moderators notes -- authored by swartz@archive.umich.edu and brecher@archive.umich.edu [The following description of PGP was submitted anonymously. While PGP is a very important crytography tool, this description fails to mention that there is considerable controversy over the legality of using MacPGP in the US. While this description of PGP is archived here, the MacPGP program will not be available in these archives.] [... MacPGP may be in violation of United States patents. If you are in the United States and do not know whether you have the right to use this software, do not assume that you do. Neither the Macintosh archives at the University of Michigan (mac.archive.umich.edu) nor its administrators can assume any responsibility or liability for legal expenses, fines, jail time, or any other loss that you may suffer from illegal use of MacPGP. The inclusion of this document at mac.archive.umich.edu in no way indicates an endorsement of its contents by the administrators of that archive.] Date: Sun, 20 Feb 1994 17:46:34 -0800 From: qwerty@netcom.com (Xenon) To: macgifts@sumex-aim.stanford.edu Subject: "Here's How to MacPGP!" guide Here's the latest version (2.7) of my "Here's How to MacPGP!" guide, to replace /info-mac/info/macpgp-guide-18.txt. Hey Mac user, having too much fun? Don't want your plans made public? You're sending e-mail on "postcards" if you don't have the free public key encryption program PGP. You heard about it in the news; here's your easy guide to getting and using it. It will get non-Mac users started too. -=Xenon=- Send mail to qwerty@netcom.com with Subject "Bomb me!", for my "Here's How to MacPGP!" guide (this document) and Gary Edstrom's PGP FAQ. If you received this unexpectedly, it means I found your post on Usenet or elsewhere asking about PGP, or I have made a mistake. People can now get these by anonymous ftp to netcom.com in /pub/gbe and /pub/qwerty as well. -=Xenon=- Note: Don't try to get MacPGP from the ftp site soda.berkeley.edu, since it is mislabelled as being a Mac BinHex file, but it happens to also be Unix gzipped, without being labelled as such (no .gz at the end). They are being slow about fixing this. Also: ViaCrypt should be coming out with a licenced MacPGP version. I suggest you buy it when it is available. It would be nice to get over this patents stigma. Archie search for macpgp2.3 ftp sites, done 2-20-94: Host athene.uni-paderborn.de Location: /unix/network/security FILE -rw-r--r-- 422851 macpgp2.3.cpt.hqx Host cs.huji.ac.il Location: /pub/security/pgp/2.3A FILE -r--r--r-- 422851 macpgp2.3.cpt.hqx Host ghost.dsi.unimi.it Location: /pub/security/crypt FILE -rw-r--r-- 422851 macpgp2.3.cpt.hqx Host isy.liu.se Location: /pub/misc/pgp/2.3A FILE -rw-r--r-- 422851 macpgp2.3.cpt.hqx Host ftp.luth.se Location: /pub/mac/appl/encryption FILE -rw-r--r-- 422900 macpgp2.3.cpt.hqx Host ftp.cc.adfa.oz.au (131.236.1.2) Location: /pub/security/pgp23 FILE -rw-r--r-- 422885 macpgp2.3.cpt.hqx -----BEGIN PGP SIGNED MESSAGE----- Hey Mac user you're sending e-mail on "postcards" if you don't have PGP. You heard about it in the news; here's.... How to MacPGP: Version 2.7 (Feb. 19, '94) PGP will encrypt files so not even crazy people with supercomputers can decrypt them. You write e-mail on a word processor, encrypt it using a someone's public key, and send it off. They use their private key to decrypt it. Public keys are just that; give yours out freely. Once a person encrypts a message with your public key, not even they can read it again. Only you, using your private key. Phil Zimmerman's PGP is the grassroots alternative to the Clipper Chip, which gives the government your secret key. I will send the PGP FAQ and this guide to anyone who sends mail to qwerty@netcom.com with Subject "Bomb me!". [Non-Mac users: READ THIS, and the "PGP FAQ" by Gary B. Edstrom (available on alt.security.pgp or ftp to netcom.com in /pub/gbe in parts as pgpfq*.asc)! A beginner's guide like this one by Out and About called "DOS PGP Guide" exists (ftp to ftp.eff.org in /pub/EFF/Policy/Crypto as pgpstart.tutorial). Answers to questions (not in the FAQ) are available on the Usenet group alt.security.pgp. If you don't have Usenet, mail questions to alt.security.pgp@news.cs.indiana.edu (or @anon.penet.fi) and ask for e-mailed replies. There are versions for DOS (and