Protecting your data from prying eyes - in some cases it can be a matter of life and death, and relying on others for this matter means trusting them with your data. GPG encryption will help protect your correspondence from prying noses on your own .
I can also advise you on the article "Encrypted mail", in which we told you how to encrypt confidential correspondence using GPG encryption.

Content:

  • GPG encryption
  • History of PGP / GPG encryption
  • GPG encryption terms
  • Installing GPG encryption
  • Encrypting messages and files
  • GPG encrypted signatures
  • Web of Trust feature
  • Why encryption is needed

GPG encryption
GPG (Gnu Privacy Guard)
is an asymmetric encryption tool. To put it simply, it creates a message that only the person to whom you wrote it can read. It is irreplaceable when transmitting any important text information. These can be emails, private messages on forums, or even on public open services. Besides encryption, it also provides several other security features.

Always the most obvious way to protect your communications has been encryption. Previously, symmetric encryption was used for this, which required the transfer of keys over a reliable channel. With the development of electronic communications, the increase in data volume and eavesdropping capabilities, reliable key transfer has become a challenge.

History of PGP / GPG encryption
In the 1970s, asymmetric algorithms were developed to allow secure, open, and automated key exchange. The schemes of such algorithms allow two parties to exchange public keys used to designate the recipient of a message, and when encrypting, use the recipient's public key simultaneously with the sender's secret key. The message can only be decrypted with the recipient's secret key, and it will be seen that the encryption was performed by the owner of the public key, that is, the sender. In this scheme, the secret keys used for decryption do not need to be transferred, so they remain safe, and the sender of the message is revealed during decryption, which excludes the substitution of information. But such an invention was available only to the military and special. services.


Merkl-Hellman-Diffi.jpg


Authors of the public key encryption algorithm, from left to right: Diffie, Hellman, Merkle

In 1991, a publicly available asymmetric encryption tool for personal use, PGP, appeared and set the standard, but it was paid and was a registered trademark.
In 1999, GPG was created, a free, free, open source, and fully standard-compliant counterpart to PGP. It is GPG that has become the most popular and mature asymmetric encryption tool.

GPG encryption terms
Before you start using GPG, you need to understand a few of the main features of this tool. The first and main feature is the concept of "keys". Each user creates his own personal key. The user key has two parts

  • Public key (from the public part)
  • Secret key (from the secret part)
The public key (hereinafter simply "key") is a kind of business card that the user distributes to all his contacts who want to correspond with encryption.

The secret key is responsible for the processes of encrypting outgoing messages and decrypting received ones. It should be stored in a safe place. It is generally accepted that if someone gets hold of the secret key, then the key can be considered compromised, and therefore insecure. This should be avoided.


Gnu-Privacy-Guard.jpg


GPG4USB

The second feature is that keys based on different algorithms are compatible with each other. It doesn't matter if the user is using RSA or ELGamal, there is no need to bother with such details for encryption. This is achieved by working on the above standard and through some cryptographic techniques. This is one of the main advantages of GPG. It is enough to know the required commands, and the program will do everything by itself. The library includes a large number of asymmetric algorithms, symmetric ciphers and one-way hash functions. Variety is also an advantage because it allows you to create both generic recommended configurations that suit most and the ability to tweak for more advanced users at the same time.

How to install GPG encryption
To get started, you need to install the GPG itself. Linux users can install it from any package manager by looking for "gnupg", or build it manually. Windows users can use the heavily outdated GPG4Win client, which has a few nasty bugs and more features, or the portable and more recent GPG4USB client, which has fewer features but is much simpler and more stable. By the way, we have already written about how to encrypt your correspondence using the GPG4USB client.


gpg-kljuch.jpg


GPG key

Regardless of the operating system and client, after installation, you will need to create your own key by entering the appropriate command in the terminal or by clicking in the client. The program will ask you to decide on the encryption algorithm. Usually there are two of them - this is RSA and ELGamal (actually three, if on Linux you dared to put an experimental branch "modern" with cryptography on elliptic curves). There are no specific recommendations for algorithms, they are different and everyone chooses a scheme to their liking.

Then you need to decide on the size of the key in bits. There is no short and unambiguous answer here either. Keys that are too long have drawbacks. One thing is for sure: when choosing RSA and ELGamal, do not use keys less than 2048 bits, they are extremely insecure. Next, the program will ask you to fill out several forms: E-mail, Name and comment. E-mail and Name - this is public information that can be seen by everyone with whom you will correspond.

• As mail, you can specify other types of communication, for example, the ID of a service or messenger (Tox, Jabber, BitMessage, etc.), separating the identifier / address and the name of the service with the “@” sign. Most often, the content of this particular field is used to identify the owner of the key.
• The name to choose at your own discretion. For example, a commonly used nickname or "Anonymous" in general.
• The comment field is optional. You can enter an additional one. address or position. The comment will be visible to other users.

