<head><title>PGP Startup Guide</title></head><pre><h1>PGP Startup Guide</h1>- -----BEGIN PGP SIGNED MESSAGE-----  Xenon (an48138@anon.penet.fi) has kindly posted an info sheet on getting  MacPGP 2.3a up and running, encouraging somebody to come along and write the  same thing for the PC version.  Well, hell, here it is.  Questions,  comments, bitches, and e-mail about this kind of stuff in general are  welcome at an50928@anon.penet.fi.  Our public key to verify the document can  be found at the end of this document, and also on keyservers all over the  damn place.================================================================================                       PGP Startup Guide - DOS Version                                     v1.0                                  (93/11/28)                                Out and About                           <an50928@anon.penet.fi>================================================================================Contents========Section 1 - Intro<1.0>  What the hell is this document?<1.1>  What the hell is PGP?Section 2 - Obtaining It<2.1>  BBSs<2.2>  America Online<2.3>  CompuServe<2.4>  InterNet<2.5>  Setting it upSection 3 - Using It<3.1>  Generating a Key<3.2>  Keys & keyrings<3.3>  Keyservers<3.4>  Signing<3.5>  Encrypting<3.6>  Other useful commandsSection 4 - Miscellaneous<4.1>  Legal Issues<4.2>  ViaCrypt<4.3>  Version History<4.4>  Everything Else================================================================================Section 1 - Intro<1.0>  What the hell is this document?  This document is an intro to PGP on MS-DOS machines.  It's designed for a  first-time user of PGP, and will get them through finding the program;  getting the program; and, finally, using the program in a basic way.  In  other words, a good way to get more people using PGP.<1.1>  What the hell is PGP?  PGP is a cryptography system that allows you to send data to other people  with what amounts to excellent security.  The important point about PGP,  though, is that you never have to meet the person you're sending encrypted  information to.  This might not make sense at first, but this capability is  essential to the benefits PGP can provide.  Traditional encryption techniques have one key.  The two people meet first,  and exchange this key; then, afterwards, one encrypts the data with the key,  sends it to the other person, who uses the same key to decrypt it.  Simple,  eh?  Well, PGP can do that, but it can also do something else, called public-key  encryption.  This means that you encrypt a document with somebody's "public  key" - which is freely distributed - and *only they* will be able to decrypt  it, with their corresponding private key.  Nobody else can.  Not even you,  right after you've encrypted it with their public key.  Some people may wonder why PGP is necessary.  Some people probably don't  care.  However, the two of us work remote in a distributed environment - our  modems are our connection to the office, and anytime we're sending sensitive  data through any kind of network, we're risking somebody else grabbing a  copy.  With PGP, that's no longer an issue.  Additionally, we're always sure that documents come from where they were  supposed to, since it's impossible to forge the digital "signatures" that  PGP creates.  For example, nobody knows who the two of us really are - the  anonymous server takes care of that.  However, once you've got our public  key, you'll know that anything verified by that key came from us - without  ever meeting either of us.  Thus, by coupling the anonymity of the InterNet  and the authentication of PGP, we can be anonymous, yet readily - and  reliably - identified.  Cool, eh?  The only potential problems with public-key systems is verifying the public  keys you have; see below, as well as the PGP documentation, for help on  this.Section 2 - Obtaining It<2.1>  BBSs  PGP is probably available on some local BBSs in your area.  If your local  BBS lacks it, here's some info from the PGP docs:================================================================================     The GRAPEVINE BBS in Little Rock Arkansas has set up a special     account for people to download PGP for free.  The SYSOP is Jim Wenzel,     at jim.wenzel@grapevine.lrk.ar.us.  The following phone numbers are     applicable and should be dialed in the order presented (i.e., the     first one is the highest speed line):  (501) 753-6859, (501)     753-8121, (501) 791-0124.  When asked to login use the following     information:               name: PGP USER        ('PGP' is 1st name, 'USER' is 2nd name)         password: PGP           PGP is also widely available on Fidonet, a large informal network of     PC-based bulletin board systems interconnected via modems.  Check     your local bulletin board systems.  It is available on many foreign     and domestic Fidonet BBS sites.           In New Zealand, try this (supposedly free) dial-up BBS system:        Kappa Crucis:  +64 9 817-3714, -3725, -3324, -8424, -3094, -3393           Source and binary distributions of PGP are available from the Canadian     Broadcasting Corporation library, which is open to the public.  It has     branches in Toronto, Montreal, and Vancouver.  Contact Max Allen, at     +1 416 205-6017 if you have questions.           For information on PGP implementations on the Apple Macintosh,     Commodore Amiga, or Atari ST, or any other questions about where to     get PGP for any other platform, contact Hugh Miller at     hmiller@lucpul.it.luc.edu.================================================================================<2.2>  America Online  As of a few days ago, PGP is also available on America Online.  If you have  any specific information on where PGP is available on AOL, please send it to  us; we'll include it in a future version of this document.<2.3>  CompuServe  Officially, it's not available on CompuServe, but try GO IBMFF and use the  File Finder on the keyword PGP; usually some forum still has it sitting  around, despite CIS's management trying their best to get rid of it.<2.4>  InterNet  If you're on the InterNet, the easiest way to dig up a copy of PGP is to ask  an "archie" server for the location.  Borrowing from Xenon's excellent  directions, find yourself an InterNet account, and telnet over to  archie.internic.net.  Log in with a username of "archie", and at the prompt,  type "prog pgp23a.zip".  