GPGrelay   
[ Download ] [ Localisation ] [ Setup ] [ Development ] [ FAQ ]




GPGrelay
GPGrelay is a small relaying server that intercepts SMTP- and POP3-Communication so that emails are signed and/or encrypted on the fly using GnuPG (The GNU Privacy Guard) while you keep using your default email-program.



Caution!
This Program is not meant to be the security overkill. In fact it even makes secure communication a little bit more insecure, but it enables all email-clients to use GPG for secure mail-transfer over the internet (so eavesdropping should only be possible from the local machine).

Therefore it is not recommended that you use this program on a machine where many users have access-privilege!


This program is OpenSource & Free (as anything concerning security on the internet should be).
This program is released under the GNU General Public License (GPL)!

"I don't know why I did it, I don't know why I enjoyed it, and I don't know why I'll do it again."
(Bart Simpson)


What is GPGrelay?
Overview

GPGrelay is, as indicated by its name, a local relaying server.
It works completely transparently for your Email-Client as well as for the remote Server.

Now, if you want to send emails encrypted, GPGrelay encrypts them and sends the encrypted mail to the SMTP-Server.
If you receive an encrypted mail, GPGrelay does the decryption for you - so your Email-Client never sees any encrypted mails, which is quite a nice feature when your Email-Client (like Outlook Express) is not capable of handling those mails.

But this also means that if an eavesdropper has access to your local environment, where Emails are stored decrypted, he can easily get access to them!
On the other hand: if an eavesdropper really is present at your local site, he could probably set up some mechanism (Trojan Horses come to mind) to get your Keyring and the Passphrase you use...


Why should I encrypt my mail?
This is an excerpt from "The comp.security.pgp FAQ"
You should read this FAQ completely if you're not familiar with public-key encryption, because in most cases it is also valid for GnuPG (so replace PGP in the following excerpt with GnuPG)!

1.2 Why should I encrypt my mail? I'm not doing anything illegal!
You should encrypt your e-mail for the same reason that you don't write all of your correspondence on the back of a post card. E-mail is actually far less secure than the postal system. With the post office, you at least put your letter inside an envelope to hide it from casual snooping. Take a look at the header area of any e-mail message that you receive and you will see that it has passed through a number of nodes on its way to you. Every one of these nodes presents the opportunity for snooping. Encryption in no way should imply illegal activity. It is simply intended to keep personal thoughts personal.

Xenon <an48138@anon.penet.fi> puts it like this:
  • Crime? If you are not a politician, research scientist, investor, CEO, lawyer, celebrity, libertarian in a repressive society, investor, or person having too much fun, and you do not send e-mail about your private sex life, financial/political/legal/scientific plans, or gossip then maybe you don't need PGP, but at least realize that privacy has nothing to do with crime and is in fact what keeps the world from falling apart. Besides, PGP is FUN. You never had a secret decoder ring? Boo!
    -Xenon (Copyright 1993, Xenon)


Pay attention
Excerpt from RFC 2015: MIME Security with Pretty Good Privacy (PGP):

3. Content-Transfer-Encoding restrictions
Multipart/signed and multipart/encrypted are to be treated by agents as opaque, meaning that the data is not to be altered in any way [1].

Take note that GPGrelay does not handle those multiparts in an opaque way!
GPGrelay generates such a PGP-MIME-Mail when sending and destroys that structure when it sees one incoming.
This means it takes the mails it relays (e.g. for an SMTP-Server or POP3-Server) and does the magic transformation, so that outgoing Mail is changed into proper PGP-MIME-Format and incoming PGP-MIME-Mails become normal multipart-mails.

As a result, the Email-Client in use doesn't see anything concerning multipart/signed or multipart/encrypted!


What is PGP-MIME?
Here are two schematic block-diagrams that explain the concept of PGP-MIME graphically:

[Figures: Structure of a normal Mail (MIME); Structure of an encrypted Mail (PGP-MIME)]


As you can see, the encrypted version does not lose any information concerning the MIME-Structure of the original mail; in particular, every attachment is encrypted as well!

Another thing you should be aware of is that the normal Mail-Header is not encrypted. This also includes the subject of the mail (the same applies to inlined PGP-Blocks).

And don't confuse PGP-MIME with S/MIME! They are not the same!

More details about PGP-MIME can be gathered from RFC 3156 "MIME Security with OpenPGP" which revises RFC 2015 "MIME Security with Pretty Good Privacy (PGP)". Both are OpenPGP-Extensions to RFC 1847 "Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted".

In case you want to know OpenPGP in detail, this RFC is for you: RFC 2440 "OpenPGP Message Format". It builds on the foundation provided in RFC 1991 "PGP Message Exchange Formats".


So what about the "Inlined"-Option in GPGrelay?
In Inlined-Mode GPGrelay does not construct a PGP-MIME-Wrapper for an Email, which is much more like the way many plugins for email-clients work:
It's just a simple OpenPGP-Message inside a normal plaintext email.

To give more detail: First it takes the body, reverts the character-encoding (e.g. from quoted-printable back to 8bit) and encrypts it normally (say, the way WinPT does with Data on the Clipboard). Then it reapplies the character-encoding (e.g. from 8bit back to quoted-printable).
This is then also done for all Attachments (if there are any).

To compare this with PGP-MIME: PGP-MIME requires just ONE encrypted block for the whole mail and also keeps the original character-encoding and attachments. This also makes it easy to send and receive HTML-Mail without corrupting anything and without a complex decrypt-procedure.
In contrast, when using the inlined variant, for every part the character-encoding has to be reversed, GPG has to encrypt it and the character-encoding has to be reapplied. You can easily see that this adds extra complexity, which leads to poorer performance.
It also allows an attacker to remove or modify an attachment (e.g. replace it with some previously signed/encrypted attachment of a different mail), which PGP-MIME protects against.

To sum it up: Try to avoid Inlined-PGP! Only use it if your correspondence-partner cannot handle PGP-MIME.
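The difference between the PGP-MIME structure and the inlined variant described above, as an added example that is not GPGrelay's own code: it builds both forms from one constructed sample mail and lists what a relay on the path can read without any key. `fake_armor` is a labelled stand-in for the GnuPG call (base64, not encryption), and the addresses, subject and file name are made up.

```python
import base64
from email import encoders, message_from_bytes, policy
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

def fake_armor(data: bytes) -> str:
    # STAND-IN for "gpg --encrypt --armor": base64 is NOT encryption.
    b64 = base64.encodebytes(data).decode()
    return f"-----BEGIN PGP MESSAGE-----\n\n{b64}-----END PGP MESSAGE-----\n"

def sample_mail():
    m = EmailMessage()  # constructed sample: text body plus one attachment
    m["From"], m["To"], m["Subject"] = "alice@example.org", "bob@example.org", "Q3 numbers"
    m.set_content("See attached.\n")
    m.add_attachment(b"%PDF-constructed", maintype="application", subtype="pdf", filename="q3.pdf")
    return m

def pgp_mime(msg, encrypt=fake_armor):
    # RFC 3156: content headers, body and attachments become ONE encrypted block.
    inner = message_from_bytes(msg.as_bytes(), policy=policy.default)
    for h in set(inner.keys()):
        if not h.lower().startswith("content-"):
            del inner[h]
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for h in ("From", "To", "Subject"):  # the mail header stays in cleartext
        outer[h] = str(msg[h])
    for data, sub in (("Version: 1\n", "pgp-encrypted"),
                      (encrypt(inner.as_bytes()), "octet-stream")):
        outer.attach(MIMEApplication(data, sub, _encoder=encoders.encode_7or8bit))
    return outer

def inline_pgp(msg, encrypt=fake_armor):
    # Inlined mode: undo each part's transfer encoding and encrypt it on its own.
    out = EmailMessage()
    for h in ("From", "To", "Subject"):
        out[h] = str(msg[h])
    out.set_content(encrypt(msg.get_body(("plain",)).get_payload(decode=True)))
    for att in msg.iter_attachments():
        out.add_attachment(encrypt(att.get_payload(decode=True)).encode(), maintype="application",
                           subtype="octet-stream", filename=att.get_filename() + ".asc")
    return out

def exposed(msg) -> dict:
    # What any relay between sender and recipient can read without a key.
    seen = message_from_bytes(msg.as_bytes(), policy=policy.default)
    leaves = [(p.get_content_type(), p.get_filename())
              for p in seen.walk() if not p.is_multipart()]
    return {"subject": str(seen["Subject"]), "leaves": leaves}
```

For the sample mail, `exposed(pgp_mime(...))` always shows the same two fixed parts, while `exposed(inline_pgp(...))` shows one separately encrypted part per original part together with the attachment's file name; the subject is readable in both.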


SourceForge
This project is also hosted on sourceforge.net.


You should use the forums provided by SourceForge to ask for help, track bugs or discuss GPGrelay in general.

There is also a GPGrelay-Mailing-List available there!
I strongly recommend it for discussion about GPGrelay!
SourceForge-Mailinglist : gpgrelay-talk

Any email to me or entry in the guestbook is still welcome!






Contact
.tSCc.
  tscc.atari.org
 
  
dynaCore   andreas_john@tesla.inka.de
 
andreas john
schulzenstr. 36
76771 hördt


