PGP Startup Guide - DOS Version
v1.0
(93/11/28)
Out and About
================================================================================
Contents
========
Section 1 - Intro
<1.0> What the hell is this document?
<1.1> What the hell is PGP?
Section 2 - Obtaining It
<2.1> BBSs
<2.2> America Online
<2.3> CompuServe
<2.4> InterNet
<2.5> Setting it up
Section 3 - Using It
<3.1> Generating a Key
<3.2> Keys & keyrings
<3.3> Keyservers
<3.4> Signing
<3.5> Encrypting
<3.6> Other useful commands
Section 4 - Miscellaneous
<4.1> Legal Issues
<4.2> ViaCrypt
<4.3> Version History
<4.4> Everything Else
================================================================================
Section 1 - Intro
<1.0> What the hell is this document?
This document is an intro to PGP on MS-DOS machines. It's designed for a
first-time user of PGP, and will get them through finding the program;
getting the program; and, finally, using the program in a basic way. In
other words, a good way to get more people using PGP.
<1.1> What the hell is PGP?
PGP is a cryptography system that allows you to send data to other people
with what amounts to excellent security. The important point about PGP,
though, is that you never have to meet the person you're sending encrypted
information to. This might not make sense at first, but this capability is
essential to the benefits PGP can provide.
Traditional encryption techniques have one key. The two people meet first,
and exchange this key; then, afterwards, one encrypts the data with the key,
sends it to the other person, who uses the same key to decrypt it. Simple,
eh?
Well, PGP can do that, but it can also do something else, called public-key
encryption. This means that you encrypt a document with somebody's "public
key" - which is freely distributed - and *only they* will be able to decrypt
it, with their corresponding private key. Nobody else can. Not even you,
right after you've encrypted it with their public key.
Some people may wonder why PGP is necessary. Some people probably don't
care. However, the two of us work remote in a distributed environment - our
modems are our connection to the office, and anytime we're sending sensitive
data through any kind of network, we're risking somebody else grabbing a
copy. With PGP, that's no longer an issue.
Additionally, we're always sure that documents come from where they were
supposed to, since it's impossible to forge the digital "signatures" that
PGP creates. For example, nobody knows who the two of us really are - the
anonymous server takes care of that. However, once you've got our public
key, you'll know that anything verified by that key came from us - without
ever meeting either of us. Thus, by coupling the anonymity of the InterNet
and the authentication of PGP, we can be anonymous, yet readily - and
reliably - identified. Cool, eh?
The only potential problems with public-key systems is verifying the public
keys you have; see below, as well as the PGP documentation, for help on
this.
Section 2 - Obtaining It
<2.1> BBSs
PGP is probably available on some local BBSs in your area. If your local
BBS lacks it, here's some info from the PGP docs:
================================================================================
The GRAPEVINE BBS in Little Rock Arkansas has set up a special
account for people to download PGP for free. The SYSOP is Jim Wenzel,
at jim.wenzel@grapevine.lrk.ar.us. The following phone numbers are
applicable and should be dialed in the order presented (i.e., the
first one is the highest speed line): (501) 753-6859, (501)
753-8121, (501) 791-0124. When asked to login use the following
information:
name: PGP USER ('PGP' is 1st name, 'USER' is 2nd name)
password: PGP
PGP is also widely available on Fidonet, a large informal network of
PC-based bulletin board systems interconnected via modems. Check
your local bulletin board systems. It is available on many foreign
and domestic Fidonet BBS sites.
In New Zealand, try this (supposedly free) dial-up BBS system:
Kappa Crucis: +64 9 817-3714, -3725, -3324, -8424, -3094, -3393
Source and binary distributions of PGP are available from the Canadian
Broadcasting Corporation library, which is open to the public. It has
branches in Toronto, Montreal, and Vancouver. Contact Max Allen, at
+1 416 205-6017 if you have questions.
For information on PGP implementations on the Apple Macintosh,
Commodore Amiga, or Atari ST, or any other questions about where to
get PGP for any other platform, contact Hugh Miller at
hmiller@lucpul.it.luc.edu.
================================================================================
<2.2> America Online
As of a few days ago, PGP is also available on America Online. If you have
any specific information on where PGP is available on AOL, please send it to
us; we'll include it in a future version of this document.
<2.3> CompuServe
Officially, it's not available on CompuServe, but try GO IBMFF and use the
File Finder on the keyword PGP; usually some forum still has it sitting
around, despite CIS's management trying their best to get rid of it.
