Wealth International, Limited (trustprofessionals.com) : Where There’s W.I.L., There’s A Way

Secure Email Communication with PGP

© Copyright 2015 Wealth International, Ltd.

Note: This article is based on a now old version of PGP which could legitimatedly be deemed obsolete. The basic principles still apply, so we are leaving it up, but the version may not work well with modern versions of Windows such as versions 7 and 8. It works fine on Windows XP.

If you have read very much of this site then it will not be a surprise to discover that we do not believe that your private communications have much legal or practical protection from government snoopers, should you come into the crosshairs of one of them. While your mail posts in sealed envelopes actually still have some legal protections against being opened and viewed, the practical protection derives from the need for physical intervention and effort to perform the search. The envelope has to be acquired, carefully opened, and carefully resealed by a human being.

A postcard is clearly a less secure form of communication. Not only can every Postal Service employee who handles the card sneak a look, as well as your nosy neighbor if you do not immediately pick it up, but your friendly government agent can also interpose him/herself somewhere along the line and surreptitiously observe the message without anyone really being the wiser. Consider that your emails are less secure than messages sent by postcard. They bounce along several to hundreds of internet network nodes on their way to the recipient, and anyone with remote access to one of the intermediate servers, or (more likely) your email server, can read the contents, possibly even after you have downloaded the message to your local machine. Accessing and searching email messages for certain key words can even be automated.

If you are going to take advantage of the tremendous convenience of email, but keep your affairs to only yourself and those you choose to share them with, you will have to encrypt your email messages. The age-old method of encryption involves both sender and recipient having the same “key”, analogous to them both having identical keys that open the figurative padlock that protects the “trunk” with the message in it. But if the other party is far away how do you get the “key” to them safely, avoiding the possibility that some interposer makes a copy of the key for himself? The ingenious solution manifested in “Pretty Good Privacy” (PGP) is analogous to the following situation: I am expecting a secured package from you so I send you an open padlock to which I have the key. You lock the contents box with the padlock, and nobody can unlock it except me.

PGP logoWith PGP when you go through the process of generating a key, two keys are created: 1.) A public key that you give to everyone (within reason) to use to encrypt messages sent to you, and 2.) A private key that only you have. Moreover, the private key alone is not sufficient to decrypt a message encrypted with your public key – you also have to have the secret “passphrase” that you chose when creating the keyset. Access to a machine with your private key plus your passphrase are both needed to decrypt the message. How secure is a message against brute force decryption attempts by someone who does not have your private key or know your passphrase? The bottom line is that if you choose a sufficiently long key and complex passphrase then it would take today’s most powerful supercomputers centuries to break the “lock”, except by luck. That is why the U.S. Government fought so long to prevent the export of versions of PGP that could handle long keys, and harrassed PGP’s creator Phil Zimmerman, one of the people who has truly made a difference on behalf of human freedom.

Using PGP

PGP can be obtained from the International PGP site here. (U.S. export restrictions were circumvented when someone printed out the PGP program source code, took it overseas, reentered the code and compiled it ... thus the “international.”) There are many alternative download sites, easily found using your favorite search engine, if there are any problems. Execution of the most useful tasks are summarized below for Microsoft Windows users. Note that the screenshots shown are from PGP version 6.5.8. The procedures – especially for more recent versions – may involve very different sequences. If you have never used PGP before and do not consider yourself an intermediate or higher when it comes to computer competence, we strongly suggest installing version 6.5.8. That is the only version we can really help anyone with.

PGP toolbarThe installation of PGP is relatively straightforward. As usual you may choose where in your system it will be installed, and a set of icons will be inserted in your Start Menu – probably in a program group named “P G P”. As a starting point, operating from the “PGPtools” icon array will help one to understand and readily execute all of PGP’s basic operations. To bring up PGPtools, click on the “PGPtools” icon that should now be in your Start Menu. A screenshot of PGPtools is shown to the right. All the operations below start from there.

PGP keysCreating a keyset  Click on the “PGPkeys” icon – the leftmost one with the two opposing keys. This will bring up the PGPkeys applet window, an example of which is shown below. All public keys – those to whom you have the capacity to send encrypted email – will be listed. On the PGPkeys window, clicking on Keys/New Key ... will start the key creation process (“wizard”, in MS Windows parlance). When asked which type of key you would like to generate, use the default Diffie-Hellman/DSS. Next, when you are asked how large a key pair do you wish to generate?, pick “Custom” and fill in “4096”. Moving to the next stage, leave in place the selection indicating that the key pair never expires. Moving on, to generate a passphrase, mix in capital and small letters in odd places as well as some special characters (@,#,&,~, etc.), numbers, and spaces. After the key pair generation is complete, you will encounter a dialog asking if you want to export the key to a public key server – it is fine to decline the option.
PGP key manager applet
The final stage of the key generation wizard will inform you that the process is complete, and you can click on the “Finish” button. PGPkeys will now reflect the addition of the user’s key pair, as in the example below. When you ultimately close PGPkeys, you will be asked whether to backup the now-modified keyring. This is a very good idea, as the wizard closing dialog explains.

