prepared
by
Bernard
John Poole, MSIS
with
Netiva Caftori, DA
Pranav
Lal, International Management Institute, New
Delhi, India
Robert A. Rosenberg , RAR Programming Systems Ltd., Suffern, NY, USA
This article is translated into Russian by Fedor Mironov: Drawing tutorials blog
This article is translated into German by Philipp Egger
While
you're waiting.... Where did PGP come from and how does it work?
Step
2: Unzipping and installing the PGP software
Step
3: Setting up (Creating) your Public and Private PGP keys
Step 4: Changing your Passphrase
Step 5: Distributing your Public Key
Step
6: Making your Public Key available through a certificate server
Step 7: Obtaining and Adding someone else's Public Key to your keyring
Step 8: Using the PGP encryption software to send and receive secure e-mails
Step 10: PGP Signing your own unencrypted e-mails
Step 11: Weaving the Web of Trust--Signing someone else's Public Key
Step 12: Using the PGP encryption software to protect (encrypt) your personal documents
Step 13: Using PGP to Wipe files from your disks
Step 14: Useful PGP Options you should know about
Private
individuals should think seriously about doing the same thing. The
fact that you're reading this tutorial indicates that you agree.
A little paranoia is not a bad thing; it makes sense to take whatever means
are available and within reason to protect yourself from people prying
into your private affairs.
A
word of warning to beginners to encryption. The PGP program, notwithstanding
its user-friendly graphical user interface, may take some getting used
to here and there. At the USENIX Security Symposium in 1999, Alma
Whitten & J. Tygar published a paper entitled "Why Johnny Can't encrypt"
in which they point out some of the usability problems associated with
the software. The paper is available at www.sims.berkeley.edu/~alma.
With
this in mind, our tutorial aims to help you get over the initial hurdles
at least so you can be up and running using the software without much difficulty.
The features of PGP introduced in this tutorial are all you need to know
to use the program to protect your privacy in the normal run of affairs.
But bear in mind that to become a power user of PGP--one who takes advantage
of the full suite of encryption protections--you will need to invest some
time in reading the Manual that accompanies the program. The Manuals
for each version of PGP can be downloaded from the PGP International web
site at http://www.pgpi.org/doc/guide/.
On
the next web page, you'll be asked to answer a few simple questions.
You have to answer Yes to all the questions as a way for you to
declare that you won't misuse the software once you've downloaded it.
Read each of the questions carefully before selecting Yes as your
answer. Then click on the Submit button.
On
the next web page, click on the first download link under PGP Freeware
v6.5.8 (Windows 95/98/NT/2000).
You'll be prompted now to decide if you want to open the software right
away or download it (Save it) to your computer hard drive. You want
to Save this file to disk, so make sure this option is selected
in the File Download dialog box, then click on OK.
Now
you have to tell your browser where you want to save the PGP program.
Be sure to select a location on your hard drive where later you'll be able
to easily find the zip file of the PGP software, then click on the
Save
button. The download will take a while, depending on the speed of
your connection to the web.
Encryption
makes this possible, and one of the strongest encryption tools available
to us today is PGP.
Phil Zimmermann invented PGP because he recognized that cryptography "is about the right to privacy, freedom of speech, freedom of political association, freedom of the press, freedom from unreasonable search and seizure, freedom to be left alone." You can read Phil Zimmermann's fuller explanation as to why you need PGP. In the development of PGP, Zimmermann was greatly assisted by his knowledge of the long history of cryptography. Like Sir Isaac Newton, Zimmermann was able to achieve what he achieved because he "stood on the shoulders of giants" who went before him.
How
does PGP work?
OK,
here goes; put your thinking cap on... If this gets overly technical
for you, and your eyes start to glaze over, don't worry about it.
It's nice if you can understand what's going on with Public and Private
Key encryption, but it's not necessary right away. You'll understand
it better as you start to use it and as you interact with others who use
it and can explain what's going on. For now, it's sufficient to just
follow the sets of numbered steps carefully in order to learn the skills
required to use PGP. But read over what follows and understand it
as best you can.
When
you have successfully completed Step 3 of this tutorial, you'll have created
two
keys to lock and unlock the secrets of your encoded information.
A key is a block or string of alphanumeric text (letters and numbers
and other characters such as !, ?, or %) that is generated by PGP at your
request using special encryption algorithms.
The
first of the two keys you'll create is your Public Key, which you'll
share with anyone you wish (the tutorial also will show you how you can
put your Public Key on an international server so that even strangers could
send you encrypted data if they wanted). Your Public Key is used
to encrypt--put into secret code--a message so that its meaning
is concealed to everyone except you
Then there is your Private Key, which you'll jealously guard by not sharing with anyone. The Private Key is used to decrypt--decode--the data (messages and so forth) that have been encrypted using your Public Key. This means that the message encrypted (encoded) using your Public Key can only be decrypted (decoded) by you, the owner of the corresponding Private Key.
The designation of one of the two keys (Key1, say) as Public and the other (Key2) as Private is purely arbitrary since there is no functional difference between the two. PGP chooses one to act as the Public Key and designates the other as the Private Key. If it chooses to designate them in the other order (Public=Key2 and Private=Key1), it would make no difference. This is because when either key is used to encrypt something, the other will act as the corresponding decrypting key to convert the encrypted data back into its original form. This capability is at the heart of the "Signing" process mentioned in Steps 8 through 10 below.
Public
and Private Key encryption solves one of two major problems with older
methods of encryption, namely that you had to somehow share the
key with anyone you wanted to be able to read (decrypt) your secret
message. The very act of sharing the key meant that some untrustworthy
so-and-so could intercept it--and frequently did. Which meant your
code was practically useless.
