EFH Pretty Good Privacy Workshop
This is material is out of date.
Table of Contents
Introduction
Electronic Frontiers Houston
Presents:
Pretty Good Privacy
(PGP)
Workshop
How to use Pretty Good Privacy
Paul Elliott
pelliott@BlackPatchPanel.com
PMB 181, 11900 Metric Blvd Ste J. Austin TX 78758-3117 (512)837-1096
It has become apparent that the data super highway is not safe. Messages
traveling the data highway can be hijacked by sinister data interlopers.
After six months of unpaid labor, in June, 1991 Philip Zimmermann released
his controversial freeware program Pretty Good Privacy (PGP). Just as Prometheus'
liver was eternally chewed by eagles for the crime of bringing fire to
mankind, Philip Zimmermann's liver was chewed by the Federal Eagle (The
U.S. Custom Service) for the alleged crime of releasing strong cryptography
to the world.
As a result of Philip Zimmermann's contribution, you can use the widely
available freeware program PGP to send electronic-mail messages to anyone
in the world, in complete privacy! In addition you can send authentication
with your messages so that the recipient can verify that the message really
came from you. You can encrypt sensitive files on your computer so that
the files remain private even if your computer and disks are stolen.
On January 14 1995, at 3:00 PM at the offices of South Coast Computing
in Houston, Texas, the Electronic Frontiers Houston and Paul Elliott presented
a Free Cryptography Workshop: How to use Pretty Good Privacy (PGP).
This workshop was designed to teach people how to use PGP effectively.
This document summarizes that workshop.
The History and Philosophy of PGP
History before PGP
In the beginning, nobody needed encryption, because no one could write!
Then, after many years of struggle, writing was invented! But there was
still no problem, because only the rulers and their trusted servants could
read or write. But, as time went on, more and more people learned to read,
and there began to be a problem with written communications, in that if
someone hostile intercepted a written document, they could read it!
This began a war between the people trying to find ever more complicated,
neat ways of scrambling messages and the people trying to figure out ways
of descrambling them. Sometimes the people scrambling messages would win,
and sometimes the people descrambling messages would win. As time went
on, this war over ciphers became intertwined with regular wars, and things
got interesting! In spite of cryptography's use in wars, cryptography
was
invented by civilians.
And it was used by civilians through out its
history.
Anyhow, the first ciphers were single key or conventional
ciphers.In
single key ciphers, there is one key that must be used by both the sender
to encrypt, and by the recipient to decrypt. The message can be decrypted
by anyone who possess this key. This leads to the key
distribution problem.There
must be some way to insure that both the sender and the recipient have
the same key. Care must be taken so that unwanted parties do not posses
this key. It is necessary to have some kind of secure channel to accomplish
this. The problem with secure channels is that they are difficult to establish
and that people are always trying to compromise them.
Then Rivest, Shamir, and Aldeman invented Public
Key Cryptographyand
the algorithm that bears their name, RSA.
The
RSA algorithm is based on the mathematics of exponentiation.
In this scheme, there are two keys, an encryption or public
key and a decryption or secret key. The Recipient creates
both keys. The encryption key is published. The decryption key is kept
secret. Thus, anyone can encrypt and send a message to the recipient, but
only the recipient can decrypt. This encryption scheme solves the key distribution
problem, since the only key that the sender needs can be published without
compromising the messages. It can be sent via any unsecured channel.
PGP is a hybrid program
Now, from your point of view of as a user of PGP, PGP behaves as if it
were a Public Key Encryption program. A you create a secret/public key
pair and publishes the public key. But internally, PGP
is a hybrid encryption program.When
PGP encrypts a file, it creates a random conventional encryption
key. It sends that key to the recipient using a header block that is encrypted
using
RSA public key encryption. Thus RSA serves as the secure
channel which is used to transmit a conventional key, solving the key
distribution problem. The bulk of the message is encrypted using a conventional
cipher, IDEA. PGP uses this scheme because
RSA encryption
is very slow, so that if the whole message were encrypted with RSA
then PGP would be too slow. IDEA is thought to be a stronger encryption
method than
RSA so this scheme does not weaken PGP.
Now, PGP stores keys in keyrings. Usually, public keys are stored
in a file called
pubring.pgp and secret keys are stored in a file
called
secring.pgp.
