The following will give some background on how privacy is maintained on the internet. A simple and accurate example is the opening scene of Citizenfour, where the author decrypts a message from Snowden. As fanciful as this sounds, this is exactly how most of the traffic on the internet is secured. The process uses something called public-key cryptography coupled with symmetric-key algorithms. The basics of how this works are actually pretty simple to understand, and I'll touch on them in a bit. These methods are used in much of the traffic on the web, and were even used when you visited this site. The 's' in the 'https' of this web URL means both of these methods were used to secure the connection and scramble the traffic. Now, as opposed to walking you through how 'https' (aka SSL) works, I'm going to cover a protocol called PGP, "Pretty Good Privacy". It's what they use in the movies, and true to the name it is pretty good. Walking through the process will teach you enough about the mechanics for you to understand 95% of the stuff out there today.
The PGP protocol works very much in the way explained above. The only part you really see (in any protocol) is the public-key part; the rest is all done under the hood, but knowing it is there will keep you from getting confused later. The first thing that needs to be done for public-key crypto is to make a "key" and then make it "public", so let's start off with what keys are.
Keys are just binary files that contain a very very very large number. That number is used to scramble or unscramble a message. The interesting bit is that, unlike the key to your house, each key can only do one thing: one key to lock, and a different key to unlock. So when you make a public-key you actually make two keys (lock / unlock) and you give the lock key away. This is your public-key. The reason you give the lock key away is so people can lock (scramble) the message before they send it to you. Since only your unlock (private) key will unlock the message, there is no danger of anyone else reading the contents. Only the holder of the private-key can unlock the message. Now.. for a bit of the under-the-hood speak. Most books / articles on this stuff pretend that the public key locks the whole message. It doesn't; all it does is lock the outside. The inside is locked with a different hidden key, but more on that later.
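To make the "public key locks the outside, a hidden key locks the inside" idea concrete, here is a small Python model I added (it is not code from this post or from GnuPG): a textbook RSA pair with toy-sized primes stands in for the lock/unlock key pair, and a SHA-256 keystream stands in for the symmetric cipher. Real PGP keys are thousands of bits long and use a proper block cipher; the numbers here are only big enough to show the mechanics, and the sample message is constructed.

```python
import hashlib
import secrets

# Toy RSA pair (p=61, q=53, n=3233, e=17, d=2753) standing in for a real key pair.
# Far too small to be secure; it only models the lock/unlock split.
PUBLIC_KEY = (17, 3233)      # the "lock" key you give away
PRIVATE_KEY = (2753, 3233)   # the "unlock" key you keep secret

def rsa_apply(key, value):
    """Lock (with the public key) or unlock (with the private key) one number < n."""
    exponent, modulus = key
    return pow(value, exponent, modulus)

def keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """Symmetric layer: XOR data with a SHA-256 keystream derived from the session key.
    Applying it twice with the same key gives the original data back."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))

def encrypt(public_key, message: bytes):
    """PGP-style envelope: the message is locked with a fresh hidden session key,
    and only that session key is locked with the recipient's public key."""
    session_key = secrets.randbelow(public_key[1] - 2) + 2   # 2 .. n-1, fits in 2 bytes
    body = keystream_xor(session_key.to_bytes(2, "big"), message)
    locked_key = rsa_apply(public_key, session_key)
    return locked_key, body

def decrypt(private_key, locked_key, body):
    """Unlock the session key with the private key, then unlock the body with it."""
    session_key = rsa_apply(private_key, locked_key)
    return keystream_xor(session_key.to_bytes(2, "big"), body)

if __name__ == "__main__":
    msg = b"constructed sample message"   # constructed input, not from the post
    locked_key, body = encrypt(PUBLIC_KEY, msg)
    print("locked session key:", locked_key)   # a number < 3233, not the session key itself
    print("scrambled body:", body.hex())
    print("unlocked with private key:", decrypt(PRIVATE_KEY, locked_key, body))
    # Only the matching private key opens the envelope; any other number yields garbage.
    print("unlocked with wrong key:", decrypt((2755, 3233), locked_key, body))
```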
As teased out earlier, a public key is one half of a key-pair: one for locking, and one for unlocking. We give our locking (public) key away, but keep our unlocking (private) key secret. Now, if we are going to be really paranoid, the obvious question may be, "How do you keep them private?" Well, that is up to you, but be careful with them. There are some good methods for securing them I can speak to later, but just remember that it is something you need to be aware of... "Keep it secret... keep it safe". Enough background... now on to the good stuff.
Now that we have talked about the protocol "PGP", let's talk about the program "GNU Privacy Guard". GnuPG (GPG) is a bundle of software used to perform the PGP protocol. A good comparison would be that Chrome or Firefox is a bundle of software that speaks the HTTP protocol. The fact that the names GPG and PGP form a pattern is not an accident; just trust that the GNU folks like that type of tongue-in-cheek. Now, there are some nice graphical tools to do this stuff, but I don't want to talk about the specific tools and would prefer to focus on the process. The command line utility will help keep us focused on the steps, so that's what I'll discuss. If you're not familiar or comfortable with the Windows command line, then this is a great time to learn.
Although the latest version of GnuPG is 2.1.3, the Windows package uses the older version 2.0.27. I can get 2.1.3 running on Windows, but it is a bit beyond the scope of what I'm trying to do here. To install 2.0 we will use a bundle called Gpg4win. Don't track its version number; I know they don't match. It's ok...
- Make a folder to hold 3 files (the installer, signature, certificate), preferably named "gpg4win" under "Documents"
- Download the signature (backup archive) to your folder
- Download the certificate (backup archive) to your folder
- Download the installer (backup archive) (gpg4win-light v2.2.4) to your folder.
- Run the installer you previously downloaded, accepting the defaults.
If you ever owned a computer before Windows XP, then you likely recall the command line. If you don't, fear not... it is really pretty easy. The command line is just like a form on a web site: typing an answer into a box on a form is loosely similar to using a command line. Let's do a quick round-trip on the command line just so you can say you know how.
- Get a "Run" box by holding the key-combo WinKey-R. BTW.. the WinKey is next to the ALT key.
- In the "Run" box type "cmd.exe" then click the "OK" button.
- Move to your Documents folder by typing "cd documents" and pressing Enter.
- Move to your gpg4win folder by typing "cd gpg4win" and pressing Enter.
- Run away by typing "exit" and pressing Enter.
Now you can create your keys. You are going to make a public key, which is required to have a name and email attached to it. So yes... other people all over the internet will see whatever name and email you use below. Either use your real one and tough it out (spam filters were invented for a reason), or, if you're still squeamish, make up a fake name and email to ease your mind. Now let's get back to the command prompt. Do the steps above again if you have already exited. I'm going to assume for the rest of this post that you are in the "gpg4win" directory mentioned above. Once you've got your command line back, here's the command to make keys (don't worry if it doesn't put you back at the prompt):
"gpg --gen-key" This will prompt you for some information.
- Enter your name and email.
This whole process discussed earlier really works best... *yawn*...