The
second major problem with older methods of encryption was the relative
ease with which the code could be broken. Codes have to be
incredibly complex if they're to foil the attempts of astute humans to
crack them. This is all the more the case today when we have increasingly
powerful computers to do the dirty, "brute force," work of trying every
conceivable combination of key possibilities for us. PGP, and
other similar encryption systems, use a key that is really--well--astronomically
large, meaning that the number of binary bits (1s and 0s) used to create
it has an astronomically large number of possible combinations and the
actual decimal (base 10) value they represent is--well--huge. Unlike
earlier encryption methods, the security of PGP encryption lies entirely
with the key. Earlier encryption methods relied on "security through
obscurity" (ie: keeping secret the method used to do the encryption).
The methods used to do PGP encryption are known and documented. It
is PGP's selection of the complex keys used to do an encryption that makes
it next to impossible to crack.
The size of the key can be increased whenever necessary to stay one step ahead of advances in technology. Time alone will tell if PGP can stand the test of time, but for now it's one of the best encryption technologies you'll find.
If
you would like to read the history of encryption and understand the origins
of Zimmermann's PGP program, an excellent account is given in Simon Singh's
CODE BOOK (Doubleday, New York, NY, 1999). Find out more about PGP
at the International PGP home page.
The CryptoRights Foundation is another
good website for information regarding privacy issues. You might
also like to join the PGP-BASICS
User group where you can find speedy and informed answers to questions
that might arise as you get started using PGP. Once you're more experienced
with the program, you can join the PGP
Users Mailing List so you can keep in touch with issues related to
privacy.
Follow the Wizard's step-by-step directions, clicking on the Next button as you go along. The first three screens contain info about PGP (licensing, etc.). Read them before clicking on the Next button.
The 4th screen asks you to enter your name and the name of the company you work for. Next you're asked to confirm the folder where you want the PGP Wizard to install the program. Unless you have other ideas, accept the default for this item.
Keep your wits about you on the next screen, which asks you which PGP components you want to install. You do NOT need to install PGPnet Virtual Private Networking, since for most people it's unnecessary and, as Steve Kinney points out, it can create nasty network configuration problems. So Deselect this item by removing the check mark next to it before clicking on the Next button.
On each of the ensuing screens, read what the Wizard has to say. When asked, accept the defaults and let the Wizard do all the setup for you. [Note to Screen Reader users:If you choose the custom install, then you will get a tree view that lists the components that are going to be installed. Use the intermediate arrow keys to move through the list. You may have to specially label the checked and unchecked icons. Use the spacebar to check and uncheck each item. After you have clicked next, you will be presented with a read only edit box that lists the components that you have selected. Be sure to review this list before proceeding. This list is also very handy in case your screen reader does not recognize the checked and unchecked icons or, even if it does, it may not read them in tandem with the item as you arrow through the tree view.]
Once
the PGP software is installed, you will have to reboot your system.
PGP will prompt you to go ahead and Restart.
After your system has been restarted, you are ready to create your Public and Private Keys.
Now that you have the PGP software installed on your computer, you need to create a Public and Private Key pair. This you can do at any time. Remember as you complete the steps that follow that your Public Key is so-called because you will willingly share it with others so that they can use it to send you secret information. Your Private Key is so-called because it alone will decode any information encoded with your Public Key. As long as you alone have knowledge of your Private Key, your privacy is assured. Here are the steps to follow:
The
PGP Key Generation Wizard now asks you to enter your name and e-mail
address. Do this now. You can use any name you like and
it's a good idea to use a genuine e-mail address so you can take advantage
of the PGP feature which will look up the correct key for you when you
are writing to a particular correspondent. Click Next when
you're done entering your name and e-mail address.
Now
the PGP Key Generation Wizard asks you to select a key type.
Accept the default (Diffie-Hellman/DSS) and click Next.
The PGP Key Generation Wizard next asks you to specify a size for your new keys. Again accept the default (2048 bits, which will give you a key so large that it would be well nigh impossible to figure out even by the most powerful computer in the world) and click Next.
[Note
to Screen Reader users:The
PGPkeys window consists of a tree list control. It is advisable that
you classify this control to its standard equivalent. Use the intermediate
arrows to navigate among the various key pairs. It may happen that
your screen reader yields no speech as you navigate using the intermediate
arrows. If this is the case, you can then use the mouse. If
using Window Bridge 2000, use item pad. Other screen readers name this
feature differently. Also, enable the msaa identification for buttons,
check boxes, radio buttons and combo boxes. Enable, too, the identification
of color. In Window bridge 2000, this is the attribute sensor.]
Now the PGP Key Generation Wizard asks you when you want your key pair to expire. Accept the default (Key pair never expires) and click Next again.
The PGP Key Generation Wizard now asks you to enter a Passphrase. Think about this before you proceed. Choose a Passphrase that has at least eight (8) characters (that's a minimum of 8 characters as a requirement), with a mix of upper and lowercase letters or other characters. The greater the mix of characters and the longer the Passphrase, the better. As Herb Kanner explains, "The size of the Passphrase, and the inclusion of mixed case and non-alphabetics is to increase the difficulty of a brute force attack on your Passphrase." So, if you use a longer Passphrase (Herb's is 15 characters long, and Bernie's is 33!!) even if someone used a supercomputer, it would take an intolerably long time for it to try all combinations till it hit on your Passphrase. If you'd like to read more about this important subject of Passphrases, take a look at The Passphrase FAQ. Arnold G. Reinhold's DiceWare Passphrase HomePage is another excellent resource.
Enter
your Passphrase once you've decided what it will be, hit Tab,
and re-enter it for confirmation. Then click Next again.
If
you have entered an inadequate Passphrase, the PGP Wizard will warn
you and ask you to go back and re-enter another Passphrase.
But if all is well, the PGP Key Generation Wizard will now go ahead and
generate
your key pair. You may be prompted to move your mouse around
or hit random keys on the keyboard to help the Wizard create a more secure
key. Click Next when the Wizard has finished generating
your key.
You'll now be asked if you want to send your new Public Key to a server where others around the globe can find it and use it when they want to encrypt data they wish to send you. This is optional, so click in the box only if you wish to do this, then click on Next once more.
