Let’s use PGP and TAILS: A Beginner’s Guide

Let’s Use TAILS

(The Amnesic Incognito Live System)

TAILS is an operating system designed for security. PGP is a specific encryption program, which was invented in 1991 by Phil Zimmerman, whose many versions became interoperable under a standard called OpenPGP. GnuPG, also known as GPG, is an implementation of PGP.  If you are using GPG on TAILS, you are using PGP.

In order to ensure the confidentiality of data during transmission, to ensure its integrity, to prove that a message is authentic, and to decrypt confidential data send to you:

(1) Choose a USB

You are going to use TAILS as a live system on a USB.  Live system means that the operating system is on your USB and it will only run in the RAM of your computer.  You want to make your computer boot from your live USB and not from your computer’s hard drive.

Note that some USBs are not compatible with TAILS:

  • SanDisk Cruzer Edge 8GB
  • SanDisk Cruzer Extreme USB 3.0 16GB, 32GB and 64GB
  • SanDisk Cruzer Fit USB 2.0 8GB, 16GB, and 32G
  • SanDisk Cruzer Force 8GB
  • SanDisk Cruzer Glide 4GB, 8GB and 16GB
  • SanDisk Cruzer Switch USB 2.0 8GB and 32GB
  • SanDisk Cruzer USB 3.0 64GB
  • SanDisk Cruzer Blade 4GB, 8GB, and 32GB
  • SanDisk Cruzer Facet
  • SanDisk Cruzer Orbiter 32GB (hangs at installation time but boots fine afterwards)
  • SanDisk Ultra 16GB, 32GB

(2) Download TAILS 

You can use any computer to do this.  Firefox will allow you to verify your download using an add-on, which is very convenient.

If you are not familiar with TAILS, watch this outstanding video by the Center for Investigative Journalism in London:

They offer the  best instruction available anywhere about how to set up TAILS and use GnuPG.

 

(3) Verify your download.  This must be done.

Here is a video that will tell you exactly how to do it:

(4) Choose a computer on which to use TAILS

Start with a computer to hand and make sure to set your copy of TAILS to “disable all networking” whenever you create files or perform encryption/decryption.  This is the standard way to use TAILS.

If you wish to go to an extremely high level of security, dedicate one computer that never gets online, has never been online, cannot get online–ideally with no wireless antenna, no network interface card, no hard drive, no audio/microphone ports–that you will use to run your live USB with “disable all networking” checked every time. As with the standard setup, you will store your keys on an encrypted partition using a passphrase. You will also use the encrypted partition to store revocation certificates.  A netbook will do nicely as this sort of base computer.  Flashing its CMOS is not a bad idea before you start.

(5) Learn the difference between symmetric and asymmetric encryption

 

 

(6) Create keys

In PGP, the certification key is used to sign sub-keys and to sign the keys of other people.  You want to create a (C) certification key first, and then move on to an (E) encryption key and (S) signing key.  You can also create an authentication key (A), which has special purposes.  The C key is often called the master key.

You will have some decisions to make about public key algorithms, symmetric algorithms, hashes, key sizes, and compression, but those are easy.

Generally, you do not want to use one key for everything:  CSEA.  This may open you up to attack.  Think of that certification key as your identity and protect it as such.  It can stay valid forever.  Your encryption and signing keys are recommended to have a lifetime of 2 years or so.  You can change them out.  You can save your old keys if you need to. If you have files that were encrypted with an E key, then you will need that particular key.

That certification key (C) binds itself to your E and S keys.  You only need one E and one S in most cases.  If you start to use multiple E and S keys, that can cause problems.  Gpg will usually default to the latest key you created.

(7)  Generate revocation certificates. 

You want to escrow that certificate, probably on a piece of paper, and store it away from your device is a secure place such as a safe.  If you lose your confidential device, you can revoke your keys–no one can assume your identity.

(8) Set the preferences for how your keys will function.

That is done in the configuration file.

That’s It!  You are ready to use PGP.

 

 

 

 

Advertisements
Featured post

Cryptogeddon: Will Quantum Computing Kill Public Key Cryptography?

