PGPPretty Good Privacy
Document Revision 1.03
Last revised on 8 November, 1998
Table of Contents
Note: This FAQ is now a bit dated because of the release of post-2.6.2 versions of PGP. This FAQ covers version 2.6.2 of pgp.
What is PGP?
How do I get started? (Where do I get it, how do I use it?)
What is PGP?
PGP or Pretty Good (TM) Privacy is a high-security cryptographic software application that allows people to exchange messages with both privacy and authentication.
Privacy means that only those intended to receive a message can read it. By providing the ability to encrypt messages, PGP provides protection against anyone eavesdropping on the network. Even if a packet is intercepted, it will be unreadable to the snooper. Authentication ensures that a message appearing to be from a particular person can have originated from that person only, and that the message has not been altered. In addition to its support for messages, PGP also enables you to encrypt files stored on your computer.
Instructions to get you started
1.Get the right version of PGP
You'll need to download or purchase PGP for use on your local computer.
You may visit these sites to acquire PGP:
International version: http://www.pgpi.com
Original version: http://web.mit.edu/network/pgp.html
Commercial version: http://www.pgp.com/
I suggest the original version.
2.Install PGP on your local computer
Follow the instructions that come with the PGP distribution you have downloaded or purchased.
Each of the ZIP files is actually two nested zip files. Inside PGP262.ZIP is PGP262I.ZIP, which contains most of the files, and PGP262I.ASC, which is a PGP signature on PGP262I.ASC. If you have a previous version of PGP, you can use it to check the signature to see that the distribution has not been tampered with. Since a PGP signature protects every last bit in a file from change, a BBS adding an advertising blurb or recompressing the archive would cause PGP to report tampering. Thus, only the inner ZIP file is signed.
Create a directory for the PGP files. For this description, let's use the directory C:\PGP26 as an example, but you should substitute your own disk and directory name if you use something different. Type these commands to make the new directory:
c:Uncompress the distribution file PGP262.ZIP to the directory. For this example, we will assume the file is on floppy drive A - if not, substitute your own file location.
pkunzip -d a:pgp262
This will create the file PGP262I.ZIP and PGP262I.ASC. Unzip PGP262I.ZIP with the command:
pkunzip -d pgp262i
If you omit the -d flag, all the files in the doc subdirectory will be deposited in the pgp directory. This merely causes clutter.
Keep the PGP262I.ZIP file around. Once you have PGP working you can use PGP262I.ASC to verify the digital signature on PGP262I.ZIP. It should come from Jeffrey I. Schiller (whose key is included in keys.asc).
Setting the Environment
Next, you can set an MSDOS "environment variable" to let PGP know where to find its special files, in case you use it from other than the default PGP directory. Use your favorite text editor to add the following lines to your AUTOEXEC.BAT file (usually on your C: drive):
SET PGPPATH=C:\PGP26 SET PATH=C:\PGP26;%PATH%
Substitute your own directory name if different from "C:\PGP26".
The CONFIG.TXT file contains various user-defined preferences for PGP. For example, you can specify which of your secret keys to implicitly select for creating digital signatures. See the manual for details on how to fine-tune your PGP configuration file. The default values in that file are good enough to get you started.
Another environmental variable you should set in MSDOS is "TZ", which tells MSDOS what time zone you are in, which helps PGP create GMT timestamps for its keys and signatures. If you properly define TZ in AUTOEXEC.BAT, then MSDOS gives you good GMT timestamps, and will handle daylight savings time adjustments for you. Here are some sample lines to insert into AUTOEXEC.BAT, depending on your time zone:
Now reboot your system to run AUTOEXEC.BAT, which will set up PGPPATH and TZ for you.
3.Generate PGP keys (public and private)
On DOS systems, this is done by issuing the command
Issuing this command on a typical system yielded the following:
Pretty Good Privacy(tm) 2.6.2 - Public-key encryption for the masses. (c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software. 29 Aug 94 Distributed by the Massachusetts Institute of Technology. Uses RSAREF. Export of this software may be restricted by the U.S. government. Current time: 1996/09/31 23:45 GMT Pick your RSA key size: 1) 512 bits- Low commercial grade, fast but less secure
2) 768 bits- High commercial grade, medium speed, good security 3) 1024 bits- "Military" grade, slow, highest security Choose 1, 2, or 3, or enter desired number of bits:
Choose option 3, 1024 bits, for maximum security.