PGP uses conventional encryption to protect secret
keys
How does PGP help you keep your secret keys secret? RSA secret and public
keys must be hundreds of bits long and they are must be chosen randomly.
This presents a problem. If PGP were to ask you, a human being, to remember
your public key, it would be incontinent, because most human beings do
not remember long strings of binary information well. You might write it
down. This would be bad, because someone might do a black bag job
on you. A black bag job is when a practical cryptoanalyst comes
to your house when your are not there with a bunch of locksmithing tools
in his black bag. He comes away with your secret key in his black
bag. The other alternative would be to store your secret key in a computer
file. But this risks someone doing a black bag job on your computer.
PGP solves this dilemma by storing both your public and secret keys in
computer files called keyrings. But, it stores your secret key encrypted
with conventional encryption. Your secret key will be protected with a
pass
phrase which you must specify every time you wish to use your secret
key. (When you decrypt a message or sign a message.) Hopefully, you will
choose your pass phrase so that it will be easy for you, as a human
being, to remember it.
PGP scrunches your pass phrase to a 128
bit cryptographic checksum, using an algorithm called MD5. (English
has a entropy of about 1 bit per character, so if you use a pass phrase
128 characters long, then all values for the checksum will be equally possible.)
This checksum is used as a conventional key to encrypt or decrypt your
secret key, using IDEA.
The upshot of all this is that your secret key is stored on a file on
your disk. Thus your disk must be carefully backed up. The secret key is
encrypted, so that you must specify a pass phrase anytime you wish to perform
an action that uses your secret key. Thus you will be asked for your pass
phrase when you wish decrypt a message, or when you wish to sign a message.
You should choose your pass phrase so that you can remember it, but no
one else can guess it.
PGP Can Authenticate Messages.
PGP can authenticate or sign messages. You can create digital signatures.
A digital signature is additional information that tends to show that a
given document really came from a given person. PGP can check digital
signatures to check if a given document for tampering.
How
does PGP authenticate a message?
What do digital signatures prove?
A PGP digital signature shows that the person who signed the document had
access to the PGP secret key and the pass phrase for the
key indicated by the signature and that the document has not been modified
since it was signed. This is different than hand writing signature authentication,
which ultimately depends on the nervous system of the signer.
Overview of PGP
PGP is not an "user friendly" Program
PGP has no menus. there are no mouse buttons to click. PGP will not paint
a fancy picture for you to look at and it will not cause sound to come
out of your computer. PGP is a unix style command line program. The direct
way to use PGP is to enter a PGP command. This command will typically include
computer filenames, key identifiers and options. Options begin with the
"-" character followed by a string of incomprehensible letters. (Except
for the Mackintosh version of PGP. Hey, I do not know anything about the
Macintrash or the Macintrash version of PGP, but you might try MacPGP
2.6.3 Home Page .)
Read the PGP documentation
However, the command pgp -h displays all the information
you need to accomplish most PGP tasks, provided you understand PGP terminology
and philosophy.
Read the documentation that comes
with PGP. There are subtle problems that you can get yourselves into
if you do not. This document attempts to give you the background to understand
the documentation.
Books on PGP
There are six books on PGP.
-
PGP Pretty Good Privacy by Simson Garfinkel
-
Protect Your Privacy A Guide for PGP users by William Stallings
-
E-MAIL SECURITY How to keep Your Electronic Messages Private by
Bruce Schneier
-
The Computer Privacy Handbook by André Bacard
-
The Official PGP User's Guide by Philip R. Zimmermann
-
PGP Companion for Windows The offical Guide to WinPGP by Peter Kent
PGP Web Pages
No one has to enter PGP commands directly.
There are a number of PGP frontend programs that give PGP a menu oriented
interface.
Some mail programs such as ELM support PGP. Some editors support
PGP extensions. There is a PGP extension to
GNUEMACS
.
There are a number of shells for the MSDOS MSDOS
program loader . There is PGP
software for the Macintosh . OS/2's EPM
editor can be extended to support PGP . There are even shells for WINDOZE.
How PGP handles text.
There are two separate problems that encryption programs have in dealing
with text. PGP has two separate solutions to these problems. It is important
that these problems and their solutions not be confused. If the solution
to one problem is used when the other solution is required, the results
will be bad.