This is a very interesting article on a salient point in information security.  It is even readable.  Bruce Schneier insists that one-time pads are not the future of cryptography.  Sometimes one wonders.

The Impact of Quantum Computing on Present Cryptography

Spoiler:

Screenshot from 2018-06-05 01-04-16

Here is an interesting quote from the conclusion:

“The consequence of this technological advancement is the absolute collapse of the present public key algorithms that are considered secure, such as RSA and Elliptic Curve Cryptosystems. The answer on that threat is the introduction of cryptographic schemes resistant to quantum computing, such as quantum key distribution methods like the
BB84 protocol, and mathematical-based solutions like lattice- based cryptography, hash-based signatures, and code-based cryptography.”
Featured post

Internet Security For the Absolute Beginner

We want to use the internet without sacrificing our privacy.  In order to do that, it seems that one needs to have worked at the NSA in cyber for thirty years.

In America, a herd mentality reigns.  Because of pervasive advertising, people are lulled into believing that communications products from Google and Apple are safe and appealing.  They are certainly not always safe, even though a lot of people use them.  Apple phones are wonderful for being controlled remotely, and Google’s Android phone is inherently unsecure.  In fact, it is a big, fat joke to think that either type of phone can be rendered secure.

Their apps come from all over the place, and there is a lot of tracking. Sorry to say, the purpose of that phone is to gather your information!  It is very difficult to check the integrity of most Google apps. Therefore, it is not just Google who is collecting your coveted data.  Try calling one of those app providers for customer service:  you’ll be speaking to someone in Bosnia, Turkey, etc. Security and privacy are not emphasized at all; in fact, they are constantly, blithely undermined.  Those in the herd are not supposed to complain, and the less they know the better.

There is a lot of deception going on.  Data is money, and they want your data.  It has gotten so bad that tracking blockers such as Ghostery and AdBlock Plus have actually become tracking tools (only limiting obtrusive ads).  People go to Ghostery and AdBlock Plus to limit tracking, but they only enable it.  All roads lead to Google, and they are depending on you being uninformed. But the good news is that people like the EFF have reacted, and a real tracking blocker is now available:  Privacy Badger.

Mobile devices are inherently unsecure unless extraordinary measures are taken.  Just in the news is a story about how mobile devices in China are being injected with malware by fake phone towers.  Passwords and banking information are being stolen and exfiltrated by SMS. There is no end to how your phone can be attacked and owned, and your information stolen. If you want a secure phone, then get a small old-school device with no camera, no apps, and no social media.  The amount of information that an attacker is going to get out of you is lessened greatly.

If you know someone who does cyber offense for a living and you ask for his of her personal email address, then you might get a wince:  “I don’t do email.”

If you know someone who does cellular offense for a living and ask for security advice about mobile phones, then you might get this:  “Your phone? Lose it.”

So, the question of our time:  how does a person live in this collection-platform world?  First, you need to do a security assessment.  You need to know what level of security is right for you.  And you need to know what security products actually work.  We have already talked about Ghostery.  This is not only the era of fake news:  this is the era of fake security products that compromise your data, which is valuable.

The purpose of this website is to inform people about real information security.  Our emphasis is on how to use encryption.  There are very few clear explanations that enable an absolute beginner to use encryption well–that is, so that it works.  If you stick  to our site, you will gain assurance about your activity on the internet, and you can know that your information and privacy are really protected.  For the absolute beginner, we have to start from his or her viewpoint, and go step by step, clearly.  These sorts of explanations are largely missing from the internet today, even though they are sorely needed.

First, we will go over general principles, and then in subsequent posts we will do step-by-step actions (for using PGP, for creating an air-gapped system, for compressing files, for using symmetric encryption, for storing information securely, etc.) involving specific operating systems and software.

For All Internet Users

There is no such thing as absolute security on the internet, but you can take precautions.

 

Step 1: Don’t Do Encryption on Your Mobile Device

A. We are not going to depend on a mobile device to secure our information.  Despite all the hype, all the advertising with smiling inter-racial volleyball matches on the beach with pretty girls in bikinis, those phones are designed to collect your information and turn you into another uninformed, schmendricked consumer. If you must have a phone, go old-school and use it for phone calls and SMS only.  All of that information is completely open to collection.