<2.4> InterNet
If you're on the InterNet, the easiest way to dig up a copy of PGP is to ask
an "archie" server for the location. Borrowing from Xenon's excellent
directions, find yourself an InterNet account, and telnet over to
archie.internic.net. Log in with a username of "archie", and at the prompt,
type "prog pgp23a.zip". You'll get a list of sites and directories, a la:
================================================================================
Host soda.berkeley.edu (128.32.149.19)
Last updated 09:50 4 Nov 1993
Location: /pub/cypherpunks/pgp
FILE -rw-r--r-- 320168 bytes 08:09 3 Jul 1993 pgp23a.zip
Host isy.liu.se (130.236.1.3)
Last updated 08:14 3 Nov 1993
Location: /pub/misc/pgp/2.3A
FILE -rw-r--r-- 422851 bytes 10:58 19 Sep 1993 pgp23a.zip
================================================================================
Close archie by typing "bye", then ftp to one of the above sites. Use
"anonymous" for the user name, and your e-mail address as a password. Type
"cd
", where
is the directory listed in the archie listing for
the site you're ftping to. Type "binary", which sets the binary mode on.
Then type "get ", where is the filename listed by
archie. Finally, type "bye" to get back to your email system.
Get the file from your email system to your PC; this varies so much from
site to site that you'll need somebody local to help.
<2.5> Setting it up
Once you've got it on your PC, unzip PGP into its own directory. You'll
also need to set two environment variables for PGP to be happy. One, TZ,
sets the time zone for the system; here are some examples from the PGP docs:
For Amsterdam: SET TZ=MET-1DST
For Arizona: SET TZ=MST7 (Arizona never uses daylight savings time)
For Aukland: SET TZ=NZT-13
For Chicago: SET TZ=CST6CDT
For Denver: SET TZ=MST7MDT
For London: SET TZ=GMT0BST
For Los Angeles: SET TZ=PST8PDT
For Moscow: SET TZ=MSK-3MSD
For New York: SET TZ=EST5EDT
Then set PGPPATH to the location you've unzipped PGP into; for example:
SET PGPPATH=C:\PGP
READ THE DOCS! What follows from here is a good way to get started, but
there are a number of issues raised in the documentation that *must* be
known for safe and reliable operation!
Section 3 - Using It
<3.1> Generating a Key
PGP works on the principle of "public-key" encryption. This means that
every key has two parts: a secret part you keep close to your heart, and a
public part you scatter to the winds. The two have some mysterious,
mathematical relationship that Einstein couldn't understand, but for our
purposes all that matters is that the public part can decrypt things
encrypted by the secret part, and vice versa. Thus, the first step in using
PGP is to generate your key. Type:
PGP -kg
Select a key length; the bigger, the more secure. Most people use 1024
bits, and it isn't that much slower. Following this, PGP will ask you for
your user name. For example:
Out and About
|-----+-----| |----------+----------|
| |
| +----------+ Email Address, in <> brackets
+-----------------------------+ User Name, plain text
Please follow this pattern; since a lot of people are starting to use their
PGP keyrings with their friend's PGP keys as their email directories,
keeping things relatively constant is a Good Thing.
It'll then ask you for a "pass phrase." This pass phrase is *very*
important. What PGP does, to insure that your secret key is used only when
authorized, is encrypt the secret key data with this "pass phrase," so that
only if the pass phrase is known will the secret key work. As with most
kinds of password, this should not be something easily guess. Differing
from most passwords, though, is that this phrase can pretty much be any text
you want, with long lengths encouraged. Use random characters interspersed
with text, like hey1me$for*turkeys^clinton. Don't use famous quotations, or
anything easily guessed, since this pass phrase is what keeps your secret
key secure.
The program will then want some number of random keystrokes. This probably
sounds silly, but it's actually very important. Computers can generate
pseudorandom numbers, but truly random numbers are impossible - computers
are fancy calculators, and randomness comes hard. So, PGP wants some
keystrokes - which it times - to derive some truly random numbers for
generating the keys.
Then it generates the key. Go have lunch while this is happening; it's
probably the most boring interface yet come up with by any programmer,
unless you enjoy periods and plus signs. A lot. Especially if you have a
slow machine.
Finally, PGP will beep, and you've got a public and a secret key, stored on,
logically enough, a public and a secret keyring. Which, of course, brings
us to keyrings.
