Cover V06, I07

jul97.tar


PGP: A Simple Guide to Pretty Good Privacy Setup

David Endler

The last decade has seen an explosion of people joining the online community; unfortunately, not all of them have the best of intentions. The information highway is evolving rapidly, and online privacy is beginning to take a pivotal role in its development. Today, an Internet user's privacy is vulnerable to a plethora of online attacks, and sending messages with guaranteed secrecy has never before been such a hotly pursued goal. During the past few years, the freeware program PGP has become the de facto standard for encryption of email over the Internet. This article, the first of a two-part series, examines issues involved in the initial setup of PGP.

"What is PGP?" (Pretty Good Privacy)

PGP is a program that allows regular users to provide a high level of confidentiality in their email. It is somewhat controversial because it is capable of "military grade" cryptography, which means it can seriously thwart efforts by some government agencies to decrypt the mail for their own uses. Whether this is still true remains unknown to the public. Obviously the U.S. government did not like Phil Zimmermann's releasing strong cryptography to the world and tried unsuccessfully to prosecute him.

Currently, PGP is used throughout the Internet community for several main reasons. For beginners, the three main functions of PGP to focus on are:

1. Encryption of a message so that only the intended receiver can decrypt the message. This is the most common use with email communication.

2. Authentication by signing a plaintext message. This means putting a unique digital signature at the end of the message to guarantee that it could only have come from the sender and not an impostor. This is most useful on newsgroups, so that others can be sure messages arriving from you are not being forged.

3. Encrypting files so that only the user can decrypt them, giving more security when leaving sensitive information exposed on a multi-user system or an otherwise accessible computer.

Many people wonder whether encryption is worth the hassle. If all of these precautions seem a little paranoid, consider that it is the value of your own privacy that is at stake. Some malicious people would go to great lengths to read your private communications or forge your identity, for no better reason than the thrill. PGP can serve as a valuable protection, but ultimately it is up to you whether or not your privacy is worth it.

The Version Game

If you do not already have PGP on your system, choosing a version can be somewhat confusing. There are four main versions of PGP, and some of the variations have to do with U.S. export restrictions of strong cryptography. For the purposes of this article, all examples are shown with MIT PGP version 2.6.2, legally available only to those in the United States. Here are the UNIX versions we need to be concerned about:

MIT PGP 2.6.2 - The official freeware release that has been developed under the close supervision of Phil Zimmermann. It uses the RSAREF library, developed by RSA Inc., which makes this version illegal to export out of the United States. If you live in the United States, this version is for you.

PGP 2.6.3.i - The "international" version that uses older encryption routines, which do not have the restrictions inherent in the RSAREF license agreement. It is compatible with all other PGP 2.x versions and actually fixes some of the bugs found in PGP 2.6.2.

PGP 2.6ui - The "unofficial international" version of PGP, which is an older version (2.3a) with minor modifications made so that it can decrypt files encrypted with MIT PGP.

PGPmail 4.0 Business Edition (Formerly Viacrypt 4.0) - The commercial version of PGP developed by Viacrypt Inc., which was acquired in July of 1996 by PGP Inc., a company started by Phil Zimmermann and others to push PGP into the commercial market. The UNIX version is basically the same command prompt driven interface as the freeware versions, but possesses some extra features for a corporate environment. See http://www.pgp.com for more information.

Depending on where you live and the strength of your encryption needs, you should choose the version appropriate for you. See Mike Johnson's FAQ in Resources on where to obtain PGP.

Public Key Encryption

PGP relies on the RSA public key encryption algorithm for the public key services it provides. Public key encryption simply means that everyone using PGP has two separate keys: the widely distributed public key, which encrypts information, and the secret key, held only by the user. The general idea is that any message can be scrambled in such a way that only the intended receiver can read it. Not even the person who encrypted the information should be able to decrypt it, unless the sender and receiver happen to be the same person.

Therefore, any person wanting to send you a confidential message must obtain your public key and encrypt the message using that key. After the message is encrypted, only you have the power to decrypt it using your secret key.

Similarly, any message can be "signed" with your secret key. Then, the receiver can perform a check on the message using your public key to verify your identity. A digital signature is placed at the end of the message and is unique for each message and each key. The text of the message need not be encrypted as long as the sender's identity is established. For example, if Bob sends a message to a newsgroup signed with his secret key, everyone on the newsgroup who has Bob's public key will be able to verify his identity from the signature and still read the original message. Therefore, to use PGP on the Internet, you must:

1. Make sure that everyone who might want to send you an encrypted message has your public key.

2. Obtain the public key of anyone to whom you might want to encrypt a message.

3. Above all else, keep your passphrase and secret key secure!

Getting Started

If you have never used PGP before, the following is a step by step tutorial for the beginner, as well as a refresher for the learned user.

Assuming PGP is already installed on your UNIX system, the very first task with it is to create the directory in which PGP will store all of its files. By default this is $HOME/.pgp, and that directory must be created before we get started. For now, type the following commands from your favorite UNIX prompt:

% mkdir ~/.pgp
% chmod 700 ~/.pgp

Only you should be able to look into this directory because of the security of your secret key that will be stored there.

PGP is not a particularly user-friendly program; it is a typical UNIX-style command line program. All commands are entered by typing pgp followed by command line arguments, usually prefaced by the "-" character. At any time at your prompt, you can type pgp -h or pgp -k to see the most commonly used pgp options.

Before we can start encrypting and signing files, we must first create a public and secret key. Generating a public/private key pair is done by typing pgp -kg.

% pgp -kg
No configuration file found.
Pretty Good Privacy(tm) 2.6.2 - Public-key encryption for the masses.
(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software. 11 Oct 94
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Distributed by the Massachusetts Institute of Technology.
Export of this software may be restricted by the U.S. government.
Current time: 1997/03/05 16:41 GMT
Pick your RSA key size:
1)   512 bits- Low commercial grade, fast but less secure
2)   768 bits- High commercial grade, medium speed, good security
3)  1024 bits- "Military" grade, slow, highest security
Choose 1, 2, or 3, or enter desired number of bits:

In some versions, PGP can go up to 2048 bits, but for now we'll choose 3 to achieve maximum protection in our encryption. The larger the key, the longer the time needed to generate a public/private key pair. Fortunately, key generation is a one-time procedure, so the wait is a worthwhile investment.

After we choose 3, PGP responds with:

Generating an RSA key with a 1024-bit modulus.

You need a user ID for your public key.  The desired form for this
user ID is your name, followed by your E-mail address enclosed in
<angle brackets>, if you have an E-mail address.
For example:  John Q. Smith <12345.6789@compuserve.com>
Enter a user ID for your public key:

So, now you should enter your user ID in the above form. For example, I enter:

David Endler <endler@eecs.tulane.edu>

to which PGP now responds with:

You need a pass phrase to protect your RSA secret key.
Your pass phrase can be any sentence or phrase and may have many
words, spaces, punctuation, or any other printable characters.

Enter pass phrase:

Choosing your PGP passphrase should not be an arbitrary decision, because there are some important guidelines involved with devising it. The increasing strength of current cryptosystems means that your passphrase is more of a vulnerable target than the actual algorithms. A poor passphrase choice could represent a fundamental weakness in the PGP chain, which can be easily exploited in a basic dictionary attack (trying many variations using online dictionary words and encrypting them to see if a match occurs).

First, notice that the term "passphrase" and not "password" is used. A passphrase can be a sentence or a really long string such as "ThIs pgP P@sspHrase." The ideal passphrase should be easy enough to remember, and yet obscure enough to evade obvious guesses like dates of birth or children's names. Remember that this is something that you will have to type over and over again, so be easy on yourself while trying to preserve a sense of security. There are a couple of online references to assist in your passphrase creation (Grady Ward and The Passphrase FAQ). I like Grady Ward's idea of "shocking nonsense," in which your passphrase contains something so shocking, inconceivable, obscene, and possibly vulgar to a person's culture that it would be almost impossible to guess. Due to the somewhat entertaining nature of your "shocking" passphrase, it is also easy to remember. What happens if you forget your passphrase? In a word: Don't! There is no way to retrieve your secret key, and you will be forced to create a new public/secret key pair and revoke your old public key all over the Internet.

Once you are ready to proceed with your key generation, enter your carefully chosen passphrase. Any time after key generation that you wish to change your passphrase, you can type pgp -ke.

After you enter your passphrase, PGP responds with:

We need to generate 752 random bits.  This is done by measuring the
time intervals between your keystrokes.  Please enter some random
text on your keyboard until you hear the beep:
752

The number of random bits will vary for each person and each instance, so do not worry when you notice a different amount of random bits requested. Do exactly as prompted: start hitting keys until the number (in this case 752) at the bottom decrements to 0. At this time, PGP will start to build your keys. This may take a little while depending on the speed of your system:

0 * -Enough, thank you.
.**** ....................****
Key generation completed.
%

The process is complete, and we have been returned to the prompt. Now, if you look in your .pgp directory, you will notice three new files: pubring.pgp (your default public key ring), randseed.bin (used by PGP in the random number generation process; do not worry about it), and secring.pgp (your default secret key ring). What is all this mention of rings? The public and private keys are stored in these files or "rings." These are file structures to which you can add many keys so you do not have to store a different file for each person's public key. For instance, when I refer to someone's "public key ring," I mean the file that holds all of their public keys in the special structure that PGP constructs.

Before you can start using pgp, there are a few things you must do to protect yourself in the future.

Signing Your Key

Key signing is done to ensure that public keys are not forged by someone pretending to be you. The first thing you must immediately do after generating your public/private key pair is sign your public key. Signing a public key means that you are testifying electronically that the corresponding user ID is valid (i.e., that you are sure of its authenticity). Your signature on the public key ensures that no one can alter your key or user ID without detection.

If you distribute your public key without a signature on it, you are making yourself vulnerable to a denial of service attack. To illustrate with an example, assume that I get a copy of your unsigned key, use an editor to change the user ID field so that my email address is now listed with your name, and distribute the key widely. Now, anyone using the forged key to send you encrypted mail will actually be sending it to me, if they use the email field listed in the ID. I obviously cannot read the mail because it is encrypted, but neither can you, because it was never received. Your digital signature is computed from a cryptographic hash whose input is your public key and the user ID string. Once the key has been tampered with, this signature is no longer valid, and the forgery will be detectable.

Thus, we will now sign our key with the following pgp command: pgp -ks <user_id> (see sidebar on User IDs), or in my case:

% pgp -ks endler

A secret key is required to make a signature. You specified no user ID
to select your secret key, so the default user ID and key will be the
most recently added key on your secret keyring.

Looking for key for user 'endler':

Key for user ID: David Endler <endler@eecs.tulane.edu>
1024-bit key, Key ID C778F0ED, created 1997/03/05
Key fingerprint =  72 1D 61 6A 0E 1D 5F A7  15 A6 40 69 31 F4 D0 9F

READ CAREFULLY:  Based on your own direct first-hand knowledge, are
you absolutely certain that you are prepared to solemnly certify that
the above public key actually belongs to the user specified by the
above user ID (y/N)?

Unless you are having an identity crisis, you enter "y" to which PGP responds:

You need a pass phrase to unlock your RSA secret key.
Key for user ID "David Endler <endler@eecs.tulane.edu>"

Enter pass phrase:

Enter your freshly concocted passphrase to unlock your secret key.

Pass phrase is good. Just a moment....

Key signature certificate added.

And now you have protected yourself against disaster.

Advertising and Retrieving Public Keys

The first thing to do with your public key after you sign it is to extract an ASCII text version. Once you have a text version of your public key that PGP can read, you will be able to distribute it to your potential correspondents. The command pgp -kxa <user_id> out_filename should be used to extract public keys.

For example, to extract my key I type:

% pgp -kxa endler publickey

Extracting from key ring: '/home/endler/.pgp/pubring.pgp', userid "endler".

Key for user ID: David Endler <endler@eecs.tulane.edu>
1024-bit key, Key ID C778F0ED, created 1997/03/05

Transport armor file: publickey.asc

Key extracted to file 'publickey.asc'.

Now, you are ready to distribute your public key far and wide. There are many options for making your public key accessible to people who wish to send you encrypted email, and for retrieving their public keys as well.

1. Physical Exchange - This is the most secure means for public key exchange. Two people can get together over lunch and exchange diskettes with their ASCII formatted public keys. Some people actually organize key signing parties in which everyone brings a copy of their keys and signs them away in person.

2. Public Key Servers - A public key server is basically a giant public key ring with an interface for retrieving single keys. Anyone can query the server for a key, and anyone can also add their key to the ring. Public key servers on the Internet are interlocked so that if you send your key to one of them, it is automatically updated to the rest of the servers.

For the email interface to the pgp.net Public Key servers, send a mail with a subject line of "HELP" to pgp-public-keys@keys.pgp.net, or access the URL: http://www.pgp.net/pgpnet/email-help-en.html.

The automated response help docs are shown in the sidebar and are pretty self-explanatory. As the return response mentions, you can also use the WWW or ftp interface. With the ftp interface, you download the entire public ring, which is about 17 Mb currently. ftp to ftp.pgp.net:pub/pgp/keys and get the file pubring.pgp if you're interested in having all of the keys. Notice that there is no guarantee that the keys are genuine, so be careful!

3. Finger information - Many people place their public keys in some part of their finger information, almost always in the file .plan. For example, when I look up my friend Tudo Nguyen using the finger utility with the -l option, his public key comes up along with his other finger information:

% finger -l nguyent@eecs.tulane.edu
[eecs.tulane.edu]
Login name: nguyent                     In real life: Tudo Nguyen
Directory: /home/nguyent                Shell: /bin/tcsh
Last login Thu Mar  6 10:44 on pts/26 from pegasus
New mail received Fri Mar  5 01:08:51 1997;
unread since Fri Mar  5 00:41:34 1997
Plan:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzMfyLkAAAEEAKReBK+wm0yVdxagisjUxjBVCsKv2g3UZipbtwg0pfLidO1s
VL9T301klO1CEbI8q5OakVPaDwsfAelZb5OWcKy57/lgYWo2CGyVYOp8/3BZ7XN/
mErkni8C9kM1W1PJo5GEHRu2EyLW1CBUxDWgs8UUuBNa26YC/eQFXXSo/qfJAAUR
tCVUdWRvIE5ndXllbiA8bmd1eWVudEBlZWNzLnR1bGFuZS5lZHU+iQCVAwUQMx/I
2uQFXXSo/qfJAQEfXAP/YR2Rzk/d94dDNwY5dd3UPRFTzLY1U++KkXVDCWT3+vPA
ww1hWTmPmg7G0lZ13EOf63c+c7wiQc0ZJ9ieDATxWwxMnfdnjap9s3mKTaEUqdC7
FneuudAkTVtJ4ZV1Km7o9T/nc0bmHq0aakcch2RhsMqN1cdACtjVgOHJHjj+ugQ=
=AxxP
-----END PGP PUBLIC KEY BLOCK-----

Before I discuss one more way to exchange keys, "Key Fingerprints" deserve some mention. The fingerprint of a public key is the 128-bit MD5 hash code represented in hexadecimal. For convenience, my key fingerprint is mentioned in the byline of this article. The fingerprint of any public key is unique for all intents and purposes.

Key fingerprints are extremely useful for verifying public keys and their authenticity. For example, assume that you retrieve my public key from a public key server, but you are not 100% sure that no one has tampered with it in transit to your system. Before adding the public key to your public key ring, one way to verify the key is to first determine its key fingerprint by typing:

pgp -kvc <public_key_file>

on the file containing the key you retrieved (public_key_file). You will see output like:

pub  1024/CCDB1369 1996/09/27 David Endler <endler@eecs.tulane.edu>
          Key fingerprint =  C4 4F 9C E7 E0 99 2A D3  B1 A7 3E EA E3 0F A1 0F
1 matching keys found.

Next, you can call me on the phone, and I can recite my key fingerprint to you, or you can compare it to where it is published (this article) or some other medium that you trust. If the two fingerprints match, then you can be reasonably secure in the fact that you have an authentic public key.

4. Signature Files in Email - The fourth way to advertise your public key is to use a combination of the above methods. You can make your email .signature file look something like this:

Bob Jones
System Administrator
123 Elm Street
Los Angeles, CA 12345

PGP fingerprint:  74 9C 45 E0 2A D3 66 E7  EB E3 0E A4 0F 37 C4 B2
PGP public key available by fingering Bob_J@place.com

This allows people to verify your public key independently. However, the only sure way to authenticate the key is either physically or by calling the owner of the key on the phone.
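The two operations just described, pulling a key out of a file that also contains unrelated finger text and checking the key's fingerprint, can be done by hand to see what PGP is looking at. The following Python script is an added example written for this article, not code from PGP or from the author: it takes Tudo's finger output quoted above, locates the armored block among the other finger lines, verifies the "=AxxP" armor checksum (the OpenPGP CRC-24), decodes the PGP 2.x packets, and derives the key ID, creation date, key size and MD5 fingerprint that pgp -kvc reports. The packet layout is the PGP 2.x version-3 format (RFC 1991); function names are my own.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

# Sample input: the finger output quoted in the article, including the login
# and plan lines that sit around the key block and must be skipped over.
FINGER_OUTPUT = """\
[eecs.tulane.edu]
Login name: nguyent                     In real life: Tudo Nguyen
Plan:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzMfyLkAAAEEAKReBK+wm0yVdxagisjUxjBVCsKv2g3UZipbtwg0pfLidO1s
VL9T301klO1CEbI8q5OakVPaDwsfAelZb5OWcKy57/lgYWo2CGyVYOp8/3BZ7XN/
mErkni8C9kM1W1PJo5GEHRu2EyLW1CBUxDWgs8UUuBNa26YC/eQFXXSo/qfJAAUR
tCVUdWRvIE5ndXllbiA8bmd1eWVudEBlZWNzLnR1bGFuZS5lZHU+iQCVAwUQMx/I
2uQFXXSo/qfJAQEfXAP/YR2Rzk/d94dDNwY5dd3UPRFTzLY1U++KkXVDCWT3+vPA
ww1hWTmPmg7G0lZ13EOf63c+c7wiQc0ZJ9ieDATxWwxMnfdnjap9s3mKTaEUqdC7
FneuudAkTVtJ4ZV1Km7o9T/nc0bmHq0aakcch2RhsMqN1cdACtjVgOHJHjj+ugQ=
=AxxP
-----END PGP PUBLIC KEY BLOCK-----
"""

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 6.1), the value carried on the '=xxxx' armor line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def extract_key_block(text: str) -> tuple[bytes, bool]:
    """Find the first armored public key block in arbitrary text; return
    (decoded packet bytes, whether the armor checksum matched)."""
    m = re.search(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)"
                  r"-----END PGP PUBLIC KEY BLOCK-----", text, re.S)
    if not m:
        raise ValueError("no PGP public key block found")
    lines = [l.strip() for l in m.group(1).splitlines()]
    body = lines[lines.index("") + 1:] if "" in lines else lines   # skip "Version:" headers
    data = base64.b64decode("".join(l for l in body if l and not l.startswith("=")))
    trailer = next((l for l in body if l.startswith("=")), None)
    crc_ok = trailer is not None and crc24(data) == int.from_bytes(base64.b64decode(trailer[1:]), "big")
    return data, crc_ok

def iter_packets(data: bytes):
    """Yield (tag, body) for the old-format packet headers that PGP 2.x writes."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80 or ctb & 0x40 or ctb & 3 == 3:
            raise ValueError(f"unsupported packet header {ctb:#04x} at offset {i}")
        tag, len_size = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 3]
        length = int.from_bytes(data[i + 1:i + 1 + len_size], "big")
        start = i + 1 + len_size
        yield tag, data[start:start + length]
        i = start + length

def read_mpi(body: bytes, off: int) -> tuple[int, bytes, int]:
    """Return (bit length, big-endian value bytes, next offset) of a multi-precision integer."""
    bits = int.from_bytes(body[off:off + 2], "big")
    end = off + 2 + (bits + 7) // 8
    return bits, body[off + 2:end], end

def parse_public_key(data: bytes) -> dict:
    """Decode the version-3 RSA key packet (tag 6), user IDs (13) and count signatures (2)."""
    info = {"user_ids": [], "signatures": 0}
    for tag, body in iter_packets(data):
        if tag == 6:
            if body[0] != 3:
                raise ValueError(f"unsupported key packet version {body[0]}")
            created = int.from_bytes(body[1:5], "big")   # seconds since the UNIX epoch
            bits, n, off = read_mpi(body, 8)             # modulus follows the 8-byte header
            _, e, _ = read_mpi(body, off)                # public exponent comes next
            info.update(
                created=datetime.fromtimestamp(created, tz=timezone.utc).strftime("%Y/%m/%d"),
                algorithm="RSA" if body[7] == 1 else f"algorithm {body[7]}",
                bits=bits,
                exponent=int.from_bytes(e, "big"),
                # PGP 2.x key ID is the low 64 bits of n; listings show the low 32 bits
                key_id=n[-4:].hex().upper(),
                # V3 fingerprint: MD5 over the MPI bodies of n and e, without their length octets
                fingerprint=" ".join(f"{b:02X}" for b in
                                     hashlib.md5(n + e, usedforsecurity=False).digest()),
            )
        elif tag == 13:
            info["user_ids"].append(body.decode("latin-1"))
        elif tag == 2:
            info["signatures"] += 1
    return info

def inspect_finger_output(text: str = FINGER_OUTPUT) -> dict:
    data, crc_ok = extract_key_block(text)
    info = parse_public_key(data)
    info["crc_ok"] = crc_ok
    return info

if __name__ == "__main__":
    for field, value in inspect_finger_output().items():
        print(f"{field:>11}: {value}")
```

Running the script prints the same key ID (A8FEA7C9), creation date (1997/03/07) and key size that pgp -ka lists for Tudo's key, plus the fingerprint to hold up against the one you obtained out of band. Any alteration to a byte of the key block changes both the armor checksum and the fingerprint, which is why comparing the fingerprint over the phone or against a printed copy catches the tampering described above.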

Adding Keys to Your Public Key Ring

Now that you have seen how to effectively publish and retrieve public keys, you'll want to be able to add them to your public key ring so that you can eventually encrypt messages to those people. Assume that I retrieved my friend Tudo's public key that was shown in the example on publishing in the finger info.

% finger -l nguyent@eecs.tulane.edu > tudokey

I have stored Tudo's finger information (including public key) in the file tudokey. The command for adding a key to my public key ring is: pgp -ka <filename>. You can also type pgp <filename>, and PGP will be intelligent enough to realize it is dealing with a public key and act appropriately even though there may be other PGP irrelevant things in the file.

% pgp -ka tudokey

Looking for new keys...
pub  1024/A8FEA7C9 1997/03/07  Tudo Nguyen <nguyent@eecs.tulane.edu>

Checking signatures...
pub  1024/A8FEA7C9 1997/03/07  Tudo Nguyen <nguyent@eecs.tulane.edu>
sig!      A8FEA7C9 1997/03/07  Tudo Nguyen <nguyent@eecs.tulane.edu>


Keyfile contains:
1 new key(s)

One or more of the new keys are not fully certified.
Do you want to certify any of these keys yourself (y/N)? y

If you are confident of the integrity of the PGP fingerprint, answer "y" to this question; if you are not sure, answer "n".

Key for user ID: Tudo Nguyen <nguyent@eecs.tulane.edu>
1024-bit key, Key ID A8FEA7C9, created 1997/03/07
Key fingerprint =  6E 9F 83 B4 8A C4 5C 9C  8B 1C 78 A8 51 E2 25 B0
This key/userID association is not certified.
Questionable certification from:
Tudo Nguyen <nguyent@eecs.tulane.edu>

Do you want to certify this key yourself (y/N)? y

PGP then goes through each ID in the file and asks you if you wish to sign the key yourself, thereby adding your own certification signature to the key. If you are absolutely certain that the key is valid, enter "y"; otherwise answer "n". In this case, I just talked to Tudo a few minutes ago and am very confident that his key is valid based on the key fingerprint.

Looking for key for user 'Tudo Nguyen <nguyent@eecs.tulane.edu>':

Key for user ID: Tudo Nguyen <nguyent@eecs.tulane.edu>
1024-bit key, Key ID A8FEA7C9, created 1997/03/07
Key fingerprint =  6E 9F 83 B4 8A C4 5C 9C  8B 1C 78 A8 51 E2 25 B0

READ CAREFULLY:  Based on your own direct first-hand knowledge, are
you absolutely certain that you are prepared to solemnly certify that
the above public key actually belongs to the user specified by the
above user ID (y/N)? y

If you accidentally sign a forged certificate, it will seem valid to those trusting you. Suppose you unknowingly distribute a copy of a bogus public key that you have signed. Those people who place ultimate PGP trust in you will be fooled into adding this key to their key ring since they assume you were careful when signing and verifying it. Thus PGP reconfirms your willingness to sign this key because of the ramifications to others who trust you. If your confidence is still unwavering, press "y" and enter your passphrase to sign the key:

You need a pass phrase to unlock your RSA secret key.
Key for user ID "David Endler <endler@eecs.tulane.edu>"

Enter pass phrase: Pass phrase is good.  Just a moment....
Key signature certificate added.

Make a determination in your own mind whether this key actually
belongs to the person whom you think it belongs to, based on available
evidence.  If you think it does, then based on your estimate of
that person's integrity and competence in key management, answer
the following question:

Would you trust "Tudo Nguyen <nguyent@eecs.tulane.edu>"
to act as an introducer and certify other people's public keys to you?
(1=I don't know. 2=No. 3=Usually. 4=Yes, always.) ? 3
%

Note the last question concerning trust. This issue is an integral part of PGP. The trust model in PGP is essential when exchanging keys and establishing the authenticity of a key. Trust does not necessarily reflect the character of the person whose key you are certifying. The PGP trust levels refer to how much the user thinks the owner of the public key can be trusted to "introduce" another trustworthy public key certificate.

The four levels of trust (corresponding to the answers to the last question) are:

1. "I don't know" - There are no expressions of trust made about this public key. Basically a public key you find lying around somewhere.

2. "No" - Untrustworthy: This public key should not be trusted to introduce another, so any occurrence of this key as a signature on another public key will be ignored.

3. "Usually" - Marginal trust: This public key can be trusted to introduce another public key, but it is uncertain whether it is fully competent to do that. The number of signers needed is adjustable within the pgp config file.

4. "Always" - Full trust: This public key is fully trusted to introduce another public key. By default, any public key created by you has ultimate trust, because in the end you have to trust yourself.

You can view the trust levels for each public key by typing pgp -kc. Notice the two public keys denoted by type "pub," and the people who have signed and verified the keys denoted by "sig!". The trust levels are shown below:

% pgp -kc

Key ring: '/home/endler/.pgp/pubring.pgp'
Type  bits/keyID      Date      User ID
pub   1024/A8FEA7C9 1997/03/05  Tudo Nguyen <nguyent@eecs.tulane.edu>
sig!  C778F0ED      1997/03/05  David Endler <endler@eecs.tulane.edu>
sig!  A8FEA7C9      1997/03/05  Tudo Nguyen <nguyent@eecs.tulane.edu>
pub   1024/C778F0ED 1997/03/05  David Endler <endler@eecs.tulane.edu>
sig!  C778F0ED      1997/03/05  David Endler <endler@eecs.tulane.edu>

KeyID      Trust     Validity   User ID
A8FEA7C9   marginal  complete   Tudo Nguyen <nguyent@eecs.tulane.edu>
c          ultimate             David Endler <endler@eecs.tulane.edu>
c          marginal             Tudo Nguyen <nguyent@eecs.tulane.edu>
* C778F0ED ultimate  complete   David Endler <endler@eecs.tulane.edu>
c          ultimate             David Endler <endler@eecs.tulane.edu>

Note the marginal trust characteristics. Tudo is one of my best friends, but it is a good policy to assign ultimate trust only to yourself. If at any time you want to edit the trust parameters for a key, type pgp -ke. For a full description of the PGP trust model, look at the online work of Alfarez Abdul-Rahman at:

http://www.cs.ucl.ac.uk/staff/F.AbdulRahman/docs
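To make the distinction between trust (what you think of a key's owner as an introducer) and validity (whether a key has been sufficiently vouched for) concrete, here is an added example, my own code rather than anything from PGP or the article, that applies the introducer rule to the key ring listed above plus a few constructed keys with placeholder IDs. The thresholds are named after the Completes_Needed and Marginals_Needed settings in PGP 2.6.2's config file, with defaults of 1 and 2 assumed; the computation is a simplified model of PGP's rule (self-signatures carry no weight, and only a key that is itself valid can introduce others), not PGP's own code.

```python
from dataclasses import dataclass, field

# Assumed defaults for the config.txt thresholds the article mentions.
COMPLETES_NEEDED = 1   # one fully trusted introducer makes a key valid
MARGINALS_NEEDED = 2   # or this many marginally trusted introducers

@dataclass
class Key:
    user_id: str
    trust: str = "undefined"   # undefined | untrusted | marginal | complete | ultimate
    signers: set = field(default_factory=set)   # key IDs whose signatures appear on this key

def validity(ring: dict, key_id: str, completes_needed: int = COMPLETES_NEEDED,
             marginals_needed: int = MARGINALS_NEEDED, _seen: frozenset = frozenset()) -> str:
    """Return 'complete', 'marginal' or 'undefined' for the key with this ID."""
    key = ring[key_id]
    if key.trust == "ultimate":
        return "complete"          # your own key is valid by definition
    if key_id in _seen:
        return "undefined"         # break cycles of keys signing each other
    seen = _seen | {key_id}
    completes = marginals = 0
    for signer_id in key.signers:
        if signer_id == key_id or signer_id not in ring:
            continue               # a self-signature or an unknown signer vouches for nothing
        signer = ring[signer_id]
        if validity(ring, signer_id, completes_needed, marginals_needed, seen) != "complete":
            continue               # an introducer must itself be a valid key
        if signer.trust in ("complete", "ultimate"):
            completes += 1
        elif signer.trust == "marginal":
            marginals += 1
    if completes >= completes_needed or marginals >= marginals_needed:
        return "complete"
    return "marginal" if (completes or marginals) else "undefined"

def sample_ring() -> dict:
    """The two keys from the article's pgp -kc listing plus constructed keys (placeholder IDs)."""
    return {
        "C778F0ED": Key("David Endler <endler@eecs.tulane.edu>", "ultimate", {"C778F0ED"}),
        "A8FEA7C9": Key("Tudo Nguyen <nguyent@eecs.tulane.edu>", "marginal", {"A8FEA7C9", "C778F0ED"}),
        "DDDDDDDD": Key("Dan (constructed)", "marginal", {"DDDDDDDD", "C778F0ED"}),
        "CCCCCCCC": Key("Carol (constructed)", "undefined", {"CCCCCCCC", "A8FEA7C9"}),
        "EEEEEEEE": Key("Erin (constructed)", "undefined", {"EEEEEEEE", "A8FEA7C9", "DDDDDDDD"}),
        "FFFFFFFF": Key("Frank (constructed)", "undefined", {"FFFFFFFF", "CCCCCCCC"}),
    }

def report(ring: dict, **thresholds) -> dict:
    """Map each key ID to (trust, validity), the two columns of the pgp -kc table."""
    return {kid: (key.trust, validity(ring, kid, **thresholds)) for kid, key in ring.items()}

if __name__ == "__main__":
    ring = sample_ring()
    print(f"{'KeyID':<10} {'Trust':<10} {'Validity':<10} User ID")
    for kid, (trust, valid) in report(ring).items():
        print(f"{kid:<10} {trust:<10} {valid:<10} {ring[kid].user_id}")
```

With the defaults, Tudo's key is complete because David (ultimate) signed it, Carol's key is only marginal because one marginally trusted introducer is not enough, Erin's is complete because two marginal introducers reach the threshold, and Frank's stays undefined because his only signer, Carol, is not herself a valid key. Lowering Marginals_Needed to 1 is what turns Carol's key valid, which is the lever the article says the config file exposes.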

The procedures outlined here provide a rudimentary PGP environment that will enable you to sign electronic documents and encrypt files. I encourage you to read the materials referenced here for a more complete understanding of PGP and the ramifications of variations in its use. Next month, I will discuss processes of encrypting documents and signing email.

About the Author

David Endler is a senior at Tulane University majoring in computer science with an emphasis in network security. His PGP key fingerprint is: C4 4F 9C E7 E0 99 2A D3 B1 A7 3E EA E3 0F A1 0F, and his PGP public key may be obtained by fingering endler@studentweb.tulane.edu. He can be reached via email at: endler@eecs.tulane.edu.