Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ================================================================================
- PGP Startup Guide - DOS Version
- v1.0
- (93/11/28)
- Out and About
- ================================================================================
- Contents
- ========
- Section 1 - Intro
- <1.0> What the hell is this document?
- <1.1> What the hell is PGP?
- Section 2 - Obtaining It
- <2.1> BBSs
- <2.2> America Online
- <2.3> CompuServe
- <2.4> InterNet
- <2.5> Setting it up
- Section 3 - Using It
- <3.1> Generating a Key
- <3.2> Keys & keyrings
- <3.3> Keyservers
- <3.4> Signing
- <3.5> Encrypting
- <3.6> Other useful commands
- Section 4 - Miscellaneous
- <4.1> Legal Issues
- <4.2> ViaCrypt
- <4.3> Version History
- <4.4> Everything Else
- ================================================================================
- Section 1 - Intro
- <1.0> What the hell is this document?
- This document is an intro to PGP on MS-DOS machines. It's designed for a
- first-time user of PGP, and will get them through finding the program;
- getting the program; and, finally, using the program in a basic way. In
- other words, a good way to get more people using PGP.
- <1.1> What the hell is PGP?
- PGP is a cryptography system that allows you to send data to other people
- with what amounts to excellent security. The important point about PGP,
- though, is that you never have to meet the person you're sending encrypted
- information to. This might not make sense at first, but this capability is
- essential to the benefits PGP can provide.
- Traditional encryption techniques have one key. The two people meet first,
- and exchange this key; then, afterwards, one encrypts the data with the key,
- sends it to the other person, who uses the same key to decrypt it. Simple,
- eh?
- Well, PGP can do that, but it can also do something else, called public-key
- encryption. This means that you encrypt a document with somebody's "public
- key" - which is freely distributed - and *only they* will be able to decrypt
- it, with their corresponding private key. Nobody else can. Not even you,
- right after you've encrypted it with their public key.
- Some people may wonder why PGP is necessary. Some people probably don't
- care. However, the two of us work remote in a distributed environment - our
- modems are our connection to the office, and anytime we're sending sensitive
- data through any kind of network, we're risking somebody else grabbing a
- copy. With PGP, that's no longer an issue.
- Additionally, we're always sure that documents come from where they were
- supposed to, since it's impossible to forge the digital "signatures" that
- PGP creates. For example, nobody knows who the two of us really are - the
- anonymous server takes care of that. However, once you've got our public
- key, you'll know that anything verified by that key came from us - without
- ever meeting either of us. Thus, by coupling the anonymity of the InterNet
- and the authentication of PGP, we can be anonymous, yet readily - and
- reliably - identified. Cool, eh?
- The only potential problems with public-key systems is verifying the public
- keys you have; see below, as well as the PGP documentation, for help on
- this.
- Section 2 - Obtaining It
- <2.1> BBSs
- PGP is probably available on some local BBSs in your area. If your local
- BBS lacks it, here's some info from the PGP docs:
- ================================================================================
- The GRAPEVINE BBS in Little Rock Arkansas has set up a special
- account for people to download PGP for free. The SYSOP is Jim Wenzel,
- at jim.wenzel@grapevine.lrk.ar.us. The following phone numbers are
- applicable and should be dialed in the order presented (i.e., the
- first one is the highest speed line): (501) 753-6859, (501)
- 753-8121, (501) 791-0124. When asked to login use the following
- information:
- name: PGP USER ('PGP' is 1st name, 'USER' is 2nd name)
- password: PGP
- PGP is also widely available on Fidonet, a large informal network of
- PC-based bulletin board systems interconnected via modems. Check
- your local bulletin board systems. It is available on many foreign
- and domestic Fidonet BBS sites.
