PGP In a Nutshell 2.5

by Jeremiah S.Junken (jjunken@nations.ucs.indiana.edu)

Editing Crew:
Gary Kline (kline@tao.thought.org)
Peter Simons (simons@peti.gun.de)

This text is Coprighted to its author, 6/1994. This may be re-distributed in any manner, so long as it remains unaltered and no profit is gained by it directly or indirectly, or by any package in which it is included!

The PGP team, Fred Fish have permission to include it in their releases, as does the EFF, CPSR, and any news service.

You are permitted to reformat this document as needed so long as you stay within the rest of the requirments of the license.

I humbly ask you to notify me when/if you add this file to any archive, WWW site, CD-ROM, BBS, etc.

Nutshell, text Version 2.7 (Not related to PGP Version number)


Getting Started with Phil Zimmermann's Pretty Good Privacy (PGP) Software

This document could easily be titled "PGP for dummies", but I like doing things differently. Nonetheless, this document should get the "dummy" from point A to the finish line without much trouble. Even if you're one of the gurus who entire computing experience borders making you an acolyte to the computer god, I think you'd still be well served to read this.

This document is in no way meant to supplant the documentation provided by Mr. Zimmermann, but rather as a plain-english quick-reference for those who'd rather get down to business than screw around with intricacies. My belief is that you should learn the essential basics and dive in straight away. The finer points will grow on you, and you learn them as you go.

Remember that security is only as good as the people who know the codes, so under no circumstances tell anyone your password or write it down where it might be found. Be aware of shoulder-surfers (people who can't keep their eyes off the keyboard when you're entering passcodes they're not intended to know)..

You probably got this because you wanted to avoid the BS associated with huge, detailed manuals. After all, you didn't get PGP for an education, you got it to do something. With this in mind, I've written this to be easy to understand so you can get started. However, you should remember that if you do not use PGP correctly and bypass steps, you risk not only your own security, but anyone who communicates with you and possibly more. For that reason, you should see the recommended reading order immediately below the table of contents and ultimately go through the whole guide!

It would be a very good idea to print up the whole thing so you can reference it while actually using the software!

The Following is a table Of contents. Don't be afraid. Just follow the order I recommend immediately below it; nothing will blow up :)


Table of Contents

Environment

Considerations for using PGP in different situations, what you need to know to make PGP secure, etc.

Environment: Plaintexts
Environment: Residual Data
Environment: Environmental Variables
Environment: Password Echo
Environment: Shared Systems
Environment: Your Password

Getting Started

The things you need to know to use PGP

Getting Started: Generating Keys
Getting Started: Decrypting Messages
Getting Started: Encrypting, Adding Keys
Getting Started: QUICK REFERENCE
Getting Started: "Stupid" Questions

PGP Applied
This is a extremely brief reiteration you should read several times!
Advanced PGP

Master PGP and make it REALLY work for you!

Advanced PGP: Authentication
Advanced PGP: Certification
Advanced PGP: Key Editing
Advanced PGP: Copying Secret Keys

Paranoia

Unlikely surveillence possibilities

Paranoia: Electromagnetic Inference Interception
Paranoia: Hard Disk Reading
Paranoia: Remote Video Monitoring
Paranoia: Linetap
Paranoia: Modifications

Correspondance Information
How to reach me
PGP Distribution Information
Notes
General Notes on text, etc.
PGP Supplementary Stuff
PGP related programs, etc.

Recommended Reading Order:

  1. Getting Started,
  2. Environment,
  3. Advanced PGP,
  4. PGP Applied.

Unless you sell cocaine or plot to overthrow a government, PARANOIA is not really important :) :)

Environment

When you sit down in front of your terminal and use PGP, you are doing so to ensure your security and privacy. You can't cover all bases, obviously, you're only human, but you can minimize the chance for security leaks and thusly, the compromise of your privacy.

Environment, in this text, is a reference to your computer, and the physical area in which your computer exists.

Environment: PLAINTEXTS

When you use PGP, you first write a document containing the message you want to encrypt. This document you are writing is not encrypted, and while it's not encrypted, it's vulnerable to being read. So, you encrypt it and send it to your destinations. Pretty simple. Of course, this document can still be read! How? Did you delete the original? You must. Or, use PGP's Conventional Cryptology option and encrypt the original with a password so you read it when you need it.

Environment: RESIDUAL DATA

If you use MS-DOS 5.0 or better, you should be familiar with the UNDELETE command. If you were to write a plaintext, encrypt it, delete the original plaintext and mail it, the plaintext can still be undeleted. Even if you don't have an undelete command, you should be aware that there are some out there, and if someone really wanted to, they could recover the plaintext. This is true of any platform that uses any sort of disk technology, everything from Macintosh or an IBM to the largest mainframes. Not just hard disks, but floppies too!

There are several ways to avoid this. For MS-DOS, there exists a NUKE command. This command writes over the file with 1's, 0's, 1's, then deletes it. In that way, it's not possible to recover it. This is Department of Defense Standard.

