PGP In a Nutshell 2.5, by Jeremiah S.Junken (jjunken@nations.ucs.indiana.edu)

This text is Coprighted to it's author, 6/1994.
This may be re-distributed in any manner, so long as it remains unaltered and no
profit is gained by it directly or indirectly, or by any package in which it is
included!

The PGP team, Fred Fish have permission to include it in their releases, as does
the EFF, CPSR, and any news service.

Correspondance Information at the Extreme bottom of this document!

Nutshell, text Version 2.5 (Not related to PGP Version number)

Special thanks to Peter Simons for proofreading and editing!
--------------------------------------------------------------------------------

Getting Started with Phil Zimmermann's Pretty Good Privacy (PGP) Software

This document could easily be titled "PGP for dummies", but I like doing things
differently.  Nonetheless, this document should get the "dummy" from point A to
the finish  line  without  much  trouble.  Even if you're one of the guru's who
entire computing experience borders making you an  acolyte to the computer god,
I think you'd still be well served to read this.

This document is in no way meant to supplant the documentation provided  by  Mr.
Zimmermann, but rather as a plain-english quick-reference for those who'd rather
get down to business than screw around with intricacies. My belief is  that  you
should learn the essential basics and dive in straight away.  The  finer  points
will grow on you, and you learn them as you go. Remember  that  security  as  is
only as good as the people who know the codes, so under  no  circumstances  tell
ANYONE your password or write it down where it  might  be  found.  Be  aware  of
shoulder-surfers (people who can't keep their eyes off the keyboard when  you're
entering passcodes they're not intended to know)..

You probably got this because you wanted to avoid the BS associated  with  huge,
detailed manuals. After all, you didn't get PGP for an education, you got it  to
DO something. With this in mind, I've written this to be easy to  understand  so
you can get started. However, you should remember that if you  do  not  use  PGP
correctly and bypass steps, you risk not only your own security, but anyone  who
communicates with you and possibly more. For that reason,  you  should  see  the
recommended reading order immediately below the table of contents and ultimately
go through the whole guide!

It would be a VERY good idea to print up the whole thing so you can reference
it while actually using the software!

The following is a Table Of Contents. Don't be afraid. Just follow the order
I recommend immediately below it and nothing will blow up :)

I'd like to thank:

Peter Simons, especially, the man who ported PGP to the Amiga and is
  responsible for a zillion programs of merit for the Amiga's networking
  end.

Phillip Zimmermann
  For coding PGP in the first place

And the many people who sent back a lot of positive feedback on this beast,
and offered help and suggestions on bringing this to full fruitation.

Table of Contents:
------------------

Environment
 Considerations for using PGP in different situations, what you need to know
 to make PGP secure, etc.

Environment: Residual Data
Environment: Environmental Variables
Environment: Password Echo
Environment: Shared Systems
Environment: Your Password

Getting Started
 The things you need to know to use PGP

Getting Started: Generating Keys
Getting Started: Decrypting Messages
Getting Started: Encrypting, Adding Keys
Getting Started: QUICK REFERENCE
Getting Started: "Stupid" Questions

PGP Applied
 This is a extremely brief reiteration you should read several times!

Advanced PGP
 Master PGP and make it REALLY work for you!

Advanced PGP: Authentication
Advanced PGP: Certification
Advanced PGP: Key Editing
Advanced PGP: Copying Secret Keys

Paranoia
 Unlikely surveillence possibilities

Paranoia: Electromagnetic Inference Interception
Paranoia: Hard Disk Reading
Paranoia: Remote Video Monitoring
Paranoia: linetap
Paranoia: modifications

Correspondance Information
 How to reach me
PGP Distribution Information


Recommended Reading Order:

Getting Started, Environment, Advanced PGP, PGP Applied.

Unless you sell cocaine or plot to overthrow governments, PARANOIA is not really
important :) :)


Notes:

   This revision contains extra information on authentication and certification
that I skimmed in the previous version out of lazyness.

   I've had two comments regarding my mention of UNIX commands. When I say UNIX,
I'm referring to the command syntaxes used in the version  of  UNIX  running  on
NeXT machines running NeXTstep 3.1 or higher. This is a BSD derivative  that  is
similar to anything running BSD4.2 or higher, NetBSD, Linux, etc. If  you  don't
know what you're system's running, you should be able to get information on  any
standard command's syntax with the 'man' command. For  example:  'man  ls'  will
give information on the arguments and syntax for the directory listing command.

   The author,  Jeremiah  Junken, is  currently  18  years of age,  lives in the
ass-backwards  town of  Bloomington, Indiana, in the  midwestern  United States,
is a stringent conservative and a supporter of CPSR and the EFF.

   An  avid  Amiga user,  Mr. Junken  enthusiasticly  supports  the  efforts  of
Mr. Peter Simons, who ported PGP 2.3a to the Amiga, composes music  and develops
exceptionally lame software :) :)
--------------------------------------------------------------------------------

Environment

  When you sit down in front of your terminal and use PGP,  you are  doing so to
ensure your  security and  privacy. You can't cover all bases, obviously, you're
only human,  but you can  minimize the chance for security leaks and thusly, the
compromise of your privacy.

Environment, in this text, is a reference to your  computer,  and the   physical
area in which your computer exists.