Making the output of PGP into a mailable file (-a).
Ordinarily, a well encrypted file is not mailable. The encrypted file usually
uses characters that most mail programs will not accept. Since line terminators
occur essentially randomly in the encrypted file, lines can easily be too
long for most mail programs. PGP solves this problem with the
-a
option. This causes PGP to use the ascii radix-64 armor
for output. The resulting output limits the characters used to a set
of characters that mail programs will accept. It creates lines a reasonable
size. Thus the output file should be mailable. PGP is programmed to accept
such files, reversing the radix-64 format before decrypting. The -a
option
can be used when signing a file as well. This causes the signed file to
be in the radix-64 format. Using -a options results in output
that is about 30% larger.
The -a option can be specified by itself, without requesting
encryption or authentication. In this case, PGP is being used as a superior
uuencode/uudecode.
Different ways to represent plaintext. (-t)
Different Operating systems represent text in different ways. For example,
different end of line characters are used. The UNIX operating system uses
linefeed characters to end lines, but the MSDOS program loader uses the
carriage return linefeed combination to end lines. The Macintrash operating
system is said to use carriage returns to separate lines. These differences
mean that text files must be converted, when they move between operating
systems. If this conversion is not done, then the files will not display
or print properly. This need for text file conversion, is why the FTP(file
transfer program) needs to have binary and ascii modes, when it moves files
between operating systems. Now when PGP is asked to encrypt a plaintext
file on one operating system and decrypt it on another, then the PGP system
as a whole is being asked to move a text file between operating systems.
The same considerations apply when signing text files on one operating
system and removing the signature on another. The PGP -t
option should be specified when encrypting or signing a text file. This
will ensure that the text file conversion is done correctly. The -t
should not be used if the file contains binary data, such as executable,
some word processor files, and many data files.
Using text examples.
-
Fred wishes to encrypt a spreadsheet file (.WKS) and put it on
a floppy and mail it to his financial advisor.
Since the file is not being sent through email, the -a
option is not needed. Since the file contains binary data, the -t
option should not be used.
-
At the last minute, Fred finds that his financial advisor has an email
address and decides to email the file.
Since the file is going to be emailed, the -a option
should be specified. The original file still contains binary data, so the
-t
option should not be specified.
-
A huge text file needs to be moved to the accounting department's computer.
For security reasons, this computer is not connected to any networks, so
the file will be moved on a floppy via sneakernet.
The -t option should be used because the original file
is text. The -a option is not needed, and should not be used so
the resulting file has a better chance of fitting on one floppy.
-
Fred wishes to email an encrypted love-letter to his girl friend.
Since the plaintext is text, the -t should be used. Since
the output from PGP must go through email, the -a option should
also be used.
Starting with PGP
The first thing to do is to create a directory for PGP and its files to
live in. Unpack the
distribution
files to this directory. (If you are using PKUNZIP under the MSDOS
program loader, be sure to use the "-d" switch.)
Modify the PGPPATH and PATH variables.
PATH should
point to the directory where the PGP executable exists. PGPPATH
should point to the directory where the PGP data files are. The procedure
for doing this depends on your operating system and should be documented
in the documentation that comes with your PGP distribution. When using
the MSDOS program loader, you would modify the file AUTOEXEC.BAT.
when using OS/2 the file
CONFIG.SYS should be modified.
Generate a Secret Key/Public Key Pair
The first thing you want to do after installing PGP is to generate keys
using the -kg command. This will allow
messages to encrypted for you, and it will allow you to sign messages.
Select a Key Size.
PGP will ask you for a key size. Unless your computer is a klunker, choose
1024 bits. (If your computer is fast, and you are extremely paranoid about
the computers in the NSA's basement, you may want to create an additional
key with 2047 bits, if you have PGP 2.6. But you would not want to make
that key your primary key, because not all versions of PGP support keys
with more than 1024 bits.)
Select a Key Identifier
Choose the key identifier for the key. From the point of view of PGP, the
key identifier can be any string of characters, but to use the key identifier
with mail programs, follow the convention:
First Last <myaccount@mynode.mydomain>
Your internet mail address should be enclosed by the <> characters.
