Encrypt messages on the XMPP / Jabber network using PGP
In this article, I will describe in detail how to use encryption when sending messages over XMPP-based networks using the GnuPG package. Shows the procedure for generating key pairs under Windows, installing keys in the Psi client, checking the signed presence, sending an encrypted message.
What may need to encrypt messages?
Messages are encrypted using a public key cryptosystem . Without going into details, the essence of the encryption system is that there is a pair of keys and some procedure that can convert the message with one key so that the inverse transformation can be performed only with the help of another key. One of these keys is called private and is kept secret, while the other, on the contrary, is called open and is distributed freely. Thus, by encrypting a message with a public key, you can be sure that only the owner of the private key will read it, on the contrary, by signing something with his key, the author gives confidence to the recipient of the message in his authorship.
You can combine these two procedures and then the content will be known only to two persons with the appropriate keys. This is clearly shown in the picture:
At the moment, it is impossible to recover a private key from the public key in the near future.
')
As an encryption system, we will use the open source GnuPG package (hey, do not run away, this is also under Windiows, and there is a very user user :) and the Psi client. I am sure that in other clients the procedure is similar. I took the implementation under windows, because most users still use it, and I think that the unixoids themselves will be parsed. In * nix, kgpg can be recommended as a convenient key management tool.
I assume that you already have a jabber client, it is configured and there is a connection to the network.
For Windows users, a specially created software package gpg4win , which greatly facilitates the work with GPG. Download gpg4win lite from the official site , select the necessary components and install.
After installation, run WinPT Key Manager. When you first start the utility will offer to create a key pair. This is a very important step. The key is your passport on the Internet, check carefully the name and address, it is very desirable not to lose it and do not forget the password from it. Restoring the private key will no longer be possible, you will have to generate a new one. Each private key is encrypted with a password. This is necessary in order that even if someone takes possession of your key, the attacker could not use it, it is useless without a password. The program is suggested to save the key and this is correct.
So, you have generated a key pair. Now in the WinPT menu you need to select Key -> Export ... Thus, you will receive a * .asc file that will contain something like:
This is your public key, it can be sent to friends and colleagues with whom you are going to exchange messages. It is natural to exchange keys preferably via an encrypted channel or tritely rewritten to a CD-R / USB flash drive. You can also place your public key on your website or in the habr profile. I will not go into details, but the key exchange is quite a fun procedure, see the Web Of Trust and Key signing party
So, now I have to say Psi, that I need to use the key. We launch Psi, go to the account settings, there in the details tab, click "select the openPGP key" and specify our key.
After selecting a key and reconnecting to the network, Psi will request a password from the private key:
You are now connected to the network and your status is signed. That is, those who have your public key know that you are at the computer.
Let's say you exchanged keys with someone, but by giving up your public key and received someone's public key. Now you need to bind the key to a specific account. To do this, go to WinPT, go to key-> import, then select the file with the key of the desired person. Everything, the public key is imported into the system. It should be said that Psi reads the state of the keys only at startup, so that after we have added a new key, we must restart Psi. We right-click on the desired contact and select "Assign OpenPGP key", assign its key to the contact. Now we can verify the electronic signature of our contact:
A green line indicates that the contact has logged in with the correct key and you have its public key. If the line is black, it means that the status of the client is signed, but you do not have his key or the key is incorrect, so it’s unknown who is behind the computer.
Now all that is needed is to open a new chat window and click the lock icon. There will be a reconciliation of keys and, if everything is in order, the system will display a message stating that the conversation is encrypted. After that, you can communicate calmly without worrying that the conversation will be intercepted on the way.
The last message in encrypted form looks like this:
You can be sure that in the next 50 years, no one can read this.
So, as you can see, encrypting messages on the fly is very simple, for the end user practically nothing changes, and the reliability of the system increases. Maybe this will encourage someone to switch to xmpp / jabber.
But you should always remember:
Thank you for your attention, I hope it was interesting. :)
Motivation
What may need to encrypt messages?
- Since the XMPP network is federated and everyone can set up their own node, the question of trust in the administrator of this server is raised. The server can be broken, the admin himself can add data, etc.
- XMPP is gaining popularity as an intracorporate exchange. Maybe the server does not have access to the Internet, but no one is immune from the arrival of Party-van with a mask show inside
- Digital signature improves identification reliability. That is, you know for sure that at that moment the person who gave you the key is sitting at the computer, and not the one who broke his account or used his lack of it at the computer
A bit of theory
Messages are encrypted using a public key cryptosystem . Without going into details, the essence of the encryption system is that there is a pair of keys and some procedure that can convert the message with one key so that the inverse transformation can be performed only with the help of another key. One of these keys is called private and is kept secret, while the other, on the contrary, is called open and is distributed freely. Thus, by encrypting a message with a public key, you can be sure that only the owner of the private key will read it, on the contrary, by signing something with his key, the author gives confidence to the recipient of the message in his authorship.
You can combine these two procedures and then the content will be known only to two persons with the appropriate keys. This is clearly shown in the picture:
At the moment, it is impossible to recover a private key from the public key in the near future.
