CYPHER-REBELS ELECTRONIC BOOK (CEB) SEPTEMBER 05, 1994 LABOR DAY ISSUE PREMIERE ISSUE Publisher Gary Lee Jeffers A compendium of the best software & info for today's electronic privacy freedom fighters. This text may be distributed in part or in full anywhere you want. It may be given away freely or copies may be sold. CEB wants to be free & valuable. TABLE OF CONTENTS Chapter 1. PGP general. Section 2: Michael Johnson's PGP FAQ contribution Chapter 2. Steganography. "A picture is worth a thousand words." Chapter 3. Shells for PGP Section 1. David Merriman's WinPGP26.ZIP Section 2. Ross Barclay's WinFront 3.0 Chapter 4. Generally cool things. Section 1. Loompanics sources. Section 2. Viruses sources. Chapter 5. Getting the Cypherpunks' archived & indexed list. Chapter 6. Remailers & chained remailers. Chapter 7. Current problems in Crypt. CCCCCCCCCC YYYY YYYY PPPPPP HH HH EEEEEEE RRRRRRRRR CCCCCCCCCC YY YY PP PP HH HH EEEEEEE RRRRRRRRR CCC YY YY PP PP HH HH EE RR RR CCC YY YY PPPPPP HHHHHHHH EE RR RR CCC YYY PP HHHHHHHH EEEEEEE RR RR CCC YYY PP HH HH EEEEEEE RRRRRRRR CCC YYY PP HH HH EE RRRRRRR CCC YYY PP HH HH EE RRRRRR CCCCCCCCCC YYY PP HH HH EE RR RR CCCCCCCCCCC YYY PP HH HH EEEEEEE RR RR PP HH HH EEEEEEE RR RR RRRRRRRRRRR RR RR RRRRRRRRRRRRRR EEEEEEEEE RRRRRRRRRRR EEEEEEEEEEE BBBBBBBB EEEEEEEEEE SSSSSSS RRRRRRRR EEEEEEEEE BBBBBBBBBBB EE EEEEEEE SSSSSSSSS RR RRRR EEEEEEEEEE BBBBBBBBBB EEEEEEE SSSSSSSSS RRR RRRR EEEEEEEE BBBBBBBB EEEEEEE SSSSSSSS RRR RRRRR EEEEEE BBBBBB EEEEEEEE SSSSSSSSS RRRRRRRRRRRRRR EEEEEEE BBB EEEEEEEEEEE SSSSSSSSSS RRRRRRRRRRRRRR EEEEEEEEEE BB EEEEEEEEEEE SSSSSSS RRRRRRR RRRR EEEEEEEEEE BBB EEEEEEEEEEEEEE SSSSSSSSSSSSS RRR RRRRR EEEEEEEEEEEE BBBBB EEEEEEEEEEEEEEE SSSSSSSSSSSS RRRRR RR EEEEEEEE BBBBBBB EEEEEEEEE SSSSSSSSSS RR RRRRR EEEEEE BBBBBBBBB EEEEEEE SSSSSSSSSS RR RRRRR EEEEEE BBBBBBBBB EEEEEEE SSSSSSSSSS RRR RRRRRR EEEEEEEEEEE BBBBBBBB EEEEEEEEEEEE SSSSSSSSSSS RRRR RRRRRRR EEEEEEEEEEEEE BBBBBBB EEEEEEEEEEEEE SSSSSSSSSSSS PPPPPPPPPPP GGGGGGGGG PPPPPPPPPPP PPPPPPPPPPP GGGGGGGGG PPPPPPPPPPP PPP PP GGG PPP PP PPPPPPPPPPPP GGG GGGGGGG PPPPPPPPPPP PPPPPPPPPP GGG GGGGGGG PPPPPPPP PPP GGG GG PPP PPP GGGGGGGGGGGGG PPP PPP GGGGGGGGGGGG PPP Chapter 1. PGP general. PGP is Pretty Good Privacy from Phil Zimmermann. It is currently the best available encryption available to civilians at large. Zimmermann is the programmer on the original PGP versions but now, apparently, just guides other programmers in making improved versions. PGP uses two encryption algorithms: RSA for its Public Key powers & IDEA for its bulk encryption. The advantages of PGP over other crypt/decrypt systems are: 1. RSA algorithm. Allows users to communicate without needing a secure channel to exchange keys. - PUBLIC KEY ENCRYPTION. 2. The program system has been very well done & has huge development support. 3. It has huge popularity. 4. Security is guaranteed with distribution of source code & public investigation. 5. Its free. 6. Both RSA & IDEA are "STRONG" algorithms. MIT,s PGP 2.6 has the blessing of Zimmermann. PGP 2.6 ui is believed to have Zimmermann's approval because he has not attacked it. It is believed that Zimmermann will not endorse the ui version due to possible legal problems. Section 2: Michael Johnson's PGP FAQ contribution From: Michael Paul Johnson <mpj@netcom.com> Subject: Where to get the latest PGP (Pretty Good Privacy) FAQ To: cypherpunks@toad.com -----BEGIN PGP SIGNED MESSAGE----- WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) (Last modified: 11 August 1994 by Mike Johnson) WHAT IS THE LATEST VERSION? There is more than one latest