by Jeremiah S.Junken (jjunken@nations.ucs.indiana.edu)
This text is Coprighted to its author, 6/1994. This may be re-distributed in any manner, so long as it remains unaltered and no profit is gained by it directly or indirectly, or by any package in which it is included!
The PGP team, Fred Fish have permission to include it in their releases, as does the EFF, CPSR, and any news service.
You are permitted to reformat this document as needed so long as you stay within the rest of the requirments of the license.
I humbly ask you to notify me when/if you add this file to any archive, WWW site, CD-ROM, BBS, etc.
Nutshell, text Version 2.7 (Not related to PGP Version number)
This document could easily be titled "PGP for dummies", but I like doing things differently. Nonetheless, this document should get the "dummy" from point A to the finish line without much trouble. Even if you're one of the gurus who entire computing experience borders making you an acolyte to the computer god, I think you'd still be well served to read this.
This document is in no way meant to supplant the documentation provided by Mr. Zimmermann, but rather as a plain-english quick-reference for those who'd rather get down to business than screw around with intricacies. My belief is that you should learn the essential basics and dive in straight away. The finer points will grow on you, and you learn them as you go.
Remember that security is only as good as the people who know the codes, so under no circumstances tell anyone your password or write it down where it might be found. Be aware of shoulder-surfers (people who can't keep their eyes off the keyboard when you're entering passcodes they're not intended to know)..
You probably got this because you wanted to avoid the BS associated with huge, detailed manuals. After all, you didn't get PGP for an education, you got it to do something. With this in mind, I've written this to be easy to understand so you can get started. However, you should remember that if you do not use PGP correctly and bypass steps, you risk not only your own security, but anyone who communicates with you and possibly more. For that reason, you should see the recommended reading order immediately below the table of contents and ultimately go through the whole guide!
It would be a very good idea to print up the whole thing so you can reference it while actually using the software!
The Following is a table Of contents. Don't be afraid. Just follow the order I recommend immediately below it; nothing will blow up :)
Considerations for using PGP in different situations, what you need to know to make PGP secure, etc.
Environment: Plaintexts
Environment: Residual Data
Environment: Environmental Variables
Environment: Password Echo
Environment: Shared Systems
Environment: Your Password
The things you need to know to use PGP
Getting Started: Generating Keys
Getting Started: Decrypting Messages
Getting Started: Encrypting, Adding Keys
Getting Started: QUICK REFERENCE
Getting Started: "Stupid" Questions
Master PGP and make it REALLY work for you!
Advanced PGP: Authentication
Advanced PGP: Certification
Advanced PGP: Key Editing
Advanced PGP: Copying Secret Keys
Unlikely surveillence possibilities
Paranoia: Electromagnetic Inference Interception
Paranoia: Hard Disk Reading
Paranoia: Remote Video Monitoring
Paranoia: Linetap
Paranoia: Modifications
Recommended Reading Order:
Unless you sell cocaine or plot to overthrow a government, PARANOIA is not really important :) :)
When you sit down in front of your terminal and use PGP, you are doing so to ensure your security and privacy. You can't cover all bases, obviously, you're only human, but you can minimize the chance for security leaks and thusly, the compromise of your privacy.
Environment, in this text, is a reference to your computer, and the physical area in which your computer exists.
When you use PGP, you first write a document containing the message you want to encrypt. This document you are writing is not encrypted, and while it's not encrypted, it's vulnerable to being read. So, you encrypt it and send it to your destinations. Pretty simple. Of course, this document can still be read! How? Did you delete the original? You must. Or, use PGP's Conventional Cryptology option and encrypt the original with a password so you read it when you need it.
If you use MS-DOS 5.0 or better, you should be familiar with the UNDELETE
command. If you were to write a plaintext, encrypt it, delete the original
plaintext and mail it, the plaintext can still be undeleted. Even if you don't
have an undelete command, you should be aware that there are some out there,
and if someone really wanted to, they could recover the plaintext. This is true
of any platform that uses any sort of disk technology, everything from Macintosh
or an IBM to the largest mainframes. Not just hard disks, but floppies too!
There are several ways to avoid this. For MS-DOS, there exists a NUKE
command.
This command writes over the file with 1's, 0's, 1's, then deletes it. In that
way, it's not possible to recover it. This is Department of Defense Standard.
Another way is to run a Disk-Defragmenter after the file is deleted. This will also overwrite the residual data.
In PGP, there is an option to set your passphrase as an Environmental Variable.
In MS-DOS, this could be in your AUTOEXEC.BAT
. In AmigaDOS, your
startup-sequence or one if it's children. In UNIX C-shell, your .login. This is a
terrible mistake to set it in a batch file, because anyone could read that file
and your passphrase would be plainly visible, unencrypted, and therefore
available to the intruder. However, if you set it in a batch file, it's already
in memory, and PGP could be used by whoever was sitting in front of the computer
without any problems.
