“Civilization is the progress toward a society of privacy. The savage’s whole existence is public, ruled by the laws of his tribe. Civilization is the process of setting man free from men.” — Ayn Rand

The battle to define the rights of the individual versus the rights of society creates an interesting conflict in the security world. A classic tale in the development of the Internet is that of Phil Zimmermann. Phil is the creator of Pretty Good Privacy (PGP), an email encryption software package. To quote from Phil’s site:

originally designed as a human rights tool, PGP was published for free on the Internet in 1991. This made Zimmermann the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread worldwide. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world. After the government dropped its case in early 1996, Zimmermann founded PGP Inc.

Under US export regulations, cryptosystems using keys larger than 40 bits were then considered munitions. Phil was charged with “munitions export without a license” since PGP used keys 128 bits and larger.

Where it gets really interesting is in how Zimmermann challenged these regulations. He published the source code of PGP in a hardback book, via MIT Press. This allowed anyone to scan the pages, recreate the source code, and build the application. While “munitions export” was restricted, the export of books is protected by the First Amendment. In congressional hearings, Zimmermann read letters he had received from people in oppressive regimes whose lives had been saved by PGP. This contributed greatly to public awareness of the value of encryption and of the work of Phil Zimmermann.

The case also brought up some interesting legal questions. Sure, the publication of the source code in a book was a legal maneuver, but where is the line between speech and source code? The other night I was at BestBuy trying to return a game DVD. It was a gift, and turned out to be too violent for my nephews. I was told that I could not return it because of federal regulations. The idea being that I might have taken the game home, copied it, and was now trying to return it. BestBuy was claiming that federal regulations would not allow them to take the game back. Now, I understand from a business perspective not accepting the games back; but claiming federal regulations? In the case of PGP, if someone in China downloaded PGP from the MIT site, was Phil Zimmermann responsible? If I choose to break the law and copy the game, would BestBuy be responsible? What about NetFlix, BlockBuster, WalMart, etc.?

Discussing legal issues is not the reason for my post. I wanted to do a writeup on installing FireGPG. FireGPG is a Firefox extension which provides an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG. The GNU Privacy Guard (GnuPG) is a free replacement for PGP. A commercial version of PGP was released after the Federal criminal investigation ended in 1996. There is also the OpenPGP standard. The current version of FireGPG is 0.4.7. The version matters, because the FireGPG team has just fixed an XSS vulnerability. Roee Hay, from IBM, posted the vulnerability description on his blog, “(FireGPG) Browser-based XSS.” In version 0.4.6, the issuer name was not sanitized or validated against malicious input. To quote Roee, “If the issuer name (which is provided with the public key) contains a malicious JavaScript, it will be executed under Gmail’s context! An XSS under Gmail allows the attacker to impersonate the victim by controlling his mailbox, steal his cookies and so on.”
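To make the bug class concrete, here is an added example (my own illustration, not FireGPG’s code or Roee’s proof of concept) of a status banner built from a verified signature’s issuer name. The key ID, the sample user IDs and the render functions are all constructed for this example; the fix is to validate the OpenPGP user ID and HTML-escape it before it ever reaches the page.

```javascript
// Added example, not FireGPG's own code: the "issuer name" (OpenPGP user ID)
// that arrives with a public key is attacker-controlled input. Building the
// status banner by string concatenation is the defect described above;
// validating the user ID and HTML-escaping it before insertion is the fix.

// Escape the characters that have meaning in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Conservative validation of an OpenPGP user ID, "Name (Comment) <email>":
// the only angle brackets allowed are the pair around the e-mail address,
// so anything that looks like a tag is rejected outright.
const USER_ID_RE = /^[^<>]*(?:<[^<>\s@]+@[^<>\s@]+>)?$/;
function isValidUserId(uid) {
  return USER_ID_RE.test(uid);
}

// Constructed verification result, shaped like what an extension gets back
// from gpg. The key ID is a placeholder, not a real key.
function makeResult(uid) {
  return { valid: true, keyId: "0xPLACEHOLDER", issuer: uid };
}

// BEFORE: the vulnerable rendering, kept only to show the defect.
function renderStatusVulnerable(result) {
  return '<div class="status">Good signature from ' + result.issuer + "</div>";
}

// AFTER: validate, then escape. A user ID that fails validation is replaced
// by the (escaped) key ID so the user still sees something meaningful.
function renderStatusSafe(result) {
  const who = isValidUserId(result.issuer)
    ? escapeHtml(result.issuer)
    : escapeHtml(result.keyId);
  return '<div class="status">Good signature from ' + who + "</div>";
}

// Constructed sample user IDs: one benign, one carrying markup.
const BENIGN_UID = "Abbot <abbot@securitymonks.com>";
const HOSTILE_UID = 'Abbot <abbot@securitymonks.com><img src=x onerror="alert(document.cookie)">';
```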

I have installed FireGPG on Linux, OpenBSD, Mac OS X, and Windows XP. I have heard that FireGPG does work on Windows Vista. The installation is fairly straightforward, no matter what OS you are using:

  1. Install GnuPG, the free software version of the OpenPGP privacy standard. For Mac OS X, you would want to install Mac GnuPG. For Windows, you will need WinPT.
  2. Optionally, under Unix you might want to install a graphical front-end for GnuPG.
  3. Generate a pair of keys. On non-Windows systems, this comes down to issuing the command gpg --gen-key from the command line (unless you have a GUI interface set up). Under Windows, open WinPT. WinPT will complain about the lack of a key pair and offer to “Have WinPT to generate a key pair.”
  4. Install the Firefox add-on.

Once you have installed the FireGPG extension and restarted Firefox, you are ready to encrypt text in any web page. Many postings have focused on Gmail, with reason: FireGPG integrates well with Gmail, adding extra buttons when you compose a message. These buttons include “Sign,” “Sign and send,” “Encrypt,” “Encrypt and send,” “Sign and encrypt,” and “Sign, encrypt and send.” FireGPG will also work for sending and receiving encrypted messages with the AOL / Netscape, HotMail, and Yahoo WebMail services. On any web page you can highlight text and encrypt it in two ways. First, select the text, and then click the right mouse button. You will now see a FireGPG selection option. Second, select the text and use the available commands under the Tools -> FireGPG menu. Under the FireGPG selection, you can further select “Sign,” “Verify,” “Encrypt,” “Sign and encrypt,” “Decrypt,” “Import,” “Export,” “Text editor,” and “Options.” Borrowing from Dmitri Popov’s post:
FireGPG Text Selection
The above instructions cover how to install the required software. To exchange secure email, you are going to have to exchange public keys. Some people will put their public key on their website. I have even seen it included in an email signature. To export the public key into a text file using WinPT, choose Key->Export. The key can then be exchanged however you wish. Under Unix, you will need to issue a few commands.

  1. Export the public key:
     $ gpg --armour --export abbot@securitymonks.com > abbot_pub.asc
  2. Exchange the public key with those who will be receiving your encrypted emails.
  3. Recipients will need to import this file:
     $ gpg --import abbot_pub.asc
  4. Recipients should verify that the key was imported correctly by listing the keys in their keyring:
     $ gpg --list-keys

For more details, especially concerning particular operating system instructions and using gpg, please review the following posts:

Michael W. Lucas has published a very good book, “PGP & GPG: Email for the Practical Paranoid.” If you would like to preview the book, it is available on Google Books.

Update: After doing this post, on 01/14/2008 Adrian Crenshaw at IronGeek.com posted video instructions on “Using GPG/PGP/FireGPG to Encrypt and Sign Email from Gmail.” The tutorial does a very nice job of showing how to use GPG and the FireGPG plug-in to encrypt and decrypt messages in Gmail.

Trackbacks/Pingbacks

  1. [...] of GnuPG to do gpg-encrypted backups. In the meantime, why not check out my posting “FireGPG, GnuPG, and WebMail Services“? The post will provide information on setting up a way to send encrypted emails through your [...]