BUT WAIT!! Before you touch the next section, execute the following
command:
PGP -ks
Where is some part of your user ID that you typed in above. You'll
have to type in that damn pass phrase - you did remember it, didn't you? -
and PGP will sign your key with your key. While this probably sounds
redundant, it actually plays a very important part in assuring that your key
remains unmolested. Nothing worse than molested keys ...
<3.2> Keys & keyrings
We mentioned keyrings above. Well, if you've got keys in real life,
keyrings are a good place to put them. PGP keys aren't any different.
PGP, by default, has two keyrings: public and secret. Since you've already
generated a key pair, you've got one public and one secret key - the two
matching parts of your key. These are stored on two keyrings; logically,
there's a public one (stored in PUBRING.PGP), and a secret one (stored in
SECRING.PGP). The public keyring also will eventually contain keys for your
friends and such; the material on it is desiged for public distribution. The
SECRING.PGP file, on the other hand, is *very* valuable. With that file and
your pass phrase, anybody can sign documents with your "electronic"
signature, and decrypt things sent to you. Don't let it out of your sight;
while your pass phrase does protect the contents of the secret ring to a
certain extent, keeping the file secure is just as important as keeping the
pass phrase secret.
Since public keys can be distributed freely, they can be obtained from
keyservers (see below), among many other places. The PGP distribution
includes one called KEYS.ASC, which includes the public keys of the authors
of PGP. As a first exercise, let's add it to your public keyring with this
command:
PGP -ka KEYS.ASC
PGP will ask if you want to certify any of the keys you've just added. Say
"no"; certification means you know for sure that the key belongs to a user.
If you later get keys from friends who hand them to you personally, you can
say "yes" when you add their keys, telling PGP you know the keys really
belong to who they claim to.
To view the contents of your public keyring, use this:
PGP -kv
And wham! A list appears, one line for each key on your ring. You'll
notice your key down at the bottom, along with a list of the authors. Each
line starting with "pub" represents one distinct key; note that keys can
have more than one name or email address attached to them.
The anonymous key for the two of us can be found at the bottom of this
document. You'll need it on your public keyring in order to verify this
document in a later section. Save the chunk of text to a file, then tell
PGP to add it with a similar command to what we used to add the authors'
keys:
PGP -ka
Of course, you're not always going to be adding keys; you'll need to extract
yours, as well as other people's when you sign them. To extract any public
key from your keyring in the above format, use the command:
PGP -kxa
Where is some unique part of their name or email address. For example,
to create a copy of your public key to pass around to your friends, type:
PGP -kxa MYKEY.ASC
Where is some part of the name or email address you used when creating
the key. The file MYKEY.ASC - which will look very similar to our key above
- can be easily put in email messages, text editors, posted on bulletin
boards, everything. Distribute it far and wide; this will help prevent
other people from trying to distribute fake public keys in your name.
<3.3> Keyservers
Keyservers are a muy bueno invention to spread public keys faster than the
SR-71 used to fly. Basically, keyservers are a group of computers that
maintain a massive (800+K, last I checked) public keyring with thousands of
keys on it. You can query this server to get a specific person's public
key, either to send something to them, or to verify one they've already sent
to you. Here's some info, which shows regularly in alt.security.pgp. Check
there for the latest info:
================================================================================
Each keyserver processes requests in the form of mail messages. The
commands for the server are entered on the Subject: line.
To: pgp-public-keys@pgp.iastate.edu
From: johndoe@some.site.edu
Subject: help
Sending your key to ONE server is enough. After it processes your
key, it will forward your add request to other servers automagically.
For example, to add your key to the keyserver, or to update your key if it is
already there, send a message similar to the following to any server:
To: pgp-public-keys@pgp.iastate.edu
From: johndoe@some.site.edu
Subject: add
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.2
-----END PGP PUBLIC KEY BLOCK-----
COMPROMISED KEYS: Create a Key Revocation Certificate (read the PGP
docs on how to do that) and mail your key to the server once again,
with the ADD command.