Solution: Do not set a PGPPASS
Environmental variable. Ever. For any reason.
There is an option to echo the password when you type it in. By default, PGP does not show what you type so that someone looking over your shoulder could not see it. They could still watch your fingers on the keyboard.
Solution: Do not set Password echo on. It's not rude to ask someone not to watch when you enter a password.
Shared Systems are bad news for security, Period. I've been on the hacking side, and the side of the Hacked, and quite simply, a shared system = Privacy Risk. Remember that the operator (ROOT on a Unix System) or a clever hacker could easily see a dump of system memory and hence, your passphrase while PGP is decrypting.
The TEMP
directory ( /tmp
in UNIX ) is another problem. PGP could store it's
swap files there. You'd be best off to edit the PGP Config.txt
(PGP.config
on
Amiga) and define the TEMP
directory to be your home directory. Also make sure
you have the privileges set so that others cannot read your home directory
(In Unix: chmod . og-rwx ; chmod . u+rwx
. If this command syntax is incorrect,
see the NOTES sections immediately below the Table of Contents..)
Type the following to make your home directory private:
chmod 700 /home/users/smith
,
if Smith was your home path. An easier way to do this is to
type:
chmod 700 ~
,
~ means your home directory.
There's also the umask command, which you should look up with the "man" command.
If you use a mail system such as ELM that creates a tempfile in the /tmp
before mailing, it's better to write your message with Emacs before you start in
mail,
emacs newmessage.txt
then encrypt it (pgp -ea newmessage.txt
) then mail it with pipe redirect:
mail user < newmessage.txt.asc
and that way, any temp files created would be encrypted, and hence, useless to the peeping intruder!
If you'd like to see some more security concerns, see the PARANOIA section at the tail-end of this file!
When you select your password, you should not use anything easy to guess, like the name of a spouse, a nickname, a favorite sports team, or something even worse like your last name backwards. The technique I use for generating passwords which are easy to remember but next to impossible to guess is to think back to your elementry school years, think of the best time you had during that period in your life, or something you had then that you really loved, and use that as a passphrase.
For example's purposes, we'll use my favorite toy of that time, which was ROBOTIX robot toy construction set. (That, or my Commodore 64 :-) )
The passphrase 'robotix' might be in a dictionary or something that someone might try. So, you might add a few random characters: 'ro_b&ot|><', and maybe the year of your birth. '19ro_b&ot|><75'. That would be damned near impossible to guess, whereis 'robotix' is unlikely to be guessed, it's still possible.
Of course, it's a passphrase not a password, so it could be: "When in the course of human events..." you could change that to: "\\/h3|\| |n th3 k0urS3 uhv H\///.A|\| 3\/3|\|T5..," or something.
Another huge mistake a lot of people make is mumbling their passwords, especially in efforts to remember them. That is a critical mistake. So, if you think what you're typing, make sure your mouth isn't doing the thinking!
The point of this thing is that unless your password is only in your head and encrypted on your secret ring, it's vulnerable. Put yourself in the position of someone who wants to learn your password, and think of every possible, even ridiculous thing you would try.
This section is a jumpstart from ignorance into competent usage of PGP.
Read carefully and follow instructions step-by-step!
Okay. In order for someone to send you mail, they'll need your Public Key. You have to create that yourself. When you create it, it creates your Secret Key (which is password protected) and a Public Key. The Public Key is used by others to encrypt data to you. Once encrypted with your Public Key, your SECRET Key, and only your secret key can decode the information.
So Let's do it!
type: pgp -kg
It will prompt you for several things. One is your ID line, or what people will see that identifies the key as yours from the human perspective.
Yourname <your email address>
That's the general convention, but some people like to use a witty comment instead of an Email Address. It's entirely up to you.
For example, Peter Simons is
Peter Simons <simons@peti.GUN.de>
Another option will be Key Size. Pick the largest option (1024-bit key). It might take a while (As long as 5 minutes) to generate the key on most modern machines, but this is YOUR SECURITY we're talking about, not waiting on a laundry dryer. (On older machines, it could be as long as an hour, but it will never take that long to decrypt a message.. usually no more than 5 minutes. I use a very old computer, and it doesn't take more than 40 seconds to encrypt or decrypt for a 1024bit key.. but then again, I use an AMIGA!)
It will ask for a passphrase. A "passphrase" is password, but it's longer. It can be a whole sentence, or just a few letters. Remember to make it something you can remember easily, but not something easily guessed. When I've helped friends generate passwords, I usually tell them to try and remember a really fun time they had with a friend, and pick a word that describes the situation, then the friend's name, and use either.
For a good password, you might want to look at the section in the very beginning on passwords!
The most secure passwords are random strings of both letters and numbers like: az193095=-evce2 or something. Whatever you choose make sure you can always remember it, and that no one is likely to guess it.
It will ask for random keystrokes, and indicate a number showing the number remaining for you to enter at the bottom of the screen. Why? Nothing is more unique than the timing between sets of keystrokes from one person to another.
