textfiles/uploads/diz-usp2.txt

[Underground Security Paper no. 2]

Encrypting Email Communiques

v 1.0

By: DIzzIE [antikopyright 2007]

This is the second Underground Security Paper designed to further
empower you to give yourself some semblance of electronic privacy. If
you haven't done so, go read over USP no. 1: Encrypting your Instant
Messaging Conversations
(http://forum.rorta.net/showthread.php?t=576). And yes, I'm well
aware that there are a few other guides on encrypting emails already
out there, but they are either outdated or don't mention all of the
shit that I want to mention. So here we go, first we'll go over a few
ways to encrypt emails if you have steady access to the same computer
(i.e. your laptop or home desktop), and then I'll mention some
options for encrypting emails from public terminals using free
webmail providers.

Nota Bene: If you're a little fuzzy about this whole 'public key
cryptography' thingamajig (don't worry, so am I), it may behoove you
to take a quick gander at the respective Wikipedia article on the
subject (http://en.wikipedia.org/wiki/Public-key_cryptography) so
that shit like 'public/private keypair' will make slightly more sense
as you read this guide.

In a nutshell, what you'll be doing is generating a set of two keys,
or a key pair, one public and one private. The public key you make
public (duh) by giving it out to all of your contacts, posting it on
your website, and so on. The private key you keep--you guessed it--
private, and protected with a strong and salted passphrase (we'll get
to that later in the text). The sender of the email encrypts the
email being sent to you using your public key, and only you can then
decrypt the email using your private key. Likewise you use your
contact's public key to encrypt the emails you send to zir, and z
must use zir private key to decrypt the emails that you send to zir.
Now then, let's explore your various encryption options...

Option I: Encrypting Emails on a Stationary Computer Part One --
Thunderbird & GnuPG

If you have steady access to a computer on which you can install
software, this is the option to use. It offers much more flexibility
and security than any of the other options in that it is not tied to
any specific email provider or any specific operating system;
furthermore, your key management is done locally, not on any sketchy
third-party server. If you have some of the tools discussed herein
already installed (Thunderbird, GnuPG, Enigmail), you can of course
skip over the steps that tell you to install them ;).


   1. Install Mozilla Thunderbird
(http://www.mozilla.com/thunderbird/), which is a free, open-source,
multi-platform email client that you'll be using to fetch, read, and
send your emails in lieu of whatever client, web-based or otherwise,
that you currently may be using.

   2. Configure Thunderbird to fetch emails with your existing email
account. Open Thunderbird, go to File>New>Account, select Email
Account, and follow the Account Wizard to completion. You'll need the
address of your mail provider's POP/IMAP server to retrieve emails
and the address of an SMTP server to send emails. Search through all
of the readme files and help documentation of your email provider to
find the necessary server addresses to put into Thunderbird.

      If you're using certain crippled webmail accounts like Yahoo
or Hotmail, you'll need to run a third party program like YPOPs! for
Yahoo Mail (http://ypopsemail.com/) or the Thunderbird WebMail
extension (http://webmail.mozdev.org/) for Yahoo, Hotmail, and so on
(there are various other options such as FreePOPS
(http://www.freepops.org/) floating around as well; try them all out
and pick your favourite). Both of these programs have detailed
installation/setup instructions on their websites, so I won't bother
repeating them here. If you have a Gmail account, instructions for
configuring Thunderbird are here
(http://mail.google.com/support/bin/answer.py?answer=38343).

      If this seems like too much of a headache, you may find it
easier to try the browser plugins mentioned below in Option II
(though they may be significantly less secure, thus I strongly
recommend you stick with Option I).

      Nota Bene: Be sure to give Thunderbird and any of the other
related programs you install the ability to access the Internet in
your firewall and/or setup your router to forward all necessary ports
(default POP3 TCP port is 110, Secure POP3 (POP3S) is 995, and
default SMTP port is 25, though your mileage may vary).

   3. Install GnuPG (http://www.gnupg.org/download/). This is the
free, open source encryption suite that will provide the backbone for
encrypting/decrypting your emails. You can either grab the source
code and compile it yourself, or download a precompiled binary for
your OS (for instance, Windows users will probably go with
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.7.exe - the latest
compiled binary for Windows at the time of this writing).