version. Pick one or more of the following that best suits your computer, patent restrictions, and export restrictions. Some countries (like France) may also restrict import or even use of strong cryptography like PGP. |-----------------|--------------|-------------|---------------------| | Platform(s) | Countries | Allowed Use | Latest Version | |-----------------|--------------|-------------|---------------------| | DOS, Unix, | USA & Canada | Commercial | Viacrypt PGP 2.7 | | or WinCIM/CSNav | | Personal | | | | | Research | | |-----------------|--------------|-------------|---------------------| | DOS, Unix, Mac, | USA & Canada | Personal | MIT PGP 2.6 | | OS/2, others | | Research | | |-----------------|--------------|-------------|---------------------| | DOS, Unix, Mac, | Most of the | Personal | PGP 2.6ui | | OS/2, others | world except | Research | ui=unofficial | | | the USA. | | international | |-----------------|--------------|-------------|---------------------| | Mac Applescript | Most of the | Personal | MacPGP 2.6ui v 1.2 | | | world except | Research | | | | the USA. | | | |-----------------|--------------|-------------|---------------------| | Mac Applescript | USA | Research | MacPGP 2.6ui v 1.2 | |-----------------|--------------|-------------|---------------------| | Amiga | Most of the | Personal | Amiga PGP 2.3a.4 | | | world except | Research | | | | the USA. | | PGPAmi23a_4.lha | |-----------------|--------------|-------------|---------------------| | Amiga | USA | Personal | Amiga PGP 2.6 0b0.6 | | | | Research | | |-----------------|--------------|-------------|---------------------| | Atari | Most of the | Personal | Atari PGP 2.3a | | | world except | Research | | | | the USA. | | | |-----------------|--------------|-------------|---------------------| | Atari | USA | Research | Atari PGP 2.3a | |-----------------|--------------|-------------|---------------------| | Any of the | Countries | Commercial | Any of the above | | above | where IDEA | Personal | | | | is not | Research | | | | patented and | | | | | cryptography | | | | | is not | | | | | restricted. | | | |-----------------|--------------|-------------|---------------------| Note: there are other versions available, but these are either old, or outside of the mainstream PGP project. Look for new versions from one of three sources: Viacrypt (Commercial), MIT (North American freeware), or mathew@mantis.co.uk (the unofficially non-designated holder of the unofficial international version that parallels what Philip Zimmermann and the rest of the PGP development team is doing in the USA. Note that the MIT PGP 2.6 is illegal to export from the USA or Canada, but using it outside of the USA and Canada for noncommercial use is not illegal in most countries. In spite of the best efforts of MIT and the other primary developers and distributors of PGP not to violate the International Traffic in Arms Regulations, MIT PGP 2.6 is available on some of the same sites listed for PGP 2.6ui, below. The noncommercial use restriction comes from both the RSAREF license and the patent on the IDEA cipher in Europe and North America. WHAT IS ALL THIS NONSENSE ABOUT EXPORT CONTROLS? For a detailed rant, get ftp://ftp.csn.net/mpj/cryptusa.zip The practical meaning, until the law is corrected to make sense, is that you are requested to get PGP from sites outside of the USA and Canada if you are outside of the USA and Canada. If you are in France, I understand that you aren't even supposed import it. Other countries may be worse. WHAT IS THE "TIME BOMB" IN MIT PGP 2.6? As a concession to the