A computer could not possibly generate a set of numbers as random and haphazard as these timing values. Since it's been established that PGP is effective and it knows what it's doing, humor it. Type reasonably slowly. PGP will indicate that you've entered enough with a Beep and a message saying "-Enough, thank you."
A series of periods and pluses will show up at the bottom of the screen. These are of no concern to you, they're just progress indicators.
They look like this:
....+++ ....++++ ........+++++
When it's finished, you need to "extract" your public key from the public key ring in ASCII format so that you can mail it to the people who will use it (or pass it on diskette, or however you transmit it.) This is accomplished by typing:
pgp -kxa YourId keyfile pubring.pgp
So, For Gary Kline to get his key into a mailable file called "mykey.asc", he'd do:
pgp -kxa kline mykey.asc pubring.pgp
As a side note, there are Environmental variables,
specificly, PGPPATH
, where you define the location
of your Secret and Public Keys.
Is MS-DOS: SET PGPPATH="C:\PGP"
(assuming PGP and it's
files are in C:\PGP)
In AmigaDOS: setenv PGPPATH SYS:PGPAmiga
In UNIX C-Shell, setenv PGPPATH $HOME/pgp
In UNIX BASH, export PGPPATH="~/pgp"
Otherwise, you have to specifiy full path names in the
commands, so in Gary's case, if he didn't set those
variables, it would look like:
pgp -kxa kline@tao.thought.org mykey /home/kline/.pgp/pubring.pgp
A file called mykey.asc
will be created, and viola! Your friends will add that
keyfile to their own public ring and be able to mail you messages securely!
Once your friends have your key and mail you a message with PGP encryption,
you will need to save that message to a file. Assuming you've done that, and the
PGP encrypted message is in a file called newmsg1.txt
, we'll go through the
motions.
pgp -d newmsg1.txt
PGP will ask for your secret passphrase. If entered correctly, PGP will decrypt it. It may ask you a few questions, answer them appropriately (ie: DO you want to overwrite file with file, etc.) Just answer them according to your wishes.
Now, using an editor or text viewer, you can read the message. If there is extraneous garble at the top, it means the person that sent the message signed it with the PGP key. Nothing is wrong, just ignore the garble. (This rarely occurs.)
Now, after reading the message, you should delete it. There's no security in the message once it's decrypted.. anyone could read it just as you did. You can keep the encrypted version if you tell PGP not to overwrite it in the decryption process, and decrypt it when you need to refer to it.
Here's a small excercise you can try right now if you've generated you keyset:
cat
or more
in leiu of type
depending on what kind of computer you have.)
rm
, in MS-DOS, with del
)
The first step is to obtain the public key of the person you intend to mail.. PGP is a two-way street and requires both people to have the software and have exchanged keys in order to communicate properly.
Once you have isolated their public key in a file, type:
pgp -ka keyfile [keyring]
where keyfile is the file containing their key.
(Remember: Once you add their key, you'll not need to do it again!)
PGP will ask you if you want to certify the key. If you are certain this key came from who it says it's from and you believe that, then yes, you want to certify it. (If you don't certify it, PGP will always ask you if you're sure you want to use it each time you do!)
It will prompt you again, for verification, then ask for your secret passphrase. This is so no one but you can certify which keys you can trust for you. (There is a way to transfer trust, read the full documentation for more information on that..)
Once it's entered, the key is added to your public keyring and you'll never need to add it again.
Now, assuming you've just added Jane Doe's Public key to your keyfile and would like to mail her a message, you'd type:
pgp -ea filename User_Id
Where filename is the message file, and User_Id is that of Ms. Doe, so something like:
pgp -ea doemsg.txt Jane
If there's more than one Jane in your public key file, but only one Doe, you'd type:
pgp -ea doemsg.txt Doe
and pgp would produce a file called doemsg.asc
( or doemsg.txt.asc
on UNIX
systems.)
Done! You'd simply mail doemsg.asc
to Jane Doe, and she'd decrypt it
with her secret key.
Below are all the basic commands for PGP. Once you're familiar with basic use, read through the manual and use what's below as a reference, like a cheatsheet.
Remember to add the 'a
' option to anything producing an outfile, or it will
output a binary that you cannot directly mail.
ie: rather than pgp -e
, use pgp -ea
The A
means produce ASCII output, which you can mail straight away.
Mailing files:
In UNIX systems, you would type: mail username < file
where file contains the output from pgp (usually file.asc)
To encrypt a plaintext file with recipient's public key, type:
pgp -e textfile her_userid [other userids]
(produces textfile.pgp)
To sign a plaintext file with your secret key:
pgp -s textfile [-u your_userid]
(produces textfile.pgp)
To sign a plaintext file with your secret key, and then encrypt it
with recipient's public key, producing a .pgp
file:
pgp -es textfile Recipient_Id [Other_Ids] [-u Your_Id]
To encrypt with conventional encryption only:
pgp -c plaintextfile
To decrypt or check a signature for a ciphertext (.pgp) file:
pgp ciphertextfile [plaintextfile]
To produce output in ASCII for email, add the -a
option to other options.