')
Instruments
As an encryption system, we will use the open source GnuPG package (hey, do not run away, this is also under Windiows, and there is a very user user :) and the Psi client. I am sure that in other clients the procedure is similar. I took the implementation under windows, because most users still use it, and I think that the unixoids themselves will be parsed. In * nix, kgpg can be recommended as a convenient key management tool.
I assume that you already have a jabber client, it is configured and there is a connection to the network.
Step one, download software and generate private and public keys
For Windows users, a specially created software package gpg4win , which greatly facilitates the work with GPG. Download gpg4win lite from the official site , select the necessary components and install.
After installation, run WinPT Key Manager. When you first start the utility will offer to create a key pair. This is a very important step. The key is your passport on the Internet, check carefully the name and address, it is very desirable not to lose it and do not forget the password from it. Restoring the private key will no longer be possible, you will have to generate a new one. Each private key is encrypted with a password. This is necessary in order that even if someone takes possession of your key, the attacker could not use it, it is useless without a password. The program is suggested to save the key and this is correct.
So, you have generated a key pair. Now in the WinPT menu you need to select Key -> Export ... Thus, you will receive a * .asc file that will contain something like:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.7 (MingW32)
mQGiBEmINMURBACJDeTglDCoq5HQ4bU6yFzqCTfYbCEjkNlMmvJK+5zesKVJhohK
LZ6oiCZaGt5B8rfY1qvJvgIQNvWOsp63lviPSTamndlmlDeTOXbqc21iEE6E9mOS
.....
This is your public key, it can be sent to friends and colleagues with whom you are going to exchange messages. It is natural to exchange keys preferably via an encrypted channel or tritely rewritten to a CD-R / USB flash drive. You can also place your public key on your website or in the habr profile. I will not go into details, but the key exchange is quite a fun procedure, see the Web Of Trust and Key signing party
Step two, add your key to Psi and import contact public keys
So, now I have to say Psi, that I need to use the key. We launch Psi, go to the account settings, there in the details tab, click "select the openPGP key" and specify our key.
After selecting a key and reconnecting to the network, Psi will request a password from the private key:
You are now connected to the network and your status is signed. That is, those who have your public key know that you are at the computer.
Let's say you exchanged keys with someone, but by giving up your public key and received someone's public key. Now you need to bind the key to a specific account. To do this, go to WinPT, go to key-> import, then select the file with the key of the desired person. Everything, the public key is imported into the system. It should be said that Psi reads the state of the keys only at startup, so that after we have added a new key, we must restart Psi. We right-click on the desired contact and select "Assign OpenPGP key", assign its key to the contact. Now we can verify the electronic signature of our contact:
A green line indicates that the contact has logged in with the correct key and you have its public key. If the line is black, it means that the status of the client is signed, but you do not have his key or the key is incorrect, so it’s unknown who is behind the computer.
Step three. Exchange encrypted messages
Now all that is needed is to open a new chat window and click the lock icon. There will be a reconciliation of keys and, if everything is in order, the system will display a message stating that the conversation is encrypted. After that, you can communicate calmly without worrying that the conversation will be intercepted on the way.
The last message in encrypted form looks like this:
< message from ="ivlis_test@jabber.ru/Psi" type ="chat" xml:lang ="ru-RU" to ="ivan@ivlis.com/WorkF53B8E96" id ="aaf8a" >
< body > [: , .] </ body >
< active xmlns ="http://jabber.org/protocol/chatstates" />
< x xmlns ="jabber:x:encrypted" >
hQEOA/CjxWiKTl51EAP9HaQ8nzTtjUECqiO+1lcJRciUJrOLkgFr/KTqjvOmEgvx
rtF4TCCjpBMElbVbjY+yYmV6F8IWMweRlU4olzDFfdbJYO/TGWq+22s3jIvhWI+e
7bfMn7qVcnDD7GsGxU8norUqjKHQmYvwdAwHBDdbf/AD0qqAvb7jK+1X1NXyeioD
/3lxyWobgoiCt165OwZu/G2osiDQlMTtzt/W198tzfpKoJURaUNkwhFJeOp3rgr0
77frKDbIO6IRloyHx1xL3kRZNEBOVJO5AYdflH0Z756wPt+mGpZ29vzbdt40hkwu
rHjnYEDJhj1oJkoRpesIgiPQxmXpbsRGrAcKQr2f4e3d0lgBCkkivC27qPEM0eFO
TQnVww+RGczA+VHRbpXCRvLx4fcle9qSEM0xgdkae7IWJXBQRVEootOqdNJz49G8
FPakyAsBoZ2XvrEqW+r6hXvLYrKGBYO2cI3F
=ysML </ x >
</ message >
* This source code was highlighted with Source Code Highlighter .You can be sure that in the next 50 years, no one can read this.
Conclusion
So, as you can see, encrypting messages on the fly is very simple, for the end user practically nothing changes, and the reliability of the system increases. Maybe this will encourage someone to switch to xmpp / jabber.
But you should always remember:
- Encryption does not cancel the head. Keep your password from the keys secret, make behind keyloggers, viruses and other things.
- it
Thank you for your attention, I hope it was interesting. :)
Source: https://habr.com/ru/post/50982/
All Articles