-----BEGIN PGP SIGNED MESSAGE-----

THE BEGINNER'S GUIDE TO PRETTY GOOD PRIVACY

Version 1.1 (April 13, 1995)
by Bill Morton

This version is for the following users: PGP 2.6.2 or 2.6i

Table of contents:

I. The beginner's guide to pretty good privacy.
   A. Table of Contents
   B. Information about this edition.
   C. DISCLAIMER
   D. Permission to distribute.
II. Introduction.
   A. Hello there!
   B. Definitions
   C. Of front ends and easy approaches
   D. The PGP command line.
   E. Playing for perfection
III. Some installation tips.
   A. Where to install it.
   B. Of drives and directories
   C. Generating a secret key
IV. Key Management.
   A. Sign your own public key.
   B. Extracting a public key
   C. Adding a public key to your public key ring.
   D. Key verification.
   E. Signing someone else's key
   F. The use of Secret Keys and Public Keys.
V. Preparing a text for encryption.
   A. The basics
VI. Encrypting a text.
   A. Basic encryption
   B. ASCII armor
   C. Signing a ciphertext
   D. Wiping and deleting a file
   E. A Brief note on file extensions
VII. Mailing a ciphertext.
   A. Cut and paste
   B. File size
   C. Enclosing a file
VIII. Decrypting a ciphertext.
IX. Editing the config.txt and autoexec.bat files.
   A. AUTOEXEC.BAT
   B. CONFIG.TXT
   C. Congratulations!
X. Some other interesting PGP uses
   A. Signing and clear-signing
   B. Other kinds of files
   C. Signature certificates
   D. The -c option
XI. Some ways to get into trouble
   A. Improper keyring security
   B. Accepting uncertified keys
   C. Plaintext insecurity
   D. Spy stuff
   E. When NOT to use PGP.
XII. Conclusion.

B. Information about this edition.

This document was written with the DOS user in mind. If you use a Mac or another operating system you will find it necessary to adapt some of the practises described here to your situation. However, no matter what system you use you can read this document and benefit from it.

This text is provided in ASCII format without page breaks or any other printer characters inserted.
Thank you, William Evans, for your diligent proofreading and suggestions, which have been heeded, mostly.

C. DISCLAIMER

You have been asked to read the documents which came with your PGP package, especially the volume of ESSENTIAL TOPICS, and you should do this at the first possible moment. This document will attempt to introduce you to the basic use of PGP, the basic concepts of key management, and the basic concepts of text security. This is to get you "up and running" in PGP as safely as possible. Perhaps after a few days of PGP use you will be able to go back to the original documentation and read it more clearly. Until then use this BEGINNER'S GUIDE.

HOWEVER, neither the author of this document nor any of its distributors are liable for any loss, damage, or breach of security which results from your failure to understand and use PGP properly.

D. Permission to distribute and other legal stuff.

This document may be freely distributed under the following conditions:

This document, THE BEGINNER'S GUIDE TO PRETTY GOOD PRIVACY, may be distributed by any electronic means: e-mail, ftp archive, Web page, BBS file, floppy disk. The author reserves all rights to any hard copy distribution. Individual users may make a hard copy for their own private use.

When distributing this edition of THE BEGINNER'S GUIDE TO PRETTY GOOD PRIVACY, the attached PGP signature must remain attached and the PGP signed document and the signature must remain unaltered.

To obtain my public key to verify the signature on this document please e-mail me: wjmorton@nbnet.nb.ca

Don't send me any money! If you find that this document has made your use of PGP easier then all I ask is that you help one other person to begin using PGP.

Finally, the mention of any copyrighted software in this document does not imply an endorsement of PGP by the software authors.

II. Introduction.

A. Hello there!

Welcome to the wonderful world of encryption.
You have decided for whatever reason to use encryption to protect your e-mail and other data stored or transmitted electronically. Good decision. Many people think that people who encrypt their e-mail have "something to hide." Well, they do. Just like you they choose to keep their private thoughts to themselves and share them only with the people with whom they choose to share them. Or, just like you, they have information which they wish to e-mail or store that needs to be hidden from business competitors or even competitors in their own office.

The beginning of this document is going to be rather terse. We will begin by defining a few terms and introducing a few concepts and then get right down to installing PGP and using it. For those of you out there who are real sticklers for technical precision I would advise you to tune out right now. If you want hard core information read the PGP documentation.