   4. Install Enigmail (http://enigmail.mozdev.org/download.html).
Enigmail is an extension for Thunderbird that will allow you to
easily use GnuPG to encrypt/decrypt your emails within Thunderbird.
(If you have *.xpi files set to usually open with Firefox, save the
xpi file, open Thunderbird, go to Tools>Add Ons>Install, and go to
the directory where you saved the Enigmail xpi file.) Be sure to
install GnuPG prior to installing Enigmail.

   5. You'll now need to put the finishing touches on Enigmail by
generating a key-pair and tweaking a few settings (don't worry,
you're almost done :)). Reopen Thunderbird and you should now see an
OpenPGP menu at the top. Click on OpenPGP>Key Management and the
OpenPGP Wizard dialogue should pop up.

         1. Hit 'No' to exit the wizard (we'll be generating a key-
pair that is stronger than the one generated automatically by the
wizard, so we'll have to do this manually).

         2. In the OpenPGP Key Management window click on
Generate>New Key Pair. Select the Account you want to generate the
key-pair for in the drop-down dialogue, and leave 'Use generated key
for the selected identity' selected.

         3. This step is the most important step as it creates the
passphrase for accessing your private key. Aside from common sense
rules like making sure your passphrase is unique (i.e. not something
you also use to sign into your instant messengers or your webmail or
forum accounts) and contains mixed-characters including capitals,
numbers, and other <|-|/-\r@(73r5, you should also make sure that
your passphrase is of sufficient length (30+ characters is a good
start, or in other words the bare minimum).

            Furthermore, be sure to sufficiently salt your
passphrase (if you picked a particular quote that you like, don't put
in the quote verbatim but mix up the spelling a bit so as to deviate
from the standard accepted spelling by adding a few random characters
here and there and so on. For instance, instead of mysecretpassphrase
try ||\/||ysss3|<r377p@55frraeyz).

            Devote ten minutes a day for a week to commit your
passphrase to memory, and then destroy any existent recorded evidence
of the passphrase. Rehearse your passphrase periodically in your head
so that you don't forget it. If you nonetheless fear that you will
forget the passphrase store a copy of it in a clandestine location
away from your home, being sure that it has no identifiable markings
that would allow it to be traced back to you should it be found at a
later date by an undesirable third party.

         4. In the 'Key expiry' area below the Passphrase field, set
the duration you want your key to last. Remember that while 5 years
(the default) may seem like a lot of time, when your key expires
you'll have to go through the trouble of redistributing your public
key to everyone all over again. On the other hand, if you are
communicating with a small number of individuals to whom you can
regularly give out public keys, it would behoove all parties involved
to generate new keys on a regular monthly or even weekly basis.

            In other words, change your keys often for added
security, but also weigh the hassle involved in redistributing your
keys and picking a new passphrase for each key.

         5. Click the Advanced tab and change the key size from the
default 2048 to 4096 bits. Change key type from DSA & El Gamal to
RSA. You can find a variety of information online espousing the
virtues of RSA versus DSA and vice versa. I prefer RSA due to the
simple fact that DSA was designed by a then-NSA employee, while RSA
was designed by three professors. Though academia is of course deeply
intertwined with government interests, RSA may still be the so-called
lesser of two evils due to that one notch of separation from the
government. At any rate, irrespective of whatever encryption
algorithm you select, be sure to bump the key size up to 4096 bits.
Recent news (http://arstechnica.com/news.ars/post/20070523-
researchers-307-digit-key-crack-endangers-1024-bit-rsa.html) shows
that 1024 bit keys are ever-closer to being cracked.

         6. Now open a movie or two in a video player (re: the
little message saying 'actively browsing or performing disk-intensive
operations during key generation will replenish the 'randomness pool'
and speed-up the process'), and then hit Generate key and wait for
your key-pair to generate.

         7. After the key pair has successfully generated you will
be asked if you want to create a revocation certificate, hit Yes and
save the certificate to an external medium (not your hard drive) that
you can then store in a secure remote location (not your home and not
where you're keeping your passphrase). If you have doubts about your
ability to securely and remotely store the revocation certificate, do
not create one. Remember that if anyone gets a hold of your
certificate they can then make your key invalid, forcing you to have
to explain to your contacts why "you" are suddenly using a new key,
which will in turn cast a shadow of doubt over your supposed identity.