Another way is to run a Disk-Defragmenter after the file is deleted. This will also overwrite the residual data.

Environment: ENVIRONMENTAL VARIABLES

In PGP, there is an option to set your passphrase as an Environmental Variable. In MS-DOS, this could be in your AUTOEXEC.BAT. In AmigaDOS, your startup-sequence or one if it's children. In UNIX C-shell, your .login. This is a terrible mistake to set it in a batch file, because anyone could read that file and your passphrase would be plainly visible, unencrypted, and therefore available to the intruder. However, if you set it in a batch file, it's already in memory, and PGP could be used by whoever was sitting in front of the computer without any problems.

Solution: Do not set a PGPPASS Environmental variable. Ever. For any reason.

Environment: PASSWORD ECHO

There is an option to echo the password when you type it in. By default, PGP does not show what you type so that someone looking over your shoulder could not see it. They could still watch your fingers on the keyboard.

Solution: Do not set Password echo on. It's not rude to ask someone not to watch when you enter a password.

Environment: SHARED SYSTEMS

Shared Systems are bad news for security, Period. I've been on the hacking side, and the side of the Hacked, and quite simply, a shared system = Privacy Risk. Remember that the operator (ROOT on a Unix System) or a clever hacker could easily see a dump of system memory and hence, your passphrase while PGP is decrypting.

The TEMP directory ( /tmp in UNIX ) is another problem. PGP could store it's swap files there. You'd be best off to edit the PGP Config.txt (PGP.config on Amiga) and define the TEMP directory to be your home directory. Also make sure you have the privileges set so that others cannot read your home directory

(In Unix: chmod . og-rwx ; chmod . u+rwx. If this command syntax is incorrect, see the NOTES sections immediately below the Table of Contents..)

Type the following to make your home directory private:
chmod 700 /home/users/smith,
if Smith was your home path. An easier way to do this is to type:
chmod 700 ~
, ~ means your home directory.

There's also the umask command, which you should look up with the "man" command.

If you use a mail system such as ELM that creates a tempfile in the /tmp before mailing, it's better to write your message with Emacs before you start in mail,

emacs newmessage.txt

then encrypt it (pgp -ea newmessage.txt) then mail it with pipe redirect:

mail user < newmessage.txt.asc

and that way, any temp files created would be encrypted, and hence, useless to the peeping intruder!

If you'd like to see some more security concerns, see the PARANOIA section at the tail-end of this file!

Environment: YOUR PASSWORD

When you select your password, you should not use anything easy to guess, like the name of a spouse, a nickname, a favorite sports team, or something even worse like your last name backwards. The technique I use for generating passwords which are easy to remember but next to impossible to guess is to think back to your elementry school years, think of the best time you had during that period in your life, or something you had then that you really loved, and use that as a passphrase.

For example's purposes, we'll use my favorite toy of that time, which was ROBOTIX robot toy construction set. (That, or my Commodore 64 :-) )

The passphrase 'robotix' might be in a dictionary or something that someone might try. So, you might add a few random characters: 'ro_b&ot|><', and maybe the year of your birth. '19ro_b&ot|><75'. That would be damned near impossible to guess, whereis 'robotix' is unlikely to be guessed, it's still possible.

Of course, it's a passphrase not a password, so it could be: "When in the course of human events..." you could change that to: "\\/h3|\| |n th3 k0urS3 uhv H\///.A|\| 3\/3|\|T5..," or something.

Another huge mistake a lot of people make is mumbling their passwords, especially in efforts to remember them. That is a critical mistake. So, if you think what you're typing, make sure your mouth isn't doing the thinking!

The point of this thing is that unless your password is only in your head and encrypted on your secret ring, it's vulnerable. Put yourself in the position of someone who wants to learn your password, and think of every possible, even ridiculous thing you would try.


Getting Started

This section is a jumpstart from ignorance into competent usage of PGP.

Read carefully and follow instructions step-by-step!

Getting Started: GENERATING YOUR KEYSET

Okay. In order for someone to send you mail, they'll need your Public Key. You have to create that yourself. When you create it, it creates your Secret Key (which is password protected) and a Public Key. The Public Key is used by others to encrypt data to you. Once encrypted with your Public Key, your SECRET Key, and only your secret key can decode the information.

So Let's do it!

type: pgp -kg

It will prompt you for several things. One is your ID line, or what people will see that identifies the key as yours from the human perspective.

Yourname <your email address>

That's the general convention, but some people like to use a witty comment instead of an Email Address. It's entirely up to you.

For example, Peter Simons is Peter Simons <simons@peti.GUN.de>

Another option will be Key Size. Pick the largest option (1024-bit key). It might take a while (As long as 5 minutes) to generate the key on most modern machines, but this is YOUR SECURITY we're talking about, not waiting on a laundry dryer. (On older machines, it could be as long as an hour, but it will never take that long to decrypt a message.. usually no more than 5 minutes. I use a very old computer, and it doesn't take more than 40 seconds to encrypt or decrypt for a 1024bit key.. but then again, I use an AMIGA!)

