The purpose of this document is to guide the user who is new to PGP through the installation process and provide an example of how to use PGP. I will assume that the reader knows how to use WinZip or WinRar to open an archive and extract files. I'm not in any way trying to replace the PGP documentation, this is simply an installation walkthrough and intro to the basic use of PGP. I strongly recommend that all users read the PGP documentation for a more thorough understanding of encryption in general and this software in particular.
The first question that a lot of people have is "What is PGP?". Good question. PGP stands for "Pretty Good Privacy" and is a security program created by Phillip Zimmerman. PGP uses the concept of public and private key pair encryption. This means that any pgp key has two parts. One is a 'public' key that may be freely distributed to anyone. The other is the 'private' key that only the owner has. If you want to send a message that only Joe can read, you would encrypt it using Joe's public key. When his public key is used to encrypt a message, Joe's private key is the only way to decrypt it. Since that private key is kept in a secure place on his hard drive behind a firewall and is further protected by a passphrase that only he knows, this can make for very high security. Combine this with decent key sizes and sophisticated encryption algorithms and you have a publicly available to anyone software package that is capable of what is called "Strong" encryption, similar to what military and intelligence communities use.
It is also useful for sending private information to more than one person. If when the message or file is encrypted, the public keys of ALL recipients are used to encrypt it, then each of them can use their own private key to decrypt it. This way there is never any need to share a password to something or have more than one person use the same set of keys. All that is needed is for the sender to have the public keys for everyone who is supposed to receive the message or file.
For those who intend to use JBN2 Anonymous email software there are two versions of PGP that can be used. Version 2.6.2 is an older MS-DOS command line program. It has the advantage of being smaller and a lot quicker to install. Because it is older, it is limited to RSA type key pairs and cannot process files encrypted and / or signed with the newer DH/DSS key pairs. Also, being a command line program, it does not have a Graphic User Interface like most software does today. If a person is only going to use it for JBN2, then version 2.6.2 is totally acceptable, since JBN2 has features built in that allow it to use pgp262 as a utility sub-program.
Version 6.5.8 is a fully modern Windows 9.x package that features both RSA and DH/DSS key pairs and full integration into the Windows environment, making it instantly accessible. It can be used to sign and / or encrypt text or binary files, and also has a feature built in to allow interacting with public key servers. It too can be used by JBN2 in an almost completely transparent manner. Here I will concentrate on version 6.5.8 because of it's ease of use in applications other than JBN2.
The first step of course is to download PGP. Do this by opening your web browser and pasting this address into the location bar: http://www.pgpi.org/cgi/download.cgi?filename=PGPFW658Win32.zip
Follow your browser's procedures to save the file PGPFW658Win32.zip on your computer. This file is about seven and one half megabytes long, so unless you are connected by DSL, be prepared for it to take a while.
While you are waiting for the download, click the 'Start' button on the Windows task bar, then click 'Programs', from there click 'MS-DOS Prompt'. When the DOS box appears, type the following commands:
C:\WINDOWS>cd \
C:\>md pgptemp
C:\>exit
This will create a temporary directory on your hard drive that you will use when the download is finished. When the download finishes, you will need to use Winzip or some other zip utility to open the file. Extract the files in the archive into the directory you just created: C:.
Close the zip program and double click on 'my computer', then double click on the icon for your [C] drive. From there double click on the folder 'pgptemp'. It should have four files in it:
Whatsnew.htm
setup.exe
Whatsnew.txt
Setup.exe.sig
Double click on setup.exe to start the PGP installation program.
- The welcome message will appear. Click <Next>
- Next the license screen will appear. Click <Yes>
- The 'What's New' screen is now showing. Click <Next>
- The 'User Information' screen appears. Fill in the Name and Company fields and click <Next>
(*Note* You can put something like 'None' in the company field if you prefer.)
- The next screen is where you have the chance to change the default destination folder. I personally recommend that you don't make any changes because there is no real reason to. Click <Next>
- This is the 'Select Components' Screen. Here you can choose which parts of the PGP package you wish to install. It will show a list like this one:
PGPNet Virtual Private Networking
PGP Qualcomm Eudora plugin
PGP Microsoft Exchange plugin
PGP Microsoft Outlook Express plugin
PGP Command Line
PGP Users Guide.
At this point the computer will shutdown and restart so that system changes that were made by the installation can take effect.
(Note: As of this writing DH/DSS keys are beginning to come into use on some remailers, but for the time being RSA keys are better for compatibility with more remailers)
Another thing to remember is that if a passphrase is lost or forgotten, it can NEVER be recovered! Calling the Tech support folks at Network Associates won't help. There is absolutely NO way to recover a lost passphrase except to remember it!
With this in mind, we'll use a simple one for this test key: 'test passphrase' (without the quotes and with the space, both words in all lowercase). Type it into the passphrase box and again into the confirmation box and click <Next>. If the entries in the passphrase and confirmation boxes are not the same, you will be prompted to try again.