PGP key manager applet after new key import

Importing another’s public key  Go to PGPkeys, click on Keys/Import ... The form in which the public key was sent to you will dictate that the file type drop menu be set to “Text Files” or “Keyring Files”. Navigate to the key file to be imported and import. The screenshot below shows a dialog similar to what one would encounter in importing W.I.L.’s public key to one’s keyring.
Importing a public key

Exporting your public key  In PGPkeys, right click on the key you want to export and click on Export ... Send the resulting file as an email attachment to the desired parties, or, if attachments are a problem you can load the .asc file into Notepad or another text editor and copy all the contents into the body of an email. An example of a public key in text format – W.I.L.’s public key – can be seen here. The screenshot below shows the dialog we encounter when exporting one of our public keys.
Exporting one’s public key

encrypt iconEncrypting a message  Once you have written your message, highlight it and copy it into the Clipboard. On the PGPtools icon array click on “Encrypt” (2nd icon from left) or “Encrypt + Sign” (4th icon from the left), then on “Clipboard”. (If you choose “Encrypt + Sign” you can securely sign the document. Someone would need your private key and passphrase to impersonate you.) Choose your recipients by dragging names from the top of the window to the bottom, or by double-clicking on the names in the top one at a time. Note: Unless you include yourself in the recipients list you will not be able to decrypt your own message later. Strange but true! (Note that there may be good reasons to not want to be able to decrypt your message later.) The now-encrypted message is now in the Clipboard and can be pasted in the appropriate place, e.g., the body of an email.
PGPtools key selection dialog

Encrypting a file (including ZIP and other compressed archives)  Drag the file to be encrypted onto either the PGPtools “Encrypt” or “Encrypt + Sign” icon. Choose recipients, etc. as outlined immediately above. A file with extention .pgp will appear in the originating folder of the file you encrypted. You can change the name of this file, but should retain the .pgp extention. When the recipient decrypts it by double-clicking on the file (or by dragging it onto the “Decrypt/Verify” icon, see below) the original file with its original name will reappear on his/her end.

decrypt iconDecrypting an encrypted message  Highlight the message and copy it into the Clipboard. Click on the “Decrypt/Verif”q icon (3rd from right) on the PGPtools icon array and then on “Clipboard”. Fill in your passphrase. The decrypted message is now in the Clipboard.
PGPtools enter passphrase

Decrypting an encrypted file  Assuming it has a .pgp extention just double click on it and fill in your passphrase when asked. Otherwise drag the encrypted file onto the “Decrypt/Verify” icon to invoke the same process. The decrypted file will appear in the same folder as the encrypted one.

wipe iconSecurely wiping (deleting) a file  Although not strictly part of the secure communication process, it is always a good idea to securely delete any file with sensitive information within once it has finished serving its purpose. Using the Windows “Delete” file command does not do this. PGP provides a ready-made mechanism for this. Just drag the targeted file only the “Wipe” icon – the 2nd icon from the right on PGPtools.

free space wipe iconSecurely cleaning free space on a partition  Even if you have been careful about securely deleting sensitive files, it is a good idea to securely wipe all free disk space periodically. Files deletely (nonsecurely) years ago containing private information might still reside in some dark corner of your disks. Click on the “Freespace Wipe” icon – the rightmost icon on PGPtools – and follow the wizard. The more “passes” you choose on the first wizard dialog, the longer the procedure will take. You may want to schedule the procedure for large disks overnight.

That covers enough to do the fundamental PGP tasks. Another introduction to PGP with links to other tutorials can be found here. And if you choose not to learn how to use PGP at this time, then we highly recommend obtaining a HushMail account and communicating with WIL via our HushMail email address, wealthintltd@hushmail.com. Emails between any two HushMail account holders are encrypted using a PGP-like protocol.

How PGP can be compromised

Obviously if the wrong parties discover your passphrase you effectively have no encryption where it might matter most. Government parties can compromise passphrases, and famously did so in the case of a mobster boss, by planting a keyboard tap on a computer that gives a readout of every key stroke. It is just a matter of finding when the passphrase key stroke sequence was entered. More likely sources of compromise occur when one stores the passphrase in some supposedly obscure corner of the machine, or writes it down somewhere. Do not do this. Memorize you phrase and leave no other traces of it.

Another form of compromise occurs when the relevant key is not rendered ineffective outright, but rather use patterns are discerned over time that might tip off the observing party. If almost none of your email messages are routinely encrypted and then suddenly all of those with one of your email partners are, then an observer would surely wonder what was up. The suggestion here is to use encryption as often as is practical. Not only does that obscure your personal use patterns but it adds to the aggregate amount of noise out there and keeps the spooks busy with red herrings.

Finally there are inherent limits in the internet protocols themselves that limit how anonymous you are on the internet. Your normal interaction with the internet leaves tracks that make it easy to discover where a communication over the internet originated, down to the telephone number you used to dial into your ISP. To effectively cover your tracks you need to use a service like Anonymizer, although this should not be considered failsafe.

Communicating with W.I.L.

While the sheer quantity of international voice, fax, and email communications might make it seem unlikely that any one communication would be observed by an outside party, it should be kept in mind that offshore service providers as a group are singled out for special attention by the international financial police force. Acting as if you are under surveillance when dealing with us is a good discipline, even if the odds are with you. To paraphrase a famous advertising slogan: When it absolutely has to get there uncompromised, use PGP.

W.I.L.