- In New Zealand, try this (supposedly free) dial-up BBS system:
- Kappa Crucis: +64 9 817-3714, -3725, -3324, -8424, -3094, -3393
- Source and binary distributions of PGP are available from the Canadian
- Broadcasting Corporation library, which is open to the public. It has
- branches in Toronto, Montreal, and Vancouver. Contact Max Allen, at
- +1 416 205-6017 if you have questions.
- For information on PGP implementations on the Apple Macintosh,
- Commodore Amiga, or Atari ST, or any other questions about where to
- get PGP for any other platform, contact Hugh Miller at
- hmiller@lucpul.it.luc.edu.
- ================================================================================
- <2.2> America Online
- As of a few days ago, PGP is also available on America Online. If you have
- any specific information on where PGP is available on AOL, please send it to
- us; we'll include it in a future version of this document.
- <2.3> CompuServe
- Officially, it's not available on CompuServe, but try GO IBMFF and use the
- File Finder on the keyword PGP; usually some forum still has it sitting
- around, despite CIS's management trying their best to get rid of it.
- <2.4> InterNet
- If you're on the InterNet, the easiest way to dig up a copy of PGP is to ask
- an "archie" server for the location. Borrowing from Xenon's excellent
- directions, find yourself an InterNet account, and telnet over to
- archie.internic.net. Log in with a username of "archie", and at the prompt,
- type "prog pgp23a.zip". You'll get a list of sites and directories, a la:
- ================================================================================
- Host soda.berkeley.edu (128.32.149.19)
- Last updated 09:50 4 Nov 1993
- Location: /pub/cypherpunks/pgp
- FILE -rw-r--r-- 320168 bytes 08:09 3 Jul 1993 pgp23a.zip
- Host isy.liu.se (130.236.1.3)
- Last updated 08:14 3 Nov 1993
- Location: /pub/misc/pgp/2.3A
- FILE -rw-r--r-- 422851 bytes 10:58 19 Sep 1993 pgp23a.zip
- ================================================================================
- Close archie by typing "bye", then ftp to one of the above sites. Use
- "anonymous" for the user name, and your e-mail address as a password. Type
- "cd
- ", where
- is the directory listed in the archie listing for
- the site you're ftping to. Type "binary", which sets the binary mode on.
- Then type "get ", where is the filename listed by
- archie. Finally, type "bye" to get back to your email system.
- Get the file from your email system to your PC; this varies so much from
- site to site that you'll need somebody local to help.
- <2.5> Setting it up
- Once you've got it on your PC, unzip PGP into its own directory. You'll
- also need to set two environment variables for PGP to be happy. One, TZ,
- sets the time zone for the system; here are some examples from the PGP docs:
- For Amsterdam: SET TZ=MET-1DST
- For Arizona: SET TZ=MST7 (Arizona never uses daylight savings time)
- For Aukland: SET TZ=NZT-13
- For Chicago: SET TZ=CST6CDT
- For Denver: SET TZ=MST7MDT
- For London: SET TZ=GMT0BST
- For Los Angeles: SET TZ=PST8PDT
- For Moscow: SET TZ=MSK-3MSD
- For New York: SET TZ=EST5EDT
- Then set PGPPATH to the location you've unzipped PGP into; for example:
- SET PGPPATH=C:\PGP
- READ THE DOCS! What follows from here is a good way to get started, but
- there are a number of issues raised in the documentation that *must* be
- known for safe and reliable operation!
- Section 3 - Using It
- <3.1> Generating a Key
- PGP works on the principle of "public-key" encryption. This means that
- every key has two parts: a secret part you keep close to your heart, and a
- public part you scatter to the winds. The two have some mysterious,
- mathematical relationship that Einstein couldn't understand, but for our
- purposes all that matters is that the public part can decrypt things
- encrypted by the secret part, and vice versa. Thus, the first step in using
- PGP is to generate your key. Type:
- PGP -kg
- Select a key length; the bigger, the more secure. Most people use 1024
- bits, and it isn't that much slower. Following this, PGP will ask you for
- your user name. For example:
- Out and About
- |-----+-----| |----------+----------|
- | |
- | +----------+ Email Address, in <> brackets
- +-----------------------------+ User Name, plain text
- Please follow this pattern; since a lot of people are starting to use their
- PGP keyrings with their friend's PGP keys as their email directories,
- keeping things relatively constant is a Good Thing.