As a general rule, if a description given below is brief that's because the technical nuts and bolts are described in the documents, and if you want to know why I'm telling you to do something then read the documents. If a description is long and it seems like I'm hammering the same point over and over it's because it's a really important point. Usually it's something that's also described in detail in the PGP documents but it's probably a point where if you make a mistake you will compromise the security of PGP and probably get yourself into trouble.

B. Definitions

PGP: Pretty Good Privacy, a program developed by Philip Zimmermann which uses public key encryption. It enables two people to communicate by e-mail, whether interoffice or intercontinental, with the greatest probability that no one but the sender and the receiver can read the text.

Plaintext: The actual message, text, data, program, GIF file, or whatever. It can be read, run or viewed by anyone.
PGP can encrypt any type of data but for the purposes of this document we will refer to the plaintext as a text or message.

Ciphertext: What the plaintext looks like after it is encrypted. Unreadable, unrunnable, unviewable except by the person with the key to decrypt it.

Encryption: Taking plaintext and turning it into ciphertext.

Decryption: Taking ciphertext and turning it into plaintext.

Text editor: A plain vanilla ASCII text editor is unlike a word processor. You can encrypt word processor files but you should be aware of some of the security drawbacks. Word processors use swap files and automatic back-up files to make it almost impossible for you to lose your text. This is a good thing unless you don't want people to read your text, either by accident or on purpose.

For example, this document is being written with MS-Word. When I quit for the night and save the uncompleted manuscript in the file PGPBEGIN.DOC, MS-Word automatically saves a copy in PGPBEGIN.BAK. If I work on this document for more than a few moments MS-Word also saves the file in an auto back-up file in case the power goes off. Also, whenever I edit the file MS-Word saves chunks of this file in case I want to undo my edits. This is great for making sure I don't lose my text, terrible for security. Certainly I could go through my entire hard disk and delete each file but even then a simple DOS command like UNDELETE could bring them back to life.

So for the purposes of PGP security always use a text editor like MS-Editor that comes with MS-DOS and then use the -w command option with PGP. (More about this later.)

Public Key: This is the part of PGP which is used to encrypt text. This is the key that you give to other people so that they can send ciphertext to you which only you can read.

Secret Key: This is the part of PGP which is used to decrypt text. This is the key which allows you and only you to read the ciphertext that was made by your public key. It is protected by your pass phrase.
Key id: A hexadecimal number assigned to each key generated which may be used instead of the user id to identify a key.

Key Fingerprint: A long string of hexadecimal numbers which is displayed when you use the PGP command:

    pgp -kvc john

The key fingerprint is used to authenticate PGP public keys.

User id: This is also attached to the secret and public keys when the keys are generated. It is the name (and e-mail address) of the person to whom the key belongs.

Public Keyring: A file called pubring.pgp where you keep your public key and the public keys of the people to whom you want to send ciphertext.

Secret Keyring: A file called secring.pgp where your secret key (or keys) is stored.

Command line: A line typed at the DOS prompt which sets a program in action.

C. Of front ends and easy approaches

In this document I will not be detailing how to physically install PGP on your machine. The central focus of this document is enabling you to use PGP with the greatest ease and the greatest security.

And now a word about "front ends." The term "front end" (sometimes referred to as a "shell") refers to a program which acts as an easy user interface for another program. Front ends have been designed for the Amiga, MS-Windows, Macintosh, and MS-DOS environments and to work with various e-mail and newsreader programs.

The advantage to using a front end program is that PGP becomes easier to use. The major disadvantage, from the aspect of learning PGP, is that front ends hide the operation of PGP from the user. If you learn to use PGP from the command line and develop some understanding of what is going on, you are less likely to make a mistake which will compromise the effectiveness of PGP and your security.

Later you may wish to take advantage of one of the front ends which are available. That can be your decision. However, I believe that after you work your way through the following document you will find PGP so easy to use that you won't need to make it any easier.

D. The PGP command line.

The PGP command line is simple to construct because it is made up of some basic parts. A PGP command line that you will encounter later in this document looks like this:

    pgp -seatw intro.doc John -u Mary

Right now it may look like gibberish but by the time you read one third of this document you will understand the simplicity of the command line. For now let's look at the parts and give them general names and describe each part's use.

"pgp" These letters start Pretty Good Privacy. They will be the first three characters that you type every time you use PGP.

"-seatw" The command options. There are a variety of command options