It will ask for a passphrase. A "passphrase" is password, but it's longer. It can be a whole sentence, or just a few letters. Remember to make it something you can remember easily, but not something easily guessed. When I've helped friends generate passwords, I usually tell them to try and remember a really fun time they had with a friend, and pick a word that describes the situation, then the friend's name, and use either.

For a good password, you might want to look at the section in the very beginning on passwords!

The most secure passwords are random strings of both letters and numbers like: az193095=-evce2 or something. Whatever you choose make sure you can always remember it, and that no one is likely to guess it.

It will ask for random keystrokes, and indicate a number showing the number remaining for you to enter at the bottom of the screen. Why? Nothing is more unique than the timing between sets of keystrokes from one person to another.

A computer could not possibly generate a set of numbers as random and haphazard as these timing values. Since it's been established that PGP is effective and it knows what it's doing, humor it. Type reasonably slowly. PGP will indicate that you've entered enough with a Beep and a message saying "-Enough, thank you."

A series of periods and pluses will show up at the bottom of the screen. These are of no concern to you, they're just progress indicators.

They look like this:

....+++ ....++++ ........+++++

When it's finished, you need to "extract" your public key from the public key ring in ASCII format so that you can mail it to the people who will use it (or pass it on diskette, or however you transmit it.) This is accomplished by typing:

pgp -kxa YourId keyfile pubring.pgp

So, For Gary Kline to get his key into a mailable file called "mykey.asc", he'd do:

pgp -kxa kline mykey.asc pubring.pgp

As a side note, there are Environmental variables, specificly, PGPPATH, where you define the location of your Secret and Public Keys.

Is MS-DOS: SET PGPPATH="C:\PGP" (assuming PGP and it's files are in C:\PGP)

In AmigaDOS: setenv PGPPATH SYS:PGPAmiga

In UNIX C-Shell, setenv PGPPATH $HOME/pgp

In UNIX BASH, export PGPPATH="~/pgp"

Otherwise, you have to specifiy full path names in the commands, so in Gary's case, if he didn't set those variables, it would look like:
pgp -kxa kline@tao.thought.org mykey /home/kline/.pgp/pubring.pgp

A file called mykey.asc will be created, and viola! Your friends will add that keyfile to their own public ring and be able to mail you messages securely!

Getting Started: DECRYPTING MESSAGES

Once your friends have your key and mail you a message with PGP encryption, you will need to save that message to a file. Assuming you've done that, and the PGP encrypted message is in a file called newmsg1.txt, we'll go through the motions.

pgp -d newmsg1.txt

PGP will ask for your secret passphrase. If entered correctly, PGP will decrypt it. It may ask you a few questions, answer them appropriately (ie: DO you want to overwrite file with file, etc.) Just answer them according to your wishes.

Now, using an editor or text viewer, you can read the message. If there is extraneous garble at the top, it means the person that sent the message signed it with the PGP key. Nothing is wrong, just ignore the garble. (This rarely occurs.)

Now, after reading the message, you should delete it. There's no security in the message once it's decrypted.. anyone could read it just as you did. You can keep the encrypted version if you tell PGP not to overwrite it in the decryption process, and decrypt it when you need to refer to it.

Here's a small excercise you can try right now if you've generated you keyset:

edit newmsg1.txt
(replace edit with the name of your editor, and write a short message to yourself.)
pgp -ea newmsg1.txt
(encrypt the message. When PGP asks for the userID, specifiy your own.)
type newmsg1.asc
(You can use cat or more in leiu of type depending on what kind of computer you have.)
delete newmsg1.txt
(delete the original plaintext. In Unix, replace delete with rm, in MS-DOS, with del)
pgp -d newmsg1.asc
(PGP will prompt you for your password.)
type newmsg1.txt
(Or whatever filename you and PGP give the decrypted message. See type command substituitions on the previous instance of type)

Getting Started: ENCRYPTING MESSAGES, USING OTHER PEOPLE'S KEYS TO DO SO.

The first step is to obtain the public key of the person you intend to mail.. PGP is a two-way street and requires both people to have the software and have exchanged keys in order to communicate properly.

Once you have isolated their public key in a file, type:

pgp -ka keyfile [keyring]

where keyfile is the file containing their key.

(Remember: Once you add their key, you'll not need to do it again!)

PGP will ask you if you want to certify the key. If you are certain this key came from who it says it's from and you believe that, then yes, you want to certify it. (If you don't certify it, PGP will always ask you if you're sure you want to use it each time you do!)

It will prompt you again, for verification, then ask for your secret passphrase. This is so no one but you can certify which keys you can trust for you. (There is a way to transfer trust, read the full documentation for more information on that..)

Once it's entered, the key is added to your public keyring and you'll never need to add it again.