- It'll then ask you for a "pass phrase." This pass phrase is *very*
- important. What PGP does, to insure that your secret key is used only when
- authorized, is encrypt the secret key data with this "pass phrase," so that
- only if the pass phrase is known will the secret key work. As with most
- kinds of password, this should not be something easily guess. Differing
- from most passwords, though, is that this phrase can pretty much be any text
- you want, with long lengths encouraged. Use random characters interspersed
- with text, like hey1me$for*turkeys^clinton. Don't use famous quotations, or
- anything easily guessed, since this pass phrase is what keeps your secret
- key secure.
- The program will then want some number of random keystrokes. This probably
- sounds silly, but it's actually very important. Computers can generate
- pseudorandom numbers, but truly random numbers are impossible - computers
- are fancy calculators, and randomness comes hard. So, PGP wants some
- keystrokes - which it times - to derive some truly random numbers for
- generating the keys.
- Then it generates the key. Go have lunch while this is happening; it's
- probably the most boring interface yet come up with by any programmer,
- unless you enjoy periods and plus signs. A lot. Especially if you have a
- slow machine.
- Finally, PGP will beep, and you've got a public and a secret key, stored on,
- logically enough, a public and a secret keyring. Which, of course, brings
- us to keyrings.
- BUT WAIT!! Before you touch the next section, execute the following
- command:
- PGP -ks
- Where is some part of your user ID that you typed in above. You'll
- have to type in that damn pass phrase - you did remember it, didn't you? -
- and PGP will sign your key with your key. While this probably sounds
- redundant, it actually plays a very important part in assuring that your key
- remains unmolested. Nothing worse than molested keys ...
- <3.2> Keys & keyrings
- We mentioned keyrings above. Well, if you've got keys in real life,
- keyrings are a good place to put them. PGP keys aren't any different.
- PGP, by default, has two keyrings: public and secret. Since you've already
- generated a key pair, you've got one public and one secret key - the two
- matching parts of your key. These are stored on two keyrings; logically,
- there's a public one (stored in PUBRING.PGP), and a secret one (stored in
- SECRING.PGP). The public keyring also will eventually contain keys for your
- friends and such; the material on it is desiged for public distribution. The
- SECRING.PGP file, on the other hand, is *very* valuable. With that file and
- your pass phrase, anybody can sign documents with your "electronic"
- signature, and decrypt things sent to you. Don't let it out of your sight;
- while your pass phrase does protect the contents of the secret ring to a
- certain extent, keeping the file secure is just as important as keeping the
- pass phrase secret.
- Since public keys can be distributed freely, they can be obtained from
- keyservers (see below), among many other places. The PGP distribution
- includes one called KEYS.ASC, which includes the public keys of the authors
- of PGP. As a first exercise, let's add it to your public keyring with this
- command:
- PGP -ka KEYS.ASC
- PGP will ask if you want to certify any of the keys you've just added. Say
- "no"; certification means you know for sure that the key belongs to a user.
- If you later get keys from friends who hand them to you personally, you can
- say "yes" when you add their keys, telling PGP you know the keys really
- belong to who they claim to.
- To view the contents of your public keyring, use this:
- PGP -kv
- And wham! A list appears, one line for each key on your ring. You'll
- notice your key down at the bottom, along with a list of the authors. Each
- line starting with "pub" represents one distinct key; note that keys can
- have more than one name or email address attached to them.