To change your Passphrase, here's all you do:
The
recipient of your Public Key will have to have PGP installed on their own
computer if they want to be able to add your Public Key to their keyring
and use it to encrypt the data they want to send you. Likewise, you
must have anyone else's Public Key on your keyring in PGPKeys if you want
to send them encrypted data. This is a bit tricky to understand at
first, but think about it. Anyone who uses PGP has two keys, a Public
Key and a Private Key. Your Public Key is used by other people to
encrypt information they want to send you so no one else but you can know
what the information contains. When you receive an encrypted message
from someone (could be any kind of data, not just text), you use your Private
Key to decrypt it. The neat thing is that you're the only person
who can decrypt the secret message because you're the only person who has
the Private Key, with the Passphrase that unlocks it (unless you share
your Passphrase and Private Key with someone else, which would defeat the
purpose of PGP!).
If
you want to, you can put your Public Key on one or more servers that form
an international server chain. Effectively, this makes your Public
Key available to anyone anywhere who would like to exchange secure communications
with you. Step 5 below explains how to do this.
To include your Public Key in an e-mail message, here's all you do:
Start a new message in your e-mail editor, in the To: box enter the e-mail address of the recipient, and type a subject header such as "My Public Key".
Now click or tab to put the editing cursor anywhere in the body of the e-mail, Paste your Public Key (Edit/Paste or control-V) into the body of the e-mail, and send it.
In
the PGPKeys window, among the list of keys you see there, click
on the icon representing your Public Key. This is the key
you want to post to the certificate server at MIT.
Now
pull down the Server menu, select Send to and then select
the link to the MIT server at http://pgpkeys.mit.edu:11371.
PGP
will now access the server for you and post your Public Key there.
Drag
to select from -----BEGIN
PGP PUBLIC KEY BLOCK----- all the
way down to -----END
PUBLIC KEY
BLOCK-----.
Then copy it (Edit/Copy or control-C)
Open
PGPkeys by selecting
Start/Programs/PGP/PGPkeys
or by clicking again on the PGPtray icon in the lower right corner
of your screen and selecting PGPkeys in the pop up menu.
In the PGPkeys window, paste the Public Key you wish to add to your keyring (Edit/Paste or control-V).
Netiva Caftori's Public Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
mQGiBDp1yy0RBADVlyDewVwltBs7HnHCG3bXlVUODFkn/00TdbM2SPnOAIkj4giB
ylOP7Mg+Hr5y7FIBvmPWx06In6JjNQiSbpshP5YHv57UfE79nEJdWuSTQt/7j7IJ
GkHYtBRHQMIAHMgT8IB5d3gFq52jSa8hw/ixMP09a0Rw8RP9+kOE4s9UrQCg/zVH
IHswdc/mb50PjdeXwnjxQbkD/3lJYEzz8eUlFHB4rVaC1yRi21Lypf0DIMfQg5j9
xBxY4odFJKyf22PeuAjp9roURRIbGIkIGH8eXF+Mav9OqEdD80JbEn1hZuaLk1RF
k1XJjmFRdKXz+Q7JmRdbs3zXXav2cYwalgzEXT5kuXuNlThLTnLoEFop8Hl3xM4/
PdqMBACkkHb07vPY5l429tdXqL00lE6LedlBW4FLjI534QgselsrUxq5U5y0Wg1Z
//a66l5QkyaMrpsHKfkLHdaPOVCs/WeG6eLwD/cUBEM1Y9Yb5DaB0njdZB3Yxcm8
W23hpKjDanb7SbaSA16gBIWRlvrB/qU+MZAj+EXRDJmwMJq2y7QjbmV0aXZhIGNh
ZnRvcmkgPG5ldGl2YWNAb25lYm94LmNvbT6JAE4EEBECAA4FAjp1yy0ECwMCAQIZ
AQAKCRDFpFclYzXzSwiRAJ0S3djCkJJPUalRyE+vWnfnhvJmDgCfTEBN2N6GlGWO
mrOg1tQlZoWbd5q5Ag0EOnXLLRAIAPZCV7cIfwgXcqK61qlC8wXo+VMROU+28W65
Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh01D49Vlf3HZSTz09
jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscBqtNbno2gpXI61Brw
v0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFstjvbzySPAQ/ClWxiN
jrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISnCnLWhsQDGcgHKXrK
lQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVekyCzsAAgIH+wVFKD3A
FEdEBHqDZuKjLdLJIKHk4gloKeQ60R9NLLFynfIgSvgsii5uWLY9+gZ2FIGnP3Yc
GxZH1HASv+pG1sw0MnhutxZui3E3Mt69Uv1KTlTGYkfS+mXBw4Qr7hXavCkF45we
f/9Qlj6hSKVjy4YcewdvpopM9S4gVcBq+EdTp1negsCyj3YhFiEo0JEL40mnoHX7
HudJBbiBmknmBZOjxzBBeDPcu7fWV/LDCWiFoGg9uWy2KOcIt7sNXVJbukbSGYg2