Valid commands are:
Command Message body contains
- - ---------------------- -------------------------------------------------
ADD Your PGP public key (key to add is body of msg)
INDEX List all PGP keys the server knows about (-kv)
VERBOSE INDEX List all PGP keys, verbose format (-kvv)
GET Get the whole public key ring (split)
GET userid Get just that one key
MGET regexp Get all keys which match /regexp/
LAST days Get the keys updated in the last `days' days
- - ------------------------------------------------------------------------
Internet connected sites:
pgp-public-keys@pgp.mit.edu
Derek Atkins
warlord@MIT.EDU
FTP: pgp.mit.edu:/pub/keys/public-keys.pgp
pgp-public-keys@phil.utmb.edu
John Perry
perry@phil.utmb.edu
FTP: phil.utmb.edu:/pub/pgp/public-keys.pgp
pgp-public-keys@demon.co.uk
Mark Turner
mark@demon.co.uk
FTP: ftp.demon.co.uk:/pub/pgp/pubring.pgp
================================================================================
<3.4> Signing
By signing a key, you're stating to the world that you know that the key in
fact does belong to the name shown. The benefit of this is that, if you
know the "introducer" - the person who's signed a public key you're going to
use - can be trusted with handling keys, then you don't necessarily have to
verify the key itself. While this can easily descend into a complex tangle
of what exactly qualifies as "signing," for the purposes of this
introduction, you sign a key like this:
PGP -ks
You'll be prompted for your pass phrase - we honestly hope you've remembered
that thing damn well by now - and PGP will "sign" the key for you. Then,
extract that person's public key - which will now include your signature -
and send it to them. They can add it to their public keyring, and they'll
suddenly gain the benefit of your signature. This means that if they're
communicating with somebody who doesn't know them, but knows you, the third
person can use your signature to verify the key's validity.
If somebody else signs your key and sends it back to you, use the PGP -ka
command (mentioned above) to add the amended key back onto your public
keyring. PGP will recognize that just a signature has been added, and will
append that to your keyring, meaning that the next time you extract your
public key, that signature will go along with it.
To see signatures on your keyring, use a modified version of the view
command we used before:
PGP -kvv
<3.5> Encrypting
Heh. And you thought all we were ever going to talk about was keys and
crap, right? You'll be happy to know that PGP is pretty good at its primary
mission in life - encryption. The most simple form is this:
PGP -e
Where is the file to encrypt, and is the target user who's
going to decode it. This'll create another file called .pgp, which is
the encrypted text. Send it off, and the other user will be able to decode
it. When you receive an encrypted file back, simply type:
PGP
And PGP will figure out that it needs to decrypt the file, and do so.
Now, you think you're set, because you've encrypted a file, right? Well,
there's only one flaw in this grand strategy: while only one person in the
world can decrypt that file, that person won't have any assurance of where
the file came from. That's where digital signatures come into the picture.
A digital signature irrevocably identifies whatever you're sending as having
come from you. A very nice thing to have. Best of all, it's easy as sin to
do. Just add one character to the command line you used above:
PGP -es
You'll be prompted for your pass phrase (getting good at typing that in
yet?), and then PGP will first sign the document with your secret key -
allowing it to be verified with your public key on the other end - and then
encrypting it with the other person's public key, so only their secret key
can decrypt it.
You can also just sign a document; this allows the document's source to be
verified, without any sort of encryption. A good example is what you're
reading right now. Save it to a file, and type:
PGP
Where, of course, is the name of the file you saved this document to.
It'll work for a few seconds, then say (hopefully) it's got a good signature
from us. It'll then produce a non-signed version, which contains the
original message text; if the signature was good, that text is the same as
what we originally put out, and you know it came from us.
<3.6> Other useful commands
There are two other commands you should probably know.
First, there's the Radix-64 switch, which tells PGP to produce files which
can be emailed, UUEncoded-style, through mail networks. To do this, you
just add an "a" to whatever you're sending, a la:
BEFORE: PGP -es example.txt Mary
AFTER: PGP -esa example.txt Mary
The output will be sent to example.asc; furthermore, it'll be convienently
split into chunks the mailers can handle, it the file is long enough. We
used this switch already, above, for extracting keys, since the ASCII
format, for something the size of keys, is far more versatile than a binary
representation.
Second, there's clearsigning; this means you add your signature, but leave
the document readable, which was what we did for this document. To do this:
PGP -sta +clearsig
Which will produce a file called .asc, containing the document, with a
signature at the end.
Section 4 - Miscellaneous
<4.1> Legal Issues
Oh yeah - PGP is illegal, at least if you live in the US and Canada. Why?
