Private Messaging - Encrypted?

[fgenetics]

Is there a mod which I could install which would help me encrypt members PM's when they message each other? I know its possible in PhPBB. Please guide me on this.

ttt

if some one can give me a quote for a custom mod we will pay for this

[doogie88]

I am also interested in this, and would pay, or split the cost with original poster.

[Ziki]

Encrypt?

[doogie88]

Encrypt messages so only the reader can view the message.
I've seen one for another board where if you want to encrypt, you need to give the receiver a password to enter, to decrypt the message.

[magnus]

I don't see why you couldn't just use AES_ENCRYPT() and AES_DECRYPT() when storing/retreiving PM's -- but like doggie88 said, there would need to be a password of sorts shared between the parties. Unless the password is shared by using a medium other than the forum in question, you as the Administrator could still decrypt the message.

Sounds like fun, though. I'll kick the idea around.

[doogie88]

hushmail.com uses encryption without a password.
Ziplip.com another email services using encryption with a password.
If you wanted to take a look at them.
There is also PGP encryption where each user has a PGP key and you need their key to open the message/email.
Like I said I would pay, and they other guy would as well to cover costs.

[magnus]

There has to be a password. Whether the password is chosen by the user or randomly assigned, there's still one there. Sure, one could be randomly determined from the datestring, username, etc.. or any combination. By predetermining the string, it would then need to be stored within the DB -- thus, in my opinion, rendering encryption useless. The only true way to keep it secure is to have the parties involved share the password/key/hash amongst themselves in advance.

I assume the whole point of this is so that you, the Admin (or anyone with access to the MySQL DB), cannot read a member's PM's. Correct?

* Edit --

One way for this to happen is the sender chooses a string of characters to base the encryption off of, then that string (or decryption key) is sent to the recipient via e-mail. That way the key is not stored in the DB, and the only parties with access to it are the sender and recipient(s).

In retrospect, if there's no secure method of sharing the key externally -- encryption would be overkill and a simple PHP encode(); would basically yield the same result, as you can then decode(); the text with no need for a key.

Of course, one would then need to determine the actual usefulness of such a modification -- as I can't see people sharing things requiring that level of security over a public medium such as a vBulletin forum.

[doogie88]

Take a look at PGP if you have a minute.
Basically you set yourself up with a 'key', and you give it to friends, etc.
Then you can encrypt and send messages to eachothers.
Here is a PGP user guide... gives the basics:

Now there are some easier ways to use pgp, but this is written for those who are security minded. There are also many many other features of pgp but it would take me forever to type them all out, so this is to be used as a simple easy start up guide to serious security.

INSTALLING PGP

1. <http://www.pgpi.org/products/pgp/versions/freeware/>
2. click on the Operating system you're using
3. Dowload the version you want, i personally prefer the 6.5.8 as the 7.0.3 ++++s things up, especially if you're running 2000 Pro or XP
4. click on Download PGP 6.5.8
5. chose a place to download it from, and save it to your desktop
6. You now have a winzip file named PGPFW658Win32.zip or something of the kind on your desktop.
7. If you do not have winzip go and get it cause you're an idiot, www.winzip.com <http://www.winzip.com>
8. Double click the icon and extract the files to your desktop
9. Double click the setup icon
10. Folow the installation instructions, I do not recommend installing any of the plugins for icq, outlook, eudora or whatever.
11. You will be asked if you have an existing key or keyring tell it NO.
12. You will be prompted to make a key DO NOT MAKE A KEY AT THE TIME OF INSTALLATION!!!!!!!
13. Finish the installation and you will need to restart your computer.
14. Restart your computer
SETTING UP PGP
15. You will now have a PGP System Tray icon, on your 'startbar', it look like a little lock
16. Right click the PGP system tray icon (little lock) and select OPTIONS
17. Under the GENERAL tab make sure the following are UNCHECKED!!!
- ALWAYS ENCRYPT TO DEFAULT KEY
- FASTER KEY GENERATION
- CACHE DECRYTPION PASSPHARSES FOR
- CACHE SIGNING PASSPHRASES FOR
18. Check the warn before wiping box and increase the number of passes to 10 at least.
19. Under the EMAIL tab the only thing that should be checked is
-WORD WRAP CLEAR-SIGNED MESSAGES AT COLUMN
20. Under HOTKEYS all should be unchecked!
21. Under ADVANCED - This is Very Important!!
- under allowed algorithms make sure that IDEA is the only one checked, UNCHECK TripleDES and CAST
22. Under Trust Model make sure that only WARN WHEN ENCRYPTING TO KEYS WITH AND ADK is checked.
23. Under export format Click on COMPATIBLE
24. Now click on OK at the bottom of the window, the window will dissapear.
25. Right click the PGP system tray icon and select PGP KEYS
26. A window will pop up called PGP KEYS
27. Highlight all the keys in the window and delete them all, these are just sample keys that come with the program and just clutter things up.
28. Click on Keys at the top of the PGP KEYS window a drop down menu will pop up, Select New Key
29. A Key Generation Wizard will pop up
30. If you want to learn Click on Help and read that, if not, like most people, just click Next
31. It will ask you for a FULL NAME and EMAIL ADDRESS, Put a name in, for instance mine is E2, as for an email address this is unimportant, I personally leave it blank, unless you're using it with a plug in , which we're not, or you want people to be able to find your key on the key server, which you don't, you don't need to enter one.
32. If you do not enter an email address when you click NEXT, a window will pop up asking you if you really want to continue without entering an email address, click YES
33. Now it will ask you what type of key you want to make, Choose Diffie/Hellman-DSS, Click NEXT
34. Now it will ask you how large a key you wish to make, choose CUSTOM and type in 4096, Click NEXT
35. Now click Key Pair Never Expires, click NEXT
36. Now you must enter a passphrase, remember THERE IS NO WAY OF RETRIEVING YOUR PASSPHRASE!!!! IF YOU LOSE IT YOU'LL HAVE TO MAKE A NEW KEY AND ALL THINGS ENCRYPTED WITH YOUR OLD KEY WILL BE LOST!!!!
37. Make your passphrase something complicated and nonsensical but something you will not forget, in my book the longer the better, mine takes me about 1 min to type in.
38. Click Next, your computer will start to generate your key. Do not be worried if this seems to take forever!!! And yes I mean forever, I have friends with slower computers who have waited hours for their computer to finish making a key. Just be very very very patient, also remember we're making very large keys here 4096 bit keys!!

