Preface

What Is This?

This book is about learning to protect data with encryption. It’s a combination primer, story, guide, and handbook on how to use GNU Privacy Guard (GnuPG) encryption software to protect data in motion (messages or files being sent over the Internet), followed by a brief discussion of how to protect data at rest by using full disk encryption (FDE) on modern operating systems (OSes).

You will learn to use cryptography in a practical way: to encrypt and to decrypt a message or file, to validate a digitally signed message or file, to manage encryption keys, and to work securely with encryption tools.

That means how and why to do it, but not how it works. If you are interested in the science and engineering aspects of how cryptography works--algorithms, acronyms, standards, and specifications--there are many good resources for learning about those topics online [1]. Online is also where you’ll find the best information about installing encryption software, because online is where it’s most likely to be up-to-date.

The objective here is to get started doing encryption, not to know why it works or where it came from. However, just for the record--and to make sure we’re on the same page--here is a brief summary of what cryptography is and what it can do.

What Is Cryptography?

Cryptography is the science/practice of “writing in secret” (“crypto”=“secret,” “graphy”=“writing”). Cryptographic functions are generally defined as algorithms or protocols, rules that govern how data is processed to turn plaintext (unencrypted data) into ciphertext (encrypted data).

What Can Cryptography Do?

Encryption is what most people think about when they think about cryptography: taking plaintext and turning it into what looks like gibberish, a.k.a. ciphertext.

Done right, encryption protects private data by making it difficult (in some cases almost impossible) for an attacker to uncover plaintext. Depending on the user’s choices--such as whether the user creates a strong passphrase [2] or whether the user is careful about leaving information vulnerable on their computer--it may be next to impossible, or trivially easy, for an attack to succeed.

The goal of using encryption is to make it harder for others to uncover our secrets. The idea is that whatever amount of expertise and computer time is needed to break our encryption should cost more than the perceived value of the information being decrypted.

Basic Cryptographic Functions

Modern cryptography depends on three types of functions:

Single-key or symmetric encryption algorithms use one (“single”) key for both encryption and decryption. “Symmetric” means the encryption and decryption processes are reverses of each other. I must share the secret passphrase with anyone I want to be able to decrypt my encrypted data.

Public key or asymmetric encryption algorithms use a pair of keys: the public key and the private key. “Asymmetric” means that the process of encryption with the public key can only be reversed (decrypted) by using the private key (and vice versa). If you want to send me an encrypted message, you must have my public key--and only someone who has access to my private key (presumably, just me) can decrypt messages encrypted with my public key.

Hash functions accept plaintext data of any length and produce a fixed-length hash. These functions are sometimes called message digests or one-way encryption functions; the fixed-length hashes they produce appear to be random data. When correctly implemented, the hash value serves as a kind of digital fingerprint and can be used to verify that data received has not been modified in transit: the slightest change to the plaintext produces a completely different hash result.

Cryptographic processes combine some or all of these functions in various ways for different results. For example, secure web sites store hashes of passphrases--not the passphrases themselves. When you create a passphrase, the web site hashes it and saves the hash value. Every time you log in, the web site hashes your passphrase and compares the result to the hash value stored in the database. Wrong passphrase => wrong hash, user not authenticated. Correct passphrase => correct hash, user authenticated. Even if an attacker breaks into the web site database, he can’t recover your passphrase.
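The hash-and-compare login check described above, together with the fingerprint property of hash functions, as an added example in Python (not code from this book). The function names, the per-user salt, and the PBKDF2 work factor are assumptions of this example; the salt and deliberately slow hash are standard practice, so that identical passphrases do not store identical hashes and guessing stays costly.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value for this example)


def fingerprint(data: bytes) -> str:
    """Return the SHA-256 hash of data as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Count how many of the 256 hash bits differ between two inputs."""
    ha = int.from_bytes(hashlib.sha256(a).digest(), "big")
    hb = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(ha ^ hb).count("1")


def enroll(passphrase: str) -> dict:
    """Create the record a site would store: salt and hash, never the passphrase."""
    salt = os.urandom(16)  # random per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(passphrase: str, record: dict) -> bool:
    """Hash the login attempt with the stored salt and compare the results."""
    attempt = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), record["salt"], ITERATIONS
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(attempt, record["hash"])


if __name__ == "__main__":
    # Constructed sample inputs.
    print(fingerprint(b"pay Bob $100"))
    print(fingerprint(b"pay Bob $900"))
    print(differing_bits(b"pay Bob $100", b"pay Bob $900"), "of 256 bits differ")
    record = enroll("correct horse battery staple")
    print(verify("correct horse battery staple", record))
    print(verify("correct horse battery stapler", record))
```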

Likewise, public key encryption software combines public key and single-key encryption: the actual data is encrypted with single-key encryption, and only the encryption key is actually public key encrypted. This saves time: public key encryption takes more computer cycles and thus a long file might take minutes or even hours to public key encrypt--especially troublesome if the same data must be encrypted for more than one recipient (more than one public key).

Does “Secret” Mean the Same as “Private”?

A secret key and a private key are both meant to be “secrets” in the sense that I don’t tell them to anyone [3]. My private key, though, is for me only. It’s private! No sharing at all, or I’ve lost control over my public key pair, and that means two things follow: first, I can no longer assert that anything digitally signed with my private key actually originated from me (my digital signature can’t be trusted anymore), and second, whoever has my private key can now read any messages encrypted to my public key (all data encrypted with that key is no longer secure).

A public key pair consists of a public key (the opposite of secret/private since it is meant to be published), and a private key (“secret” in that it’s a key meant to be kept secret by its owner). That’s for public key encryption, a.k.a. asymmetric encryption, a.k.a. two-key encryption: private keys and public keys, in pairs.

The confusion sneaks in when discussing symmetric encryption, a.k.a. single-key, shared-key, or one-key encryption [4]; what some writers call a secret key may refer to the private half of a public key pair (private key), and what they call a private key sometimes refers to a secret key used for symmetric encryption.

It should go without saying that I will be using these terms unambiguously and urge others to do the same: private implies public key; secret implies a single key.

What Else Do I Need?

To get started doing encryption requires relatively little:

a modern computer (desktop, notebook, or netbook should all work) running an OS on which GnuPG will run (which is most of them),

an Internet connection (highly recommended, though not technically mandatory),

a strong interest or compelling reason to use encryption.

The right motivation--the reason you want to learn to do encryption--is critical. There’s not much point in learning to do cryptography if you have no reason to do it other than because it’s interesting or cool, but a good reason is a great motivator as well as a great incentive for doing cryptography correctly. A “good reason” is any reason that motivates you--and your motivation is entirely your own business.

What OS Should I Use?

To start, use whatever computer and OS you like best--or whatever you’re stuck with. There are versions of GnuPG that run on your OS, and working on your preferred/usual OS will help make it easier to get started.

Once you become comfortable using GnuPG, however, consider investing some time in learning to use it on a good Linux distribution: most GnuPG activity and development is done on Linux, and it is easier to use GnuPG on Linux than on commercial OSes. Most modern Linux distributions include GnuPG, so there is no need to install any software, and most Linux distributions can be live booted which means they can be booted from a DVD/CD or thumb drive, allowing you to use Linux on almost any system without installing anything.

How Do I Do All This Stuff?

Just because this is a book, we don’t have to pretend the Internet doesn’t exist.

If you have any questions about how to do things described here, answers are usually a few keystrokes away at your favorite search engine. Though I could have filled up hundreds of pages with instructions on how and why to use Linux, how to burn a live-boot DVD, how to use a text editor, or the history of open source software--in a book about doing cryptography--I thought it would be better to focus on using GnuPG to do cryptography.


[1] Fundamentals of Cryptography (http://crypto.loshin.com/2012/11/20/fundamentals-of-cryptography/) has links to some good introductory cryptography articles.

[2] Passphrase and not password; passphrase implies longer and more complicated. See http://crypto.loshin.com/2013/01/17/passphrases-vs-passwords/ for more.

[3] That is, except when I use a secret key to do symmetric (single-key) encryption and want to share the encrypted data with someone else. Then, I have to share the secret with the person I’m communicating with.

[4] Some writers, unfortunately including many people who are considered experts, use the term private key to describe the secret key used in symmetric encryption, or the term secret key to describe the private key of a public key pair. This can be quite confusing, but GnuPG is most often used for public key cryptography, so assuming that private=secret can minimize confusion.