PGP makes use of the RSA public-key algorithm, developed at MIT with tax
dollars. The US Government then allowed a company out in California to
patent this algorithm; thus, if you're using this product in the US or
Canada, you're likely violating that patent. See the next section on how to
get around this. Also, if you know anything about the situation, please
send us email on how we can get the goverment to use tax dollars to develop
technology, then hand exclusive implementation rights to us. This would be
a most excellent thing to have happen.
If you're out of the US or Canada, using PGP is not a problem, since the
patent laws don't apply; just *don't ask a friend in the US or Canada to
send you a copy*. Thanks to the US Government's enlightened export
restrictions, PGP is considered to be munitions, meaning that you could get
sacked with serious shit if you either import or export it to/from the US
and/or Canada, including posting over the InterNet, or any other
international information service. That's why Phil Zimmerman's being
investigated by the San Jose customs office right now. Yep, our tax dollars
hard at work.
<4.2> ViaCrypt
However, all is not lost for US users. A company called ViaCrypt in Arizona
is selling a properly licensed version of PGP which, for all practical
purposes, is completely compatible with v2.3a. Here's a small blurb:
================================================================================
ViaCrypt, Inc., will begin shipping ViaCrypt PGP today, 1 November 1993.
ViaCrypt PGP is a commercial public-key encryption package which is
based on, and virtually identical with, the freeware program known as
PGP, or `Pretty Good Privacy.' (The source code is in fact identical to
that of the freeware version 2.3a of PGP, with the exception of the RSA
encryption module, which is one ViaCrypt developed in-house after
acquiring a license for the algorithm from PKPartners. In addition,
ViaCrypt incorporates a few bug fixes. The private-key crypto algorithm
is IDEA, as in freeware PGP, for which ViaCrypt has obtained a license
from Ascom-Tech AG of Zurich.)
================================================================================
Contact info:
ViaCrypt
2104 W. Peoria Ave.
Phoenix, AZ 85029 USA
602-944-0773 (Voice)
602-943-2601 (FAX)
70304.41@compuserve.com (Netmail)
<4.3> Version History
93/11/28 v1.0 Initial Version
<4.4> Everything Else
Please let us know if you find any problems with this document or have any
questions about it; we can be reached at an50928@anon.penet.fi as long as
that anonymous server remains up. Let's hope it does, because otherwise
you'll have one damn hell of a time finding us. If this document helps you,
by all means pass it on to every person you know, and maybe a few you don't.
Post it on lots of BBSs, all over the place, ad naseum. Tell everybody you
know to start using PGP, because the more people use PGP, the less we all
have to worry about a President Orwell.
================================================================================
Contents Copyright (C) 1993 by Out and About. Assuming you could figure out
who and where we are, that might mean something, but hey ...
- -----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQCVAgUBLPgwgXv2tR+FRQuZAQFBvgP/c5VY0QBkZhOZhFGH1lfpCpfc/tT6FrNw
dae81c049wNj4jORq1eodm2pn8ObgrmK6qb5CQS2CST27fBD1wtnGvyyisvfYtqa
yaYs2qBBEwkURZI7M6kjCdL1snaQ14ScfYLQiBH0jqle+uORsHeke429NG0fr6oa
zVlyOqFvMQs=
=Hl80
- -----END PGP SIGNATURE-----
Here's our key:
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a
mQCNAiztdHkAAAEEAL3VO4LItnVBwLGZi6Hux2MoWkpqDE4gZtSGu2NAgE6zaT+6
B8NibIwCPxL+8qfeS36BqvZ3GbSOI0SJldUc9sXZeNHsB7RnLgUTmA9mLoaDeL7k
IHXKpk2uc1CuzLawaY9WDflnntumfhD7p7JReoI7/PZPSzR813v2tR+FRQuZAAUR
tCVPdXQgYW5kIEFib3V0IDxhbjUwOTI4QGFub24ucGVuZXQuZmk+iQCVAgUQLO12
SXv2tR+FRQuZAQELzgP9FADqM3zy7P8BxPFK7oIxlf8+e1TtYmM1aA+1zHeu0kp9
Sxk5IgydAZmBCVihu78V+oaG+7+gTwqCc3MHJoEpmsrK+E6hsZYW1EWW4tUDisRe
uSICYLOdqaWOGzIdBXJX3NZEYyA4bv7dHd+VEESNQrDbQDqHD7+tLVwQtqZEQ5o=
=QQEg
- -----END PGP PUBLIC KEY BLOCK-----