdpXtnfMqQeKx4TkgZZO+lotzJa6KHhay
vCGxkZxzR3o8LP72wUke0apZprEoDymU5HSAoHv3o4aFV0AVBdjVCxcsMeCS0fJ3
aLZP9WZ0DrRktrLO8sjAsFutodInD99Ki+pYCjdS5/jixN6+R9EJ4Ud44PT84PtH
qwRVyzF+bC8Mc/QEY4PNl/698liscEe53WqPBelfR6UdvVEvKxI4jibqHwVjc6K8
e38AEQEAAYkEPgQYAQIACQUCUaQbUgIbLgIpCRAXquxauJ2eMcFdIAQZAQIABgUC
UaQbUgAKCRBAXiyJxWbQ4Zk7D/90MW3mf4tCP4yhBqc01FnZEqJuaeBQxBbK6qDw
fMPDYA1D0LRFfLoAxs40lExQQjAtwcxvuF59K0S1XoVQSPq1NyAcGyTUGwu/P7Lz
VCYsDOcBZgwFRzMZFIhSvEpBSTgnX+uKREXecoaI+MzfZbSCChnPYULIKMK3ONqD
pAfGxNIkHOYcIC93f7hB8ZFnszuyfRasgW7xyv26J4w9W0xPIRwH6dNFDpBXvQcx
JMl5jVb55u6tATGhNy7rXWAqgm5w70UNyUJFAmHfSJftfZKHAhvPmRWamnuZ22rH
cVoj9HeJgxO48BGt0tmRPu0XpCk6oSWzKU+STlSutw4DbpgCLwy+Y6Ll24ik2r+f
YpNp1t2jh/SkypLUK9YVxNGCJXtxom/awqND5QMxsziukqSptd2ltrTP4/jCdShU
FN1Srov/29ZXrM/VA7Jqf3HFOB31cHr1J+ftsqtdHsDFerw8emd9VJKSO0dHGh9f
wsZtBAz7MPS1q4qwVn8lYgrVkoohbhiSft6tHircvSX8pX78kTjUNXBkojx4FL3L
SKg9FoSYuC1nqaUobOyuy28hW5sA2FEoWVf/qb5g6lJSJ+u7zhJmis5b8aeuZ6qS
lE3KtCH35bhj63oRlCEgQUjaqTGFoueIbRrdy+wFbh7zqQuKIgQpwDo0SbvJbjfN
FEsXMemqD/947IjTloC0nFDjWJssLhNBaR1GIl0cQYktfrscCB8y+17jc7fymK3/
rnHYvjC1WpdLRHY4H30yyMutPawgnzjdViJW21sLmf/3HSDDP+0qvYRaq356FkpY
7SWj1wvS93B7UCs4A6VRvFnp5sHGPmIgSo5mqG4E36zrcnKQapPOdDfJ41Aj9l3i
f0I1Q0w+PVe6EZBHtYEOyNrT2OqAR9mq/hbM6HeZM+UilG1g6TLk11JJyKfA1V9Q
guzcjzockfePY+NQe7dy+Zc9l5TBIMBECX5YRa9A8OhZ5+q4SNMqM6itq7z1F66k
NWoFGkI+kx2e75tO7o8b5izueJbD7VPNUeE7T+WCSB8Pf4wBfuwuVbu69QpXH0XQ
WihGSJTHETqA1EoBRN6G6WKsq0affN3nO8GeSubwd3Ip/TPH4tfglxHAxegMqvLE
YLX96XueqzeCxyZroH9xqsFmUhszZz3BtuCO8h705Cv2DNprSZJah3+OTLwgMuLZ
GM2ogcvLzPTjZgib5h5j5Pp9tjBYrYnOE4/tctvQ26X2ipedV4/O1gBNTMY6ba+1
2HuLrhgrtbL698KhQahlSfTq9a0GO/GLHM+wtlrVlslSjnZt0eldQf4M+UFIEOxh
w38h55tSuK1XbKSuTpmTE5MIjebksHy6ynAco4ZQo7MLWciGcFbTQQ==
=3COR
-----END PGP PUBLIC KEY BLOCK-----
OpenPGP users can use that gobbledygook to encrypt messages that can only be decrypted by me. Generally people also post their public keys to key servers such as the one provided by the Massachusettes Institute of Technology (MIT) or Canonical, the creators of Ubuntu Linux. If you go to either of those key servers and enter my e-mail address into the search box you will be provided with my published public key.
Many OpenPGP applications can be configured to automatically check key servers for public keys. Later in this series, when I cover specific implementations of OpenPGP, I will explain who an e-mail client can automatically search OpenPGP key servers for public keys associated with e-mail addresses that have send OpenPGP encrypted e-mails. Suffice it to say publishing your public key to a key server makes life easier for other OpenPGP users but there is no requirement to do so (OpenPGP is a decentralized system).
OpenPGP public keys can also be signed by other OpenPGP users. When you sign a public key you are verifying that the person who holds the corresponding private key is who he claims to be. This establishes, what is referred to as, a web of trust. What is a web of trust? A web of trust is a decentralized alternative to the chain of trust system most of us use every day.
When you access this site through its secure connection you receive a public key that has been signed by StartCom. StartCom is a certificate authority, which is an organization that signs Secure Socket Layer (SSL) certificates (certificates used to provide secure connections to websites). StartCom’s public signing key is included in most major web browsers and operating systems so whenever you access a site secured by a certificate signed by StartCom your browser will trust it. By signing the certificate StartCom is verifying that your website is who it claims to be (in my case, blog.christopherburg.com). This system is highly centralized since it relies on a handful of certificate authorities.
Returning to the original question, what is a web of trust, the answer is that a web of trust is a system where individuals sign public keys instead of centralized authorities. If I sign your public key anybody who trusts my public key will see that I trust your public key. A person who trusts my judgement of character will then be more inclined to trust that your public key corresponds to a private key in your possession. This system becomes more effective as more people sign your public key, which is why key signing parties exist (yes, us geeks know how to party). When somebody sees your public key has been signed by several people they personally trust they can be reasonably sure that it is your key.
Now you have a general overview of OpenPGP. In the next installment of my Encrypt Everything series I am going to explain how to use GPGTools to encrypt your e-mails with OpenPGP on OS X (Why am I starting with OS X? Because that’s the operating system I generally use for e-mail. Don’t worry, I will cover other tools as the series progresses).