RSA patent holders (in return for endorsement of the legality of the freeware MIT PGP 2.6), MIT placed an inducement in MIT PGP 2.6 to encourage upgrade from the alledgedly patent-infringing PGP 2.3a to the MIT version. The nature of this inducement is a change in a packet ID byte that causes PGP 2.3a and earlier to reject messages created by MIT PGP 2.6 after 1 September 1994. Altering MIT PGP 2.6 to bypass this annoyance (though technically an easy change to the LEGAL_KLUDGE), invalidates the blessing of Public Key Partners on the licence of MIT PGP 2.6. Therefore, it is a bad idea. On the other hand, it is trivial to hack PGP 2.3a to accept these packets, and that (plus a few other bug fixes) is essentially what PGP 2.6ui is. None of the versions of PGP greater than 2.3 have problems reading the old packet ID values, so for maximum compatibility, the ideal is to write the old value and accept either value. Unfortunately, this time bomb has a negative effect on Viacrypt PGP 2.4, as well, which never infringed on anyone's patents. Viacrypt's solution was to issue PGP 2.7, which, by default acts just like MIT PGP 2.6, but has a config.txt option (explained in the release) that allows compatibility with both PGP 2.4 and PGP 2.6. Naturally, this also allows compatibility with PGP 2.3a. The time bomb is annoying for those who still wish to use PGP 2.3a, and for those who use Viacrypt PGP 2.4 and don't want to spend US$10 to upgrade to Viacrypt PGP 2.7, but considering the magnitude of the concession made by Public Key Partners in legitimizing the freeware PGP for use in the USA, it was worth it. ARE MY KEYS COMPATIBLE WITH THE OTHER PGP VERSIONS? If your RSA key modulus length is less than or equal to 1024 bits (I don't recommend less, unless you have a really slow computer and little patience), and if your key was generated in the PKCS format, then it will work with any of the mainstream PGP versions (PGP 2.3a, Viacrypt PGP 2.4, MIT PGP 2.6, PGP 2.6ui, or Viacrypt PGP 2.7). If this is not the case, you really should generate a new key that qualifies. Philip Zimmermann is aware of the desire for longer keys in PGP by some PGP fans (like me), but wants to migrate towards that goal in an orderly way, by first releasing versions of PGP in for all platforms and for both commercial (Viacrypt) and freeware (MIT) flavors that ACCEPT long keys, then releasing versions that can also GENERATE long keys. He also has some other neat key management ideas that he plans to implement in future versions. WHAT ARE THE KNOWN BUGS IN PGP? These are the most annoying: MIT PGP 2.6 -- the function xorbytes doesn't. Replace the = with ^= to fix it. The effect of this bug is that RSA keys aren't quite as random as they should be -- probably not a practical problem, but worth fixing if you are going to compile the code yourself. MIT PGP 2.6 -- DON'T SET PGPPASS when editing your keys, because if you do, and if you don't change your pass phrase, the key is lost. (If this happens, rename your backup keyring files to the primary files before you do anything else). PGP 2.6ui -- Conventional encryption -c option doesn't use a different IV every time, like it is supposed to. (PGP 2.3a had this problem, too). WHERE CAN I GET VIACRYPT PGP? Versions are available for DOS, Unix, or WinCIM/CSNav Commercial software. Call 800-536-2664 to order. If you are a commercial user of PGP in the USA or Canada, contact Viacrypt in Phoenix, Arizona, USA. The commecial version of PGP is fully licensed to use the patented RSA and IDEA encryption algorithms in commercial applications, and may be used in corporate