Public key encryption isn’t just the preserve of large organizations. That’s because there are open source PKE solutions which enable smaller companies and individuals to use the technology at no cost—most commonly to encrypt and digitally sign e-mail messages.
In a previous article in this series we looked at PGP Corp.’s public key encryption platform, and what’s interesting about this commercial platform is that it adheres to the OpenPGP standard - an e-mail encryption standard defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) Proposed Standard RFC 4880. OpenPGP was actually derived from PGP, the pioneering public key encryption program created by Phil Zimmerman back in 1991 which is the basis for PGP Corp.’s platform.
The good news is that there’s a completely free, open-source implementation of the OpenPGP standard called GNU Privacy Guard (or, more commonly, “GPG”). Since any OpenPGP compliant software (should) work with any other, this means that GPG is compatible with PGP. Like any open-source alternative to a commercial product there are differences between PGP Corp.’s platform and GPG in terms of support and additional features, but GPG offers solid public key encryption and key management features as an alternative to a system such as that offered by PGP Corp., on a number of platforms including Windows, Linux, UNIX and OS X.
To illustrate GPG’s use I’ll concentrate on the Windows platform for the simple reason that 90 percent of all desktops and laptops run Windows—if you use another platform then the general information will still apply even of the details are slightly different.
GPG is actually a command line tool, but thanks to some handy plug-ins to popular e-mail clients you shouldn’t ever have to learn any of the commands. (But like most command line tools, if you do take the time to master the commands you’ll find GPG much easier to control directly than through a front end.)
The first step to running GPG is to run the Windows installer, which you can download from GPG’s web site < ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe>
GPG for Thunderbird
The next step is to find a GPG plug-in for the e-mail client you intend to use: In this article we’ll use the open-source Thunderbird 2 e-mail client, although plug-ins of varying quality are available for many more clients including Eudora and Outlook Express on Windows, Thunderbird, KMail and Evolution on Linux, and Thunderbird and Mail.app on OS X.
The GPG plug-in for Thunderbird is called Enigmail, which you can download from Enigmail’s download page and then install into the e-mail client. (Don’t skip the download stage and try to install it directly if you are running Firefox or your browser will try to install Enigmail into itself instead of Thunderbird.)
Once Thunderbird has been restarted you’ll see an “OpenPGP” menu item, and clicking this will bring you to the OpenPGP Key Management window. It’s from here that—by clicking the “Generate” option—you can create your own public and private keys. These can be associated with a particular e-mail address, or you can choose to use this key pair with two or more e-mail addresses you might use. You’ll also be asked for an optional passphrase to protect your key.( It’s a good idea to use this feature—otherwise anyone with access to your computer will be able to sign messages in your name and decrypt confidential incoming messages.) There’s also a comment box, where you can add a description of yourself (such as “Managing Director of Rubens Inc.”) which makes it much easier for anyone searching a key server for your public key to identify you correctly.
Once you click “Generate Key” a key pair is created, after which you’ll be asked if you want to create and save a revocation certificate, which you can use to invalidate your key pair at some future time if it becomes compromised. The final step—if you want your public key to be widely available—is to upload it to a key server by choosing the “Upload Public Keys option.”
Sending Encrypted Messages
So how do you go about sending an encrypted message? Simply write an e-mail message using the e-mail client in the normal way, and then click on “Encrypt Message” in the message’s OpenPGP menu. When you send the message, the OpenPGP Key Selection window will pop up, allowing you to select the recipient’s public key from your store of keys. If you don’t have the recipient’s key you can click on “Download missing keys” to carry out a keyserver search to try and find it. Assuming you find the key you need, select it and download it to your key store, and send the message again.
As you’ll recall, you can sign an e-mail with your private key to prove that the e-mail really came from you. To do this simply choose the “Sign Message” option instead of “Encrypt Message.”
If you want to make it easy for others to find your public key (especially if you don’t want to submit your key to a keyserver—perhaps to avoid the risk of spam) you can also send them an e-mail after selecting the “Attach My Public Key” option in this menu. (Of course they should be aware that although the e-mail might appear to come from you, it might have come from someone else.)
One handy thing about installing GPG is that it is available to any application that needs encryption capabilities if a suitable plug-in for that application has been written. That means that as well as using GPG through your e-mail client, you can also use it through a Web browser. After installing the FireGPG Add-on into Firefox you can use Gmail to send and receive encrypted or signed emails using the extra buttons that appear on the Gmail web interface. (You can also encrypt, decrypt, sign or verify the signature of text in any Web page by right clicking in Firefox or selecting FireGPG from the Tools menu.) The FirePGP Add-on is far from perfect—looking up keys from a key server doesn’t seem to work properly, for example—but it’s certainly useful and will likely improve in future versions.
Compared to commercially available solutions GPG does have drawbacks. Unlike gateway solutions offered by the likes of PGP Corp. GPG’s functionality isn’t transparent to users, and can’t be relied to encrypt all messages as encryption can easily be switched off by the user. Key management is also much more rudimentary, and if a user forgets their private key passphrase then the key pair becomes unusable as there is no way to retrieve it. But overall GPG is a useful (and—let’s not forget—free) implementation of OpenPGP, and it can be a very effective solution for individuals and small businesses.