http://www.guckes.net/eindhoven2014/talk+workshop.mutt+gpg.txt
http://www.guckes.net/eindhoven2014/talk+workshop.mutt+gpg.txt.html (color)
http://www.t-dose.org/speakers/sven-guckes

Latest change: Fr Okt 24 14:42:23 CEST 2014

= EVENT =

  T-DOSE:  Technical Dutch Open Source Event!
  http://www.t-dose.org Sat+Sun 2014-10-25+26
  Rachelsmolen 1, 5612 Eindhoven, Netherlands
  http://osm.org/go/0Eusc4CBJ-?way=150553268
  http://tinyurl.com/eindhoven-fontys-t-dose

= DESCRIPTION =

this is the script for both the talk and the workshop about
the mailer mutt in combination with the encryption software gpg.

= AUTHOR =

Sven Guckes mailto:t-dose-2014@guckes.net
crypto keys: 1024R/57F77F09 8000R/0185391B

the fingerprint of old key:
.________________________________________________________________________.
|pub   1024R/57F77F09 1995-01-30                                         |
|      Key fingerprint = 11 28 37 E2 CB 46 72 67  9E 8E 22 18 DA F9 C0 96|
|uid                  Sven Guckes                        |
|uid                  Sven Guckes                                        |
`------------------------------------------------------------------------'

fingerprint of new key:
.__________________________________________________________________________.
|pub   8000R/0185391B 2014-03-11                                           |
|      Key fingerprint = 32CE 5648 6E6D 6D6D 33E5  3A38 EAB9 7F20 0185 391B|
|uid                  Sven Guckes              |
`--------------------------------------------------------------------------'

= SCHEDULE =

the entry in the schedule:

url:        http://www.guckes.net/eindhoven2014/talk+workshop.mutt+gpg.txt
title:      Email with mutt+gpg (talk+workshop)
date-submit: Submitted by guckes on 31 August, 2014 - 23:48
Author:     Sven Guckes
Duration:   3h
date+time:  Sat Oct25 14-17h Track6

= TALK =

duration: 42mins

Goal:
Show what this mailer looks like.
"how does it feel to use this mailer?"

the first part is a feature show about mutt and gpg.
which means you'll see quite a few features
of mutt *live* in my personal account.

this is just a *show* of features.
so i won't explain the keys i type.

by the way, mutt (like all good programs)
offers the feature of "key binding",
ie you can assign any internal command/function to any key.
so you can always have it "your way".

but i will explain all this in the workshop later on..

= START =

Please use this textpad for feedback:
https://events.titanpad.com/31

feedback welcome!  mailto:tdose2014@guckes.net

= Mailbox =

Display some of the email in my mailbox (using the "limit" command):

  ~g - limits to all signed    mails
  ~G - limits to all encrypted mails
  ~k - limits to all mails with a key

mind you: there is only *one* indicator:
  S -> Signature is *good* (tested)
  P -> PGP encrypted
  s -> signed
  K -> Key is attached

design comment:
there is only *one* character shown -
and the last tested feature wins.
see also: file "hdrline.c" "case 'Z':"

two characters would be nicer,
ie one for encryption and
another one for a signature,
eg "es" for "encrypted+signed".

= Keys =

* What does a key actually look like?
$ gpg -a --export $MYKEY | less
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: GnuPG v1
  [empty line]
  .......
  cNSPb3soTU8Jkub6LCKMoK5u9bmcwNgVOw==
  =s91U
  -----END PGP PUBLIC KEY BLOCK-----

= Messages =

* What does an encrypted message look like?
  -> edit_message -> header, body, encoding.

* Header:
  Content-Type: multipart/encrypted;
  protocol="application/pgp-encrypted";
  boundary="123456789012345678901234567890123"

* Body:
  This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)
  --123456789012345678901234567890123
  Content-Type: application/pgp-encrypted
  Content-Description: PGP/MIME version identification
  |
  Version: 1
  |
  --123456789012345678901234567890123
  Content-Type: application/octet-stream; name="encrypted.asc"
  Content-Description: OpenPGP encrypted message
  Content-Disposition: inline; filename="encrypted.asc"
  |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
  Comment: GPGTools - https://gpgtools.org
  |
  qgNKnAr7dI9k
  =8pez
  -----END PGP MESSAGE-----
  |
  --123456789012345678901234567890123--

* Display in mutt's "pager":
  (unfiltered view with ":unset display_filter")
TODO

* Display of a "good signature":
  "PGP message successfully decrypted."

  [-- PGP output follows (current time: So 31 Aug 2014 02:22:22 CEST) --]
  gpg: Signature made Fri Aug 31 01:11:11 2014 CEST using RSA key ID DEADBEEF
  gpg: Good signature from "FIRSTNAME LASTNAME (some comment) "
  gpg:                 aka "FIRSTNAME LASTNAME (some comment) "
  [-- End of PGP output --]

  [-- The following data is PGP/MIME encrypted --]
  ...
  [-- Attachment #1 --]
  [-- Type: text/plain, Encoding: quoted-printable, Size: 1.2K --]
  ...
  [-- End of PGP/MIME encrypted data --]

== INLINE vs PGP/MIME ==

INLINE messages have *no* indication in the header
and are therefore not recognized unless you do
a search in the body of all mails.  but this
can take quite a lot of time in big folders..

So - please use PGP/MIME -> indication in the header.
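how the two formats differ on the wire, as an added example (not from this script and not mutt's code; python standard library only): it builds the RFC 3156 multipart/encrypted structure shown above around the truncated sample armor, builds the same armor as an inline message, and classifies both. the addresses are placeholders.

```python
"""Build a PGP/MIME (RFC 3156) message and tell it apart from inline PGP.

Added example (not from the talk script, not mutt's code), standard library only.
The armored block below is the truncated sample from the script, not real
ciphertext; addresses are constructed placeholders.
"""
from email import encoders, policy
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.parser import BytesParser

ARMORED = (
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "qgNKnAr7dI9k\n"
    "=8pez\n"
    "-----END PGP MESSAGE-----\n"
)


def build_pgp_mime_encrypted(armored: str, sender: str, rcpt: str) -> MIMEMultipart:
    """multipart/encrypted with the two parts RFC 3156 requires, in this order:
    an application/pgp-encrypted control part, then the armored ciphertext."""
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "..."
    msg.preamble = "This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)"

    control = MIMEApplication("Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    control["Content-Description"] = "PGP/MIME version identification"

    body = MIMEApplication(armored, "octet-stream",
                           _encoder=encoders.encode_7or8bit, name="encrypted.asc")
    body["Content-Description"] = "OpenPGP encrypted message"
    body.add_header("Content-Disposition", "inline", filename="encrypted.asc")

    msg.attach(control)
    msg.attach(body)
    return msg


def build_inline_pgp(armored: str, sender: str, rcpt: str) -> EmailMessage:
    """Inline ("traditional") PGP: the armor is just the text of a text/plain mail."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "..."
    msg.set_content(armored)
    return msg


def structure(raw: bytes) -> list:
    """Content types of every part, top down (what mutt's edit_message shows)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [part.get_content_type() for part in msg.walk()]


def pgp_format(raw: bytes) -> str:
    """PGP/MIME is recognized from the top-level header alone; inline PGP is
    only found by reading the body, which is why mutt's ~G limit cannot see it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ctype, proto = msg.get_content_type(), msg.get_param("protocol")
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "pgp/mime encrypted"
    if ctype == "multipart/signed" and proto == "application/pgp-signature":
        return "pgp/mime signed"
    for part in msg.walk():                       # the slow path: scan every text body
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        if "-----BEGIN PGP MESSAGE-----" in text:
            return "inline encrypted"
        if "-----BEGIN PGP SIGNED MESSAGE-----" in text:
            return "inline signed"
    return "plain"


if __name__ == "__main__":
    mime = build_pgp_mime_encrypted(ARMORED, "me@example.org", "you@example.org")
    print(mime.as_string())
    print(structure(mime.as_bytes()), pgp_format(mime.as_bytes()))
    inline = build_inline_pgp(ARMORED, "me@example.org", "you@example.org")
    print(structure(inline.as_bytes()), pgp_format(inline.as_bytes()))
```

the PGP/MIME message is identified from the top-level Content-Type alone, which is what the ~G limit keys on; the inline one only gives itself away once the text parts have been read, and that is the scan that gets slow in big folders.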

= Sending =

"send menu":

Type ESC+k for "attach-key" to attach a key as a file.
Type 'P' for "pgp-menu" - and you'll see:

    PGP (e)ncrypt, (s)ign, sign (a)s, (b)oth, or (c)lear?

* (e)ncrypt - encrypt the message with recipient's pubkey.
* (s)ign    - sign    the message with sender's    seckey.
* sign (a)s - sign with a given key (read: not the default seckey)
* (b)oth    - do both: encrypt *and* sign

Terminology:
* Data - files or email messages.
* pubkey vs seckey:
    pubkey: for ENcrypting  ("lock")
    seckey: for DEcrypting  ("key")
* Digital Signatures:
  seckey = used for signing, requires passphrase to unlock
  pubkey = used to verify signatures (of others)
            and to lock/encrypt data *to* them
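what the two keys can and cannot do, as an added toy (not from this script, not GnuPG): textbook RSA on fixed Mersenne primes, with a hash keystream standing in for the symmetric cipher. it locks one session key to each recipient pubkey (including your own, which is what gpg's default-recipient-self is for), unlocks with a seckey, and signs/verifies. all keys, names and the "key id" scheme are constructed; the numbers are far too small for real use.

```python
"""What the pubkey and the seckey each do: lock/unlock and sign/verify.

Added example (not from the talk script, not GnuPG). Textbook RSA on fixed
Mersenne primes, no padding, truncated hash: good enough to show which key
does what, useless as real crypto. Everything here is constructed.
"""
import hashlib
import secrets

E = 65537          # public exponent, the usual choice


def make_keypair(p: int, q: int):
    """Returns (pubkey, seckey). The short hex "key id" mimics gpg's 8-char ids."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))                      # Python 3.8+
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    key_id = hashlib.sha1(n_bytes).hexdigest()[-8:].upper()
    return {"id": key_id, "n": n, "e": E}, {"id": key_id, "n": n, "d": d}


def _keystream_xor(data: bytes, session_key: int) -> bytes:
    """Symmetric part: a hash-based keystream as stand-in for OpenPGP's cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(session_key.to_bytes(8, "big") + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def encrypt(plaintext: bytes, recipient_pubkeys) -> dict:
    """Lock data *to* the recipients: one random session key, wrapped ("locked")
    under each recipient pubkey. Adding your own pubkey is what gpg's
    default-recipient-self does; leave it out and you cannot read your own sent mail."""
    session_key = secrets.randbits(64)                     # smaller than every modulus used here
    wrapped = {pub["id"]: pow(session_key, pub["e"], pub["n"]) for pub in recipient_pubkeys}
    return {"wrapped": wrapped, "body": _keystream_xor(plaintext, session_key)}


def can_read(packet: dict, seckey: dict) -> bool:
    """No wrapped copy for this key -> no confidentiality for its owner, nothing to decrypt."""
    return seckey["id"] in packet["wrapped"]


def decrypt(packet: dict, seckey: dict) -> bytes:
    """Unlock: only a seckey matching one of the wrapped copies recovers the session key."""
    if not can_read(packet, seckey):
        raise KeyError(f"message was not encrypted to key {seckey['id']}")
    session_key = pow(packet["wrapped"][seckey["id"]], seckey["d"], seckey["n"])
    return _keystream_xor(packet["body"], session_key)


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")   # truncated to fit the toy modulus


def sign(data: bytes, seckey: dict) -> int:
    """Only the seckey holder can produce this (in gpg: after the passphrase unlocks it)."""
    return pow(_digest(data), seckey["d"], seckey["n"])


def verify(data: bytes, signature: int, pubkey: dict) -> bool:
    """Anyone with the pubkey can check it; a changed byte or a different key fails."""
    return pow(signature, pubkey["e"], pubkey["n"]) == _digest(data)


if __name__ == "__main__":
    alice_pub, alice_sec = make_keypair(2**31 - 1, 2**61 - 1)
    bob_pub, bob_sec = make_keypair(2**89 - 1, 2**107 - 1)
    packet = encrypt(b"see you at the keysigning", [bob_pub, alice_pub])
    print(decrypt(packet, bob_sec), decrypt(packet, alice_sec))
    sig = sign(b"I wrote this", alice_sec)
    print(verify(b"I wrote this", sig, alice_pub), verify(b"I wrote this!", sig, alice_pub))
```

a message locked only to bob's pubkey cannot be unlocked with alice's seckey: without a wrapped copy for her key there is nothing to decrypt. that is the "no key -> no confidentiality" point made below.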

= Debates =

* Generation of a key pair (pubkey+seckey) is required.
  those who offer no key (pubkey) cannot participate.
* no key -> no confidentiality.  no one can send you anything confidential.
* should you encrypt only the most important messages?  NOOOO!
* "and when the others do not want to participate?" - well, let 'em send postcards then.
* "it's useless. totally irrelevant." - it is not.  advantage in time. (Zeitvorteil)
* who is this message *really* from?  digital signatures!
* those who will encrypt only when they finally have a reason - might already have lost.

Further items:
* Keyserver = Telephone directory.  know your keyID!
* Attacks!  eg man-in-the-middle (aka MITM)
  anyone can create a key with your name and his email address
* Key Signing Party: human <-> key
* Web of Trust (WoT) - just a *graph*; *no* info on human trust
* Cryptoparties - let's talk about Crypto!

= Future =
* Use of Crypto should become common knowledge
* all Operating Systems should be shipped with crypto tools
* Encryption is *not* a crime.  it's free use of mathematics.
* Freedom might be given to you, but you must actually fight to keep it
* "encrypt all data!"

= Workshop =

more after the break, in the workshop.

= WORKSHOP =

duration: one to three hours.
(now with explanations of keys, filenames, etc)

target audience:
"advanced", ie participants should know a text editor (any editor) *well*.
and have a good command of command line tools, like cd, mv, rm, ls, etc.
The knowledge of the "piping" principle is definitely advantageous, eg:
  $ echo a quick email | mail -s "email fast" user@domain

Preparation of notebook (at home):
Install the programs mutt and gpg, an editor and a shell.
recommended editors: elvis,nvi,vim; jed,jove,emacs; nano
recommended shells:  bash, ksh, tcsh, zsh

example:
    $ sudo apt-get install gpg mutt nano vim zsh

Preparation of server:
Create accounts for participants.

On location:
* sit nearest to the silver screen.
* connect to power, then to the net.
* log in to your machine.
* log in to the local server (mosh or ssh).
* start a terminal multiplexer, ie a window manager for the terminal (screen, tmux).

= Work! =

gpg:
beginning:
* Generate a key pair:
  $ gpg --gen-key
* Show your key together with its fingerprint:
  $ gpg --list-key $keyID
* create a business card with your keyID and fingerprint:
TODO (show some examples)

Display:
* Keys - where are they?
  $ ls -lh ~/.gnupg/*ring.gpg
  -rw------- 1 guckes guckes 46M Aug 27 02:19 .gnupg/pubring.gpg
  -rw------- 1 guckes guckes 11K Mär 12 10:43 .gnupg/secring.gpg

* Display of my own (old) key:
  $ gpg --list-key $MYKEY
  pub   1024R/57F77F09 1995-01-30
  uid                  Sven Guckes 
  uid                  Sven Guckes

* Display my own key with fingerprint:
  $ gpg --fingerprint $MYKEY
  pub   1024R/57F77F09 1995-01-30
        Key fingerprint = 11 28 37 E2 CB 46 72 67  9E 8E 22 18 DA F9 C0 96
  uid                  Sven Guckes 
  uid                  Sven Guckes

* what does a key look like?
  $ gpg -a --export $MYKEY | less
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: GnuPG v1
  [empty line]
  .......
  cNSPb3soTU8Jkub6LCKMoK5u9bmcwNgVOw==
  =s91U
  -----END PGP PUBLIC KEY BLOCK-----

* Display a key with its fingerprint:
  $ gpg --fingerprint $keyID

* Sign a key:
  $ gpg --sign-key $keyID

* Send/Upload (a list of) keys to a keyserver:
  $ gpg --send-keys $keyID1 $keyID2 ...

Demo [optional]:
* Download a key from a keyserver and verify it.
* Write a text, encrypt and send it.
* Decrypt received message. Verify signature.

= Configuration of GnuPG =

* Configuration files:
  $ ls -lh ~/.gnupg/options   # old
  $ ls -lh ~/.gnupg/gpg.conf  # new

("default" ~ "given")

* Choose a default keyserver:
  keyserver hkp://keys.gnupg.net

* Choose a default key:
  default-key 0185391B

* Encrypt always for yourself as well:
  default-recipient-self

* Turn off some nasty messages:
  no-auto-check-trustdb
  no-greeting
  no-secmem-warning

= Configuration of mutt =

* Configuration files:
  $ ls -l  ~/.muttrc  # default
  $ ls -ld ~/.mutt    # useful

* use some default configs for gpg:
  source gpg.rc

Send a message:
* Sign it
* Encrypt it
* Encrypt and sign it
* message as inline vs PGP/MIME

Show messages:
* Verify signatures just before reading (":set pgp_verify_sig")
* Add color to some text ("color body..")
* Use of a display_filter to correct+delete
* inline data -> test with command "check-traditional-pgp" (P)

= Exercise =

gpg:
* use of photos in keys (photo-viewer)

mutt:
* test with several different scenarios:
  http://www.guckes.net/email_crypto_interfaces.txt

vim:
* Create files with signature ("sigdashes line" as separator)
* find all "signatures" by "cue" (using agrep)
* choose a signature (copy, undo, paste)

zsh:
* useful aliases and functions:
   gs='gpg --search-keys'
 gpgh='gpg --help|$PAGER'
glist='gpg --list-keys --with-fingerprint'
grecv='gpg --recv-keys'
gsend='gpg --send-keys'
gsign='gpg --sign-key'
gsigs='gpg --list-sigs'
TODO: add functions

= MATERIAL =

When there is a functional local net with
a good connection to the outside internet
then every participant only needs his own machine
and can use mosh or ssh to some server with mutt and gpg.

is there a test server which can be used for workshops?
if not then we might bring a server for the local net
which should have all the services required:

  SERVIETTE - a small event server
     pad: https://guckes.titanpad.com/31
  mailto: serviette-list (at) guckes.net
    list: http://mailman.guckes.net/mailman/listinfo/serviette-list-guckes.net

= TODO =

passphrase:
when entering a passphrase:
you might have entered it with a typo?
type CTRL-G to abort - and try again!

passphrase:
still using a passphrase to another key?
use "forget-passphrase" to clear it.
you will be prompted for a new passphrase
when it is needed again.

troubleshooting:
  gpg: WARNING: message was not integrity protected
TODO

= Links =

Wikipedia:
* http://de.wikipedia.org/wiki/PGP/MIME
* http://de.wikipedia.org/wiki/S/MIME
* http://de.wikipedia.org/wiki/PGP/INLINE
* http://de.wikipedia.org/wiki/OpenPGP
* http://de.wikipedia.org/wiki/GNU_Privacy_Guard
* http://de.wikipedia.org/wiki/Pretty_Good_Privacy

Wikis:
* http://wiki.debianforum.de/GnuPG

Docs:
* https://www.gnupg.org/documentation/howtos.html

Articles:
* http://codesorcery.net/old/mutt/mutt-gnupg-howto
* http://dev.mutt.org/trac/wiki/MuttGuide/UseGPG
* http://jasonwryan.com/blog/2013/07/20/gnupg/
* http://www.infodrom.org/~joey/Writing/freeX/mutt-gpg/
* http://www.kubieziel.de/computer/gpg-mutt.html
* http://www.spocom.com/users/gjohnson/mutt/

* http://www.guckes.net/agrep/
* http://www.guckes.net/sig/

= To Add =

== Adding Keys from webpage ==

adding a key from a webpage to your keyring:
  $ wget -O - $URL | gpg --import
example: URL=http://samthetechie.com/files/key.asc

receiving test data from a mailing list:
  $ wget ftp://lists.gnu.org/coreutils/2014-09
  $ mutt -f 2014-09

adding missing keys from a list of signatures:
  $ gpg --list-sigs $key | grep not.found | grep -o '[0-9A-F]\{8\}' | gpg --recv-keys
  example1: key=felix(at)fefe.de
  example2: key=57E37087
(should add this as a function to my zsh setup.
 it's just missing a good name ;)
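the same job as the pipeline above, as an added example (not from this script): parse the sig lines of a constructed `gpg --list-sigs` listing, collect the ids of signers that are not in the keyring, and build the --recv-keys call. names and addresses in the sample are placeholders. unlike the 8-hex-digit grep it copes with 16-digit ids (keyid-format long) and does not fetch the same key twice.

```python
"""Find the key ids of signatures gpg could not resolve, to fetch them later.

Added example (not from the talk script). Parses the "sig" lines of a
gpg 1.x --list-sigs listing instead of grepping for any 8 hex digits.
The listing is a constructed sample; names and addresses are placeholders.
"""
import re
import shlex

SAMPLE_LISTING = """\
pub   8000R/0185391B 2014-03-11
uid                  Sven Guckes <placeholder@example.org>
sig 3        0185391B 2014-03-11  Sven Guckes <placeholder@example.org>
sig          57F77F09 2014-03-12  [User ID not found]
sig          DEADBEEF 2014-04-01  [User ID not found]
sig          57F77F09 2014-03-12  [User ID not found]
sig  L       3DBDDC68 2014-05-02  Some Signer <placeholder@example.org>
sig          0123456789ABCDEF 2014-06-01  [User ID not found]
"""

# "sig", optional trust level / flag letters, key id (8 or 16 hex), date, signer
SIG_LINE = re.compile(
    r"^sig(?:\s+[0-9LRPX]+)*\s+([0-9A-Fa-f]{8,16})\s+\d{4}-\d{2}-\d{2}\s+(.*)$"
)


def missing_key_ids(listing: str) -> list:
    """Key ids of all signatures whose signing key is not in the keyring,
    each listed once, in order of first appearance."""
    found = []
    for line in listing.splitlines():
        m = SIG_LINE.match(line)
        if m and "[User ID not found]" in m.group(2):
            key_id = m.group(1).upper()
            if key_id not in found:
                found.append(key_id)
    return found


def recv_command(key_ids) -> list:
    """argv for fetching the keys; a list, so nothing goes through a shell."""
    return ["gpg", "--recv-keys", *key_ids]


if __name__ == "__main__":
    ids = missing_key_ids(SAMPLE_LISTING)
    print(shlex.join(recv_command(ids)))
```

feed it real output with `gpg --list-sigs $key` and hand the returned list to subprocess.run; the ids are data, not shell text, so a strange user id in the listing cannot turn into a command.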

== Toggle INLINE and PGP/MIME ==

the Encrypt+Sign Interface:

  Security: Sign, Encrypt (PGP/MIME)
  PGP (e)ncrypt, (s)ign, sign (a)s, (b)oth, (i)nline format, or (c)lear?

the 'i' toggles this to:

  Security: Sign, Encrypt (inline PGP)
  PGP (e)ncrypt, (s)ign, sign (a)s, (b)oth, PGP/M(i)ME format, or (c)lear?

use 'a' ["sign (a)s"] to choose one of your private keys for signing:

 [__input] Sign as: 0185391b
 [display] sign as: 0x0185391B

enter your pgp passphrase to unlock your secret key:

 Enter PGP passphrase:

mind you - no echoing of any characters.
someone looking over your shoulder should never be able
to see how fast or how many keys you type.
every one of these observations can help
an attacker guess your passphrase!

use a screen filter to make it
hard to look at your screen.
ask people to back off when
you enter a passphrase.

== Piping ==

importing an attached key by piping the message to gpg:
  |gpg --import RET

a response would look like this:

  gpg: key 0185391B: "Sven Guckes " 1 new signature
  gpg: Total number processed: 1
  gpg:         new signatures: 1
  Press any key to continue...

== Key Stats ==

http://pgp.cs.uu.nl/stats/57F77F09.html
http://pgp.cs.uu.nl/stats/0185391B.html

== Checking Signature ==

  $ gpg --verify mutt-1.5.23.tar.gz.asc mutt-1.5.23.tar.gz
  gpg: Signature made Wed Mar 12 17:28:18 2014 CET using RSA key ID 3DBDDC68
  gpg: Good signature from "Brendan Cully "
  gpg:                 aka "Brendan Cully "
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 1768 3D40 3386 05D1 F663  34C7 2228 2C8A 3585 3032
       Subkey fingerprint: 0A15 8D86 E823 3240 916B  FC50 51E4 D24F 3DBD DC68
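the check that WARNING is asking you to do, as an added example (not from this script, not part of gpg): parse the human-readable --verify output and accept only a good signature whose primary key fingerprint matches one you pinned out of band (an earlier release, the project's site, a signed announcement). the sample text is reconstructed from the lines above with a placeholder address; the pinned fingerprint is the one printed there.

```python
"""Read gpg --verify output and apply the check the WARNING asks for.

Added example (not from the talk script, not part of gpg). "Good signature"
only means the data matches *some* key; whether it is the right key is your
job. The sample output is constructed after the lines above; the address is
a placeholder, the pinned fingerprint is the one printed there.
"""
import re

PINNED_MUTT_RELEASE_KEY = "1768 3D40 3386 05D1 F663 34C7 2228 2C8A 3585 3032"

SAMPLE_GOOD_UNTRUSTED = """\
gpg: Signature made Wed Mar 12 17:28:18 2014 CET using RSA key ID 3DBDDC68
gpg: Good signature from "Brendan Cully <placeholder@example.org>"
gpg:                 aka "Brendan Cully <placeholder@example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1768 3D40 3386 05D1 F663  34C7 2228 2C8A 3585 3032
     Subkey fingerprint: 0A15 8D86 E823 3240 916B  FC50 51E4 D24F 3DBD DC68
"""

SAMPLE_BAD = """\
gpg: Signature made Wed Mar 12 17:28:18 2014 CET using RSA key ID 3DBDDC68
gpg: BAD signature from "Brendan Cully <placeholder@example.org>"
"""

FPR_LINE = re.compile(r"(Primary key|Subkey) fingerprint:\s*([0-9A-Fa-f ]+)")


def normalize_fingerprint(text: str) -> str:
    """Drop the display grouping so fingerprints from any source compare equal."""
    return re.sub(r"\s+", "", text).upper()


def assess_verify_output(output: str, pinned_fingerprint: str) -> dict:
    lines = output.splitlines()
    good = any(line.startswith("gpg: Good signature from") for line in lines)
    bad = any("BAD signature" in line for line in lines)
    untrusted = any("not certified with a trusted signature" in line for line in lines)
    fprs = {kind: normalize_fingerprint(val) for kind, val in FPR_LINE.findall(output)}
    primary = fprs.get("Primary key")
    matches_pin = primary is not None and primary == normalize_fingerprint(pinned_fingerprint)
    return {
        "good_signature": good and not bad,        # the math checks out
        "trusted_by_keyring": good and not untrusted,
        "primary_fingerprint": primary,
        "subkey_fingerprint": fprs.get("Subkey"),  # the signing subkey, not the identity
        "matches_pin": matches_pin,
        # accept only when the signature is good *and* the key is the one you expected
        "accept": good and not bad and matches_pin,
    }


if __name__ == "__main__":
    for name, sample in (("good, untrusted", SAMPLE_GOOD_UNTRUSTED), ("bad", SAMPLE_BAD)):
        print(name, assess_verify_output(sample, PINNED_MUTT_RELEASE_KEY))
```

with a key that already has trust in your keyring gpg prints neither the WARNING nor the fingerprint lines, so the parser above then cannot compare anything. for scripting, use `gpg --status-fd 1` instead: its VALIDSIG line always carries the primary key fingerprint, and GOODSIG/BADSIG do not change with the locale the way the text above does.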