The following command string will produce an encrypted ASCII file (file.asc), signed with your secret key, with the recipient's public key, ready for mailing:
pgp -esa file Recipient_Id [Other_Ids ] [-u Your_Id ]
Other_Ids would be other recipiants, so you could encrypt to more than one person at a time, making seperate files encrypted to each of them.
pgp -kg
Remember: When making any sort of outfile that you intend to mail (ie: creating
encrypted mail messages) remember to add the -a
extension.. (pgp -kx
should be
pgp -kxa
, and pgp -e
should ALWAYS be pgp -ea
), otherwise, the output is
unmailable binary data which will appear to be a bunch of random characters
that cannot be extracted properly on most systems!!
Key management functions:
Note that:
pubring.pgp
= Contains your & other's public files
secring.pgp
= contains your secret keys
[keyring] by default is pubring.pgp
unless you specify otherwise.
To generate your own unique public/secret key pair:
pgp -kg
To add a key file's contents to your public or secret key ring:
pgp -ka keyfile [keyring]
To remove a key or a user ID from your public or secret key ring:
pgp -kr User_Id [keyring]
To edit your user ID or pass phrase:
pgp -ke your_userid [keyring]
To extract (copy) a key from your public or secret key ring:
pgp -kx User_Id keyfile [keyring]
To view the contents of your public key ring:
pgp -kv[v] [User_Id] [keyring]
To view the "fingerprint" of a given key:
pgp -kvc [User_Id] [keyring]
To check signatures on your public key ring:
pgp -kc [User_Id] [keyring]
To sign someone else's public key on your public key ring:
pgp -ks her_userid [-u your_userid] [keyring]
To remove selected signatures from a userid on a keyring:
pgp -krs User_Id [keyring]
If you want to extract your public key to mail to someone:
pgp -kxa User_Id mykey [keyring]
Where User_Id = the first unique pattern of letters in your ID signature (ie: If
your signature is Joe Blow <blowj@big.u.edu>, then myid = joe) the result will be
a file called mykey.asc
, which you can mail to people:
mail user@host < mykey.asc
I say "stupid" in quotes because the only stupid question is the one you didn't ask! If you knew everything, you wouldn't be reading this, and it's here to be helpful, not confusing!
pgp -ea file User_Id
Explanation: The file is the message to encrypt. The User_Id is the person you
intend to send it to, in this example. -e
means encrypt. a
means ASCII output,
presumably for mailable text.
When you specify a User_Id, you don't have to type the whole ID... in fact, most systems won't let you. PGP only needs a non-ambiguous clue.
Peter Simons' ID is <simons@peti.GUN.de>
For example, if I write a message to Peter Simons, I can say "Peter", "Pete", "Simons", "Simon", "Simo", "peti.gun" or anything in his ID that isn't in another ID. If there a Simon Jackson in my public keyring, I should say Peter, because there are two occurrences of "Simon". If there's a Peter Jennings in my public ring also, I should say "peti.gun", since that's unique to Peter Simon's ID.
Because sometimes you would want BINARY output for one reason or another. Binary output produces a smaller file, so if you were putting the file onto a disk rather than mailing it,it would be a good idea to just use the binary mode. It's also used for things like STEALTH and stenography, which we won't go into here.
Because if you did, then anyone with your public key could decode it, assuming it were possible at all.
As the Environment section implies, there's more to using PGP than enciphering Email. PGP is a way of doing things, not just a program. As I've stated before, and feel a need to emphasize, if you don't use PGP correctly, you risk more than your privacy.
Make sure your workstation is free of shoulder-surfers, Password Echo, PGPPASS Environmental variables, Scripts containing your password in an unprotected mode, or any programs that might be intercepting keyboard input.
Residual Information, such as your original unencrypted documents, decrypted mail files, and UNDELETABLE files can be as much a compromise as no PGP at all.
See the Environment section of this document
Failure to verify your keys with their supposed corresponding users is risking too much to fail to justify even a long distance phone call. What's 30 cents against the compromise of your privacy?
See the section on Authentication in this document
Don't be a dummy. A secure password is multifaceted, but rotates around one thing: You're the only one that knows it. If it's written down, easy to guess, or possible to elicit from your computer, it's not a secure password!
See the Environment section of this document
Every element of PGP exists for a reason, and some parts that may seem irrelevant are actually important, maybe critical to certain privacy purposes.
Phil and his crew did not spend as much time as they did and PGP itself did not become as popular with everything from grass roots radicals to major conservatives to cryptographic experts for it's health... it became that way because PGP offers all these features.
Keep this all in mind when you begin to think something in here is trite or tedious. It's there for a reason, and that reason is your privacy!