You'll get a list of sites and directories, a la:================================================================================Host soda.berkeley.edu    (128.32.149.19)Last updated 09:50  4 Nov 1993    Location: /pub/cypherpunks/pgp      FILE    -rw-r--r--  320168 bytes  08:09  3 Jul 1993  pgp23a.zipHost isy.liu.se    (130.236.1.3)Last updated 08:14  3 Nov 1993    Location: /pub/misc/pgp/2.3A      FILE    -rw-r--r--  422851 bytes  10:58 19 Sep 1993  pgp23a.zip================================================================================  Close archie by typing "bye", then ftp to one of the above sites.  Use  "anonymous" for the user name, and your e-mail address as a password.  Type  "cd <dir>", where <dir> is the directory listed in the archie listing for  the site you're ftping to.  Type "binary", which sets the binary mode on.  Then type "get <filename>", where <filename> is the filename listed by  archie.  Finally, type "bye" to get back to your email system.  Get the file from your email system to your PC; this varies so much from  site to site that you'll need somebody local to help.<2.5>  Setting it up  Once you've got it on your PC, unzip PGP into its own directory.  You'll  also need to set two environment variables for PGP to be happy.  One, TZ,  sets the time zone for the system; here are some examples from the PGP docs:  For Amsterdam:    SET TZ=MET-1DST  For Arizona:      SET TZ=MST7     (Arizona never uses daylight savings time)  For Aukland:      SET TZ=NZT-13  For Chicago:      SET TZ=CST6CDT  For Denver:       SET TZ=MST7MDT  For London:       SET TZ=GMT0BST  For Los Angeles:  SET TZ=PST8PDT  For Moscow:       SET TZ=MSK-3MSD  For New York:     SET TZ=EST5EDT  Then set PGPPATH to the location you've unzipped PGP into; for example:  SET PGPPATH=C:\PGP  READ THE DOCS!  What follows from here is a good way to get started, but  there are a number of issues raised in the documentation that *must* be  known for safe and reliable operation!Section 3 - Using It<3.1>  Generating a Key  PGP works on the principle of "public-key" encryption.  This means that  every key has two parts: a secret part you keep close to your heart, and a  public part you scatter to the winds.  The two have some mysterious,  mathematical relationship that Einstein couldn't understand, but for our  purposes all that matters is that the public part can decrypt things  encrypted by the secret part, and vice versa.  Thus, the first step in using  PGP is to generate your key.  Type:  PGP -kg  Select a key length; the bigger, the more secure.  Most people use 1024  bits, and it isn't that much slower.  Following this, PGP will ask you for  your user name.  For example:  Out and About <an50928@anon.penet.fi>  |-----+-----| |----------+----------|        |                  |        |                  +----------+ Email Address, in <> brackets        +-----------------------------+ User Name, plain text  Please follow this pattern; since a lot of people are starting to use their  PGP keyrings with their friend's PGP keys as their email directories,  keeping things relatively constant is a Good Thing.  It'll then ask you for a "pass phrase."  This pass phrase is *very*  important. What PGP does, to insure that your secret key is used only when  authorized, is encrypt the secret key data with this "pass phrase," so that  only if the pass phrase is known will the secret key work.  As with most  kinds of password, this should not be something easily guess.  Differing  from most passwords, though, is that this phrase can pretty much be any text  you want, with long lengths encouraged.  Use random characters interspersed  with text, like hey1me$for*turkeys^clinton.  Don't use famous quotations, or  anything easily guessed, since this pass phrase is what keeps your secret  key secure.  The program will then want some number of random keystrokes. This probably  sounds silly, but it's actually very important.  Computers can generate  pseudorandom numbers, but truly random numbers are impossible - computers  are fancy calculators, and randomness comes hard.  So, PGP wants some  keystrokes - which it times - to derive some truly random numbers for  generating the keys.  Then it generates the key.  Go have lunch while this is happening; it's  probably the most boring interface yet come up with by any programmer,  unless you enjoy periods and plus signs.  A lot.  Especially if you have a  slow machine.  Finally, PGP will beep, and you've got a public and a secret key, stored on,  logically enough, a public and a secret keyring.  Which, of course, brings  us to keyrings.  BUT WAIT!!  Before you touch the next section, execute the following  command:  PGP -ks <id>  Where <id> is some part of your user ID that you typed in above.  You'll  have to type in that damn pass phrase - you did remember it, didn't you? -  and PGP will sign your key with your key.  While this probably sounds  redundant, it actually plays a very important part in assuring that your key  remains unmolested.  Nothing worse than molested keys ...<3.2>  Keys & keyrings  We mentioned keyrings above.  Well, if you've got keys in real life,  keyrings are a good place to put them.  PGP keys aren't any different.  PGP, by default, has two keyrings: public and secret.  Since you've already  generated a key pair, you've got one public and one secret key - the two  matching parts of your key.  These are stored on two keyrings; logically,  there's a public one (stored in PUBRING.PGP), and a secret one (stored in  SECRING.PGP).  The public keyring also will eventually contain keys for your  friends and such; the material on it is desiged for public distribution. The  SECRING.PGP file, on the other hand, is *very* valuable.  With that file and  your pass phrase, anybody can sign documents with your "electronic"  signature, and decrypt things sent to you.  Don't let it out of your sight;  while your pass phrase does protect the contents of the secret ring to a  certain extent, keeping the file secure is just as important as keeping the  pass phrase secret.  Since public keys can be distributed freely, they can be obtained from  keyservers (see below), among many other places. The PGP distribution  includes one called KEYS.ASC, which includes the public keys of the authors  of PGP.  As a first exercise, let's add it to your public keyring with this  command:  PGP -ka KEYS.ASC  PGP will ask if you want to certify any of the keys you've just added.  Say  "no"; certification means you know for sure that the key belongs to a user.  If you later get keys from friends who hand them to you personally, you can  say "yes" when you add their keys, telling PGP you know the keys really  belong to who they claim to.