PGP (Pretty Good Privacy)

PGP is a Public Key Encryption program written by Phil Zimmerman,
ported to the QL by Johnathan Hudson, and has become the standard
encryption program for private citizens.  PGP has gained
notariety and popularity over the last few years.  Because of
U.S. Export laws that treat encryption schemes as munitions, PGP
has caused quite a stir in the computer and legal worlds.  Phil
Zimmerman had been under a Federal investigation to see if he
broke export laws when PGP was distributed via the Internet.
Some countries are not happy with the ordinary citizen having the
capability of very secure encryption.  Countries like encryption
that they can break.  This was demontrated in the US with the
introduction of the Clipper chip, where a federal agency keep the
"backdoor keys" to everybodys secret keys.


Public Key Encryption Basics

Most people are familiar with what is known as private key
encryption, that is, you use a password to encrypt data and use
it again to decrypt the data.  This all works fine except when
you want someone to decrypt it.  You must somehow send that
person your private key, and still keep it private.

Public key encryption (PKE) is based on having two keys, one
public and one private.  If you encrypt with one key, say your
private, you can only decrypt with the other key, your public.
This allows you to publish one key and keep the other as a close
guarded secret.

If you want to send a private message to a person and make sure
that only that person to read it, you would encrypt the message
in their public key.  The only way to decrypt the message is to
use the recievers private key, which means that only they could
decrypt the message.  This will also work to keep files private
on your computer.  Encrypt with your public key and only you can
decrypt it.

If you want to put a digital signature on a message, you would
encrypt it with your private key.  Anyone decrypting it using
your public key would know that only you could have encrypted it.
There are also digital signatures that keep the text of the
message in the clear, but guarentees the text will go unchanged.


UnZipping PGP

PGP version 2.3 (589K zipped) and 2.6 (688K zipped)  have both
been ported to the QL.  This article is based on 2.6.  To unzip
PGP26_ZIP you will need a ED disk.  I tried to unzip to HD but I
ran out of disk space.  If you don't have an ED disk drive, you
should be able to specify which files you want unzipped with
UNZIP.  The program unzips with two hard subdirectories (ala Gold
Card).  I don't know how it will unzip of your QL does not
support hard subdirectories.

The key files are PGP and PUBRING_PGP.  The rest of the files are
supporting documentation and source code.  Once you create your
own public and private keys, other files will be created.


Using PGP

PGP has been directly ported from the MS-DOS or Unix version, and
they  are very command line driven.  There is not nice front end
to PGP for the QL.  You will need to have TKII to use command
line arguments.  When running PGP you will run it like this:

   exec pgp;"-xx"

where -xx is one of the many command line options.

The advantages of directly porting to the QL are:

1.  Once you learn PGP on the QL, you already know it for MS-DOS
and UNIX.  Of course this also works the other way.  If you have
learned PGP using MS-DOS or UNIX, you know how to use it on the
QL.

2.  All prompts and program information is exactly the same as
the MS-DOS and UNIX versions.  Any books or articles showing PGP
screens will work for the QL.

In fact, there is a book for PGP.  It is "PGP: Pretty Good
Privacy" written by Simson Garfinkel and published by O'Reilly
and Associates.  It is THE book for PGP, it's use and history.
Since my office had a copy of the book, I used it to learn who to
use PGP on the QL.


Creating Your Own Keys

Once you unzip PGP you will first want to create your own public
and private key set.  This is done using the -kg option.

   exec pgp;"-kg"

Once a window pops up with some initial information, you will get
to choose what type of PGP key you want.  You can have a 512-bits
(less secure but fast), 768-bit (medium speed, good security),
and 1024-bits (highest security but slow).  I choose 512 bits,
primarily because I had nothing much to hide and I wanted
something fast.

You then get to type in a user id for your public key.  When you
give your public key, this is how you want your name to go with
it.  The documentation suggests your name plus an e-mail address.
So, I went with "Timothy C. Swenson ."

Next you are prompted to hit keys so that PGP can generate 624
random numbers.  Just hit some keys until you see the number
count down to 0.  If you hit too many, don't worry.   If you see
a question mark pop up it just means that you hit the keys too
fast.

Now the program will generate your public and private keys.  On a
Gold Card this took about 4-5 minutes.  On a regular QL, this may
take a while.  Once the program is done, your two keys are
written to disk.


Managing PGP Keys

Before I go into how to encrypt with PGP I want to talk about how
to manage PGP keys.  When you created your own set of keys, PGP
saved the keys to two files; SECRING_PGP and PUBRING_PGP.  PGP
keeps all keys in rings (key rings, get it).  Each ring is just a
binary file that stores all of the keys.  Typically the file
SECRING_PGP will only contain your secret key (because you really
should not know somebody else's) and PUBRING_PGP will contain
your public key plus any public keys you wish to add.

