Essay: The Encrypted Citizen


We have gone boldly where nobody has gone before, and in that vast dark what we stumble into is this continuum of information: the Internet. Our everyday lives become less simple by the minute, but more faceted, more social, more interconnected, and certainly more determined—as some people have discovered when their Internet social networks overwhelm their own drive as social butterflies.

With this increasingly strange medium of sociability comes a vast variety of glimpses of our future and some warnings from our past. At no time in our history have we been so able to simply reach out and engage one another; and with that engagement we discover both empowerment and danger.

In this age it’s easy to forget that our personal correspondence is less protected, our diaries are not always stored locked in our desk, and our very lives could be cracked open like eggshells and their data drunk by unseen evils without our knowing. If this were our physical selves we would simply use lock and key, iron-sided safe boxes, angry slavering guard dogs and the like.

But this is the Internet.

And on the Internet, where privacy is a thin screen between us and prying eyes, encryption is our friend.

People in glass houses

When you are surfing the Internet, pinging IMs back and forth, zinging e-mails about, chatting on IRC, tweeting on Twitter, and tripping over your drama feet on Facebook, every move you make is visible in one way or another. Everything you do can be seen by someone, and that someone is not always your intended recipient. Be it the corporation or webmaster who runs the web page that you’re using or someone sitting outside your window sniffing your wireless out of the air, it’s possibly not something you want going on.

So, being that the Internet is a lot like living in a glass house, how exactly do we pull the shades?

Most of our correspondence on the Internet is inane; we couldn’t care less if someone sees our tweets talking about how we’re frustrated with baking muffins tonight. But some messages might have a very personal nature—or a particularly risqué nature, like nude photos being sent to our beaus—and we’d rather that such private things stayed private.

We do this by packaging our private stuff into boxes that can only be unlocked by people with the proper keys.

And to do that we need a key and lock maker. Enter the big mover and shaker of the encryption world: encryption software.

Pretty Good Privacy

PGP, or Pretty Good Privacy, is a wonderful invention that is ever-evolving yet still one of the best ways for a neophyte such as yourself to dip into the wonderful world of privacy on the Internet. Invented by Philip Zimmermann in 1991, PGP has withstood the test of decades to become one of the eminent forms of encryption used by private individuals—such as myself—for e-mail and just general mayhem.

I run Linux as my primary operating system, but I realize that most of my readers will probably run Windows, so I’m going to mention the product that will work on Windows systems: GnuPG. I am not going to go into specifics in this essay, but if you want to get started and get an idea of how this free product works, take a look at one of the HOWTOs.

Setting up encryption does depend on creating a set of keys (public and private), so there is a bit of a learning curve for first-timers; but if you happen to know a geek who can ease this transition, I’d suggest that you use them. Assuming, of course, you’re not a geek yourself.

Once you’ve gotten a PGP setup, with your keys jingling on your hard drive, you can enjoy the strange spy-noir-like world of having some sort of actual mystery on the Internet.

Public and private keys

Modern privacy encryption uses a public-private key setup. I am not going to go into any great depth here, but I think the gist of how it functions might help explain why we do it the way we do.

Basically, keys consist of two types: public and private. As you might suspect, the public key is released into the wild and handed out willy-nilly for everyone to see and use. As you can imagine, this key isn’t that useful for keeping things private (but it does have other uses); whereas the private key is kept secret, to yourself, and never handed out. In fact, should your private key be compromised anything that you encrypt will be in big trouble. So keep it safe.

In order to send a private message you reach out, grab the public key of your intended recipient and then encrypt with that key. Let’s call this intended person Frog. I use Frog’s public key to encrypt some dazzling message about meeting her at the MU to eat at The Pitchfork or something else. Once encrypted with Frog’s public key, only that key’s pair—Frog’s private key—is capable of decrypting the message. I send that message to Frog and she uses her private key to decrypt it. Voilà.

However, should someone intercept that message en route, say my brother Zane, he will only see a bunch of gibberish. And, because he doesn’t have Frog’s private key (I hope), he cannot decrypt the message without going to great pains.

If Frog wants to reply to me, to give me a time, she simply needs to use my public key to encrypt the return message, which, upon receipt on my end, I can decrypt with my private key. Voilà again.

This is the core of this sort of encryption mechanism. The production of public-private key pairs; distributing the public keys so that friends can encrypt stuff for us, and keeping private keys safely stowed on our persons.

Friend or foe, authentication and its uses

Once you’ve made your public and private keys you want to distribute them. But you also want to be able to use them to verify your identity. Here is a use of private keys that isn’t just for decrypting stuff. Just like your public key, your private key can encrypt things. However, when you encrypt something with your private key, anyone with your public key can decrypt it—and since that key is public, anyone can decrypt it.

The outcome of this, of course, is the fact that only you should have your private key! Therefore, anything that you encrypt with your private key, that can only be decrypted by your public key, proves that it was encrypted by you.

This is referred to as signing.

By using my private key to sign documents and correspondence I can prove their authenticity as being from me.
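The exchange with Frog and the signing step described above, as an added example that is not part of the original essay: textbook RSA in Python over small constructed keys, showing only how the two halves of a key pair relate. GnuPG itself uses padding, hybrid encryption and far larger keys, and real signing applies the private key to a hash of the message; every name in the code is an assumption of this example.

```python
import hashlib

E = 65537  # public exponent

def make_keypair(p, q):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse of e
    return (n, E), (n, d)

def encrypt(message, public):
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this demo key")
    return pow(m, e, n)

def decrypt(ciphertext, private):
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message, n):
    # Signatures cover a hash of the message, reduced to fit the demo modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(message, signature, public):
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

# Constructed demo keys built from known Mersenne primes (far too small for real use).
FROG_PUB, FROG_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
AUTHOR_PUB, AUTHOR_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
ZANE_PUB, ZANE_PRIV = make_keypair(2**31 - 1, 2**521 - 1)
MESSAGE = b"Meet at The Pitchfork"

if __name__ == "__main__":
    box = encrypt(MESSAGE, FROG_PUB)                # anyone can lock with Frog's public key
    print(decrypt(box, FROG_PRIV))                  # Frog recovers the message
    print(decrypt(box, ZANE_PRIV) == MESSAGE)       # False: Zane's key yields gibberish
    sig = sign(MESSAGE, AUTHOR_PRIV)                # only the private key can produce this
    print(verify(MESSAGE, sig, AUTHOR_PUB))         # True
    print(verify(MESSAGE + b"!", sig, AUTHOR_PUB))  # False: message was altered
```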

Of course, there are things to be aware of about authenticating keys themselves. This is done by means of signing other people’s keys with your own, but I will get into that in a different article.

Keeping electronic correspondence private between friends

As you’ve already seen in the public-private key interchange for communication, encryption can be used to keep correspondence private. In fact, a number of scandals in recent memory about politicians could have been readily avoided had they only thought about encrypting their messages when using web e-mail services like Yahoo! and Gmail.

For anyone interested in being able to encrypt their e-mail correspondence with friends, which is a good way to break into the use of encryption to protect your privacy, I suggest the e-mail client Thunderbird and a plug-in called Enigmail—it already works with your GnuPG installation on Windows so if you’ve got that under control you’ll be sending secret messages in no time at all.

In fact, in order to contact me you must encrypt your e-mails with my public key otherwise they will simply be rejected.

For most correspondence between friends you might be using a public-private key setup where you openly distribute your public key, much like I did, but if you want to have more intimate conversations you might think of producing a special pair of keys that are only used between you and that specific friend, as in my example with Frog. When we both came to college here at ASU, she and I produced new public-private keys, signed each other’s keys, and we do not distribute the public keys in this set to anyone but each other. We reserve them only for communication between ourselves of a particularly sensitive nature.

For everything else, I use my generic key.

Of course, you can produce public-private key pairs for any context that you desire. While this can certainly spin wildly out of control, for the more obsessive it provides a mechanism for you to control the usage of specific keys for specific contexts—and if something were to go wrong with one of your keys (say a private key was compromised) you can revoke that one easily and not lose others.

Keeping a private diary, or financial records, or electronic legal records

Encryption also has specific, personal applications beyond mere communication such as keeping sensitive information private in the case of physical breach. Say you’re working on a project with sensitive information, or you want to keep certain parts of your life private from someone who has access to your computer, or you have particularly damning documents that you need to keep close on your computer. If that computer were to be stolen—even if you had kept it locked up in a safe or safe deposit box—suddenly all that would be out in the open.

Not so easily if it were encrypted!

The number one killer of corporate security is the laptop. Well, not so much the laptop, but laptop theft. These little machines are easily purloined due to their small footprint, and generally extremely expensive. This makes them lucrative targets for opportunistic thieves. Often these thieves do not know nor expect sensitive documents—e.g. financial files, invoices, databases of credit card numbers—to be present on the hard drive, but a tech-savvy thief can do more damage to a corporation or person by also selling those.

Encrypting this information, and only decrypting it when it needs to be accessed or updated, reduces the chances that the physical loss of the media will also become a catastrophic loss of privacy.

Think about it. This even has some implications for the fourteen-year-old girl in all of us: encrypt your private journal so that your little brother (Zane!) doesn’t break into your computer and try to read it.

Be an encrypted citizen

These are just a few reasons to invest some time in encryption. While it does add some extra obstacles to your everyday life—much like locking your door or desk drawer—it can save you much pain and loss of sanity later in the day.

And if that isn’t enough, you can enjoy sending secret messages to your friends.