This part of this text assumes you're now familiar with PGP, and comfortable with using it routinely. Whether you are or are not, you should read it, but if it seems to complicated, don't worry about it just yet!
So now you're comfortable with using PGP. You can encrypt, decrypt, make and add keys and all that good stuff. So now I throw you a curve-ball. How do you know that you are encrypting a message to me instead of someone else?
Roleplaying time! You have this key, which came in a message from me to you, and when you add it to your keyset, my name came up in the ID with my Email address. Okay. So you're ready to send me a message. Wait right there!
As you should know, it's quite possible to forge Email, or get someone's account password! So, then, it's possible that you have a charlitan key! Someone could have easily generated a key with the same ID tag I have, broke into my account and mailed it to you, then all my incoming mail from you they would divert, read, re-encrypt with my real key and send it to me... and neither of us would know!
PGP solves that, too. Easily. Go back to key generation, briefly, and recall the keystrokes PGP asked for. There is no way anyone could do it like you did, and it's doubtful you could, either! When you generated that key, a part of it was the "fingerprint", which is totally unique to your key. Even if you lost your key and generated another one that looked the same, it's fingerprint would be totally different.
So, before you encrypt things to someone, you should compare the fingerprint on the key you have with the one they have over the phone or in person. Then you would know you have the proper key and not a charlitan!
The fingerprint is also referred to as a fingerprint, and can been seen by invoking the command:
pgp -kvc User_Id keyringfile
(ie: pgp -kvc peter pubring.pgp
)
There is also a way to "sign" a file. With this done, you can send an encrypted file, such as a letter containing technical data, sign it, and if anything is changed, PGP will know it and warn you.
This is done with pgp -sb filename
. (pgp -sb technote.txt
)
This can come in handy for making sure no one changes instruction manuals to PGP itself, and more.
When you add a key to your keyset, PGP asks you if you want to certify the key... do you know that the key belongs to who you say it does? Do you trust that person to give you keys that are authenticated? This is certification.
If Joe Blow hands you a floppy disc you watched him copy his key onto, you can be reasonably sure it's Joe Blow's key. So yes, you'll certify that. Of course. But... If Joe Blow hands you a disk with other people's keys on it, do you trust that he checked those keys out reasonably well to make sure they're authentic? In other words, you can trust Joe Blow with his own key, but do you trust him to give you keys? If yes, how much? Always? Sometimes? Maybe? Never?
These are levels of trust. If you trust Joe Blow, and Joe Blow trusts John Doe, then it's possible that also John Doe is giving you keys, indirectly.
It's always best to get the key from the person themselves, check it out with them and do it that way, but it's not always possible, either for reasons of time quantity of work, and this is where Certification comes in. It's generally a wise idea to think things through as if it were a chess game, or setting up dominos.
Examples:
The only person PGP should understand you to trust fully is yourself, and when you generate a key, that's the default setting.
Okay. You're Peter Simons. You key reads:
Peter Simons <simons@peti.GUN.de>
But, you moved. Now you're Peter Simons, root@k-rad.elite.org.
You can edit your key's ID line without it messing up encryption. It's quite simple. You can use this function to also change your password should you feel the desire to do so.
pgp -ke simon
PGP would prompt you on editing options, first being the ID line and then being the password.
You should note that once you change it and lock in the change, PGP will remember the old ID and refer to it as an alias. This way, it's more clear that it is the same key to other users.
People can always use the new or old key to encrypt to you, whether you
change the ID and/or the password, however, they'll see the old ID unless you
give them the copy of the new public key (pgp -kxa yourname mykey pubring
) as
if it were new.
Let's say you're like me. You go to a university, and you use PGP offline most
of the time, but.. once in a while, you use PGP online. In order to use the
same key, you'll need to copy your secret keyring, secring.pgp
, and put a copy
of it where you intend to use it. If it's avoidable, you shouldn't do it, but
sometimes it's not. keyrings are inter-compatible. That is, they work on
different computers regardless of whether it's a NeXT, an Amiga, a Mac or an
IBM, or anything else.
In some cases, you might need to distribute a secret key, such as in a political organization or something. It's generally best to have a "data treasurer" for that sort of thing, but if you have to do it, then it's done the same way a public key is, except for the keyring specified.
pgp -kxa User_Id SecretKeyFile secring.pgp
Remember that if you distribute it over mail, you would be foolish to distribute it in the same message as it's password, and even more foolish if you didn't encrypt the mail to the user you intended to send it to!
Warning: The things presented in this segment of the document are surveillance techniques employed by various government, private and espionage organizations around the world. These are not likely to be employed to read your mail to your best friend, unless you happen to be conspiring to launch a nuclear missile.
Don't lose any sleep over this.
Every electrical device, from digital wristwatches and toasters to televisions and mainframe computers generate electromagnetic interference. There are devices that measure this energy, and in some circumstances can interpret it into being able to tell what a given device is doing.