Congratulations! You have just completed successful installation of PGP v6.5.8 and created your first set of PGP keys. Now we'll walk through a few quick examples of how to use it.
Example:
For this example you'll need to open Notepad and type a few lines of text.:
this is a test message,
encrypted with pgp using Test User's public key
adios.
When you're finished, click on the padlock icon in the system tray. Select 'Current Window' and then select 'Encrypt & Sign'. The text in the Notepad window will all be selected and then the 'Key Selection Dialog' will appear. Select the key you just created ("Test User <testuser@domain.com>") and drag it down to the Recipients list and click <OK>
Next you will be prompted to enter the passphrase for the signing key. Note that if you had more than one key pair, you would be able to choose which one to use as the signing key from the list in this window. For now of course, you only have the one key so enter the passphrase for it and click <OK>.
After a few seconds the text that you had in Notepad will be replaced. The resulting message will look like this:
-----BEGIN PGP MESSAGE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
hQEMA+C7envFYmALAQf/YMlqlvE7jYFqNyTMQXAv6p2PrGc94Nyrbviva+OJJxUB
dzfCqCgvBN6k07O/lDdSXXfS4hibsviNizr3iAe4AfmjERbQTyT4OzfILLOB9Wrk
6Fvq3W035p+rHF9gTcflA1F0oxymwGF22J9QXHsoFUdkU43rfCFkp/nuBWAMY5dU
3Snlq403WionmLqbzMK6uZ6ItbKncPWYE62P2x44WUFdBi82TI8E126YLztwtotO
K0Tam+Ew5t9g0CS9+cU9gJV+GdTWFiCVs+Gt3EvbrE2suIL6jCOPGL3OrB/pQbV7
mtlZ8360i7OoxpT7ShCB4yGCVMpjG7EW+j080Mx5+KUBiOpXa7WFvbg5HWC5iIWm
iauq+UG2WUz+53NauJqcCp/LAHyw4inVuAbYojKjKjCJodv5O6KPtg86e3rCoe7A
KMorDefZd+Uuu3bLzCQgZQYabEalJN+QLa8N4axdvlcF4ZLF9CciOZXWcBL33wI+
wLMIwR06/bUllUw+rPJzFYU0qXpaUkbEpAFgz2ocGsgQ1ORwtZX/qqGMfzleyW+6
oWdLZSM2VhYw1gVuPCcg1sf1RXEAQ/AwI9JWITRgwDUXY+7QE/nAkd0AGGoJkF//
ZlsQVyDMRyK6zkzNWM8b00AxtXshAEgEvulhdm13g/aiMzgCzTWBSjm2F5/7N5Xb
AGUPQW76IEOM4XUaBbAzC8i4nLEfvccO50urUIzt8OC/JkR4haCdtMFswQUuzZ36
UesUCXpoQTGE89hPW3CSd41ddCOc5IllQZVqwVuIG8XkwzBsXIpG1lIe+5AA+dK2
FyvGBbSkdwh72gPzXRYc9AFT4Rqr8tK1rsod0+tho2DzZZW2gVS0wHrB
=FfuE
-----END PGP MESSAGE-----
You can now use copy and paste to drop this message into an email, or save the file and attach it to an email or save it on disk. You could even print it out and send it by postal mail (though i'd hate to be the guy who had to type that thing in! Even one error would make it impossible to decrypt it! This message could be posted anywhere, in any public message board or newsgroup with total confidence that no matter how many people saw it, only the person or persons whose public keys were used to create it would be able to read it's content.
Later on, Test User needs the information that was encrypted in the text file. So open the file in Notepad and click on the padlock icon. Select 'Current Window' and then select 'Decrypt & Verify'
PGP will select all of the text in the Notepad window and after a second the 'enter passphrase' window will appear. Here PGP informs us that the message was encrypted to Test User's key. Had it been encrypted to more than one key, any of them could have been used to decrypt it. In this case of course we'll enter the passphrase for Test User's key and click <OK>
PGP churns for a few seconds and a Text Viewer window appears with the following text in it:
*** PGP Signature Status: good
*** Signer: test user <testuser@domain.com>
*** Signed: 7/23/02 9:06:06 PM
*** Verified: 7/23/02 9:14:59 PM
*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
this is a test message,
encrypted with pgp using Test User's public key
adios.
*** END PGP DECRYPTED/VERIFIED MESSAGE ***
On this window there is a <Copy to Clipboard> button that allows you to copy the content of the decrypted message and paste it into another file. In this case, we won't bother, instead click <OK> to close the text viewer. You will notice that the content of the Notepad file is unchanged, and would stay that way unless we had chosen to copy the decrypted message and paste it into Notepad.
This same procedure can also be used in an email client or word processor. If you have trouble with the 'Current Window' option on the PGP menu, you can also highlight the text you want to work with and then use Copy or Cut to put it into the Windows clipboard and then choose 'Clipboard' instead of 'Current Window' on the PGP padlock icon. They both have the same options on them.
