In the discussion about governmental surveilance, telecommunications data retention, and fighting terrorism in Germany everybody, not only citizens of Germany, should be aware of that also your email communication is affected. Not only the connection data (who correspondet with whom when) is concerned, but also, based on the so called TKÜV all providers with more than 1000 customers/accounts have to implement a special interface for government agencies to divert the contents of email communication and save it there. Even if you, like German Minister of the Interior Dr. Wolfgang Schäuble, can say that you are “decent” (german: anständig), for sure nobody is pleasured knowing that potentially every single email could be saved and analyzed by strangers without his knowledge.
What possibilities do you have to prevent the acquisitiveness of the state? Simple answer: encryption! Encryption techniques are known for thousands of years, e.g. the Caesar cipher, and was enhanced continuously with new, more secure methods, until today. The maxim is: A cryptographic method mustn’t rely on the knowledge of the used algorithm. A method is reckoned as secure if the encryption cannot be cracked even if the used algorithm is known!
For email encryption asymmetric methods are used, that means to encrypt and decrypt a message different keysets are needed. A user willing to communicate securely needs to have a pair of keys consisting of a puclic and a private key. The public keys are exchanged between the communication partners. On sending the message is encrypted with the sender’s private key and the recipient’s public key. The recipient can decrypt the message using his own private key and the sender’s public key. Security of this method grounds on the safety of the private keys of sender and recipient.
To use email encryption some prerequisites have to be fulfilled:
- keys have to be generated
- support for the specific method in the preferred email client
There are two different email encryption methods available:
- S/MIME: security of a message (sender and recipient are really the persons they claim to be) is guaranteed by a central instance called certificate authority. To get a key you have to legitimate yourself using some sort of ID check (e.g. personal meeting and ID verification using passport) to the authority. Finally you’ll receive a key pair which’s validity is stored at the authority. On encryption and decryption the validity of all used keys (even those of all used certificate authorities) is guaranteed using certificate chain checks.
- PGP and it’s free counterpart GnuPG: In contrast to S/MIME there’s no central authority for PGP and GnuPG which checks the authenticity of the key owner. Rather the identity is checked personally in the user community. Specific data like key fingerprint and identity is checked between the two communication partners. If all is correct, the two partners sign their public keys one another and thereby establish a trust relationship. Advantage of this method is that you can trust specific users and don’t have to trust all users of a specific certificate authority.
To use encryption with GnuPG on your Mac the software GnuPG has to be installed. There are different was to do that:
- via MacPorts:
hermes:~ eddie$ sudo port install gnupg
- via Fink:
hermes:~ eddie$ fink install gnupg
- via an installation package (pkg file) from MacGPG:
MacGPG provides, sometimes not always current, packages for a simple install of GnuPG on your Mac.
If you already use one of the package managers MacPorts or Fink the installation using these is advised. If not use MacGPG as you needn’t compile additional software.
Furthermore there’s a plugin for OS X’s System Preferences to configure GnuPG through a graphical interface. Also there’s a utility for key management (adding, signing, creation of keys) called GPG Keychain Access is available at the website for download.
There exist differen solutions for the different email clients:
- If you use Thunderbird import the plugin EnigMail. Included is a utility to manage you keys.
- For Apple’s Mail there is a plugin called GPGMail contributed by Stéphane Corthésy. At the moment there is only a beta version (d51) available for Mac OS X Leopard (Mac OS X.5). I use Apple Mail exclusively, the plugin ran very stable and I encountered no problems so far. Management tools for the keychain are not provided by the plguin. You have to use the command line or other management software.
- Mulberry, which has become open source by now, has support for PGP/GnuPG already included. Here also no utilities for key management are provided.
All three email clients support S/MIME by default. You only have to import your certificates to use S/MIME encryption.
The usage of GnuPG with the different clients and key management will be topic in some of the next articles here at mac.partofus.org.
Zusammenfassung der Links
- http://de.wikipedia.org/wiki/TKÜV
- http://www.taz.de/index....mp;dig=2007/02/08/a0169
- http://en.wikipedia.org/wiki/Caesar_cipher
- http://en.wikipedia.org/wiki/S/MIME
- http://en.wikipedia.org/wiki/Pretty_Good_Privacy
- http://de.wikipedia.org/wiki/GNU_Privacy_Guard
- http://www.macports.org
- http://fink.sf.net
- http://macgpg.sourceforge.net/
- http://enigmail.mozdev.org/
- http://www.sente.ch/software/GPGMail/
- http://www.mulberrymail.com
Leave a Reply