hzOB2JPaqCqI5+4YfUCumNLd0lktT7S1V3/6xszEnybQL7tMtmrZZFAFHFAwLNPA
bLxdF/b26GbrTT+JAEYEGBECAAYFAjp1yy0ACgkQxaRXJWM180ttbQCg98c40J41
iXkP9CuqGR0LBJ46VNAAnj+5dH9N226fBp5TN0rAyxwBveTK
=0VvA
-----END
PGP PUBLIC KEY BLOCK-----
Bernie Poole's Public Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
mQGiBDrlpg0RBADQIOANoihULVTQ3sddrU7XObaNMtgFY7fEpybl0fqQStPyqXHY
nMdeHQQA/d9vEviuN5kbLXW2m1Zf67mAajDc8jP/lElYQg8lv8C6XXBkVH/7i7gC
mFteHDbXCsh8Eqwh2okC3frYPpAx1I0z1VtmOGz2jFfxjVBNfuuBPhaRHQCg/0v8
TEi/i/vY7ALLMPcPCAnPgk8EAMKlb/mBTqbahBjCBWx/CLpEQQ/qVDQmlEk/BBKz
ms6t0OQXtqwcf5+kxre2Xf3XDYRYZPL9mS5oSjSLk2vma+5/Z59Xg39tWke7GULs
hle9wA8Bta/ak6t3fxCr/4MyS2BSpYsIfA+6AlPAs2rOF7EX6jOZkfhHvyS1jCBV
4Y0jA/0VoX+TaDNDZotbMT5INGMkIQS9PD8B3/ynjRdRnDpjOIVscEp0A2tyZ853
9w7TkiVoFtBg5XcM5H1j9FZBfhPg/aZGz0ofJlnvhxGiNVUE2Zxr1PwftTFUJUBu
7RqnliUsYCL00aFoEDXIJ4T18dB8a/KO9Jh520+RXOUOMe0G4rQkQmVybmllIFBv
b2xlIDxiZXJuaWVwb29sZUB5YWhvby5jb20+iQBOBBARAgAOBQI65aYNBAsDAgEC
GQEACgkQ+JGoqOuWpYh1fQCffB+5AYS1tGBpTBn8ILTGfJNZfkkAmwYgG8PbHJKG
MR2ip6RXYxqk6HfUuQINBDrlpg0QCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFu
uUs4INoBp1ajFOmPQFXz0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89
PY3bzpnhV5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa
8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7AAICB/9fLWJk
MxqlKPuP4nfcDXxjYu5yYrtgTxnEA8LjwHILFHC6dS+TruOBehDWWq07PEihRVdK
3vY/oOSV70Du4yO2/siau4xUNhrP2dw1AKgDW1gNvQbeXYuxhs7vKDQGHDgYhUKm
z5E6hX5Z3HesujXnHWe8NtTqa1gM+SP3LF6oFkzTpuIoogRRULy6HUbis1v+Um4i
WI1EXchfauNwy6IzFYOTw41MExKtDyxTLjzBz/PfsncQc2zWpFAih8ZcqQkiOg8B
a+h7xp0hrPzXT0ewxb3aiELI+2oq6m0uwprWJE09REWgwe78gRwbiwlPDH4P/uL9
/tUA2PaCPaEkM7+EiQBGBBgRAgAGBQI65aYNAAoJEPiRqKjrlqWIZv0AoK/IfMGB
Pk7ZKtEr64R8NAArXBoQAJ9E90U+eHZzVN9jG/MVuJKwiNRYZw==
=xI2U
-----END
PGP PUBLIC KEY BLOCK-----
Pranav Lal's Public Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
mQGiBDr9VmoRBADK8ZX4gTXSsOPo/y+eMv/G55y9tfZfh2tTXsIRVSloRwMN0DBD
36yjWfh3xM0Bfa7z57i5gKdjT95sVokKplbTUcMGNoJQZ4h8TWgvr2Wf2FX0U6Bl
0/cm/9iWHh0jolW2Su6WVLznbknL93Pv6ejxfT/LspKvbnQTBOl3/29CZQCg/xFC
5IVVsNP3Aqe7/fHWps10dmUD/3zq1Bhr6VG+xhZ1yKtRkpMJUX5n/2CSvGpqJrxv
vQUW++9KK5MzApMk9DXbPPyvEP8W6Gl4iOVuXyNoEPBpxu38jF2E9sH+I5llzvl9
Gm+wa0Yz6T5qz0DVrxYTgpVAsBnQsJXOoZEqMPnF4fC/Ba2RfnzpwFCjnGqvZsUc
v+3tA/wLc8yBk6mbBYzb3OKBp2y1RGZcN+52U2hTq18/OKT9CGFCrgHLAFi+Y7iK
5hfErXzUUxRJ/m3LqoUTmtPZy+nst+I/IxpmVKNoeMGXT5VcLyy8KU85Q5zz/AAp
x/QRFPJK8aNfzphBXX3g1NBt1Z/0Kz+JHxXyq16U5nNI4eYEnbQgUHJhbmF2IExh
bCA8cHJhbmF2QHNvZnRob21lLm5ldD6JAFgEEBECABgFAjr9VmoICwMJCAcCAQoC
GQEFGwMAAAAACgkQ2E+b6PepG8MJFgCgo8OYI3c8YzfelRdCkPoZzkwCC8gAn27S
Wzb2PjGpeYlJsIYz1t6IixyHuQINBDr9VngQCAD6WhaZlHBHGQN6I0rzIaiEjCz2
IhMAdxipnXV2yn9m6+nrBdA22pMT8ca9dNk66OCSlDTElADuzKQq+CtZrkaMq3I1
AIj5twGGJr7TtIIg03OqZsdAbX0rdcu5HAflqPnc+TIiMij/fyp+NYtRmIIDJd4+
ld0gmnTjzBEEFpaA6FdzUJxAyMltJYUMjfwJNNb7ExXzvQswb6CDI9o0gct+gasy
TzqLhv/GMvqzAcOHANF0Mqtxg1kr3qVE4xN7bxvFdYpnpieJR7fc/RoYGQN+zqt1
fFQwRx5o4S8JGDku9AXhThIeyF9j4JJVfVlQgAY/Sh+nrhV2DpiIAaJhnXuPAAIC
CADzBVhZ6B76lEKLjh0A49iNSxGRHQiWt4ZNZ2Ru+DELeqhIa/hCzpwiXZQkJGL3
FuSHkhuoIKbYRpPBx9kgA+TgjmMHZObxAhT0ZCYjhBPSxFCgm080Gp+A5lR6a4gV
V7uKTtsY/6OQVgjo94sdu2nr3FPW2UIuuMsSzthuXRG3mTe+6fypwjPivlFgOZb7
hRvWnRgG03zEGuIirp3C8PtI6iJyd89npLYWZ93Z5Zu+gT00dLyCMoeToCN0VPZy
tLcFbAoMflYvaRTBpVKYCGDXq6GbMg00egHpbpnOKQCG3rGZg2vsmwke7UViB3kj
l3JevhU1XTu7wsH+WeC8tiFEiQBMBBgRAgAMBQI6/VZ4BRsMAAAAAAoJENhPm+j3
qRvDLisAoNb8Dg2RYuMVciB59pAWAd8geaz5AKD1Y6WL0QRQ//dERubgm/Aq17eE
ig==
=A47s
-----END
PGP PUBLIC KEY BLOCK-----
Bob Rosenberg's Public Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Personal Privacy 6.5.8
mQGiBDYehAsRBAD9Mmgv7gV3JsMQ0sMLWjk9zX4O07h2XHUow0P5hTIL+lEtcjBn
W6152pufGD0cZjEdVHctH9x/nTOoUdcepTLyIHoLVD+MboepvlizEvqfCQNWEadH
BRE3fzSMqxWTl9nAQyXjqDBi+M92mswMQXUNqhg7cxk50Aymb2rQFoc1PwCg/0mu
fQgQ0UmNTKWfovuGhxKV0/8D/1luI30t5sb4DHFB4mgY9an0r0PtSYdHU3M5jrIx
kbHnWPYtydKNWkhBOncZJOnARAQ6q9SzmdoS9bzVIf0FXAVB3TG7IqgkaxXzkCAw
xkyrcxLjuT0GAbFg3t0kAqzsVnmIgfTCCycg/Xfnn+0Nak0Q06yHtOsPz2g8xhYa
K0MDBACIPH5tpJekxd+fZtF4dHqEotrXPcslPECi3BZELAEsntoAHRS/hYtQUFFZ
7bls3/wdMYX9etlxUbfUXhdxtuxJnpT2S0VoVI4h53cnAAhe8jzCOK5qVBUXSsjX
