
Summary:

When it comes to secure online communication you can choose to secure the message, protect the identity of the messenger or both. These techniques for iOS and OS X devices will help ensure that your message gets to its intended recipient, and only that recipient.

Sending secret messages, the practice known as cryptography, has been part of our collective history for thousands of years. At its most basic, a key is used to transform the message from readable text into something illegible. Once the message has been sent, the recipient uses a key to transform it back into readable form. Anyone who intercepts the message in transit cannot read it without the key.

caesar cipher

A simple example of such a technique is the alphabetic letter replacement used in a child’s decoder ring. It is the basis of what is known as the Caesar Cipher, one of the earliest known forms of cryptography, used by the Roman general and statesman Gaius Julius Caesar. One of the challenges inherent in using a single key to both encrypt and decrypt is getting that key to both sender and receiver securely. Once the key has been compromised, all communications encrypted with it can be deciphered by anyone holding it. A Caesar cipher has a second weakness: there are only 25 possible shifts, so an interceptor need not steal the key at all and can simply try every one.
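The substitution described above, as an added example that is not part of the original article: a Caesar cipher in POSIX shell, followed by the trial-of-every-key loop that shows why a 25-key cipher is no protection at all. The function names and the sample plaintext are my own.

```shell
#!/bin/sh
# Added example (not from the article): a Caesar cipher and the attack on it.
# caesar SHIFT reads text on stdin and shifts every letter SHIFT places;
# the same function decrypts with shift 26-SHIFT. Non-letters pass through.
set -eu

caesar() {                                  # $1 = shift, 0..25
  upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
  lower=abcdefghijklmnopqrstuvwxyz
  # Rotate the alphabet: take 26 letters starting at position SHIFT+1 of the
  # doubled alphabet, e.g. shift 3 gives DEFGHIJKLMNOPQRSTUVWXYZABC.
  rot_upper=$(printf '%s%s' "$upper" "$upper" | cut -c"$(( $1 + 1 ))-$(( $1 + 26 ))")
  rot_lower=$(printf '%s' "$rot_upper" | tr "$upper" "$lower")
  tr "$upper$lower" "$rot_upper$rot_lower"
}

# Only 25 keys exist, so an interceptor simply tries them all and reads off
# the line that is English. Compare a 2048-bit RSA key or a 256-bit session
# key, where "try them all" is not an option.
crack() {                                   # ciphertext on stdin
  ciphertext=$(cat)
  k=1
  while [ "$k" -le 25 ]; do
    # Applying shift k undoes an encryption that used shift 26-k.
    printf '%2d: %s\n' "$k" "$(printf '%s' "$ciphertext" | caesar "$k")"
    k=$(( k + 1 ))
  done
}

# Demo with a constructed message and key 3, the shift traditionally
# attributed to Caesar.
secret=$(printf 'Attack at dawn' | caesar 3)                      # Dwwdfn dw gdzq
printf 'ciphertext: %s\n' "$secret"
printf 'decrypted:  %s\n' "$(printf '%s' "$secret" | caesar 23)"  # 26 - 3
printf '%s\n' "$secret" | crack
```

The `crack` output lists 25 candidates; line 23 is the only readable one, which is the whole attack. The sender and receiver still had to agree on the key 3 somehow, and that exchange is the problem public key cryptography solves.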

The basics of Pretty Good Privacy

Enter Pretty Good Privacy, or PGP for short. PGP uses what is known as public key cryptography: you publish your public key to the world while keeping your private key, also referred to as the secret key, to yourself. Anyone with the public key can encrypt information that only the holder of the private key can decrypt. With PGP, others use your public key to encrypt messages they send to you, and in turn you use their public keys to encrypt messages you send to them.

public key encryption

It may be best to think of the process of sending encrypted messages in reverse. The requirement starts with receiving encrypted messages, not sending them. So rather than thinking “I want to encrypt my message before I send it,” think “I need to encrypt their message before they receive it.” Since only the matching private key can decrypt a message, it is very important that everyone protect their private key. For that reason access to one’s private key is guarded by what is known as a passphrase, or simply put, a very long password.

OpenPGP solutions for OS X

OpenPGP is the standard (RFC 4880) that implementations such as GnuPG, an open source implementation of PGP, follow so that they interoperate with every other OpenPGP product. GPGTools (Free, Mac), which is based on GnuPG, is one such tool; it makes sending and receiving encrypted messages on OS X as easy as sending and receiving unencrypted ones by installing a plugin, GPGMail, into Apple Mail.

Sending a GPGMail Message

Download and install GPGTools – After downloading and installing the latest release of GPG Suite from gpgtools.org (which has been updated for OS X Mavericks and is backward compatible to 10.7), you will need to create a public and private key pair for the email address at which you would like to receive encrypted messages.

Create a public and private key – For the Apple Mail plugin to work properly, create the key pair for an email address you actually use in Apple Mail. During this process you will be asked to provide a passphrase. It protects your private key, so that someone who copies the keyring file still cannot use the key without it. Once completed, you are ready to receive your first encrypted email.

Publish your public key – To make your public key easy for others to find, you can upload it to a keyserver, a sort of online directory of public keys. Anyone can search a keyserver by email address and, if that address has a public key there, download it and send encrypted mail to that address. Keep in mind that keyservers do not verify uploads: anyone can publish a key under any address, so a correspondent should confirm your key’s fingerprint with you over another channel before using it.

Share and collect public keys – If you do not want to publish your public key on a keyserver, you can export it manually and decide how best to distribute it to those you want to receive encrypted messages from. Before anyone can send you an encrypted message, they must have your public key.

Sending encrypted email – From this point forward, when you send an email to someone for whom you have a public key, you will have the option to encrypt it. Simply press the encrypt button on the message. The GPGTools plugin for Apple Mail searches your keyring for a public key associated with the recipient’s email address.

OpenPGP solutions for iOS

On iOS the options are not quite as elegant. oPenGP ($3.99, Universal) and iPGMail ($1.99, Universal) are two products that will both encrypt and decrypt your OpenPGP messages. Each does a good job of managing your public keys and encrypting messages.

Sending an oPenGP Message

Importing keys – Both products offer Dropbox integration for managing your public key files. They can search keyservers for public keys and use iTunes to sync your collection of keys, so getting your public and private keys onto your iOS device is straightforward. Treat the private key with care here: a key file synced through Dropbox or backed up by iTunes is only as safe as its passphrase.

Receiving secure messages – Neither app is an actual mail client. To decrypt a message you will need to copy and paste the encrypted text out of the iOS Mail app, which is tedious when the ciphertext is embedded in the body of the email rather than sent as an attachment. Both apps can automatically decrypt an encrypted file handed to them through iOS’s “Open in…” feature.

Sending secure messages – Sending is much easier than receiving, as each app can send an email directly from within the app: select the recipient, type your message, encrypt and send. You can also encrypt a message for iMessage or any other channel by copying the encrypted text to the clipboard.

Design vs function – Choosing which of the two apps is best has been a challenge. oPenGP at first seemed to have a cleaner design and as a result was a little easier to use, but as I have sent more and more secure messages the mechanics of iPGMail have grown on me and now feel more natural. One thing iPGMail does that oPenGP does not is generate a key pair.

Protecting the messenger’s privacy

While technologies like PGP do a pretty good job of securing the contents of a message, they offer little protection for the messenger’s privacy. OpenPGP encrypts only the body of a message, not its headers: the sender and recipient addresses, the subject line and the Received lines that record the route the message took all travel in the clear, and the ciphertext itself normally names the key ID it was encrypted to. Nor does it protect the history of messages sent and received, or the account information stored on the email provider’s mail servers.
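The five GPGMail steps above, and the point just made that encryption does not hide who a message is for, as an added example that is not part of the article and not GPGTools’ own code: the same workflow done with plain GnuPG on the command line in throwaway keyrings, followed by a look at what the ciphertext still reveals. It assumes GnuPG 2.1 or newer on the PATH as `gpg`; the names, address and message are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or GPGTools): the GPGMail workflow with
# plain GnuPG in temporary keyrings, plus a check of what the ciphertext leaks.
# Assumes GnuPG >= 2.1 as "gpg". Names, address and message are constructed.
set -eu

MSG='Meet at the usual place, 09:00.'

# Step 1 (recipient): a key pair for the address you read mail at.
# %no-protection skips the passphrase only so the demo runs unattended; a
# real key needs one, because the passphrase is all that guards the private
# key once someone copies the keyring file.
make_key_pair() {          # $1 = homedir, $2 = real name, $3 = email
  gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# The 64-bit key ID named in the first packet of an OpenPGP ciphertext.
# Anyone holding the message can read this without any key at all.
visible_keyid() {          # $1 = homedir, $2 = ciphertext file
  gpg --homedir "$1" --batch --list-packets "$2" 2>/dev/null |
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]*\).*/\1/p'
}

# Runs the whole exchange and prints the text Alice recovers.
pgp_demo() {
  alice=$(mktemp -d); bob=$(mktemp -d)    # Alice holds the private key; Bob only her public key
  chmod 700 "$alice" "$bob"

  make_key_pair "$alice" 'Alice Example' alice@example.com

  # Step 2 (recipient): export the PUBLIC key; this is what goes on a keyserver.
  gpg --homedir "$alice" --armor --export alice@example.com > "$bob/alice.asc"

  # Step 3 (sender): import it and compare the full fingerprint with Alice
  # out of band before trusting it; anyone can upload a key for her address.
  gpg --homedir "$bob" --batch --quiet --import "$bob/alice.asc"
  gpg --homedir "$bob" --fingerprint alice@example.com >&2

  # Step 4 (sender): encrypt to Alice. --trust-model always stands in for the
  # fingerprint check a person would have done in Step 3.
  printf '%s\n' "$MSG" | gpg --homedir "$bob" --batch --quiet --armor \
      --trust-model always --encrypt --recipient alice@example.com > "$bob/msg.asc"

  # Caveat: the ciphertext names Alice's key ID, and the mail headers around
  # it are never encrypted. --hidden-recipient blanks the key ID, at the cost
  # of her client having to try every private key it holds.
  printf '%s\n' "$MSG" | gpg --homedir "$bob" --batch --quiet --armor \
      --trust-model always --encrypt --hidden-recipient alice@example.com > "$bob/hidden.asc"
  echo "recipient key ID in msg.asc:    $(visible_keyid "$bob" "$bob/msg.asc")" >&2
  echo "recipient key ID in hidden.asc: $(visible_keyid "$bob" "$bob/hidden.asc")" >&2

  # Step 5 (recipient): decrypt with the private key; only Alice can.
  plaintext=$(gpg --homedir "$alice" --batch --quiet --decrypt "$bob/msg.asc")

  gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$bob" --kill gpg-agent 2>/dev/null || true
  rm -rf "$alice" "$bob"
  printf '%s\n' "$plaintext"
}

pgp_demo
```

Run it as a script. The two key IDs printed on stderr are the caveat in miniature: a normal `--recipient` encryption names Alice’s key in the clear, which a keyserver lookup turns into her name and address, while `--hidden-recipient` replaces it with zeros. Neither option does anything about the To, From and Subject headers, which is why the rest of this section looks beyond OpenPGP.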

Private Swiss email accounts – If you are looking for a solution that does a pretty good job of protecting your privacy, then perhaps you need to look towards Switzerland. Given the country’s political neutrality, Swiss data centers are seeing more and more business lately. One such email provider is MyKolab.com. With its data center based in Switzerland, it offers a privacy-minded alternative to the popular free email services. Starting at $65/yr for personal email only, it is certainly a good place to start.

Anonymous surfing – Taking both your security and your privacy one step further, you will find NeoMailbox. In addition to secure email hosting it offers an anonymous surfing service, so NeoMailbox also protects the way you connect to the internet. Even if privacy is not a major concern to you personally, a tunneling service like the one NeoMailbox offers mitigates one of the biggest security threats of our era: eavesdropping on free Wi-Fi hotspots. With a privacy combo pack costing around $90/yr, it offers a whole lot more for an additional $25 annually.

Featured photo courtesy Shutterstock user Maksim Kabakou.

  1. Please add this iOS App for PGP/GPG emails:

    https://itunes.apple.com/us/app/secumail/id414328661?mt=8

    It is expensive, but I have been using it for months and it works very reliably.

    1. I use this one for only $5; encryption is free here and the app is not expensive
      https://itunes.apple.com/us/app/im+-pro7/id725440655?mt=8

      1. Jennifer, that has nothing to do with PGP/GPG!! Please!!!

  2. Great article!

  3. PGP is not confined to mail encryption but can also be used to encrypt files – optionally without the hassle of keys but using a password instead.
    GPGTools and GPG support this and on the iOS side of things there is PRISE (https://itunes.apple.com/en/app/pgp-cloud-storage/id523487506?mt=8)

  4. What is the difference between better OTR and PGP? Can anyone make such a comparison of pros and cons?

  5. How awesome would it be if Apple would just buy / acquihire the GPGTools guys and add this natively to OSX and iOS.

    1. S/MIME support, which is what this is, has been built-in to the OSes for years.

      Just get a certificate from a CA and install it. Done.

    2. I don’t think we can trust Apple if it says – now everything is secure

  6. To sound the cynic on this: if this cipher were to be cracked by brute force, how easily could it be done? i.e. if you are hiding messages you are more susceptible to investigation, and your message is probably not 100% uncrackable. https://storageous.wordpress.com/

  7. There are solutions for email AND internet security. When the servers are located in the US or Canada they are subject to the US Patriot Act. That means that when the government (NSA, IRS, etc.) requests information on us those companies MUST comply – and all without a search warrant. This is against the US Constitution’s 4th Amendment. Check out ForHisGlory.PrivacyAbroad.com for established Swiss-based companies that ARE NOT under US jurisdiction, and provide secure email, web surfing and data storage.

    1. yeah, but when Europeans use devices that are produced by US companies? Like this story with Angela Merkel http://www.newsmax.com/Newsfront/mccain-merkel-nsa-fire/2013/11/10/id/535792

    2. I have always been under the impression that all cryptography can be cracked by brute force. I may in fact have been wrong…

      Can’t you break PGP by trying all of the possible keys?
      http://www.pgp.net/pgpnet/pgp-faq/pgp-faq-security-questions.html#security-against-brute-force

      Theoretical limits of Brute-force attack
      http://en.wikipedia.org/wiki/Brute-force_attack#Theoretical_limits

      The creation of back doors in security, or the discovery of a ‘hole’ introduced in a particular implementation of a cryptography solution is far more likely than brute force at being the way one breaks into an encrypted message.

      That being said, it is widely believed that obtaining one’s private key and passphrase by compromising the security of the system used to decrypt messages is a much easier task.

      In the following episode of Tekzilla (Tuesday, September 10th, 2013), Hak5’s Darren Kitchen explains the great lengths he went through to ensure that the device he uses for decrypting (where he stores his private key) has not been compromised.

      http://revision3.com/tekzilla/death-of-security-darren-kitchen

      1. This was a reply to storage’s brute force question, sorry OldGlory13.

  8. I’ll be so bold to plug my own app since I use it every day on my MacBook. Free p2p file transfers with http://ricochet.it

    Coming Soon to iOS and Android as well

