Untitled

a guest
Apr 22nd, 2023
As promised, here is the first weekly opsec discussion. The goal here is awareness, not mastery, in the hope that monerochads can have a well-rounded understanding of various opsec concepts and tools that are commonly used in conjunction with XMR. This week is PGP, I will try to keep this short and concise so as not to sh1t up the general.

>What is PGP?
PGP (Pretty Good Privacy) is an encryption standard created in 1991 by Phil Zimmermann, an American computer scientist and cryptographer. PGP provides users with communications encryption and originator verification, as well as file and disk partition encryption, through the combined use of compression, hashing, public key encryption and symmetric encryption. While it is often referred to as PGP, what people are typically using is OpenPGP, as PGP itself is actually owned by Symantec.

>Why PGP?
PGP is the de facto standard for email security among those in opsec-critical circles. By using PGP properly, users can have a degree of certainty that they are maintaining their confidentiality and data integrity within the hostile environment that is the internet. One thing all of us should understand is the motto "not your keys, not your crypto", and this applies to our communications security as well. There are many services that provide encrypted email and chat, but there is often one underlying problem: you don't hold the keys. If your communications are encrypted but your private key is stored on some AWS server in god knows where, you are vulnerable to exploitation in a similar way to custodial crypto holders, except you may not just lose your money, but also your life or freedom, depending on the severity of your threat model. By using PGP software and securing your own private keys, you alone are responsible for your security.

<newpost>

>How Does It Work?
To explain, we will break the process into two parts: a brief overview of public key encryption, and the underlying process used to encrypt each message, which also involves symmetric encryption.

>Public Key Encryption
PKE is an asymmetric cryptographic system which uses a related pair of public and private keys held by each user. The public key is distributed to the people you wish to communicate with, while the private key is held only by you!
To explain the process behind public key encryption we will look at a simple one-way message sent from User A to User B.
User A wants to send an encrypted message to User B.
User B sends User A his public key.
User A uses this public key to encrypt the message he wants to send to User B.
The message is then sent.
User B uses his private key to decrypt the message.
In this way, we can see how anyone can encrypt a message for another person using the recipient's public key, but only the recipient, who holds the private key, is able to decrypt it.

>Message encryption
Let's take a slightly closer look at how this message is encrypted, including the symmetric session key.
User A is encrypting a message to User B.
The message is first compressed; this reduces workload and strengthens encryption.
A session key (for symmetric encryption) is generated and used to encrypt the compressed plaintext message.
The session key is then encrypted using User B's public key.
The message is now encrypted and can be sent to the receiver.
User B decrypts the session key using their private key.
The session key is used to decrypt the message back to plaintext.
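
As an added worked example (not part of the original post), here is the User A to User B flow from the public key encryption section and the message encryption steps above, written in Go with only the standard library: zlib compression, a random AES-256-GCM session key, and RSA-OAEP to wrap that key to B's public key, then the reverse on B's side. The cipher choices, the 12-byte nonce prefix and the NewKeyPair helper are assumptions for this demo, not what OpenPGP itself specifies.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

func NewKeyPair() *rsa.PrivateKey { // stands in for generating a user's PGP key pair
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func aead(key []byte) cipher.AEAD { // symmetric cipher for the session key (AES-256-GCM, an assumption)
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Encrypt is User A's side, in the post's order: compress, make a random session key, encrypt with it, wrap that key to B's public key.
func Encrypt(pubB *rsa.PublicKey, msg []byte) (wrappedKey, sealed []byte) {
	var zbuf bytes.Buffer
	zw := zlib.NewWriter(&zbuf)
	zw.Write(msg)
	zw.Close()
	key, nonce := make([]byte, 32), make([]byte, 12)
	io.ReadFull(rand.Reader, key)
	io.ReadFull(rand.Reader, nonce)
	wrappedKey, _ = rsa.EncryptOAEP(sha256.New(), rand.Reader, pubB, key, nil)
	return wrappedKey, aead(key).Seal(nonce, nonce, zbuf.Bytes(), nil) // nonce||ciphertext
}

// Decrypt is User B's side: only the private key unwraps the session key; a wrong key or a tampered ciphertext fails here instead of yielding garbage.
func Decrypt(privB *rsa.PrivateKey, wrappedKey, sealed []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, privB, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	compressed, err := aead(key).Open(nil, sealed[:12], sealed[12:], nil)
	if err != nil {
		return nil, err
	}
	zr, _ := zlib.NewReader(bytes.NewReader(compressed)) // GCM passed, so this header is the one we wrote
	return io.ReadAll(zr)
}
```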

<newpost>

>PGP Signed Messages (Authentication)
In order to verify the time of creation and authenticity of a message, and to ensure the message has not been tampered with, PGP signatures are used. Here's the basic process of how messages are PGP signed.

The process begins by creating a hash of the plaintext message.
User A uses their private key to encrypt the hash.
This encrypted hash is added to the bottom of the plaintext message.
Using User A's known public key, anyone can verify the signature by decrypting it with that public key and comparing the hash from the signature to the hash of the plaintext.

>Utilization
If you're still reading, you might be thinking: f_ck, this is a lot of individual steps to take. Rest easy. The majority of the processes we have covered are carried out by your PGP software, so have a look at a few of the most common software suites that make this possible. This part is really up to the user: research different software and find out which one suits your skill level and needs best.
>Kleopatra - PGP GUI for Windows and Linux
https://apps.kde.org/kleopatra/

>GnuPG - Strictly CLI for Windows and Linux
https://www.gnupg.org/index.html

>Final Words
While this is in no way a complete guide to using PGP, the hope here is that even low-IQ anons can have a basic understanding of how PGP works and how it can improve your opsec. Remember to secure your private key with care; good opsec is about continued attention to detail over time.
>https://www.openpgp.org/about/
>https://www.makeuseof.com/tag/pgp-me-pretty-good-privacy-explained/
>https://users.ece.cmu.edu/~adrian/630-f04/PGP-intro.html
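
As an added example (not from the original post), the signing steps above in Go: a SHA-256 hash over the message and its creation time, signed with User A's private key and checked by anyone holding the public key. RSA-PSS, the Signed struct and the NewKeyPair helper are assumptions standing in for OpenPGP's actual packet formats; what carries over is that the creation time is covered by the signature, so neither the text nor the timestamp can be altered without the check failing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"time"
)

// NewKeyPair stands in for generating a user's PGP key pair (2048-bit RSA here).
func NewKeyPair() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// Signed is the constructed stand-in for a signed message: the plaintext, its
// creation time, and the signature "added to the bottom" of it.
type Signed struct {
	Text    []byte
	Created time.Time
	Sig     []byte
}

// digest hashes what the signature covers. As in OpenPGP, the creation time is
// hashed together with the text, so the timestamp is protected by the signature too.
func digest(text []byte, created time.Time) []byte {
	h := sha256.New()
	h.Write(text)
	binary.Write(h, binary.BigEndian, created.Unix())
	return h.Sum(nil)
}

// Sign is User A's side: hash the message, then sign the hash with A's private key.
// RSA-PSS is an assumption; the post's "encrypt the hash" is the textbook RSA picture.
func Sign(privA *rsa.PrivateKey, text []byte, now time.Time) (*Signed, error) {
	created := now.Truncate(time.Second)
	sig, err := rsa.SignPSS(rand.Reader, privA, crypto.SHA256, digest(text, created), nil)
	if err != nil {
		return nil, err
	}
	return &Signed{Text: text, Created: created, Sig: sig}, nil
}

// Verify is anyone's side: recompute the hash over the received text and time and
// check it against the signature with A's public key; any change makes this fail.
func Verify(pubA *rsa.PublicKey, m *Signed) error {
	return rsa.VerifyPSS(pubA, crypto.SHA256, digest(m.Text, m.Created), m.Sig, nil)
}
```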