- The anonymous key for the two of us can be found at the bottom of this
- document. You'll need it on your public keyring in order to verify this
- document in a later section. Save the chunk of text to a file, then tell
- PGP to add it with a similar command to what we used to add the authors'
- keys:
- PGP -ka
- Of course, you're not always going to be adding keys; you'll need to extract
- yours, as well as other people's when you sign them. To extract any public
- key from your keyring in the above format, use the command:
- PGP -kxa
- Where is some unique part of their name or email address. For example,
- to create a copy of your public key to pass around to your friends, type:
- PGP -kxa MYKEY.ASC
- Where is some part of the name or email address you used when creating
- the key. The file MYKEY.ASC - which will look very similar to our key above
- - can be easily put in email messages, text editors, posted on bulletin
- boards, everything. Distribute it far and wide; this will help prevent
- other people from trying to distribute fake public keys in your name.
- <3.3> Keyservers
- Keyservers are a muy bueno invention to spread public keys faster than the
- SR-71 used to fly. Basically, keyservers are a group of computers that
- maintain a massive (800+K, last I checked) public keyring with thousands of
- keys on it. You can query this server to get a specific person's public
- key, either to send something to them, or to verify one they've already sent
- to you. Here's some info, which shows regularly in alt.security.pgp. Check
- there for the latest info:
- ================================================================================
- Each keyserver processes requests in the form of mail messages. The
- commands for the server are entered on the Subject: line.
- To: pgp-public-keys@pgp.iastate.edu
- From: johndoe@some.site.edu
- Subject: help
- Sending your key to ONE server is enough. After it processes your
- key, it will forward your add request to other servers automagically.
- For example, to add your key to the keyserver, or to update your key if it is
- already there, send a message similar to the following to any server:
- To: pgp-public-keys@pgp.iastate.edu
- From: johndoe@some.site.edu
- Subject: add
- -----BEGIN PGP PUBLIC KEY BLOCK-----
- Version: 2.2
- -----END PGP PUBLIC KEY BLOCK-----
- COMPROMISED KEYS: Create a Key Revocation Certificate (read the PGP
- docs on how to do that) and mail your key to the server once again,
- with the ADD command.
- Valid commands are:
- Command Message body contains
- - - ---------------------- -------------------------------------------------
- ADD Your PGP public key (key to add is body of msg)
- INDEX List all PGP keys the server knows about (-kv)
- VERBOSE INDEX List all PGP keys, verbose format (-kvv)
- GET Get the whole public key ring (split)
- GET userid Get just that one key
- MGET regexp Get all keys which match /regexp/
- LAST days Get the keys updated in the last `days' days
- - - ------------------------------------------------------------------------
- Internet connected sites:
- pgp-public-keys@pgp.mit.edu
- Derek Atkins
- warlord@MIT.EDU
- FTP: pgp.mit.edu:/pub/keys/public-keys.pgp
- pgp-public-keys@phil.utmb.edu
- John Perry
- perry@phil.utmb.edu
- FTP: phil.utmb.edu:/pub/pgp/public-keys.pgp
- pgp-public-keys@demon.co.uk
- Mark Turner
- mark@demon.co.uk
- FTP: ftp.demon.co.uk:/pub/pgp/pubring.pgp
- ================================================================================
- <3.4> Signing
- By signing a key, you're stating to the world that you know that the key in
- fact does belong to the name shown. The benefit of this is that, if you
- know the "introducer" - the person who's signed a public key you're going to
- use - can be trusted with handling keys, then you don't necessarily have to
- verify the key itself. While this can easily descend into a complex tangle
- of what exactly qualifies as "signing," for the purposes of this
- introduction, you sign a key like this:
- PGP -ks
- You'll be prompted for your pass phrase - we honestly hope you've remembered
- that thing damn well by now - and PGP will "sign" the key for you. Then,
- extract that person's public key - which will now include your signature -
- and send it to them. They can add it to their public keyring, and they'll
- suddenly gain the benefit of your signature. This means that if they're
- communicating with somebody who doesn't know them, but knows you, the third
- person can use your signature to verify the key's validity.