         8. Exit out of the Key Generation window to get back to the
Key Management window and, right-clicking on your newly generated
key, select Export Keys to File. Be absolutely sure to click 'No' in
response to the question that pops up asking you if you want to
include your secret key. Open the resulting .asc file in a text
editor and double check to make sure that only our public key is
included. You can now send this public key to all of your contacts,
as well as posting it on your own website and/or on that of a public
key server (in case of the latter, right click on the key again and
select 'Upload Public Keys to Keyserver', but I strongly advise
against doing so).

            Nota Bene: I don't particularly recommend uploading your
key to a public keyserver as I don't like the idea of even my public
key bouncing around on some third-party server, not to mention that
it may be possible to determine relationships between people by
comparing all signatures tied to a key by performing a Verbose Index
search for keys on a given key server. This is a significant blow to
your privacy.

         9. Exit out of the Key Management window and, clicking on
OpenPGP again, this time go to Preferences and check 'Display expert
settings'). In the Sending tab, be sure to check 'Add my own key to
the recipients list', 'Re-wrap signed HTML text before sending' and
'Always trust people's keys.' The other options are optional, and you
can mouse over them to get a little more information about each one.
Alternatively, more information on Enigmail configuration is
available here: http://enigmail.mozdev.org/configure.html. Come to
think of it, the first three options are also entirely optional, but
will make Enigmail/Thunderbird run a little more smoothly.

        10. Under the Advanced tab, be sure to uncheck 'Add Enigmail
comment in OpenPGP signature' as this comment field tends to
sometimes interfere with successful decryption of the message in
Enigmail/Thunderbird when included in the sender's message. The other
features are optional. Hit OK to save your modified preferences and
get back to the main Thunderbird window.

   6. Now that you've finally set all the shit up (phew!) it's time
to take it for a test run by sending yourself an encrypted email.

         1. Hit the Write icon (or press Ctrl-N) to open a new email
window, and enter your email address in the To field. Enter a sample
message and press the little triangle next to the OpenPGP icon to
select 'Encrypt Message' (or press Ctrl-Shift-P) (Sign Message should
already be checked, though do check it if it isn't).

         2. Hit Send (or press Ctrl-Return), enter your passphrase,
and hit OK.

         3. In the main Thunderbird window, click on Get Mail (or
press Ctrl-Shift-T) and locate the message that you just sent
yourself (sort the emails by date or by sender or search for the
subject to make it easier to find).

         4. Double click on the message and if you have
'Automatically Decrypt/Verify Messages' selected under the OpenPGP
menu, you should now be prompted for your passphrase. Otherwise,
select the email and hit the Decrypt button, and enter your
passphrase. You should now see your decrypted message in plaintext.

   7. Now let's try sending someone else an encrypted email. Get a
contact to generate a key pair and obtain zir public key. Z can
either send you the public key manually, upload it to a website, or
upload it to one or more of the public keyservers (see end of Step
5.h -- uploading to public key servers is not advised). Yet another
alternative would be for your contact to send zir public key as an
email attachment to you along with the initial message so that you
will be able to encrypt your response.

         1. In case your contact uploaded the key to a keyserver
(which if you recall, may not be a good idea) go to OpenPGP>Key
Management>Key Server>Search for Keys>select the Keyserver to which
your contact uploaded zir key, and enter the contact's Key ID
prefaced by 0x (for example 0xSC4TL0V3 wherein SC4TL0V3 is the Key
ID, which your contact can find by going to OpenPGP>Key Management).
Hit OK and then OK again once the public key has been found to import
it into your keyring.

         2. If, on the other hand, you're being smart and safe and
importing the public key manually, go to
OpenPGP>KeyManagement>File>Import Keys from File>and find the key. If
the key has a .asc extension, you should be able to find it using the
default file type 'GnuPG Files'; however, if you saved the file as
.txt or what have you, be sure to select 'All files' in the 'files of
type' drop-down area or you won't be able to see the key file. Once
you've found your contact's public key, hit open and OK to import the
public key into your keyring.

