Mac OS X Security Part Five: Email Encryption

Last week we tweaked a few things for security in some Mac OS X email programs. Today we look at encryption of email messages. As they say, don't write in email anything you wouldn't have printed on the front page of the New York Times. Good idea.

Security works two ways. Together with virus scanning, good security settings in an email program help keep trouble from getting in. You can also encrypt your own messages and attachments before they go out, although the recipient needs the same tools at the other end to decode it all. My favorite package is PGP, which is now being ported to OS X in a package called Mac GNU Privacy Guard under the GNU license, or GPG for short. It uses a public and private keys exchange mechanism. You really need someone with it or the original PGP installed to bounce practice messages back and forth until you get the hang of it. I have PGP experience with Eudora for Windows and Mac, into which PGP integrated well. But these OS X versions are all command line stuff at this point. No compile of the graphical PGP appears to exist presently for OS X, at least on the official site. A related product is the unix utility called MD5 for verifying file signatures. It is included in The Coroner's Toolkit (TCT). This is not for the faint of heart. We're delving into serious unix stuff here. You might like to peruse the GNU Privacy Manual before getting too involved.

Speaking of MD5, I believe you will want to know what this is and how it works. Old unix hands will be familiar with it already. MD5 stands for Message Digest version five. This command-line application produces a hash string from a given file, usually an archive destined for downloading, but it could be any file. The hash string is published somewhere, typically either on the originating web site or in a readme file. A user runs MD5 on the newly-downloaded file, and compares the resulting hash string to the published one. If the two are identical, then the user can be confident that his download is also identical to the original one on the web site. If not, then it's either corrupt or a different version from the original, and should not be used. First, you need to obtain MD5. There is a question of how you run MD5 on the MD5 downloadable archive before you have MD5 installed, but I'll leave that issue aside for the moment. There is also an installation choice, either the MD5 binary or the source. I chose to make it myself, and it runs fine. You can do this too. Place the single md5 executable into /usr/bin as user root, and it will be accessible everywhere. To do this, open a Terminal window and (assuming you were working on your desktop) type sudo cp desktop/md5 /usr/bin. The syntax to use MD5 is simply md5 filename. MD5 returns a string, which you visually compare to a published string. If you yourself were publishing, you'd write the string on your web site next to the download link. That's it!

Let's suppose you're foolhardy enough to jump into the GPG fray at this point. Check the How To from the Mac GNU Privacy Guard site at SourceForge. To recap, you need the following items:

MD5 to verify your download signatures;
The Easy Install GnuPG for Mac OS X from MacGPG;
The Read Me.rtf file from the expanded archive;
The Entropy Gathering Daemon, basically a pseudo-random number generator.

Then you need to need to go through these steps, based on Read Me.rtf:

Unpack or compile MD5 into its single executable, and copy into /usr/bin as root;
Check your download file with the syntax md5 ezgpg1.0.6r1.tar.gz for example;
Install EGD, using instructions (copy and paste into Terminal) in its included readme;
Expand the Easy Install GnuPG 1.0.6r1 archive with StuffIt, if this didn't happen automatically;
Rename the Easy Install GnuPG 1.0.6r1 to simply GnuPG for your convenience;
Open a Terminal session and set the default to this folder like so: cd desktop/GnuPG;
Type sudo tar -xzf installgpg1.0.6r1.tar.gz -C / to unpack and install GnuPG;
Type gpg to run GnuPG for the first time;
Type ~/.gnupg/entropy to start EGD if you haven't done so already;
Move into your home folder like so: cd ~;
Add this line ~/.gnupg/entropy to your .login file using vi or pico;
Type man gpg for the cook's tour (press spacebar);
Copy over any existing PGP keys following Read Me.rtf;
Clean up the install folders;
Browse the GPG documentation, referenced in the man pages;
Finish up with a cold beer.

Most of this is in the documentation. I reiterate it only so that you can have a checklist next to you. I live by lists.

If all of this boggles your mind - and even if it doesn't -, then check out PuzzlePalace from the author of BrickHouse for OS X. PuzzlePalace is an excellent choice for encrypting files before sending them, or even for secure archiving purposes. It is a graphical drag and drop that works. While you cannot secure actual email text, you certainly can write a message in TextEdit and secure it before attaching it to an outgoing email message. Assuming you don't do this too often, this technique would be manageable. The encryption process requires a passphrase. While no particular suggestions are given for one, you might choose to agree on a passphrase with your correspondent, and use it each time. The trick here is how you share your passphrase with that individual without anybody else snooping. Thus the Achilles' heel of passphrase security. But it beats plain text over the internet any day.

For now, PuzzlePalace may be your best bet. The latest PGP, which integrates nicely with mailer software in several operating systems, isn't available for OS X. It's obvious that GnuPG is intended to be the way to go in OS X. But it remains a command-line affair for now. It isn't at all obvious to me how it can integrate with Apple Mail or Eudora or anything other than Pine. I am certain that a graphical interface for it will be available shortly. Meanwhile, you can generate some keys and encrypt and decrypt your files at a Terminal prompt, using the gpg -e recipient filename and gpg -d filename commands respectively. Then, like PuzzlePalace, you can attach them to a normal email message.

For your browsing pleasure, here are some additional references on the subject that you might find helpful.

Description of GPG;
Description of MD5;
Essential Security Tools;
Graphical interface for GnuPG;
Certicom SSL+;
PGP International.

Cryptography is a cutting-edge field. As personal privacy is disappearing faster than any doomsayer a decade ago might have predicted, there is a superlative rationale for doing encryption today. Like it or not, passphrases and public and private keys will be in our daily vocabulary soon enough. So enjoy the ride! Next time, we'll consider desktop security in the Mac OS X environment. Ciao.