Select a pass phrase to protect your secret key
Choose your pass phrase according to the following rules:
-
Choose a pass phrase you can remember.
-
Choose a pass phrase that can not be guessed.
-
at least 128 characters.
-
can not be deduced from your personal history.
-
is not found in literature or popular culture.
-
Do not use your pass phrase for any other function.
PGP will ask you to type some text on your keyboard.
PGP needs to make itself unpredictable, so that a hostile cryptanalist
can
not predict what it is doing. To do this it is necessary for PGP to get
some
random
numbers
. It is difficult to get random numbers in a computer program,
because computers and operating systems are designed to be predictable.
To create random numbers, PGP will ask you to type some text on your computer.
PGP creates the random numbers by measuring the timing of your keystrokes.
It does not matter what you type, but do not use the autorepeat feature
of your keyboard if it has one.
Sign your own key.
You should
always sign your own public key. This is why the more modern
versions of PGP will automaticly self-sign your key when it is created.
The following command will sign the key my-key-identifier:
pgp -ks my-key-identifier -u my-key-identifier
Adjust the file CONFIG.TXT.
You may wish to adjust the file
CONFIG.TXT
to conform to your personal preferences. You can study the file PGPDOC2.TXT
that comes with your PGP distribution to know how to do this. If you have
more than one secret key, you may wish to set the configuration variable
MYNAME
to be your default secret key.
Extract your public key.
To allow others to send you encrypted messages, you must give them your
public key. To do this, you must extract your public key to a file:
pgp -kx my-identifier file
If you must send your public key thru email, you will
want to add the -a option.
pgp -kxa my-identifier file
Add a key to your public key ring.
When someone sends you their public key, you can add it to your public
key ring.
pgp -ka file
Encrypt a file.
After you have added a public key to your keyring, you can encrypt a message
using that key.
pgp -e file key-identifier
You may need to add the -a and/or -t
options to insure that
text is handled properly.
Decrypt a file.
To decrypt a file, use the simple:
pgp ciphertextfile
This command will also check digital signatures if any. To display a file
a screenful at a time use the
-m option.
Authentication
PGP can sign file creating digital signatures:
pgp -s textfile -u my-key-identifier
You may need to add the -a and/or -t
options to insure that
text is handled properly.
Authentication can be combined with encryption, creating an encrypted,
signed file.
pgp -es textfile their-key-identifier -u my-key-identifier
This will create a file that the owner of their-key-identifier can
decrypt and signed by my-key-identifier. The encryption is done
after the signature, so that a person who can not decrypt the file can
not tell who signed the file.
Create a clear signed message.
Suppose you wish to post a message to a USENET newsgroup. You want
to sign the message, so that people can check its signature with PGP, but
you want the text of the message to be readable by people that do not have
PGP. You want to create a clear signed message:
pgp +clearsig=on -sat textfile -u my-key-identifier
Be careful not to enter clear signed messages into FIDONET systems
without the permission of the sysop. Most of FIDONET is extremely
authoritarian, and does not allow encrypted or signed messages. Although
we can laugh at the rigid orthodoxy of FIDONET, we should respect
the property rights of the sysops.
Create detached signatures.
You can create a signature certificate in a separate file:
pgp -sb textfile -u your-key-identifier
These certificates can be checked by specifying both the certificate and
the original file to PGP.
pgp certificate-file original-file
Detached certificates can be used to sign an executable file, without modifying
the file so that it remains executable.
Miscellaneous PGP commands
Special PGP commands that do not really fit anywhere.
Wipe a file.
When a file is deleted under most operating systems, the data in the file
is not necessarily destroyed. Usually, the directory entry that points
to the blocks of the file is removed and the blocks of the file are returned
to the disk's free space. It is possible that someone could recover the
data of the file. There are the famous "undelete" programs that function
under the MSDOS program loader. When PGP wipes a file, it overwrites the
data so that the data is DEAD, DEAD, DEAD and can never be recovered.
pgp -w datafile
The -w option can be used when encrypting a file to wipeout the plaintext
after encrypting.
pgp -esatw plaintextfile their-key-identifier -u my-key-identifier
PGP and pipes.
If your operating system supports pipes, you can cause PGP to take its
input or output from a pipe by specifying the
-f
option. (If you do not know what a pipe is, do not worry about it. You
can get along without pipes, and perhaps your operating system does not
support them.)