Now, assuming you've just added Jane Doe's Public key to your keyfile and would like to mail her a message, you'd type:

pgp -ea filename User_Id

Where filename is the message file, and User_Id is that of Ms. Doe, so something like:

pgp -ea doemsg.txt Jane

If there's more than one Jane in your public key file, but only one Doe, you'd type:

pgp -ea doemsg.txt Doe

and pgp would produce a file called doemsg.asc ( or doemsg.txt.asc on UNIX systems.)

Done! You'd simply mail doemsg.asc to Jane Doe, and she'd decrypt it with her secret key.

Getting Started: PGP QUICK REFERENCE

Below are all the basic commands for PGP. Once you're familiar with basic use, read through the manual and use what's below as a reference, like a cheatsheet.

Remember: When making any sort of outfile that you intend to mail (ie: creating encrypted mail messages) remember to add the -a extension.. (pgp -kx should be pgp -kxa, and pgp -e should ALWAYS be pgp -ea), otherwise, the output is unmailable binary data which will appear to be a bunch of random characters that cannot be extracted properly on most systems!!

Key management functions:

If you want to extract your public key to mail to someone:

pgp -kxa User_Id mykey [keyring]

Where User_Id = the first unique pattern of letters in your ID signature (ie: If your signature is Joe Blow <blowj@big.u.edu>, then myid = joe) the result will be a file called mykey.asc, which you can mail to people:

mail user@host < mykey.asc

Getting Started: "STUPID" QUESTIONS

I say "stupid" in quotes because the only stupid question is the one you didn't ask! If you knew everything, you wouldn't be reading this, and it's here to be helpful, not confusing!

Statement: pgp -ea file User_Id

Explanation: The file is the message to encrypt. The User_Id is the person you intend to send it to, in this example. -e means encrypt. a means ASCII output, presumably for mailable text.

When you specify a User_Id, you don't have to type the whole ID... in fact, most systems won't let you. PGP only needs a non-ambiguous clue.

Peter Simons' ID is <simons@peti.GUN.de>

For example, if I write a message to Peter Simons, I can say "Peter", "Pete", "Simons", "Simon", "Simo", "peti.gun" or anything in his ID that isn't in another ID. If there a Simon Jackson in my public keyring, I should say Peter, because there are two occurrences of "Simon". If there's a Peter Jennings in my public ring also, I should say "peti.gun", since that's unique to Peter Simon's ID.

Statement: Why isn't all output just ascii in the first place?

Because sometimes you would want BINARY output for one reason or another. Binary output produces a smaller file, so if you were putting the file onto a disk rather than mailing it,it would be a good idea to just use the binary mode. It's also used for things like STEALTH and stenography, which we won't go into here.

Statement: Why can't I encrypt with a secret key?

Because if you did, then anyone with your public key could decode it, assuming it were possible at all.

Statement: If someone has my public key, can they figure out my password or hack my mail?
Absolutely not! That's the whole point to PGP in the first place!

PGP APPLIED

As the Environment section implies, there's more to using PGP than enciphering Email. PGP is a way of doing things, not just a program. As I've stated before, and feel a need to emphasize, if you don't use PGP correctly, you risk more than your privacy.

Every element of PGP exists for a reason, and some parts that may seem irrelevant are actually important, maybe critical to certain privacy purposes.

Phil and his crew did not spend as much time as they did and PGP itself did not become as popular with everything from grass roots radicals to major conservatives to cryptographic experts for it's health... it became that way because PGP offers all these features.

Keep this all in mind when you begin to think something in here is trite or tedious. It's there for a reason, and that reason is your privacy!


Advanced PGP

This part of this text assumes you're now familiar with PGP, and comfortable with using it routinely. Whether you are or are not, you should read it, but if it seems to complicated, don't worry about it just yet!

Advanced PGP: AUTHENTICATION

So now you're comfortable with using PGP. You can encrypt, decrypt, make and add keys and all that good stuff. So now I throw you a curve-ball. How do you know that you are encrypting a message to me instead of someone else?

Roleplaying time! You have this key, which came in a message from me to you, and when you add it to your keyset, my name came up in the ID with my Email address. Okay. So you're ready to send me a message. Wait right there!

As you should know, it's quite possible to forge Email, or get someone's account password! So, then, it's possible that you have a charlitan key! Someone could have easily generated a key with the same ID tag I have, broke into my account and mailed it to you, then all my incoming mail from you they would divert, read, re-encrypt with my real key and send it to me... and neither of us would know!

PGP solves that, too. Easily. Go back to key generation, briefly, and recall the keystrokes PGP asked for. There is no way anyone could do it like you did, and it's doubtful you could, either! When you generated that key, a part of it was the "fingerprint", which is totally unique to your key. Even if you lost your key and generated another one that looked the same, it's fingerprint would be totally different.

So, before you encrypt things to someone, you should compare the fingerprint on the key you have with the one they have over the phone or in person. Then you would know you have the proper key and not a charlitan!