friendly add-on interfaces), Windows, Unix, VAX/VMS, Atari ST, Amiga, OS/2, Archimedes and others. Get "The Big Dummy's Guide to the Internet" as shown below.] Get a Unix e-mail account (student or commercial) with internet access, and a modem. GET A COPY OF THE FREE MAC PROGRAM STUFFIT EXPANDER (you NEED it, not just BinHex!). Log into your e-mail account. If you are stuck in a menu-driven place, figure out how to "escape to Unix" which will give you a $ or % prompt. Welcome to the internet. Let's find PGP. Type 'telnet archie.internic.net', login as 'archie', and type 'prog macpgp2.3'. A list of sites around the world having PGP will appear. Type 'bye'. One of the sites it gave me was: Host isy.liu.se (130.236.1.3) Last updated 08:14 3 Nov 1993 Location: /pub/misc/pgp/2.3A FILE -rw-r--r-- 422851 bytes 10:58 19 Sep 1993 macpgp2.3.cpt.hqx This archie server is fast, rarely overloaded, but limited. Another is archie.sura.net. Trying this site may fail but gives a list of other sites (and a hint to try 'qarchie' at this site). Do archies at night (same for ftp). You want a macpgp2.3 that ends in .hqx (or try leaving out the .gz when you do 'get' below, OR use 'binary' instead of 'ascii' below, then 'gunzip macpgp2.3.cpt.hqx.gz' in your account). Hqx (BinHex) is a way to code Mac stuff as text. The .cpt is a Mac compression method, as are .sit or .sea. The lists from other servers will be longer. I will use the above macpgp2.3.cpt.hqx at site isy.liu.se as an EXAMPLE. Type 'ftp isy.liu.se', login as 'anonymous' and use an e-mail address as the password. For fun type 'ls -l'. You are in their hard disk's main directory and this is what's on it. Lines starting with 'd' are directories that you can move into using 'cd' ('cd ..' to backup). (During ftp use 'get filename "|more"' if you want to read a text file called "filename"; 'q' to stop). Based on the archie search, type 'cd /pub/misc/pgp/2.3A', and again 'ls -l'. There it is! Type 'ascii', 'get macpgp2.3.cpt.hqx', and wait; it is being transferred to your account. When you get the ftp> prompt type 'bye'. Back to e-mail and the hard part. Type 'ls -l' to see it. Find out how to DOWNLOAD a text file from your account to your desktop. [Try 'kermit', 'set file type text', 'send macpgp2.3.cpt.hqx', and initiate a receive in your software (set to do kermit transfers). Or 'sz macpgp2.3.cpt.hqx' (with software set to zmodem)]. Drag this file onto the icon of Stuffit Expander. MacPGP2.3 will appear. In your account 'rm macpgp2.3.cpt.hqx' will remove it. You naughty thing. PGP on another Mac. Print the documentation. It is indeed cryptic. Better is the help feature of MacPGP2.3 itself, which is also printable. Start PGP. Make yourself a public/private key pair with 'Generate key', select '1024' ("slow" is only key generation), leave the '17' alone, and enter a name. Your secret key is really a long file that you will never have to manually type in, but you have to remember a "pass phrase" to use it (and keep others from using it if they steal your secret key). Check 'Show pass phrase' and enter a very memorable, very obscure sentence. Don't use all normal words! Make up tricks like "Pile?driver" or "Here1we2go3you2stupid1bozo." Type away as requested to make some random numbers. Wait. You can see your public key with 'View keyring' on pubring.pgp. DON'T FORGET YOUR PASS PHRASE! Writing it down is better than a slight chance of forgetting it. Sign your own key to prevent others from changing its ID: 'Certify key', select pubring.pgp, select your own key, and again your own key. This is also how you sign other people's public keys [then extract it as shown below to send to them, so they can add ('Add keys') your signature to their public key]. Once you have a circle of friends who have signed each other's keys, you have a trusted network. If someone mails you a key signed by someone in this network, you can better trust it. There is no way for someone to forge your friend's signature on that key unless they stole your friend's secret key AND knows its pass phrase. [You need the public key of a friend to verify ('Check signatures') a signature they have placed on a key.] Write some e-mail on a word processor and save it ('Save As') to the desktop as TEXT ONLY (ascii) and close its window. Do 'Encrypt/Sign' on the file. Double click