Internet Security Professional Reference:PGP


PGP How-To

This section contains a step-by-step example showing how to use PGP. It assumes that the user already has a working PGP program. Many of the details are left for later sections; this is only a quick explanation of what to do and in what order.

Before You Use PGP

The first step in using PGP is obtaining a PGP binary. Binary distributions are available for platforms such as DOS and Mac. However, PGP is available only in source code for Unix and some other systems, so users of those systems must compile PGP themselves before it can be used. PGP 2.6.2 has been ported to many operating systems, and it builds cleanly on most Unix systems. MIT provides information regarding the use and availability of PGP on its web site at http://web.MIT.edu/network/PGP.html. This chapter will focus mainly on this particular version of PGP.

A few items should be collected before PGP is used. You will be able to use PGP after you have done the following:

  Obtained a PGP binary
  Created the PGPPATH directory
  Set the PGPPATH variable
  Chosen a pass phrase

The PGP program depends on some system state to operate. On most platforms, the system state is an environment variable—the PGPPATH environment variable—that tells PGP where to look for its other files.

An environment variable is usually set upon system startup or user initialization depending upon the system in use. On a DOS system, for example, the PGPPATH variable can be set in CONFIG.SYS as follows:

set PGPPATH=C:\PGP

When using a Unix system, the way to set the environment variable depends on the shell in use. When using the Bourne Shell, PGPPATH is set as follows:

PGPPATH=/home/user/.pgp; export PGPPATH

When using the C Shell, PGPPATH can be set using setenv, as follows:

setenv PGPPATH /home/user/.pgp

If you want to keep the PGP files in a particular directory, you need to set PGPPATH to point to that directory; PGP will then look there for its configuration and data files. Unless PGPPATH is set, PGP by default uses the current working directory to hold all data files.


Note:  The exception is in Unix: PGP will use the .pgp subdirectory of the user’s home directory, $HOME/.pgp. This directory must be created by the user. PGP will not create this directory and will print an error if it does not exist.

Next, you need to decide on a pass phrase to use. The pass phrase should be hard to forget and difficult to guess. This pass phrase will be your key to PGP, and knowledge of the pass phrase allows others to create and access messages as if they were you. Think of the pass phrase as the PIN on a bank card; access to a bank account depends entirely on the security of the PIN and possession of the bank card. The difference is that there are many more ways to obtain the PGP equivalent of the PIN and bank card than there are in the physical version, but the threat to the security of the user's data can be the same.

The best pass phrases are relatively long and complex. They should contain uppercase and lowercase letters, and each pass phrase should contain some numeric or punctuation characters. A sentence of 8–10 words is long enough to be impossible to guess but short enough that most people should be able to remember it. One way to come up with a sentence is to look in the dictionary at random and combine 8–10 words with articles and punctuation to make a coherent sentence. Once created, this sentence then becomes the pass phrase.

A long pass phrase should be used because it is more difficult to guess a long pass phrase and it is also more difficult to create a program to try every possible pass phrase. For example, if a pass phrase were only eight characters long, it would be simple to write a program to try all eight-character pass phrases. Moreover, this cracking program would run in a reasonably short amount of time.

Assume, for example, an eight-character pass phrase using only letters and numbers. This would mean there are 2×10^14 possible pass phrases. Assuming one million checks per second, it would take 2×10^8 seconds, or just under seven years. However, it is still best to choose longer pass phrases to help protect against these attacks.
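As an added example (not from the book), the following Python carries the chapter's arithmetic through for the eight-character case and extends it to longer phrases and to sentences of dictionary words. The rate of one million checks per second is the chapter's; the 20,000-word vocabulary and the 95-symbol printable alphabet are assumptions.

```python
"""Exhaustive-search estimates for PGP pass phrases (added example, not from
the book): reproduces the chapter's eight-character figure and extends the
same arithmetic to longer phrases and to dictionary-word sentences."""

SECONDS_PER_YEAR = 365 * 24 * 60 * 60
CHECKS_PER_SECOND = 1_000_000        # the chapter's assumed attacker rate
LETTERS_AND_DIGITS = 26 + 26 + 10    # 62 symbols: the chapter's case
PRINTABLE_ASCII = 95                 # assumption: space through tilde
ENGLISH_VOCABULARY = 20_000          # assumption: size of an attacker's word list

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct pass phrases of exactly `length` symbols."""
    return alphabet_size ** length

def years_to_exhaust(space: int, rate: float = CHECKS_PER_SECOND) -> float:
    """Years needed to try every candidate in `space` at `rate` checks/s."""
    return space / rate / SECONDS_PER_YEAR

def minimum_length(alphabet_size: int, target_years: float,
                   rate: float = CHECKS_PER_SECOND) -> int:
    """Shortest length whose full search takes longer than `target_years`."""
    length = 1
    while years_to_exhaust(keyspace(alphabet_size, length), rate) <= target_years:
        length += 1
    return length

def sentence_keyspace(vocabulary: int, words: int) -> int:
    """Candidates for `words` dictionary words; an attacker who knows the
    phrase is a sentence searches word combinations, not characters."""
    return vocabulary ** words

def summary() -> dict:
    """Side-by-side figures for the chapter's discussion."""
    return {
        "8 alnum chars (years)": years_to_exhaust(keyspace(LETTERS_AND_DIGITS, 8)),
        "8 printable chars (years)": years_to_exhaust(keyspace(PRINTABLE_ASCII, 8)),
        "alnum length for 1000 years": minimum_length(LETTERS_AND_DIGITS, 1000),
        "8-word sentence (years)": years_to_exhaust(sentence_keyspace(ENGLISH_VOCABULARY, 8)),
    }

if __name__ == "__main__":
    for label, value in summary().items():
        print(f"{label:>28}: {value:,.3g}")
```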

Generate a PGP Key

The first step in using PGP is to generate a PGP Key. PGP uses these keys when performing operations to secure messages. It is important that you choose an appropriate name for your PGP key and that you choose a memorable pass phrase when creating the key.


Warning:  When generating a key it is important to remember the pass phrase. The pass phrase is used to lock the secret portion of the key when it is created, and is later used to unlock the key. A forgotten pass phrase cannot be recovered by anyone.

A sample key-generation session on a Unix system, beginning with creation of the .pgp directory, looks like this:

~> mkdir .pgp
~> pgp -kg
Pretty Good Privacy(tm) 2.6.2 - Public-Key Encryption for the Masses.
(c) 1990-1994 Philip Zimmermann, Phil’s Pretty Good Software. 11 Oct 94
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Distributed by the Massachusetts Institute of Technology.
Export of this software may be restricted by the U.S. government.
Current time: 1995/11/14 08:12 GMT
Pick your RSA key size:
1) 512 bits- Low commercial grade, fast but less secure
2) 768 bits- High commercial grade, medium speed, good security
3) 1024 bits- “Military” grade, slow, highest security
Choose 1, 2, or 3, or enter desired number of bits: 3
Generating an RSA Key with a 1024-Bit Modulus.

You need a user ID for your public key. The desired form for this
user ID is your name, followed by your e-mail address enclosed in
<angle brackets>, if you have an e-mail address.
For example:  John Q. Smith <12345.6789@compuserve.com>
Enter a user ID for your public key: Ruth Thomas <tara@mail.Free.NET>

You need a pass phrase to protect your RSA secret key. Your pass phrase
can be any sentence or phrase and may have many words, spaces,
punctuation, or any other printable characters.

Enter pass phrase:
Enter same pass phrase again:
Note that key generation is a lengthy process.

We need to generate 784 random bits. This is done by measuring the
time intervals between your keystrokes. Please enter some random text
on your keyboard until you hear the beep:
0 * -Enough, thank you.
.......**** .......................................................
..****
Key generation completed.

Listing the public key ring would give this output:

Type bits/keyID    Date       User ID
pub  1024/D0C6326D 1995/11/14 Ruth Thomas <tara@mail.Free.NET>