B. We are going to use a laptop, desktop, or netbook that we connect to the internet.  The next step, for those who need a very high level of security, is to set up an air-gapped device that never has, and never will, touch the big collection platform that we all love, the internet.

Step 2: Get Rid of Windows and Use a Linux-based Operating System

C. We are going to use a Linux-based operating system.  They are inherently more secure.  We are going to choose a flavor of Linux that we like, and we have several good choices. Over-the-top security claims about Linux-based OSs are mistaken.  But using a flavor of Linux can your security.

  1.  TAILS is best
  2.  Fedora is very good
  3.  Ubuntu is good
  4.  Puppy is good

D. We must wipe the computer that will receive our new operating system.

E.  We must verify the integrity of the Linux-based operating system ISO file that we download.  We must also make sure that it came from the place we think it came from.

 

Step 3: Be Aware of the General Security Principles for Everyone (What Must be Done)

A lot of bad stuff depends on you being uninformed.  For example, that the U.S. Constitution has been subverted.

A.  Use a Linux-based operating system that you verified, but don’t get over-confident.  This is just a step in the right direction, not a cure-all.

B. If we put the OS on the hard drive, as opposed to running it as a live system (on a USB, for example), we must encrypt the full hard drive, or, at least, our home folder

C. And we must use a real password, one that is at least 24 characters long; uses as much of the full range of letters, numbers, and symbols as possible, etc.  Password management is one of the worst problems in information security, and it had not yet been fixed–until now.  We are going to show you how to do this the easy way.  Full disclosure:  we are getting a patent for this and it is going to be a product for sale. There will also be a free version.

D. Applications are a huge threat vector.  We need to keep an eye on them, harden them, update them properly, and make sure that we don’t maintain applications that we never use.  Some operating systems make this easier than others.  AppArmor or SELinux are important tools in this effort.

E.  We must harden and configure our BIOS.

F.  We must properly configure, manage, and use a firewall

G.  We must make sure our display locks after a certain period, and that a password is required to re-open it.  Yes, that can be inconvenient, but convenience is the enemy of security.

H.  We must check for rootkitsChkrootkit is not easy to understand, and it can give false positives. Using chkrootkit properly starts with verifying it after download. Getting a baseline reading of chkrootkit results is important for tracking changes.

I. We must limit and manage the connections of our device to the internet.  We need to turn off remote control and manage how our computer operates its listening services.  External ports that are not needed do not need to be listening.

J. It is important to know who to turn to when you have questions about your operating system or an application.

K. We must not use root permission when it is not needed.

L.  We must make sure that our system is updated, especially for security.  Fedora is especially good at this.  TAILS also does a very good job.

Step 4: Set it Up for Security

 

Step 5: Choose a VPN and a Commercial Email Provider

A.  A good VPN is one that is not based in the United States, sorry to say, and has a minimum of logging, uses strong encryption, has its own DNS servers and a NAT firewall, and has good customer service.  Expressvpn used to be a very good choice, but it no longer is because they put the Google collection suite on your phone. VyprVPN is a good choice. Make sure to connect to a server that is not in the U.S., Canada, Australia, New Zealand, or Great Britain.  It is often useful to connect to a server in a time zone that has low traffic (between midnight and six in the morning, their time). The best choice by far is ProtonVPN.

B.  A good commercial email provider is one that is not based in the United States, sorry to say, nor in Canada, Australia, New Zealand, or Great Britain., and it is uses strong encryption end-to-end.  Protonmail is an excellent choice. Protonmail is end-to-end encrypted, security conscious, and based out of the inside of a mountain in Switzerland. Tutanota is a good choice. It does not track you either, and it is based out of Germany.

Step 6: Let’s Choose a Browser

A. That is easy.  Go with Mozilla Firefox, and take advantage of their security and privacy add-ons.  Be careful, though, of the poisoned pills:  some add-ons do the opposite of what they purport to do.  This is a pathetic situation, but your information is valuable, and a lot of tricks are being played against decent people.