Environment: PLAINTEXTS

  When you use PGP, you first write a document containing the message  you  want
to encrypt. This document you are writing is not encrypted, and while  it's  not
encrypted, it's vulnerable to being read. So, you encrypt it and send it to your
destinations. Pretty simple. Of course, this document can still  be  read!  How?
DID YOU DELETE THE ORIGINAL? You must. Or,  use  PGP's  Conventional  Cryptology
option and encrypt the original with a password so you read it when you need it.



Environment: RESIDUAL DATA

  If  you use  MS-DOS 5.0 or better,  you  should be familiar with the  UNDELETE
command.  If you  were to  write a  plaintext,  encrypt it,  delete the original
plaintext and mail it, the  PLAINTEXT CAN STILL BE UNDELETED.  Even if you don't
have  an  undelete command,  you should be aware  that there are some out there,
and if someone REALLY WANTED TO, they could recover the plaintext.  This is true
of ANY platform that uses any sort of disk technology, everything from Macintosh
or an IBM to the largest mainframes. Not just hard disks, but floppies too!

  There are several ways to avoid this. For MS-DOS, there exists a NUKE command.
This  command  writes over the file with 1's, 0's, 1's, THEN deletes it. In that
way, it's not possible to recover it. This is Department of Defense Standard.

  Another way is to run a Disk-Defragmenter after the file is deleted. This will
also overwrite the residual data.



Environment: ENVIRONMENTAL VARIABLES

  In PGP, there is an option to set your passphrase as an Environmental Variable.
In MS-DOS, this could be  in  your  AUTOEXEC.BAT.  In  AmigaDOS,  your  startup-
sequence or one if it's children. In  UNIX  C-shell,  your  .login.  This  is  a
TERRIBLE mistake to set it in a batch file, because anyone could read that  file
and your  passphrase  would  be  plainly  visible,  unencrypted,  and  therefore
available to the intruder. However, if you set it in a batch file, it's  already
in memory, and PGP could be used by whoever was sitting in front of the computer
without any problems.

Solution: Do not set a PGPPASS Environmental variable. Ever. For ANY reason.



Environment: PASSWORD ECHO

  There is an option to echo the password when you type it in.  By default,  PGP
does not show what you type so that someone looking over your shoulder could not
see it. They could still watch your fingers on the keyboard.

Solution: DO NOT set Passworrd echo on. It's not rude to ask someone not to
watch when you enter a password.



Environment: SHARED SYSTEMS

  Shared  Systems are bad news for  security, Period.  I've been on the  hacking
side, and the  side of the  Hacked, and quite  simply, a shared system = Privacy
Risk.  Remember  that the  operator  (ROOT on a Unix System)  or a clever hacker
could easily see a dump of system memory and hence, your passphrase while
PGP is decrypting.

  The  TEMP  directory ( /tmp in UNIX ) is another problem. PGP could store it's
swap files there.  You'd be best off to  edit the  PGP Config.txt (PGP.config on
Amiga) and define the  TEMP  directory to be your home directory. Also make sure
you have the privileges set so that  others cannot read your home directory

(In Unix: chmod . og-rwx ; chmod . u+rwx. If this  command syntax is  incorrect,
see the NOTES sections immediately below the Table of Contents..)

  If you use a mail system such as ELM that  creates  a  tempfile  in  the  /tmp
before mailing, it's better to write your message with Emacs before you start in
mail,

emacs newmessage.txt

then encrypt it (pgp -ea newmessage.txt) then mail it with pipe redirect:

mail user < newmessage.txt.asc

  and that way, any temp files created would be encrypted, and hence, useless to
the peeping intruder!

  If you'd like to see some more security concerns,  see the PARANOIA section at
the tail-end of this file!

Environment: YOUR PASSWORD

  When you select your password, you should not use anything easy to guess, like
the name of a spouse, a nickname, a favorite sports  team,  or  something   even
worse like your  last  name  backwards.  The  technique  I  use  for  generating
passwords which are easy to remember but next to impossible to guess is to think
back to your elementry school years, think of the best time you had during  that
period in your life, or something you had then that you really  loved,  and  use
that as a passphrase.

  For  example's  purposes,  we'll use my favorite toy of that time,  which  was
ROBOTIX robot toy construction set. (That, or my Commodore 64 :-) )

  The passphrase 'robotix' might be in a  dictionary or  something that  someone
might try.  So,  you might add a few random characters: 'ro_b&ot|><',  and maybe
the year of your birth.  '19ro_b&ot|><75'.  That would be damned near impossible
to guess, whereis 'robotix' is unlikely to be guessed, it's still possible.

  Of course,  it's a  passPHRASE  not a  passWORD, so it could be:  "When in the
course of human events..." you could change that to: "\\/h3|\| |n th3 k0urS3 uhv
H\///.A|\| 3\/3|\|T5..," or something.

  Another HUGE mistake a  lot  of  people  make  is  mumbling  their  passwords,
especially in efforts to  remember them.  THAT is a critical mistake. So, if you
think what you're typing, make sure your mouth isn't doing the thinking!


--------------------------------------------------------------------------------
This section is a jumpstart from ignorance into competent usage of PGP.

Read carefully and follow instructions step-by-step!



Getting Started: GENERATING YOUR KEYSET

  Okay. In order for someone to send you mail, they'll need your Public Key. You
have to create  that  yourself.  When you create it, it creates your  Secret Key
(which is password protected) and a Public Key. The Public Key is used by others
to encrypt data to you.  Once encrypted with your Public Key, YOUR _SECRET_ Key,
and ONLY YOUR SECRET key can decode the information.