gYgD03BcXfwM4pMIpxbk+5i+oE5E0w2hIH9sfKFbgLHBaj0ZxLQyUm9iZXJ0IEEu
IFJvc2VuYmVyZyA8Ym9iLnJvc2VuYmVyZ0BkaWdpdHNjb3JwLmNvbT6JAEsEEBEC
AAsFAjYehAsECwMCAQAKCRCnsU6BJsi/YQuOAKC8K2jIl841wmyzLE2EXxE9u1Hw
XACg3X9G1Ad9jNGOkGVOLugXnxE36FS5Aw0ENh6ECxAMAMwdd1ckOErixPDojhNn
l06SE2H22+slDhf99pj3yHx5sHIdOHX79sFzxIMRJitDYMPj6NYK/aEoJguuqa6z
ZQ+iAFMBoHzWq6MSHvoPKs4fdIRPyvMX86RA6dfSd7ZCLQI2wSbLaF6dfJgJCo1+
Le3kXXn11JJPmxiO/CqnS3wy9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDa
AadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z
4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBY
K+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WM
uF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmW
n6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6UwybwACAgwAyBlC3K4DLlAq
KOf/gzd0YoazkUyx6qte4IF/wTw/wg9wK7mDqab75zAN1DxcsmpJLaPmWAFu2rWd
U1UqeB5+hnpnrYhFkxzL+TnOa9ckI9S33iLjFPCU185FZJNlVlcgclLeog5DSzCV
TjgUeOEMsSUn5d4a7DSkHPfT8TBMlNPQBTuJGGC15H8cCC+2QmWUuLNkq90z6MR+
E5JOajj6z/7qOvfL4SOVPtQxvF5iz2zduapxGgTz4UqeVwA1X7HkXx7Cumdipg0S
Wn63j4IiHHoU4hDyanEkLX32l5PfhaQ8zfpztcy1TxaKXPPtgOGFNDCMo+dG6HfQ
AO2qsL5rDdvgu9hLeCkHaxVDgCKZ4XZ5T9SgL8v3UKep8JomEFt1kdq4KCBJ/gS/
EvXEbnj6Vs63pYtrKgoWxGCCqva8/fqUAfvsX+llGDLBCWLreMTDPisj4fXmJS7h
Cbdg4bSMbVzRUWLNQ/wJbRhR7eeMcP7vrT/q6rx3eL3QCD5cIOCiiQBGBBgRAgAG
BQI2HoQLAAoJEKexToEmyL9hzEIAoL1BDnbaEbsiFPdGsIOz302dNRNCAKCpB9tr
K5MB6twgr+Ww52xyQf6xww==
=BBVS
-----END
PGP PUBLIC KEY BLOCK-----
If your friend or friends have a Public Key (or Keys) already posted to a certificate server, you can go get it yourself. Here are the steps to do this:
In the search dialog box, type the name of the person whose key you are looking for and hit OK. PGP will go to the international certificate server and find the key or keys for you (many people have more than one Public Key on the certificate server). If a Public for your friend exists on the certificate server, you'll soon see it displayed on your screen.
Click on the Public Key you want so as to highlight it, and then copy it (Edit/Copy or control-C).
Go
back to your PGPkeys window where you see all the keys on your keyring.
If one of the keys is highlighted by default, click anywhere off the list
of keys to make sure no key is currently selected.
Finally, in the PGPkeys window, paste the Public Key you wish to add to your keyring (Edit/Paste or control-V).
First, the encryption process.
In the PGPtray pop-up menu, select Current Window, then in the Current Window sub menu, select Encrypt & Sign. This will bring up the PGPtray Key Selection dialog box where you should see the list of Public Keys including that of the person or persons to whom you wish to send your message. [Note to Screen Reader users: This dialog has 2 list boxes and a couple of buttons. Use the intermediate arrows to navigate among the keys and then double click. The key of choice must appear in the second list box. You can tab to this list box and verify that the key is really there. Also, ensure that the movement of the mouse is synchronized with the highlight focus. You can verify this by comparing the output when you arrow to a key and reading the line at the mouse. The two outputs should be the same.]
Note: The Private Key is kept in a file called the Private Keyring. It is encrypted with your selected passphrase so even if, somehow, someone gets access to your Private Keyring, it will be unusable without access to the Passphrase to decrypt the Key for use. Every time PGP needs access to the Private Key (to Decrypt an Encrypted Message or to Sign an Outgoing Message or someone's Public Key) the Passphrase will need to be re-entered. By default, PGP will remember [cache] your Passphrase for two Minutes so that you do not have to re-enter it if needed more than once within this time frame. However, two minutes isn't much time and the odds are you'll need to re-enter your passphrase every time unless you change this default. Step 14 explains how to do this, along with warnings about how to use the cache wisely and without risk.