You will be prompted for your full name and your e-mail address:Generating an RSA key with a 1024-bit modulus. You need a user ID for your public key. The desired form for this user ID is your name, followed by your E-mail address enclosed in
, if you have an E-mail address. For example: John Q. Smith <email@example.com> Enter a user ID for your public key:
Next, you'll be prompted for a passphrase. This can include spaces, and should be a phrase you can remember easily, such as the first line of your favorite song.
IMPORTANT: DO NOT WRITE DOWN THIS PHRASE.
Enter your passphrase.
You need a pass phrase to protect your RSA secret key. Your pass phrase can be any sentence or phrase and may have many words, spaces, punctuation, or any other printable characters. Enter pass phrase: Enter same pass phrase again:
You'll then be asked to type random keys as your PGP keys are generated. You will see a series of dots and plus signs. Finally, your keys will be generated and stored in secring.pgp (your private keyring) and pubring.pgp (your public keyring).
4.Sign your key
Always sign your key. Do this with the command
5.Extract your public key in ASCII
IMPORTANT: You must extract an ASCII representation of your key, or you won't be able to mail it.
Use the command pgp -kxa
which will prompt you for a filename to use for this ASCII version of your public key. A good name might be your_user_idpubkey.asc or just pubkey.asc.
6. Register your public key and/or send it the parties you want to be able to encrypt messages to you.
IMPORTANT: Never send your secret key to anyone - the file named secring.pgp
Cut and paste the .asc file you created in step 5. You can do this by typing
and cutting and pasting the results
Or you can load the pubkey.asc file into any text editor and cutting pasting from there.
Paste the key into your preferred e-mail app and send it to whomever you wish to recieve the key, such as firstname.lastname@example.org. To register your key you should visit the MIT PGP Key Server, or some other Public Key Server.
7. Encrypt your message
On a DOS machine type the following
pgp -esa file_name recipient_name -u your_pgp_userid
To multiple recipients
pgp -esa file_name recipient_name recipient_name2 recipient_nameN -u your_pgp_userid
To wipe out the plaintext file after producing the ciphertext file, just add the -w (wipe) option when encrypting or signing a message:
pgp -seaw message.txt her_userid -u your_userid
NOTE: You do not need to use the -u switch if you only generated one set of keys, or your primary PGP user_id is the one you wish to use to sign your messages.
8. Decrypt message
You will then be prompted for your secret ket password, and if the file is signed PGP will notify you if you have the public key of the sender to check its authenticity and if it does, if the signature is good.
Additional PGP commands:
To add a public or secret key file's contents to your public or secret key ring:
pgp -ka keyfile [keyring]
To extract (copy) a key from your public or secret key ring:
pgp -kx userid keyfile [keyring]
or: pgp -kxa userid keyfile [keyring]
To view the contents of your public key ring:
pgp -kv[v] [userid] [keyring]
To view the "fingerprint" of a public key, to help verify it over the telephone with its owner:
pgp -kvc [userid] [keyring]
To view the contents and check the certifying signatures of your public key ring:
pgp -kc [userid] [keyring]
To edit the userid or pass phrase for your secret key:
pgp -ke userid [keyring]
To edit the trust parameters for a public key:
pgp -ke userid [keyring]
To remove a key or just a userid from your public key ring:
pgp -kr userid [keyring]
To sign and certify someone else's public key on your public key ring:
pgp -ks her_userid [-u your_userid] [keyring]
To remove selected signatures from a userid on a keyring:
pgp -krs userid [keyring]
To permanently revoke your own key, issuing a key compromise certificate:
pgp -kd your_userid
To disable or reenable a public key on your own public key ring:
pgp -kd userid
To specify that the recipient's decrypted plaintext will be shown ONLY on her screen and cannot be saved to disk, add the -m option:
pgp -steam message.txt her_userid
To view the decrypted plaintext output on your screen (like the Unix-style "more" command), without writing it to a file, use the -m (more) option while decrypting:
pgp -m ciphertextfile
Software which makes PGP *much* easier to use:
The Time Hack Cryptography Shack