The Krypt

Tag Archives: gnupg

Using GPG Encryption with Web Mail

26 Wednesday Nov 2014

Posted by Michael in Communications, Cryptography

Tags

1024, 2048, commands, decrypt, encrypt, gnupg, gpg, openpgp, pgp, rsa, webmail

I’ve covered this before, but wanted to redo it as an easier-to-follow step-by-step guide (with better quality screenshots).

GPG is most commonly used as an email client plugin, but most people use webmail for their personal emails, and most webmail services don’t support PGP encryption.
This post will demonstrate an alternative, where email is composed in a text editor, encrypted, and the ciphertext pasted into a webmail interface. I’ll also show how to do the reverse, so you can also receive PGP-encrypted emails to your webmail address and decrypt them.

While there are graphical interfaces for using GPG, this guide will demonstrate the command line usage, as it will be the same for everyone with GPG installed. Plus, using the command line is a healthy habit to cultivate.

2. Creating Keys
Firstly, you’ll require a ‘key pair’: your public and private keys, associated with your email address. The point of this is that people can exchange encrypted messages without ever sending a secret key. Encrypted messages and public keys are communicated openly, but only the recipient has the private key to decrypt. It’s also extremely difficult for a third party to derive one from the other, if the key sizes are sufficiently large.
So, here the public key is what you make public, and the private key is what you keep secret. The public key encrypts, and the private key decrypts.
The command used for generating the keys is:
$ gpg --gen-key

If it works, the following menu appears:

[Screenshot: gpg-create-key]

My personal preference is to stick with defaults, using RSA with a 2048-bit key. RSA 512 is relatively easy to break, and I suspect RSA 1024 is breakable with custom hardware within a reasonable amount of time (i.e. within months). Conversely, it’s also safe, because the speculation is on resources required to decrypt one individual ciphertext, and the attackers wouldn’t bother unless it was really worth the effort.

Anyway, moving on, the GPG program will generate the keys, using /dev/random as the entropy source (or whatever the equivalent is for Windows NT). The ‘entropy pool’ is populated with values derived from hardware events, so this involves doing pseudo-random stuff with the mouse and keyboard while the keys are generated.

[Screenshot: gpg-keys-generated]

3. Compose and encrypt email
With the key pair generated, it’s possible to demonstrate the actual encryption and decryption processes. I composed an email message with a standard text editor, saved it as ‘test-email.txt’, then used the following command:
$ gpg -e -a [filename].txt

GPG will prompt for the recipient(s) email address, find the relevant public key in its database, then encrypt the plaintext message.

[Screenshot: gpg-encrypting-text]

The ciphertext is written to another file ([filename].asc). Copy and paste the file’s content into the webmail interface as the message body.

[Screenshot: gpg-webmail-client]

4. Decrypting email
The process is simply reversed to decrypt. This time, we receive the GPG-encrypted ciphertext, paste it into a text editor and save the file as ‘filename.asc’.

When running the following command, GPG should automatically detect the encryption used, fetch the relevant private key and decrypt.

[Screenshot: gpg-decrypt-email]

5. Importing public keys
Lastly, in order to encrypt emails for other recipients, their public keys must be added to the GPG agent’s database. Like the encrypted email, the public key will be a large block of ASCII-armored text. Copy and paste this into a file, and save it as ‘[filename].gpg’.

Next, use the ‘gpg --import -a [filename]’ command to import the contents of the file. The new entry should appear when using ‘gpg --list-keys’.

[Screenshot: gpg-import-list-key]

One issue to be aware of: exercise caution when exporting private keys for backup. The GPG password is not the encryption key, and only protects the application’s key storage function. Once the private key is exported to another storage device, it is entirely unprotected, and might be copied and used by others.
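
Both the ciphertext in section 4 and the public key in section 5 reach GPG by copy and paste out of a browser, which can rewrap, quote or truncate the armored block. The following Python sketch is an added example, not part of the original post: it checks the OpenPGP ASCII armor framing, base64 body and CRC-24 before the file is handed to gpg. The function names and the sample payload are constructed for illustration, and it validates only the armor layer, not the OpenPGP packets inside.

```python
import base64
import binascii
import re

ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END PGP \1-----", re.S)

def crc24(data: bytes) -> int:
    """CRC-24 checksum used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(kind: str, payload: bytes) -> str:
    """Build an armor block; only used here to construct the sample input."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "Comment: constructed",
                      "", *rows, "=" + check, f"-----END PGP {kind}-----", ""])

def check_armor(text: str):
    """Return (block type, decoded bytes); raise ValueError naming the damage."""
    match = ARMOR_RE.search(text)
    if not match:
        raise ValueError("no complete BEGIN/END PGP block")
    lines = [ln.strip() for ln in match.group(2).splitlines()]
    if "" not in lines:
        raise ValueError("blank line after the armor headers is missing")
    body = [ln for ln in lines[lines.index("") + 1:] if ln]
    check = body.pop()[1:] if body and re.fullmatch(r"=.{4}", body[-1]) else None
    try:
        data = base64.b64decode("".join(body), validate=True)
        want = base64.b64decode(check, validate=True) if check else None
    except binascii.Error as exc:
        raise ValueError(f"base64 damaged in transit: {exc}") from None
    if want is not None and int.from_bytes(want, "big") != crc24(data):
        raise ValueError("CRC-24 mismatch: block altered or truncated")
    return match.group(1), data

SAMPLE = armor("MESSAGE", bytes(range(120)))  # constructed bytes, not a real packet

if __name__ == "__main__":
    print(check_armor("Hi,\n" + SAMPLE + "regards\n"))
```

A block that passes this check still has to be decrypted or imported by gpg; a block that fails it should be copied again from the webmail page rather than edited by hand.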

Making PGP/OpenPGP Work with Webmail

02 Monday Sep 2013

Posted by Michael in Communications, Cryptography, Linux OS

Tags

command, editor, email, encrypt, gnupg, gpg, key, line, message, offline, openpgp, pgp, privacy, private, public, webmail

Here’s a problem in need of a practical solution: I’ve recently been assigned an account by an organisation that uses a very untrustworthy firm to host its emails, and I’m insisting (or at least strongly encouraging) that nothing sensitive is uploaded to the servers without being properly encrypted.

Normally email encryption is handled by some part of a client application, or a PGP/OpenPGP extension like Enigmail (for Thunderbird). The problem I’m addressing here is that most people have at least one email/webmail account that isn’t compatible with email clients, and there’s no obvious way of using PGP/OpenPGP without that.

Overview of the Solution
The solution I attempted to find here was:
1. Compose message on local machine
2. Encrypt the message with recipient’s public key
3. Copy and paste the encrypted email in the browser.
4. Send email to recipient

The recipient should then get the encrypted email, and with a bit of luck the encryption can be reversed with his/her private key. If we are the recipient, we simply do the reverse: copy and paste the encrypted email into a text editor and decrypt the message offline.

The Command Line Method
While this method won’t appeal to the average person at first, it’s what we’re stuck with in the absence of a simple GUI application. The good news is it’s pretty quick once we’ve done it a couple of times.
This method assumes that the user has created key pairs for each email/webmail account, and has the public key of the recipient. These can be created/added using a key management application such as Seahorse or Kleopatra.

The following command will list the public and private keys stored on the local system:
$ gpg --list-keys

To prepare an email, I opened a standard text editor and typed a message, saving it as TestMessage.txt:


Dear Recipient

Can I request a meeting for Thursday afternoon?

Yours,
Michael

The content of TestMessage.txt (the message) can be encrypted with a single command:
$ gpg --armor -e [file name]

In this case:
$ gpg --armor -e TestMessage.txt

[Screenshot: cmdline-encrypt]

GPG will then prompt the user for the recipient(s) email address and check whether a public key is available for that address. The ‘--armor’ option produces ASCII ciphertext, as opposed to a binary encrypted file.
Having encrypted the message, GPG will create a file called [filename].asc that will contain the ciphertext. The content of that file should appear something like:

[Screenshot: EncryptedMessage]

This block of ciphertext can now be pasted into a webmail message and sent to the recipient. Job done.

Decrypting the Message
A recipient receiving the message simply does the reverse. Here, the ciphertext is copied from the browser into a text editor, and saved locally as [filename].asc. I’ve tested this by deleting the plaintext file I created earlier and using the following command to decrypt the ciphertext in TestMessage.txt.asc:
$ gpg -d TestMessage.txt.asc

If we’re the recipient and we have the relevant private key, GPG will then prompt for the password before displaying the plaintext in the command line:

[Screenshot: MessageDecrypted]

So there we have it. Problem solved. All that remains is to develop the software to make the solution more accessible.

Symmetric File Encryption with GPG

11 Monday Feb 2013

Posted by Michael in Cryptography

Tags

algorithm, crypt, decrypt, encrypt, file, gnupg, gpg, symmetric

Many cloud storage providers boast strong encryption, but that does little to protect users’ data if they retain the keys. On the other hand, the conventional method of using GPG to encrypt data relies on a private key that must also be stored somewhere, making it logistically unsuitable for backing up.
Fortunately there’s a very simple way to encrypt files (or .zip archives) with GPG using symmetric encryption, and with a password instead of a keyfile. This feature can be used with just two simple commands.

To encrypt a given file:
$ gpg -c example.txt

The program will ask for a password twice, and the encrypted copy of the file, with the .gpg extension, is generated in the same directory.

Of course, anyone wanting to decrypt the file must use the same password, as there is no public key here. To decrypt the file, simply use:
$ gpg example.txt.gpg

Which Algorithm?
It’s also possible to define which algorithm to use for encrypting the file, from the following:

[Screenshot: GPGopt]

For example:
$ gpg -c --cipher-algo=BLOWFISH example.txt

To encrypt with AES, substitute ‘BLOWFISH’ with ‘AES’:
$ gpg -c --cipher-algo=AES example.txt
