Pretty Good Privacy (PGP)

Contents

• Introduction
• Encrypting a File
• Decrypting a File
• Managing Keyrings
  • Generating Your Public/Private Key Pair
  • Publishing Your Public Key
  • Adding People to Your Public Keyring
  • Viewing Your Public Keyring
• Using PGP with Pine
• Using PGP with Elm
• Terms and Stuff

Introduction

PGP (Pretty Good Privacy) is a public key encryption package to protect E-mail and data files. It lets you communicate securely with people you've never met, with no secure channels needed for prior exchange of keys. It's well featured and fast, with sophisticated key management, digital signatures, data compression, and good ergonomic design. If you really want to learn how to use it properly, it's best to read the full documentation that comes with the system located at turing:/usr/local/src/pgp262/doc/pgpdoc[12].txt. This is a "quick start" guide and reference manual; it is necessarily incomplete, and assumes you are already familiar with most of the basic concepts, including the concepts behind public key cryptography.

Encrypting a file

There are a couple of ways to encrypt a file using pgp. If you just want to protect your data from prying eyes this can be done by incanting pgp -c <some file> on the command line. The pgp program will ask you to provide and verify a pass phrase and will then encrypt the file using standard cryptographic techniques and save it as <some file>.pgp. Don't forget your pass phrase! If you forget it there is absolutely no way to decrypt your file.

The second way to encrypt a file is appropriate if you are sending a message to someone and you have their public key. This can be done by incanting pgp -ea <some file> userid on the command line, where userid is the id of the person you are sending the message to (see Managing Keyrings for more information on public keys and ids). This produces a file <some file>.asc which can only be decrypted by the recipient. This file is in ASCII radix-64 format and is suitable for transmission via email.

You may also wish to sign files when encrypting them so that their recipients know that you are the originator of the files. To sign a file when you encrypt it incant pgp -eas <some file> userid on the command line. This will produce a file <some file>.asc in ASCII radix-64 format which, in addition to being encrypted, has also been signed using your private key. Anyone with your public key may now verify that you are the originator of the file.

Decrypting a File

To decrypt a file simply incant pgp <some file> on the command line. Pgp takes care of the rest, looking up public keys and private keys from your keyring as necessary. If necessary pgp will prompt you for your secret key pass phrase to decrypt the file. Providing the appropriate pass phrase will result in pgp supplying you with the decrypted file.

Managing Keyrings

Generating Your Public/Private Key Pair

This first thing you need to do is to generate your private/public key pair. This is done by incanting pgp -kg. Pgp will then prompt you for the size of key you want... the bigger the key the stronger the encryption. If you are running pgp on Turing there is no reason not to choose military grade encryption. The military strength key is 1024 bits in length, making it virtually impossible to crack by brute force. If you are running pgp on slower machines you can still choose military grade encryption but it will slow things down. If you find the slowdown intolerable you can always use one of the commercial grades of encryption instead.

After choosing the size of your key you will be asked to supply a user ID. I recommend using your full name and email address as this makes it less likely that people will sign messages using the wrong key. For instance, my id is Glenn Gebhart <glenn@turing.cs.hmc.edu>

Pgp will then ask you to supply a pass phrase for use with your secret key. Remember your pass phrase! The passphrase is used to ensure that only you can sign messages with your secret key or decode messages which are coming to you.

The last step is the actual key generation. Because this needs to be a random process (if it weren't people could reverse-engineer the process and make encryption meaningless) pgp will ask you to type random text for awhile. It uses the intervals between keystrokes to generate really big random numbers from which your public/private key pair are derived. So type away, and when you've typed enough pgp wil generate your public/private key pair and stick each on the appropriate keyring.

Publishing Your Public Key

Probably the first thing you'll want to do after you've generated your private/public key pair is to publish you public key. First you'll need to get an easily transportable copy of your public key. To do this incant pgp -kxa on the command line. Pgp will ask you to supply a user id and a filename. For the user id type in the id you suplied when generating your public/private key pair (i.e I would type Glenn Gebhart). After supplying the user id and filename pgp will save your public key to the file you specified in ASCII radix-64 format.

