How to Encrypt Your Email and Keep Your Conversations Private

How to Encrypt Your Email and Keep Your Conversations Private.

This article discusses (has screen shots):
Getting Started: How PGP Encryption Works, and What You'll Need (great diagram)
Step One: Install GnuPG and Enigmail to Generate Your Keys
Step Two: Configure Thunderbird or Postbox to Encrypt Your Messages
Step Three: Configure Mailvelope for Your Webmail

The following article may seem to advise otherwise than the above article, but contains a few nuggets of information that indicate where some limited progress is being made in achieving more secure email:

If You Want Secure E-Mail, Just Don't Write It or Send It.

Note: I disagree that people don't care about privacy despite what Radu Sion, a computer scientist and security expert at Stony Brook University, says in the article.

-- Tom

 

Thanks for the links.

I'm not sure how SilentCircle worked, but, assuming that it was PGP-based, what kind of key is he talking about? With the "exchange cryptographic keys with each person they want to e-mail with" I guess public key.

There's no problem if they store both private and public key in their servers as long as they don't know the password. I mean, a private key without the password is useless, so, as long as they don't store it they could not decrypt any messages even if they were forced to.

 

But if they have the private key, then decryption takes place on their server (unless they used a Java applet, but lets not go down that rabbit hole)...meaning all they had to do was capture the pass phrase, or capture the decrypted content when it was sent back to the user. Very possible if they were served an NSL for their SSL/TLS cert in the future.

Then there is the possibility that they may have been forced to use an ADK (Additional Decryption Key) or add themselves as a recipient (Encrypt To Self).

You are correct that without the pass phase, a private key is useless...but *with* the private key, you have reduced decryption difficulty by 50%.

I agree that having your private key with a third party isn't the 'doom and gloom' that it is made out to be...but man do I feel better having it securly stored locally.

(Caveat - I don't know exactly how Silent Mail worked, so the above may be completely wrong)

PD

 

Yep, I totally agree with you, I would never trust a third party on keeping my private key. In fact, I keep myself all my GPG private keys.

What you just said reminds me to the case of Hushmail I think (I'm not sure if it was Hushmail). They captured some user password just to give all his data to the US Government.

The thing is that the paragraph I quoted got me a little bit confused, that's why I was asking and also, I was assuming that SilentCircle webmail / app / whatever was "malware" free.

 

I'm just starting to learn about asymmetric and symmetric encryption in my SEC 280 course. Correct me if I'm wrong, but this is how I interpret public key cryptography:

Asymmetric encryption, requires more resources to store and encrypt/decrypt data. Considered more secure because it uses a private and public key pair, but not idea for bulk data such as media.

Symmetric encryption, requires fewer resources to store and encrypt/decrypt data. Is considered less secure because it uses a matching shared key between users. Like keeping a secret, fewer people that know, the better.

Most companies today implement both encryption methods, based on the type of data being sent/received. Asymmetric encryption is used in the exchange of shared keys (symmetric) between users. At which point, symmetric encryption is used for the bulk of data being sent because it faster. With exception to confidential and sensitive information such as the transfer of credentials, tokens, etc.

PGP also implements both encryption methods, based on the types of data being sent/received. E-mails, instant messages, etc. generally do not send bulk content such as media, and instead plain text. So asymmetric encryption is implemented more often in the transmission of secure e-mails, chats, etc.

-----------------

Keeping in mind that my textbook provides a very basic overview of cryptography, than wouldn't allowing silent circle to handle the exchange of keys imply that they handle both asymmetric and symmetric encryption for users. Since they would need to generate a private/public key pair to exchange any shared keys between users. How is this any different from any other service online? I was under the impression that a decentralized approach would be necessary for secure communication. The only way I could see this working is if silent circle acts as man in the middle. They generate a separate private/public key pair for each party, but transmit the same shared keys. This would effectively break any trail between users 1 and users 2, since the private key could not be used as evidence against either users. The only party liable would be silent circle. Even so, this seems counter productive, since users would probably be better off generating and managing their own keys. Plus silent circle would still be able to log and decrypt any data being shared. Am I missing something?

 

Thanks for your detailed explanation Techwiz . I have studied only very basic concepts of criptography such as RSA algorithm, private / public key cryptography... so I'm not an expert, but what you suggest makes sense for me. The idea of SilentCircle acting as a man in the middle would explain how they were able to decrypt user's data.