environments in the USA and Canada. It is fully compatible with, functionally the same as, and just as strong as the freeware version of PGP. Due to limitations on ViaCrypt's RSA distribution license, ViaCrypt only distributes executable code and documentation for it, but they are working on making PGP available for a variety of platforms. Call or write to them for the latest information. The latest version number for their version of PGP is 2.7. Upgrade from Viacrypt PGP 2.4 to 2.7 is free if you bought version 2.4 after May 27, 1994, otherwise the upgrade is US$10. Viacrypt's licensing and price information is as follows: ViaCrypt PGP for MS-DOS 1 user $ 99.98 ViaCrypt PGP for MS-DOS 5 users $ 299.98 ViaCrypt PGP for MS-DOS 20 users or more, call ViaCrypt ViaCrypt PGP for UNIX 1 user $ 149.98 ViaCrypt PGP for UNIX 5 users $ 449.98 ViaCrypt PGP for UNIX 20 users or more, call ViaCrypt ViaCrypt PGP for WinCIM/CSNav 1 user $ 119.98 ViaCrypt PGP for WinCIM/CSNav 5 user $ 359.98 ViaCrypt PGP for WinCIM/CSNav 20 users or more, call ViaCrypt If you wish to place an order please call 800-536-2664 during the hours of 8:30am to 5:00pm MST, Monday - Friday. They accept VISA, MasterCard, AMEX and Discover credit cards. If you have further questions, please feel free to contact: Paul E. Uhlhorn Director of Marketing, ViaCrypt Products Mail: 2104 W. Peoria Ave Phoenix AZ 85029 Phone: (602) 944-0773 Fax: (602) 943-2601 Internet: viacrypt@acm.org Compuserve: 70304.41 WHERE CAN I GET MIT PGP? MIT PGP is Copyrighted freeware. Telnet to net-dist.mit.edu, log in as getpgp, answer the questions, then ftp to net-dist.mit.edu and change to the hidden directory named in the telnet session to get your own copy. MIT-PGP is for U. S. and Canadian use only, but MIT is only distributing it within the USA (due to some archaic export control laws). 1. Read ftp://net-dist.mit.edu/pub/PGP/mitlicen.txt and agree to it. 2. Read ftp://net-dist.mit.edu/pub/PGP/rsalicen.txt and agree to it. 3. Telnet to net-dist.mit.edu and log in as getpgp. 4. Answer the questions and write down the directory name listed. 5. QUICKLY end the telnet session with ^C and ftp to the indicated directory on net-dist.mit.edu (something like /pub/PGP/dist/U.S.-only-????) and get the distribution files (pgp26.zip, pgp26doc.zip, pgp26src.tar.gz, MacPGP2.6.sea.hqx, and MacPGP2.6.src.sea.hqx). If the hidden directory name is invalid, start over at step 3, above. File names (shortened file names are for DOS BBS distribution): pgp26doc.zip - documentation only pgp26.zip - includes DOS executable & documentation pgp26src.zip - source code pgp26src.tar or pgp26src.tar.gz - source code release for Unix and others macpgp26.hqx or MacPGP2.6.sea.hqx - Macintosh executable & documentation macpgp26.src or MacPGP2.6.src.sea.hqx - Macintosh source code mcpgp268.hqx or MacPGP2.6-68000.sea.hqx - Macintosh executable for 68000 pgp26os2.zip - OS/2 executable (may not be on the MIT archive) RSA and IDEA algorithms licenced for personal and noncommercial use. Uses RSAREF, which may not be modified without RSADSI permission. Contains "time bomb" to start generating messages incompatible with PGP 2.3 and 2.4 on 1 September 1994 as an incentive for people to not use PGP 2.3a in the USA, which RSADSI claims infringes on their patents. Mac versions are not yet Applescriptable. This version is not intended for export from the USA and Canada due to the USA's International Traffic in Arms Regulations and Canada's corresponding regulations. You can also get MIT PGP 2.6 from: ftp.csn.net/mpj ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/pgp26.zip ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/pgp26src.zip ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/pgp26os2.zip ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/pgp26src.tar.gz ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/mac MacPGP2.6.sea.hqx MacPGP2.6.src.sea.hqx MacPGP2.6-68000.sea.hqx ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/amiga/ pgp26-amiga0b0.6-000.lha pgp26-amiga0b0.6-020.lha pgp26-amiga0b0.6-src.lha amiga.txt See ftp://ftp.csn.net/mpj/README.MPJ for the ??????? See ftp://ftp.csn.net/mpj/help for more help on negotiating this site's export control methods. ftp.netcom.com/pub/mpj ftp://ftp.netcom.com/mpj/I_will_not_export/crypto_???????/pgp/pgp26.zip ftp://ftp.netcom.com/mpj/I_will_not_export/crypto_???????/pgp/pgp26src.tar.gz ftp://ftp.netcom.com/pub/mpj/I_will_not_export/crypto_???????/pgp/ MacPGP2.6.sea.hqx ftp://ftp.netcom.com/pub/mpj/I_will_not_export/crypto_???????/pgp/ MacPGP2.6.src.sea.hqx MacPGP2.6-68000.sea.hqx See ftp://ftp.netcom.com/pub/mpj/README.MPJ for the ??????? See ftp://ftp.netcom.com/pub/mpj/help for more help on negotiating this site's export control methods. TO GET THESE FILES BY EMAIL, send mail to ftp-request@netcom.com containing the word HELP in the body of the message for instructions. You will have to work quickly to get README.MPJ then the files before the ??????? part of the path name changes again (several times a day). ftp.eff.org Follow the instructions found in README.Dist that you get from one of: ftp://ftp.eff.org/pub/Net_info/Tools/Crypto/README.Dist gopher.eff.org, 1/Net_info/Tools/Crypto gopher://gopher.eff.org/11/Net_info/Tools/Crypto http://www.eff.org/pub/Net_info/Tools/Crypto/ COMPUSERVE The NCSA Forum sysops have a library that is available only to people who send them a message asserting that they are within the U. S. A. This library contains PGP. I have also seen PGP 2.6 in some other places on Compuserve. Try searching for PGP26.ZIP in the IBMFF forum for up-to-date information on PGP in selected other areas. The last time I tried a search like this, PGP 2.6 was found in the PC World Online forum (GO PWOFORUM) new uploads area, along with several PGP shells and accessories. I've also heard that EUROFORUM caries PGP 2.6ui, but have not confirmed this. Compuserve file names are even more limited than DOS, so the file names to look for are PGP26.ZIP, PGP26S.ZIP (source code), and PGP26D.ZIP (documentation only). Colorado Catacombs BBS Mike Johnson, sysop Mac and DOS versions of PGP, PGP shells, and some other crypto stuff. Also the home of some good Bible search files and some shareware written by Mike Johnson, including DLOCK, CRYPTA, CRYPTE, CRYPTMPJ, MCP, MDIR, DELETE, PROVERB, SPLIT, ONEPAD, etc. v.FAST/v.32bis/v.42bis, speeds up to 28,800 bps 8 data bits, 1 stop, no parity, as fast as your modem will go. Use ANSI terminal emulation, of if you can't, try VT-100. Free access to PGP. If busy or no answer, try again later. Log in with your own name, or if someone else already used that, try a variation on your name or pseudonym. You can request access to crypto software on line, and if you qualify legally under the ITAR, you can download on the first call. Download file names: pgp26.zip (DOS version with documentation) pgp26src.tar (Unix version and source code) pgp26doc.zip (Documentation only -- exportable) macpgp26.hqx (MacPGP executables, binhexed .sea) macpgp26.src (MacPGP source, binhexed .sea) mcpgp268.hqx (MacPGP executables, binhexed .sea for 68000 processor). (303) 772-1062 Longmont, Colorado number - 2 lines. (303) 938-9654 