
Internship summary of Evyn Faure and Maël Lemoine


Our Internship Experience at the Foopgp Association


We are two first-year BTS SIO (Computer Services for Organizations) students in Gap. As part of our training, an internship is mandatory to advance to the second year. We were fortunate to complete this internship at the Foopgp association, from May 27, 2024, to July 5, 2024. Here is a detailed and enriching account of our formative experience:


Skills and Technologies Used

During our internship, we worked with various technologies and tools, greatly enriching our learning and practical experience:


OpenPGP


OpenPGP is a cryptographic standard used, for example, for encryption, authentication, and email signature.

Public Key

  • Function:

    • The public key is used to encrypt messages intended for a specific recipient.
    • It can also be used to verify the digital signature made by the holder of the corresponding private key.
  • Distribution:

    • The public key is freely shared with anyone who wishes to send an encrypted message to the private key holder.
    • It can be published on public key servers or sent directly to correspondents.
  • Security:

    • The public key cannot decrypt messages; only the corresponding private key can do that.
    • It allows for nearly unforgeable digital signatures and avoids using passwords for authentication.

Private Key

  • Function:

    • The private key is used to decrypt messages encrypted with the corresponding public key.
    • It is also used to digitally sign messages, proving the sender’s identity and the message’s integrity.
  • Confidentiality:

    • The private key must be strictly protected and not shared.
    • It is often password-protected for an added layer of security.
  • Security:

    • If the private key is compromised, an attacker could decrypt messages intended for the private key holder and sign messages pretending to be them.
    • It is crucial to store the private key in a secure place and back it up appropriately.

To learn more about OpenPGP


Pgpid


PgpId is a software suite that allows creating, saving on physical media, and retrieving unique digital identities based on the OpenPGP (Pretty Good Privacy) standard, which can be used to:

  • Sign your digital data.
  • Encrypt and decrypt your data and digital communications.
  • Authenticate yourself with digital services.
  • And soon vote and pay (features currently being developed by some free software communities, including the Foopgp association).

In summary, pgpid helps manage and use PGP keys for secure digital usage.

Within the association, Jean-Jacques implemented this innovative system. It works as follows: when you create your digital identity, it is split into three separate QR codes. These QR codes are then printed for practical use.

To access your digital identity, simply scan these three QR codes. Once scanned, the main private keys associated with your OpenPGP certificate are reconstructed. They can then be uploaded to security keys like YubiKey or Nitrokey.

These security keys allow the use of the private keys of your digital identity without allowing any direct access to them. Each use may require a PIN code. After three consecutive incorrect PIN attempts, the key locks. It can be unlocked with another code (PUK); otherwise, it erases its data. You will then need to reset it to restart the QR code scanning.
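The lockout behaviour described above, modelled as an added example (this is not pgpid, YubiKey or Nitrokey code). The class and method names, the limit of three PUK attempts, and the HMAC standing in for an OpenPGP signature are assumptions made for illustration.

```python
import hmac

class SecurityKeyModel:
    """Simplified model of the PIN/PUK rules described above (not real firmware)."""

    def __init__(self, pin, puk, private_key, pin_tries=3, puk_tries=3):
        self._pin, self._puk, self._key = pin, puk, private_key
        self._pin_max, self._puk_max = pin_tries, puk_tries  # PUK limit is assumed
        self.pin_left, self.puk_left = pin_tries, puk_tries

    @property
    def state(self):
        if self._key is None:
            return "erased"
        return "locked" if self.pin_left == 0 else "ready"

    def sign(self, pin, message):
        """Use the private key without ever returning it to the caller."""
        if self.state != "ready":
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_left -= 1          # only consecutive failures accumulate
            return None
        self.pin_left = self._pin_max   # a correct PIN resets the counter
        # HMAC is a stand-in for the real OpenPGP signature operation.
        return hmac.new(self._key, message, "sha256").hexdigest()

    def unlock(self, puk, new_pin):
        """Unlock a locked key with the PUK and set a new PIN."""
        if self.state != "locked":
            return False
        if not hmac.compare_digest(puk.encode(), self._puk.encode()):
            self.puk_left -= 1
            if self.puk_left == 0:
                self._key = None        # per the text: the key erases its data
            return False
        self._pin, self.pin_left, self.puk_left = new_pin, self._pin_max, self._puk_max
        return True

def demo():
    # Constructed PIN, PUK and key material, for illustration only.
    key = SecurityKeyModel("123456", "12345678", b"constructed-key")
    for guess in ("111111", "222222", "333333"):
        key.sign(guess, b"hello")
    locked = key.state
    key.unlock("12345678", "654321")
    return locked, key.state
```

Once the state is "erased", neither the PIN nor the PUK helps: the identity has to be restored from the three QR codes.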

Here is an example of the QR codes used: [images: the three QR codes]

YubiKey


The YubiKey is a hardware security device used to protect access to online accounts. We learned to use it to enhance the security of our authentications. This tool showed us the importance of hardware security in protecting sensitive data.


Nitrokey


Nitrokeys offer a comprehensive and secure solution to protect digital identities and sensitive data. Their use significantly enhances the security of systems and information while remaining practical and accessible to users. They are almost identical to the YubiKey.


Evolution


Many of these applications and tools were unknown to us, such as Evolution. This internship allowed us to acquire new skills and enrich our knowledge, particularly about PGP keys, which we found particularly interesting.

Below is an image of Evolution with the PGP signature and encryption highlighted in red: [screenshot: Evolution]

You select them by opening the options and checking ‘Sign with PGP’ and ‘Encrypt with PGP’. [screenshot: Evolution]


K9 Mail


K-9 Mail is an open-source email client for Android, recognized for its advanced features and user privacy. Created by Jesse Vincent, the application was integrated into the Thunderbird family in 2022. This collaboration aims to enhance K-9 Mail with features like better account setup, folder management, and synchronization with Thunderbird on the desktop. K-9 Mail will gradually be renamed Thunderbird on Android (K-9 Mail).

For more details, visit the official K-9 Mail website and the Thunderbird blog.

In the application, we will use a YubiKey in this example. First, you need to click on “Use a security token.” Then, when the key is scanned, it will be verified.


To send an encrypted email, just click on the padlock at the top right.


And to read encrypted emails via OpenKeychain, a message will appear: [screenshot: K-9 Mail]


GitHub


On GitHub, we hosted our portfolios (Maël’s portfolio, Evyn’s portfolio) and added our PGP and SSH keys. This allowed us to understand the importance of version control and key security. GitHub also helped us collaborate effectively on various projects.


Codeberg


We used Codeberg preliminarily, as the association is migrating to this source code management system. We also added our PGP and SSH keys there. Codeberg, an open-source alternative to GitHub, gave us insight into different source code management platforms.

Here is an example of our configuration: [image: Maël's PGP and SSH keys on Codeberg]


Hugo


The association’s website is developed with Hugo, a static site generator in Go. We learned this language to modify, add, or remove various elements on the site. Hugo allowed us to create static web pages while introducing us to the basics of programming in Go.


Shell


The association primarily uses GNU/Linux, which led us to frequently use the shell. We enhanced our scripting skills, acquired during our BTS courses. The shell proved to be a powerful tool for automating repetitive tasks and efficiently managing Linux systems.

Learn more about the shell.


Dolibarr


Dolibarr is an open-source management software ideal for associations and SMEs. It allows for managing memberships, members, donations, events, and accounting simply and efficiently. Working with Dolibarr gave us valuable insights into business management and the importance of integrated management tools.


Summary

This early stage of our internship has been an extremely enriching experience for us. We not only learned to use new tools and technologies but also gained a better understanding of security practices and project management in a professional environment.


Personal Opinion

Maël: PGP keys, which were unknown to me before, greatly impressed me as they enhance security while simplifying it. The Go language also fascinated me with its power and simplicity. This internship offered me valuable practical experience and motivated me to explore these technologies further.

Evyn: During this internship, I was involved in various tasks, such as modifying the website using programming languages I was unfamiliar with, and getting acquainted with PGP keys and related aspects like encrypted emails, all while using Debian, an operating system I had barely used before. This internship allowed me to develop essential skills and better understand the challenges of computer security.