So Let's do it!

type: pgp -kg

  It  will prompt you for several things. One is your ID line,  or  what  people
will see that identifies the key as yours from the humn perspective.

Yourname <your email address>

  That's  the general convention,  but some people like to use a  witty  comment
instead of an Email Address. It's entirely up to you.

  Another option will be Key Size. Pick the largest option  (1024-bit  key).  It
might take a while (As long as 5 minutes) to generate the  key  on  most  modern
machines, but this is _YOUR SECURITY_ we're talking  about,  not  waiting  on  a
laundry dryer. (On older machines, it could be as long as an hour, but  it  will
never take that long to decrypt a message.. usually no more than  5  minutes.  I
use a very old computer, and it doesn't take more than 40 seconds to encrypt  or
decrypt for a 1024bit key.. but then again, I use an AMIGA!)

  It will ask for a passphrase. A "passphrase" is password, but it's longer.  It
can be a whole sentence, or just a few letters. Remember to  make  it  something
you can remember easily, but not something  easily  guessed.  When  I've  helped
friends generate passwords, I usually tell them to try and remember a really fun
time they had with a friend, and pick a word that describes the situation,  then
the friend's name, and use either.

  For a good password, you might want  to  look  at  the  section  in  the  very
beginning on passwords!

  The most secure passwords are random strings of both letters and numbers like:
az193095=-evce2 or something. Whatever you  choose  make  sure  YOU  can  ALWAYS
remember it, and that no one is likely to guess it.

  It will ask for random keystrokes, and indicate a number  showing  the  number
remaining for you to enter at the bottom of the screen.  Why?  Nothing  is  more
unique than the timing between sets of keystrokes from one person to another.  A
computer could not possibly generate a set of numbers as random and haphazard as
these timing values. Since it's been established that PGP is effective  and   it
knows what it's doing, humor it. Type reasonably slowly. PGP will indicate  that
you've entered enough with a Beep and a message saying "-Enough, thank you."

  A series of periods and pluses will show up at the bottom of the screen. These
are of no concern to you, they're just progress indicators.

They look like this:

....+++ ....++++ ........+++++

  When it's finished,  you need to "extract" your public key from the public key
ring in ASCII format so that you can mail it to the  people who will use it  (or
pass it on floppy disk, or however you transmit it.)  This  is  accomplished  by
typing:

pgp -kxa YourId keyfile pubring.pgp

  Assuming your ID is John Doe, and you want to put the key in a file called
"mykey", you'd type: pgp -kxa John mykey pubring.pgp

  A file called mykey.asc will be created, and viola! Your friends will add that
keyfile to their own public ring and be able to mail you messages securely!



Getting Started: DECRYPTING MESSAGES

  Once your  friends have your key and mail you a message with  PGP  encryption,
you will need to save that message to a file. Assuming you've done that, and the
PGP  encrypted  message is in a file called 'newmsg1.txt',  we'll go through the
motions.

pgp -d newmsg1.txt

  PGP will ask for your key's secret  passphrase. If entered correctly, PGP will
decrypt it.  It may ask you a few questions,  answer them appropriately  (ie: DO
you want to overwrite file with file,  etc.)  Just answer them according to your
wishes.

  Now,  using an editor or text viewer,  you can read the message.   If there is
extraneous garble at the top,  it means the person that sent the message  signed
it with the PGP key.  Nothing is wrong,  just ignore  the  garble.  (This rarely
occurs.)

  Now, after reading the message, you should delete it.  There's no security  in
the message once it's decrypted.. anyone could read it just as you did.  You can
keep the encrypted version if you tell pgp not to overwrite it in the decryption
process, and decrypt  it when you need to refer to it.



Getting Started: ENCRYPTING MESSAGES, USING OTHER PEOPLE'S KEYS TO DO SO.

  The first step is to obtain the public key of the person you intend to  mail..
PGP is  a two-way street and requires  both people to have the software and have
exchanged keys in order to communicate properly.

Once you have isolated their public key in a file, type:

pgp -ka filename

where filename is the file containing their key.

(Remember: Once you add their key, you'll not need to do it again!)

  PGP will ask you if you want to certify the key.  If you are CERTAIN  this key
came  from  who it  says it's from and you believe that,  then YES,  you want to
certify it. (If you don't certify it, PGP will always ask you if you're SURE you
want to use it each time you do!)

  It  will  prompt  you  again,  for verification,  then  ask  for  your  secret
passphrase.  This is so no one but  you can certify which keys you can trust for
you.  (There is a way to transfer trust,  read the  full  documentation for more
information on that..)

  Once it's entered,  the  key  is added to your public keyring and you'll never
need to add it again.

  Now,  assuming you've just added  Jane Doe's  Public key to your   keyfile and
would like to mail her a message, you'd type:

pgp -ea filename userid

  Where  filename  is  the  message  file,  and  userid  is  that of Ms. Doe, so
something like:

pgp -ea doemsg.txt Jane

  If there's more than one Jane in your public key file, but only one Doe, you'd
type:

pgp -ea doemsg.txt Doe

  and pgp would produce a file called 'doemsg.asc' ( or 'doemsg.txt.asc' on UNIX
systems.)

  Viola!  Done.  You'd simply mail doemsg.asc to Jane Doe,  and she'd decrypt it
with her secret key.