Boulder, Colorado number forwarded to Longmont number intended for use by people in the Denver, Colorado area. Verified: This morning. Hieroglyphics Voodoo Machine (Colorado) Jim Still (aka Johannes Keppler), sysop. DOS, OS2, and Mac versions. (303) 443-2457 For free access for PGP, DLOCK, Secure Drive, etc., log in as "VOO DOO" with the password "NEW" (good for 30 minutes access to free files). Other BBS and ftp sites do have these files, as well. I noticed that PGP26.ZIP is being distributed on FIDONET. WHERE CAN I GET PGP FOR USE OUTSIDE OF THE USA? The latest for outside the USA is the "Unofficial International" PGP 2.6 for most platforms, MacPGP 2.3aV1.2 for the Mac (although 2.6ui is under development and should appear very soon), and 2.3a.4 for the Amiga. The latest amiga version is fully compatible with MIT's PGP 2.6. Copyrighted freeware. Version 2.6ui released by mathew@mantis.co.uk. Amiga version 2.3a4 released by Peter Simons <simons@peti.gun.de> These versions do NOT use RSAREF. No RSA patent problems outside the USA, but this version is not legal for commercial or extensive personal use in the USA. IDEA licensed for presonal use only in countries where the IDEA patent holds. The freeware version of PGP is intended for noncommercial, experimental, and scholarly use. It is available on thousands of BBSes, commercial information services, and Internet anonymous-ftp archive sites on the planet called Earth. This list cannot be comprehensive, but it should give you plenty of pointers to places to find PGP. Although the latest freeware version of PGP was released from outside the USA (England), it is not supposed to be exported from the USA under a strange law called the International Traffic in Arms Regulations (ITAR). Because of this, please get PGP from a site outside the USA if you are outside of the USA and Canada. Even though the RSAREF license associated with PGP 2.6 from MIT no longer prohibits use outside the USA, it still carries the not-for-profit restriction that the original RSA code in PGP 2.6ui doesn't have. On the other hand, patents on the IDEA cipher may limit PGP use in your country to nonprofit applications, anyway. Indeed, I understand that there are some countries where private electronic mail is not legal, anyway. These listings are subject to change without notice. If you find that PGP has been removed from any of these sites, please let me know so that I can update this list. Likewise, if you find PGP on a good site elsewhere (especially on any BBS that allows first time callers to access PGP for free), please let me know so that I can update this list. Source code (gzipped tar format): * _UK:_ ftp://ftp.demon.co.uk/pub/pgp/pgp26ui-src.tar.gz * _UK:_ ftp://ftp.demon.co.uk/pub/pgp/pgp26ui-src.tar.gz.sig * _IT:_ ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp26ui-src.tar.gz * _IT:_ ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp26ui-src.tar.gz.sig.gz * _TW:_ ftp://nctuccca.edu.tw/PC/wuarchive/pgp/pgp26ui-src.tar.gz * _TW:_ ftp://nctuccca.edu.tw/PC/wuarchive/pgp/pgp26ui-src.tar.gz.sig.gz Source code (zip format): * _UK:_ ftp://ftp.demon.co.uk/pub/pgp/pgp26uis.sig * _UK:_ ftp://ftp.demon.co.uk/pub/pgp/pgp26uis.zip * _IT:_ ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp26uis.sig * _IT:_ ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp26uis.zip * _TW:_ ftp://nctuccca.edu.tw/PC/wuarchive/pgp/pgp26uis.zip Executable for DOS (zip format): * _UK:_ ftp://ftp.demon.co.uk/pub/pgp/pgp26uix.sig * _UK:_ ftp://ftp.demon.co.uk/pub/pgp/pgp26uix.zip * _IT:_ ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp26uix.sig