on the public key you want to encrypt it with (for now your own) and hit 'OK'. Check 'Treat source as text', 'Produce output in ASCII format', and hit 'OK'. A file ending in .asc will be made. Don't let the icon fool you; this is a simple text file that you can open with a word processor. Do this. You will see, -----BEGIN PGP MESSAGE----- Version: 2.3 Lines of random looking text characters here. -----END PGP MESSAGE----- This text (lines included) can be sent by e-mail to anyone on any computer running PGP. But since it is encrypted with your public key, let's pretend a friend made it and sent it to you. Toss the original. In PGP, do 'Open/decrypt', and choose the .asc file. Enter your pass phrase so PGP can use your secret key. A text file, the decrypted message, will appear. [The System 7 Control Panel "defaultappliction" by L. D'Oliveiro will allow a double-click to open text files to the word processor of your choice (ftp to ftp.luth.se in /pub/mac/system/controlpanels). If you use Microsoft Word, removing the "Text with Layout" filter from the "Word Commands" file will kill that annoying choices window too.] When you receive a PGP message, it will have e-mail headers, but PGP will ignore (and edit out!) anything outside the PGP header and footers. Shortcut: write text in a word processor, copy it to the Clipboard and have PGP encrypt it THERE ('Clipboard' button in 'Encrypt/sign' dialog box), then paste it into e-mail. This also works for decryption, allowing you to paste the decrypted text anywhere. The Finder also has 'Show Clipboard', or you can check 'Decrypt to screen only' but I do NOT recommend this feature (fails if lines >80 characters, and crashes during saves). There is a nasty bug in MacPGP2.3 which causes a crash if you use the Clipboard to check a signed message and you don't have the public key to check it with. If you get mail from someone who's key you don't have, don't use the Clipboard feature! [You can just paste small text blocks into e-mail. Your software should also have a "send" feature to autotype LARGE text files to the screen. This is what I use, but it can be tricky AND there may be no error control (characters may get lost, ruining the message). If lines get cut wrong, turn off word-wrapping in your account or software. More reliable is to upload a file ('rz'; or 'kermit', 'set file type text', 'receive') and include it in e-mail (in Unix 'mail', '~r filename' as a line in e-mail, or use 'mail -s "Hi there!" name@site < filename'). You can view text files with 'more filename', 'q' to stop. Flow control should be 'hardware' (in software or modem setup string). If you RECEIVE long e-mail, use the "capture" feature of your software when you view it, OR save it to a file and download it. Making windows tiny lets text scroll faster. Ask questions on comp.dcom.modems.] Checking 'Encrypt and sign' also SIGNS a message you are encrypting. Signatures are a trick, in that they are ENCRYPTED with your secret key, meaning a message must be from you (unaltered) since only your public key can decode them. If you want to SIGN NON-encrypted text, use the menu item 'Sign Only' and check 'Append clear signature'. A text file will appear containing your readable e-mail between the header and footers of the signature. Anyone can check that this message is from you and is unaltered (copy to Clipboard, then 'Open/Decrypt'), if they have your public key. [Problem with signing NON-encrypted messages: If you don't cut lines to about 75 characters BEFORE signing, the carriage returns added on uploading (by Unix or your software) will spoil the signature! For this I use Drop*TextBreak by Robert Gibson (ftp to sumex-aim.stanford.edu in /info- mac/text as drop-text-break.hqx). Another problem: certain characters may be altered upon uploading text. Don't use smart quotes (curly symbols for ' and ") or control characters. E-mailing a message to yourself will reveal problems (use a text comparison utility). This ONLY concerns "clearsigning" of NON-encrypted messages.] To send your public key to a friend do 'Extract key' with 'aciify' checked, and name it "My public key". A text file of your public key will appear: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3 About 8 lines of random looking characters here. -----END PGP PUBLIC KEY BLOCK----- When you get