Pretty Good Privacy (PGP)


How can you encrypt and send a file to someone so that this person can decrypt it upon receipt, but no one else can decrypt it? One way would be to encrypt the file using the crypt command and then send the file via e-mail, having informed the recipient of the encryption key so that the recipient can decrypt the file. This is awkward, since you need to transmit the encryption key to the recipient separately from the message. For example, you could give the intended recipient the key in person, call this person on the phone to provide the key, or mail the key in a separate e-mail message (which is not terribly secure).

A better solution to this problem is provided by public-key cryptography In public-key cryptography there are separate encryption and decryption keys, and knowing an encryption key does not permit someone to determine (using a reasonable amount of computing resources) a decryption key With public-key cryptography you only need to look up the public key of the intended recipient in a public directory to encrypt a file that will be sent to this person.

Public-key cryptography was invented in the 1970s and began to be used in practice in the early 1980s. Public-key cryptography was introduced to the UNIX world when Philip Zimmerman implemented it in his Pretty Good Privacy (PGP) system, a system designed to encrypt e-mail, as well as other files, in the early 1990s. In the following years, PGP became extremely popular and was available for wide range of UNIX variants, including Linux, as well as for Windows PCs. In the mid-1990s, the U.S. government claimed that Zimmerman was violating export rules for cryptosystems by distributing PGP worldwide, leading to serious legal problems for Zimmerman and for PGP. After much controversy, the case against Zimmerman was finally dropped in 1996. Afterward, Zimmerman started a new company to produce new versions of PGP. However, because of the widespread use of different versions of PGP developed by different teams who had licensed PGP code, the need for a PGP standard became pressing. The Internet Engineering Task Force (IETF) has developed, and continues to develop, the OpenPGP standard. The OpenPGP standards specifies a protocol for encrypting and signing e-mail messages and for certificates used to securely exchange encryption keys.

Both commercial and noncommercial implementations of OpenPGP have been developed. We will briefly address the most popular of these, the GNU Privacy Guard (GPG) after we discuss PGP.

Obtaining and Installing PGP

You can obtain a freeware version of PGP at http://www.pgpi.com. You can download PGP 6.5 for AIX, HP-UX, Linux, and Solaris, and you download PGP source code for UNIX from this site. (This international site supports a wizard that can be used to download the appropriate version of PGP for your location and your operating system. Note that it is not allowed for someone outside of the United States to download PGP from a site in the United States.) If you intend to use PGP for commercial purposes, you can buy it from the PGP Corporation (http://www.pgp.com). A variety of products are also available that incorporate PGP into applications, such as sending e-mail and making voice calls over the Internet.

Downloading and installing PGP software is rather complicated. If you use a variant of UNIX other than AIX, HP-UX, Linux, or Solaris, you will have to compile programs to install PGP on your system. We will not cover how to do that task here. Rather, we refer you to a good reference, such as the book Practical PGP Privacy by Simson Garfinkel, for step-by-step instructions you can follow for downloading PGP and installing it on your machine. Instead, we will concentrate on how you can use PGP once it is installed and working on your system.

Configuring PGP

Before using PGP (assuming that it is installed on your system), you will need to create a special directory for PGP. Furthermore, you should set the value of a new environment variable, PGPPATH, to this directory First, create a subdirectory .pgp in your home directory, using the command

 $ mkdir .pgp

and then add the following line to your .profile:

 $ PGPPATH=/home/logname/.pgp; export PGPPATH

with logname replaced by your own logname. Next, you will need to generate your public encryption key, and the corresponding private decryption key To do this, you use the command

 $ pgp -kg

When you enter this command, PGP will prompt you for four different types of information.

First, you will be asked to select a key size. As long as you have a relatively fast machine, you should choose 1024 bits. (Messages are more secure when a larger key size is used, but the larger the key size, the longer it will take to encrypt and decrypt messages.)

Next, you will be prompted for a user ID for the key, which is the name that you and other people will use to refer to this key Usually, a user ID for a key is the name of a user followed by the user’s e-mail address enclosed in angle brackets, such as

 William J. Clinton <president@whitehouse.gov>

Once you have entered the user ID for the key, you will also be prompted for a pass phrase, which you will use to access your secret key As your pass phrase you should select a string of ASCII characters that you can easily remember but that should be difficult for someone else to figure out or guess, such as a string of nonsense words.

Caution 

If you forget your pass phrase, you will not be able to use your secret key.

Finally, PGP will ask you to do random typing so that it can generate some random numbers. PGP uses the timing to your keystrokes to generate these numbers, so it does not matter what you type. After you have finished responding to all these prompts, PGP generates the public encryption key and the corresponding private decryption key Generating these keys may take your system more than a minute, depending on how fast your system is, and the length of the key that you requested.

