Subject: MJRB-XTRA: MC_O7 >>Security and Encryption - Part 1<<
This lesson and the next are authored by Noel Bell
and are his contribution to the course. I
wish to thank Noel for his excellent articles.
-- Prof --
MJRB-XTRA: MC_O7 >>Security and Encryption - Part 1<<
-----BEGIN PGP SIGNED MESSAGE-----
*****************************************************************
OVERVIEW
*****************************************************************
Part 1.
Introduction.
Public Key Encryption.
PGP.
Which version to use?.
Where to get it from?.
Part 2.
How to set up PGP.
Prove that your copy is genuine.
Install PGPn123.
Sign a message.
Encrypt and Decrypt a message.
Publishing your key - the key servers.
Further information.
The Legal Bit.
*****************************************************************
INTRODUCTION
*****************************************************************
As we use e-mail and electronic communication more and more to
talk to other people and to pass business and financial
information, the need to protect our privacy becomes more
important. We would not consider sending our credit card details
on the back of a postcard when making an order, so why should we
send an e-mail with the same details, which is accessible to any
relatively unsophisticated hacker. How many of you have clicked
the wrong button on your mail client and sent a message to the
wrong person ? (or worse still, to a complete mailing list!) In
the same way that we would enclose a snail-mail order with our
financial details in a sealed envelope, we should also enclose
our e-mail order in some form of sealed envelope which cannot be
opened or read by others apart from the intended recipient. It is
easy to scan electronic mail for keywords, and intercept those of
interest. International telegraphic messages are believed to be
already scanned in such a manner by various government
intelligence services. It has also been seen recently that
hackers seem to have no problems plundering web-sites and
electronic mailboxes, making it a simple matter to steal orders
with credit card details.
Over the years, many governments, including the USA, have made
great attempts to ban the use of strong crytography by private
citizens, as it restricts the ability of intelligence services
to monitor mail (electronic or otherwise).
There was a time when encryption was only available to
governments and the military because of the technology required.
Research over the last few years, including the development
of Public Key Cryptography, have now made strong encryption
available to anyone with a computer, be it a mainframe, PC,
Macintosh, or any one of several other popular home computers
with various operating systems.
There is also at times a need to be able to authenticate an
e-mail message with a signature, as we do at present in
snail-mail, by signing a letter. For example, This lesson is
electronically signed by me, and can be proven to have come only
from me, and the body of the lesson between the line which says:
"-----BEGIN PGP SIGNED MESSAGE-----" and the line which says:
"-----BEGIN PGP SIGNATURE-----" can be shown to be unaltered. The
good news is that by the end of this lesson, you will be able to
check that yourself.
*****************************************************************
PUBLIC KEY ENCRYPTION
*****************************************************************
I don't wish to get involved in the mathematics of cryptography,
which is an extremely complex subject. I don't intend either,
apart from the most general of descriptions, to try and explain
the internal workings of any encryption programme. I consider
that best left to the experts, so I'll restrict this to what we
need to know to use crypto safely. My mathematical ability is
pathetic anyway. :-) A good description of the internal workings
of PGP is given in Appendix II of the PGP FAQs. (See below)
There are several forms of conventional (or symmetrical)
encryption available at present, most of which require the use of
a password (or pass phrase) to encrypt and then to decrypt a
message. These suffer from one fundamental weakness. As the same
password is required both to encrypt the message and to decrypt
it, the sender needs a secure method of sending the password to
the recipient, so the sender might as well just send the
recipient a message by the same secure route. How, for example,
would you send me an conventionally encrypted e-mail, as you
have probably never met me?
Public Key Encryption (asymmetric encryption) requires two
mathematically linked keys (linked by the two prime factors of a
VERY large number). Public Key Encryption is, therefore, the
process of encrypting (or mixing) a message with one key (the
PUBLIC key) which can only be decrypted by it's corresponding
other key (the SECRET key). As the public key cannot decrypt
anything, it can therefore be published anywhere, and can be made
publicly available. (More about this later). One of the things
the user has to do at the early stages of installing a public key
encryption programme is to create his or her own "key pair".