Double click on the Public Key of the person to whom you wish to send your message (this selects the key and moves it to the recipients box just below). When you have made your selection, click on OK.
You will be prompted to enter your Passphrase. Type it in carefully, then hit OK. If you did everything correctly, the message will be converted to unintelligible gobbledygook (aka "ciphertext", as it's called in the world of cryptography). [Note to Screen Reader users: Your screen Reader may start reading the encrypted message. You may want to mute the speech.] The ciphertext will look like the following:
qANQR1DBwk4DepqGz+tv7awQC/sGOyvgkqLDEz3QOc4AkDuoTVl9O2y7X260NR47
w77OngPn3z/01yEpVDmkfrpdXKYmVhylICPg1yvNYTyx6EW5LIOYt1yuxLc+bjKS
piwrBdCxz5+VT8z9IQz7BNu75GBP5YMJyhZUgwFRDahPITz0ziqL9nBZeUX27PGL
ZIc32bm/18zLwbLUZi4CSPlnc9PzXTeubwnsaC0ZU1PT+WokkhPRxPrgBHLU/rMj
zqOoh2/dXGMUFY7F0zitGw1jcj+jIf49hpzPZ5oWChZQjnQdREZgaRenx3jRomol
BnT0KgGk+cBp8BIM65DyoYdMKE878n+ngTgIYUYkBLnYXfQv9pgagPlQUgmMWSK/
zRkLS3PpKJFTv629iBXKKDeCteqD4668TRty3N1sEXaFbpMZtaNWJvqlXpbbrAkO
rvKAxMq9gpA+asf6415NSX29FT4uv4D7FWF3fp2e9it8c30//9yKXQ8pJb0vfz8B
vZCwIO1me371DScIwI2D8/8EHzQMALxye7O/tpDW3BEU+NEqsHM2nXdebKl7mPk8
5voUyYZb3vz3PQHNJ+Jg14KybK8Jn7KGji19nHFgFtHN0Qoz4e5aTlZtMksWDaX+
dT6xfrKBo5wOaQHGAX3NHBAMTCqUoZajsGxsc+dQ/WB7Qw4qdZjmLtzj35HcF7s0
5RwOWZ2F9cqSj0b994llaT9zo2jXs5ZM/fAZUBPsCp55EFpe52NFKJgyJY92mYi0
1SK26VMNMdHdp4zHWZdNkhPPG0EgDsz1g+EtY6YXWQYwIKPnQUivf5mhDdhPmWK6
sAR4D7s2Vgqs2gQnvuFxpkDMc5l2rMTAE5+x228SpMPau27BDxBDKLw1i6ak23C+
l2qmiqQg0qeSFy2o7+HmyKWCENl2V84N8eLhoE+iyXj5fL2UvMlqVJePTT76Rz6p
+tD/15JYZo/8uAxIBivaB7P7k2Bqu0bmrCD4wdSKOLzhScxAj15Dtu0kWgEKGs80
VgTMu2iQLtphN7oObhWzUIf9O3MlqMnBCiOp4VFGebnJcDvullUB4OYZD6ZLIecN
8BsqsVlqawJbtWpmRf8973Yg2bicP0ISCwFaoDvR8C+wb3h9nJ9EZeO/mZGjJweR
A6yXK7wyp6JHnvACwFhUkTno7nrdq8cDaG4ssolsUSKnON87ycLFWq/mNs9fhqzF
Y3y7Q4f7hA4EL83+bxc4YGqzirWHeVXetZdft018+0Oz2Au8gRG5AVd+DX+xlr56
mJlkrlzYWG7HuEl8CRS7rAZHgRAIV3I7WDeNEYyBQNt/MfzUQY9+BmbtCsTlOnda
j8IkiL0QIW/9ZyvifxpvzKGKhxdXoqJWVSXLKHGk1qvY9epgw7QWk15crlti0Q4+
aDXvNieN9imk3UNQe2rncqzIKlbxasjparCKXiErQGFjldtTLrZcf7KjNOJuVG9J
HoOZC39ur8rkVrgWuSzrvzhpeQl0VlmdviZpocErZYPtnDQGgA3TbXX4lXoMiM1a
bOxTskUcgIBzN2L9nNfIhVaxJxMd3260SpJxElJ27V6Be97Q+YX4TF9xlH4zWFM3
NpGg1iXWNRb4VSwPE2+ZEiKirrlMsgXxfZNvAy3bAuSm0b1u7Isa/Jjab96DHff6
5g5K
=WRFH
-----END
PGP MESSAGE-----
Now send the message just as you would normally do.
Next, the decryption process.
Click once more on the PGPtray icon in the lower right corner of your screen. [Note to Screen Reader users: If you have enabled the hotkeys, then just hit control+shift+d or whatever hotkey you have assigned to this function].
In the PGPtray pop-up menu, select Current Window, then in the Current Window sub menu, select Decrypt & Verify. This will bring up the dialog box asking you to enter your Passphrase.
Type your Passphrase into the PGP Enter Passphrase dialog box that pops up on the screen, and hit OK. The decrypted message will come up in a new window for you to read. If you wish to keep the decrypted version, you can copy it and paste it into a word processor of your choice before saving it to disk. The decrypted message will look like the following (Note that the message is now readable and the signature has been verified):
*** Signed: 06/30/2001 at 00:51
*** Verified: 06/30/2001 at 00:52
*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
This is a sample of what the above Encrypted&Signed message looks like
after it has been decrypted and the signature has been successfully
verified. Since the Public Key that was used to encrypt this text belongs
to Robert Rosenberg, only he can decrypt the message to extract this
message. An Encrypted&Signed message is a Clear Signed Message (such as the
sample in Step 10 below) prior to the Encrypt Stage and after the Decrypt
Stage. While it is possible to just Encrypt a message, it is usual to also
sign
it to prove its origin.
