Monday, August 24, 2015

Email Security - Encryption - Part 3

Importing a Certificate from the Web

Overview

You now have the ability to send and receive secure encrypted email messages. You can also send 'signed' email messages, but that is a topic I may cover in a future post. There is a catch. In order to send and receive those encrypted messages, there is a piece of information each party in the conversation has to have from the others. That information or data is their public key. In part 1 of this series I touched on symmetric versus asymmetric encryption. In asymmetric encryption there are two pieces to the key (often referred to as a "key pair"). The first part is what is called your private key. Typically this is also protected with a passphrase. You should never share this part of the key, and some choose to store it on removable media like a flash drive (in the old days your private keys may have been on a floppy disk). The second part of the key is called your public key. This can be shared and there are a few places on the web that these public keys can be uploaded to for easier sharing. Getting someone's public key from one of these repositories is the subject of this post.

Importing a Public Key

If it's not already open, from the Windows Start Menu, start Kleopatra. You should see the certificate you created in part 2 displayed in the "My Certificates" tab.
Kleopatra Main Window
A new installation of Kleopatra will need to be configured with one of the online repositories of PGP (or GnuPG or OpenPGP) certificates. Click the "Settings" menu and select "Configure Kleopatra". The configuration window will open.
Kleopatra Configuration Window
Click on the "New" button on the right hand side of the screen. A line with the default key server will appear in the window.
Kleopatra Directory services (key servers) Window
Click on "OK" and you will return to the main window.

Now that a key server has been defined, we can search for a public key to import to our 'keyring'. In this example we will look up a certificate for one of my email addresses (used for when I suspect I may receive spam when filling out forms on the web).

Select the "File" top menu and then "Lookup Certificates on Server" or press Ctrl-Shift-I. This will bring up the Certificate Lookup Window.
Certificate Lookup Window
In the "Find" field box at the top type "sponge.com" (without the quotes). Then click on the "Search" button. You will be presented with a list of possible matches. Select the entry "Bruce Schuck bruce@sponge.com 2002-04-27" and finally click on "Import". You can now close Kleopatra.
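A key server hands back whatever anyone uploaded under that name, so the check worth doing after the import is to compare the key's fingerprint with one the owner gave you some other way (on a business card, by phone, in person). The Python below is an added example, not part of the original post or of Kleopatra: it builds a constructed toy OpenPGP v4 public key packet (made-up key bytes, reusing only the 2002-04-27 date from the search result above) and computes the fingerprint exactly as RFC 4880 defines it, which is what Kleopatra shows in the certificate details.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Constructed sample: a throwaway RSA public key packet in OpenPGP v4 format
# (RFC 4880 s5.5.2). The 64-bit modulus is far too small for a real key; it
# only gives the parser something to work on. Creation date 2002-04-27 UTC
# mirrors the date shown in the Kleopatra search result; the key bytes are made up.
SAMPLE_N = bytes.fromhex("c2518f6a13779b25")  # top bit set, so exactly 64 bits
SAMPLE_E = bytes.fromhex("010001")            # e = 65537

def mpi(value: bytes) -> bytes:
    """Encode a big-endian integer as an OpenPGP MPI: 2-byte bit count + bytes."""
    bits = int.from_bytes(value, "big").bit_length()
    return struct.pack(">H", bits) + value

def build_public_key_packet(created: int, n: bytes, e: bytes) -> bytes:
    """Old-format packet header 0x99 = tag 6 (public key) with a 2-byte length."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body

SAMPLE_PACKET = build_public_key_packet(1019865600, SAMPLE_N, SAMPLE_E)  # 2002-04-27 UTC

def parse_public_key_packet(packet: bytes) -> dict:
    """Parse a v4 public key packet and derive its fingerprint and long key ID."""
    if len(packet) < 3 or packet[0] != 0x99:
        raise ValueError("expected an old-format public key packet with 2-byte length")
    (length,) = struct.unpack(">H", packet[1:3])
    body = packet[3:3 + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or unsupported key version")
    created = struct.unpack(">I", body[1:5])[0]
    # v4 fingerprint = SHA-1(0x99 || 2-byte body length || body), RFC 4880 s12.2
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()
    return {
        "version": 4,
        "created": datetime.fromtimestamp(created, timezone.utc).strftime("%Y-%m-%d"),
        "algorithm": body[5],          # 1 = RSA (encrypt or sign)
        "fingerprint": fpr,
        "key_id": fpr[-16:],           # long key ID = low 64 bits of the fingerprint
    }

def matches_trusted_fingerprint(packet: bytes, expected: str) -> bool:
    """True if the downloaded key's fingerprint equals one obtained out of band."""
    got = parse_public_key_packet(packet)["fingerprint"]
    return got == expected.replace(" ", "").upper()
```

Because the whole packet body is hashed, changing a single byte of the key material changes the fingerprint, which is why a fingerprint received out of band is enough to tell the real key from a look-alike uploaded under the same name and address.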

Summary

I know that some readers want to get right to it, but I wanted to leave some time between each post for people to install and maybe experiment a little with the GPG4Win application. There are two other usual ways that public keys can be imported. One is a more manual process that involves getting a person's public key directly, and the other is tied to when a PGP signed email is received from someone you do not yet have a public key for. I think I will cover those methods after I show you how to send an encrypted email using Thunderbird.


Monday, August 17, 2015

Email Security - Encryption - Part 2

Creating a GnuPG Key

Overview

Part 1 summarized the two common public key technologies (aka PKI for Public Key Infrastructure) used to secure email communications. Here in Part 2 I will take you through the steps to generate your own GnuPG key pair on the Microsoft Windows Operating System. Why GnuPG and not PGP? For the most part the two are interchangeable. Since GnuPG is freely available, I decided to demonstrate it first. One drawback of GnuPG is that it does not integrate seamlessly into 64-bit versions of Microsoft Outlook. Because of this, I will first show how to enable Thunderbird to send and receive encrypted email messages.

Installing GnuPG on Windows

Please note that I used Windows 7 Enterprise in this example.

In your browser, navigate to http://gpg4win.org/.
http://gpg4win.org/
Click on "Download Gpg4win". You should be at this page. At the time of this post, the current version is 2.2.5.
http://gpg4win.org/download.html
Now click on the uppermost download button. You will be presented with the dialogue box asking if you want to save the file or run (execute) the file.
Save Dialogue
Select 'Run' and accept the default actions of any dialogue box presented during the installation process. If successful, the last screen displayed should be this.
Gpg4win Wizard Complete
Please unselect the "Show the README file" and then click "Finish". At this time you have successfully installed a Windows version of GnuPG on your computer.

Creating a GnuPG key

The installation of Gpg4win installed the Kleopatra key management tool as one of the components. Navigate through the start menu and launch Kleopatra. The path through the menus should be "Start -> All Programs -> Gpg4win -> Kleopatra".
Kleopatra Main Window
Start the new certificate process by selecting File -> New Certificate from the top menu or by typing Ctrl-N (press Control-Key and 'N' key simultaneously). You will be presented with a dialogue to choose the certificate format.
Certificate Format
Choose "Create a personal OpenPGP pair", and click on Next. On the next screen you will enter details about your certificate.
Certificate Detail Form
Two of the three fields on this form are required. Fill in the Name and EMail fields with your name (usually full name) and email address. You can use the Comment field for any purpose. Some people may choose "Work" or "Home" for this field. For the time being we will not need to be concerned with any of the Advanced Settings. When you have filled in the fields, click on Next.
Certificate Review
On the Review Certificate Parameters screen you can confirm the values of the fields entered on the previous form. If no corrections are necessary, click on Create Key. During the key creation you may be asked to move the mouse pointer or type in random characters. When the key pair is generated, you should see the following screen.
Certificate Complete
Congratulations! You have successfully generated an OpenPGP key pair. When you click on Finish, you will be returned to Kleopatra's main screen and see your certificate listed in the window.

Summary

While composing these steps I realized that if you are following these steps you may not know someone that you can send and receive test messages with. So before we move on to configuring an email client (Thunderbird) to utilize GnuPG, I should go over how to import someone's public key to your keyring. There are a few ways to accomplish that, and that will be covered next in Part 3.


Friday, August 14, 2015

Email Security - Encryption - Part 1

Email Security and Privacy

Introduction

We have seen communication over the internet expand over the last 20 years. Once it was just the realm of those in academia and science. Today nearly everyone uses the internet regularly to communicate with others. Along with this rise in popularity has been a heightened concern for privacy and security. People (and businesses) want to be able to communicate and not fear hackers or even their own government. From all the clamor we see related to how our content and messages are used by the social media sites, and how various laws affect what the government can access with or without a warrant, you would think that there are no safeguards available to combat perceived or real threats to our privacy. But fortunately, that perception is without merit.

Encryption

The perception is without merit because it is possible to secure your email so that only the intended recipient(s) can view it using encryption. Better news is that this is easier to accomplish than you might believe. There are actually two types of encryption that can be utilized, symmetric and asymmetric encryption. The details of these are beyond the scope of this blog, but for more information please visit http://resources.infosecinstitute.com/symmetric-asymmetric-encryption/. Here we are going to focus on asymmetric encryption and using it to send and receive email securely.

SSL (S/MIME) and PGP (or GnuPG)

There are two main methods to send and receive secure email. Most modern email clients (Outlook, Thunderbird, Evolution, etc) natively support one or both methods. You don't need to understand the technology beneath these two systems, only how they differ with respect to setting up and using your email client.

SSL (S/MIME)

When an email client uses SSL to secure messages, it is also called S/MIME. This encryption (and electronic signing) is very similar to how web sites using HTTPS are encrypted. The certificates used are commonly purchased from a known vendor of SSL Certificates. Examples of these companies are Thawte, Digicert, and Verisign. A source of free SSL certificates is CAcert, but its root certificates are not usually included in the bundles that come with operating systems and software. If desired (especially for testing), those of you who are more technical could create your own certificates using OpenSSL.

PGP (or GnuPG)

PGP stands for Pretty Good Privacy. First written and released as freeware, it has since become commercialized, now part of Symantec. Some older versions of PGP can be found at http://www.pgpi.org/. The most common current open-source derivative is GnuPG or GNU Privacy Guard. PGP was originally created to securely store messages and files on bulletin board systems (BBS) in 1991.

Summary

We will start getting into the details of using these technologies to secure email communications in part 2 of this series. For now, please take some time to visit some of the links posted above to learn more. Feel free to post comments or questions.

Thank you.


Friday, June 12, 2015

64 Bit Ubuntu and 32 bit Check Point SSL Network Extender

Recently I decided to change the operating system on my home Linux desktop to Ubuntu. I have been running OpenSuSE for a while since the prevalent OS at my last gig was SLES or SuSE Enterprise Linux (before that I was running Solaris x86). The current LTS version of Ubuntu is 14.04. I saw no reason to install the 32-bit version, so I downloaded and installed the 64-bit OS.

The installation of Ubuntu Desktop is straightforward, but unless I missed something you cannot select what packages and software are included during the initial install.

The VPN we use at work is provided through a Check Point appliance. For Mac OSX and Linux operating systems you have to download the installation script from the "Settings" link after logging in to the web portal, or from the Check Point website. Having an older unit, the script installs a 32-bit version of the Check Point SSL Network Extender also simply known as 'snx'.

Everything seems to be simple and easy until you attempt to execute 'snx' (gets installed to /usr/bin/snx). What you see is something like:

$ snx -h
bash: /usr/bin/snx: No such file or directory

An 'ls' command will prove the file does in fact exist, but attempting to execute 'ldd' to see what libraries it may be looking for adds to the mystery.

$ ldd /usr/bin/snx
  not a dynamic executable

I did some digging and found that the default 64-bit install of Ubuntu 14.04 does not include any 32-bit libraries. Using 'apt-get' I installed the 32-bit version of a few of the "standard" libraries. I don't know which one it was, but now the output of 'ldd' listed libraries and which ones were not found. To save you some time here are the libraries I needed to install to get the Check Point SSL Network Extender to work.

  • lib32stdc++6
  • lib32z1
  • lib32objc3
  • lib32readline6
  • lib32gcc1
  • libX11-6:i386
  • libpam0g:i386
  • libstdc++5:i386 

Easily done with one command:

# apt-get -y install lib32stdc++6 lib32z1 lib32objc3 lib32readline6 lib32gcc1 libX11-6:i386 libpam0g:i386 libstdc++5:i386

It wasn't too hard to figure out, but if this helps a few people save time it was worth the effort to create this post.
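The misleading "No such file or directory" comes from the kernel failing to find the 32-bit dynamic loader the binary names, not from the binary itself, and the 64-bit 'ldd' cannot inspect a 32-bit executable either. The script below is an added example (not from the original post or from Check Point) that reads the ELF class byte directly so you can confirm the 32-bit/64-bit mismatch before installing libraries, then lists whatever 'ldd' still reports as missing; the function names are my own.

```sh
#!/bin/sh
# Added diagnostic for an existing binary that fails with "No such file or
# directory": byte 5 of the ELF header (EI_CLASS) says whether it is a 32-bit
# or 64-bit executable, independent of whether a loader for it is installed.

elf_class() {
    # Print ELF32, ELF64 or NOTELF for the file given as $1.
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo NOTELF; return 1; }
    class=$(od -An -tx1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case "$class" in
        01) echo ELF32 ;;
        02) echo ELF64 ;;
        *)  echo NOTELF; return 1 ;;
    esac
}

missing_libs() {
    # Print the libraries ldd reports as "not found" (empty once all resolve).
    ldd "$1" 2>/dev/null | awk '/not found/ { print $1 }'
}

check_binary() {
    # Explain why a 32-bit binary such as snx fails on a 64-bit host.
    bin=$1
    cls=$(elf_class "$bin") || { echo "$bin: not an ELF binary"; return 1; }
    if [ "$cls" = ELF32 ] && [ "$(uname -m)" = x86_64 ]; then
        echo "$bin is ELF32 on a 64-bit host: needs the i386 loader and i386 libraries"
    fi
    missing_libs "$bin" | sed "s|^|$bin: missing library: |"
}
```

Run 'check_binary /usr/bin/snx' before and after the apt-get command above; the "missing library" lines shrink to nothing once the right i386 packages are in place.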
