7.1.1.3 Checksum in common use
At the beginning of this paragraph we explained how a checksum ensures the integrity of a piece of information. This statement is true, however, only as long as you are the one who generated the checksum, or the source you take the checksum from for the counter-verification cannot be manipulated. The checksum, as we observed, acts as a file fingerprint but doesn't guarantee the origin of the checksum you're going to use for the comparison. If someone manages to compromise a website and the files it hosts, they wouldn't mind too much changing the checksum published on the page as well, would they?
Using hashes without any digital signature is useful only to verify your own data, since that data can only be altered by an external attack. In that case the owner adopts the right measures to keep the original checksum safe and compares it when needed, but they cannot use it as a stamp or seal to guarantee the integrity of a file to anyone else. For the time being, then, we have no tool to verify that what we download from the web is exactly what we expect; we will return to this topic in the chapter about PGP/GPG for data integrity.
7.2 Data Encryption
By now we should know enough about browsing and using anonymity tools on the Internet. What we still lack is a good preparation of the workspace and a minimal knowledge of the tools we can use to leave no traces of our activities on our computer. Imagine you are a user of Silk Road 3.0 (or its current version) or a member of any community where the subscription itself could put you in serious trouble: you certainly don't want to be identified by anyone, do you? Keep in mind that the NSA caught dozens of drug dealers and customers through their user names and passwords on Silk Road.
Curiously, after all the precautions taken (computer formatted, TOR freshly installed, a brand new Bitcoin wallet and whatnot), one still gets caught because their password contained their cellphone number. No joke. Since we already covered the secure protocols, we know the importance of message encryption. It applies both to the connection and to data at rest, as well as to the messages we share with other users (friends, family, sellers, etc.).
7.2.1 PGP, Pretty Good Privacy
When it comes to data encryption, we cannot avoid mentioning PGP (Pretty Good Privacy), a tool that encrypts, decrypts and signs text, emails, files and directories to improve the safety of your documents. It works as follows: the user who wants to exchange encrypted messages creates two keys, one public and one private. The public key allows anyone to send you an encrypted message, while the private key is the only one that unlocks a message encrypted with the public key, allowing you to read it.
This is essentially the encryption behind most IT communications: the public/private system is also known as Asymmetric Encryption (or Diffie-Hellman), while using a single key (still with PGP) is defined as Symmetric Encryption. If you lose your PGP private key, consider the protected information lost for good.
7.2.2 GPG, GNU Privacy Guard
The GNU Privacy Guard (from now on, GPG) tool suite is available for Windows, macOS, Linux and BSD. It was created as a free alternative to PGP, from which it inherited the OpenPGP encryption standard. Let's then consider GPG a free alternative to PGP, the software that created the standard GPG works with. Besides the CLI version, GPG [84] is also available as:
- GPGTools [85], a tool suite for macOS
- GPG4Win [86], a client for Windows
- gpg4usb [87], a version designed to run only from a USB drive (Windows and Linux)
- … and many more!
GPG is available by default in many GNU/Linux distros. If you prefer a graphical interface, you can use seahorse (the same one used by Tails). From now on, we will use the terminal quite often, since the UI is intuitive enough: all file operations can be done with the right mouse button, then selecting the items available for the situation. In case of doubt, first learn the command line procedure, then try the UI mode.
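The two checks side by side, as an added example written for this page (not code from the book): the checksum published beside a download, which whoever controls the web server can rewrite together with the file (the scenario of 7.1.1.3), versus a detached GPG signature over the checksum list, which cannot be regenerated without the publisher's private key. The key identity, file names and contents are constructed for the demo; the script assumes gpg (GnuPG 2.x) and sha256sum are installed and works in a throwaway keyring.

```shell
#!/bin/sh
# Constructed demo: a checksum published next to a download can be replaced together
# with the file, while a detached OpenPGP signature made with a key the attacker does
# not hold cannot. Needs gpg (GnuPG 2.x) and sha256sum; uses a throwaway keyring.
set -eu
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"
cd "$WORK"

# Publisher side: a constructed key (hypothetical identity), a release file,
# its checksum list, and a detached signature over that list.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' --quick-gen-key \
    'Demo Publisher <publisher@example.invalid>' default default never 2>/dev/null
printf 'release 1.0\n' > tool.tar
sha256sum tool.tar > SHA256SUMS
gpg --batch --quiet --armor --detach-sign --output SHA256SUMS.asc SHA256SUMS

# Downloader side, two ways to check: the checksum alone, or the signature first.
# --status makes sha256sum report only through its exit code.
verify_checksum_only() { sha256sum -c --status SHA256SUMS; }
verify_signed_checksums() {
    gpg --batch --quiet --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null \
        && sha256sum -c --status SHA256SUMS
}

# Someone who controls the web server swaps the file AND rewrites the checksum
# list beside it; the signature file cannot be remade without the private key.
tamper() {
    printf 'release 1.0 (modified)\n' > tool.tar
    sha256sum tool.tar > SHA256SUMS
}

report() {
    if "$1"; then echo "$1: OK"; else echo "$1: FAILED"; fi
}

echo "before tampering"; report verify_checksum_only; report verify_signed_checksums
tamper
echo "after tampering";  report verify_checksum_only; report verify_signed_checksums
```

After tampering the checksum-only check still reports OK, because the checksum was regenerated along with the file, while the signature check fails.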
7.2.2.1 Understanding the public/private key
We explained the difference between the private and the public key above, so there's no need to reiterate it; that is enough to understand how they work. Summarizing:
- The private key must remain a secret: it's yours and you shouldn't share it with anyone.
To simplify, the relationship between the private and the public key is:
a