B. Choose add-ons for your Firefox browser.

Congratulations! You have gone a long way to making your information life safer.  Malicious actors are not going to be able to piggy-back on Google and Microsoft products to steal from you and spy on you.   Now let’s talk about PGP.  Wait, we already did!  If you chose Protonmail, you are using state-of-the-art encryption already.  Let’s talk about PGP anyway, and encrypt some files.

Featured post

Why Johnny Still, Still Can’t Encrypt: Evaluating the Usability of a Modern PGP Client

Why Johnnie Still, Still Cannot Encrypt

 

Here is an excerpt:

In our study of 20 participants, grouped into 10 pairs of participants who attempted to exchange encrypted email, only one pair was able to successfully complete the assigned tasks using Mailvelope. All other participants were unable to complete the assigned task in the one hour allotted to the study. This demonstrates that encrypting email with PGP, as implemented in Mailvelope, is still unusable for the masses.

Featured post

What is Symmetric Cryptography?

“In symmetric cryptography, the sender and the receiver use the same secret key and the same cryptographic algorithm to encrypt and decrypt data. For example, Alice can encrypt a plaintext message using her shared secret key and Bob can decrypt the message using the same cryptographic algorithm Alice used and the same shared secret key.”
That is, symmetric cryptography is what most people think of when they imagine codes and code breaking.  It is also old-school cryptography, to include one-time pads, etc.

plain text         78617 78377 50528 37726 48357 57578 31118 36868 6883

key                    13698 93797 05536 49550 66877 17941 11148 70355 7593

cipher text      81205 61064 55054 76276 04124 64419 42256 06113 3376


“The key needs to be kept secret, meaning that only Alice and Bob should know it; therefore, an efficient way for exchanging secret keys over public networks is demanded. Asymmetric cryptography was introduced to solve the problem of key distribution in symmetric cryptography. Popular symmetric algorithms include the
advanced encryption standard (AES) and the data encryption standard (3DES).”
From: The Impact of Quantum Computing on Present Cryptography,  Here
(The example is ours)
How do we manage symmetric keys?
 Screenshot-2018-6-5 How is the key shared in symmetric key cryptography

This part about key exchange is from:

If You Are Not Sure How to Set Up a Computer That Has Good Security: Mozilla Add-ons + a Good PC Setup

You only have normal information security needs, you are not an IT professional, and you want to cut through the verbiage and have a safe computer.

(1) The unpleasant fact is that you cannot absolutely secure any computer that touches the internet. But you can improve your security greatly.  A first step is to get yourself away from Windows, the most attacked operating system in the world, and one that spies on you like a professional.  Some people say this is arguable, especially when they simply like Windows, but it better to say goodbye. Go with Fedora as your operating system.  It is easy to use and it is free.  Keep in mind that Linux-based operating systems like Fedora are attacked in the same ways as Windows, but there is real benefit to cutting the cord to Microsoft.  All operating systems are somewhat mediocre.  There is nothing we can do about it at the moment.

However, if it has the name of a big American company on it, then don’t use it.  This really helps. You want to get away from Google, Microsoft, etc., as much as you can.  Let me emphasize this:  you especially must get away from Windows, Apple, and Google.  Other flavors of Linux are also good such as Ubuntu, Puppy, Mint, OpenSUSE, etc.  Puppy is easy to run in memory only.

Once you install Fedora you can use GnuPG, manage keys, install rkhunter, unhide, chkrootkit, clamav, and lynis.  It is all free.

(2) Use Mozilla as your browser and only Duckduckgo as your search engine.  Use the following Mozilla add-ons, and make sure to avoid Ghostery, which is a fraud.

This first add-on is your friend.  It stops tracking across tabs.  You can reduce much of what a company has to collect and sell about you.

Screenshot from 2018-05-21 14-37-28

This one is highly recommended for blocking trackers.

Screenshot from 2018-05-21 14-38-15

This one is dreaded by the people who track you.

Screenshot from 2018-05-21 14-38-58

Obfuscate the trail of your internet life.

Screenshot from 2018-05-21 14-39-31

Make it harder for hackers.