***
END PGP DECRYPTED/VERIFIED MESSAGE ***
That's
all there is to it. To find out about the many other features of
the PGP program, check out the Manual that was originally downloaded with
the software. It's a .pdf file which will print out beautifully
on your printer so you can read it at your leisure over a nice cup of tea
:) Well, maybe you'll need something a bit stiffer to help you figure
it all out... [Note to Screen Reader users:To
read the manual, you will need the Acrobat Reader accessibility plug in.
You can download it from the Adobe web site
or try sites like http://www.blindprogramming.com.I
use Window Bridge 2000 as my screen reader. Wherever possible, I
have tried to be generic. Where I have used Window Bridge terminology,
I have done my best to explicitly state so.
On
a technical note: The actual encryption/decryption is NOT being done
with the Public/Private keys of your recipient(s) but with a special one-time
key that is generated for use in this specific encrypt & sign
operation. Every time you do an encrypt & sign, a new
one-time key is generated. Unlike the Public/Private key pairs where
anything encrypted with one key needs the other key to do the decrypt,
these one-time keys have the ability to decrypt anything that they encrypt
(hence its being known as a Symmetric Key). When you encrypt
any data, this one-time key is used to do the actual encryption.
The Public key of each recipient is then used to encrypt the one-time key
and added to the encrypted text created with the one-time key. Thus
what results is a list of recipients with the one-time key supplied encrypted
with each person's Public Key along with the common copy of the one-time
key encrypted ciphertext. This format allows a message to be sent
to multiple people at the same time yet allow each to use his or her own
Private Key to read it. The decrypting process involves the recipient's
PGP Program scanning the list of encrypted one-time keys looking for the
copy that was encrypted with their Public Key. This copy is then
decrypted with the Private key to recover the one-time key which then can
be used to do the actual decrypting. The Signing/Verification actions
that occur during an encrypt & sign and decrypt & verify
are covered in Step 10 below and occur prior to the encryption itself
and after the corresponding decrypting of the data.
Click to put a check mark in the small box next to Always encrypt to default key, then click on OK.
The signing is only needed if you need to do the real world linking. The Signing of an Email serves an additional purpose beyond showing that the message was written by the owner of the key, namely that the message has not been altered between the time the owner signed it and the time you verify the signature. So long as the Signature verifies, you know that the message has not been altered. The verification also shows when the message was signed; thus it shows the latest time that it could have been written. This is only in theory since there is no way to prove the validity of the time stamp. In other words: Was the user's computer set to the correct time and what time zone were they in?. When the proof of the accuracy of the time of creation is important, there needs to be some external function applied (such as a Digital Notary signing the message or Digital Signature). Ways in which this can be done is beyond the scope of this tutorial. The actual signing process works as follows:
Upon receipt (or after decrypting, if the message is not clear signed but was encrypted&signed), the Digital Signature is then decrypted with the recipient's Public Key (remember that Encryption with a Private Key allows Decrypting with the corresponding Public Key) to recover the Message Digest.
The message itself is then fed through the Hash Function to produce another Message Digest.
If the two Message Digests match, this proves not only that the message has not been altered but that it was signed by the Key Owner (otherwise the decrypt of the Signature would not have recovered the correct Message Digest and control information to compare with the newly created copy).
This
is a sample of what a Clear Signed Message looks like:
-----BEGIN PGP SIGNED MESSAGE-----
Hash:
SHA1
This
is a sample of a clear signed message. Note that it can be read even if
you do not have PGP or verify the signature. Doing the Verify is only needed
if you want to verify that it was written by who it claims to be from and/or
that it has not been altered after being signed.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
iQA/AwUBOzJwnqexToEmyL9hEQLCPACePdnPEau8VKKcxsD78ysTlWbgHFUAmwZe
mx/Q+qWDRsftiGGjeImc4tjL
=cFLq
-----END
PGP SIGNATURE-----
And
this is what the clear signed message looks like after being verified:
*** PGP Signature Status: good
*** Signer: Robert A. Rosenberg <bob.rosenberg@digitscorp.com>
*** Signed: 6/21/01 at 18:09
*** Verified: 6/21/01 at 18:11
***
BEGIN PGP VERIFIED MESSAGE ***
This
is a sample of a clear signed message. Note that it can be read even if
you do not have PGP or verify the signature. Doing the Verify is only needed
if you want to verify that it was written by who it claims to be from and/or
that it has not been altered after being signed.
***
END PGP VERIFIED MESSAGE ***
When
you sign someone else's Public Key, you are verifying that it belongs to
the person who claims to own it. You are stating that you know this
individual and that the key really belongs to him or her. As it states
in the PGP dialog box for signing a key: "By signing the selected user
ID(s), you are certifying based on your own direct first-hand knowledge
that the key(s) and attached user ID(s) actually belong to the identified
user(s)." Then, before signing, you're asked to remember if you received
the key in a secure manner (you know where it came from) or if you have
verified the fingerprint with the owner. The dialog box includes
the owner's fingerprint so you could, if you wanted to, go over the fingerprint
with the owner in person ideally, or at the very least over the phone,
just to make sure everything's kosher.
In
this way, you are able to give a key greater authenticity. Under
normal circumstances, you may think it unnecessary to validate someone
else's key in this way. You might even think it seems like overkill.
But suppose someone were to masquerade as someone else (say, as you) and
put a Public Key in that person's (or your) name on an internationally
available certificate server. Then suppose that other people were
to encrypt messages using that Public Key, thinking the message could be
decrypted and read only by the person they THINK they're sending it to
(say, you). All the masquerader has to do now is intercept those
messages and easily decrypt them because the masquerader has the Passphrase
and corresponding Private Key.
As
Nick points out above, there are two ways to sign someone else's
Public Key. There is a non-exportable signature, which is
good
for communication between familiar friends who already know and trust
each other informally. Then there is an exportable signature,
based on careful, if necessary face-to-face identification and verification,
which is a much stronger form of reassurance about the integrity of
the owner of the Public Key.