A computer's monitor is controlled by a signal send from the video card to the monitor (electromagnetic interference.) A remote device, carefully tuned in on this signal, could reproduce the image on your monitor remotely for the purpose of taping or monitoring.
The same is true with a computer keyboard. Whenever you press a key, a certain signal is sent to the computer, different from other signals sent by other keys. A device like the one described above could essentially carbon copy all of your keypresses into a recorder and everything you type could be reproduced.
If you want a working example of this concept, look at a typewriter ribbon (especially those found in IBM Selectric series typewriters.) If you look carefully and fill in the spaces mentally, you can see everything the unwary typist has typed. On the selectric, spaces aren't shown on the ribbon, since the space prints nothing and would be a waste of ribbon to advance the ribbon when you hit it. (Same with Tab, Return, etc.)
If you format your hard drive so that there is no data on it at all, it is still possible to pick up trace magnetic signals where readable data and the previous formatting existed. With special equipment, the contents of your hard drive could be totally reconstructed, despite the formatting.
The solution is straight forward: Department of Defense standard Data Deletion, which was described in the beginning. It overwrites the file 3 times with 1's and 0's before deleting, so the residual data is not usable in any scheme.
Obviously it's possible for someone to videotape your computer screen and/or your fingers on the keyboard. This is a standard tactic. This is avoided somewhat by positioning the computer where neither the keyboard or the monitor is visible through a window, and that there is no reflection visible either, as could be seen in the user's glasses, a mirror, a glossy poster, chrome on furniture, etc.
If you were to use PGP on a remote system, your modem line could be compromised by buffering the signal transparently into another computer and thusly reproducing the entire terminal session. For that reason, it's better to use PGP offline and upload encrypted texts.
There is no way to tell if PGP has been modified unless you get the distribution package from it's creators, or get the source code, carefully examine it, and compile it yourself. Even then, it's possible to have a compiler that recognizes security applications and creates a "backdoor".
Although there are lots of ways to lessen the likelyhood of tampering, it's a game of Better Mousetrap, Smarter Mouse.
The more common scenario is straight-forward: Someone modifies the source on a shared system and gets a dump of everything you've done with PGP on that system. The chance of this is somewhat eliminated by compiling your own copy on the system, or better, simply use your own copy offline!
This was written entirely by Jeremiah S.Junken, with a few additions by Gary Kline and the key-reference chart which was taken from PGP 2.2 as compiled on the Indian NeXT cluster, UCS of IU Bloomington.
In the event of address change or the like, I refer correspondence to Peter Simons, the author of PGPAmiga and the maintainer of the PGPAmiga mailing list.
Please address correspondence related to this to me. Although Peter is a great guy who knows PGP intimately and loves helping people out with it, he's also extremely busy, so keep that in mind before you mail him specificly!
Always read alt.security.pgp if you need more information, and/or subscribe to the PGPAmiga mailing list! (contact Peter Simons)
I'd like to thank:
PGP is found in compiled form for Amiga, MS-DOS, Mac, and, (I THINK..) Atari ST. The C language source code is also available.
FTP to SODA.BERKELEY.EDU (don't be a hoser)... /pub/cypherpunks/pgp
there you will find several versions, and compiled versions for Amiga, Macintrash, MS-DOS, etc., as well as other cool things.
net-dist.mit.edu (Source, MS-DOS executables)
src.doc.ic.ac.uk (Source, Amiga, MS-DOS, Macintrash)
ftp.luth.se (Amiga /pub/aminet/util/crypt)
wuarchive.wustl.edu (Everything)
man
command. For example: man ls
will
give information on the arguments and syntax for the directory listing command.
Remember that PGP needs your help and support to continue to exist and be able to be used. At this point, the United States and other world governments are opposed to secure cryptography and are trying to make it's use illegal. With this in mind, I urge you to FTP to ftp.eff.org, and check out the /alerts directory, and grab some information on the Electronic Frontieer Foundation. The EFF is, essentially, the first activist/civil liberties group that deals only with the electronic world, (the Internet, etc..).
Also, the author of the original version, Phillip Zimmerman has acumulated some expenses keeping himself out of jail due to the legal entanglements and contraversy surrounding PGP. If you would care to help this man who has put his freedom on the line to help insure yours, you are encourages to make a donation, ANY donation to his legal defense fund. Mailings go to his lawyer.
Phillip Zimmerman Legal Defense Fund
c/o Phillip Dubois, Attorney at law.
2305 Broadway
Boulder, Colorado
80304
United States of America.