Screenshot from 2018-05-21 14-40-25

Those add-ons have been tested to see if they work together.  They do.

(3)  Use ProtonVPN to encrypt your traffic through your ISP.  Also use Protonmail as your email provider.  It is really worth it.  End-to-end encryption is the way to go.  We have analyzed their PGP keys, and it all looks good. They do a superior job in email and as a VPN.

Screenshot-2018-5-21 ProtonVPN Secure and Free VPN service for protecting your privacy

There are many other add-ons which are very good to use.  HTTPS Everywhere comes to mind.

(4) You must use strong passwords. Use Diceware to generate a password/passphrase that you can depend on.

Diceware is a good way to generate a dependable passphrase.  You can also measure its strength.  The Electronic Frontier Foundation also has a list of words to use.  Here is an example of a diceware password:

rice immorally worrisome shopping traverse recharger

-notice that one should keep the spaces between words

Diceware + 

So let’s now do three things:

(1) capitalize one word   (2) insert one group of symbols  (3) insert a number

rice immorally WORRISOME shopping traverse $**))1848 recharger

It is very important to note that a truly powerful password is generated randomly, but this method of Diceware or Diceware + does create demonstrably strong passwords.

 

 

How to Delete Facebook: to Not Have and to Not Hold and Forever Do Us Part

So, you finally got tired of bambi-eyed Zuckerberg and his hyper-aggressive machine of lies and tricks whose one goal of existence is to grab your data?  Good for you.

1.  Get rid of what devices you can and wipe the ones you cannot.

2.  Delete your Facebook account–after you stick some fake information on there. Facebook does not make it easy and fast to delete your account.  They would prefer that you deactivate it.  It is not obvious at all how to delete your account.  You actually have to go through several menus such as “learn more” and one in which you request to be deleted.  They give you 14 days to decide if you really want to go.  Aw, shucks…  they love you.  Well, not really.  They love selling you as if you were a product.  Bambi/Zuckerberg is not the most honest guy on the planet, and saying adios to his deception feels good.

3.  Start with a new or wiped desktop/tower computer/laptop/notebook.  This device is going to be the one you connect to the internet.  Wipe it again.  Download the latest version of Fedora or TAILS.  Fedora is very intuitive, and you can put it on your hard drive.  Or you could start using TAILS as a live USB and leave the hard drive empty.  The point here is to use a linux-based OS that does not collect on you or otherwise link to a big company.  Puppy Slacko is also a very good option.  What is not a good option is anything with Microsoft or Google written on it.

4.  This computer is not going to be used for any social media whatsoever, except perhaps Keybase.

5.  Verify your Fedora download.  Put it on your HHD.  Purchase ProtonVPN and a Protonmail account for your email.  Their servers in Switzerland are recommended.  Use Mozilla as your browser, with the following add-ons:  TrackMeNot, uBlock Origin, Privacy Badger, HTTPS Everywhere, and User-Agent Switcher.  All of these are fun to play.  You can also use NoScript, which is actually a very good idea, but it does require some attention.  It will give you a very clear picture of how web pages are tracked, and how you can stop it.

Most importantly, you want to use the add-on for Mozilla called “Multi-account Containers”–this is easy to use, and it effectively stops tracking from website to website.

6.  In Fedora, under software, you can download and use BleachBit, to delete cookies, empty the Firefox Cache, and clean up disc space.

7.  That’s it.  From then on, avoid Facebook, avoid liking stuff on other websites, use the containers, use your VPN, and you just got your privacy back.  Spend some time to learn the details of using the add-on NoScript, a powerful tool for your browser. Again, use the containers, and make it a habit.  Congratulations!

Speaking of Security: How Can the USA Better Protect its Classified Information?

Strictly speaking, putting a label on classified information does not protect it. In fact, the appearance of protection may be one part of the problem–unless the label and the efficacious protection were to go together. As a theoretical construct, such a system looks doable.

Make the container match the level of classification.  Labels with different colors do not actually protect anything.  The strength of the container should be consonant with the level of classification of the information inside, and it could have other important features such as tracking who saw it, where it was, when it was viewed, etc.

