« Language Immersion | Main | Oven-Fresh Blogging »
March 26, 2005
Email Encryption Primer
I've posted my public key, and, as promised, here's a short primer on encryption: by which I mean, a bunch of links to information about email encryption. This stuff is relatively esoteric, even as esoteric technical things go, but I write for the curious. So here we are.
By "email encryption," what I mean is "public key cryptography," the primary email implementation of which was invented in the early 1990s as "PGP" (stands for Pretty Good Privacy). The idea is that you exploit the difficulty of reversing certain mathematical functions -- in particular the difficulty of factoring the product of two very large prime numbers -- to make a private key (the two primes) and a public key (their product). Because of the computational difficulty of solving the private key from the public key, the public key can be distributed anywhere without compromising the security of the encrypted exchange. This is a clever solution to an age-old cryptographic problem: it's easy enough to send a coded message, but if you send the instructions to decode it along with the message, or if those instructions, sent by another route, get intercepted, the coded message isn't quite so coded anymore. With public key cryptography, I give the world my public key; to send an encrypted message to me, you use my public key, and then I decrypt it with my private key which is stored in secret (and encrypted itself with a secret passphrase that's only in my head) on my computer.
So far, so fun. How to actually do this depends on your computer system. If you're using Windows or have a Mac, the PGP corporation will happily take $59 from you for their official product, which, I am assured, works very well. For my part, I not only run Linux (strike one) but I also hate spending that much for something I rarely use (strike two), so I don't use PGP's version. It probably integrates very tightly with your usual desktop email client, though, which is nice.
More useful for those of us who don't keep extra money lying around as a compulsive habit is the open-source GNU Privacy Guard (GPG...cute, right?). The definitive documentation for GPG is the GNU Privacy Handbook, which also has an excellent discussion of public key cryptography concepts in general. See also this more introductory page.
I use GPG set up on the Linux-running laptop to which I download my email (integrated with KMail), and I also have an implementation running on Harvard's email server for those cases where I send email on the go sans laptop. FAS Webmail does not integrate with GPG, and Pine doesn't either (I think), so in order to use it, you'd have to use a better email client like Mutt. You definitely have to know what you're doing with a UNIX shell prompt to get this working, or know someone else who knows what he or she is doing. If you want, and if you ask nicely, I can help you with this. As an added bonus, Mutt really is better than Pine.
If you're running Windows, here's this page on running GPG on Windows. Once you've got the command line part set up, here's a page about GPG with Outlook and here's one about Eudora. If you're on a Mac, here's some information about Eudora on OS X. Beyond this, googling "GPG" along with the name of your email client will usually turn something up.
Finally, a word about the other use of one's keypair: digital signatures. This is the answer to the frequently-asked, "DR, why do all your emails come with an attachment?" This attachment is my PGP signature. To make this signature, GPG takes my private key and uses it in combination with the message body as input into a hash function. The output of this function is attached to my email as the "signature". My public key can be used to verify the output of the function (the signature), confirming 1) that the message came from me (since I'm assumed to be the only person with access to my private key) and 2) that it arrived unaltered.
Posted by David Richmond at March 26, 2005 2:06 PM EST
Trackback Pings
TrackBack URL for this entry:
http://symphonicman.com/moveabletype/mt-tb.cgi/58
Comments
Woohoo, Mutt! Switched from pine when I went from Mandrake to Debian... it really is tons better. Although I'm starting to use Thunderbird these days, too, for certain things.
As for GnuPG, it's just not worth the effort or the extra bytes even. I've never needed to encrypt any electronic correspondence in my entire life as a netizen, aside from money transactions which HTTPS takes care of for me. The moment I find a use for encryption-- which I don't believe will happen anytime soon unless it's for a job-- I'll install GnuPG. Call me lazy.
Good summary though. Kudos.
Posted by: Moses at March 27, 2005 12:18 AM