USING PGP

Now you have a personal key! In order to send messages to others you must have a copy of their PUBLIC KEYS, and they must have copies of your PUBLIC KEY in order to send you messages.
39. There are many ways to send you key to someone.
- As simple txt
- As an asc file
40. Sending as simple txt. Open your PGPkeys window, you see your key there, it is the one in bold. Highlight it, and press ctrl-c, or copy. Then open a windown and press ctrl-v or paste. You will now see the txt version of your public key, this is what you must send to others in order for them to be able to send you encrypted messages.
41. Sending as an asc file. Opern your PGPkeys window, highlight your key, the one in bold, click Keys at the top of the PGPkeys window, choose EXPORT, it will ask you where to save the file, tell it where and click ok. Now you have a file you can send to someone which is your public key.

RECEIVING KEYS

- As txt
- As an asc file
42. A txt key, as can be seen on the anabolicfitness.net website in the PGP Key forum, can be brought into your keyring by, highlighting it (MAKE SURE YOU HIGHLIGHT IT ALL, IF YOU MISS EVEN A LITTLE DASH PGP WILL NOT RECOGNIZE IT AS PGP INFO!!) , pressing ctrl-c or copy, then RIGHT CLICK the PGP system tray icon (little lock), selecting CLIPBOARD, then DECRYPT&VERIFY.
43. A window will now pop up with the key you're trying to receive, make sure the key you're trying to receive is highlighted then select IMPORT at the bottom of that window. That key has now been added to your keyring, you can check this by opening the PGPkeys window.
44. An ASC file. Double click the file, a window will pop up with the key you're trying to receive in it, make sure it's highlighted then choose IMPORT at the bottom of the window, the key has now been added to your keyring.
ENCRYPTING AND DECRYPTING MESSAGES
SENDING A MESSAGE
45. Type a message that you want to send to someone. Highlight that text. Press ctrl-c or copy, then RIGH CLICK on the PGP system tray icon, select CLIPBOARD, then ENCRYPT
46. The KEY SELECTION DIALOG BOX will appear, drag the keys of the recipients of your message to the recipients box of the window, there can be as many recipients as you like. Make sure the SECURE VIEWER AND CONVENTIONAL ENCRYTPION boxes are UNCHECKED!
47. Click ok, a working window will pop up, saying Encypting Clipboard.
48. Open the window where you wish to paste your encrypted message and press ctrl-v or paste. You will now see your encrypted message!!! Send away!!

RECEIVING A MESSAGE

49. In order to receive a message from someone they must have encrypted the message using your public key.
50. You can recieve a message as an asc file, if so just double click it, enter in your passphrase and click ok. That's all there is to it.
51. Receiving a mesage in txt format (most typical). Hightlight the text, make sure to highlight it all if you miss anything pgp won't recognize it. Press ctrl-c or copy, the right click the system tray icon, select CLIPBOARD THEN DECRYPT & VERIFY. You will now be asked to enter in your passphrase, if you're not propted to enter in your passphrase then the message was not encrypted with your key and you are unable to read it. Enter your passphrase and click OK.
Simple and easy.

[magnus]

I'm quite familiar with PGP.

The fact still remains the same, a key of sorts must be shared in order to decrypt the message -- whether it be a PGP_KEY or a password/key/phrase selected at the time of composing.

[doogie88]

Ya I understand that, and I understand that if it's something really high security it shouldn't be sent over VB, but I'm just looking at something for convenience, and making members feel more secure.
I was also thinking that there would be a forum where members post their PGP keys... or would this basically be an invitation to whoever wanted to read the messages, to read them as well? I mean if Mr X sends a message to Mr Y, and they both have their keys posted in the open forum, can Mr Z take both their keys, the message, and decrypt it? Or will the message only work if Mr Z has Mr X's or Y's password?