Getting Started: PGP QUICK REFERENCE

  Below are all the basic commands for PGP. Once you're familiar with basic use,
read through the manual and use what's below as a reference, like a cheatsheet.


  Remember to add the  'a'  option to anything producing an outfile,  or it will
output a BINARY that you cannot directly mail.

ie: rather than pgp -e, use pgp -ea

The A means PRODUCE ASCII OUTPUT, which you can mail straight away.

In UNIX systems, you would type: mail username < file

were FILE contains the output from pgp (usually file.asc)

To encrypt a plaintext file with recipient's public key, type:
   pgp -e textfile her_userid [other userids] (produces textfile.pgp)

To sign a plaintext file with your secret key:
   pgp -s textfile [-u your_userid]           (produces textfile.pgp)

To sign a plaintext file with your secret key, and then encrypt it
   with recipient's public key, producing a .pgp file:
   pgp -es textfile her_userid [other userids] [-u your_userid]

To encrypt with conventional encryption only:
   pgp -c textfile

To decrypt or check a signature for a ciphertext (.pgp) file:
   pgp ciphertextfile [plaintextfile]

To produce output in ASCII for email, add the -a option to other options.

To generate your own unique public/secret key pair:  pgp -kg

  REMEMBER:When making any sort of outfile that you intend to mail (ie: creating
encrypted mail messages)  remember to add the -a extension..  (pgp -kx should be
pgp -kxa,  and pgp -e  should _ALWAYS_ be pgp -ea),  otherwise,  the  output  is
unmailable BINARY DATA  which will  appear  to be a  bunch  of random characters
that cannot be extracted properly on most systems!!

Key management functions:

To generate your own unique public/secret key pair:
   pgp -kg

To add a key file's contents to your public or secret key ring:
   pgp -ka keyfile [keyring]

To remove a key or a user ID from your public or secret key ring:
   pgp -kr userid [keyring]

To edit your user ID or pass phrase:
   pgp -ke your_userid [keyring]

To extract (copy) a key from your public or secret key ring:
   pgp -kx userid keyfile [keyring]

To view the contents of your public key ring:
   pgp -kv[v] [userid] [keyring]

To view the "fingerprint" of a given key:
   pgp -kvc [userid] [keyring]

To check signatures on your public key ring:
   pgp -kc [userid] [keyring]

To sign someone else's public key on your public key ring:
   pgp -ks her_userid [-u your_userid] [keyring]

To remove selected signatures from a userid on a keyring:
   pgp -krs userid [keyring]

pubring.pgp = Contains your & other's public files
secring.pgp = contains your secret keys

 If you want to extract your public key to mail to someone:

pgp -kxa myid mykey pubring.pgp

  Where myid = the first unique pattern of letters in your ID signature  (ie: If
you signature is Joe Blow <blowj@big.u.edu>, then myid = joe) the result will be
a file called mykey.asc, which you can mail to people:

mail user@host < mykey.asc



Getting Started: "STUPID" QUESTIONS

  I say "stupid"  in  quotes  because  the  only  stupid question is the one you
didn't ask!  If you knew everything, you wouldn't be reading this, and it's here
to be helpful, not confusing!

Statement: Pgp -ea file userid

  Explaination: THe file is the message to encrypt. The userid is the person you
intend to send it to,  in this example. -e means encrypt.  A means ASCII output,
or mailable text.

  When you specify a USERID, you don't have to type the whole ID.. in fact, most
systems won't let you. PGP only needs a non-ambiguous clue.

Peter's ID is Peter Simons <simons@peti.GUN.de)

  For example, if I write a message to Peter Simons, I can say "Peter",  "Pete",
"Simons",  "Simon",  "Simo",  "peti.gun"  or anything in his  ID  that  isn't in
another ID.  If there a Simon Jackson in my public keyring,  I should say Peter,
because there are two occurrences of "Simon". If there's a  Peter Jennings  in
my public ring also, I should say "peti.gun", since that's unique to Peter
Simon's ID.

Statement: Why isn't all output just ascii in the first place?

  Because  sometimes  you  would want _BINARY_ output for one reason or another.
Binary output produces a smaller file,  so if you were putting  the  file onto a
disk rather than mailing it,it would be a good idea to just use the binary mode.
It's also used for things like STEALTH and  stenography,  which we won't go into
here.

Statement: Why can't I encrypt with a secret key?

  Because if you did, then ANYONE with your public key could decode it, assuming
  it was possible at all.

Statement: IF someone has my public key, can they figure out my password or hack
           my mail?

Absolutely not! That's the whole point to PGP in the first place!
-------------------------------------------------------------------------------

PGP APPLIED

  As the Environment section implies, there's more to using PGP than enciphering
Email.  PGP is a way of doing things, not just a program. As I've stated before,
and feel a need to emphasize, IF YOU DON'T USE PGP CORRECTLY, YOU RISK MORE THAN
YOUR PRIVACY.

o Environment:

  Make sure your workstation is free of shoulder-surfers, Password Echo, PGPPASS
Environmental variables,  Scripts  containing  your  password  in an unprotected
mode, or any programs that might be intercepting keyboard input.

  Residual  Information,  such as your original unencrypted documents, decrypted
mail files, and UNDELETABLE files can be as much a compromise as no PGP at all.

