Sent Private Key Block instead of Certificate

I created an OpenPGP certificate and wanted to practice using it with “Adele”. I exported the certificate and attached it to the message to Adele. When I received the reply I looked at the attachment that I sent and it said it was a private key block! So apparently I sent my private key thinking it was the certificate. This is somewhat disturbing so I was wondering if anyone has a clue as to what went wrong.

I have gone over the instructions several times and while the most obvious things are clearly explained, really important things like this don’t seem to be covered at all.

Just follow-up info to my original question. I didn’t send the secret key; I attached the Certificate. I created the “Certificate” with Kleopatra and the interface suggested that the document was created to be made public. That is what I attached to the email I sent to “Adele” but it contained only my secret key. I hardly see how that should be made public. There were no options given to create a public or secret key so I assumed that the Certificate would only contain the public key. I have used computers since the early days of DOS and am not entirely ignorant of the lay of computerland. It seems the software interface would take into account the dangers of this kind of thing and include a warning or option or something to prevent this kind of thing happening.

OK, Mea Culpa. I have exported the certificate again several times and when I read it the only thing that is contained is my public key. So somehow I must have made a mistake in the file I attached.
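A pre-send check for the mix-up described in the posts above, as an added example that is not part of the original thread or of Gpg4win: it classifies an exported file as public or secret from both the ASCII-armor label and the first OpenPGP packet tag, so a mislabelled or binary export is still caught. The function names and the sample blocks are constructed for illustration and contain no real key material.

```python
import base64
import re

SECRET_TAGS = {5, 7}   # Secret-Key and Secret-Subkey packets (RFC 4880)
PUBLIC_TAGS = {6, 14}  # Public-Key and Public-Subkey packets
ARMOR_BEGIN = re.compile(rb"-----BEGIN PGP ([A-Z ]+)-----")

def first_packet_tag(binary):
    """Tag of the first OpenPGP packet, or None if this is not a packet."""
    if not binary or not binary[0] & 0x80:
        return None
    if binary[0] & 0x40:            # new-format header: tag in bits 5-0
        return binary[0] & 0x3F
    return (binary[0] >> 2) & 0x0F  # old-format header: tag in bits 5-2

def dearmor(data):
    """Return (armor label, decoded body); label is None for binary input."""
    m = ARMOR_BEGIN.search(data)
    if not m:
        return None, data
    body, in_body = [], False
    for line in (l.strip() for l in data[m.end():].splitlines()[1:]):
        if not in_body:
            in_body = not line      # a blank line ends the armor headers
        elif line.startswith((b"=", b"-----END")):
            break                   # CRC-24 line or end of armor
        else:
            body.append(line)
    return m.group(1).decode(), base64.b64decode(b"".join(body))

def classify_export(data):
    """'secret' if either the armor label or the first packet says so."""
    label, binary = dearmor(data)
    tag = first_packet_tag(binary)
    if tag in SECRET_TAGS or (label and "PRIVATE" in label):
        return "secret"
    return "public" if tag in PUBLIC_TAGS else "unknown"

def constructed_sample(label, header_byte):
    # Constructed data: one packet header byte plus filler, not a real key.
    body = base64.b64encode(bytes([header_byte]) + b"\x00" * 8)
    name = label.encode()
    return b"-----BEGIN PGP %s-----\n\n%s\n-----END PGP %s-----\n" % (name, body, name)

if __name__ == "__main__":
    print(classify_export(constructed_sample("PUBLIC KEY BLOCK", 0x99)))   # public
    print(classify_export(constructed_sample("PRIVATE KEY BLOCK", 0x95)))  # secret
    print(classify_export(constructed_sample("PUBLIC KEY BLOCK", 0xC5)))   # secret
```

Run `classify_export` on the bytes of the file you are about to attach; anything other than `public` should not leave your machine.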

If you want to practice with a real person, see my offer in thread ‘If you need practice’ dated 31st October.

William, this is a duplicate of my message to you in a different thread, just to make sure that you get it.

Hi William,

I was watching these posts by e-mail with mild interest until I noticed the phrase “I am trying to use this for secure journalistic purposes…”, when alarm bells began to ring. I can appreciate that it is essential that you figure this out, and are able to help your correspondents do so as well, and that you are sure you’ve got it right.

So first, as “Nippon Bill” points out, the security of your e-mail depends absolutely on keeping your secret, or private, key exactly that - secret and private. Only your public key is to be sent out across the Web, uploaded to a keyserver, or otherwise distributed to your correspondents. When you eventually establish the key-pair that you will actually be using seriously, as opposed to the one you are experimenting with now, you need to back it up securely somewhere, i.e. on a disk/flash drive in a safe. Otherwise if your PC expires or crashes, you may finish up with an archive of e-mails that you can’t read any more. And if your computer is compromised, your keypair may be stolen from it, so the backup file should be securely erased from your computer once you have it safely stored elsewhere. (Ideally you should have two backups in separate places. Yes, OK, so I’m paranoid. If you’re a journalist, so should you be.)

To learn how to communicate securely, using secure e-mail, I used the combination of the Mozilla Thunderbird e-mail client and its add-on, Enigmail (with GPG4win installed beforehand, which I guess you’ve already done). I thoroughly recommend that you do the same. There is an excellent manual on Enigmail, written by one Daniele Raffo of the Enigmail team, which takes you through the whole process, including a short section on Adele the robot. It’s so good that I actually sent Daniele an (encrypted) e-mail congratulating him on it, and received a very modest (encrypted) reply. You can find it here: https://www.enigmail.net/documentation/handbook.php. I downloaded the PDF and put it on my tablet, and continually refer to it, as well as the GPG4win compendium PDF. If I were you I would read the two in conjunction.

For Gmail webmail, you can use Mailvelope, which also uses OpenPGP encryption, so your keys also work with it, although you may have to import them separately into Mailvelope’s keyring - not sure, I’ve only just started using it, but overall it is simple enough. See website here: http://www.mailvelope.com/. For the Chrome browser you can install the Mailvelope extension from the Chrome Webstore, but for Firefox you need to download the latest extension beta from the Github project website - don’t worry, it works fine.

After you have gone through Raffo’s manual and tried Enigmail, come back and ask if you have any further problems. There are one or two fine tweaks that you might want to know about, but they only become relevant later.

If you decide that you just want to send encrypted text via Gmail without using the more secure methods of fully-encrypted e-mail, there is a way of doing that, via Chrome, here:
http://refugeeks.com/secure-streak-a-chrome-extension-to-encrypt-your-gmail-emails/.
I made a comment on the site about the security of the encryption (which looks good - the encryption, not the comment).

For general encryption of sensitive documents on your computer, I recommend Truecrypt, here:
http://www.truecrypt.org/

And recommended reading on computer security is anything by Bruce (Trust the Math) Schneier. (https://www.schneier.com/)

A few remarks:

  • Truecrypt is non-free software. (See the Wikipedia entry for why. You’d better try an alternative that is Free Software, e.g. DiskCryptor.)
  • I have doubts that Mailvelope is end-to-end security. Most other browser solutions will not be either. But you want end-to-end security.
  • If you do not trust your browser or email application, you can always just use Gpg4win and only work on attachments. That is a conservative choice. It may be less comfortable than an email or web mail integration, but it is likely to be more secure.

  1. Truecrypt is freeware. Wikipedia: “Freeware (portmanteau of “free” and “software”) is software that is available for use at no monetary cost or for an optional fee,[1] but usually (although not necessarily) closed source with one or more restricted usage rights.”

Truecrypt is also “source-available” software, in that the source code is available for public viewing. However, Truecrypt is not considered to be “open-source software” by the Open Source Initiative. Wikipedia: “The TrueCrypt License has not been officially approved by the Open Source Initiative and is not considered “free” by several major Linux distributions (Arch Linux,[60] Debian,[61] Ubuntu,[62] Fedora,[63] openSUSE,[64] Gentoo[65]), mainly because of the distribution and copyright-liability restrictions.”

This does not alter the statement that the software is freely available for public use.

Although vulnerabilities have been found in the application of Truecrypt to full-disk encryption (which are generally shared by other disk-encryption software), all efforts to break the basic encryption in law enforcement actions have so far failed.

  2. I cannot speak to the overall security of the Mailvelope solution. However, Mailvelope maintain that their application encrypts the e-mail body to OpenPGP standards, and Gmail transports it over SSL encryption (https). It will be decrypted from its SSL form on arrival at the Google servers, but will remain encrypted as an OpenPGP message. It will, or should, then be re-encrypted to be transported over SSL to its destination.

It may not be perfect, but it is probably as near end-to-end encryption as you are going to get for webmail. Ultimately the decision comes down to whether you trust Mailvelope or not. It may be reassuring to find independent reviews for it on the Web.

  3. The best solution remains Thunderbird/Enigmail/GPG4win, or S/MIME with Outlook or another S/MIME-compatible e-mail client. S/MIME requires you to have a PKI e-mail certificate, but these are freely available from CAcert.org, Comodo, and TrustCenter.

I would endorse JM Ward’s observations regarding the use of Thunderbird with the Enigmail add-on. Enigmail’s documentation is good as is their forum if you have any difficulties.

I would add further that Enigmail has a very good key manager which (with GPA and Kleopatra) gives you a third GUI for generating and managing keys. Furthermore, Enigmail’s key manager is the only one of these 3 GUIs to take you through a revocation certificate generation after creating a new key pair. That is a very useful alternative to the command line.

JM Ward also sums up pretty well the situation with Truecrypt. Personally, I have no knowledge of Mailvelope. I would suggest avoiding Outlook since users seem to experience a load of problems (at least compared with Thunderbird users).

CAcert certainly provides x509 certificates for S/MIME in a user-friendly way but I have yet to succeed in using them easily with Kleopatra. X509 certs slow down my Kleopatra and render it practically useless. I suspect that there is some insufficiency in the documentation with Kleopatra / Gpg4win regarding x509 use in Windows7 64 bit that prevents me from setting it up correctly. But previous requests for support on this forum have not led to a usable answer. For the present, I stay on gpg use.

Regarding your remark about the secret key being stored on your computer in \user\app data, these key rings are not easily exploitable without your secret pass phrase. In any case, the general remark remains valid that if someone else has physical access to your computer, it isn’t your computer anymore.

Philip,

I have the same problem as you regarding X.509 certificates and Kleopatra; that’s why I suggested using them with Outlook or another e-mail client. It is a bit tricky setting up S/MIME with Outlook; typically for Microsoft, this less-used facility is well hidden, several layers deep in Options. There is also a nasty bug when using Comodo certificates, for some reason, which hangs Outlook 2010. Microsoft has issued a hotfix for this.

As you say, using Outlook with OpenPGP is more problematic, although the latest GpgOL does seem to work. However, I have had success with the Outlook Privacy Plugin, here: http://code.google.com/p/outlook-privacy-plugin/. This looks like a well-executed project; the plugin works very well with OpenPGP, but does not support encryption with PGP/MIME. (But then, does anyone actually use PGP/MIME?).

Regarding Mailvelope, apparently the team have recently had the software put through a security audit, and made changes with the advice of the audit team (see their Security page). This is encouraging; you seldom see this kind of verification declared by freeware producers. (Apparently Truecrypt will soon be going through a similar audit).

One weakness that was pointed out with respect to Mailvelope used with Gmail was that Gmail is reliably reported to make multiple copies of your plaintext even as you are typing it. This means in general that if you type rude remarks about someone, then erase the message and rewrite it politely, then encrypt it, the rude remarks remain on file on Google’s servers, as plaintext, ready to be subpoena’d! Mailvelope has corrected this by providing a separate text-entry window for your message which is not accessible by the Gmail web-page code.

Mailvelope can also be configured for Outlook.com and other webmail providers. Because of the attitude of openness about Mailvelope, I would tend towards trusting it, certainly above most similar software.

JM : thank you for the additional remarks about Mailvelope and Outlook. I have the impression that S/MIME is very much a poor relation when it comes to encryption support. I’m leaving x509 / Kleopatra on the back burner for the present with the expectation that I’ll get it sorted later.

In the meantime, gpg works fine for me with Thunderbird / Enigmail. I have no use (or great faith) in cloud services nor in webmail and the stories about Gmail do nothing to encourage me to change that opinion.

Philip,

Re cloud services: I have no confidence in cloud services based in the US; however there is a European provider called Wuala (https://www.wuala.com/), which enables encryption/decryption on the client computer. They claim not to be able to decrypt data on their servers, which are based in the EU (Switzerland, Germany, France), and their software engineering is associated with ETH University, Zurich. Accordingly, I have 25 GB of storage with them.

There is a US equivalent, Bitcasa, but they are rather evasive about the possibility of decryption on their servers under subpoena, and as they can provide streaming media to a web application not running any form of extension, I doubt their security.

JM : if I had to use a cloud service, it would be European rather than US based and preferably European with no significant US presence. At present European data protection seems to be of a higher standard although always under siege from business lobby groups. Encryption on the client computer would be the only way to retain any control.