The fingerprint is also referred to as a fingerprint, and can been seen by invoking the command:

pgp -kvc User_Id keyringfile (ie: pgp -kvc peter pubring.pgp)

There is also a way to "sign" a file. With this done, you can send an encrypted file, such as a letter containing technical data, sign it, and if anything is changed, PGP will know it and warn you.

This is done with pgp -sb filename. (pgp -sb technote.txt)

This can come in handy for making sure no one changes instruction manuals to PGP itself, and more.

Advanced PGP: CERTIFICATION

When you add a key to your keyset, PGP asks you if you want to certify the key... do you know that the key belongs to who you say it does? Do you trust that person to give you keys that are authenticated? This is certification.

If Joe Blow hands you a floppy disc you watched him copy his key onto, you can be reasonably sure it's Joe Blow's key. So yes, you'll certify that. Of course. But... If Joe Blow hands you a disk with other people's keys on it, do you trust that he checked those keys out reasonably well to make sure they're authentic? In other words, you can trust Joe Blow with his own key, but do you trust him to give you keys? If yes, how much? Always? Sometimes? Maybe? Never?

These are levels of trust. If you trust Joe Blow, and Joe Blow trusts John Doe, then it's possible that also John Doe is giving you keys, indirectly.

It's always best to get the key from the person themselves, check it out with them and do it that way, but it's not always possible, either for reasons of time quantity of work, and this is where Certification comes in. It's generally a wise idea to think things through as if it were a chess game, or setting up dominos.

Examples:

The only person PGP should understand you to trust fully is yourself, and when you generate a key, that's the default setting.

Advanced PGP: KEY EDITING

Okay. You're Peter Simons. You key reads:

Peter Simons <simons@peti.GUN.de>

But, you moved. Now you're Peter Simons, root@k-rad.elite.org.

You can edit your key's ID line without it messing up encryption. It's quite simple. You can use this function to also change your password should you feel the desire to do so.

pgp -ke simon

PGP would prompt you on editing options, first being the ID line and then being the password.

You should note that once you change it and lock in the change, PGP will remember the old ID and refer to it as an alias. This way, it's more clear that it is the same key to other users.

People can always use the new or old key to encrypt to you, whether you change the ID and/or the password, however, they'll see the old ID unless you give them the copy of the new public key (pgp -kxa yourname mykey pubring) as if it were new.

Advanced PGP: COPYING SECRET KEYS, USING PGP IN TWO PLACES

Let's say you're like me. You go to a university, and you use PGP offline most of the time, but.. once in a while, you use PGP online. In order to use the same key, you'll need to copy your secret keyring, secring.pgp, and put a copy of it where you intend to use it. If it's avoidable, you shouldn't do it, but sometimes it's not. keyrings are inter-compatible. That is, they work on different computers regardless of whether it's a NeXT, an Amiga, a Mac or an IBM, or anything else.

In some cases, you might need to distribute a secret key, such as in a political organization or something. It's generally best to have a "data treasurer" for that sort of thing, but if you have to do it, then it's done the same way a public key is, except for the keyring specified.

pgp -kxa User_Id SecretKeyFile secring.pgp

Remember that if you distribute it over mail, you would be foolish to distribute it in the same message as it's password, and even more foolish if you didn't encrypt the mail to the user you intended to send it to!


PARANOIA: General Security Problems

Warning: The things presented in this segment of the document are surveillance techniques employed by various government, private and espionage organizations around the world. These are not likely to be employed to read your mail to your best friend, unless you happen to be conspiring to launch a nuclear missile.

Don't lose any sleep over this.

PARANOIA: Electromagnetic Interference Interception

Every electrical device, from digital wristwatches and toasters to televisions and mainframe computers generate electromagnetic interference. There are devices that measure this energy, and in some circumstances can interpret it into being able to tell what a given device is doing.

A computer's monitor is controlled by a signal send from the video card to the monitor (electromagnetic interference.) A remote device, carefully tuned in on this signal, could reproduce the image on your monitor remotely for the purpose of taping or monitoring.

The same is true with a computer keyboard. Whenever you press a key, a certain signal is sent to the computer, different from other signals sent by other keys. A device like the one described above could essentially carbon copy all of your keypresses into a recorder and everything you type could be reproduced.

If you want a working example of this concept, look at a typewriter ribbon (especially those found in IBM Selectric series typewriters.) If you look carefully and fill in the spaces mentally, you can see everything the unwary typist has typed. On the selectric, spaces aren't shown on the ribbon, since the space prints nothing and would be a waste of ribbon to advance the ribbon when you hit it. (Same with Tab, Return, etc.)

PARANOIA: Hard disk reading

If you format your hard drive so that there is no data on it at all, it is still possible to pick up trace magnetic signals where readable data and the previous formatting existed. With special equipment, the contents of your hard drive could be totally reconstructed, despite the formatting.

The solution is straight forward: Department of Defense standard Data Deletion, which was described in the beginning. It overwrites the file 3 times with 1's and 0's before deleting, so the residual data is not usable in any scheme.