  See the Environment section

o Authentication:

  Failure to verify your keys with their supposed corresponding users is risking
TOO MUCH  to  fail to justify even a long distance phone call.   What's 30 cents
against the compromise of your privacy?

  See the section on Authentication for information

o Secure Password

  Don't be a dummy.  A secure  password is multifaceted,  but rotates around one
thing: You're the only one that knows it.  If it's written down,  easy to guess,
or possible to elicit from your computer, it's not a secure password!

  See the Environment section

  Every  element  of  PGP  exists  for  a  reason,  and some parts that may seem
irrelevant are actually important, maybe  CRITICAL  to certain privacy purposes.
Phil and his crew did not spend as much time as they did and PGP itself did  not
become  as  popular  with  everything  from  grass  roots  radicals   to   major
conservatives to  cryptographic  experts for it's health..  it became  that  way
because PGP offers all these features.

  Keep this all in mind when you begin to think something in here  is  trite  or
tedious. It's there for a reason, and that reason is YOUR PRIVACY!

-------------------------------------------------------------------------------
Advanced PGP

  This  part of this text assumes you're now familiar with PGP,  and comfortable
with using it routinely. Whether you are or are not, you should read it,  but if
it seems to complicated, don't worry about it just yet!



Advanced PGP: AUTHENTICATION

  So now you're comfortable with using PGP.  You can encrypt, decrypt,  make and
add keys and all that good  stuff.  So now I throw you a curve-ball.  How do you
KNOW that YOU are encrypting a message to ME instead of someone else?

  Roleplaying time!  You have this key,  which came in a message from me to you,
and  when  you  add  it to your keyset,  my name came up in the ID with my Email
address. Okay. So you're ready to send me a message. WAIT RIGHT THERE!

  As you should know,  it's  quite  possible  to forge  Email,  or get someone's
account  password!   So, then,  it's possible  that you  have a  charlitan  key!
Someone  could  have  easily  generated a key with the same ID tag I have, broke
into my account and mailed it to you,  then all my  incoming  mail from you they
would divert, read, re-encrypt with my real key and send it to me..  and neither
of us would know!

  PGP solves that, too. Easily. Go back to key generation,  briefly,  and recall
the keystrokes PGP asked for.  There is no way anyone could do it like  you did,
and it's doubtful you could,  either! When you generated that key,  a part of it
was the "signature", which is totally unique to your key.  Even if you lost your
key and generated  another one that looked the same,  it's  signature  would  be
totally different.

  So, before you encrypt things to someone,  you should compare the signature on
the  key  you have with the one they have over the phone or in person.  THEN you
would know you have the proper key and not a charlitan!

  The  signature is also referred to as a fingerprint,  and  can  been  seen  by
invoking the command:

pgp -kvc userid keyringfile (ie: pgp -kvc peter pubring.pgp)

  There is also a way to "sign" a file. With this done,you can send an encrypted
file,  such as a letter containing technical data,  sign it,  and if ANYTHING is
changed, PGP will know it and warn you.

  This is done with pgp -sb filename. (pgp: -sb technote.txt)

  This can come in handy for making sure no one changes  instruction  manuals to
PGP itself, and more.



Advanced PGP: CERTIFICATION

  When  you  add a  key to your keyset,  PGP asks you if you want to certify the
key.. do you KNOW that the key belongs to who you say it does? Do you trust that
person to give you keys that are authenticated? This is certification.

  If Joe Blow hands you a floppy disc you watched him copy his key onto, you can
be reasonably sure it's Joe Blow's key. So yes, you'll certify that.  Of course.
BUT.. If Joe Blow hands you a disk with other people's keys on it,  do you trust
that he checked those keys out  reasonably  well to make sure they're authentic?
In other words,  you can trust Joe Blow with his own key,  but do you trust him
to give you keys? If yes, how much? Always? Sometimes? Maybe? Never?

  These are levels of trust. If you trust Joe Blow,and Joe Blow trusts John Doe,
then it's possible that also John Doe is giving you keys, indirectly.

  It's always best to get the key from the person themselves,  check it out with
them and do it that way,  but it's not  always  possible,  either for reasons of
time quantity of work, and this is where Certification comes in.  It's generally
a  wise idea  to think things through as if it were a chess game,  or setting up
dominos.


Examples:

Joe Blow you trust. John Doe you don't. Therefore, you SOMETIMES trust Joe
Blow.

Joe Blow you don't trust. Therefore, you NEVER trust anything he certfiies.

Joe Blow you trust, John Doe you trust, Therefore, you USUALLY trust Joe Blow.


The only person PGP should understand you to trust fully is YOURSELF, and when
you generate a key, that's the default setting.




Advanced PGP: KEY EDITING

Okay. You're Peter Simons. You key reads:

Peter Simons <simons@peti.GUN.de>

But, you moved. Now you're Peter Simons, root@k-rad.elite.org.

  You CAN edit your key's  ID line without it messing up encryption.  It's quite
simple.  You can use this function to also change your password should you  feel
the desire to do so (YOU SHOULD CHANGE YOUR PASSWORD EVERY MONTH MINIMALLY!)

pgp -ke simon

PGP would prompt you on editing options, first being the ID line and then
being the password.

You should note that once you change it and lock in the change, PGP will
remember the old ID and refer to it as an ALIAS. This way, it's more clear
that it is the same key to other users.

People can always use the new or old key to encrypt to you, whether you
change the ID and/or the password, however, they'll see the old ID unless you
give them the copy of the new public key (pgp -kxa yourname mykey pubring) as
if it were new.



