[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Mr. Newbie...



At 05:35 PM 7/13/95 -0400, The Gate wrote:
>
>	Okay folks, here comes Mr. Newbie.
>
>	Duh...How can I figure out how to use pgp. Is there a good place 
>to learn the background and basics in a step-by-step easy to understnad 
>way? Duh... I think I wanna know...

The documentation that comes with PGP isn't bad; read the pgpdoc1 and
pgpdoc2 files.
(If you buy ViaCrypt, you get them in nice spiral-bound manuals, but it's
basically
the same stuff.)  Here's an overview of the basics:
- RSA public-key encryption lets you create a public encryption key which you
can publish, so that other people can encrypt files that can only be decrypted
with your private key.  It also lets you sign files by decrypting them with your
private key, which other people can check by encrypting with your public key
to get the original message (or a hash of it) back.  What makes this
mathematically
cool is that it does it in a way that takes exponentially long amounts of time
to find your private key from the public key, so anybody who wants to crack
a reasonably
long key needs to run a big hairy computer for about the age of the planet
to do so,
but you can do decryption reasonably fast because you already know the
private key,
and the same algorithm works well for both encryption and digital signatures.

- RSA encryption isn't very fast, so most real programs that use it encrypt the
file with a conventional crypto algorithm (PGP uses IDEA) using a randomly
chosen
session key, and encrypt the session key with RSA; it's a lot faster.

- The problem with public-key encryption is that anybody who wants to send
you a message needs to be sure they've really got _your_ public key instead
of a key that some Bad Guy published saying "Here's Alice's public key -
trust me!".
Since RSA can do digital signatures, PGP uses them to create a "Web of Trust",
where you can sign a message saying "Here is Alice's key, signed Bob",
and anybody who's got a good copy of your key (and trusts you) will know they've
got a good copy of Alice's key.  If they didn't get a copy of your key directly
from you, they may have a message saying "Here's Bob's key, signed Carol",
or maybe they got that and Carol's key, signed by Dave, and they know Dave
personally so they've checked it with him.  How big a Web of Trust can you
trust?
Well, you probably need more security if you're running a revolution than if
you're trying to find out if a Usenet article is genuine or bogus, so PGP lets
you choose, but the default is 4 levels deep.

- OK, so how do you get PGP? - there's an occasional publication on the net
that tells you where, but you can get it from ftp.ox.ac.uk by ftp with no
hassle.
Inside the US, you want version 2.6.2 for non-commercial use, and you have
to buy
ViaCrypt's licensed version if you want to sell services using it.  Outside
the US,
the version's something like 2.6.2i or something ending in i.  3.0 will be out
"Real Soon Now", probably in 1995, but it's hard work.  Versions are available
for DOS, Mac, Unix, and a few less popular OSs.  ViaCrypt has a special
Windows version;
the rest of us Windows users can either run it from DOS or use a front-end
program
like Private Idaho (ftp.eskimo.com/joelm/) or WinPGP, available from popular
FTP sites.
If you're using the Unix version, it's assumed you know how to read readme files
and compile using Make; DOS folks get binary as well as source and
documentation.
Unix folks will notice that the command line has this ugly DOS feel to it :-)

- So you've got it installed and you've read the documentation, and messed with
the config.txt file if you didn't like the default options, and now
you want to do something.  Type "pgp -h" to get help, or "pgp -k" to get help
with keys for a reminder.  Then type "pgp -kg" to generate a key - you
probably want a 768-bit or 1024-bit key for normal use, unless you're
paranoid or
have a slow computer.  Because RSA keys are long strings of binary data that
are hard for humans to remember, PGP stores them in a file, encypted with IDEA,
and will prompt you for a "passphrase" for the encryption.  Make it something
long and complicated enough to be secure, but easy for you to remember without
writing it in a yellow sticky-note, and not blatantly obvious.  You'll need to 
use it any time you decrypt a file somebody else sent you, or sign a file you're
sending to someone else.  You'll also need a name - typical format looks like
        Bob Dobbs <[email protected]>
which has your name and email address.  Most of the time you'll just use an
abbreviation and let pgp figure it out.  To send your key to someone else,
once you've generated it, type "pgp -kx Dobbs filename" and it'll create a file
you can mail somebody else which will let them encrypt stuff to you.

To decrypt a file you got from someone else, type "pgp filename",
which will do the right thing for decryption, checking signatures,
receiving new keys, etc.  To encrypt a file to someone else, type 
"pgp -e filename theirname" and pgp will create a file called filename.asc
(or filename.pgp if you don't have the ascii-armor option set, which you
should.)
To sign a file to send somebody, type "pgp -s filename", which will do the same,
and there are various options you should read in the manual.
#                                Thanks;  Bill
# Bill Stewart, Freelance Information Architect, [email protected]