PARANOIA: Remote Video Monitoring

Obviously it's possible for someone to videotape your computer screen and/or your fingers on the keyboard. This is a standard tactic. This is avoided somewhat by positioning the computer where neither the keyboard or the monitor is visible through a window, and that there is no reflection visible either, as could be seen in the user's glasses, a mirror, a glossy poster, chrome on furniture, etc.

PARANOIA: Linetap

If you were to use PGP on a remote system, your modem line could be compromised by buffering the signal transparently into another computer and thusly reproducing the entire terminal session. For that reason, it's better to use PGP offline and upload encrypted texts.

PARANOIA: Modifications

There is no way to tell if PGP has been modified unless you get the distribution package from it's creators, or get the source code, carefully examine it, and compile it yourself. Even then, it's possible to have a compiler that recognizes security applications and creates a "backdoor".

Although there are lots of ways to lessen the likelyhood of tampering, it's a game of Better Mousetrap, Smarter Mouse.

The more common scenario is straight-forward: Someone modifies the source on a shared system and gets a dump of everything you've done with PGP on that system. The chance of this is somewhat eliminated by compiling your own copy on the system, or better, simply use your own copy offline!


Correspondance

This was written entirely by Jeremiah S.Junken, with a few additions by Gary Kline and the key-reference chart which was taken from PGP 2.2 as compiled on the Indian NeXT cluster, UCS of IU Bloomington.

In the event of address change or the like, I refer correspondence to Peter Simons, the author of PGPAmiga and the maintainer of the PGPAmiga mailing list.

Please address correspondence related to this to me. Although Peter is a great guy who knows PGP intimately and loves helping people out with it, he's also extremely busy, so keep that in mind before you mail him specificly!

Always read alt.security.pgp if you need more information, and/or subscribe to the PGPAmiga mailing list! (contact Peter Simons)

I'd like to thank:

Peter Simons
Especially, the man who ported PGP to the Amiga and is responsible for a zillion programs of merit for the Amiga networking.
Gary Kline
Who's enthusiasm, assistance, and insightful editorial commentary have made this a much better document.
Phillip Zimmerman
For coding PGP in the first place.
And the many people who sent back a lot of positive feedback on this beast, and offered help and suggestions on bringing this to full fruition.

PGP Distribution Information

PGP is found in compiled form for Amiga, MS-DOS, Mac, and, (I THINK..) Atari ST. The C language source code is also available.

FTP to SODA.BERKELEY.EDU (don't be a hoser)... /pub/cypherpunks/pgp

there you will find several versions, and compiled versions for Amiga, Macintrash, MS-DOS, etc., as well as other cool things.

net-dist.mit.edu (Source, MS-DOS executables)
src.doc.ic.ac.uk (Source, Amiga, MS-DOS, Macintrash)
ftp.luth.se (Amiga /pub/aminet/util/crypt)
wuarchive.wustl.edu (Everything)


Notes:


PGP Supplementary Stuff

Stealth
A "Stenography" program which strips RSA headers and indentifying crypto signatures so PGP encrypted material may be passed of as GIF images and/or sounds, or imbedded within such files.
PGPSendMail
A SendMail replacement for Amiga (being ported to UNIX as this document is being written) that provides streamlined ciphering features fully integrated with any mail system. (THANKS PETER!!)
iSpell
A spell-checking program anyone using PGP should have to check texts before they're enciphered. Versions exist for MS-DOS, Amiga, UNIX (as Source code ), etc.
PGP FrontEnds
There are tons of little utilities for Windows, etc. that add a GUI to PGP. I've seen half a dozen for MS-DOS, so if you like point'n'click convenience, you might considering trying to find one of these.

Remember that PGP needs your help and support to continue to exist and be able to be used. At this point, the United States and other world governments are opposed to secure cryptography and are trying to make it's use illegal. With this in mind, I urge you to FTP to ftp.eff.org, and check out the /alerts directory, and grab some information on the Electronic Frontieer Foundation. The EFF is, essentially, the first activist/civil liberties group that deals only with the electronic world, (the Internet, etc..).

Also, the author of the original version, Phillip Zimmerman has acumulated some expenses keeping himself out of jail due to the legal entanglements and contraversy surrounding PGP. If you would care to help this man who has put his freedom on the line to help insure yours, you are encourages to make a donation, ANY donation to his legal defense fund. Mailings go to his lawyer.

Phillip Zimmerman Legal Defense Fund
c/o Phillip Dubois, Attorney at law.
2305 Broadway
Boulder, Colorado
80304
United States of America.


