Author Topic: PGP/GPG ENCRYPTION TUTORIAL: how to talk "truly private" over internet  (Read 6573 times)

Radium

  • Member
  • Karma: 26
  • Posts: 362
  • Trading Score: +2
  • When I die, plz compost me :)

Dedicated to BubbleCat,
who introduced me to this awesome life-saving trick.

============
INTRO

PGP = Pretty Good Privacy
GPG = GNU Privacy Guard

For the layman, both terms mean the same thing, and are usually called PGP/GPG.

It was invented by the two good German fellas called Phil Zimmermann & Werner Koch.
We all owe them deeply if you ask me.

Their invention guarantees everybody's true & real (not fake & perceived) liberty, privacy, and safety.

It is open-source (assurance of existence of no back-doors) and free,
allowing us to send/receive encrypted messages/files over the internet,
while being sure that only the intended person can decrypt them, and the Man-in-the-middle only gets a bunch of garbage random scrambled text.

==============================================
DIFFERENCE WITH OTHER CRYPTOGRAPHY METHODS

When you send files/texts encrypted using "password-based" methods to a friend, you must give them the password too, and if you tell them the password via email/phone/SMS/etc, the purpose of encryption is lost, since the Man-in-the-middle will hear the password too, and will be able to decrypt the file/text.
The only safe way to tell the password to your friend is to go to your friend's place physically and tell it to them face-to-face quietly in his/her ear.

PGP/GPG solves this problem by replacing the password with 2 keys.
Every person owns 2 keys:
  • Public key:
    You send this (via email/PM/etc) to anyone who wants to send you encrypted files/texts.
    The Man-in-the-middle can hear it, but it will be totally useless to him/her, except humming it in the toilet or using it to send you an encrypted "***K YOU".
  • Private key:
    You keep this for yourself and do NOT give it to anyone.
==============================================
THE PROCEDURE

Steps in order:
  • you generate a pair of keys, a PUBLIC and a PRIVATE key (your friend does this too)
  • you send the PUBLIC key to your friend, and receive his/her PUBLIC key (via email/chat/PM/SMS/etc)
  • your friend uses your PUBLIC key to encrypt the file/text.
  • your friend sends you the encrypted file/text (via email/PM/SMS/chat/etc)
  • you decrypt the received encrypted file/text using your PRIVATE key.
  • now you use your friend's PUBLIC key to encrypt the reply, and send it to him/her (via email/PM/SMS/chat/etc)
  • your friend decrypts your encrypted reply using his/her own PRIVATE KEY.
Optional step:
  • you can "sign" the file/text, so the receiver can be sure that the file/text is indeed written and sent by you, not the Man-in-the-middle.
Very simple, amiright?

==============================================
SOFTWARE USING PGP/GPG

It is originally a shell/command-line program, which might appear "too hard and complicated" for the average layman.
Do not worry, there are lots of graphical clients (programs), open-source and free, which implement PGP/GPG.

One of the awesome graphical clients is called "Portable PGP".

It is written in Java, and thus runs on almost all platforms.
But you need to install Java Runtime Environment for it to work.
==============================================

That's all folks!

This thread should be stickied if you ask me.
The more people learning how to use PGP/GPG, the better.

Post any questions you have,
I will gladly answer.
« Last Edit: June 15, 2016, 04:23:06 PM by Radium »
Logged
Believers in God, cannot forbid any of God's creations, including plants, for that's utter blasphemy.

danzick

  • Senior Member
  • Karma: 54
  • Posts: 242
  • Trading Score: +238
  • So many seeds, so little time.

Thanks Radium.  Nice tutorial.   :)
Logged

Radium

  • Member
  • Karma: 26
  • Posts: 362
  • Trading Score: +2
  • When I die, plz compost me :)

Quote
Thanks Radium.  Nice tutorial.   :)

Welcome!

Feel free to share it on other forums and everyone you love.

The Man-in-the-middle HATES this tutorial.
« Last Edit: June 15, 2016, 05:33:22 PM by Radium »
Logged
Believers in God, cannot forbid any of God's creations, including plants, for that's utter blasphemy.

misplant

  • Senior Member
  • Karma: 35
  • Posts: 110
  • Trading Score: +81

Quote
Moreover, data extracted from our own database confirms that Java is the second biggest security vulnerability that requires constant patching, after Adobe’s Flash plugin.

In 2015 alone, we’ve already deployed 105925 patches for Java Runtime Environment for our clients.

https://heimdalsecurity.com/blog/java-biggest-security-hole-your-computer/

the problem with PGP is generally speaking a person has absolutely no way of knowing how secure or insecure the person you are exchanging encrypted messaging with really is.  They just as easily could be kissing cousins with the man in the middle, lol.

Offhand I'd think there'd be a lot more attention paid to an IP / MAC address that was sending/receiving encrypted messages vs the billions of ones that were not.


Logged
www.misplant.net

Life is short, Eat Dessert First

Radium

  • Member
  • Karma: 26
  • Posts: 362
  • Trading Score: +2
  • When I die, plz compost me :)

Quote
Moreover, data extracted from our own database confirms that Java is the second biggest security vulnerability that requires constant patching, after Adobe’s Flash plugin.

In 2015 alone, we’ve already deployed 105925 patches for Java Runtime Environment for our clients.

https://heimdalsecurity.com/blog/java-biggest-security-hole-your-computer/

the problem with PGP is generally speaking a person has absolutely no way of knowing how secure or insecure the person you are exchanging encrypted messaging with really is.  They just as easily could be kissing cousins with the man in the middle, lol.

Offhand I'd think there'd be a lot more attention paid to an IP / MAC address that was sending/receiving encrypted messages vs the billions of ones that were not.

  • That's not a problem related to PGP at all, that is about trusting contacts based on reliability and loyalty.
  • There are lots of other non-Java clients for PGP, one of them being GPGTools.
  • I still prefer attracting attention but being impossible to investigate, instead of not attracting attention but leaving easily readable data which can be reviewed anytime in future when eventually I attract some attention.
« Last Edit: June 15, 2016, 07:02:24 PM by Radium »
Logged
Believers in God, cannot forbid any of God's creations, including plants, for that's utter blasphemy.

BubbleCat

  • Supreme feline leader
  • Administrator
  • Karma: 144
  • Posts: 1940
  • Trading Score: +140
  • <3
Re: PGP/GPG ENCRYPTION TUTORIAL: how to talk "truly private" over internet
« Reply #5 on: November 03, 2016, 12:33:03 AM »

Nicely done !

You're a bit wrong on one thing tho:
Asymmetric encryptions do have two enemies:
A potent and capable operational quantum computer...
aaaand... THE MAN IN THE MIDDLE, given that he is there from the beginning on producing a key exchange with both parties. Highly unlikely but theoretically possible. Well, the quantum computer isn't exactly to be feared either as of now.

One thing is sure: PGP gives you security NOW but many people forget: DON'T discuss anything, using PGP or not, that you don't want to be discovered in say 20 years as one thing is certain: They may not be able to read your messages NOW but they can save encrypted messages and decipher them as soon as the computing power needed is available. So don't discuss your most recent murders as in most jurisdictions they can always get you for that. Speeding is fine tho.
Logged
Praise is mandatory.
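
Added example, not part of the thread: the procedure from the opening post (generate, exchange public keys, sign and encrypt, decrypt) run with the `gpg` command line, plus a fingerprint comparison that catches the swapped-key case raised in Reply #5. It assumes GnuPG 2.1 or later on the PATH; the `example.org` addresses, the message, the temporary keyrings and the empty passphrases are constructed for the demo.

```shell
#!/bin/sh
# Added example: two throwaway keyrings play "you" and "your friend".
# Addresses and message are constructed; empty passphrases are for the demo only.
WORK=$(mktemp -d)
trap 'for k in you friend; do gpgconf --homedir "$WORK/$k" --kill gpg-agent; done 2>/dev/null; rm -rf "$WORK"' EXIT

# g <keyring> <gpg args...>: run gpg non-interactively against one keyring
g() { h=$1; shift; gpg --homedir "$WORK/$h" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"; }

# fpr <keyring> <address>: fingerprint of the primary key as that keyring sees it
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

make_keys() {              # step 1: each side generates its own key pair
    for who in you friend; do
        mkdir -m 700 "$WORK/$who" &&
        g "$who" --quick-generate-key "$who@example.org" default default never || return 1
    done
}

swap_public_keys() {       # step 2: only the PUBLIC halves are exchanged
    g you    --armor --export you@example.org    > "$WORK/you.asc"    &&
    g friend --armor --export friend@example.org > "$WORK/friend.asc" &&
    g friend --import "$WORK/you.asc" && g you --import "$WORK/friend.asc"
}

# Guard against a swapped key: the fingerprint your friend imported must equal
# the one you read out from your own keyring over a separate channel.
fingerprint_matches() { [ "$(fpr friend you@example.org)" = "$(fpr you you@example.org)" ]; }

friend_sends() {           # steps 3-4 plus the optional signature
    # --trust-model always: the key was checked by fingerprint, not by web of trust
    printf '%s\n' "$1" | g friend --trust-model always --armor \
        --local-user friend@example.org --recipient you@example.org \
        --sign --encrypt > "$WORK/msg.asc"
}

you_read() {               # step 5: decrypt with your PRIVATE key, log signature status
    g you --status-fd 3 --decrypt "$WORK/msg.asc" 3> "$WORK/status"
}

signature_ok() { grep -q "VALIDSIG $(fpr you friend@example.org)" "$WORK/status"; }

make_keys && swap_public_keys && fingerprint_matches &&
    friend_sends 'constructed test message' && PLAIN=$(you_read) && signature_ok &&
    echo "decrypted and verified: $PLAIN"
```

In real use the two fingerprints are read on different machines and compared by voice or in person; here both keyrings sit in one temporary directory only so the script can run unattended.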

Mangrove

  • Li'l Lorax
  • Senior Member
  • Karma: 97
  • Posts: 762
  • Trading Score: +191
  • We're all here because we're not all there.
Re: PGP/GPG ENCRYPTION TUTORIAL: how to talk "truly private" over internet
« Reply #6 on: November 03, 2016, 10:42:23 AM »

Quote
Well done !

You're a bit wrong on one thing tho:
Asymmetric encryptions do have two enemies:
A potent and capable operational quantum computer...
aaaand... THE MAN IN THE MIDDLE, given that he is there from the beginning on producing a key exchange with both parties. Highly unlikely but theoretically possible. Well, the quantum computer isn't exactly to be feared either as of now.

One thing is sure: PGP gives you security NOW but many people forget: DON'T discuss anything, using PGP or not, that you don't want to be discovered in say 20 years as one thing is certain: They may not be able to read your messages NOW but they can save encrypted messages and decipher them as soon as the computing power needed is available. So don't discuss your most recent murders as in most jurisdictions they can always get you for that. Speeding is fine tho.

I couldn't help but post these masturpieces in response to this post:
FFS LISTEN TO THESE







« Last Edit: November 03, 2016, 10:43:05 AM by Mangrove »
Logged
Unless someone like you cares a whole awful lot, nothing is going to get better. It's not.--Dr. Seuss, The Lorax

BubbleCat

  • Supreme feline leader
  • Administrator
  • Karma: 144
  • Posts: 1940
  • Trading Score: +140
  • <3
Re: PGP/GPG ENCRYPTION TUTORIAL: how to talk "truly private" over internet
« Reply #7 on: November 03, 2016, 11:38:59 AM »

« Last Edit: November 03, 2016, 11:40:57 AM by BubbleCat »
Logged
Praise is mandatory.