Encrypting Email Communications Using GpG4win – A beginner Guide (Part 1)

This Guide has been published on hakin9.org Info-Sec Magazine issue number 5 / 2014 , you can check it here: https://hakin9.org/hybrid-analysis/

 

 

 

 

In this guide, I am going to describe how to install and use GpG4win encryption software. First, we will define this tool, its components and will give a brief description of how the asymmetric encryption works.

GpG4win enables users to securely transport emails and files with the help of encryption and digital signatures. Encryption protects the contents against an unwanted party reading it. Digital signatures make sure that it was not modified and comes from a specific sender.

GpG4win supports both relevant cryptography standards, OpenPGP and S/MIME (X.509). And it is the official GNU Privacy Guard (GnuPG) distribution for Windows. GnuPG is free and open source software for both commercial and personal use.

What will you learn in this Tutorial?

In this guide, you will learn the following:

• Understand the concept of public /private key pair (asymmetric cryptography)
• Use GpG4win encryption program to encrypt/ decrypt messages using MS outlook

What should you know before?

• Understanding of working Windows OS and its main functions
• How to configure MS outlook to add new email account

GpG4win Tools

GpG4win installer (version 2) contains the following tools in Table 1:

BUT before we talk about how to use GpG4win, we need first to understand the cryptographic system it uses and how it differs from other methods.

Cryptography Systems

Mainly, we have two types of Cryptography systems:

• Secret key cryptography (symmetrical encryption),
• Public key cryptography (Asymmetrical encryption).

In cryptography, a key is a piece of information used by an algorithm to alter information, making this information scrambled and only visible to people who have the corresponding key to recover the information.

In secret key cryptography, both the sender and receiver must use the same key to encrypt and decrypt the message as in Figure 1 (this is why we call it symmetrical encryption). This imposes a security risk as we need to deliver the key to the recipient of the message in a secure way to make him able to decrypt the message. If an intruder catches the key, he will be able to decrypt the secret message and thus compromise the whole system.

Figure 1: Demonstration of Secret key cryptography system

In Public key cryptography, we use two keys, one for encryption and the second for decryption. We can distribute the public key everywhere without compromising the private key. A user will use his friend public key to encrypt the message; the receiver will use his private key (which should be kept secret) to decrypt this message. Although the keys are different, the two parts of this key pair are mathematically linked. The public key is used to encrypt plain text or to verify a digital signature; whereas the private key is used to decrypt ciphertext or to create a digital signature. Messages encrypted with a public key can only be decrypted using the same private key pair.
This method is far more secure than the symmetric cryptography, as the sender and receiver can exchange their public keys using any communication method while keeping their private keys secret to decrypt the messages received.

Let us demonstrate how public key cryptography works using this simple example:

• Rima wants to communicate secretly with Nihad, so Rima encrypted the message using Nihad’s public key (which he made available to everyone through his website OR on his email signature) and she sent the encrypted message to Nihad.
• When Nihad received the encrypted message, he used his private key to decrypt the message so he can read it.
• If Nihad wants to send an encrypted reply to Rima, he will use her public key to encrypt the message and send it to her.
  

  Figure 2: Demonstration of Asymmetric Cryptography – Public & Private Key pair

• When Rima receives Nihad’s reply, she will use her private key to decrypt the message so she can read it.

Digital Signature

After we have learnd how public/private key pair works, we need a method to make sure that the person who send us the encrypted message is whom he pretended to be. For example in our last demonstration, we said that if Rima wants to send a secure message to Nihad she should encrypt it using Nihad’s Public key, and Nihad will use his private key to decrypt the received message.

However, how can Nihad make sure that this message was sent from Rima, what if another person (Jessy for example) sent him the message pretending to be Rima! Here comes digital signature role in authenticating the sender of the message.