Jeremiah's Key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a.3

mQCNAi3+N/sAAAEEAKg5XtFem9nMlzU9LxwHTWqvsPaESFjkyxTPtX5YLj5ugvQr
8l8hgXqXwdG8415ZbJNMYP9qRA5u44NNCGhEDIljkj4E5w4CB3JXu/GruaZ+1zAO
9hCAYzajenfCeM2Y3xSO2eiN4nuHWzwV0EW2y1mGD0EXspBRpEVyiiRQvPXpAAUR
tDM8SmVyZW1pYWggUy5KdW5rZW4+IGpqdW5rZW5AbmF0aW9ucy51Y3MuaW5kaWFu
YS5lZHU=
=WT8H
-----END PGP PUBLIC KEY BLOCK-----

Peter's Key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a.3

mQCNAiyg9DgAAAEEAMnWa12Ub+g8uzR/GByKjpMiNsHZygQ4pw2Bjix+WjyEVsHH
JV8DRqdnYBs+MPrhvou1dDXEkhC64lklC23xlawI2yaXBtKadKgEEOdKLF9tVibP
SFqgxT/TNw1l0cDDeCkeQmSXtY2/MpK0tXCRAvFb/dnaHkKDew9HL1s0103BAAUR
tCFQZXRlciBTaW1vbnMgPHNpbW9uc0BwZXRpLkdVTi5kZT6JAFUCBRAtsEbiIfI/
FvoHHfkBAYp4AgCn8M8fUp4AWyGpbra+kSy200LMX6z2kR8cSYfnbqo7DQzJnBGM
LPuDz08J3bCj8HXdy2zXZr6FgMJy8PwnBXS0iQBVAgUQLbsqO5vaUYPwhBsRAQFA
zQIAhxJafc2vxF6FQ7+BR73GU0E3uPSOZzbQfkU/7RFlp4iuOjA5cB1DQyv0IqHN
P8VGQi0aubGR4kh5OGw1vnrp54kAlQIFEC1muGWtei73+sUbeQEBCB0D/2JJ/rnB
pXdKCKcsTzwQuH6TjofkYvDjL+Y2QZ0X+nziYgAyuGSOMo9KfP9exv7y+Al6e/ve
2NrfC4aBKLJPqqaDw/Mpmu7VN7qRSMPYYnBz7PMnn9FMyq5KorRFHQm3D83M90D5
ff+fi0X5xWJiI/cEdFFnskX4gcp+cDoCqvfEiQBVAgUQLVVp0v2YSvmy1vClAQEH
RAIAyElndiq8/yu42bzGGgImJV91xViZN0RV/ogH0k+rPJRgHcdTwHHrw8AoIMXp
rfxRRYWsaIXCpE/zE3k/yXaao4kAVQIFEC1Utjzlc12j2z/KwQEB9y8B/05B0rVS
h8T2Sqg/fhwNvsHYgljZMnR88UpJLkqrBPoZVFJnqTPO0/minYeSHwSeTTqn7BuD
48FJZloTEQKpuEuJAFUCBRAtU+s6ERkJHPqUz38BAVi0Af4mE/oIbeU7UKViul/z
0Tcw4sQ+vTVBIs83BudsWk32Pxcas80E+++HRHyAhHrqO1swdCvpfT7DDrbxJ+Ti
frqLiQBVAgUQLN/aRLVpsU3/KyuPAQEWegIA1quUkJ6hlOZ+jO7Fh+VW7bxk5xdQ
k4SYlcqiw4r10gkktYOUvkQ9o+mL8rHtrObV7bSeD9eYwlory2mo10p9WYkAVQIF
ECzfpSDiivn9aZDvXQEBsr8B/RSPPjgsrz/GObDCvoXKnADP1gOnqPF9AN+JIMPT
ov935pnMrfajTBvMktrpGKp2RxqoOUykOe3bhthREDhpkRCJAJUCBRAtUvWsE3I3
96iLPhkBAa0qA/wMIiIxTabG8wfifPFI+ddni05vrH2i+luft0vJ7IPsaI78UQLY
d1j8ClyultEheHwbu5rPhKyT3r0qNCdNgt/ldKgZlfIakJHxyhYsjimr5C0JWzz8
HtqzI4IgUnJB9ew3Bm9gtOem/+jcq7oGqDjAN6zDzUxlbYvYEAP9bLAp6okAlQIF
EC1S7wHQ+XRbkhtylQEBa8MD+wSClbilT1wdK5TRdAnzSTqQY0VeO/oruKAO7BgL
ZgWxRFqF0rrTet1E2Xp1uk2rtHOKCSdVMRkwk2xv6O8n254AUb2b1y7QeE/wjBHo
+r7FPt6fPiy+MVxPr3YhLjIN2pOr1XBGxDO9hsfvWVXGp/rQrIYYtS3vthsVDsy/
FvyriQCVAgUQLVNPm0hfqy8j2SvjAQF26wQAjM2ejxovriRtifTXhCZ/D8KUZJP+
8w97lDryk0yuTZWR7ICMDxpXpdL+4JrewnjOL7SWwXMw48wQvEBBU3nAsrEHMoA4