Advanced PGP: COPYING SECRET KEYS, USING PGP IN TWO PLACES

Let's say you're like me. You go to a University, and you use PGP offline most
of the time, but.. once in a while, you use PGP online. In order to use the
same key, you'll need to copy your SECRET keyring, secring.pgp, and put a copy
of it where you intend to use it. If it's avoidable, you shouldn't do it, but
sometimes it's not. keyrings are interchangeable.. that is.. they work on
different computers regardless of whether it's a NeXT, an Amiga, a Mac or an
IBM.. or anything else.

In some cases, you might need to DISTRIBUTE a secret key, such as in a
political organization or something. It's generally best to have a "data
treasurer" for that sort of thing, but if you HAVE to do it, then it's done
the same way a public key is, except for the keyring specified.

pgp -keyid secretkeyfile secring.pgp

Remember that if you distribute it over mail, you would be a total fool to
distribute it in the same message as it's password, and an even bigger idiot
if you didn't encrypt the mail to the user you intended to send it to!


--------------------------------------------------------------------------------


PARANOIA: General Security Problems

Warning: The things presented in this segment of the document are surveillence
techniques employed by various government, private and espionage organizations
around the world. These are not likely to be employed to read your mail to your
best friend, unless you happen to be conspiring to launch a nuclear missile.

Please don't lose any sleep over this.



PARANOIA: Electromagnetic Interference Interception

Every electrical device, from digital wristwatches and toasters to televisions
and mainframe computers generate electromagnetic interference. There are devices
that measure this energy, and in some circumstances can interpret it into being
able to tell what a given device is doing.

A computer's monitor is controlled by a signal send from the video card to
the monitor (electromagnetic interference.) A remote device, carefully tuned in
on this signal, could reproduce the image on your monitor remotely for the
purpose of taping or monitoring.

The same is true with a computer keyboard. Whenever you press a key, a certain
signal is sent to the computer, different from other signals sent by other keys.
A device like the one described above could essentially carbon copy all of your
keypresses into a recorder and everything you type could be reproduced.

If you want a working example of this concept, look at a typewriter ribbon
(especially those found in IBM Selectric series typewriters.) If you look
carefully and fill in the spaces mentally, you can see everything the unwary
typist has typed. On the selectric, spaces aren't shown on the ribbon, since
the space prints nothing and would be a waste of ribbon to advance the ribbon
when you hit it. (Same with Tab, Return, etc.)



PARANOIA: Hard disk reading

If you format your hard drive so that there is no data on it at all, it is
still possible to pick up trace magnetic signals where readable data and
the previous formatting existed. With special equipment, the contents of your
hard drive could be totally reconstructed, despite the formatting.

The solution is straight forward: Department of Defense standard Data Deletion,
which was described in the beginning. It overwrites the file 3 times with 1's
and 0's before deleting, so the residual data is not usable in any scheme.

PARANOIA: Remote Video Monitoring

Obviously it's possible for someone to videotape your computer screen and/or
your fingers on the keyboard. This is a standard tactic. This is avoided
somewhat by positioning the computer where neither the keyboard or the monitor
is visible through a window, and that there is no reflection visible either,
as could be seen in the user's glasses, a mirror, a glossy poster, chrome on
furniture, etc.



PARANOIA: Linetap

If you were to use PGP on a remote system, your modem line could be compromised
by buffering the signal transparently into another computer and thusly
reproducing the entire terminal session. For that reason, it's better to use PGP
offline and upload encrypted texts.



PARANOIA: Modifications

There is no way to tell if PGP has been modified unless you get the distribution
package from it's creators, or get the source code, carefully examine it, and
compile it yourself. Even then, it's possible to have a compiler that recognizes
security applications and creates a "backdoor".

The more common scenario is straight-forward: Someone modifies the source on
a shared system and gets a dump of everything you've done with PGP on that
system. The chance of this is somewhat eliminated by compiling your own copy
on the system, or better, simply use your own copy offline!

--------------------------------------------------------------------------------

Correspondance:

This was written entirely by Jeremiah S.Junken, save the key-reference chart
which was taken from PGP 2.2 UNIX.

In the event of Address change or the like, I refer correspondance to
Peter Simons, the Author of PGPAmiga and the maintainer of the PGPAmiga
mailing list.

Please address correspondance related to this to me. Although Peter is a great
guy who knows PGP intimately and loves helping people out with it, he's also
extremely busy :), so keep that in mind before you mail him specifically!

always read alt.security.pgp if you need more information, and/or subscribe
to the PGPAmiga mailing list! (contact Peter Simons)



PGP Distribution Information:

PGP is found in compiled form for Amiga, MS-DOS, Macintrash and, (I THINK..)
Atari ST. The C language source code is also available.

FTP to SODA.BERKELEY.EDU (don't be a hoser)...