Rima can encrypt the message using her Private Key and send it to Nihad, Nihad now has to use Rima Public Key to decrypt the message, and because Rima’s private key is secret (and always should be) Nihad knows that this message is originated from Rima and not from anyone else because only Rima knows her Private Key. This is similar to a paper letter, a signature on the letter serves as a proof that this message was written by the person who signed it with his signature. Encrypting with a private key thus can be regarded as an equivalent alternative to placing one’s signature on the message. This is why it is being called creating a digital signature for the message.

In order to send the message secretly after signing it, Rima has to encrypt the message again using Nihad’s Public key and then send it to him, Nihad now has to decrypt the message using his Private key and then decrypt the result again using Rima Public key so he can read the message and also make sure it is originated from Rima.

GpG4win implements the digital signature concept by using Secure / Multipurpose Internet Mail Extension (S/MIME – X509) as in Figure 3, your key must be authenticated by an accredited organization before it can be used. The certificate of this organization, in turn, was authenticated by a higher-ranking organization and so on. Until we arrive at the so-called root certificate. This hierarchical chain of trust usually has three links:

• The root certificate
• The certificate of the issuer of the certificate (also the CA for Certificate Authority)
• Your own user certificate

A second alternative and non-compatible notarization method is the OpenPGP standard. It does not build a trust hierarchy but rather assembles a “Web of trust”. The Web of Trust represents the basic structure of the non-hierarchical Internet and its users. For example, if User B trusts User A, then User B could also trust the public key of User C, whom who does not know if this key has been authenticated by User A.

Therefore OpenPGP offers the option of exchanging encrypted data and e-mails without authentication by a higher-ranking agency. It is quite sufficient if you trust the e-mail address and associated certificate of the person you are communicating with.

Gpg4win allows for the convenient and parallel use of both methods when signing encrypted message. However, in this part of GpG4win tutorial I am going to describe the OpenGPG method only, X.509 certificate will be discussed in future parts of this article.

Figure 3: Digital Signature Using X.509 Certificate

GpG4win Installation

Now, we have a fair amount of information about how public /private key pair cryptography works and its main terminologies, it is the time to install GpG4win and begin sending encrypted messages!

• First, download Gpg4win windows installer from here < http://www.gpg4win.org/download.html >, and please note that in the time of writing the software version was “gpg4win-2.2.1.exe”, the same page holds program documentation.
• Then, double click the installer to begin installing the software, the first screen asks you to select your preferred installation language, next screen shows you the version number of the installation, click “Next” to continue, next screen shows the license agreement for using this software, click “Next” to continue,
• Finally, the next screen shows you the components associated with this software, here you can select which components you want to install as in Figure 4, in my case I will select all components to install, click “Next” to continue,

Figure 4: Select the GpG4win Components that you want to install

• Now, you will be asked by with a window to choose the installation directory, leave the default (C:\Program Files\GNU\GnuPG) and click “Next” to continue,
• Next window offers the choice to add program icons on desktop and quick lunch bar, select your preference and click “Next” to continue,
• After that, you can select where you want the program start menu folder (program shortcuts) to appears, the default is on a new folder called “GpG4win”, you are almost done now click “Install” to begin installing the software.

During program installation, a pop up message appears asking you whether you want “Claws mail” to be your default email program as in Figure 5, in my case I am using MS Outlook as my default email client, so hit “No” button to continue or “yes” if you do not have email client already installed and you want to use “Claws mail”,

Figure 5: GpG4win comes with email client, if you have one already installed hit “No” to prevent making it your default email client

Final window appears after finishing the installation asking you if you want to view the readme.txt file of the program.

Creating GpG4win Certificate

Now, we need first to create a certificate for us, this certificate will hold our key pair (private and public keys). This definition applies to both OpenPGP as well as S/MIME (S/MIME certificates correspond with a standard described as “X.509”).
Hence, open Kleopatra program using either the windows start menu OR program icon on desktop as appears in next screen:

Figure 6: Lunch Kleopatra Program to begin creating your certificate

The main Kleopatra Program interface appears, Select “File” Menu and choose the option “New Certificate” as follows:

Figure 7: Create New Certificate using Kleopatra

A pop up window will appear asking you which type of certificate you want to select; the differences and common features of the two formats have already been discussed before.
In my case, I will select the first option as follow “Create a personal OpenPGP key pair” as in Figure 8 and hit the “Next” Button to continue.

