How to do End-to-End Encryption using GPG4USB (Part 2)

by Palloy

Part 1 described how to use the basic functions of GPG4USB – the minimum to get up and running. However, the application can do more than that, including coping with situations where some other entity is trying to interfere with things.

The problem

Suppose someone sends an email to you, purporting to come from me, but actually coming from them and giving incorrect information. (Faking the From field in an email is easy – it is the basis of much spam and many phishing attacks, as I’m sure you already know.) So how do you know the message actually came from me?
And how do you know that the message hasn’t been tampered with on its way from me?

The solution

The solution is to add something to the message that is based on my Private Key, which only I have access to.

That “something” is called my Digital Signature, and GPG4USB generates it for you at the same time as your Private and Public Keys. I won’t try to explain how it does it; just be assured that it is foolproof so long as you don’t lose the privacy of your Private Key.

Signing your message

And because the signature is wrapped around (and effectively includes) the message, it also ensures the message hasn’t been changed from the original while in transit.

So the process starts off like before, you type your message into GPG4USB:

Then make sure your checkbox is checked, and click on Sign.
This wraps your Digital Signature around your message:

Then continue as before with: check the Recipient, Encrypt, Select All, Copy, Paste into email, Send.

When the Recipient gets the email, as before, they Select All, Copy, Paste into GPG4USB, Decrypt, and seeing the message is signed, they will click on Verify:

The green verification message at the bottom indicates that I really sent the message, it hasn’t been changed along the way, and that the Recipient isn’t going to find themselves mugged by The Mob out the back of the Silhouette Club and sent to sleep with the fishes.
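The same Sign, Encrypt, Decrypt, Verify sequence on the gpg command line, as an added example that is not part of the original article or of GPG4USB. It assumes GnuPG 2.1 or later is installed; the addresses, the message and the passphrase-less throwaway keys are constructed, and both key pairs sit in one temporary keyring so the demo runs on a single machine.

```shell
#!/bin/sh
# Added example: GnuPG command-line version of Sign -> Encrypt -> Decrypt -> Verify.
# Addresses and message text are constructed; keys are throwaway, with no passphrase.

# Create a temporary keyring and generate a key pair for each party in it.
setup_keys() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    for uid in sender@example.org recipient@example.org; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$uid" 2>/dev/null || return 1
    done
}

# Sender side. $1 = cleartext file, $2 = encrypted output.
# Step 1 wraps the sender's signature around the text; step 2 encrypts the result.
send() {
    gpg --batch --yes --quiet --local-user sender@example.org \
        --clearsign -o "$1.signed" "$1" || return 1
    gpg --batch --yes --quiet --armor --recipient recipient@example.org \
        --encrypt -o "$2" "$1.signed"
}

# Recipient side. $1 = encrypted file, $2 = where to write the signed text.
# Returns 0 only if decryption works AND the signature is good.
receive() {
    gpg --batch --yes --quiet --decrypt -o "$2" "$1" 2>/dev/null || return 1
    gpg --batch --verify "$2" 2>/dev/null
}

# Full round trip plus a tamper check. Returns 0 when everything behaves as expected.
demo() {
    setup_keys || return 2
    work=$(mktemp -d) || return 2
    printf 'Meet at noon.\n' > "$work/msg.txt"
    send "$work/msg.txt" "$work/msg.asc" || return 3
    receive "$work/msg.asc" "$work/got.txt" || return 4    # genuine message verifies
    # Change one word inside the signed text: verification must now fail.
    sed 's/noon/midnight/' "$work/got.txt" > "$work/forged.txt"
    if gpg --batch --verify "$work/forged.txt" 2>/dev/null; then return 5; fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work" "$GNUPGHOME"
    return 0
}
```

Run `demo; echo $?` after sourcing the file: 0 means the genuine message verified and the altered copy was rejected.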

On a more mundane level, this is the way that you can be sure that a software update is the real thing, from the real software developers. All Linux software has this Digital Signature Verification process built in automatically for every component of the system.

Encrypting Files

Another thing GPG4USB can do is encrypt files.

Check the box for the Recipient, and click on File then Encrypt File, and a new window will open where you can either type in the location of the input (clear text) file, or you can click on the “…” button and navigate to the file. If you leave the output (encrypted) filename blank, the new filename will be the input filename plus “.asc”. This might not be such a good idea if the file is called “leaked_government_doc.pdf” as “leaked_government_doc.pdf.asc” is still a bit of a giveaway, even if it can’t be decrypted.

The encrypted file can be sent as an email attachment, or by any other means.

I think you can guess what the Recipient has to do with the file: yes, File then Decrypt File.

Conclusion

By keeping the encryption/decryption process separate from the actual sending of the message, you not only keep all your key details out of reach of other applications, but you can also use ANY messaging application, not just email.

This makes GPG4USB the ideal application to use for end-to-end encryption. And if the WhatsApp service has to be withdrawn because of Government regulations, you can still keep your privacy.

In fact if this became the standard way of doing encryption, Governments would realise how pointless their regulations are.