Key Rings and Key Servers

PGP uses key rings to store keys. You store your private secret decrypting key (or keys, if you have more than one) on one key ring and your public encrypting key and those of other people on another key ring. By default, your private secret key ring is kept in the file secring.pgp, and your public key ring, in pubring.pgp (although you can use other names for these files if you wish).

When someone else sends you a public key by sending a file containing it, you must add it to your key ring before you can encrypt messages using this key You do this using the command of the form

 $ pgp -ka file 

For example, to add Alice’s public key, which she sent you in the file alice.pgp, to your public key ring, you use the command

 $ pgp -ka alice.pgp

You can view the keys on any of your public key rings using the command

 $ pgp -kv keyring 

For example, to view the keys on your secret key ring, you simply provide the name of your secret key ring, such as

 $ pgp -kv secring.pgp

Someone who wants to send you a message encrypted with your public key must have access to this key The easiest way to give someone your public key is to copy your public key ring (after all, it is just a file). However, you probably should be more careful with this file, since whoever has this view can find out who your e-mail correspondents are.

A better method to give someone your public key is to extract your public key from your public key ring so that it can be shared. To do this, you use a command of the form

 $ pgp -kx userid keyfile 

where userid provides enough information to uniquely identify your key (such as just your name as described previously) and keyfile is the name of the file that will contain your public key For example, the command

 $ pgp -kx rosen rosen.pgp

would extract the public key of the user rosen, putting it in the file rosen.pgp. You provide the file keyfile (in this case, rosen.pgp) to people who will want to send you encrypted messages that you will be able to decrypt.

Another way to publicize your public key so that other people can use it is to send it to a public key server. A public key server acts as a repository of PGP public keys for many different people. A public key server performs the public service of accepting public keys from anyone and allowing anyone to access these keys. Another nice thing about public key servers is that they are interconnected. When you send a key to one of these public key servers, it automatically sends the key on to other public key servers.

You can access a PGP key server via the web at http://pgp.mit.edu/ or http://keyserver.veridis.com:11371/index.html. You can also use an e-mail-based PGP key server; go to http://www.uk.pgp.net/pgpnet/email-key-server-info.html for more information about this option.

Encrypting Files

To encrypt an ASCII file, such as a text message, using the public key of the intended recipient of the file, use a command of the form

 $ pgp -e file userid 

For example, to send the file memo.txt to Alice (who is a user already on your public key key ring), use the command

 $ pgp -e memo.txt Alice

This will produce a file memo.pgp, which is an encrypted version of memo.txt, encrypted using Alice’s public key Note that memo.pgp will be a binary file, so if you intend to use e-mail to send this file as text, you should also convert the encrypted file to ASCII. This can be done automatically using the -a option. For example,

 $ pgp -ea memo.txt Alice

encrypts the file memo.txt using Alice’s public key and converts the file into ASCII.

PGP also provides the -t option, used to ensure that text messages sent via e-mail to different types of systems have the appropriate line endings. (This is necessary, since on UNIX systems lines end with a line feed, on Macintosh systems lines end with a carriage return, and on Windows systems lines end with a carriage return and a line feed.) For example, to send the e-mail message message.txt to Alice, you should use

 $ pgp -eat message.txt Alice

Secure Signatures

You can use the -s option to automatically attach a signature to your message. This signature is encrypted using the same key that you use as your secret decrypting key For example, you can use the command

 $ pgp -sea memo.txt Alice

to send an encrypted version of the file memo.txt, encrypted with Alice’s public key and with a signature attached encrypted with your secret key, all converted into ASCII. When you enter this command, PGP will prompt you for your pass phrase. This is necessary, since your secret key must be accessed to produce your signature.

Decrypting Files

When you receive a file from someone else that was encrypted using your public key, you can decrypt it using a command of the form

  $ pgp file 

For PGP to decrypt this file, it needs to know your secret key. You will be asked by PGP for your pass phrase for your secret key PGP will attempt to decrypt the message using your key and will verify the secure signature of the sender, if the message has been signed, using the public key of the sender.

Advanced PGP Features

There is an extensive community of people who use PGP on a regular basis. We have only briefly introduced PGP here. If you intend to become a regular user of PGP, you will want to set up a PGP configuration file. You will also want to learn how to certify the validity of keys and of signatures. You will also want to learn how to revoke keys. And you will want to learn about levels of trust and how these are handled with PGP. For coverage of these and related topics, consult the references on PGP listed at the end of this chapter.




UNIX. The Complete Reference
UNIX: The Complete Reference, Second Edition (Complete Reference Series)
ISBN: 0072263369
EAN: 2147483647
Year: 2006
Pages: 316

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net