The
important rule of thumb is this: Never, ever sign someone else's
Public Key with an exportable signature UNLESS you are able
to say categorically that you know who he or she is and have a strong assurance
that he or she will not belie your trust. If you follow this rule
of thumb, you will be able, over time, to build up your own personal
Web of Trust while extending the larger, global Public Key encryptionWeb
of Trust. The GNU
Privacy Handbook has an excellent section on Trust, Validity and the
concept behind the Web of Trust.
Here then are the simple steps to sign someone else's Public Key. First as a non-exportable signature:
In the pop up menu, select the item Sign.... Immediately PGP presents a dialog box which lists the key you wish to sign, along with its fingerprint (a long string of hexadecimal characters). The text in the dialog box advises you to ensure that the key you are about to sign was given to you in a secure manner, and if you're not absolutely sure, you should verify the fingerprint with the owner of the Public Key. At the very least, unless you are quite sure the key belongs to the person who owns it, you should phone the individual and have them repeat to you the characters of the fingerprint by way of validation.
You'll notice a small check box next to "Allow signature to be exported" and you are advised that "others may rely upon your signature." DON'T check this box if all you want to do is add a non-exportable signature to the Public Key.
Click on OK to complete the non-exportable signing of the Public Key.
In the pop up menu, select the item Sign.... Immediately PGP presents a dialog box which lists the key you wish to sign, along with its fingerprint (a long string of hexadecimal characters). The text in the dialog box advises you to ensure that the key you are about to sign was given to you in a secure manner, and if you're not absolutely sure, you should verify the fingerprint with the owner of the Public Key. For an exportable signature, this means literally meeting with the individual face-to-face and verbally and/or visually validating that the Public Key you wish to sign with an exportable signature really and truly belongs to the person to whom you believe it belongs. This might sound like overkill, but the fact is that an exportable signature has absolutely no value without this face-to-face guarantee.
You'll notice a small check box next to "Allow signature to be exported" and you are advised that "others may rely upon your signature." For an exportable signature, check this box before you click OK to complete to exportable signature of the Public Key.
Select PGP in the pop-up menu and then you'll see the sub-menu option to Encrypt the document you've highlighted. Click on Encrypt.
Now you're presented with the Key Selection dialog box. Double click on your own Public Key (or drag it down to the Recipients box below) and click on OK. PGP has now created a second, encrypted, version of the document with a .pgp extension.
All you need do now is delete the original, non-encrypted document, so that all you have left on your disk is the encrypted file which only you can read. Do this right away by right clicking on the original and selecting Delete from the pop-up menu.
Now Right click on any document you have highlighted in the list of files you selected (in the right hand side of the Exploring window) and you'll see the new item (PGP) in the pop-up menu.
Select PGP in the pop-up menu and then you'll see the sub-menu option to Encrypt the document(s) you've highlighted. Click on Encrypt.
Now you're presented with the Key Selection dialog box. Double click on your own Public Key (or drag it down to the Recipients box below) and click on OK. PGP will now go ahead and create a second, encrypted, version of each of the files or documents you selected.
All you need do now is delete the original, non-encrypted documents, so that all you have left on your disk are the encrypted files which only you can read. Do this right away. The original documents still should be selected as a block, though if they aren't, just click on the Type header at the top of the Explore window to sort the files as encypted and non-encrypted. Now, with all the originals selected (highlighted), right click on any one of them, then select Delete from the pop-up menu.
Deleting
files on your disks raises another issue, which you can learn about in
the next section...
Right click on the Dummy document and select the option in the pop-up menu to Wipe the file. Simple as that. PGP writes a bunch of random data to the place on your disk where the Dummy file was saved, effectively removing all trace of the original data. Neat, huh?
As mentioned above in Step 8, every time PGP needs access to the Private Key (to Decrypt an Encrypted Message or Sign an Outgoing Message or someone's Public Key) the corresponding Passphrase will need to be re-entered. By default, PGP will remember--cache-- your Passphrase for two minutes so that you do not have to re-enter it if needed more than once within this time frame. A cache (which means "hidden" or "hiding place" in French) is a small area on your disk used by the computer to store data it needs to access quickly and frequently. PGP's Passphrase caches are used to save you time by temporarily holding your Passphrases (you may have more than one) after you've typed them a first time in a session at the computer. Unfortunately, two minutes is too short a time frame for most users, with the result that it's usually necessary to re-enter the Passphrase every time. This is no problem if your Passphrase is short and easy to enter; but a short, simple Passphrase defeats the purpose of PGP which encourages the use of suitably large and complex Passphrases in order to foil attempts at cracking them, as explained above in Step 3 above.
Click on the PGPtray icon in the lower right corner of your screen and select Options... in the pop-up menu.Make sure the General tab is selected in the Options dialog box and notice the Passphrase caching options related to Single Sign-On.Increase the default amount of time you want your Passphrase cached. If you normally are at your computer for an hour or more, you might increase the time to one hour, for example. If you always log off when you leave your computer, you might select the option to cache your Passphrase while logged on.
The simplest way to do this is to use the quick keyboard (hotkey) command: control-F12. Hold down the control key while you press the F12 key.The important thing is to err on the side of safety. Don't cache your passphrase for a long period of time because if someone comes to your computer while you're away from the machine, your encrypted information will be able to be read if that person knows how to use PGP. Depending on your circumstances (are you concerned that someone nearby might check out the contents of your computer?) you should get into the habit of purging your Passphrase caches whenever you leave your computer unattended. Better safe than sorry.
Task | HotKey |
Purge Passphrase Caches | control-F12 |
Encrypt Current Window | control-shift-e |
Sign Current Window | control-shift-s |
Encrypt & Sign Current Window | control-shift-c |
Decrypt & Verify Current Window | control-shift-d |
© Bernie Poole, Netiva Caftori, Pranav Lal, Bob Rosenberg, 2001-2018. All rights reserved. / poole@pitt.edu, ncaftori@neiu.edu, pranav@softhome.net, robert.rosenberg@rarpsl.com / Revised September 7, 2018