Figure 8: Certificate option dialog – we will select first option

Next dialog asks you to enter your name, email and comment; all this info will be made visible to the public as follows:

Figure 9: Entering Certificate details – comments are optional

Hit the “Next” button to continue, next screen shows a summary of the entered data, if everything is correct hit the “Create Key” button.

A pop up window appears, asking you to enter a passphrase for securing your key (use strong passwords with both big & small letters and numbers, symbols, at least 8 characters) as in Figure 10:

Figure 10: Enter a strong passphrase to protect your key

If everything is OK, the final window appears stating that Key pair was successfully created as in Figure 11 and you will be presented with your Fingerprint which is a 40 digits number and it is unique all over the world, you do not need to remember or write down the fingerprint, you can also display it later in Kleopatra’s certificate details.

Figure 11: Summary of newly created certificate

The above window (Figure 11) offers additional options. The first option allows you to make a backup of the newly created key and the second allows you to send your certificate by email to someone else using your default email client (with your new public certificate in the attachment) and the last option allows you to upload your certificate to Directory Service so all people can see it and use it to send you encrypted files/emails.

In my case, I will select the first option and make a backup of my newly created certificate and save it on my pc in “C:\Program Files/GNU/GnuPG/MyCert.gpg”. The file extension of the backup key will be as .asc OR .gpg like so in Figure 12.

Figure 12: Create a Backup of your certificate

Important-Note

If you saved the file on the hard drive, you should copy the file to another data carrier (USB stick, diskette or CD-ROM) as soon as possible, and delete the original file without a trace, i.e. do not leave it in the Recycle bin! Keep this data carrier and back-up copy in a safe place.

Now, click “Finish” in the main window to finish the key creation wizard, a new key with the name you specified will appear in Kleopatra main window under “My Certificates” tab as appears in Figure 13:

Figure 13: My new certificate appears in main Kleoptra program

By double clicks on this certificate, you can view its complete details as follows:

Figure 14: View Complete certificate Details

Furthermore, we can change both the passphrase (however, we will be asked to enter the old one) and the expire date of this certificate from within this dialog. In my case, I am making my certificate valid forever.

Send and Receive Encrypted E-mails using GpG4win

In order to send encrypted emails, you need to send your public key to the person that you are going to communicate with, to do this follow these steps:

• Open Kleopatra program

Right click on your newly created certificate (in my case, “DarknessGate certificate”) and click “Export Certificates …” as in Figure 15

Figure 15: Export your public key certificate

• Give your exported certificate a meaningful name and save it with “.asc” extension, you can open it using WordPad program as follows:

Figure 16: Viewing Certificate content using WordPad

• Now to send your public key certificate, you can open your preferred email client and copy the entire certificate file (which we already opened using WordPad) and paste it inside the email, or you can simply send it as attachment (this is the best method)

BEFORE sending and receiving messages, we need to make sure that we have the public key certificate of the person we are corresponding with and it is already imported inside our Kleopatra program , to do this follow the following steps:

•  In a previous step, we have described how to export our public key certificate from within Kleopatra to an external file with “.asc” extension and how to send it to our friend.
• In this step, we are going to reverse the operation and receive a public key certificate and import it to our Kleopatra program, so we can use it to encrypt our messages and send it to the person who owns this certificate.