a friend's public key, get it to your desktop (paste into blank document and save as TEXT ONLY). Do 'Add keys', select the file, and select pubring.pgp to add it to your public key ring. Try this with my key. ('Fingerprint key' will give you a short string of characters unique to that key, for verbal confirmation of key origins.) Now you can encrypt text files with their public key to send to them. You can also send non-text files (ANY Mac file) by using 'Treat source as a Mac file' and 'Produce output in ASCII format'. You will again get PGP text block to send. To decrypt this, it is the same as before. Presently MacPGP wont let you select a Macintosh folder full of stuff, so use a compression program (Stuffit Lite or Compact Pro, shareware) to put items into one archive file (PGP itself compresses files so make NON-compressed archives). [To encrypt a file on your hard disk only, you can use the menu item 'Conventional Encryption' (and even create "self-decrypting" Mac files) with 'Treat source as Mac file' checked. However the pass phrase in this case is ITSELF the key used to encrypt the file, so you must be VERY careful in typing it and remembering it (and why not use the drag-and-drop utility Curve Encrypt by Will Kinney instead, even though it doesn't compress files like PGP does, it can do multiple files at once; from ripem.msu.edu in pub/crypt/other/curve-encrypt-idea-for-mac as curve_encrypt.sea.hqx). I prefer to just encrypt such files with my public key, again checking only 'Treat source as Mac file". The result of these is not a text file!] When you have PGP up and running, with a few signatures on your key, send your public key to a keyserver. You can find most anyone's key on these servers. See the "PGP FAQ" and the blurb in the PGP documentation for details. (There are people who will plop your public key onto the keyservers, even if you send it in e-mail and especially if posted to Usenet. Be happy with your key first. You can still add new signatures to your key on the servers by adding your the signed key to any server.) There is also a finger server for public keys. Do 'finger keyword@wasabi.io.com' to check for someone's public key, and to find out what its Key ID is, where "keyword" is part of his name or e-mail address. Then do 'finger 0x123456@wasabi.io.com', if 123456 is the Key ID. [Bug: if you are sent a PGP message by e-mail (ascii text-format), and you don't end the name of this text file on your Mac with .asc, PGP will ask you if you want to replace it. If you say yes and give it another name, it may fail to immediately update the finder views. You wont be able to see the output file (ignore the temporary files ending in .$01 and such), but you CAN see it in the 'Open' dialog of a word processor. Three solutions: add .asc (or just a period!), enter a new name while you are STILL in the decryption options dialog box (not possible if you use the drag-and-drop feature of System 7), or LET IT OVERWRITE THE ORIGINAL TEXT FILE (you loose any text outside the PGP message). This is not a problem with binary PGP messages, which normally end in .pgp but don't have to.] Realize that a PGP message tells anyone the name of the public key it was encrypted with. On creating a new key pair with an anonymous nickname and using an anonymous remailer (send blank mail to help@anon.penet.fi or read about remailers in the PGP FAQ), this information is removed. A commercial Unix account is good too, as e-mail errors wont route to your LOCAL system administrators. Netcom (408-554-UNIX) even lets you keep your real name private (but call by phone or the sites you have telnetted in from are told). Note though, that sending a floppy with no return address is much more secure than using anonymous remailers on the Word Wide Wiretap, er... internet. Another trick is to HIDE your use of encryption. Stego by Romana Machado (ftp to sumex-aim.stanford.edu in /info-mac/cmp) will hide text as the least significant bit in a Mac PICT file, but this increases the size of a message by 8-24 times. I prefer to type a message in a word processor, cut it out, encrypt it within the Clipboard, paste it back, save it as a real word processor file, then BinHex that (using the Drag and Drop utility hqxer-11.hqx by John Stiles: ftp to sumex-aim.stanford.edu in /info- mac/cmp), and finally have my software autotype the file into e-mail. This is fast, and it's business as usual sending BinHex encoded Mac files. This way PGP is simply a Clipboard utility that adds encryption to a word processor. On receiving such a file, download it, drag it onto Stuffit Expander, and again use PGP as a Clipboard utility to decrypt it. [You may need to put 'set escape=~' into a file called .mailrc, if your Unix system doesn't use the normal tilde (~) escape character for e-mail, to avoid stripping any lines out of BinHex files!] You can set many defaults by editing the text file config.txt. 