After filling out all the forms, you need to enter a password. You can also skip it, which is not recommended, since this is the only security measure that will protect the secret part of the key in the event that a file with this key is captured by an intruder. It is also important not to forget the password, otherwise work with the key will no longer be possible. When creating a key, you need to carefully check the correctness of the input of all fields - then the errors cannot be corrected. The public key is distributed among a large number of people, so it is not customary for users to change them often - not all contacts may have a fresh key.

Once you've generated your GPG key, you can start distributing it. To do this, enter the command for displaying the public part. Historically, the program was originally used to encrypt mail and sign public messages in mailing lists, so the keys are displayed according to the principle of the PEM format (English "Privacy Enhanced Mail"). The format is a single standard key block starting with the heading - BEGIN PGP PUBLIC KEY BLOCK -, followed by a rather long body of the key itself, encoded with numbers and the Latin alphabet, and the final heading - END PGP PUBLIC KEY BLOCK -. The entire header block is a GPG key and must be distributed in its entirety. Besides manual distribution of keys, it is possible to use specialized servers. The user uploads his public key to the server, and anyone can request it if necessary. Many programs often specify the MIT server as the default server.

Each GPG key is unique. It is impossible to memorize and compare such large blocks of keys manually, so key fingerprints exist for this. Each key fingerprint is also unique, formed from the public part, providing a short unique string for identification. The fingerprint line contains 40 characters, separated by 4 characters by spaces. It is important to know that the last 8 or 16 characters are also the key ID. When using commands from the terminal, you will need to specify the ID to work. Fingerprints are useful for quickly comparing two keys, or a short index of the desired key when space is tight.

Encrypting messages and files
GPG-encrypted messages consist of blocks similar to a public key, only with a header - BEGIN PGP MESSAGE -, and the length of the encoded part depends on the length of the message. Such messages can only be read by the owner of the key to whom the message is addressed. You can also encrypt your message for several keys, which is very convenient when communicating with a small group of people. Files can also be encrypted, then the encryption result will be written to a file, and not encoded with text characters.

GPG signatures
Signing messages is a convenient means of open public confirmation of authorship, because, as in the case of encryption, only the true holder of the key can sign his message with such a key, and such a signature cannot be forged. It differs from encrypted messages in that the text remains open, enclosed on both sides by the corresponding header, and a small block of the signature itself is added at the bottom, also encoded with characters. If you try to change at least one character in the plaintext, the signature will become invalid. Signature verification is also done using GPG.

Signatures can also be applied to files. This feature is especially used by security software developers. This is done in order to prevent the spoofing of files by cybercriminals who can embed malicious code into programs. Usually archives or assemblies are signed, the signature itself is saved in a separate file with the .asc or .sig extension. The key is published in several places and / or uploaded to the server, where it is very difficult to replace it. The verification process itself is called "signature verification".

Web of Trust feature
Another GPG feature worth mentioning is Web of Trust. It is used to confirm that a public key belongs to a specific person. To do this, GPG users who are familiar with each other exchange keys in person.

Each of them verifies the fingerprint of the keys and creates an electronic certificate for each received key, proving a reliable correspondence between a certain person and a public key.
The creation of a certificate is called key signing. The certificate itself is then uploaded to the key server, and anyone can request it. It is understood that the more users signed the key, the higher the trust in the owner.

The WoT usage model assumes that users always indicate their real names in the keys and everyone who wants to establish a web of trust can physically meet for a personal exchange of keys. This makes such a scheme difficult to implement when communicating anonymously.

With pseudonymous communication, communication channels or services with authentication can be used for exchange, which will confirm the authenticity. In any case, the networks of trust in anonymous or pseudonymous communication are not as strong, partly due to the lack of a “strong set” that forms the main group of trusted users, partly due to human factors. The decision on the advisability of such a web of trust lies entirely with the group of users who want to build it.

Why encryption is needed
Why do we need all this encryption if a person does not hide or violate anything? This is one of the most frequently asked questions. There are several answers to it. In recent years, the possibility of total surveillance of the network activity of millions of users has become a matter not of technical complexity, but of resources. The owners of such resources are all the intelligence services of the world and dozens of large corporations, using programs such as PRISM and XKeyscore, they can collect and store all emails, SMS messages and call history for years.

This violates the constitutional rights of citizens to privacy of correspondence, but the influence of these organizations is so strong that it is impossible to stop the illegal collection of information. Using GPG will not remove surveillance from millions of people or magically fix the whole world. It is just a tool in the hands of man. A tool that allows you to save letters and words only for those to whom they are intended and for no one else. This is not much, but at least it returns the right of every person to privacy of correspondence.

You may be interested in an overview of the MiniLock Encrypted File Transfer Browser Extension.
If data collection and snooping seems too remote, encryption can be considered from an even more practical side. The same e-mail in clear text goes through dozens of intermediate nodes. Each can have any number of vulnerabilities and security holes that can be exploited by anyone.

In a world where digital communications play a key role, encryption is the basic rule of security, preventing a huge number of problems. It is foolish not to take advantage of the opportunity to improve security, given that the program is distributed free of charge, and you can master it quickly enough. You can learn more about the commands in the official manual.
 
Top Bottom