Posted by Shane
So I am a little paranoid. Everyone has the right to be, and depending on the content and sensitivity of your messages you may want to encrypt them so they stay secure and only your designated recipient can read them. This little tutorial I am putting together will help you get started with your “digital signature”, so that your messages, whether over email or IM, are protected from unwanted eyes.
This tutorial should work for Unix, Windows, and Apple users alike, although I am writing it as if you were a Windows user.
So the most basic requirement for this session is to have these programs installed:
If you are already using them, make sure they are at their latest version. If you are reading this just to see how it works, by all means download them and try it out yourself. You may have to configure the clients before they work.
Download my key: [download link]
For encrypting you need to install:
- For Windows 2000/XP/Vista/7 – Gpg4win – http://www.gpg4win.org/ (needed for Pidgin; if you are only going to use Thunderbird, you can install just the GnuPG component of this suite)
- Enigmail plugin (for Thunderbird)
- GPG/OpenPGP plugin (for Pidgin, XEP-0027)
For those users who have Android phones:
- APG – on the Android Market (the best one I found)
Once you have everything installed for your operating system, let’s take a look “under the hood”.
The point of signing your emails (and of encrypting them) is to let the recipient verify that the “email” or “file” they received legitimately came from you. Take this example: I send you an email. It goes from my computer to my router and on to my internet provider. Once it reaches the “internet”, the message is routed over a series of “nodes” (computers, either hardwired or running software that forwards the “message”), and as it moves from one node to the next, each node keeps a copy behind in case there is a failure. Eventually it reaches your server, from which your computer downloads the message. Sounds simple, right?
Now imagine a hacker. He breaks into one of those nodes and reads all the emails or messages that pass through it, and he wants to modify my email/message before it reaches you. If I had not “signed” it, the modified message would seem legitimate, as if it came from me, even though he has changed it to include a virus or something I did not say. If instead I had signed it and you knew my “signature”, then when you read the message after it had been modified your software would say “This message is not valid”, because when I sent it I gave that message a unique code with my “signature” embedded into it. Doing that prevents my messages from being hijacked. Of course, this only helps if you are verifying my emails when they arrive at your computer, which is what this tutorial will show you how to do.
Encrypting works the same way, with one caveat: when I send the message I have to know your “signature” (your key) and you need to know mine. When I hit “send”, the message is turned into a format that only an OpenPGP reader can understand: it is signed with my “secret key” (that is my “signature”) and the content is encrypted using your “public key”, which is what makes it readable only by you. This way, as long as the email keeps its formatting throughout the entire process I described above, you should receive my encrypted email without anyone else being able to read it.
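To make the two stories above concrete (the signed message that fails verification after a node alters it, and the message signed with my secret key and encrypted to your public key), here is an added toy example. It is not OpenPGP and not GnuPG’s code: it is textbook RSA with SHA-256 in plain Python, using constructed keys from primes small enough to read. The names (make_keypair, send, receive, SHANE_PUB and so on) and the sample message are my own assumptions for the example. Real OpenPGP keys are 2048 bits or longer, and real OpenPGP encrypts a random session key with your public key rather than encrypting each byte directly, so treat this as a picture of the flow, not as something to protect email with.

```python
"""Toy sign/verify and encrypt/decrypt flow (constructed example, not OpenPGP)."""
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Return (public_key, secret_key) from two primes. The caller supplies primes;
    nothing here checks primality, so this is for illustration only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest(message: bytes, n: int) -> int:
    """The 'unique code' the tutorial mentions: a hash of the message, reduced mod n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, secret_key) -> int:
    """Signing uses the sender's SECRET key over the hash of the message."""
    n, d = secret_key
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verification uses the sender's PUBLIC key; any change to the message breaks it."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def encrypt(message: bytes, recipient_public_key) -> list:
    """Encryption uses the RECIPIENT's public key. One RSA block per byte here,
    which is deterministic (identical bytes give identical blocks); that weakness
    is one reason real OpenPGP encrypts a random session key instead."""
    n, e = recipient_public_key
    return [pow(b, e, n) for b in message]


def decrypt(blocks: list, recipient_secret_key) -> bytes:
    """Only the recipient's secret key recovers the bytes. A tampered or wrong-key
    block decrypts to an arbitrary value; it is clamped to one byte so the result
    can still be handed to verify(), which will then fail."""
    n, d = recipient_secret_key
    return bytes(pow(c, d, n) % 256 for c in blocks)


def send(message: bytes, sender_secret, recipient_public) -> dict:
    """What 'send' does in the tutorial: sign with my secret key, encrypt to your public key."""
    return {"blocks": encrypt(message, recipient_public), "sig": sign(message, sender_secret)}


def receive(package: dict, recipient_secret, sender_public):
    """What your client does on arrival: decrypt with your secret key, then verify
    with my public key. Returns (plaintext, signature_is_valid)."""
    plaintext = decrypt(package["blocks"], recipient_secret)
    return plaintext, verify(plaintext, package["sig"], sender_public)


# Constructed keys: known primes chosen for readability, offering no real security.
SHANE_PUB, SHANE_SEC = make_keypair(104729, 1299709)
READER_PUB, READER_SEC = make_keypair(15485863, 2147483647)


def demo() -> dict:
    """Walk through both stories from the tutorial and report each outcome."""
    msg = b"Meet me at the usual place at 9pm."  # constructed sample message
    sig = sign(msg, SHANE_SEC)

    results = {
        # Signed message arrives untouched: "Good signature".
        "genuine": verify(msg, sig, SHANE_PUB),
        # A node changes one word in transit: "This message is not valid".
        "altered": verify(msg.replace(b"9pm", b"8pm"), sig, SHANE_PUB),
    }

    # Sign-then-encrypt, delivered intact: you get the text and a valid signature.
    pkg = send(msg, SHANE_SEC, READER_PUB)
    results["received"] = receive(pkg, READER_SEC, SHANE_PUB)

    # Same package with its ciphertext blocks reordered by a node: the decrypted
    # text no longer matches what I signed, so verification fails.
    tampered = {"blocks": list(reversed(pkg["blocks"])), "sig": pkg["sig"]}
    results["tampered_in_transit"] = receive(tampered, READER_SEC, SHANE_PUB)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run it and compare the four outcomes: the genuine message verifies, the altered one does not, the encrypted package round-trips to the original text with a valid signature, and the package reordered in transit decrypts to garbage that fails verification. The same split of roles holds in GnuPG: your secret key signs and decrypts, and the other party’s public key verifies and encrypts, which is why the tutorial has you exchange public keys before anything else.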