- If somebody else signs your key and sends it back to you, use the PGP -ka
- command (mentioned above) to add the amended key back onto your public
- keyring. PGP will recognize that just a signature has been added, and will
- append that to your keyring, meaning that the next time you extract your
- public key, that signature will go along with it.
- To see signatures on your keyring, use a modified version of the view
- command we used before:
- PGP -kvv
- <3.5> Encrypting
- Heh. And you thought all we were ever going to talk about was keys and
- crap, right? You'll be happy to know that PGP is pretty good at its primary
- mission in life - encryption. The most simple form is this:
- PGP -e
- Where is the file to encrypt, and is the target user who's
- going to decode it. This'll create another file called .pgp, which is
- the encrypted text. Send it off, and the other user will be able to decode
- it. When you receive an encrypted file back, simply type:
- PGP
- And PGP will figure out that it needs to decrypt the file, and do so.
- Now, you think you're set, because you've encrypted a file, right? Well,
- there's only one flaw in this grand strategy: while only one person in the
- world can decrypt that file, that person won't have any assurance of where
- the file came from. That's where digital signatures come into the picture.
- A digital signature irrevocably identifies whatever you're sending as having
- come from you. A very nice thing to have. Best of all, it's easy as sin to
- do. Just add one character to the command line you used above:
- PGP -es
- You'll be prompted for your pass phrase (getting good at typing that in
- yet?), and then PGP will first sign the document with your secret key -
- allowing it to be verified with your public key on the other end - and then
- encrypting it with the other person's public key, so only their secret key
- can decrypt it.
- You can also just sign a document; this allows the document's source to be
- verified, without any sort of encryption. A good example is what you're
- reading right now. Save it to a file, and type:
- PGP
- Where, of course, is the name of the file you saved this document to.
- It'll work for a few seconds, then say (hopefully) it's got a good signature
- from us. It'll then produce a non-signed version, which contains the
- original message text; if the signature was good, that text is the same as
- what we originally put out, and you know it came from us.
- <3.6> Other useful commands
- There are two other commands you should probably know.
- First, there's the Radix-64 switch, which tells PGP to produce files which
- can be emailed, UUEncoded-style, through mail networks. To do this, you
- just add an "a" to whatever you're sending, a la:
- BEFORE: PGP -es example.txt Mary
- AFTER: PGP -esa example.txt Mary
- The output will be sent to example.asc; furthermore, it'll be convienently
- split into chunks the mailers can handle, it the file is long enough. We
- used this switch already, above, for extracting keys, since the ASCII
- format, for something the size of keys, is far more versatile than a binary
- representation.
- Second, there's clearsigning; this means you add your signature, but leave
- the document readable, which was what we did for this document. To do this:
- PGP -sta +clearsig
- Which will produce a file called .asc, containing the document, with a
- signature at the end.
- Section 4 - Miscellaneous
- <4.1> Legal Issues
- Oh yeah - PGP is illegal, at least if you live in the US and Canada. Why?
- PGP makes use of the RSA public-key algorithm, developed at MIT with tax
- dollars. The US Government then allowed a company out in California to
- patent this algorithm; thus, if you're using this product in the US or
- Canada, you're likely violating that patent. See the next section on how to
- get around this. Also, if you know anything about the situation, please
- send us email on how we can get the goverment to use tax dollars to develop
- technology, then hand exclusive implementation rights to us. This would be
- a most excellent thing to have happen.
- If you're out of the US or Canada, using PGP is not a problem, since the
- patent laws don't apply; just *don't ask a friend in the US or Canada to
- send you a copy*. Thanks to the US Government's enlightened export
- restrictions, PGP is considered to be munitions, meaning that you could get
- sacked with serious shit if you either import or export it to/from the US
- and/or Canada, including posting over the InterNet, or any other
- international information service. That's why Phil Zimmerman's being
- investigated by the San Jose customs office right now. Yep, our tax dollars
- hard at work.
