January 10, 2005

Securing Thunderbird email with OpenPGP

Author: Daniel Rubio

Email is commonly used in business today, yet only a small percentage of users take the time to guarantee their email is sent in a secure and confidential manner. If you're not part of that elite group, read on to learn how to set up OpenPGP with Thunderbird, the Mozilla mail component.

OpenPGP is a patent-free encryption scheme based on the same security architecture as the commercial version of PGP, which has been available since the early 90s. Thunderbird uses OpenPGP through the GnuPG implementation -- developed by the Free Software Foundation -- to interpret and send digitally signed and encrypted messages.

The first step in setting up Thunderbird with OpenPGP is to have GnuPG installed on your system. The majority of Linux distros include this package in their official release. Check for it on your system by entering the following command: which gpg. If it's not found, or if you are using a different operating system such as Windows or Mac OS, you will need to download and install it.

The cornerstone of GnuPG's security -- and hence of OpenPGP -- is the key pair. Made up of a private and a public key, it is used throughout the security loop by both sender and receiver, as we will observe in the rest of this article.

To create a key pair using GnuPG, enter gpg --gen-key at the command line. You will be prompted with a series of questions, such as the encryption algorithm, the key size -- which determines the encryption strength -- your name, your email address and a passphrase. Using the default answers is generally sufficient. Just keep in mind that your passphrase is your means of accessing the key pair and confirming your identity locally. The key pairs you generate are stored in your home directory under .gnupg on Linux, or under a GnuPG-specific directory on Windows or Mac OS.

Once you have created your key pair, it's time to configure Thunderbird to use it. To simplify the deployment of OpenPGP within Thunderbird, a special plug-in named Enigmail can be used. Download this plug-in and install it through the Tools--Extensions menu in Thunderbird, then exit and restart Thunderbird. You will then be prompted for the initial configuration settings.

The first task is to set the path where GnuPG is installed. By default this is /usr/bin/pgp on Linux. You can also specify additional flags to be used when invoking GnuPG, and allow Thunderbird to remember your passphrase for a certain length of time each session, so that you need not re-type the security credential every time you send an encrypted -- or digitally signed -- message. The other tabs in this initial setup window offer more advanced features, which we will not explore now; you can modify them later from the Enigmail--Preferences menu.

We are now ready to send an email using OpenPGP. Compose a message and select the OpenPGP icon atop the composer. A pop-up window will offer you three choices: Sign Message, Encrypt Message and Use PGP/MIME. We will explore the first two in the following paragraphs.

The simplest and least intrusive way of assuring security is signing your messages. Signing guarantees integrity to the recipients who are equipped to check it, even if other recipients are ill-equipped to fulfill their part of the security chain -- as we will outline further on.

Signing a message places a fingerprint onto the body of your message -- an actual text fragment -- which is generated from your private key. The recipient of the message can later verify this fingerprint using the public key of your key pair, which is why you make the public key readily available. In the event someone tries to forge a signed message pretending to be you, or tampers with your mail en route, your recipient needs to perform a check against your public key to detect such activity.

Enigmail checks signed messages automatically upon receipt, and informs you if the signature doesn't match the public key. The reason signing a message is so non-intrusive is that you don't force all your recipients to verify the signature. Those who wish to do so can obtain your public key and verify that the message is authentic; those who don't can still read the message.

Your public key can be published in several ways. The simplest is to send it directly to your contacts. You can also publish your public key on a centralized database, such as Keyserver.net, which lets your contacts obtain the key themselves without you having to send it to each of them individually. You can use GnuPG or Enigmail to create a text version of your public key. In Enigmail, select the OpenPGP Key Management option to export it to a text file. In GnuPG, use the following command: gpg --armor --export my@email.com, where my@email.com is the email address used when creating the key pair.

Since correlating signed messages with public OpenPGP keys is part of receiving secure messages, Enigmail also offers the possibility of importing all the public keys of your contacts. You'll need the public key of anyone to whom you wish to send encrypted messages.

If you opt to encrypt a message with OpenPGP, a pop-up window will prompt you to select the public key of your intended recipient. Once a message has been encrypted with a public key, only the holder of the complementary private key can read it. Unlike signing a message, encrypting an email requires that both parties be involved in the security process.
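The whole loop the article has walked through -- generating a key pair, exporting the public key in text form, signing and verifying, then encrypting and decrypting -- can be exercised from the command line with GnuPG itself. The script below is an added example, not code from the article; it assumes GnuPG 2.2 or later on the PATH, and the users, addresses, passphrase and message it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article: run the OpenPGP loop the article
# walks through (generate a key pair, export the public key, sign and verify,
# encrypt and decrypt) with GnuPG in throwaway keyrings. Assumes GnuPG 2.2+
# on PATH; the people, addresses, passphrase and message are constructed.

# Prints "ok" when every step behaves as described, "skip" if gpg is absent.
openpgp_cycle() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) || return 1
    alice="$work/alice"; bob="$work/bob"          # two users' ~/.gnupg
    mkdir -m 700 "$alice" "$bob" || return 1
    # Alice's gpg runs non-interactively; the passphrase is on the command
    # line only because this is a throwaway key.
    AGPG="gpg --batch --quiet --pinentry-mode loopback --passphrase alice-pass"

    # 1. Key pair: the article's "gpg --gen-key" with the default answers.
    GNUPGHOME=$alice $AGPG --quick-generate-key \
        "Alice Example <alice@example.com>" default default never 2>/dev/null || return 1
    # 2. Text (ASCII-armored) export of the public key, as in the article.
    GNUPGHOME=$alice gpg --batch --armor --export alice@example.com > "$work/alice.asc"
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$work/alice.asc" || return 1
    # 3. Bob imports it, so his keyring holds only Alice's public key.
    GNUPGHOME=$bob gpg --batch --quiet --import "$work/alice.asc" 2>/dev/null || return 1

    # 4. Alice clearsigns (body stays readable, like Enigmail's Sign Message).
    printf 'Meeting moved to 3pm.\n' > "$work/msg.txt"
    GNUPGHOME=$alice $AGPG --clearsign --output "$work/msg.asc" "$work/msg.txt" || return 1
    # Bob verifies with the public key alone ...
    GNUPGHOME=$bob gpg --batch --verify "$work/msg.asc" 2>/dev/null || return 1
    # ... and a copy tampered with en route must fail verification.
    sed 's/3pm/4pm/' "$work/msg.asc" > "$work/forged.asc"
    if GNUPGHOME=$bob gpg --batch --verify "$work/forged.asc" 2>/dev/null; then return 1; fi

    # 5. Bob encrypts to Alice's public key; only her private key decrypts.
    GNUPGHOME=$bob gpg --batch --quiet --trust-model always --encrypt \
        --recipient alice@example.com --output "$work/secret.gpg" "$work/msg.txt" || return 1
    GNUPGHOME=$alice $AGPG --decrypt "$work/secret.gpg" 2>/dev/null | grep -q '3pm' || return 1
    # Bob, holding no private key, cannot read what he encrypted.
    if GNUPGHOME=$bob gpg --batch --decrypt "$work/secret.gpg" >/dev/null 2>&1; then return 1; fi

    for h in "$alice" "$bob"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"
    echo ok
}
```

Source the file and call openpgp_cycle; it prints ok only if the tampered message is rejected and the ciphertext opens for Alice alone.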

Once you are comfortable using these OpenPGP options with Thunderbird, you can set default behaviours from the Enigmail--Preferences menu. If you administer multiple email accounts, each will require its own key pair, since the email address is part of the basis for generating your keys.

If you use Thunderbird as your email client, hopefully you will now begin using OpenPGP as described here to ensure yourself a more secure email environment.

Daniel Rubio is the principal consultant at Osmosis Latina, a firm
specializing in Enterprise Software development, training and consulting
based in Mexico.