/pub/cypherpunks/pgp

there you will find several versions, and compiled versions for
Amiga, Macintrash, MS-DOS, etc., as well as other cool things.

net-dist.mit.edu (Source, MS-DOS executables)
src.doc.ic.ac.uk (Source, Amiga, MS-DOS, Macintrash)
ftp.luth.se      (Amiga  /pub/aminet/util/crypt)
wuarchive.wustl.edu (Everything)

Jeremiah's Key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a.3

mQCNAi3+N/sAAAEEAKg5XtFem9nMlzU9LxwHTWqvsPaESFjkyxTPtX5YLj5ugvQr
8l8hgXqXwdG8415ZbJNMYP9qRA5u44NNCGhEDIljkj4E5w4CB3JXu/GruaZ+1zAO
9hCAYzajenfCeM2Y3xSO2eiN4nuHWzwV0EW2y1mGD0EXspBRpEVyiiRQvPXpAAUR
tDM8SmVyZW1pYWggUy5KdW5rZW4+IGpqdW5rZW5AbmF0aW9ucy51Y3MuaW5kaWFu
YS5lZHU=
=WT8H
-----END PGP PUBLIC KEY BLOCK-----


Peter's Key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a.3

mQCNAiyg9DgAAAEEAMnWa12Ub+g8uzR/GByKjpMiNsHZygQ4pw2Bjix+WjyEVsHH
JV8DRqdnYBs+MPrhvou1dDXEkhC64lklC23xlawI2yaXBtKadKgEEOdKLF9tVibP
SFqgxT/TNw1l0cDDeCkeQmSXtY2/MpK0tXCRAvFb/dnaHkKDew9HL1s0103BAAUR
tCFQZXRlciBTaW1vbnMgPHNpbW9uc0BwZXRpLkdVTi5kZT6JAFUCBRAsq+a4VC9v
HTPtL1kBAaS9Af9DTMrtPRI54LGkQ2bCS3eTaIVKv1KcBOn9uTuHQhoKIK0m+wlZ
qgOUvKUKEko9S91wssnpZ2JbCPrtnSN6nuBfiQCVAgUQLeUUjo5GAWiQvcrtAQHE
VgP/Q+23c0pdBXXLmT/DMokhckzBHLv93RzHm9SpJrFCzeIRYb+OhjUhcWFYPxuN
/n4K8EE6oakEjrH7T1lMDXudy9Q8zmsPXvT8BmobrwcRaVmIAMVAZv+G9/VKRNs0
WqYQH1BkG94DPq9QFMKu3j0zkXZpwM9ibWHF/rvjYEaCsJmJAFUCBRAtuyo7m9pR
g/CEGxEBAUDNAgCHElp9za/EXoVDv4FHvcZTQTe49I5nNtB+RT/tEWWniK46MDlw
HUNDK/Qioc0/xUZCLRq5sZHiSHk4bDW+eunniQCVAgUQLWa4Za16Lvf6xRt5AQEI
HQP/Ykn+ucGld0oIpyxPPBC4fpOOh+Ri8OMv5jZBnRf6fOJiADK4ZI4yj0p8/17G
/vL4CXp7+97Y2t8LhoEosk+qpoPD8yma7tU3upFIw9hicHPs8yef0UzKrkqitEUd
CbcPzcz3QPl9/5+LRfnFYmIj9wR0UWeyRfiByn5wOgKq98SJAFUCBRAtVWnS/ZhK
+bLW8KUBAQdEAgDISWd2Krz/K7jZvMYaAiYlX3XFWJk3RFX+iAfST6s8lGAdx1PA
cevDwCggxemt/FFFhaxohcKkT/MTeT/JdpqjiQBVAgUQLVS2POVzXaPbP8rBAQH3
LwH/TkHStVKHxPZKqD9+HA2+wdiCWNkydHzxSkkuSqsE+hlUUmepM87T+aKdh5If
BJ5NOqfsG4PjwUlmWhMRAqm4S4kAVQIFEC1T6zoRGQkc+pTPfwEBWLQB/iYT+ght
5TtQpWK6X/PRNzDixD69NUEizzcG52xaTfY/FxqzzQT774dEfICEeuo7WzB0K+l9
PsMOtvEn5OJ+uouJAFUCBRAs39pEtWmxTf8rK48BARZ6AgDWq5SQnqGU5n6M7sWH
5VbtvGTnF1CThJiVyqLDivXSCSS1g5S+RD2j6Yvyse2s5tXttJ4P15jCWivLaajX
Sn1ZiQBVAgUQLN+lIOKK+f1pkO9dAQGyvwH9FI8+OCyvP8Y5sMK+hcqcAM/WA6eo
8X0A34kgw9Oi/3fmmcyt9qNMG8yS2ukYqnZHGqg5TKQ57duG2FEQOGmREIkAlQIF
EC1S9awTcjf3qIs+GQEBrSoD/AwiIjFNpsbzB+J88Uj512eLTm+sfaL6W5+3S8ns
g+xojvxRAth3WPwKXK6W0SF4fBu7ms+ErJPevSo0J02C3+V0qBmV8hqQkfHKFiyO
KavkLQlbPPwe2rMjgiBSckH17DcGb2C056b/6NyrugaoOMA3rMPNTGVti9gQA/1s