PGP uses a number of command line options (all beginning with -k)
that let you manage keys.  To get a summary of these options
execute PGP with just a -k option and it will list all of them.
A few of the important ones are:

-kv  View public keys in PUBRING_PGP
-kg  Generate your own keys (we just did that).
-ka  Add a key to either ring.
-kr  Remove a key from either ring.
-ke  Edit your User ID or Pass Phrase (password).
-kx  Extract a copy of your public key from the public key ring.

To show how some of this works, lets extract your public key from
your public key ring so that you can give it to somebody.  You do
this by using the -kx option:

   exec pgp;"-kx swenson tswenson"

This will extract the public key with the ID of "swenson" and put
it in the file "tswenson_pgp".  Now I can give this file to
anybody.  Remember that this file is still a binary file.  If you
want to extract an ASCII version use the -kxa option.  This makes
it easy to send via e-mail.

Now lets say were are somebody else and we want to add "my"
public key to our key ring.  We can do this using the -ka option.
We can add either binary or ASCII public keys with this option.

   exec pgp;"-ka tswenson_pgp"

This adds the public key in the file "tswenson_pgp" to the
current public key ring (PUBRING_PGP).  If we have a specific
name for our public key ring (say one for each department of a
company) we would add the name of that file right after the name
of the incoming file.


Encrypting with PGP

Now comes the core of the program, encrypting files.  You can
encrypt files for keeping or for sending secure messages.  The
difference is who the recipient is, since you will be encrypting
the file/message with the recipient's public key.  If you are
encrypting for yourself, you are the recipient.  If you are
sending the file via e-mail or disk, then the other person is the
recipient.  Either way the command line is the same:

   exec pgp;"-e file.txt recpient"

where file.txt is the file you want to encrypt and recpient is
who is going to get the file.If it was encrypting a message for
myself the command line would be:

   exec pgp;"-e file.txt swenson"

Since the resulting file will can be a binary file, using the
-eat option will make sure that the end encrypted file is in pure
ASCII so that it can be sent via e-mail.


Decrypting with PGP

Now that you've encrypted a file, lets figure out how to decrypt
it.  PGP does not require any command line options for decrypting
files.  And since it is assumed that you will be decrypting files
encrypted with our public key, PGP knows to decrypt with your
secret key.

   exec pgp;"file.txt"

This tells PGP to decrypt the file file.txt.  PGP looks up your
secret key in your secret key ring.  PGP can trust that file, but
it does not trust who executed it.  You will need to enter your
pass phrase (password) to let PGP know that you are who you say
you are.  This keeps other people from trying to decrypt your
files on your computer.


Digtal Signatures

Digitally signing your files is nothing more than encrypting a
file file your secret key.  Then when a person decrypts the file
sucessfully with your public key, they know that you encrypted
it.  In PGP, this is altered slightly.  When you sign a file, a
small PGP signature section is added to a file and it acts as
your signature.  The rest of the file in left un-encrypted.  When
signing a file, you do have the option of  encrypting it.

To sign a text message, you exec PGP like this,

   exec pgp;"-sta file.txt"

You will need to supply your pass phrase to sign the file.  The
resulting file will be called file.asc.  The -S option is for
signing, the T tells PGP that the input is a text file, and the A
tells PGP to make the output file ASCII.

To verify a digital signature, exec PGP like this,

   exec pgp;"file.asc"

PGP will work through the file and see the digital signature
section and verify the digital signature.  If any change is made
to the file after it was signed, the verify will come back as
invalid.  A form of checksum is done on the file to make sure
that any changes to the file will be noticed.


Conclusion

PGP give the QL user military-level encyption.  Anything you
encrypt is going to be safe.  I have not yet found a need for
encypting any of my data, but if I ever do, it is nice to know
that PGP is there.  But I can see a use for my using digital
signatures.  Since computer text is so easy to fake.  Posting a
document to the Internet means that anybody can alter it and pass
it along as yours.  Adding a few key "not"'s can really alter the
meaning of a statement.  Having a digital signature on the
document will foil any attempt to forge or spoof something I've
written.  This may not be important now, but if I am going to
post something as my "official" word on something, having the
digital signature give a greater level of confidence in not
having the message altered.
This article has only scratched the surface of what PGP can do.
Read the PGP documentation or pick up a copy of the PGP book to
learn more about the full capabilities of PGP.

    Source: geocities.com/svenqhj