         3. Now that you have your contact's public key imported, go
ahead and send zir an encrypted email. Repeat Step 6.a to compose
your test message, but this time when you hit Send, select the
Recipient(s) for Reception in the window that pops up by placing a
check next to your contact's key and hitting OK. Put in your
passphrase and wait for Thunderbird to say 'message successfully
delivered.'

         4. Your contact should now check zir inbox to find your
encrypted message and then click the Decrypt button, input the
passphrase to zir private key, and then successfully view the email
you just sent. Now get your contact to send you an email encrypted
with your public key so that you can practice decrypting it using
your private key. If you have no immediate contacts to test
encryption with, make another email account and send encrypted emails
between your two accounts.


Nota Bene: Encrypted email is also a great way to send encrypted
file attachments. When composing your message, click the Attach
button and select your file(s), then when clicking Send simply select
'encrypt each attachment separately', and your entire attachment will
now be encrypted (and can be decrypted by selecting the attachment,
right-clicking and selecting either 'Decrypt and Open' or 'Decrypt
and Save As'). Though do bear in mind that the name of your
attachment will not be encrypted, so My_Sisters_Snuff_Reels.avi may
not be the best idea for a filename ;).

And there you have it! You should now be able to send and receive
encrypted emails and everything that entails (generate strong key
pairs, import/export keys, generate revocation certificates, and so
on and so forth).

Option II: Encrypting Emails on a Stationary Computer Part Two --
Web/Broswer-Based Options

In case Option I seems way too overwhelming or you just can't seem
to get one of the necessary add-ons to work, there are a couple other
web/browser-based options that you can employ to encrypt your email.
I neither trust nor recommend any of them (though I haven't tried
them out either), and am only listing them here in case you need to
send encrypted email urgently, and don't have the time to go through
the elaborate setup of Option I (or you can't get I to work). Though
it will probably take you just as long to setup these options (and
get your recipient to do the same) as it would for you to setup
Thunderbird/GnuPG in Option I in the first place. Thus, if you can't
get Option I to work, you're better off trying the webmail options
presented in Option III below.

~ Freenigma (http://www.freenigma.com/) is a Firefox extension that
integrates into popular web-based email options like Hotmail and then
allows you to generate your keypair/encrypt your email within the
browser using the ordinary web-based Hotmail/Yahoo/whatever page.
Freenigma currently doesn't work with anyone who doesn't also have a
Freenigma account and doesn't encrypt attachments. All key-management
is furthermore done server-side which means you apparently can't
import/generate keys on your own. You can find further setup
information here: http://www.simplehelp.net/2006/08/26/how-to-encrypt-
your-email-using-freenigma/. Not recommended.

~ Gmail Encrypt
(http://www.langenhoven.com/code/emailencrypt/gmailencrypt.php) is a
Greasemonkey script that adds encryption functionality to Gmail
accounts. Both the sender and the recipient will apparently have to
be Gmail users. Again, not recommended unless none of the other
options are feasible in your situation.

Option III: Encrypting Emails on Public Terminals (Using Free
Webmail Providers)

Setting up Thunderbird/GnuPG is great assuming that you have a
computer of your own to set everything up on (or access to a computer
that has enough permissions enabled to be able to install software on
it). But what to do if you don't? Until you jack a passed out college
kid's laptop at the local college library, you can use a couple
webmail options that have encryption capabilities.

~ Hushmail (http://www.hushmail.com/) provides a free encrypted
email service with various limits (for instance you're given only 2
Mb of storage, and are required to log into your account every three
weeks or lose the account). The nice thing about Hushmail is that it
allows you to export your private/public key pair so that others can
send you encrypted emails using, say, Thunderbird (or another webmail
option like Mailvault, see below), and that you can use your private
key to read encrypted emails using other clients as well. To export
your keys, log into your Hushmail account, click on Preferences and
then Export Encryption Keys.

Public keys can also be imported by uploading them to Hushmail's own
keyserver. Instructions for doing so appear at the bottom of this
page, https://www.hushmail.com/help.php?subloc=pgp&l=454, under 'How
can a Hushmail user send secure email to a PGP user?' What this means
is that you can send encrypted email to contacts who do not have
Hushmail accounts but are using encryption with another client (like
Thunderbird).

