Packetizer Labs

PGP Primer (PGP 2.6)

I. What is PGP?

PGP (Pretty Good Privacy) is a "public key/private key" encryption program. This software will allow you to take any file and encrypt it so that nobody can read the file except the person who has the "key" to decrypt it. The software uses some very complicated mathematical operations in order to perform the encryption. The encryption is so good, in fact, that nobody (or government) has been successful in cracking keys larger than about 326 "bits". The reason is the way "public key/private key" systems work.

Unlike many methods of encrypting data, which have a single "key" to encrypt and decrypt data, the "public key/private key" systems have two keys. One key, the "public key", can be given to anyone. When someone wants to encrypt a file for you, they will use your "public key" to encrypt the data. There is absolutely no way to decrypt the data using the public key. When you receive the file, you use your "private key" (or "secret key") to decrypt the message. Along with your "secret key", you have a pass phrase that must be supplied in order for the key to operate. This allows you to transfer or store confidential files securely.

II. Generating your "keys"

In order to use PGP, you must generate your "keys". Here are the steps:

  1. Create a directory in your home directory called ".pgp". You can do this by issuing the command "mkdir .pgp" when you log in.
  2. Type "pgp -kg" to generate your keys.
  3. The program will ask you the RSA key size. Choose the level of security you want. Tip-- the higher the number of bits, the higher the security.
  4. PGP will ask you for a user ID. This is typically something like "John Doe ". You put your name first, then your e-mail address within "<>".
  5. You will then be asked for a pass phrase. This is like a password, but you can make it a sentence with spaces, etc. The longer the pass phrase, the harder it will be for someone who may steal you "secret key" to use it against you.
  6. You will then be asked to type on the keyboard. This is just so that PGP can get some random numbers to work with. It doesn't matter what you type-- just pound on the keyboard until it tells you "thank you."

Now, look at your "public key ring". Type "pgp -kv". You will see your public key. Notice the date/time of creation and the "keyID". The "keyID" is a number that is very unlikely to be generated twice. Of course it will, but perhaps 1 in four billion tries. It is often a good idea to check that keyID to make sure nobody has tampered any of your public keys. Nobody can really tamper with your private key and get away with it because they will not know your password.

III. Signing your public key

Now, I would suggest that you "sign" your public key. In fact, you should sign every public key you add to your keyring. The reason is so that you can try to monitor tampering. To sign your key, type "pgp -ks userid" (userid is your login initials, name, or something in the user ID line you told PGP in step 4 of section II). Follow the prompts to sign the key. It will ask you for your pass phrase. Now type "pgp -kvv" (note there are two v's). This command will show your public keys and all signatures. You will notice that the "sig"ned lines have the keyID of the signer. If you always sign your public keys and you notice that the keyID of the signature is not yours, someone may have tampered with your public keys!

The reason this is important is, suppose you communicate with "Joe" and I somehow gain access to your public key ring and replace the key for "Joe" with one I created. Well, I probably have a secret key for the fake "Joe", so if you generate an encrypted file with the fake "Joe", I can read it! However, there's no way I can sign the fake "Joe" key using your real secret key because I do not know your pass phrase. So, if you issue "pgp -kvv" and see a missing signature or the wrong keyID value (ie, not yours), you know someone may have tampered with it.

IV. Sending your public key to someone else

In order for someone to send you an encrypted file you can decrypt, they must have your public key. To get this, type "pgp -kxa userid" (again, userid is your login initials, name, or something in the user ID line you told PGP in step 4 of section II). PGP will ask you what file you want to store the key in. Type a file name with ".asc" on the end. For example, "Joe" might create a file called "joe.asc". Now, you can mail this file to someone and they can add it to their public key ring.

NOTE: If you read through the pgp manuals, you will see that "pgp -kx" will also do the job that "pgp -kxa" will do. However, the later is generally easier to send to other people and computer systems.

V. Adding someone's public key to your key ring

If you have a file with someone's public key in it, you can add it to your key ring with a command like "pgp -ka filename", where filename is the name of the file containing the key. Once PGP adds the key to your ring, SIGN IT! You follow the same steps outlined in III, except you will sign the new key you just added rather than your own. Another security step you might want to take is check what the other person's keyID value is ("pgp -kv" will show you) and confirm with them that that is their keyID. This will prevent you from adding a key to your ring someone sent you forged as someone else.

VI. Encrypting a file

To encrypt a file for yourself or someone else, all you have to do is type "pgp -e filename userid", where filename is the name of the file and userid is the user you want to be able to decrypt the file (this could be you). PGP will create a file with the same name, ending with ".pgp". Now, for security, you might want to delete the original file. What you will be left with is an encrypted file only the user you wanted can read.

VII. Decrypting a file

When you receive an encrypted file, you can decrypt it (if it is destined for you) using the command "pgp filename". PGP will ask you for your pass phrase, and if you enter it correctly, the file will be decrypted. It will create a new file without the ".pgp" on the end. If you receive a file that is a PGP encrypted file, but doesn't end with .pgp, you might want to consider changing the name so that it does. Otherwise, you will be prompted for a filename.

VIII. Some cautions

  1. Be sure not to forget your pass phrase. Without it, there's no way a file encrypted with your public key can be decrypted.
  2. Never give anyone your secret key (I didn't even tell you where or how to get it as you may have just thought! There's a reason!)
  3. When encrypting/decrypting, PGP will never automatically remove the file it used to encrypt/decrypt. If you are encrypting a file for yourself, you will probably want to make sure you remove the original "plain text" file. It does no good to have an encrypted file sitting beside a readable copy!
  4. Always sign your public keys!
  5. Don't take any wooden nickels.
  6. Verify the "keyID" of a user's public key with them via phone or personal contact. As I mentioned, there is a remote possibility two keys can have the same keyID, but remote is the operative word.

IX. Miscellaneous commands

When decrypting a file, if you know it is something you can just scroll on your screen, you might want to issue "pgp -m filename". This will send it to your screen one page at a time.

To remove a key from your public key ring, use the command "pgp -kr userid"

For create more portable/mailable encryption files, you might want to encrypt using the command "pgp -ea file....". The "a" will create an "ascii" file that is more easily transmitted. This doesn't compromise security, and mail programs can handle it better sometimes. This is especially important if you are sending the file to someone who does not have a mail program that will support "attached documents" and you must put the PGP file in as part of your mail message text. When you create a file in this manner, PGP will create a file called "filename.asc" instead of "filename.pgp".