Restoring the original plaintext file name.
To cause the decrypted file to have its original filename, use the -p
option.
pgp -p ciphertextfile
PGP and conventional encryption
If you are encrypting a file to your self, you can avoid fooling around
with keyrings by using conventional encryption:
pgp -c plaintextfile
PGP will ask for a pass phrase to use as a key. The pass phrase will be
required to decrypt the file.
Publish your public key(s)
You need to publish your public keys, so that people who have not previously
contacted you can send you encrypted messages and check your signatures.
To publish your public keys, you should use a
PGP
public keyserver
. These key servers are used by sending them email
commands.
These commands are described by the file
KEYSERV.DOC that comes
with the PGP distribution.
To publish your public key, first extract the key as a
radix-64
file.
pgp -kxa my-key-identifier file
Email the resulting file to a public key server with subject "add". It
is only necessary to send your public key to one public key server. They
are like small town gossips. They all talk to each other. To tell one is
to tell them all.
To get somebody else's public key from a public key server, send a null
email message to a server with subject
get key-identifier.
The mail server will mail you back a radix-64 encoded key file, which you
can add to your public keyring.
pgp -ka keyfile
The
list of keyservers
changes from time to time.
FLASH now you can access public key servers through the World
Wide WEB at
the University
of Paderborn.
The public key servers make no checks to insure that a given keys in
its database actually came from the person indicated by the key identifier.
This determination is your responsibility.
Things to do with keys.
You can remove keys from your keyring with the -kr option.
pgp -kr key-identifier
You can revoke keys, declaring that the keys have "gone bad" and should
not be used:
pgp -kd key-identifier
This will produce a revocation certificate, which should be sent to the
public
key servers to declare that the key has gone bad. Remember your pass phrase!
You can not revoke a key without the pass phrase.
You can edit keys:
pgp -ke key-identifier
This will allow you to edit the pass phrase or key-identifier of a secret
key, and it will allow you to change the
trust parameters
of a public key. You might want to change your key identifier, when your
name, or your internet mail address changes. Whenever you change a key
identifier, you should always
sign
your new public key.
pgp -ks my-key-identifier -u my-key-identifier
So how do I know this key is good?
How do we know that a given key actually belongs to the person indicated?
A fraudulent key can be created to trick us into accepting bad signatures.
It could be used to trick us into encrypting a message that the wrong person
can decrypt. It is possible to forge an email message, so we can not necessarily
trust that the email message that brought us a public key was not fraudulent.
As we have seen, the public keys servers do not check
that the keys stored in their databases are correct.
The first and most basic way of checking a public key is to contact
the owner directly. You could call the owner on the phone, and ask the
owner if the key you have really belongs to him. Then if you recognized
him by voice, you could be sure you had the right key. But how would you
know that you and the key owner were talking about the same key? He could
have a key with key identifier and you could
have a fraudulent key with the same key identifier. How would you check
this? The answer is the -kvc option:
pgp -kvc key-identifier
This will cause pgp to print a fingerprint that looks like this:
Key ring: 'E:\PGPDATA\pubring.pgp', looking for user ID "paul.elliott".
Type bits/keyID Date User ID
pub 1024/D4849879 1994/01/29 Paul Elliott (standard 1024 bit key)
Key fingerprint = F6 C7 33 D8 64 07 46 D7 FD 67 53 80 CE 7E 0B C8
Paul Elliott
The key fingerprint of a given key is designed to be unique. If two people
get the same key fingerprint for a given key, then they know that they
are dealing with the same key. Key fingerprints can be used to verify the
validity of keys over the phone. We now pass on to more indirect methods
of checking the validity of keys.
Key Signatures
Key signatures are used to transfer the knowledge of the "goodness" of
a given key from one person to another. Let us do a thought experiment.
Suppose that Judy has received a key from Fred through email, and she needs
to verify that it is really Fred's key. She does not know how to contact
Fred directly, but she has a friend, Sally, who does. She already has Sally's
valid key. She (Judy) could get Sally to send her a PGP signed message
like this:
-----BEGIN PGP SIGNED MESSAGE-----
Dear Judy,
I know of my own personal knowledge that the key
with key fingerprint:
F6 C7 33 D8 64 07 46 D7 FD 67 53 80 CE 7E 0B C8
Really does belong to Fred!
