Get our free book (in Spanish or English) on rainwater now - To Catch the Rain.

Encryption method: MOST

From Appropedia
Revision as of 18:16, 28 May 2013 by Wijnen (Talk | Contributions) (Initial edit)

(Difference) ← Older revision | Latest revision (Difference) | Newer revision → (Difference)
Jump to: navigation, search

MOST Encryption method

This page describes how, when and why encrypted communication is used within the MOST group. Feel free to adopt these procedures for other projects. When editing this page, please only claim a different workflow if this has been adopted by the MOST group, or clearly mark it as a proposal.

Why do we want to use encryption?

We're developing appropiate technology, which means that our results will be as accessible as possible. We publish our hard- and software as open source, free for anybody to use. Still, we want to be able to use private means of communication in some cases. This deserves an explanation.

One reason is that in science, publication in journals is important. If we would make our results available for download in advance, we run the risk that other people will claim them and get a paper from our work. We do not want this, so our results must be kept secret until publication.

Another reason is that we may want to discuss matters which really are private. It may be about family or health issues, for example. Sending e-mails with such information without encryption is like sending them on a postcard, and displaying it in the postoffice before it gets delivered. With encryption, the only thing that is displayed is the sender and receiver; it is like putting the message in a sealed envelope.

When do we use encryption?

One problem with communication is that many threads are being mixed into each other. While talking about one subject, it's natural to add a comment about another. Therefore, to prevent accidentally disclosing information that should be kept private, all e-mail communication must be encrypted.

Additionally, for sharing files which are too large to attach to an e-mail, or which we want to keep in a central place, we use a private revision control system which can only be reached through encrypted connections.

How does encryption work? A very short introduction

The technique we use is called public-key-encryption. The technique can be used for encrypting and signing (explained in a moment). With this system, every user needs to generate a so-called key-pair, consisting of a public key and a private key. The public key is published to all other people. The private key is kept strictly private. The encryption then uses mathematical algorithms on those keys and messages.

Encryption

Encrypting a message is done using the message and a public key. The result of the encryption is a block of data which is unreadable. The original message can be extracted from this data by using the private key which corresponds to the public key that was used. This means that anybody can create the encrypted message (because everybody has the public key), but only the person owning the private key can decrypt and read it. This is what encryption wants to achieve.

Signatures

Signing a message is done using a message any your private key. The result is an extra block of data, which can be shown in combination with the message and the corresponding public key, to be created with that private key. So this signature is cryptographic proof that can be checked by anyone, that the message was signed by the person with access to the private key. This is what we want a signature to mean.

So summarizing: a private key can be used to decrypt and sign messages, a public key can be used to encrypt a message and verify a signature.

How do we use encryption? A step by step guide to set it up

There are many ways to set up encryption. It's fine if you choose to use a different method. This is a procedure which works as simple as possible on Michigan Tech's campus network. If you have improvements which make things easier (without making them less secure), please let us know. Below is a step by step guide for computers which you maintain (as opposed to the MTU admins).

Setting it up on your MTU account

  1. Set up your e-mailaccount in Thunderbird. This is as easy as clicking the "use existing account" button, then entering your name, e-mail and (ISO) password, and tell Thunderbird to sort it out.
  2. Create your key-pair with gnupg.

To be finished

Setting it up on your own computer

  1. Install Mozilla Thunderbird, the Enigmail plugin and gnupg (Windows/Mac) on your machine. On GNU/Linux, install with your package manager instead of using the previous links. On Debian, note that Thunderbird is called Icedove.
  2. Set up your e-mailaccount in Thunderbird. This is as easy as clicking the "use existing account" button, then entering your name, e-mail and (ISO) password, and tell Thunderbird to sort it out.
  3. Insert the USB stick with your key.
  4. Set up gnupg to look for your keys on your usb stick instead of its normal location. How to do this differs per operating system.
    • On GNU/Linux, you want to make a symbolic link in your home directory named ".gnupg" (note the period at the start) which points to the place where your key is, probably somewhere under /media/. If a directory with that name already exists, you should remove it. But take care; it may contain keys you don't want to lose. If you're not sure, rename it instead of removing.
    • On Windows, set the environment variable GNUPGHOME to the directory on the USB drive.
    • On a Mac, probably any of the above works, but I don't know how to do that; please add this information here if you do.

To be finished