Jeremiah's Key:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3a.3 mQCNAi3+N/sAAAEEAKg5XtFem9nMlzU9LxwHTWqvsPaESFjkyxTPtX5YLj5ugvQr 8l8hgXqXwdG8415ZbJNMYP9qRA5u44NNCGhEDIljkj4E5w4CB3JXu/GruaZ+1zAO 9hCAYzajenfCeM2Y3xSO2eiN4nuHWzwV0EW2y1mGD0EXspBRpEVyiiRQvPXpAAUR tDM8SmVyZW1pYWggUy5KdW5rZW4+IGpqdW5rZW5AbmF0aW9ucy51Y3MuaW5kaWFu YS5lZHU= =WT8H -----END PGP PUBLIC KEY BLOCK-----
Peter's Key:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3a.3 mQCNAiyg9DgAAAEEAMnWa12Ub+g8uzR/GByKjpMiNsHZygQ4pw2Bjix+WjyEVsHH JV8DRqdnYBs+MPrhvou1dDXEkhC64lklC23xlawI2yaXBtKadKgEEOdKLF9tVibP SFqgxT/TNw1l0cDDeCkeQmSXtY2/MpK0tXCRAvFb/dnaHkKDew9HL1s0103BAAUR tCFQZXRlciBTaW1vbnMgPHNpbW9uc0BwZXRpLkdVTi5kZT6JAFUCBRAtsEbiIfI/ FvoHHfkBAYp4AgCn8M8fUp4AWyGpbra+kSy200LMX6z2kR8cSYfnbqo7DQzJnBGM LPuDz08J3bCj8HXdy2zXZr6FgMJy8PwnBXS0iQBVAgUQLbsqO5vaUYPwhBsRAQFA zQIAhxJafc2vxF6FQ7+BR73GU0E3uPSOZzbQfkU/7RFlp4iuOjA5cB1DQyv0IqHN P8VGQi0aubGR4kh5OGw1vnrp54kAlQIFEC1muGWtei73+sUbeQEBCB0D/2JJ/rnB pXdKCKcsTzwQuH6TjofkYvDjL+Y2QZ0X+nziYgAyuGSOMo9KfP9exv7y+Al6e/ve 2NrfC4aBKLJPqqaDw/Mpmu7VN7qRSMPYYnBz7PMnn9FMyq5KorRFHQm3D83M90D5 ff+fi0X5xWJiI/cEdFFnskX4gcp+cDoCqvfEiQBVAgUQLVVp0v2YSvmy1vClAQEH RAIAyElndiq8/yu42bzGGgImJV91xViZN0RV/ogH0k+rPJRgHcdTwHHrw8AoIMXp rfxRRYWsaIXCpE/zE3k/yXaao4kAVQIFEC1Utjzlc12j2z/KwQEB9y8B/05B0rVS h8T2Sqg/fhwNvsHYgljZMnR88UpJLkqrBPoZVFJnqTPO0/minYeSHwSeTTqn7BuD 48FJZloTEQKpuEuJAFUCBRAtU+s6ERkJHPqUz38BAVi0Af4mE/oIbeU7UKViul/z 0Tcw4sQ+vTVBIs83BudsWk32Pxcas80E+++HRHyAhHrqO1swdCvpfT7DDrbxJ+Ti frqLiQBVAgUQLN/aRLVpsU3/KyuPAQEWegIA1quUkJ6hlOZ+jO7Fh+VW7bxk5xdQ k4SYlcqiw4r10gkktYOUvkQ9o+mL8rHtrObV7bSeD9eYwlory2mo10p9WYkAVQIF ECzfpSDiivn9aZDvXQEBsr8B/RSPPjgsrz/GObDCvoXKnADP1gOnqPF9AN+JIMPT ov935pnMrfajTBvMktrpGKp2RxqoOUykOe3bhthREDhpkRCJAJUCBRAtUvWsE3I3 96iLPhkBAa0qA/wMIiIxTabG8wfifPFI+ddni05vrH2i+luft0vJ7IPsaI78UQLY d1j8ClyultEheHwbu5rPhKyT3r0qNCdNgt/ldKgZlfIakJHxyhYsjimr5C0JWzz8 HtqzI4IgUnJB9ew3Bm9gtOem/+jcq7oGqDjAN6zDzUxlbYvYEAP9bLAp6okAlQIF EC1S7wHQ+XRbkhtylQEBa8MD+wSClbilT1wdK5TRdAnzSTqQY0VeO/oruKAO7BgL ZgWxRFqF0rrTet1E2Xp1uk2rtHOKCSdVMRkwk2xv6O8n254AUb2b1y7QeE/wjBHo +r7FPt6fPiy+MVxPr3YhLjIN2pOr1XBGxDO9hsfvWVXGp/rQrIYYtS3vthsVDsy/ FvyriQCVAgUQLVNPm0hfqy8j2SvjAQF26wQAjM2ejxovriRtifTXhCZ/D8KUZJP+ 8w97lDryk0yuTZWR7ICMDxpXpdL+4JrewnjOL7SWwXMw48wQvEBBU3nAsrEHMoA4 