In the case of paper, instead of merely having a file on a desk, one could have a file that is a container which offers different levels of protection and also records metadata.  It might look like a file, but it would be more secure:  papers won’t fall out, the location of the file could be tracked very easily.

Electronic files with varying levels of encryption, physical security, and information collection capabilities, might be better than having loose papers and terabytes of downloadable information floating about.

Security is Relative, not Absolute

Many security products promise the moon and stars with ridiculous statements such as “stop hackers” and “100% safe”–which are misleading at best and dirty lies at worst. No one likes to be uncomfortable about security, but the truth is very uncomfy indeed:  there is no such thing as absolute security in information security, especially on the leakiest of untight and unwieldy ships, the U.S.S. Internet.

Kleptography is the new reality, and kleptotrojans in random number generators/compilers/key generators are a lethal threat.  What is kleptography you ask?  Kleptography is using encryption to steal everything on your computer without your knowing.

Getting on the internet means being open to the delivery of kleptographic tools.  Almost as bad, we now have the internet of things (IoT), another series of threats.  What is the solution?  For the information that you want to keep private, you must go off-line.  If your life depends on it, air gapping is the only solution.  If you are using a computer, as you probably are at this moment, everything on that computer is up for grabs.  That is fine, as long as you know it and you don’t mind that what is on there can be lifted very easily.

But there is strong security and near-absolute security for all levels of information.  We can have a high expectation of privacy, anonymity, or both, with good products and best practices.

Using a product such as Protonmail for your email provider is an instance of employing strong security to ensure privacy.  Encrypting a file off-line with a symmetric cipher such as CAMELLIA256 and hashing it with SHA512, and sending that over Protonmail would be even better.  Using a one-time pad, encrypting it with an appropriate public key or a symmetric cipher, and sending that over an end-to-end encrypted provider like Protonmail is near-absolute security (NAS).  NAS is as good as it gets. Done properly, such a message will remain unter vier Augen, and will have never really existed once the key to the one-time pad is destroyed.

That said, one must be careful to be aware and to follow the laws that apply to cryptography in your area.  For example, in Thailand it is illegal to destroy keys.  In Thailand, you can use symmetric keys, but you must keep a copy because that is the law.  Find out what the laws are for cryptography in your jurisdiction.

Can One Use Numbers as a One-Time-Pad Key? (a question at Cryptography Stack Exchange)

Yes, you can use numbers as a one-time-pad key. In fact, the CIA used to do it all the time, as did many.

When you use numbers the plaintext becomes letters by referring to a conversion table such as the venerable “Tapir” used by the STASI.

enter image description here

Here the addition will be modulo 10. Vernam Cipher, or the one-time pad (OTP), can also be done modulo 2:

SENDING


message: 0 0 1 0 1 1 0 1 0 1 1 1 … pad: 1 0 0 1 1 1 0 0 1 0 1 1 … XOR ————————— cipher: 1 0 1 1 0 0 0 1 1 1 0 0 …

RECEIVING


cipher: 1 0 1 1 0 0 0 1 1 1 0 0 … pad: 1 0 0 1 1 1 0 0 1 0 1 1 … XOR ————————— message: 0 0 1 0 1 1 0 1 0 1 1 1 …

Or it can be done modulo 26 (with English letters, for example):

Plaintext: DARLING THE NIST CURVES HAVE BEEN COMPROMISED AND MY RANDOM NUMBER GENERATOR HAS A KLEPTOGRAPHIC BACKDOOR I FEEL SAD

Key: NLQVT ZBOFW MFAVS RJMDE PGNEX GGQMU VOFNE PBWXT ICDWK VEEYL EGVWS ZRDKD IDJGO HWKFF MBEGA KEUNQ BEYDO


Ciphertext: QLHGB MHHMA ZNSOU LAHHW WGIIY KKDOI HDWBQ XTAAT VFPUB VRHMX RAHXW QXHXH ZDCUF OWCFP XFTZO QVUCX JGZDQ MUYBN VQUZE RBR

Here is one example of what a CIA one-time-pad key looked like during the Cold War:

enter image description here

Create a free website or blog at WordPress.com.

Up ↑