Table of Contents Introduction 4 Threat Model 4 Crypto Systems 5 Software You Can Trust 6 Anonymize Your Location with Tor 9 Off-the-Record (OTR) Chat 10 Service Providers and Jabber 11 OTR Clients 11 Your Key 11 Sessions 12 OTR Fingerprint Verification 13 Logs 15 “Pretty Good Privacy” (PGP) Email Encryption 16 Keypairs and Keyrings 16 Passphrases 17 Software 18 Encrypting, Decrypting, Signatures 18 PGP Isn't Just For Email 20 Identity Verification 21 Attacks 23 Tails: TheAmnesic Incognito Live System 24 PGP and Email in Tails 25 Workflow 27 A Fighting Chance 29 Freedom of the Press Foundation 3 / 29 pressfreedomfoundation.org.
Encryption Works How to Protect Your Privacy in the Age of NSA Surveillance Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
Crypto Systems We discovered something. Our one hope against total domination. A hope that with courage, insight and solidarity we could use to resist. A strange property of the physical universe that we live in. The universe believes in encryption. It is easier to encrypt information than it is to decrypt it. — Julian Assange, in the introduction of Cypherpunks: Freedom and the Future of the Internet Encryption is the process of taking a plaintext message and a randomly generated key and doing mathematical operations with the two until all that's left is a scrambled, ciphertext version of the message. Decryption is taking the ciphertext and the right key and doing more mathematical operations until the plaintext is recovered. This field is called cryptography, or crypto for short. A crypto algorithm, what mathematical operations to do and how to do them, is called a cipher. To encrypt something you need the right key, and you need the right key to decrypt it too. If the crypto software is implemented properly, if the math is sound, and if the keys are secure, all of the combined computing power on Earth cannot break this encryption. We build crypto systems that depend on problems in mathematics that we believe to be hard, such as the difficulty in factoring large numbers. Unless there are mathematical breakthroughs that make these problems easier—and the NSA is keeping them secret from the rest of the world—breaking crypto that relies on them for security is unfeasible.
Another important fact to know about encryption is that it's about much more than protecting the privacy of communications. It can be used to "digitally sign" messages in a way that proves that the message originated from the person you expected it to. It can be used to build digital currencies like Bitcoin, and it can be used to build anonymity networks like Tor.
has long had a reputation of being a secure way to communicate, has been feeding private conversations to the US government for the last five years. Skype, the Internet-based calling service, began its own secret program, Project Chess, to explore the legal and technical issues in making Skype calls readily available to intelligence agencies and law enforcement officials, according to people briefed on the program who asked not to be named to avoid trouble with the intelligence agencies. Project Chess, which has never been previously disclosed, was small, limited to fewer than a dozen people inside Skype, and was developed as the company had sometimes contentious talks with the government over legal issues, said one of the people briefed on the project. The project began about five years ago, before most of the company was sold by its parent, eBay, to outside investors in 2009. Microsoft acquired Skype in an $8.5 billion deal that was completed in October 2011. A Skype executive denied last year in a blog post that recent changes in the way Skype operated were made at the behest of Microsoft to make snooping easier for law enforcement. It appears, however, that Skype figured out how to cooperate with the intelligence community before Microsoft took over the company, according to documents leaked by Edward J. Snowden, a former contractor for the N.S.A. One of the documents about the Prism program made public by Mr. Snowden says Skype joined Prism on Feb. 6, 2011. Proprietary software, such as much of what's released by Microsoft, Apple, and Google, has another flaw. It's much more difficult for users to independently verify that secret backdoors don't exist at the clandestine demands of the surveillance state. Though recent reports have shown that many companies hand over an unknown amount of information in response to FISA requests, none have been shown to have direct backdoors into their systems. There is other software that's more reliable in this regard. Free and open source software9 is not always user friendly and it's not always secure. However when it's developed in the open, with open bug trackers, open mailing lists, open governing structures, and open source code, it's much more difficult for these projects to have a policy of betraying their users like Microsoft has. GNU/Linux is an operating system that's composed entirely of free and open source software. Examples of GNU/Linux distributions include Ubuntu10, Debian11, and Fedora Core12. It's the most popular free software alternative to Windows and Mac OS X.
In the 1990s, when civilian cryptography was becoming popular and the US government was doing everything they could to prevent it14, the "cypherpunk" movement was born. Many pieces of software intended to bring encryption to the people grew out of that movement.
Anonymize Your Location with Tor Tor19 is a software service that allows you to use the Internet while concealing your IP address, which is, in general, a fairly accurate representation of your location. The Tor network is made up of over 3,600 volunteer servers called nodes. When someone uses the Tor network to visit a website their connection gets bounced through three of these nodes (called a circuit) before finally exiting into the normal Internet. Anyone intercepting traffic will think your location is the final node which your traffic exits from. It's important to remember that just because your connection to the Internet may be anonymous that doesn't magically make it secure. EFF has made a great visualization20 of how Tor and HTTPS can work together to protect your privacy. Like all good cryptography software, Tor is free software, complete with an open bug tracker, mailing lists, and source code21. Documentation for Tails, the live GNU/Linux distribution that forces all of the user's network traffic to go through the Tor network, has this to say about global adversaries22: A global passive adversary would be a person or an entity able to monitor at the same time the traffic between all the computers in a network. By studying, for example, the timing and volume patterns of the different communications across the network, it would be statistically possible to identify Tor circuits and thus matching Tor users and destination servers. We still don't know whether or not NSA or GCHQ counts as a global adversary, but we do know that they monitor a large portion of the Internet. It's too early to know for sure how often these intelligence agencies can defeat the anonymity of the Tor network. Even if they can, using Tor still gives us many advantages. It makes their job much harder, and we leave much less identifying data on the servers we connect to through the Tor network. It makes it much harder to be the victim of a MITM attack at our local network or ISP level. And even if some Tor circuits can be defeated by a global adversary, if enough people are getting their traffic routed through the same Tor nodes at the same time, it might be difficult for the adversary to tell which traffic belongs to which circuits. The easiest way to start using Tor is to download and install the Tor Browser Bundle23.
When Snowden was answering questions on Guardian's website24 from a "secure Internet connection", he was probably routing his traffic through the Tor network. He may have also been using a bridge25 to connect to the Tor network to make the fact that he was using Tor from his IP address less obvious to eavesdroppers. Off-the-Record (OTR) Chat Off-the-Record26 (OTR) is a layer of encryption that can be added to any existing instant message chat system, provided that you can connect to that chat system using a chat client that supports OTR, such as Pidgin or Adium27. With OTR it's possible to have secure, end-to-end encrypted conversations over services like Google Talk and Facebook chat without Google or Facebook ever having access to the contents of the conversations. Note: this is different than the "off-the-record" option in Google, which is not secure. And remember: while Google and Facebook’s HTTPS connection is very valuable for protection against your message while it’s in transit, they still have the keys to your conversations so they can hand them over to authorities. 24 Edward Snowden: NSA whistleblower answers reader questions, http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-nsa-files-whistleblower 25 BridgeDB, https://bridges.torproject.org/ 26 Off-the-Record Messaging, http://www.cypherpunks.ca/otr/ 27 Pidgin, https://pidgin.im/; Adium, http://adium.im/ Freedom of the Press Foundation 10 / 29 pressfreedomfoundation.org.