Open Kleopatra program and click on “Import Certificates” button as follow:

Figure 17: Click Import Certificates to import new certificates to Kleopatra Program

• Select the certificate/file you want to import (public key certificate) and click Open; if the import was successful, a success window appears telling you this as the following Figure:

Figure 18: Success message after importing Adele.asc Certificate

• Click “Ok” to exit the window, the newly imported certificate appears in main Kleopatra program under “Imported Certificates” tap as follows:

Figure 19: The newly imported certificate appears in main Kleopatra program

Decrypting E-mails in Microsoft Outlook Express using the GpG4win Program Component (GpgOL)

There is an MS Outlook express plug-in for encrypting and decrypting emails automatically from within the Outlook email client. It supports nearly all available versions of MS outlook express versions (2003, 2007, 2010, 2013), to send encrypted emails using outlook follow these steps: (Update: 2016/09/23: In the new version of Gpg4win | The Outlook plugin GpgOL is compatible with Microsoft Outlook 2003, 2007, 2010, 2013 and 2016 (both 32 and 64bit). GpgOL supports MS Exchange Server for Outlook 2010 and higher.)

• Compose a new email in Outlook and address it to the person you are writing to (I am using Outlook 2010)
• Click on the GpgOL tap in the message bar and click the “Encrypt” button as follows:

Figure 20: Create new Email using Outlook 2010 and encrypting it using GpG4win Add -in

• After clicking the “Encrypt” button, select certificate dialog appears asking you to choose your encryption certificate and the signing type (OpenPGP OR X.509),

Figure 21: Select signing type and Encryption Certificate

• I selected to encrypt my email using OpenPGP In my case, I am sending the email using my email account which I used to create my certificate (webmaster@darknessgate.com) so it appears by default, the receiver public key certificate is also appears (Adele) as I already imported it to my Kleopatra program, click “OK” to continue, the entire message will be encrypted as follow:

Figure 22: Email encrypted (Scrambled) and ready to send

• Then, click the “Send” Button and YOU ARE DONE!!!

Remember:

I used the receiver public key certificate to encrypt the message.

How to Decrypt an Encrypted Message Sent to you?

As we mentioned before, in order for a person to send you an encrypted message, he needs first to have your public key certificate because he will use it to encrypt the message

Remember:

You should use your private key certificate to decrypt a message sent to you.

When receiving an encrypted message, follow these steps to decrypt it:

• Open the email using MS Outlook
• Go to the GpgOL tab in message Ribbon and click the “Decrypt” button

Figure 23: Click the “Decrypt” button in GpgOL tab in Outlook message to decrypt an encrypted email

• A new dialog appears asking you to enter your passphrase in order to decrypt the message, enter it and click “Ok” to see you email after being decrypted as follows:

Figure 24: Enter you passphrase to decrypt the message

• If everything was “Ok” and you entered the passphrase correctly, a success message will appears along with your email decrypted as in the following Figures:

Figure 25: Email is decrypted successfully

Making Sure you are talking With the Correct Person!

If we are going to communicate with people for the first time and you want to make sure that the public certificate you have, is really belong to them. We can check the fingerprint of their certificate as follows:

• Select the “Imported Certificates” tab in Kleopatra program and double click on any of the available certificates to view its details as in Figure 26:

Figure 26: View the Fingerprint of /Adele/ certificate by double clicking on certificate inside Kleopatra program

• Communicate with the owner of this certificate by email, phone or any other secure methods and ask him/her to send you their fingerprint, match their fingerprint with the version you have on your Kleopatra program , if both fingerprint match, this means the certificate is authentic, otherwise it is not

Conclusion

In this tutorial, we have demonstrated how to use GpG4win to encrypt and decrypt messages using Outlook 2010 through step-by-step tutorial supported with screenshot of our work.

In the coming part of this tutorial, I am going to describe more rich features of this tool directed for advanced users. So in the mean time, you may begin with encrypting/decrypting messages using this powerful tool to get used on it.

References

1. Crash course on cryptography, “Public key cryptography”, < http://www. iusmentis.com/technology/encryption/crashcourse/publickeycrypto/ >
2. “PKI (public key infrastructure)”, < http://searchsecurity. techtarget.Com /def inition/PKI >
3. “Gpg4win Compendium”, < http://www.gpg4win.org/documentation.html >