sCnqiQCVAgUQLVLvAdD5dFuSG3KVAQFrwwP7BIKVuKVPXB0rlNF0CfNJOpBjRV47
+iu4oA7sGAtmBbFEWoXSutN63UTZenW6Tau0c4oJJ1UxGTCTbG/o7yfbngBRvZvX
LtB4T/CMEej6vsU+3p8+LL4xXE+vdiEuMg3ak6vVcEbEM72Gx+9ZVcan+tCshhi1
Le+2GxUOzL8W/KuJAJUCBRAtU0+bSF+rLyPZK+MBAXbrBACMzZ6PGi+uJG2J9NeE
Jn8PwpRkk/7zD3uUOvKTTK5NlZHsgIwPGlel0v7gmt7CeM4vtJbBczDjzBC8QEFT
ecCysQcygDjQx/F+BqXxt6eaCdYnOQjuyCjNT/7p6r0A+oLf3948NjJSvyqj7joe
Upbh76uh3Uy1CIhpB6WBHxXZt4kAVQIFEC1S+FpzkkNEqdCkwwEBGBYB/jqEb8vq
1ngC4/2MrV/jUAUbnFbmpvSj3KUxYMBHuklFaScU4tH40n2uyC5lhMJRgwibGLv2
eiXLIM8mMOueXY2JAFUCBRAtU0oxeYwYDHu3XYkBAZHZAfwMwsim26iMaMpOIca+
WKWH3NXCGcevRdJsEErPHixMPcUOsF87sONFts/Q2dOuVo3JobUhjBkRteqxrkS4
IQBTiQBFAgUQLVLzL3WexKsCfQvZAQFH6AF+P1Yo1YaEnu/V2Oj+CSVJ8NHzoyBp
XsCVcrbqiRF2Fhn3q6AO7MzT9/VKbiK0pu2iiQCVAgUQLTLvkXvqdyEN0ZzBAQFc
2AQAkYgL737nUU8odzPJlDXfSa6Du/3VTEVii7bF5vgxjL7D/cantCJZkUv8yTxh
PMQIe4d0hlDssIFCU5L5c4RnbBuO/zDsmJFTq1ODLCPfTm1fZzQo8KAS4RxPgSKg
z6sCfscubzYfL/2PNIkrvojnhVq1pjTE7lcKcSfZnU8NZL6JAJUCBRAsq0E3rUw4
AN3NE8EBAcvIBADE+bwgNWXmW3wipUvsEIV4er3lU7+FeVv/pdjdwkUiPuCgIrTO
QWW5PFoEfRXlwfVxGd50jFViKEHgJdPtRciuJIRN+8/pwvhdXi7eho5WSJxzDoG8
eYWdJKCbzBC/oLEyQ9Ax8tHxOfatmfc7Z98pEHycUuKLBOF88pRz009iVokAlQIF
ECzvjrw7HAeFeDyD8QEBWIwEAJZqnQIP+Jf6RoWzIG0cXiqmrxc7WXNMa4cjtn8d
o7DHIS4945clsz7uluFHLNFDueHKERDbuEXfCwPTsgpJoTpAwUe05s4GYZg8geQE
IbK+WaHnjms34o0ImQMz0ZDpSAMTCJ6hNiM2O7mU2vE2VyjR4naWHMHqAT8i7yaX
UvFniQCVAgUQLOVCtNInb3I+zzIlAQGABQQAhiuKBsFnyhxIkI3JvYXf1BUxX+SR
Az4abdRTi1sasHZ//Jb7AHzGC7lUcQEIAs3caglnkmjnygMoQgIonLQIgHFRgZNp
NNNpN0I5faKqB8Vt2CXNAnk7WhzwjnsoovbQOBbrPEJLSVVQJ8HsrUX3SaogOTEs
QUbC+Op4ZW6WYbmJAJUCBRAsw5rDoNrznbERpEEBAVNIA/9Z4SZfoIJifG0/B5F5
BuI48fR7XkdEDTmAUafzE6sZXhJD5I3eodWQNsSizdAI087YQ3rw/BJceampIRFH
1qujb1JJ67msFGi6M4Mj+lUR6xkYmVp+BeWOYEow0QFuQmjwC/QiKDqcsQ8nUGhJ
OtYsYE8DHk4v9b1QiDd9Pv8lm4kAVQIFECylQyzqmGPhIFVVVwEBzXcB/A+rjNiN
NfXA1ok9e9waJ7jdNc1VVMMVAzRJBowkJSCBWCksukITEYfLx5lU0sdP+hdQ0My5
vrbL20j/razMbniJAFUCBRAss8fkxdd5L3/TY4EBAR5WAgCb9C662oT88QNTtwAs
Quzx0MpL/aIbSLGA/kg11C26xHFE85MsmvuhuaJ6HEJ2kxmWZKphD5LGhyXt48GS
4MuQiQCVAgUQLKiTOt4nNf3ah8DHAQFQyAQAg6Zzhqhs849fdJMqLCqJ/9hp3i8H
OsYwJfKETPrzqjkLcLdONU1qkPPrvcu3e+wO/iDB8Qp8g+Q7aprQyfDUciWSjcSn
c8GlE1eaRCVaay0FPVvj/81uoiZvfTU5SLzxkOtsDsQKlFCSlsmUuMoHpgy5f1WG
bD+ChKX7kvavUNyJAEUCBRAsqFl0F104gJHtadUBAWEwAX0XrpGmZBKIFhhArAt/
BxZC9lMMy9jv/a+hV1bRK+QvKKC+M89KKHUpGDw2pbtAavyJAFUCBRAspGEUgYhh
dSF6OrkBAUCoAf44TQFEprYPprbYY+odAqosmL4f/Y+QJaHmO8N+eXkWe4EbnWTU
aWQ8j6pJj99ihL0Jn78QEDCfhTAh4Hq9Nyfo
=rgw5
-----END PGP PUBLIC KEY BLOCK-----

His key's bigger than mine! :-)

06/29/1994