After that its really up to you how you publish your key. Some people put their key in their .signature files so that all outgoing email/Usenet messages have a copy of their key. I put my key in my .plan file so when people finger glenn@turing.cs.hmc.edu they can get a copy of my key.

Adding People to Your Public Key Ring

Start by getting a copy of the person's public key. The easiest way to do this is to figure out how/where they are publishing it and just snag a copy (see Publishing Your Public Key for ideas on where you might be able to get a copy). Once you have a copy of the public key handy just incant pgp -ka <keyfile> on the command line, where <keyfile> is the file containing the public key.

Viewing Your Public Keyring

To view the contents of your public keyring simply incant pgp -kv on the commandline. This will show you all the people whose public key you have. This is especially useful for when you want to send someone a message but can't remember their ID.

Using PGP with Pine

Pine has built in filtering capabilities which can be used to automate pgp activity. To get pgp to work with pine follow these simple steps:

1. Launch pine
2. From the main menu hit 's' and then 'c'. This will take you to pine's setup menu
3. Find and highlight the display-filters line
4. Hit 'a' and add the following line verbatim: _LEADING("-----BEGIN PGP")_ /usr/local/bin/pgp_display.csh. When you receive a pgp-encrypted message this filter will be trigger. It will prompt you for you pass phrase if necessary and then the unencrypted text will be displayed in pine as normal.
5. Find and highlight the sending-filters line.
6. Hit 'a' and add the following line verbatim: /usr/local/bin/pgp -feast _RECIPIENTS_. From now on you will have the option to send mail using pgp.
7. Hit 'e' to exit and they 'y' to confirm the changes you made.

Receiving encrypted mail is a no-brainer. Just supply your pass phrase when you are prompted. Sending mail is a little more complicated. Once you are done composing a message you will see a line that says "Send mail (unfiltered)?" If you hit return the mail will be sent without using pgp. This should be used if you don't have a public key for one or more of your recipients. If you have public keys for all of your recipients then hit ^n until the line reads "Send mail (pgp)?". At this point hit return or answer yes and you will send out signed and encrypted mail to all recipients.

You'll have problems if the address you are sending to can't be matched to any of the user ids in your public key ring even if you have a public key for that person. I haven't been able to figure out a workaround for this so you'll just have to be careful in choosing the addresses you send to.

Using PGP With Elm

We have a version of elm on Turing which has pgp functions. To enable these function first follow the directions below:

1. Get a copy of /usr/local/src/elm2.4.ME+.43/doc/elmrc.samp and rename it to ~/.elmrc
2. Append the following lines to the bottom of ~/.elmrc
   • showpgppreamble = ON
   • usepgppass = ON
   • pgp = /usr/local/bin/pgp

Now you can actually use elm with pgp support. First lauch the pgp-enabled version of elm by incanting elm-pgp on the command line. Messages which are pgp encoded will show up with a 'P' next to them when you are viewing your mailbox. To read these messages highlight them and press return as per normal. You will be prompted to supply your pass phrase. Having done so you will be able to read the message as usual.

To send pgp encrypted messages start by composing the message in the normal fashion. When you get to:

    Please choose one of the following options by parenthesized letter:
                  e)dit message, edit h)eaders, s)end it, or f)orget it. 
    

Hit 'p'. This will bring up the pgp menu which will offer you options to encrypt and/or sign the message. Choose the appropriate option and then correct the "To:" field if necessary. If you chose to sign the message you will be prompted for you pass phrase. Supply the pass phrase as normal and you will be returned to the edit/send/forget prompt. From here you can send the message.

Terms and Such

decrypt

The reverse of encrypt

encrypt

To scramble a message in a hopelessly complicated way, rendering it unreadable to anyone except the intended recipient of the message.

private key

One of two keys used in public key cryptosystems. This key is known only to the user and can be used to sign outgoing messages and decrypt incoming messages.

public key

The other key used in public key cryptosystems. This key can be published and widely disseminated across a communications network and is to encrypt messages for the key's owner.

Copyright (c) HMC Computer Science Department. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled ``GNU Free Documentation License.''