Between Snowden, Greenwald, and the NSA, encryption is in the news. But what is it? And how can you, a mild-mannered student at an American university, use it? And why should you? You’ve got nothing to hide, after all. In this latest SocketHop, Conor Skelding (no tech genius himself) tries to lay that out.
Something to get out of the way first: this chillingly-titled NYTimes article, “N.S.A. Able to Foil Basic Safeguards of Privacy on Web.” A friend sent it to me and asked whether setting up PGP encryption is still worth it, given that title. And I asked a better informed friend.
It is still worth it, for two reasons. First, it’s worth it because it’s unknown what exactly the NSA can foil. According to cryptographers, it probably hasn’t cracked PGP (though it gets around it many other ways). The second reason is, even if PGP encryption doesn’t protect you from the full force of the NSA, it will protect you from trespassers in your GMail account, advertisers, your email provider, hackers, and thieves who physically steal your phone.
Indeed, the NSA, according to that article, is “still stymied by some encryption.” As Snowden wrote, assuming endpoint security, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
Here is my layman’s understanding of PGP: you have two huge numbers. They fit together, but on account of really big prime numbers, current computers cannot derive one from the other. One is designated as your private key, the other your public key. Something encoded with one can only be decoded with the other. You make your public key public, either sharing it with friends or uploading it to a public keyserver. As for your private key: keep it secret, keep it safe.
So, say I want to send Glenn a message. I have Glenn’s public key. I encrypt a message with it. He, receiving it, decrypts it with his private key. Simple enough. But how does he know it came from me? I digitally “sign” the message by adding a little text encrypted with my private key. Glenn has my public key, so he can decrypt that, too, and know it came from me. And that’s it! Verified, secure communication between two (or more) parties, with everyone’s private key kept secret.
Encrypted messages can only be read on a machine with your private key (the fewer of those the better). Google or whatever your mail provider is cannot read it; all that’s on their servers is gibberish. Therefore—at the very least, even if the NSA has broken PGP, which cryptographers think exceedingly unlikely—your encrypted messages will be safe from to anyone using your smart phone or computer, or accessing your email via webmail.
0. Download the GPG Suite from GPGTools.org
1. Open your GPG Keychain, install. Click New.
3. Select Advanced.
4. Choose 4096 bit RSA and RSA. (This uses the biggest prime numbers, and is the hardest to crack.)
5. Choose no expiration. For extra security, you can make new keys later.
6. Generate your key.
7. Search for your friends on the public keyserver. If you don’t have any friends on there, you can send me a message. (Edit > Find > Search Key)
8. Open Mail; GPGTools automatically and seamlessly integrates with it.
9. Disable drafts composed in Mail from being stored on the server (This is essential; otherwise your unencrypted drafts would be stored on the mail provider’s servers and all this would be for nothing.)
10. Communicate more securely. All Google/Columbia will see is this*.
Governments, corporations, and criminals have long had access to encryption; now you can have a measure of security, too.
This may seem a little paranoid, but security means a degree of paranoia. Pragmatically, better security means finding a balance between total paranoia and absolute ignorance. This is up that alley: there are more secure tools, but they ask too much of the casual user—they necessitate a severe change of lifestyle. GPGTools is simple to install and use.
[N.B. Much of this information was pulled and condensed from The Freedom of the Press Foundation's comprehensive whitepaper. Credit for a few bits are due one crypto-friend. For further reading, see "Why do you need PGP?", a short essay written by Phil Zimmerman, the inventor.]
*Only email messages sent through Mail can be encrypted or signed with GPGTools. GChats and emails you send through webmail or from your phone cannot be.
GPGTools’s logo from GPGTools.org