*****************************************************************
PGP
*****************************************************************
PGP stands for "Pretty Good Privacy", an encryption program
written by Philip Zimmermann in the USA, with the intention of
providing Public Key Encryption for the Masses. PGP has over a
period of years challenged mathematicians and cryptographers
around the world, who have so far been unable to crack PGP when
used with a lengthy key (more about keys later), and has become
the generally accepted international encryption standard. PGP was
originally published as "freeware" source code. The author's
philosophy was, that expert cryptographers and mathematicians
could then challenge, and attempt to attack any apparent flaws in
the encryption algorithms. One or two flaws were found in early
versions. The other benefit was that others people then "ported"
the software to many different operating systems. As a result,
PGP is currently available for the following platforms:
DOS (with DOS and Windows shells).
Windows 32bit (Windows NT and Windows 95) Text Mode.
OS/2.
Apple Macintosh.
Amiga.
Atari.
Archimedes.
Source code for other platforms, or just for you to examine.
PGP is described by its author as follows:
Pretty Good(tm) Privacy (PGP), from Phil's Pretty Good Software,
is a high security cryptographic software application for MSDOS,
Unix, VAX/VMS, and other computers. PGP allows people to
exchange files or messages with privacy, authentication, and
convenience. Privacy means that only those intended to receive a
message can read it. Authentication means that messages that
appear to be from a particular person can only have originated
from that person. Convenience means that privacy and
authentication are provided without the hassles of managing keys
associated with conventional cryptographic software. No secure
channels are needed to exchange keys between users, which makes
PGP much easier to use. This is because PGP is based on a
powerful new technology called "public key" cryptography.
*****************************************************************
WHICH VERSION TO USE ?
*****************************************************************
This lesson covers only the freeware versions of PGP, which are
licenced for non-commercial use. IMHO, learning to use PGP is
non-commercial, whereas using it to send business messages is
not. Again, as in the rest of the course, it is assumed that you
are running DOS (with or without Windows) on an IBM compatible
PC. Where applicable, I will try and point out (or direct you to
other references), where there are differences between DOS and
other platforms.
Firstly, the choice must be MS-DOS, Macintosh, etc. That is self-
evident. With PGP, there is another important choice. Because of
patents and US export restrictions, there are two basic types of
PGP, the US version (for use only in the USA) and the
International version (for use elsewhere in the World).
Important Note to residents of the USA.
---------------------------------------
The US Government has made it illegal in most cases to export
good cryptographic technology, and that may include PGP. They
regard this kind of software just like they regard munitions.
PGP and RSAREF (contained in the US version of PGP) may be
subject to the export laws of the USA as implemented by the US
Department of State Office of Defense Trade Controls, in
particular, ITAR (International Traffic in Arms Regulations).
Read very carefully the two files, RSALICEN.TXT and
MITLICEN.TXT which come with your copy of PGP. You must NOT
export, or make available for export from the United States,
ANY version of PGP.
To look at the realistic side of things, all non-commercial
versions of PGP are available worldwide. I didn't export them,
nor do I know anyone who has. The US government spent years
investigating PGP's author, and in the end, convinced themselves
that he didn't either. It simply cost Phil Zimmerman a small
fortune in legal fees. The cat is now out of the bag, and
available to all. In most of the world it is completely legal to
use PGP.
In a few countries, the use and/or possesion of PGP is either
illegal or frowned upon. I believe these to include Russia, the
People's Republic of China, Iraq, Iran, and France. Get the file:
http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
In the same vein, do not send un-solicited encrypted e-mail to
your friend in a country which has banned PGP, or regards its
users with suspicion. You could lose a friend - to a firing
squad!
The current versions are listed below. There are minor "bugs"
in earlier versions. Some of the early versions are no longer
legal to use in the USA, because of disputes about patents. There
are incompatabilities between some early versions and recent
versions.
I urge you to use the correct version. To do otherwise may be
breaking the law.
USA Elsewhere
--- ---------
PGP 2.6.2 PGP 2.6.3i
*****************************************************************
WHERE TO GET IT FROM?
*****************************************************************
U.S. Versions.
The official U.S. PGP distribution site is:
ftp://net-dist.mit.edu/pub/pgp
Get the file README and ** READ ** it. The instructions will then
tell you to telnet to net-dist.mit.edu and log in to the "getpgp"
account, where you will have to answer some questions to ensure
that you are a permanent US resident. Then you will be given an
ftp path to retrieve your copy of the US version of PGP. The ftp
paths change half-hourly (on the hour and half-hour). Tip - Make
sure you telnet to mit.edu at 1 or 31 mins past the hour! PGP
is now available on the web. Just surf to:
http://web.mit.edu/network/pgp.html
where you can carry out the
whole procedure without telnetting and all that nausea!