Sincerely, Sally
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAgUBL3r/vfBUQYbUhJh5AQFvMQQAkE+UtvtKKNseHblNs5uccRTISXrEdkl9
QjeYtagh9Qs=
=VqdW
-----END PGP SIGNATURE-----
Judy can run this message through PGP to verify that it really came
from Sally. She can check the fingerprint against the fingerprint she has.
If the fingerprints match, and she trusts Sally, then
she can be sure that the key really is Fred's key.
It is never necessary to actually send or create messages like the above.
PGP supports the same functionally through the concept of "Key signatures".
When one signs a key, one is essentially creating a message like the above,
and attaching it to the key itself on the key ring! Then, when a key is
extracted
from a keyring, and sent to someone else, and added
to another keyring, the "key signature" goes with it! Thus key signatures
propagate from user to user in the same way that keys do. To sign a key:
pgp -ks the_key_id_you_are_signing -u the_key_doing_the_signing
Whenever you sign a key, you should re-send the key to the
public
key servers so that other PGP users can use the signature to determine
the validity of the key. You can view the signatures that are attached
to a key using the -kvv option.
pgp -kvv key_identifier
Who Do I trust?
When PGP uses a key for encryption or signing, it determines if
in PGP's opinion, the key can be trusted. If PGP does not
trust the key, it will print an message warning you that the key is not
to be trusted. You can tell PGP to use the key anyway. PGP
determines trust on the basis of signatures from trusted keys. When you
add
a key to your public keyring you are asked if the key can be trusted to
introduce other keys. If a PGP notes a signature from a trusted key, it
tends to trust the key bearing the signature. You can change the trust
parameters on a key using the -keoption.
pgp -ke key_identifier
Trust is not transitive.
If you trust a person, you do not necessarily trust everyone that that
person trusts! You can believe that the person you trust is naive and that
therefore the persons that he trusts is not necessarily trustworthy.
Thus the PGP configuration option
CERT_DEPTH
should be set to 2.
Furthermore, you should not expect other people to trust your inferences.
If you infer that a given key is good on the basis of key signatures,
you should not sign that key. You should only sign
a key when you know of your own personal knowledge that a key is valid.
When to use PGP.
Always, use PGP when the person you are corresponding with has it.
This establishes that you are a regular PGP user. It asserts your
right to use PGP. If you make it a habit to always use PGP
then you will not draw attention to any sensitive messages you might wish
to send.
Use conventional encryption.
Use conventional encryption, the -c option, when
you are encrypting files to yourself. This avoids the RSA algorithm
and is slightly stronger. It avoids the necessity to muck around with keyrings.
PGP encrypted files are identifiable.
Every PGP encrypted file contains header information that identifies
it as a PGP encrypted file, even to someone who can not decrypt
it. If you wish it to remain a open question if your encrypted file is
in fact encrypted, you should use a raw conventional or symmetric cipher.
You can remove the PGP headers from an conventionaly encrypted PGP
using a program called
stealth.
Protect your right to use encryption.
There have been recent rumblings about government plans to outlaw private
strong encryption. I believe in the right to use encryption for a number
of reasons:
-
As a member of EFH, I am for free speech in cyberspace and am for the advance
in network culture that PGP represents.
-
As a member of the Libertarian Party,
I oppose any unnecessary governmental interference in our lives.
-
As a supporter of the right To keep and bear arms, I wish the people to
be armed with powerfull weapons, such as PGP.
Read my rant opposing the regulation of private cryptography.
It is very well to support the right to private encryption, and everyone
can do so for their own reasons, but what can be practically done to protect
the right to use encryption?
-
Use a defensive formulation when discussing the uses of encryption. Choose
examples that show encryption being used for good and against evil. Even
though other more controversial uses of encryption are possible, the widespread
availability of legal encryption is progressive and we need to be careful
to talk that way.
-
Take political action. You can contact your political representatives and
inform them of your views on the issue of strong encryption.
-
Spread the use of encryption. Make PGP commonly available. Upload it to
BBSes. Teach other people how to use PGP. Get many powerful people routinely
using PGP and other strong encryption, so that it becomes politically impossible
to ban it.