Thursday, December 11, 2014

In the beginning...

The FOSS Outreach program has officially started!

I have to laugh a little about myself. A few days ago I was hoping that I could jump in and start doing something wonderful. As I started asking questions about the system, one of the first things I noticed was that I didn’t understand the product. Sure, the basic idea is GNOME Keysign is a tool to sign keys without the use of a key server. Back in October when I began learning about what this meant I had a simplistic view on OpenPGP. If you want to send a “secret” message you need to have a way to encrypt the cleartext to ciphertext and then back to cleartext. If you’re like me, you might start to imagine someone with a strong background in mathematics and cryptography drinking copious amounts of redbull and staying up all night fighting the war on cyber crime.  Yes, take that <insert current global enemy here>. Unfortunately this might make you want to slowly back away, but sending encrypted emails is much easier than you might imagine. The encryption algorithms run quietly behind the scenes while you’re blissfully unaware of the poor souls who probably spent their 20s working on cryptography. The “key” (hee haw!) to encryption is having the key necessary to lock and unlock the encryption. Simple enough, but how do you securely send this key to your friends? If they live near you could pedal your bike over and tell them what it is. However, this doesn’t work for people who live outside of your town or someone that you’ve never met. To solve this solution, you have an asymmetric keypair. One key is your private key that you never give out to anyone while the second is a public key that you can shout out to the world on the rough top while someone is filming for the next viral youtube hit. Okay, you probably don’t want to do that since part of protecting your data is conservatism, but the point is, you shouldn’t be able ascertain the private key from the public key. The neat thing about the keypair is that if one is used to encrypt a document and the other can decrypt that same document, you know that those two keys are part of the same keypair. This is great because it solves another problem; how do I know the encrypted document is sent by the correct person? Well, because the public key can only decrypt it if it’s part of the keypair for the private key. However, what if I’ve never met this person? Now we can start talking about keysigning and it’s advantages. My public key is part of a digital certificate that also includes certificate information, such as my user id, and one or more digital signatures. Others sign my key with a digital signature, which authenticates my public key. So if I know Adam and trust him, and Adam knows Betty and trusts her, ergo I can trust Betty. The more signatures I have on my public key, the more it can be “trusted.” All of this seams fairly reasonable and logical. After downloading the GnuPG package, I easily made myself a couple of keypairs and was off to protecting my personal data. Eazy Piezy.

One of the things that I failed to grasp was why. I pity the poor NSA analyst who has the misfortune to read any of my emails. They must be incredibly boring and riddled with aggravating grammatical mistakes. However, as mundane as they are, they are part of my data that I want to keep protected. I wouldn’t let officers inspect my house whenever they wanted. Whether you avidly follow the news or not, Snowden has become a household name, usually associated with the discovery that the government is encroaching on our civil liberties more and more. OpenPGP is a set of encryption protocols that gives the individual the ability to encrypt their documents with the aforementioned keypairs. I’m a bit of a lazy person and I can rationalize myself out of encrypting my meaningless one-line email, but I do want to insure that I have the choice to encrypt my data if I want. Here is the call to arms. If no one encrypts their emails or cares about encrypting their emails, it makes it that much easier for the government to take away this option. Here’s an analogy, most people I know have a password on their phone. Could you imagine the uproar if congress tried to initiate a bill that revoked this feature on phones? It wouldn’t happen. A good resource is written by Phil Zimmerman here,

The problem with the previous block of information is that it provides the background for GNOME Keysign, but it doesn’t tell us specifically why it does what it does and more of the technical details of the program. Again, Keysign is a tool to sign keys without the use of a keyserver. Why would you want to do that? Well, part of that answer is that the unique key fingerprint sequence of numbers and letters are overlapping between users, which can lead to downloading the wrong public key from the key server. Keysign circumvents this problem my downloading key information from a local network. When I start up Keysign I immediately see a user-friendly GUI with two tabs, Keys and GetKeys, which represents the client and server sides of the program. If I proceed with Keys as in I want someone to sign my key, Keysign fetches my fingerprint and encodes it in a QRcode image. You can choose to transfer your key fingerprint by transferring the actual sequence or by scanning the QRcode. Underneath the GUI the program is publishing my key information to the local network. If instead, I choose to GetKeys as in I want to sign someone’s key, I can either enter in the fingerprint manually or scan the QRcode. The program then grabs the key information from the local network and then adds it to my temporary keyring. It then signs it with my digital signature and sends this information back to the email associated with that public key to insure that the signature is going to the intended email of the person whose key I just signed.  Viola, signed keys!

Sadly, it took quite a bit for me to figure all of this out, which is why I felt like I needed to make light of myself for thinking that I would just, you know, start solving issues from the get-go. Lucky for me, the other participants of the program have expressed that they are all in a similar situation, which relieved some of my concerns about my own performance. Strength in numbers, right? Hopefully, my next post will involve a more profound inspection of the inner workings of the project. J