'TextMode = on' checks 'Treat source as text'. 'Recycle_Passwords = on' means you only have to type a pass phrase once per PGP session (but get it right the first time!). 'Armor = on' checks 'Produce output in ascii format'. 'ClearSig = on' checks 'append clear signature'. 'Verbose = 0' sets Quiet Mode, which I prefer. You can always uncheck them; they are only defaults. I do NOT recommend setting 'showpass = on' which checks 'show pass phrase', since it leaves it on the screen! Just check 'Show pass phrase' manually to avoid this. Even so, your pass phrase is really only safe after you have quit MacPGP, so don't leave it running if you put a PowerBook to sleep. Read the manual and the Usenet groups alt.security.pgp, alt.privacy and talk.politics.crypto. If MacPGP ever freezes hold down the option, command, and escape keys to force it to quit. Get a program to erase data from your hard disk after you "empty" the Trash and a replacement for the Trash itself (FlameFile by Josh Goldfoot does both; ftp to mac.archive.umich.edu in /mac/util/security as flamefile1.38.cpt.hqx). Get "The Big Dummy's Guide to the Internet" by Adam Gaffin and Joerg Heitkoetter (ftp to ftp.eff.org in /pub/Net_info/Big_Dummy, as the text file bigdummy.txt). Get "Anonymity FAQ" (ftp to rtfm.mit.edu, in /pub/usenet/news.answers/net-anonymity, in four parts) and "Privacy and Anonymity FAQ" (in /pub/usenet/news.answers/net-privacy, in three parts) by L. Detweiler. If you find PGP hard to use, live with it; new versions will arrive. I know nothing about non-Mac PGP. Go figure; don't ask me. I don't care about you. I just want more people to use PGP so I can hide my wonderfully important messages in the noise of your boring ones ;-). [If you get tired of the tiny scrollable list of keys when you select a public key for encryption, open a COPY of MacPGP2.3 with ResEdit (ftp to ftp.apple.com in /dts/mac/tools/resedit as resedit-2-1-1.hqx) and open DLOG, #129, set 'MiniScreen' in the menu bar to the size of your screen, and resize the little window to make it taller. Double click on it, then move the buttons to the bottom, after dragging a rectangle around them to select them. Make the selection box taller now too. Quit. Now you will get a full-sized scrollable box which shows many more keys at once. Do NOT distribute this modified form of MacPGP.] Note that PGP is very controversial, both legally (patent rights and export laws) and politically (as a tool it empowers individuals to ensure their own right to privacy). Despite this it is becoming the standard encryptor. It may change the world. Comments on when and where I should post this and suggestions as to content are invited. I see too many "How do I get PGP?" inquiries needing real answers, and too many copies of PGP added to unused novelty collections. POST THIS EVERYWHERE. Please do not alter it. (Copyright Xenon, 1994). -=Xenon=- My key (remove the '-' and 'space' from the lines, added on signing this document): - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3 mQCPAizgA+EAAAEEAMzQAf9ff0q9tVD5oBxtVlPYAito4RBM+hJvX4irXzYgJWsA Fhc4b/RfLcbGQVHwm0Q74cp/KhijXqGeLE2Tk62x04u1mjfBevoOHUltOOWxrIbU y6ros1cThAzVL03lkh6OHR3DbfUJWld9WtmamGWFGHYvt1WSagSzG6zrQn1RABEB AAG0BVhlbm9uiQCVAgUQLPj9XgSzG6zrQn1RAQEvhwP8Cpm7gxR1mkgnGA8TPHXo vyjiUKpoXJlbMizz/yKzIHfPXDqKq9bcEz15mS5t7Jl9ZFBKs+n39D79lbB5ZLcn 2qKuT5f+A9+++3bCcFlqRQqoHMzRfhIPCDYY5XNDLpR+vsUadxrC8N200qpvLvpL Wb7LQ+hXkrskvFwpJErIS1Y= =bZeo - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLWe8UASzG6zrQn1RAQEq7wP9E0T733caOhgi6lBoVu1ThRdywl6dMopD U+OBnM5EXgHtkmUKMIdUmL/AY9Jv7y/QwsfjziTXr0po5XaGH0vOI4tDm4+o3c6u 5gyE412XeGs5JqZxdIQcopp5XwboQGhDLjZqua3sFq0tl0OJRVea1K8jJGof1ISf are5gyKQ3vo= =GSbx -----END PGP SIGNATURE-----