The procedure is obviously not foolproof, as you can get the U.S.
Versions and a lot more from ftp.pgp.net (see the next paragraph)
anyway. Lots of add-ons and extras are available from the
ftp.pgp.net site.
International Versions.
The official International site in Norway is becoming very busy
due to the popularity of PGP, so a new site "ftp.pgp.net" has
been set up. This is a conglomeration of several European sites
where the information is mirrored identically. Just go to:
ftp://ftp.pgp.net/pub/pgp and get the file README.html which is
an ascii file (Watch the capitalisation). This will give you all
the information you need to find the directory for your
particular operating system. Alternatively surf to:
http://www.pgp.net/pgpnet/
which has links to the various
different versions, and the various DOS or Windows and OS/2
shells. There are also add-ons available at the same site for the
more popular e-mail clients. Most of them can be found from:
ftp://ftp.pgp.net/pub/pgp/utils/README.html
Comparisons between Versions.
Both the International and the U.S. versions are equally secure.
The difference is purely based on U.S. patent legislation.
Non-English speakers.
Standard PGP comes with English (US), German, Spanish and French
language support. PGP can speak other languages as well! Get the
file: ftp.pgp.net/pub/pgp/language/README.html . Documentation
is also available in some other languages. Get the file:
ftp.pgp.net/pub/pgp/doc/README.html for full details.
All Users.
You will also need the PGP-FAQ file which does not come in the
distribution. This FAQ is regularly updated and posted monthly to
all comp.security.pgp newsgroups, The latest version is always
available from the following locations:
http://www.pgp.net/pgpnet/pgp-faq/
Hypertext version, in tree form for easy browsing.
http://www.pgp.net/pgpnet/pgp-faq/faq.html
Hypertext version, one document for offline reading.
http://www.pgp.net/pgpnet/pgp-faq/pgpfaq.txt
Text version, one document.
*****************************************************************
NEXT LESSON
*****************************************************************
In the next lesson, we will discuss how to install PGP, which
requires a little bit (not a lot) of DOS ability, and then how to
install a Windows "shell" or "front end". My favourite Windows
shell for PGP is "PGPn123" ($15 Shareware), which is published in
the file: pn123e17.zip . It would be worthwhile finding and
obtaining this before you start the next lesson.
By the end of the next lesson, you will be up and running with
PGP, easily sending and receiving encrypted and signed messages
to each other.
In the mean-time, read Sections 3.8 to 3.12 of the PGP-FAQ, and
try and make up a good "pass-phrase".
+--------------------------------------------------------------+
| Noel Bell Email: EJNBell@pobox.com |
| Home Page: http://pobox.com/~ejnbell/ |
| Finger EJNBell@pobox.com for PGP public key , or ftp from: |
| ftp://users.aol.com/EJNBell/EJNBell.asc KeyID: 1024/20015B9D |
| Fingerprint: 9E A7 36 69 3A 66 49 CB 74 FA 6C 5F 28 37 9A 76 |
+--------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: latin1
iQCVAgUBMqD22rZiCXUgAVudAQG0HgQAtrrsEKB6lhoNc6v/ZQ7NomuSfSyOsy1/
6HEYslcZ2Qol0v6veX/xW32NL2hN9KHjs64o9l65Lmh81uhhrf2YlBXWY7PFOmlO
5C1VVRRaWNZVJoO1iCk/q9/JLfiDcTFdMUFHPDPa5ixYPMrVS7uafSwUFcYSBWga
WTbAhdrsYzM=
=19fr
-----END PGP SIGNATURE-----
Robert R. Behrens
MJ & RB Computing
5 Lakeshore Drive
Bellingham, Ma. 02019
(508) 883-2652
rbehrens@kersur.net
rbehrens@world.std.com
http://www.kersur.net/~rbehrens
=============================================================================
Reference.COM has begun archiving MJRB-TRAINING as of: Jan. 30, 1997
Searchable archives for the list is available at:
http://www.reference.com/cgi-bin/pn/listarch?list=MJRB-TRAINING@world.std.com
=============================================================================
To unsubscribe from this list, send E-mail to majordomo@world.std.com
with the message UNSUBSCRIBE MJRB-TRAINING
Contact owner-mjrb-list@world.std.com or rbehrens@kersur.net
if you have problems.
=============================================================================
WEB PAGE: http://www.kersur.net/~rbehrens
=============================================================================