0Mfxfgal8benmgnWJzkI7sgozU/+6eq9APqC39/ePDYyUr8qo+46HlKW4e+rod1M tQiIaQelgR8V2beJAFUCBRAtUvhac5JDRKnQpMMBARgWAf46hG/L6tZ4AuP9jK1f 41AFG5xW5qb0o9ylMWDAR7pJRWknFOLR+NJ9rsguZYTCUYMImxi79nolyyDPJjDr nl2NiQBVAgUQLVNKMXmMGAx7t12JAQGR2QH8DMLIptuojGjKTiHGvlilh9zVwhnH r0XSbBBKzx4sTD3FDrBfO7DjRbbP0NnTrlaNyaG1IYwZEbXqsa5EuCEAU4kARQIF EC1S8y91nsSrAn0L2QEBR+gBfj9WKNWGhJ7v1djo/gklSfDR86MgaV7AlXK26okR dhYZ96ugDuzM0/f1Sm4itKbtookAlQIFEC0y75F76nchDdGcwQEBXNgEAJGIC+9+ 51FPKHczyZQ130mug7v91UxFYou2xeb4MYy+w/3Gp7QiWZFL/Mk8YTzECHuHdIZQ 7LCBQlOS+XOEZ2wbjv8w7JiRU6tTgywj305tX2c0KPCgEuEcT4EioM+rAn7HLm82 Hy/9jzSJK76I54VataY0xO5XCnEn2Z1PDWS+iQCVAgUQLKtBN61MOADdzRPBAQHL yAQAxPm8IDVl5lt8IqVL7BCFeHq95VO/hXlb/6XY3cJFIj7goCK0zkFluTxaBH0V 5cH1cRnedIxVYihB4CXT7UXIriSETfvP6cL4XV4u3oaOVkiccw6BvHmFnSSgm8wQ v6CxMkPQMfLR8Tn2rZn3O2ffKRB8nFLiiwThfPKUc9NPYlaJAJUCBRAs7468OxwH hXg8g/EBAViMBACWap0CD/iX+kaFsyBtHF4qpq8XO1lzTGuHI7Z/HaOwxyEuPeOX JbM+7pbhRyzRQ7nhyhEQ27hF3wsD07IKSaE6QMFHtObOBmGYPIHkBCGyvlmh545r N+KNCJkDM9GQ6UgDEwieoTYjNju5lNrxNlco0eJ2lhzB6gE/Iu8ml1LxZ4kAlQIF ECzlQrTSJ29yPs8yJQEBgAUEAIYrigbBZ8ocSJCNyb2F39QVMV/kkQM+Gm3UU4tb GrB2f/yW+wB8xgu5VHEBCALN3GoJZ5Jo58oDKEICKJy0CIBxUYGTaTTTaTdCOX2i qgfFbdglzQJ5O1oc8I57KKL20DgW6zxCS0lVUCfB7K1F90mqIDkxLEFGwvjqeGVu lmG5iQCVAgUQLMOaw6Da852xEaRBAQFTSAP/WeEmX6CCYnxtPweReQbiOPH0e15H RA05gFGn8xOrGV4SQ+SN3qHVkDbEos3QCNPO2EN68PwSXHmpqSERR9aro29SSeu5 rBRoujODI/pVEesZGJlafgXljmBKMNEBbkJo8Av0Iig6nLEPJ1BoSTrWLGBPAx5O L/W9UIg3fT7/JZuJAFUCBRAspUMs6phj4SBVVVcBAc13AfwPq4zYjTX1wNaJPXvc Gie43TXNVVTDFQM0SQaMJCUggVgpLLpCExGHy8eZVNLHT/oXUNDMub62y9tI/62s zG54iQBVAgUQLLPH5MXXeS9/02OBAQEeVgIAm/QuutqE/PEDU7cALELs8dDKS/2i G0ixgP5INdQtusRxRPOTLJr7obmiehxCdpMZlmSqYQ+Sxocl7ePBkuDLkIkAlQIF ECyokzreJzX92ofAxwEBUMgEAIOmc4aobPOPX3STKiwqif/Yad4vBzrGMCXyhEz6 86o5C3C3TjVNapDz673Lt3vsDv4gwfEKfIPkO2qa0Mnw1HIlko3Ep3PBpRNXmkQl WmstBT1b4//NbqImb301OUi88ZDrbA7ECpRQkpbJlLjKB6YMuX9Vhmw/goSl+5L2 r1DciQBFAgUQLKhZdBddOICR7WnVAQFhMAF9F66RpmQSiBYYQKwLfwcWQvZTDMvY 7/2voVdW0SvkLyigvjPPSih1KRg8NqW7QGr8iQBVAgUQLKRhFIGIYXUhejq5AQFA qAH+OE0BRKa2D6a22GPqHQKqLJi+H/2PkCWh5jvDfnl5FnuBG51k1GlkPI+qSY/f YoS9CZ+/EBAwn4UwIeB6vTcn6A== =rJ6m -----END PGP PUBLIC KEY BLOCK-----
His key's bigger than mine! :-)
06/29/1994
Meine Homepage
UNIX-AG Homepage