- <4.2> ViaCrypt
- However, all is not lost for US users. A company called ViaCrypt in Arizona
- is selling a properly licensed version of PGP which, for all practical
- purposes, is completely compatible with v2.3a. Here's a small blurb:
- ================================================================================
- ViaCrypt, Inc., will begin shipping ViaCrypt PGP today, 1 November 1993.
- ViaCrypt PGP is a commercial public-key encryption package which is
- based on, and virtually identical with, the freeware program known as
- PGP, or `Pretty Good Privacy.' (The source code is in fact identical to
- that of the freeware version 2.3a of PGP, with the exception of the RSA
- encryption module, which is one ViaCrypt developed in-house after
- acquiring a license for the algorithm from PKPartners. In addition,
- ViaCrypt incorporates a few bug fixes. The private-key crypto algorithm
- is IDEA, as in freeware PGP, for which ViaCrypt has obtained a license
- from Ascom-Tech AG of Zurich.)
- ================================================================================
- Contact info:
- ViaCrypt
- 2104 W. Peoria Ave.
- Phoenix, AZ 85029 USA
- 602-944-0773 (Voice)
- 602-943-2601 (FAX)
- 70304.41@compuserve.com (Netmail)
- <4.3> Version History
- 93/11/28 v1.0 Initial Version
- <4.4> Everything Else
- Please let us know if you find any problems with this document or have any
- questions about it; we can be reached at an50928@anon.penet.fi as long as
- that anonymous server remains up. Let's hope it does, because otherwise
- you'll have one damn hell of a time finding us. If this document helps you,
- by all means pass it on to every person you know, and maybe a few you don't.
- Post it on lots of BBSs, all over the place, ad naseum. Tell everybody you
- know to start using PGP, because the more people use PGP, the less we all
- have to worry about a President Orwell.
- ================================================================================
- Contents Copyright (C) 1993 by Out and About. Assuming you could figure out
- who and where we are, that might mean something, but hey ...
- - -----BEGIN PGP SIGNATURE-----
- Version: 2.3a
- iQCVAgUBLPgwgXv2tR+FRQuZAQFBvgP/c5VY0QBkZhOZhFGH1lfpCpfc/tT6FrNw
- dae81c049wNj4jORq1eodm2pn8ObgrmK6qb5CQS2CST27fBD1wtnGvyyisvfYtqa
- yaYs2qBBEwkURZI7M6kjCdL1snaQ14ScfYLQiBH0jqle+uORsHeke429NG0fr6oa
- zVlyOqFvMQs=
- =Hl80
- - -----END PGP SIGNATURE-----
- Here's our key:
- - -----BEGIN PGP PUBLIC KEY BLOCK-----
- Version: 2.3a
- mQCNAiztdHkAAAEEAL3VO4LItnVBwLGZi6Hux2MoWkpqDE4gZtSGu2NAgE6zaT+6
- B8NibIwCPxL+8qfeS36BqvZ3GbSOI0SJldUc9sXZeNHsB7RnLgUTmA9mLoaDeL7k
- IHXKpk2uc1CuzLawaY9WDflnntumfhD7p7JReoI7/PZPSzR813v2tR+FRQuZAAUR
- tCVPdXQgYW5kIEFib3V0IDxhbjUwOTI4QGFub24ucGVuZXQuZmk+iQCVAgUQLO12
- SXv2tR+FRQuZAQELzgP9FADqM3zy7P8BxPFK7oIxlf8+e1TtYmM1aA+1zHeu0kp9
- Sxk5IgydAZmBCVihu78V+oaG+7+gTwqCc3MHJoEpmsrK+E6hsZYW1EWW4tUDisRe
- uSICYLOdqaWOGzIdBXJX3NZEYyA4bv7dHd+VEESNQrDbQDqHD7+tLVwQtqZEQ5o=
- =QQEg
- - -----END PGP PUBLIC KEY BLOCK-----
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement