THIS POSTING HAS BEEN UPDATED AND SUPERSEDES THE PREVIOUS POSTING FROM MAY 21st, 2023.
CURRENT GUIDANCE DOCUMENT IS DATED 25 MAY 2023.
Sorry for any inconvenience, but further research shows that short RSA keys (such as the 1024-bit size compared below) are no longer considered adequate, and Elliptic Curve keys are significantly more secure for our purposes at a fraction of the size.
Delete the previous AmRRON Actual GPG key from your Key Manager. The new key is labeled AmRRON Actual (ECC); look for the one with 'ECC' in the name.
Elliptic Curve PGP keys are MORE SECURE, and significantly smaller in size:
ECC key = 648 bytes
RSA 1024 key = 1,100 bytes
(Bear in mind that the comparison is against a 1024-bit RSA key, which is itself no longer considered strong. A 256-bit ECC key such as GnuPG's default Curve25519 is generally rated as comparable to a 3072-bit RSA key, so against an RSA key of equivalent strength the size advantage is larger still.)
How can you be sure that a file received from 'AmRRON National' is authentic? Hopefully you've been practicing authentication using the Check Sum Hash for the weekly AIB, posted on the sidebar of the website. Keep in mind what that check proves: the file you received matches the one posted on the site. By itself it says nothing about who wrote it, and it only works while you can reach the site. So what if the internet is down, or the AmRRON website is off line for some reason (power outage, hacking, cyber attack, etc.)? How do you authenticate when we're grid down?
What if you received an "official" AmRRON Call To Action over the radio which read "...overthrow the government NOW, patriots!"
- Right away, something obviously doesn't seem right. This is not something members would ever expect to see sent out over the air by AmRRON.
- You want to confirm that it is not authentic traffic, and that someone is spoofing AmRRON members' call signs, so you can stop further distribution of the bogus traffic AND alert others, including (and especially) AmRRON National and the regional HF Net Control Stations. Basically, everyone will alert everyone else. With signed traffic you can make that confirmation with just your radio and your computer: if the signature does not verify against the AmRRON Actual public key you already hold, the message either did not come from AmRRON Actual or was changed on the way.
For those of you concerned about COMSEC (and you should be), you may have noticed something new under the Check Sum Hash in the website sidebar.
Pay special attention to: "Download the (AmRRON Actual) AmRRON PGP public key."
The downloadable/printable PDF document below will walk you through setting up and using the GPA app (GNU Privacy Assistant, for Windows, Linux, Mac, etc.) to verify the authenticity of AmRRON traffic sent over FEC (forward error correction) digital modes. All AmRRON members are encouraged to download the AmRRON Actual public key, even if you don't know how to use it yet. At least you'll have it in hand, and it has to be in hand before the grid goes down, because that is the one thing you cannot fetch afterwards.
You can download the AmRRON Actual (ECC) key HERE or from the sidebar. IT MUST BE THE AMRRON ACTUAL (ECC) KEY. If it is not accompanied by 'ECC', it is an obsolete key. Sorry for the inconvenience. Use your browser menu to locate 'Save Page As', and ensure that the '.txt' or 'Plain Text' file option is selected. Open the saved file in a text editor and check that it begins with the line '-----BEGIN PGP PUBLIC KEY BLOCK-----' and ends with '-----END PGP PUBLIC KEY BLOCK-----'; if you see web page markup instead, the save used the wrong format and the import will fail. Then read through the PGP-GPG Signature Verification General Guidance document (below). After importing the key, note its fingerprint (shown in the key details in GPA or Kleopatra) and, where you can, confirm it through a second channel such as another trusted member, so that what you hold is the real AmRRON Actual key and not a substitute posted by someone else.
This is perfectly legal, and the FCC has commented on the use of PGP/GPG for signed messages. Title 47, Part 97.113(a)(4) prohibits "...messages encoded for the purpose of obscuring their meaning...". A digital signature does not hide the meaning of the message in any way: the text goes out in the clear, and the signature block appended to it is what lets the recipient confirm it is actually from the stated author/sender. (The signature is made with the sender's private key, which the sender unlocks with a password; only the matching public key, the one you downloaded, can verify it.) Signing is not encrypting: the sign/verify steps below leave the text readable, whereas the 'Encrypt' option would obscure it, which is exactly what the rule prohibits, so leave Encrypt off for on-air traffic.
NOTE FOR WINDOWS USERS: On the download page at GnuPG.org, scroll down until you see the 'Windows' entry. It's not GPA for Windows, but rather 'Gpg4win: Full featured Windows version of GnuPG'. It installs Kleopatra, a key manager that plays the same role on Windows that GPA does, as the front end to GnuPG. It has the same features, although laid out slightly differently than GPA.
ALSO: See the ‘Additional Help Tips for Kleopatra’ by Tango-05 (below)
Additional Kleopatra help tips:
1. In Kleopatra, keys in the list which are boldface are ones you have a private key for, so be careful about which key you send to others. Highlight your key and select the 'Export' toolbar button (or right-click and select "Export" on the popup menu). It will create a file with a "_public.asc" suffix so you know that is your public key. This exported "_public.asc" file is what you send to others.
It's also a good idea to back up your private key in case your PC crashes. Without a backup, your public key is useless, because the private key would be forever lost. Highlight your boldfaced key, right-click and select 'Backup secret key'. This is like the Export option above, but will export a file with a "_SECRET.asc" suffix. Take this file and store it in a VeraCrypt folder or other safe spot off your PC. Never give it to others.
This is also how you can copy or move your keys to another PC. Install GnuPG/Kleopatra and select Import. Import both your own “_public.asc” and “_SECRET.asc” files. Then re-import public keys from others and you’re back in business.
One last note... ECC (Elliptic Curve) format keys are not compatible with the old gpg4usb app. No big deal, all of that is built into the Notepad section of Kleopatra. To sign a block of text....
1. Click on the Notepad toolbar button.
2. In the Notepad tab, type or paste in your text to sign.
3. In the Recipients tab, un-check the Encrypt options, make sure “sign as” is checked and your key selected.
4. Click the “Sign Notepad” button. The contents of the Notepad tab will be modified with a signature block.
5. Once signed, the text can no longer be tampered with. It will return "Invalid signature" if altered.
6. Use the "Decrypt / Verify Notepad" to decrypt a message or verify a signed block of text you received from others, or just to confirm blocks you signed.
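The procedure described in this post (export the public key, import it on the receiving machine, verify signed traffic) and Tango-05's Kleopatra sign/verify steps above, run from the GnuPG command line as an added example; this script is not from the AmRRON post, from Tango-05, or from the GnuPG project. It assumes GnuPG 2.1 or later is installed as `gpg`. The station name, e-mail address, message text and directory names are made up for the demo, and the throwaway Ed25519 key has no passphrase so it runs unattended (a real key should have one). A "sender" keyring and a "receiver" keyring stand in for two operators' computers; the receiver never holds the private key.

```shell
#!/bin/sh
# Added example (not AmRRON's or Tango-05's): GnuPG command-line equivalent of
# "export public key", "sign Notepad" and "Decrypt/Verify Notepad".
# Assumes GnuPG 2.1+ as `gpg`. All names, addresses and message text are made up.

# Two separate keyrings stand in for two computers: "sender" holds the private
# key, "receiver" holds only the exported public key (the grid-down operator).
setup_dirs() {
    WORK=$(mktemp -d)
    SENDER="$WORK/sender"
    RECEIVER="$WORK/receiver"
    mkdir -p "$SENDER" "$RECEIVER"
    chmod 700 "$SENDER" "$RECEIVER"
}

# --batch/--yes keep gpg from prompting; the demo key has no passphrase, so an
# empty one is supplied over the loopback pinentry.
sender_gpg()   { gpg --homedir "$SENDER"   --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }
receiver_gpg() { gpg --homedir "$RECEIVER" --batch --yes --quiet "$@"; }

# Step 1 (sender): generate a sign-only Elliptic Curve key.
# Arguments after the user ID are algorithm, usage and expiry.
make_key() {
    sender_gpg --quick-gen-key 'Example Actual (ECC) <actual@example.invalid>' ed25519 sign never
}

# Step 2 (sender): export the PUBLIC key as ASCII armor. This is the file that
# gets posted and handed to members; the secret key never leaves the sender.
export_public_key() {
    sender_gpg --armor --export actual@example.invalid > "$WORK/example_actual_ECC_public.asc"
}

# Step 3 (sender): clearsign the traffic. The text stays readable; a signature
# block is appended, so nothing about its meaning is obscured.
sign_message() {
    printf '%s\n' "$1" > "$WORK/traffic.txt"
    sender_gpg --clearsign --output "$WORK/traffic.txt.asc" "$WORK/traffic.txt"
}

# Step 4 (receiver, offline): import the public key obtained earlier, then
# verify. Exit status 0 means the signature matches the text AND was made by a
# key in the receiver's keyring; anything else is reported as BAD.
import_public_key() {
    receiver_gpg --import "$WORK/example_actual_ECC_public.asc"
}
verify_signed_file() {
    if receiver_gpg --verify "$1" 2>/dev/null; then echo GOOD; else echo BAD; fi
}

# The fingerprint is what you compare out of band (in person, or by voice with
# a known station) before trusting any signature from this key.
key_fingerprint() {
    gpg --homedir "$1" --batch --with-colons --with-fingerprint --list-keys actual@example.invalid 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Simulate a spoofer editing one detail of the signed traffic after the fact.
make_tampered_copy() {
    sed 's/1900 UTC/0100 UTC/' "$WORK/traffic.txt.asc" > "$WORK/traffic_tampered.asc"
}

# Runs the whole exchange and prints a one-line summary on stdout.
run_demo() {
    setup_dirs
    make_key
    export_public_key
    import_public_key
    sign_message 'AmRRON Net Control: Regional HF net Tuesday 1900 UTC. Verify before relaying.'
    genuine=$(verify_signed_file "$WORK/traffic.txt.asc")
    make_tampered_copy
    tampered=$(verify_signed_file "$WORK/traffic_tampered.asc")
    if [ "$(key_fingerprint "$SENDER")" = "$(key_fingerprint "$RECEIVER")" ]; then
        fpr=match
    else
        fpr=mismatch
    fi
    gpgconf --homedir "$SENDER" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$RECEIVER" --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
    echo "genuine=$genuine tampered=$tampered fingerprint=$fpr"
}

run_demo
```

Save it as verify_demo.sh and run `sh verify_demo.sh`; the last line printed should read `genuine=GOOD tampered=BAD fingerprint=match`. Two points carry over to the real AmRRON Actual key. First, `gpg --verify` (and Kleopatra's Verify) reports a good signature for any key in your keyring and merely warns that the key is not certified, so the fingerprint comparison is the step that ties the key to AmRRON Actual. Second, the signature covers the text exactly: a message retyped or reflowed by hand on the receiving end will also show as bad, even when nobody spoofed it, so pass signed traffic along verbatim.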
Gnu Privacy Assistant is not available for 64bit Windows 10. What other program can I use?
If you scroll down on the Download page, you’ll find ‘Windows Gpg4win Full featured Windows version of GnuPG’. It will download Kleopatra (that’s the Windows version of GPA). It has the same features, although laid out slightly differently than GPA.
Glad to see the use of the GPG signature function. An isolated operator can receive and now confirm the signing station is genuine WITHOUT AN INTERNET CONNECTION, assuming they make the time to have the appropriate keys.
Haar! de Popeye
Is there a version for MAC?
Apparently there is, at: https://github.com/algertc/homebrew-kleopatra4mac
However, I use Linux primarily (and a Windows machine), so I cannot provide a review or testimony to how well it works on Mac.
-JJS