In a story told through the ages, it is said that a special messenger was entrusted with sensitive private data. He compressed the content of the message to a phrase and, using special chants, hashed it. Flying swiftly, he crossed the length of a strait before an attempt was made to intercept him. He realized the (wo)man-in-between attack was a threat to the security of the message and hacked his way past the impediment. Always on the alert, he dodged identical decoys of the actual recipient before locating the intended target via publicly known key identification marks (of the receiver).
He went on to display the private insignia that acted as an authentication of the sender and could only be understood by the correct receiver. This allowed the protocol behind the messenger to proceed further and convey (decrypt) the actual uncompressed & confidential message before carrying back another crisp (read compressed) message from the receiver to the sender. That was a quick lesson on the lofty standards of message encryption, sender-receiver authentication and confidentiality from ancient history!
This ancient tale is written proof of how important message encryption skills have been, since time immemorial, to seal trust and help wage some very important wars. While the task may seem routine to the lazy eye, the messenger has to be the best in class to be up to the crucial task.
Some of you will surely recognize the above story from the legend of Ramayana. My point is how much significance we attach to a protocol (messenger or medium) which (or who) can follow Pretty Good Privacy standards to a T!
This post is intended for those who seek to understand the very basics of email/messaging encryption. The mathematical nuances behind the RSA public key algorithm can make this learning appear more complex than necessary; also, I honestly don’t think I can do justice to that! Furthermore, for most users, stuffing in words like “hashing”, “protocol” and “encryption” may make the learning curve seem too steep even with a tale like the one above.
While I don’t boast to have any scales to define the average user’s intelligence, I do wish to explain a series of steps that are, in fact, publicly available (albeit in a scattered manner). Following these can definitely be done without facing any sort of technical hang-over whatsoever.
The short version
This image condenses what is expected of public key cryptography, which forms the backbone of the PGP program.
In essence, encryption scrambles messages so that only someone with a key (or a tremendous amount of computing horsepower, or knowledge of how to exploit an encryption weakness) can decode them (Source: CNET).
Summary: You will need to create an id, publish it to the world and keep a password safe (much like a new email id sign-up). You will identify your favorite email/messaging client, find the messaging address of your friends who are signed up as well, and send your message using this client. Where is the complication in this?
The long version
Generate Your Keys (Register): Know that a key will help to uniquely identify yourself in the digital world. Obtain your keys from an open source tool/software. I am aware of GPG Suite by GPG Tools and this website to generate your first PGP key. Your private key is your own - hash it, store it, save it some place safe. Show off your public key wherever you feel comfortable.
Publish your id (Complete sign-up): A point to note is that you will be recommended to provide an email address while generating your PGP keys. You can opt to update/upload your earlier generated public key to a server. That’s because your email address will be included as public information in your public PGP key and acts like an easy unique tag that can help identify you. More on this under “Receive a message”.
Get an email client: Identify a PGP compliant email client. If you consider plugins, that includes literally hundreds of them out there! You may choose to begin here.
Find your favorite messaging client: Begin using end-to-end messaging apps like Signal.
Explore mailbox settings: Your mail client/online service might support both 1 and 2 password logins. If so, set up the 2nd password used for decryption purposes.
Send a message: When you send a message, your recipient(s)' public key will be imported by third-party PGP software and hashed together with the message body. Ensure that attachments get encrypted as well.
Receive a message: Remember you linked your email id to your public key. So, your friend does not need to know your entire public key to send you a message or email every time. They can conveniently look it up in the public information data where you have uploaded it before. They can now go ahead and compose an email to you as is normally done.
Read your message: When you receive an encrypted message, it can only be decrypted with your private key, which would be available with you or uploaded securely in your email client.
Much more than meets the eye: There are implications of using PGP keys beyond what is described above. For instance, online privacy should NOT be a term that gets associated with “hiding under the hood”. You can expect others to respect your privacy and, yet, be open and digitally verified. Ideally, you should never be subjected to trusting others blindly on the web. Likewise, you shouldn’t need to scream every time you publish original content or media online. It should be fairly easy to prove it with a cryptographic timestamp. Try a public key cryptography service like Keybase.
- If your recipient does NOT use similar PGP standards, the content would appear gibberish to them.
- Implementations of PGP are known to have vulnerabilities. But do note that the standard itself is fairly robust and has been battle tested for decades without seeing any significant issues.
- Simple tasks like auto-fill of email addresses might be possible should you choose to go all-in on data privacy and go to the extent of encrypting your contacts.
In case you are wondering why there is a need to complicate the ease of sending everyday email/messages, I hope this post helped clarify that sending encrypted messages isn’t more difficult than sending insecure messages. I admit that I am spellbound by all the engineering that goes towards:
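The generate, publish, send and read steps above, run end to end with the GnuPG command line (an added example, not part of the original post). It assumes GnuPG 2.1 or later is installed; the names, example.org addresses, message and directory layout are constructed, and the throwaway keys carry no passphrase.

```sh
#!/bin/sh
# Added example. Each directory under $work is one person's private keyring.
# Names, addresses and the message are constructed; keys are throwaway and
# have no passphrase (a real key gets one).
set -eu

gpg_as() { # gpg_as <keyring-dir> <gpg args...>
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

fingerprint() { # fingerprint <keyring-dir> <email>: primary key fingerprint
    gpg_as "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

make_party() { # make_party <work> <name>: generate keys, publish only the public half
    mkdir -m 700 "$1/$2"
    gpg_as "$1/$2" --quick-generate-key "$2 <$2@example.org>" future-default default never
    gpg_as "$1/$2" --armor --export "$2@example.org" > "$1/$2.pub"
}

send_message() { # send_message <work> <from> <to> <text>: writes <work>/msg.asc
    gpg_as "$1/$2" --import "$1/$3.pub"
    # Stand-in for checking the fingerprint with the recipient out of band.
    [ "$(fingerprint "$1/$2" "$3@example.org")" = "$(fingerprint "$1/$3" "$3@example.org")" ] || return 1
    # Fingerprint matched, so accept the key for this message; sign with our own.
    printf '%s' "$4" | gpg_as "$1/$2" --trust-model always --armor --sign --encrypt \
        --recipient "$3@example.org" > "$1/msg.asc"
}

read_message() { # read_message <work> <reader> <from>: prints the plaintext
    gpg_as "$1/$2" --import "$1/$3.pub"   # needed to check the sender's signature
    gpg_as "$1/$2" --decrypt "$1/msg.asc" 2>/dev/null
}

cleanup() { # stop the per-keyring agents and delete the throwaway keys
    for p in alice bob; do gpgconf --homedir "$1/$p" --kill gpg-agent || true; done
    rm -rf "$1"
}

if command -v gpg >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_party "$work" alice; make_party "$work" bob
    send_message "$work" alice bob 'Meet at the strait at dawn.'
    echo "bob reads: $(read_message "$work" bob alice)"
    cleanup "$work"
else
    echo 'gpg not found; install GnuPG 2.1 or later' >&2
fi
```

Calling `read_message` with alice's keyring on the same file fails, because the message was encrypted only to bob's public key.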
- Developing a composer that predicts what your next words would be.
- Building the infrastructure for a mailbox that is willing to stretch to unlimited capacity with every ticking second.
- Putting together a messenger that seemingly makes communication so simple that it is now considered a safe place by everyone in the family & friends to share their most private thoughts!
I was guilty of being one of those who never thought that an entire ecosystem would be built around “my data; my privacy”! I figure it eventually boils down to how much significance you attach to that mundane data of yours; the information that you have been taught to undervalue so much is, in fact, the fodder for all the big sharks out there!
Will you feel a bit flushed, if you email your friend about your vacation plans and (before he/ she could even respond) begin to get some random phone calls from holiday agents? Or can you avoid acting nonplussed when you post a pic of your child today on social media, only to see ads of baby food following you everywhere?
If you feel happy about the above prospects, congrats! Maybe you are capable of doing some smart business using the social media and advertising tools available today. But what I care about is the level of control being handed over to conglomerates, who act as doorkeepers and unfaithful watchdogs that don’t account for the visitors being let into your life.
There’s no end to standing on the wet sand if you are waiting for the last wave. While you finally get the feel of sinking in the sand, maybe then you realize the sea has one purpose - to claim the land tide-by-tide, bit-by-bit…