Cryptography HOWTO

---------------------------------------
  ______                 __   
 /_  __/___  _________ _/ /_  
  / / / __ \/ ___/ __ `/ __ \ 
 / / / /_/ / /  / /_/ / / / / 
/_/  \____/_/   \__,_/_/ /_/  

  ______            ____                
 /_  __/___  ____  / / /_  ____  _  __  
  / / / __ \/ __ \/ / __ \/ __ \| |/_/  
 / / / /_/ / /_/ / / /_/ / /_/ />  <    
/_/  \____/\____/_/_.___/\____/_/|_|    

---------------------------------------
Messianic resources for you
---------------------------------------

Overview and Background

There is a general belief out there that you can go to any arbitrary website, read and download the stuff that is there, and you know what you are getting and who you are getting it from. This general belief is false.

The first reason it is false is simply that a significant number of websites are still available only over traditional HTTP and do not use HTTPS encryption. If you visit one of these sites, you:

  • cannot know the identity of the publisher (are they who they say they are?);
  • cannot trust the integrity of the material browsed or downloaded from the site.

Besides those two problems, what you are reading and downloading can also be observed by third parties, which is a privacy concern.

HTTPS to the rescue, because HTTPS gives you three benefits:

  1. A level of privacy, because third parties are able to see only the sites to which you connect, and not what you browse or download.
  2. A certain amount of data integrity, because third parties are unable to tamper with content en route from the publisher to your browser.
  3. A reasonable level of authentication of the identity of the publisher, because HTTPS certificates are often issued by organisations which perform some checks on the identity of the publisher requesting the certificate.

These benefits are not, however, absolute, because of the following weaknesses in HTTPS:

  1. HTTPS does not mask the sites you visit;
  2. Intelligence agencies around the world, including those which are actively hostile, spend a lot of resources in breaking, cracking, compromising and circumventing HTTPS, and have succeeded in the past;
  3. HTTPS only ensures integrity of information in transit from the publisher’s website to your browser, and does nothing to protect the information from surreptitious tampering on the publisher’s computer systems unbeknown to the publisher.
  4. HTTPS certificates only identify the owner of a domain, but cannot identify the author of any particular information found within that domain. For instance, an HTTPS certificate can identify the owner of “good.news.for.you” domain as being owned by “Good News For You Corporation”, but it cannot tell you that Fred Flintstone really wrote that front page article on their site the other day.
  5. Many HTTPS certificates (from Let’s Encrypt, for instance) are issued with no authentication guarantees whatsoever, because no identity checks are made. This is by design, and is not bad per se, as these certificates still support the privacy and integrity aspects of HTTPS.

Weaknesses 2, 3, 4 and 5 constitute the second major reason why one cannot, in general, have high trust in the integrity of browsed or downloaded information, nor have assured confidence in the identity of the author of the information you have browsed or downloaded. Weakness 3, in particular, is of major concern on the internet today: how does one verify that software downloads have not been tampered with? HTTPS will never tell you.

So, HTTPS is very important, and you will never find a bank site that doesn’t use it, but it does have its well-known limitations and weaknesses.

Enter the OpenPGP public key encryption standard.

The OpenPGP Standard

OpenPGP is the open internet standard derived from Phil Zimmermann’s original PGP encryption program and its subsequent development. For an overview, you may wish to refer to the Pretty Good Privacy article on Wikipedia.

Many sources of information, including the OpenPGP website itself, will tell you that OpenPGP is an email encryption standard. That is not true. It is an open encryption standard which can be applied to virtually anything, such as files, documents, whole disk contents, and so on. It is also commonly applied to email communications; however, it is not limited to that domain.

This website, for instance, uses OpenPGP (and, in particular, the GnuPG implementation of it) to provide cryptographic signatures for the main files which are available for download. When you verify these signatures, you can be assured of two things:

  1. The file was created by me; and
  2. The file has not been altered in any way, shape or form since I created and signed it.

With the vast majority of websites out there today, you simply cannot do those two simple verifications.

Getting Set Up With OpenPGP Tools

All of the major platforms, such as Linux, Mac OS, Windows, iOS and Android, have OpenPGP implementations available for them.

If you have not yet read my Recipe for Freedom snippet, you should do so, as it contains further rationale and links to practical things you can do to increase privacy and freedom in general in this age of the internet.

One of the links in that snippet will take you to the Email Self Defence web page, which will take you through a step-by-step process to set up OpenPGP encryption and start using it for email. I recommend that you do that.

How to Verify the Integrity and Authorship of Files on this Website

Having installed and configured your OpenPGP implementation according to the suggestions under the previous heading, you are now ready to perform the simple steps required to verify the integrity and authorship of the files you download from this website.

When you download an article or other file from this website, download its signature file at the same time. Do not wait until later to download the signature file, for the simple reason that if the document or file is updated on the website, so will its signature be updated, and you will never be able to verify the old file because you do not have the old signature that goes with it. All you could do in that case would be to download the updated file and the updated signature and verify the new file only.

Once you have both the file and the signature file that goes with it (usually named the same, but with an additional .sig extension), then you are set to verify the authorship and integrity of the file.

The first time you verify one of my files, you will need to retrieve my public key to use in the verification process. This is a once-off thing, which you will not need to repeat. You can get this key either by downloading it directly from this website, or by obtaining it from one of the public “keyservers” that are out there.

Downloading and Importing the Key from this Website

These are the required steps:

  1. Go to the home page of this website, and find the link to download my public key, and download it to your computer.
  2. Use your keyring manager, for example, Kleopatra, to import the downloaded public key (sometimes called a “certificate”).
  3. Use your keyring manager to check that the fingerprint of the imported key matches the one published on my website homepage.

You can generally also use a command line to do this, if you wish. For example:

$ gpg --import some-key.asc

Obviously, these steps assume that the Torah Toolbox website has not itself been compromised, which should be a fairly safe assumption, given the fact that there would be (at the time of writing this) zero to no motivation for that to happen.

If, on the other hand, you just want to be doubly sure, and you know me personally, then call me on the phone, and I can read to you the key fingerprint for you to verify.

If you do not know me personally, you can still at least check both the website and the public keyservers, to see that they match.

Note that this key verification “problem” or weakness can only improve as more than a tiny fraction of people begin to take privacy and authentication more seriously and start using OpenPGP. This is because keys can be countersigned by other people, so building up what is usually referred to as the “Web of Trust”, where you do not necessarily have to know a person, but could know a person who knows the person, and so on.

Obtaining the Public Key from a Public Keyserver

There are only two steps required for this:

  1. Use your keyring manager, for example, Kleopatra, to search for and import my public key. Search for david@trudgett.me
  2. Use your keyring manager to check that the fingerprint of the imported key matches the one published on my website homepage.

Using the gpg command line, you could do the same with the following command:

$ gpg --search-keys david@trudgett.me

Obviously, the verification step assumes that the Torah Toolbox website has not itself been compromised, which should be a fairly safe assumption, given the fact that there would be (at the time of writing this) zero to no motivation for that to happen.

If, on the other hand, you just want to be doubly sure, and you know me personally, then call me on the phone, and I can read to you the key fingerprint for you to verify.

If you do not know me personally, you can still at least check both the website and the public keyservers, to see that they match.

Note that this key verification “problem” or weakness can only improve as more than a tiny fraction of people begin to take privacy and authentication more seriously and start using OpenPGP. This is because keys can be countersigned by other people, so building up what is usually referred to as the “Web of Trust”, where you do not necessarily have to know a person, but could know a person who knows the person, and so on.

Verifying a Downloaded File Against its Signature

With the .sig file and the document file in the same folder/directory, follow these steps:

  1. Open your keyring manager, for example, Kleopatra, and select the option to verify a file. In Kleopatra, you may find this on the toolbar, and it is called, “Decrypt/verify…”
  2. Select the .sig file and choose “Open”.

If all goes well, you will have a message displayed to you which says that a valid signature from me (my email address) was found.

You can generally do the same thing using the command line, similar to the following example:

$ gpg --verify the-name-of-the-article.pdf.sig

and you should get results similar to:

gpg: assuming signed data in 'the-name-of-the-article.pdf'
gpg: Signature made Thu 28 May 2020 09:31:29 AEST
gpg:                using RSA key B3F45566982B67549B1FE2865676F1279D1C2A91
gpg: Good signature from "David Trudgett <David.Trudgett@emailaddress>"

The example commands assume, of course, that you are using GnuPG.
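
A "Good signature" line only tells you that the signature verifies against some key in your keyring, so a scripted check should also confirm which key made it. The following is an added example, not part of the original page: shell functions (names are illustrative) that read the key fingerprint from GnuPG's colon output and accept a verification only when GnuPG's machine-readable status names the expected fingerprint. The fingerprint and user ID are taken from the sample output above, the status lines are constructed, and the commented usage assumes a GnuPG version that has --show-keys.

```shell
#!/bin/sh
# Added example (not from the original page): fingerprint-pinned verification.

# Print the primary-key fingerprint from `gpg --with-colons` output on stdin:
# the first "fpr" record carries it in field 10.
first_fingerprint() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Read GnuPG status lines on stdin. Succeed only if a VALIDSIG line names the
# expected fingerprint (signing key in field 3, primary key in the last field)
# and no line reports a bad, unverifiable, expired or revoked-key signature.
status_matches_fingerprint() {
    # Normalise the expected value: drop spaces, upper-case the hex digits.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pinned FINGERPRINT SIGFILE DATAFILE
# gpg writes its machine-readable status to stdout (--status-fd 1); the
# human-readable "Good signature" text on stderr is deliberately ignored.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        status_matches_fingerprint "$1"
}

# Constructed sample status output, modelled on the page's example signature.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5676F1279D1C2A91 David Trudgett <David.Trudgett@emailaddress>
[GNUPG:] VALIDSIG B3F45566982B67549B1FE2865676F1279D1C2A91 2020-05-27 1590622289 0 4 0 1 8 00 B3F45566982B67549B1FE2865676F1279D1C2A91'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 5676F1279D1C2A91 David Trudgett <David.Trudgett@emailaddress>'

# Typical use, with FPR set to the fingerprint published on the home page:
#   gpg --show-keys --with-colons some-key.asc | first_fingerprint
#   verify_pinned "$FPR" the-name-of-the-article.pdf.sig \
#       the-name-of-the-article.pdf && echo "signed by the expected key"
```

Compare the output of first_fingerprint with the published fingerprint before importing the key, then pass that same fingerprint to verify_pinned for every file you check.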

Website Author: David K. Trudgett

Updated: 2021-04-19 Mon 21:22 UTC+1000