Finally, Hushmail also lets you set a security question/answer in
the case that you need to send an encrypted email to someone who has
neither a Hushmail account (when you send emails to another Hushmail
user the emails are automatically encrypted) nor a PGP key pair. In
this case, your intended recipient will have to provide the correct
answer to your security question in order to be able to view your
email. To set the question/answer, click on Compose, and then go to
Message Options.

Keep in mind that at least in one case (US v. Tyler Stumbo -
http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.pro
d_affiliate.25.pdf) the pigs were able to obtain Hushmail email
records.

~ Mailvault (http://www.mailvault.com) is a service that is similar
to Hushmail, and which likewise allows you to import and export keys
thus enabling you to send encrypted communiques to those who aren't
using Mailvault (and likewise allows folks who don't use Mailvault to
send you emails as well). However, one of the disadvantages of
Mailvault is that its mail servers seem to be a tad erratic, in that
mail sent to Mailvault accounts at times gets bounced back as
undeliverable.

~ There are various other pseudo-secure web-based email options out
there that you can explore by doing a web search for a query along
the lines of 'free encrypted email', though do keep in mind that all
of these services are only to be used if, for whatever reason, Option
I is not feasible in your situation.

A Few Parting Tips and Reiterations (READ THIS SHIT!)

~ Always generate the largest keys the programs allow you to
generate, which is currently 4096 bits. Don't settle for the default
2048 bit key lengths.

~ Don't upload your public keys to public key servers unless
absolutely necessary (in other words, never). As mentioned in Step
5.h, when you perform a Verbose Index search for a key ID on a given
key server (for instance by going to http://pgp.mit.edu/, entering
your target's Key ID and conducting a Verbose Index search), you may
then be able to see all the signatories tied to that key and may then
be able to deduce who has likely communicated with the owner of the
given key, thus being able to map an individual's potential contacts.

~ The first time you send a contact an encrypted email, it would be
a good idea to attach a copy of your public key along with the email
so that the recipient can likewise send you encrypted email in return
(unless of course you have already provided the recipient with your
public key at an earlier juncture via another distribution channel).

~ Remember to pick a strong, salted (meaning using non-standard
vernacular) passphrase with a minimum length of 30 characters. Commit
your passphrase to memory or store it in a remote location with no
identifiable information that would allow anyone to trace it back to
you). Store your revocation certificate (if you chose to make one) at
another location (with the intention being that if the passphrase
location is compromised or forgotten, you'll still have the second
location as a fail-safe to be able to revoke your now-insecure key
pair).

~ Delete your fucking emails! (and don't keep any logs). Don't be
one of those jackasses that archives all of your emails from the past
ten years, especially in an unencrypted format. There's nothing the
pigs love more than a nice trough-full of aeon-old potentially
incriminating evidence to gorge upon as they plot your untimely
demise.

~ And finally, remember that encryption is not the same thing as
anonymity. When you send/retrieve emails your IP address is recorded
by your email provider, not to mention probably your ISP, and
(depending on the mail server) often times passed on to the recipient
as well (Hushmail and Gmail are two email providers that don't pass
along your IP to the recipient, though this doesn't mean that they
don't store it on their servers (if the double negative was
confusing, it means that they do keep IP logs of their own that
they'll be all too glad to hand over to either the pigs or anyone who
pretends to be a pig and sends them an intimidating letter). Use
anonymity tools such as Tor (http://tor.eff.org/) or the portable
Xerobank (http://xerobank.com/xB_browser.html) when on a public
terminal to help hide your IP address, along with piggybacking on a
wifi connection if at all possible (You can find various guides on
using Tor online, or expect it to be covered in a future issue of the
Underground Security Paper). Do not go to the same place at the same
times to send/read emails and be mindful of CCTV surveillance.

As usual, this text has gone on for way longer than I expected, so
time to end this shit. Email me at xcon0 @t. yahoo d.t com (Now that
I've written the guide, I can finally say that I will no longer
respond to any unencrypted emails. My public key (0xF370BFBF) is
available here: http://www.dizzy.ws/x1pub.asc.

Visit www.rorta.net & www.dizzy.ws for more knowledge.

Or, for phone sex dial 1-610-887-6072.

Enjoy!