In another example, the same message could have simply been 'signed' with a unique digital signature that could assure that the message was from the person who claimed to write it and that it had not been altered in any way. Simply 'signing' a message is done in the same manner as the previous example with the exception that instead of choosing 'Encrypt & Sign' you chooose 'Sign'.
So the message:
this is a test message,
signed with pgp using Test User's public key
adios.
After it is 'signed', looks like this:
this is a test message,
signed with pgp using Test User's public key
adios.
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQEVAwUBPT4oB+C7envFYmALAQG9swgAo1+IKwaObHsPHd43ekD6wZYEJ8xl6qfR
AZp86aRCj3Pg49mS1BU2Yiq6QJPM0QTn7yCh2dWdr/1SvBvXavBvQfSmJTN4VU+j
IcNoHsZqmpnWhuLnoeQ9/HqCOWw50NcY1wU/1CTZYKT/D0ZqgP9eyonn9kf0JOGz
9PT/AK7MM+BFuO6CzTl0lXc0To3VPzRA87WU8IjTfEf/UGNWn3iysl6z/TQSKo1w
zq5EP7endZIPy6aal8B6buB6ql24s0bcklFALj6Ux4HIjjh6IEfd5kiJjtJPiArd
/xeY0fw0G39RpI5SrlhZNUCRR4m1wmQZX1d2L9Y9yoVjb2dq5xCDMA==
=oBys
-----END PGP SIGNATURE-----
Now if you take this message and select 'Current Window' and 'Decrypt & Verify' on the PGP padlock icon, the text viewer will pop up again with the following in it:
*** Signer: test user <testuser@domain.com>
*** Signed: 7/23/02 11:07:35 PM
*** Verified: 7/23/02 11:09:57 PM
*** BEGIN PGP VERIFIED MESSAGE ***
this is a test message,
signed with pgp using Test User's public key
adios.
This shows that Test User did indeed sign this message, and the fact that it's status is good indicates that the message has not been altered since it was signed. If it had changed by even one character, the PGP Signature Status would be 'bad'. This means that while the message was sent "In the clear" (which means 'Not Encrypted'), if the status is good, then we know that the message has not been altered. (as an experiment, go back to the message that you signed and change one character or add even a single space to it and then try to 'Decrypt & Verify' it. The Signature Status will be bad)
When a message is signed you are assured that the signer's ID is the same as who it claims to be. This is because unlike encrypting a message, the signer's private key is used to sign the message and then thier public key is used to verify that signature. Since only the signer would have access to the private key and only they would know the passphrase for it, then a good signature status shows that the message is valid and came from the signer.
Now if anyone is going to be able to send encrypted messages to Test User, they have to be able to obtain the public key. One of the most common ways is to send the public key to a key server that people can search for the key. The other is to export the public key to a text file and give it out to anyone who might need to send encrypted messages.
Uploading to Key Server:
Make sure that you are connected to the Internet for this. Click on the PGP padlock icon, and select 'PGPKeys'. When the window opens select your key and click the right mouse button. Select 'Send To' and then select 'http://pgpkeys.mit.edu:11371' You'll see a progress indicator and then a message letting you know that the key has been uploaded. (*Note* If you try this with the 'Test User' key you will find that it's already on the server because lots of people have done the 'Test User' thing)
The other way to distribute public keys is to export them into a file and send them to other so that they can import them into their keyrings.
Export public key:
Once again open PGPKeys and select your key. Click the right mouse button and select 'Export'. A 'Export Key to file' box will open. Select the folder you want to save it in. You will notice that the filename is already set to a default of: 'test user.asc'. Make sure that the box "Include Private Keys" is NOT checked, and click <Save>. You can now close PGPKeys.
Importing keys:
Open PGPKeys and select 'Keys' on the main menu, then select 'Import'. Move to the folder where the key you want to import is saved, select it and click <Open>. PGP will read the file and then present a box where you can select which of the keys that it found you want to import into your keyring. Select the key you want and click <Import>. PGP will add the selected keys to your keyring. Close PGPKeys. You can now use the newly imported key to send messages to the owner of the key.
Getting keys from the keyserver:
Open PGPKeys and select 'Server' on the main menu. Click 'Search' and the search window will open. Set the "Search for keys on" dropdown box to 'http://pgpkeys.mit.edu:11371'. If you were looking for my public key then you would then set the search to "User ID", "Contains", "Edward Langenback", then click <Search>. PGP will spend some time communicating with the keyserver and will finally return my public key. To make sure this is the correct one (there are some old ones of mine out there that I don't use anymore), right click on it and select 'Key Properties'. On the 'General' tab of the property sheet you'll see the following information:
ID: 0xB9E76C70
Type: DH/DSS
Size: 4096/1024
Created: 6/29/03
Expires: Never
Cypher: CAST
Click <Close> on the property sheet and then right click on the key again. Click <Import to Local Keyring> and my public key is now on your keyring. Close the search box and then close PGPKeys. It is now possible to send a message that only I can read, by using my public key to encrypt it.
With just a little practice, you will find that using PGP is really quite easy and the security that it makes available is more than worth the time to download it and learn how to use it.
