Sunday, February 10, 2013

Absolutely secure chat, email and file transfer

In the name of counter-terrorism, we are all naked to the government, not just at airport security checks, but in front of our computers too, whenever we email or send a text message or a file to someone. After some research, I've found the only absolutely secure method for encrypting your content before you send it to someone. I have not found a clean and straightforward tutorial about it, so here we go.

Initial Setup

Download "gpg4win-1.1.4.exe" from here. The latest version does not work in my case.

Double-click it to install; the only options you should check are GnuPG2 and GPA. After installation, simply open GPA and everything is straightforward.


First things first: you'll need to create your key pair with the key manager's key generation wizard. Name and email can be fake if you prefer, but make them easy for your friends to recognize as you. Never forget your password; you need it whenever you decrypt anything!


Open GPA, highlight your key and export it as a *.asc key file. Email this file to your partner.


Ask your partner to do the same and email you his/her *.asc key file.

Once you have received the *.asc file from your partner, open GPA and import it. Your partner should do the same, i.e. import the *.asc file that you sent to him/her.

From now on, you two no longer need to repeat the steps above and are ready to share encrypted content. Do the same with other partners.

Hint: only the receiver needs to send his/her key to the sender, so that the sender can encrypt the content with that key. The receiver does not need the sender's key but must remember his/her own password for decryption. So, again, never forget your password!

Send a File

To send a file, drag the file into GPA's file manager. Select "Encrypt", check the key(s) of your partner(s), and an encrypted file will be generated. You can then email this encrypted file to your partner(s) or upload it somewhere, secure or insecure, for them to download.


Once s/he has received the encrypted file, s/he drags and drops it into GPA's File Manager and selects "Decrypt". S/he will be prompted for a password: the one s/he chose when creating his/her own key, not yours. Neither of you should ever give your password to anyone.

Email and Messaging

Type your email or message as usual. Once you've written everything, select and cut the entire text. Open GPA's Clipboard and click Encrypt. Go back to your email/message and paste; you'll see something like this:


Go ahead and click the send button. Once your partner has received your message, s/he copies the weird text above, opens GPA's Clipboard and clicks Decrypt. Pasting into Notepad then shows the original text:


Some notes

There is a lot of such software, but all of it has some problem. For example, Retroshare is very difficult to connect to the other party; they should have added a button to email your IP and port to the other party, but NAT would still be a problem. ZeZebra posts a link to a server, defeating your privacy. With TrueCrypt and many other such tools, you have to send a passcode to the receiver, and then how do you send the passcode securely? Chicken and egg.

With the procedure described above, there is no third party involved and no password exchange at all. Even if a third person gets hold of the encrypted content, s/he cannot do anything with it, even if s/he also has your public keys. You should never expose your private (secret) key, but even if someone somehow stole your private key, s/he would still need the password to decrypt. Nothing can be more secure than this.

The only thing to be careful about: when one party receives a key, make sure to verify it with the other. For example, if you receive a key that looks like it is from me (KoT <xxx@gmail.com>), you must verify it with me before you send out anything serious, because anyone can generate a key that looks like it is from "KoT <xxx@gmail.com>". Each key has a unique fingerprint; you can verify that, or a checksum.
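The verification step above, as an added example that is not part of the original post and not code from GPA or GPG4Win: a Python script that reads an ASCII-armored public key in the form a *.asc export takes, computes the OpenPGP version 4 fingerprint defined in RFC 4880, and accepts the key only when that fingerprint equals one obtained out of band. The two keys are constructed toy material (not real RSA keys) that both carry the user ID "KoT <xxx@gmail.com>"; the names `make_key`, `key_summary` and `fingerprint_matches` are this example's own, not GnuPG API calls.

```python
import base64
import hashlib
import struct

# Constructed sample material, not real keys: toy RSA moduli chosen only so that two keys
# carrying the same name and e-mail address can be compared. CREATED is 2013-02-10 00:00 UTC.
USER_ID = "KoT <xxx@gmail.com>"
GENUINE_N = 2**1023 + 2**511 + 12345
IMPOSTOR_N = 2**1023 + 2**511 + 54321
CREATED = 1360454400
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    # CRC-24 from RFC 4880 section 6.1, the checksum on the "=" line of an armored block
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def mpi(value: int) -> bytes:
    # OpenPGP multi-precision integer: two-octet bit count, then the magnitude
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def public_key_body(n: int, e: int, created: int = CREATED) -> bytes:
    # Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2)
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def old_format_packet(tag: int, body: bytes) -> bytes:
    # Old-format packet header with a two-octet length (RFC 4880 section 4.2.1)
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def fingerprint(pubkey_body: bytes) -> str:
    # Version 4 fingerprint: SHA-1 over 0x99, the two-octet body length and the body
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).hexdigest().upper()

def armor(packets: bytes) -> str:
    # The ASCII armor written into a *.asc file (no armor header lines)
    text = base64.b64encode(packets).decode("ascii")
    lines = [text[i:i + 64] for i in range(0, len(text), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return "\n".join([BEGIN, ""] + lines + ["=" + crc, END]) + "\n"

def dearmor(text: str) -> bytes:
    # Reverse of armor(). The CRC only detects accidental damage: an impostor who swaps
    # the key simply recomputes it, so it is no substitute for the fingerprint check.
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored public key block")
    rest = lines[lines.index("") + 1:-1]  # optional armor headers end at the first blank line
    data = base64.b64decode("".join(line for line in rest if not line.startswith("=")))
    crc_lines = [line[1:] for line in rest if line.startswith("=")]
    if len(crc_lines) != 1 or int.from_bytes(base64.b64decode(crc_lines[0]), "big") != crc24(data):
        raise ValueError("armor checksum missing or wrong: block damaged in transit")
    return data

def parse_packets(data: bytes):
    # Yield (tag, body) for old-format packets with one- or two-octet lengths
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80 or ctb & 0x40:
            raise ValueError("only old-format packets are handled here")
        tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
        if length_type > 1:
            raise ValueError("unsupported packet length type")
        width = length_type + 1
        length = int.from_bytes(data[i + 1:i + 1 + width], "big")
        i += 1 + width
        yield tag, data[i:i + length]
        i += length

def make_key(user_id: str, n: int, e: int = 65537, created: int = CREATED) -> str:
    # An armored public key: one public-key packet (tag 6) plus one user ID packet (tag 13)
    return armor(old_format_packet(6, public_key_body(n, e, created))
                 + old_format_packet(13, user_id.encode("utf-8")))

def key_summary(armored: str):
    # Returns (user_id, fingerprint): the user ID is an unverified claim, the fingerprint is what to compare
    user_id = fpr = None
    for tag, body in parse_packets(dearmor(armored)):
        if tag == 6:
            fpr = fingerprint(body)
        elif tag == 13 and user_id is None:
            user_id = body.decode("utf-8")
    return user_id, fpr

def fingerprint_matches(armored: str, expected: str) -> bool:
    # Accept a received key only when its fingerprint equals one obtained out of band
    _, fpr = key_summary(armored)
    return fpr is not None and fpr == expected.replace(" ", "").upper()

if __name__ == "__main__":
    genuine, impostor = make_key(USER_ID, GENUINE_N), make_key(USER_ID, IMPOSTOR_N)
    trusted = key_summary(genuine)[1]  # the fingerprint KoT confirmed over the phone, say
    for label, key in (("genuine", genuine), ("impostor", impostor)):
        print(label, *key_summary(key), "accepted" if fingerprint_matches(key, trusted) else "REJECTED")
```

Both keys carry the identical name and address, so the user ID packet says nothing about who made the key; only the fingerprint, confirmed over a channel the other party controls (a phone call, or in person), does. The CRC-24 on the armor's "=" line guards against corruption in transit, not against substitution. The fingerprint depends only on the primary public-key packet, so the self-signature and subkey packets a real export also carries are simply skipped; the parser accepts only old-format packet headers and raises on anything else rather than guessing.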

During installation, you may select some other features, such as GPGee, which adds shell integration so you can conveniently right-click on a file and encrypt it. You may also try the latest version, GPG4Win V2, and see if it works for you.

You may export your private key and import it on your other computers; don't create a new private key for another computer. If you want to use a different identity for some other people, then create another private key just for them.


Abstract (originally in Chinese)

Absolutely secure transfer of email, text messages and files

The encryption method introduced here involves no third party and requires no password exchange; it can be used for any purpose, for example QQ.

Both parties install GPG4Win 1.1.4; selecting GnuPG2 and GPA during installation is enough. Both parties use GPA's key manager to generate their own key, then export that key. The exported key can be sent to the other party by email, QQ or any other means. Note that this is the public key; never expose your private key.

Then each party can encrypt with the other's key. Only the other party can recover the encrypted content, so it can be sent by any insecure means, such as email or QQ; it is useless to anyone else who gets hold of it. Encrypting a file is easy: drag the file into GPA's file manager, choose Encrypt, and when asked which key to use, pick the one your partner gave you. A *.PGP file will be generated; send this file to your partner by any means you like, such as email or QQ. When your partner receives it, s/he drags it into the file manager and decrypts it, and that's it.

If you use QQ for private conversations, first write the QQ message as usual, but before sending it, copy the content. Open GPA's clipboard, paste, encrypt, then copy and paste the result back into QQ; now it can be sent. When the other party receives the QQ message, s/he copies it, opens GPA's clipboard, pastes, decrypts, and can read the original content.

The only thing to be careful about is that when one party receives a key, verify with the other party that it really is his/hers. Otherwise, whatever you send to that key goes to a bad actor, and the bad actor can open it, because that key was exported by the bad actor from his/her own private key. Each key has its own fingerprint; both parties can verify it with that or with a checksum.

10 comments:

  1. Can it be used with more than two parties? Will the encrypted file be much larger than the original (in %)? Thanks.

    1. You can encrypt a file for multiple parties; just select all their keys. The encrypted file's size will not increase; only the keys are added, and a key file is just a few lines of text, which is very small.

  2. If you send your key file by email, then your or your friend's ISP may also save a copy on their server.

    1. That's the public key, no risk. With a public key, all they can do is to encrypt something for you, cannot decrypt anything. To decrypt anything, one must use a private key and its password.

  3. Won't files encrypted this way crash? Can I keep only one encrypted copy and destroy all other backups? Thanks.

    1. Any file can corrupt, and once an encrypted file corrupts it may be impossible to recover at all. If you forget your password, the file is also lost forever.

  4. Can I use one private key on more than one of my computers?