| Program / file | Purpose |
| --- | --- |
| pgpe | Encrypt a file |
| pgpv | Decrypt and verify |
| pgps | Sign messages |
| pgpk | Create your personal keys; manage public and personal keys |
| pgp.cfg | Configuration file in the default directory ${HOME}/.pgp |
deneb:ballisti:[ballisti]:638 % pgpk -g
Cannot open configuration file /home/sirius67/ballisti/.pgp/pgp.cfg
Choose the type of your public key:
1) DSS/Diffie-Hellman - New algorithm for 5.0 (default)
2) RSA
Choose 1 or 2: 2
Pick your public/private keypair key size:
1) 768 bits- Commercial grade, probably not currently breakable
2) 1024 bits- High commercial grade, secure for many years
3) 2048 bits- "Military" grade, secure for the forseeable future
Choose 1, 2 or 3, or enter desired number of bits
(768 - 2048): 2
You need a user ID for your public key. The desired form for this
user ID is your FULL name, followed by your E-mail address enclosed in
<angle brackets>, if you have an E-mail address. For example:
Joe Smith <user@domain.com>
If you violate this standard, you will lose much of the benefits of
PGP 5.0's keyserver and email integration.
Enter a user ID for your public key:
Ray E. Ballisti <ballisti@ifh.ee.ethz.ch>
Enter the validity period of your key in days from 0 - 999
0 is forever (and the default): 0
You need a pass phrase to protect your private key(s).
Your pass phrase can be any sentence or phrase and may have many
words, spaces, punctuation, or any other printable characters.
Enter pass phrase:
Enter again, for confirmation:
Enter pass phrase:
...******** .............................................*******
Keypair created successfully.
If you wish to send this new key to a server, enter the URL of the server,
below. If not, enter nothing.
deneb:ballisti:[ballisti]:639 %
Create your own configuration file (see man pgp.cfg) or just create an empty
file to avoid the error messages seen in the above example:
touch ~/.pgp/pgp.cfg
Suppose that the mail message containing the key is stored in the file "chiave_di_david":
sirius:ballisti:[ballisti]:490 % pgpk -a chiave_di_david
Cannot open configuration file /home/sirius67/ballisti/.pgp/pgp.cfg
Adding keys:
Key ring: 'chiave_di_david'
Type Bits KeyID      Created    Expires    Algorithm       Use
pub  1024 0x8BA09AE7 1999-05-13 ---------- DSS             Sign & Encrypt
sub  1024 0x5601C347 1999-05-13 ---------- Diffie-Hellman
uid  David Schweikert
1 matching key found
Add these keys to your keyring? [Y/n] y
Keys added successfully.
sirius:ballisti:[ballisti]:491 %
pgpk -l
In the example from before, this gives:
deneb:ballisti:[ballisti]:660 % pgpk -l
Type Bits KeyID      Created    Expires    Algorithm       Use
pub  1024 0x8BA09AE7 1999-05-13 ---------- DSS             Sign & Encrypt
sub  1024 0x5601C347 1999-05-13 ---------- Diffie-Hellman
uid  David Schweikert
sec+ 1024 0x0B2DE9DB 2000-03-03 ---------- RSA             Sign & Encrypt
uid  Ray E. Ballisti
2 matching keys found
Now you can encrypt your text using the command
pgpe -r "mail_addr_of_recipient" file_name
which will create a file file_name.pgp that you can then send by mail.
Example:
deneb:ballisti:[ballisti]:661 % pgpe -r schweikert@acm.org provisorisch
1024 bits, Key ID 8BA09AE7, Created 1999-05-13
"David Schweikert"
WARNING: The above key is not trusted to belong to:
David Schweikert
Do you want to use the key with this name? [y/N] y
Creating output file provisorisch.pgp
You can then, for instance, send this file as an attachment.
More information can be found, for instance, in: ftp://ftp.pgpi.com/pub/pgp/2.x/doc/pgpdoc1.txt
Diffie-Hellman/DSS is the new encryption algorithm used in this version of the PGP package. It is not compatible with the old RSA
A public key cryptosystem allows people to exchange files or messages with privacy, authentication, and convenience.
Privacy means that only those intended to receive a message can read it.
Authentication means that messages that appear to be from a particular person can only have originated from that person.
Convenience means that privacy and authentication are provided without the hassles of managing keys associated with conventional cryptographic software.
Important: no secure channels are needed to exchange keys between users!
In conventional cryptosystems, such as the US Federal Data Encryption Standard (DES), a single key is used for both encryption and decryption. This means that a key must be initially transmitted via secure channels so that both parties can know it before encrypted messages can be sent over insecure channels.
In public key cryptosystems, everyone has two related complementary keys, a publicly revealed key and a secret key (also frequently called a private key). Each key unlocks the code that the other key makes. Knowing the public key does not help you deduce the corresponding secret key. The public key can be published and widely disseminated across a communications network. This protocol provides privacy without the need for the same kind of secure channels that a conventional cryptosystem requires.
Anyone can use a recipient's public key to encrypt a message to that person, and that recipient uses her own corresponding secret key to decrypt that message. No one but the recipient can decrypt it, because no one else has access to that secret key. Not even the person who encrypted the message can decrypt it!
Message authentication is also provided. The sender's own secret key can be used to encrypt a message, thereby "signing" it. This creates a digital signature of a message, which the recipient (or anyone else) can check by using the sender's public key to decrypt it. This proves that the sender was the true originator of the message, and that the message has not been subsequently altered by anyone else, because the sender alone possesses the secret key that made that signature. Forgery of a signed message is infeasible, and the sender cannot later disavow his signature!!
These two processes can be combined to provide both privacy and authentication by first signing a message with your own secret key, then encrypting the signed message with the recipient's public key. The recipient reverses these steps by first decrypting the message with her own secret key, then checking the enclosed signature with your public key. These steps are done automatically by the recipient's software.
The "secure shell" works on the same principles:
Because the public key encryption algorithm is much slower than conventional single-key encryption, encryption is better accomplished by using a high-quality fast conventional single-key encryption algorithm to encipher the message. This original unenciphered message is called "plaintext". In a process invisible to the user, a temporary random key, created just for this one "session", is used to conventionally encipher the plaintext file. Then the recipient's public key is used to encipher this temporary random conventional key. This public-key-enciphered conventional "session" key is sent along with the enciphered text (called "ciphertext") to the recipient. The recipient uses her own secret key to recover this temporary session key, and then uses that key to run the fast conventional single-key algorithm to decipher the large ciphertext message.
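The two passages above (sign, then encrypt for the recipient; and enciphering the bulk data under a one-time session key that is itself enciphered with the recipient's public key) fit in one short sketch. This is an added example, not code from PGP or from this page: it uses unpadded textbook RSA and a SHA-256 keystream as stand-ins for PGP's real algorithms, and the key pairs and function names are constructed for illustration.

```python
import hashlib
import secrets

# Toy stand-ins (assumption): textbook RSA without padding and a hash-based
# keystream replace PGP's real public-key and conventional ciphers.
E = 65537

def make_key(p, q):
    """Return (n, d): modulus and secret exponent for public exponent E."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo key pairs, built from well-known Mersenne primes.
SENDER_N, SENDER_D = make_key(2**1279 - 1, 2**2203 - 1)
RECIP_N, RECIP_D = make_key(2**521 - 1, 2**607 - 1)
SIG_LEN = (SENDER_N.bit_length() + 7) // 8

def keystream_xor(key, data):
    """Fast single-key cipher stand-in: XOR with SHA-256(key || offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign_then_encrypt(plaintext):
    # Sign: apply the sender's secret key to the message digest.
    sig = pow(digest_int(plaintext), SENDER_D, SENDER_N)
    signed = sig.to_bytes(SIG_LEN, "big") + plaintext
    # Encipher the signed message under a random one-time session key.
    session_key = secrets.token_bytes(16)
    # Only the small session key goes through the slow public-key step.
    wrapped_key = pow(int.from_bytes(session_key, "big"), E, RECIP_N)
    return wrapped_key, keystream_xor(session_key, signed)

def decrypt_then_verify(wrapped_key, ciphertext):
    # Recover the session key with the recipient's secret key.
    session_key = pow(wrapped_key, RECIP_D, RECIP_N).to_bytes(16, "big")
    signed = keystream_xor(session_key, ciphertext)
    sig, plaintext = int.from_bytes(signed[:SIG_LEN], "big"), signed[SIG_LEN:]
    # Check the signature with the sender's public key.
    valid = pow(sig, E, SENDER_N) == digest_int(plaintext)
    return plaintext, valid
```

Flipping a single bit of the ciphertext changes the recovered message, so the digest no longer matches and the signature check fails.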