Resources for the global digital safety training community.
PGP is one of the more difficult digital safety topics to train on effectively, especially if faced with time constraints. How you ultimately decide to sequence this section is up to you, but we’ve outlined the following points as elements of understanding the basics of PGP.
You may choose to use the story of Glenn Greenwald being contacted by Edward Snowden, and then asked to use PGP in their subsequent communications, as an example of:
This may or may not be a “case study” that is very persuasive for your audience and illustrates some of the common issues with PGP. If so, ask participants what they know about this aspect of the story, and then add more context to segue into further information about PGP.
You can also start by asking participants general knowledge and/or awareness questions, such as:
If you conducted the Romeo and Juliet - An Encrypted Love Story activity, you can reiterate various aspects from the story and pair them with what you’re about to cover, including private key, public key (“lockbox”), keyserver (“lockbox-tree”), etc.
A third option is asking participants what, in their opinion, makes something “secure.” Document their responses so that you can later show how their answers map onto the concepts that make something indeed “secure” or “more secure”:
Keep the answers to these questions documented on flipchart paper. Re-visit them after you’ve gone over PGP, in order to highlight how “regular email” cannot reliably provide Confidentiality, Integrity, or Authenticity because of who can access it, whether or not you use SSL. Compare this to PGP, when used correctly by both parties, and illustrate how it can provide Confidentiality, Integrity, and Authenticity.
Define HTTPS and SSL if you haven’t done so already in the training or during the previous activity - you may consider covering the basics of HTTPS & SSL with the We Are The Internet activity if you have not done so already:
In addition, everything we do once we login can be “seen” between us and the webmail server, including emails we read and write, contact information, and more.
Emails, chat conversations and instant messages always go through someone we don’t know because of how the Internet works.
Even a “secure connection” to an email service (for example, utilizing HTTPS with SSL) cannot protect the content of your email from the person or company who runs that email service.
The most secure way to protect your communications is through end-to-end encryption:
But you can table these issues for now, to then highlight their importance later on.
This protocol is interchangeably called PGP or GPG - the prime difference is that PGP was formally sold to Symantec, who now licenses its use as a paid platform, so most people use the free version called GPG.
We recommend not using PGP unless you completely trust Symantec, and anyone to whom Symantec may give your private key - the use of GPG, as a free equivalent with the same functionality, is highly advisable.
PGP/GPG is based on Public Key Cryptography, which is also known as Asymmetric Cryptography.
Symmetric Cryptography is much more challenging and harder to secure, since sender and receiver both need a way to share a common key with each other. This is a special challenge if the sender and receiver cannot communicate securely with each other in the first place.
Part of the “magic” of Public Key Cryptography is that it allows users to publicly publish their public keys for others to use, to send them messages or other types of data, since anything encrypted with that public key can only be decrypted and read by the person who has that private key.
Confidentiality is similar to something being “secret.” It means that only you and the sender have access to it; in the case of PGP, it means only you (the recipient) and the sender can read the plaintext, unencrypted version of an encrypted email. How do we know this?
Authenticity means that something is verified to be from or by whom it says it is from. In the case of PGP, this means that a message, document, or anything else signed or sent encrypted using PGP, has been sent by the person claiming to have sent it.
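To make the two properties above concrete for trainers who want to see them in code, here is an added example (not part of this curriculum, and not the OpenPGP protocol itself) using textbook RSA with two fixed Mersenne primes as a toy keypair: encrypting with the public key and decrypting with the private key shows Confidentiality, while signing with the private key and checking with the public key shows Authenticity. The primes, the sample messages and all function names are constructed for this illustration; real PGP keys are thousands of bits long and use padding schemes this toy omits.

```python
# Added teaching example: textbook RSA with tiny, fixed primes (constructed
# values), illustrating Confidentiality (encrypt/decrypt) and Authenticity
# (sign/verify). Not the OpenPGP protocol and not safe for real secrets.
import hashlib
from math import gcd

# Constructed primes for the demo: 2**31 - 1 and 2**61 - 1 (Mersenne primes).
TOY_P = 2147483647
TOY_Q = 2305843009213693951


def generate_keypair(p, q, e=65537):
    """Return (public_key, private_key) as ((n, e), (n, d)) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent; pow(..., -1, m) needs Python 3.8+
    return (n, e), (n, d)


def text_to_int(text, modulus):
    """Pack a short UTF-8 string into an integer smaller than the modulus."""
    value = int.from_bytes(text.encode("utf-8"), "big")
    if value >= modulus:
        raise ValueError("toy modulus is too small for this message")
    return value


def int_to_text(value):
    """Inverse of text_to_int."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode("utf-8")


def encrypt(public_key, message_int):
    """Confidentiality: anyone with the public key can encrypt..."""
    n, e = public_key
    if not 0 <= message_int < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message_int, e, n)


def decrypt(private_key, ciphertext_int):
    """...but only the holder of the private key can decrypt."""
    n, d = private_key
    return pow(ciphertext_int, d, n)


def _message_digest(message_bytes, n):
    # Sign a hash of the message rather than the message itself; reduced mod n
    # only because this toy modulus is far smaller than a SHA-256 digest.
    return int.from_bytes(hashlib.sha256(message_bytes).digest(), "big") % n


def sign(private_key, message_bytes):
    """Authenticity: only the private key can produce the signature..."""
    n, d = private_key
    return pow(_message_digest(message_bytes, n), d, n)


def verify(public_key, message_bytes, signature):
    """...while anyone with the public key can check it; any change fails."""
    n, e = public_key
    return pow(signature, e, n) == _message_digest(message_bytes, n)


if __name__ == "__main__":
    public, private = generate_keypair(TOY_P, TOY_Q)
    secret = text_to_int("hello", public[0])          # constructed sample
    print("decrypted:", int_to_text(decrypt(private, encrypt(public, secret))))
    sig = sign(private, b"meet at noon")                # constructed sample
    print("genuine message verifies:", verify(public, b"meet at noon", sig))
    print("altered message verifies:", verify(public, b"meet at ten", sig))
```

The last line of the demo is the point that matters for training: the signature that verifies for “meet at noon” fails for any altered text, and it also fails under any other public key, which is exactly why a participant must know they hold the sender's genuine public key before a verified signature means anything.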
Not confirming that the identity of the sender or receiver is authentic is another error that PGP cannot fully prevent on its own, which is why authenticating others’ keys via the fingerprints of their keys is crucial.
Explain that the full Key Fingerprint is a unique identifying string that is generated with each new keypair, and consists of 10 sets of 4 alphanumeric characters each; the Key ID is a shorter version of this (containing 0x and then the last 8 characters of the full Key Fingerprint).
8EF3 5BB8 8738 1EEB 87D8 CA4C 207B FB95 91A6 38BE (10 sets of 4 characters)
0x91A638BE (0x plus the last 8 characters of the full Key Fingerprint)
People’s identities can be spoofed by creating a key for an email address that looks like (but is not the same as) the address of the person it is pretending to be, using their name or other identifying features. This is usually a hostile third party who has a) gotten a copy of that recipient’s private key, or b) spoofed the recipient’s identity and fooled a sender who did not authenticate that recipient’s public key correctly.
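For trainers who want to show where the fingerprint and Key ID on the previous lines actually come from, here is an added example (not part of this curriculum) that builds a version 4 OpenPGP RSA public-key packet for a constructed toy key, computes its fingerprint the way RFC 4880 specifies (SHA-1 over 0x99, a two-byte length and the packet body), derives the Key ID forms from it, and compares a fingerprint read out loud or over the phone against the computed one. The key values and creation time are constructed; the function names are this example's own, and the only real fingerprint used is the one quoted on this page.

```python
# Added example: how an OpenPGP v4 fingerprint and Key ID are derived from
# the public key, and how to compare a fingerprint read out-of-band.
# Toy key material (constructed); the packet layout follows RFC 4880.
import hashlib

TOY_N = (2**31 - 1) * (2**61 - 1)   # constructed toy RSA modulus
TOY_E = 65537                        # public exponent
TOY_CREATED = 1500000000             # constructed creation time (Unix seconds)

# The fingerprint quoted on this page, for the format checks below.
PAGE_FINGERPRINT = "8EF3 5BB8 8738 1EEB 87D8 CA4C 207B FB95 91A6 38BE"


def encode_mpi(value):
    """OpenPGP multi-precision integer: 2-byte bit length, then big-endian bytes."""
    bit_len = value.bit_length()
    return bit_len.to_bytes(2, "big") + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_packet_body(n, e, created):
    """Body of a v4 RSA public-key packet: version, time, algorithm, MPIs."""
    return (bytes([4])                     # version 4
            + created.to_bytes(4, "big")   # key creation time
            + bytes([1])                   # public-key algorithm 1 = RSA
            + encode_mpi(n) + encode_mpi(e))


def v4_fingerprint(body):
    """SHA-1 over 0x99 || two-byte body length || body (RFC 4880, section 12.2)."""
    prefixed = bytes([0x99]) + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(prefixed).hexdigest().upper()


def format_fingerprint(fingerprint):
    """Render the 40 hex characters as the 10 groups of 4 shown on the page."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))


def short_key_id(fingerprint):
    """The form the page quotes: 0x plus the last 8 characters."""
    return "0x" + fingerprint[-8:]


def long_key_id(fingerprint):
    """The 16-character (64-bit) Key ID: the last 16 characters."""
    return "0x" + fingerprint[-16:]


def normalize(fp_text):
    """Drop spaces and case so a fingerprint read aloud can be compared."""
    return "".join(fp_text.split()).upper()


def fingerprints_match(read_out_of_band, computed):
    """True only when both are full 40-character fingerprints and identical."""
    a, b = normalize(read_out_of_band), normalize(computed)
    return len(a) == 40 and len(b) == 40 and a == b


if __name__ == "__main__":
    body = rsa_public_key_packet_body(TOY_N, TOY_E, TOY_CREATED)
    fp = v4_fingerprint(body)
    print("fingerprint:", format_fingerprint(fp))
    print("long Key ID:", long_key_id(fp), " short Key ID:", short_key_id(fp))
    # Any change to the public key material yields a different fingerprint.
    other = v4_fingerprint(rsa_public_key_packet_body(TOY_N, TOY_E, TOY_CREATED + 1))
    print("same key matches:", fingerprints_match(format_fingerprint(fp), fp))
    print("different key matches:", fingerprints_match(other, fp))
    print("page example Key ID:", short_key_id(normalize(PAGE_FINGERPRINT)))
```

Because the fingerprint is a hash of the whole public key, it is the value participants should compare when authenticating a key, not the 8-character Key ID: the short ID is only the tail of the fingerprint, and keys with the same 8-character ID can be generated deliberately, so a matching short ID proves nothing on its own.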
PGP was invented by Phil Zimmermann in 1991, so that he and others could securely access and send information over the internet using end-to-end encryption. This meant that even if it was intercepted, it could not be read without a user’s private key. Until this point, robust end-to-end encryption was proprietary and secret, primarily used and controlled by large companies and governments in order to communicate and send information securely.
Since the 1970s, there had been struggles between governments, academia, and companies about who could and who should be able to use encryption aside from governments. Robust encryption was not widely available for the average citizen, and the export of cryptographic systems was tightly regulated and controlled. Zimmermann made PGP available online for anyone to use, and published the source code so anyone could see how it worked. He also made it free.
In 1993, Zimmermann was targeted in a criminal case by the US Government for “exporting munitions without a license”. This is because PGP was a tool for communicating secretly, and high-quality cryptographic systems were considered weapons of war in the eyes of the US Government (as well as other governments). Robust cryptography that could not be “broken” by governments was a very valuable commodity, and governments liked being able to access any communications they could. Allowing PGP to be freely available to anyone in the world was considered threatening to the US government, which was constantly trying to break other countries’ cryptography systems and build stronger versions of its own.
The investigation into Zimmermann continued throughout the 1990s in the US, with the criminal investigation officially ending in 1996. The US export regulations regarding cryptography were substantially liberalized through a number of court cases and changes to the regulations - Zimmermann’s case was one of many during the “Crypto Wars” in the US during this time. The freedom for the average citizen to use “government-grade” cryptography to encrypt their communications was a crucial step for civil liberties online.
Related capabilities involving encryption, such as encrypting hard drives and encrypting connections to servers (such as when using online banking or other services), expanded the possibilities of what could be done online without the fear of having one’s sensitive information intercepted or accessed without authorization.
For the sake of demonstration, you may want to show participants the header of an unencrypted or encrypted email to show what it looks like and contains.
Even though PGP takes some practice and assistance to use at first, everyone can learn to use it. It is the only way to ensure that the emails (and any attachments) are truly encrypted end-to-end, so that they cannot be read even if they are intercepted by a hostile third party or are accessed by a mail service provider.