0Mfxfgal8benmgnWJzkI7sgozU/+6eq9APqC39/ePDYyUr8qo+46HlKW4e+rod1M
tQiIaQelgR8V2beJAFUCBRAtUvhac5JDRKnQpMMBARgWAf46hG/L6tZ4AuP9jK1f
41AFG5xW5qb0o9ylMWDAR7pJRWknFOLR+NJ9rsguZYTCUYMImxi79nolyyDPJjDr
nl2NiQBVAgUQLVNKMXmMGAx7t12JAQGR2QH8DMLIptuojGjKTiHGvlilh9zVwhnH
r0XSbBBKzx4sTD3FDrBfO7DjRbbP0NnTrlaNyaG1IYwZEbXqsa5EuCEAU4kARQIF
EC1S8y91nsSrAn0L2QEBR+gBfj9WKNWGhJ7v1djo/gklSfDR86MgaV7AlXK26okR
dhYZ96ugDuzM0/f1Sm4itKbtookAlQIFEC0y75F76nchDdGcwQEBXNgEAJGIC+9+
51FPKHczyZQ130mug7v91UxFYou2xeb4MYy+w/3Gp7QiWZFL/Mk8YTzECHuHdIZQ
7LCBQlOS+XOEZ2wbjv8w7JiRU6tTgywj305tX2c0KPCgEuEcT4EioM+rAn7HLm82
Hy/9jzSJK76I54VataY0xO5XCnEn2Z1PDWS+iQCVAgUQLKtBN61MOADdzRPBAQHL
yAQAxPm8IDVl5lt8IqVL7BCFeHq95VO/hXlb/6XY3cJFIj7goCK0zkFluTxaBH0V
5cH1cRnedIxVYihB4CXT7UXIriSETfvP6cL4XV4u3oaOVkiccw6BvHmFnSSgm8wQ
v6CxMkPQMfLR8Tn2rZn3O2ffKRB8nFLiiwThfPKUc9NPYlaJAJUCBRAs7468OxwH
hXg8g/EBAViMBACWap0CD/iX+kaFsyBtHF4qpq8XO1lzTGuHI7Z/HaOwxyEuPeOX
JbM+7pbhRyzRQ7nhyhEQ27hF3wsD07IKSaE6QMFHtObOBmGYPIHkBCGyvlmh545r
N+KNCJkDM9GQ6UgDEwieoTYjNju5lNrxNlco0eJ2lhzB6gE/Iu8ml1LxZ4kAlQIF
ECzlQrTSJ29yPs8yJQEBgAUEAIYrigbBZ8ocSJCNyb2F39QVMV/kkQM+Gm3UU4tb
GrB2f/yW+wB8xgu5VHEBCALN3GoJZ5Jo58oDKEICKJy0CIBxUYGTaTTTaTdCOX2i
qgfFbdglzQJ5O1oc8I57KKL20DgW6zxCS0lVUCfB7K1F90mqIDkxLEFGwvjqeGVu
lmG5iQCVAgUQLMOaw6Da852xEaRBAQFTSAP/WeEmX6CCYnxtPweReQbiOPH0e15H
RA05gFGn8xOrGV4SQ+SN3qHVkDbEos3QCNPO2EN68PwSXHmpqSERR9aro29SSeu5
rBRoujODI/pVEesZGJlafgXljmBKMNEBbkJo8Av0Iig6nLEPJ1BoSTrWLGBPAx5O
L/W9UIg3fT7/JZuJAFUCBRAspUMs6phj4SBVVVcBAc13AfwPq4zYjTX1wNaJPXvc
Gie43TXNVVTDFQM0SQaMJCUggVgpLLpCExGHy8eZVNLHT/oXUNDMub62y9tI/62s
zG54iQBVAgUQLLPH5MXXeS9/02OBAQEeVgIAm/QuutqE/PEDU7cALELs8dDKS/2i
G0ixgP5INdQtusRxRPOTLJr7obmiehxCdpMZlmSqYQ+Sxocl7ePBkuDLkIkAlQIF
ECyokzreJzX92ofAxwEBUMgEAIOmc4aobPOPX3STKiwqif/Yad4vBzrGMCXyhEz6
86o5C3C3TjVNapDz673Lt3vsDv4gwfEKfIPkO2qa0Mnw1HIlko3Ep3PBpRNXmkQl
WmstBT1b4//NbqImb301OUi88ZDrbA7ECpRQkpbJlLjKB6YMuX9Vhmw/goSl+5L2
r1DciQBFAgUQLKhZdBddOICR7WnVAQFhMAF9F66RpmQSiBYYQKwLfwcWQvZTDMvY
7/2voVdW0SvkLyigvjPPSih1KRg8NqW7QGr8iQBVAgUQLKRhFIGIYXUhejq5AQFA
qAH+OE0BRKa2D6a22GPqHQKqLJi+H/2PkCWh5jvDfnl5FnuBG51k1GlkPI+qSY/f
YoS9CZ+/EBAwn4UwIeB6vTcn6A==
=rJ6m
-----END PGP PUBLIC KEY BLOCK-----

His key's bigger than mine! :-)

06/29/1994


Meine Homepage
UNIX-AG Homepage


Impressum