At 05:35 PM 7/13/95 -0400, The Gate wrote:

Okay folks, here comes Mr. Newbie.

Duh...How can I figure out how to use pgp. Is there a good place to learn the background and basics in a step-by-step easy to understnad way? Duh... I think I wanna know...

The documentation that comes with PGP isn't bad; read the pgpdoc1 and pgpdoc2 files. (If you buy ViaCrypt, you get them in nice spiral-bound manuals, but it's basically the same stuff.) Here's an overview of the basics: - RSA public-key encryption lets you create a public encryption key which you can publish, so that other people can encrypt files that can only be decrypted with your private key. It also lets you sign files by decrypting them with your private key, which other people can check by encrypting with your public key to get the original message (or a hash of it) back. What makes this mathematically cool is that it does it in a way that takes exponentially long amounts of time to find your private key from the public key, so anybody who wants to crack a reasonably long key needs to run a big hairy computer for about the age of the planet to do so, but you can do decryption reasonably fast because you already know the private key, and the same algorithm works well for both encryption and digital signatures. - RSA encryption isn't very fast, so most real programs that use it encrypt the file with a conventional crypto algorithm (PGP uses IDEA) using a randomly chosen session key, and encrypt the session key with RSA; it's a lot faster. - The problem with public-key encryption is that anybody who wants to send you a message needs to be sure they've really got _your_ public key instead of a key that some Bad Guy published saying "Here's Alice's public key - trust me!". Since RSA can do digital signatures, PGP uses them to create a "Web of Trust", where you can sign a message saying "Here is Alice's key, signed Bob", and anybody who's got a good copy of your key (and trusts you) will know they've got a good copy of Alice's key. If they didn't get a copy of your key directly from you, they may have a message saying "Here's Bob's key, signed Carol", or maybe they got that and Carol's key, signed by Dave, and they know Dave personally so they've checked it with him. How big a Web of Trust can you trust? Well, you probably need more security if you're running a revolution than if you're trying to find out if a Usenet article is genuine or bogus, so PGP lets you choose, but the default is 4 levels deep. - OK, so how do you get PGP? - there's an occasional publication on the net that tells you where, but you can get it from ftp.ox.ac.uk by ftp with no hassle. Inside the US, you want version 2.6.2 for non-commercial use, and you have to buy ViaCrypt's licensed version if you want to sell services using it. Outside the US, the version's something like 2.6.2i or something ending in i. 3.0 will be out "Real Soon Now", probably in 1995, but it's hard work. Versions are available for DOS, Mac, Unix, and a few less popular OSs. ViaCrypt has a special Windows version; the rest of us Windows users can either run it from DOS or use a front-end program like Private Idaho (ftp.eskimo.com/joelm/) or WinPGP, available from popular FTP sites. If you're using the Unix version, it's assumed you know how to read readme files and compile using Make; DOS folks get binary as well as source and documentation. Unix folks will notice that the command line has this ugly DOS feel to it :-) - So you've got it installed and you've read the documentation, and messed with the config.txt file if you didn't like the default options, and now you want to do something. Type "pgp -h" to get help, or "pgp -k" to get help with keys for a reminder. Then type "pgp -kg" to generate a key - you probably want a 768-bit or 1024-bit key for normal use, unless you're paranoid or have a slow computer. Because RSA keys are long strings of binary data that are hard for humans to remember, PGP stores them in a file, encypted with IDEA, and will prompt you for a "passphrase" for the encryption. Make it something long and complicated enough to be secure, but easy for you to remember without writing it in a yellow sticky-note, and not blatantly obvious. You'll need to use it any time you decrypt a file somebody else sent you, or sign a file you're sending to someone else. You'll also need a name - typical format looks like Bob Dobbs <jrd@slack.com> which has your name and email address. Most of the time you'll just use an abbreviation and let pgp figure it out. To send your key to someone else, once you've generated it, type "pgp -kx Dobbs filename" and it'll create a file you can mail somebody else which will let them encrypt stuff to you. To decrypt a file you got from someone else, type "pgp filename", which will do the right thing for decryption, checking signatures, receiving new keys, etc. To encrypt a file to someone else, type "pgp -e filename theirname" and pgp will create a file called filename.asc (or filename.pgp if you don't have the ascii-armor option set, which you should.) To sign a file to send somebody, type "pgp -s filename", which will do the same, and there are various options you should read in the manual. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com