Thursday, October 27, 2011

Yes, Virginia, We need Email Encryption !

Email encryption has been gaining a lot of attention lately. With growing numbering of security attacks, often in public places like coffee shops, airports and cyber cafes, it is not hard to imagine your confidential data being hacked. There are so many loop holes that a bad guy can use to reach you and sniff your data. Let alone the public places. How about your email security ? What if you lost your Email password ? Now-a-days there are many security features like Recovery Email, SMS Alerts/One Time Password, a 2 stage password mechanism and the like. But still, a little insight about you and your passwords can get the hacker right into your inbox. Though you might know it later, there would be nothing you could’ve done, because, the details that the person had wanted would’ve already been stolen !

May be it could seem like a very complicated case, but sure enough not be taken lightly. Email is more like a personal diary. People might have so many things in their Mail history. Theft of their Email password or mail account is no less than losing their identity.

We now present a way of encrypting your email safely and securely so only you could read it – PGP Encryption !


What is PGP ?

PGP stands for Pretty Good Privacy. It is data encryption cum decryption standard generally used for transmission of confidential data like Email and files. It was written by Phil Zimmermann in 1991 to answer email security issues.

Some patent problems with the PGP led to Corporates forming their own version of PGP standards, thus making it unavailable for the larger public. So, by July 1997, Open PGP was formed by the IETF. Under this regard, the Free Software Foundation has its own version of the PGP Software – GnuPG, expanded as GNU Privacy Guard.

How it works ?

Open PGP standard that we are currently about to use, works through public key cryptography or in other terms, asymmetric cryptography. In layman’s terms, we encrypt the data using a key and decrypt it with an other key. So, in the end-to-end transmission data we need two keys to work with.

What we do is, we generate two keys. One public key and the other private key. The names are actually arbitrary. Any key can be used as public or private key. Its just that encrypting data with one key can be opened with only the other key.

After generating the public/private keys, we send the public key to the person who wants to send us email/data securely. We can send the public keys through email or can upload it to public key server so anyone wanting to reach us can do so in a secure manner. Anyone trying to read the data in between can get away with only gibberish.

The data they send can be viewed only us, as only we have the private key. This is very important. Never lose your private key or send it to anyone by any means. Better have a backup.

 


Setting up Email Encryption

Before we start this, things you’ll need to set up the email encryption are, GnuPG – if you plan to go open source or the PGP Desktop, an email client – Thunderbird preferable or if you insist, you might also try having Postbox or Outlook and in case if you’re using Postbox or Thunderbird, you also might have to install Enigmail. The links for all the necessary softwares have been provided at the bottom of the article.

First install your email client, in my case Thunderbird and setup your email accounts. Not to worry much here. Thunderbird has a very easy to setup email account wizard that will guide you. Install the Enigmail addon. Same goes with Postbox.

 

The next thing you need to do is to install a PGP Software. The Enigmail extension that you’ve installed in Thunderbird works only if you’ve got a PGP Engine. I personally would recommend using Gpg4win. It is so easy to use and comfortable to work with. There are two options you can go with – either the full version(38 MB) or just the engine (15MB). The second option is fine.

Once you’ve done all the above, open Thunderbird Client and choose Key Management from the OpenPGP option in the menu bar. Choose key management and you’ll get a screen similar to the one below.

 

Now, choose Generate option to create your new key pair – remember the public and private keys we talked about ? That’s exactly what we’re going to create now.

Type in your account details, choose a passphrase – to verify your authenticity and to revoke your private and public keys. Choose your key validity and you are good to go.

Click on Generate key option and it’ll be a few seconds before you have a valid key. Gpg4win might prompt you to type in your password again to store the generated keys in its local database.

That’s it! You’re done.

Now, send your public keys to the person you want to have secure communication with or upload your public keys to any of the public key servers. Anybody wanting to communicate with you shall use it from there.

When you want to compose an encrypted message, type in your message and choose Encrypt Message from the OpenPGP option in your compose window. Remember, you need to have the public key of the person whom you want to send the encrypted message to.

Once you’ve chosen that option, you could see the message turn gibberish. Perfect Encryption ! Take a look at an example of what you would be sending the message as…

 

 

As for the receiver, he would be prompted for the password on first use to view the encrypted message that he has received and would see the decrypted version of it.

 

See, its that simple ! But remember to backup your keys before you send it to anybody, especially your private keys.

To view the decrypted message in browser, I didn’t find any convincing solution, except for FireGPG that works with Mozilla Firefox, although it didn’t work for me.


Download Links

Mozilla Thunderbird - http://www.mozilla.org/en-US/thunderbird/download

Postbox - http://www.postbox-inc.com/

GnuPG - http://www.gnupg.org/download/

GPG4win - http://www.gpg4win.org/download.html

PGP Desktop - http://www.symantec.com/business/theme.jsp?themeid=pgp

Enigmail - https://addons.mozilla.org/en-US/thunderbird/addon/enigmail/

FireGPG - https://addons.mozilla.org/en-US/firefox/addon/fire_gpg/