PGP for the Workstations
PGP (Pretty Good Privacy) is a high-security cryptographic software
application available for workstations, Macs and Windows 3.0 PCs here
at SDSC. This is an attempt to simplify the use of PGP on the workstations.
More detailed, and very entertaining, documentation is provided with PGP.
You may also see an SDSC sample session,
the FAQ for the newsgroup alt.security.pgp, or Dan Drobnis' webography from his
8/4/97 talk on PGP.
In very simplified form, typing
pgp -feast Rich -u Nancy < message | mail rich@sdsc.edu
will encrypt the file "message" so that only Rich can read it and will
authenticate that the message arrived unchanged from Nancy. There's a
bit more to it than this however, so you'll have to read the rest of
this message anyway. Sorry.
PGP can provide both encryption and authentication capabilities. Each
can work independently of the other, or they may be used together. They
are useful, among other things, for exchanging e-mail messages, for
signing/authenticating usenet postings, or for encrypting any document such
as a word-processing or spreadsheet file for secure storage or
transmission.
To get started, a user will need to generate both a public
and a secret PGP key for use in the encryption. Simplified, encryption
will allow anyone with a given user's public key to encrypt a message
to that user. The given user and only that user may then decrypt the
message using his or her own secret key.
Authentication works a bit in reverse. The sender uses his or her own
secret key to encrypt a message, thus "signing" the message. The
recipient can then use the public key of the sender to verify that this
is who the message came from, and that the message has not been altered.
Keys themselves must also be signed, verifying that they have not been
tampered with. It is very important that you sign your own public key,
as unsigned keys may be edited by anyone. The
Networking and Security group at SDSC will sign keys for
SDSC staff and make them available at ftp://ftp.sdsc.edu/pub/security/pgp-keys.
Simply mail your signed key to our key server:
To: pgp_sign@sdsc.edu
Subject: add
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6
public key characters are here
-----END PGP PUBLIC KEY BLOCK-----
One may then practice by encrypting and decrypting messages to oneself.
/usr/local/apps/pgp/bin/pgp -h will give a short summary of pgp commands.
There is a man page also, but it's a bit lengthy. Here is a brief
description of the necessary commands for encryption and authentication.
- pgp -kg
- Generates your own unique public/secret key pair.
- pgp -ks yourUserID -u yourUserID
- This signs your own key as you. This step is very important due to a
  bug in PGP which allows anyone to edit an unsigned key.
- pgp -ka keyfile [keyring]
- Will add someone's public key to your key ring (located in
  $HOME/.pgp/pubring.pgp).
- pgp -kv
- Lists the contents of your public key ring.
- pgp -e textfile Rich
- Creates an encrypted file, textfile.pgp, to "Rich", whose public key
  (in your keyring) you are using to encrypt the file.
- pgp -s textfile [-u Nancy]
- Signs a plain text file with Nancy's secret key, so that the recipient
  can verify that the message came from Nancy by using her public key.
  Without the -u option the first key on your secret key ring
  ($HOME/.pgp/secring.pgp) is used. Brackets indicate an optional field
  and do not need to be typed in.
- pgp -es textfile Rich [-u Nancy]
- Signs a file from Nancy (can be authenticated that it came from Nancy
  with Nancy's public key) and encrypts the file with Rich's public key
  (only Rich can decrypt it using his secret key).
Three more options which you will probably use in most cases are the
-t, -a and -f flags. The -t option is necessary if you are sending text
files to someone on a different computer system. This option will correctly
translate end of line characters in text files whether you are on a UNIX
machine, a Mac or a PC.
The -a option will produce an encrypted file in ASCII, necessary for sending
the file via e-mail. As e-mail file sizes are often limited to 50
kbytes, pgp will break the encrypted file into small enough chunks labelled
.as1, .as2, etc. No special flags are required for decryption.
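What the -a output looks like on the wire, as an added example (not code from PGP or SDSC): radix-64 armor carries a CRC-24 checksum line, and the parser below rejects a block that was damaged in the mail. The function names, the 64-column wrap and the sample bytes are assumptions made for illustration; the CRC only catches accidental corruption, so key and message authenticity still depend on signatures.

```python
import base64
import binascii

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # armor CRC constants (RFC 4880, sec. 6.1)

def crc24(data: bytes) -> int:
    """CRC-24 over the raw (pre-radix-64) bytes, as carried in PGP armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, label: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap bytes in armor: headers, blank line, radix-64 body, '=' + CRC line."""
    b64 = base64.b64encode(data).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # 64 columns assumed
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {label}-----", "Version: 2.6", "",
                      *body, check, f"-----END {label}-----"]) + "\n"

def dearmor(text: str) -> bytes:
    """Return the decoded bytes, or raise ValueError if the block is damaged."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not (lines[0].startswith("-----BEGIN ")
                              and lines[-1].startswith("-----END ")):
        raise ValueError("missing armor delimiters")
    try:
        blank = lines.index("")  # headers end at the first blank line
    except ValueError:
        raise ValueError("no blank line after armor headers") from None
    *body, check = lines[blank + 1:-1]
    if not check.startswith("=") or len(check) != 5:
        raise ValueError("missing CRC line")
    try:
        data = base64.b64decode("".join(body), validate=True)
        want = int.from_bytes(base64.b64decode(check[1:], validate=True), "big")
    except binascii.Error as exc:
        raise ValueError(f"bad radix-64 data: {exc}") from None
    if crc24(data) != want:
        raise ValueError("CRC-24 mismatch: block was altered or truncated")
    return data

# Constructed sample bytes standing in for key material; not a real PGP key.
SAMPLE = bytes(range(100))
```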
The -f option will allow filters from standard input and standard output.
Now to put the whole thing together:
pgp -feast Rich -u Nancy < message | mail rich@sdsc.edu
will mail the text file "message" to Rich, encrypting and authenticating it.
pgp -feast Rich -u Nancy | mail rich@sdsc.edu
will put you right into mail, allowing you to type a message. End the
session with a ^D.
Conventional encryption (without keys) is also available and is useful
when the same person will be doing the encryption and decryption.
- pgp -c textfile
- Encrypts a file.
- pgp textfile.pgp [-o filename]
- Decrypts a file, with the option to rename it.
IMPORTANT POINTS:
Maintain physical control of both your public key ring and your secret key.
Keep them on a home system or on a write-protected, removable disk which
you keep with you. Keep backup copies of your secret key, as losing this
will make all copies of your public key useless. Note: This depends upon
your level of paranoia. You may only want to keep your secret key offline.
A "PGP Quick Reference", suitable for framing, follows. This was taken
from Volume I of the PGP(tm) User's Guide.
PGP Quick Reference
===================
Here's a quick summary of PGP commands.
- To encrypt a plaintext file with the recipient's public key:
- pgp -e textfile her_userid
- To sign a plaintext file with your secret key:
- pgp -s textfile [-u your_userid]
- To sign a plaintext ASCII text file with your secret key, producing a
signed plaintext message suitable for sending via E-mail:
- pgp -sta textfile [-u your_userid]
- To sign a plaintext file with your secret key, and then encrypt it
with the recipient's public key:
- pgp -es textfile her_userid [-u your_userid]
- To encrypt a plaintext file with just conventional cryptography, type:
- pgp -c textfile
- To decrypt an encrypted file, or to check the signature integrity of a
signed file:
- pgp ciphertextfile [-o plaintextfile]
- To encrypt a message for any number of multiple recipients:
- pgp -e textfile userid1 userid2 userid3
--- Key management commands:
- To generate your own unique public/secret key pair:
- pgp -kg
- To add a public or secret key file's contents to your public or
secret key ring:
- pgp -ka keyfile [keyring]
- To extract (copy) a key from your public or secret key ring:
- pgp -kx userid keyfile [keyring]
- or: pgp -kxa userid keyfile [keyring]
- To view the contents of your public key ring:
- pgp -kv[v] [userid] [keyring]
- To view the "fingerprint" of a public key, to help verify it over
the telephone with its owner:
- pgp -kvc [userid] [keyring]
- To view the contents and check the certifying signatures of your
public key ring:
- pgp -kc [userid] [keyring]
- To edit the userid or pass phrase for your secret key:
- pgp -ke userid [keyring]
- To edit the trust parameters for a public key:
- pgp -ke userid [keyring]
- To remove a key or just a userid from your public key ring:
- pgp -kr userid [keyring]
- To sign and certify someone else's public key on your public key ring:
- pgp -ks her_userid [-u your_userid] [keyring]
- To remove selected signatures from a userid on a keyring:
- pgp -krs userid [keyring]
- To permanently revoke your own key, issuing a key compromise
certificate:
- pgp -kd your_userid
- To disable or reenable a public key on your own public key ring:
- pgp -kd userid
--- Esoteric commands:
- To decrypt a message and leave the signature on it intact:
- pgp -d ciphertextfile
- To create a signature certificate that is detached from the document:
- pgp -sb textfile [-u your_userid]
- To detach a signature certificate from a signed message:
- pgp -b ciphertextfile
--- Command options that can be used in combination with other
command options (sometimes even spelling interesting words!):
- To produce a ciphertext file in ASCII radix-64 format, just add the
-a option when encrypting or signing a message or extracting a key:
- pgp -sea textfile her_userid
- or: pgp -kxa userid keyfile [keyring]
- To wipe out the plaintext file after producing the ciphertext file,
just add the -w (wipe) option when encrypting or signing a message:
- pgp -sew message.txt her_userid
- To specify that a plaintext file contains ASCII text, not binary, and
should be converted to recipient's local text line conventions, add
the -t (text) option to other options:
- pgp -seat message.txt her_userid
- To view the decrypted plaintext output on your screen (like the
Unix-style "more" command), without writing it to a file, use
the -m (more) option while decrypting:
- pgp -m ciphertextfile
- To specify that the recipient's decrypted plaintext will be shown
ONLY on her screen and cannot be saved to disk, add the -m option:
- pgp -steam message.txt her_userid
- To recover the original plaintext filename while decrypting, add
the -p option:
- pgp -p ciphertextfile
- To use a Unix-style filter mode, reading from standard input and
writing to standard output, add the -f option:
- pgp -feast her_userid <inputfile >outputfile
For more information contact support@sdsc.edu