SCOUG OS/2 For You - May 1995
PGP - Pretty Good Privacy Secrets
by Dave Watson
People have always tried to keep them. Whispers. Secret handshakes.
Secret decoder rings. Ciphers.
And people have tried to find them. Spies. Electronic bugs. Cryptanalysis.
Early twentieth century politicians decried the use of code breakers,
declaring that "gentlemen don't read others' mail." Now governments and
businesses spend huge sums to keep their secrets, and to peek at yours.
You might have some secrets. If you don't, please read this anyway, in
case you get some secrets later on. Once upon a time we used envelopes and
sealing wax and entrusted our messages to trusted couriers. Laws evolved
to protect these messages. Today the postman delivers advertising and we
send a lot of our messages over unprotected circuits.
Your secrets need help
This article will introduce you to powerful tools to help OS/2 users and
their friends keep their secrets safe. I'll touch on some important
politics in the conclusion, but this article will focus on the mechanics
of using PGP and a helpful utility from Gibbon Computer Products. Both
have a very reasonable price - free - and are quite easy to install and
use.
First, a little about cryptography - the technology of codes. One simple
code dates back at least to ancient Roman times. The Caesar cipher
associates letters of the alphabet in two rows (A corresponds to A, B to
B, etc). Then one row is shifted one or more places to the right. The
shift is your algorithm and the number of places you shift becomes the
"key." If the key is 3, for example, then A now corresponds to D, B to E,
and so on. Windows becomes ZLQGRZV and probably encounters a JSI (that's
a GPF).
There are a lot of simple ciphers like this available today, many of which
are touted as "proprietary" so you can't tell how weak they are. These
weak ciphers are routinely cracked by smart people for entertainment. They
should be avoided unless your objective is only to keep people out of your
files who aren't very smart. Mary, Queen of Scots was executed after
offending the queen of England in a message protected with a very weak
cipher. Of course, she had also married her cousin.
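The Caesar shift described above, together with the reason such ciphers count as weak, as an added example that is not part of the original article: there are only 26 possible keys, so a program can try them all and keep the result that looks most like English. The function names and the letter-frequency scoring are choices made for this illustration.

```python
import string

ALPHA = string.ascii_uppercase

def caesar(text, key):
    """Shift each letter `key` places along the alphabet; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHA:
            out.append(ALPHA[(ALPHA.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

# The most common letters in English text, used as a crude plausibility score.
COMMON = "ETAOINSHR"

def recover_key(ciphertext):
    """Try all 26 keys and return the one whose decryption looks most like English."""
    def score(k):
        candidate = caesar(ciphertext, -k)   # undo a shift of k
        return sum(candidate.count(c) for c in COMMON)
    return max(range(26), key=score)

if __name__ == "__main__":
    print(caesar("Windows", 3), caesar("GPF", 3))
    # Constructed sample message, encrypted with the article's key of 3.
    secret = caesar("PLEASE SEND THE SECRET REPORT TO THE OTHER OFFICE", 3)
    k = recover_key(secret)
    print(k, caesar(secret, -k))
```

The scoring needs a sentence or so of text to be reliable; a single short word can be settled by reading the 26 candidates by eye.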
Modern ciphers are much more complex. An important characteristic is the
type of key - private or public. With private keys, which date back at
least 4000 years, all parties to a document share the same key to lock and
unlock files. The difficulty here is protecting the exchange of keys.
A new method called public key encryption was first published in 1976 and
now is used in many commercial encryption applications. This uses a pair
of mathematically related keys. You give everyone your public key, which
others can use to encrypt files to send to you. Only you can decipher
these files, using your secret key. You can also use your secret key to
"sign" files, which others can verify with your public key to determine
whether the document is really from you. The difficulty here is validating
that the public key alleged to be yours is indeed yours, and not that of
some counterfeiter intending to intercept your mail!
PGP combines two methods
PGP was written in 1991 using both private key and public key encryption.
When you encrypt a file, it uses a relatively new algorithm called IDEA
using a randomly generated private key. IDEA is much faster than public
key encryption, and appears to be very strong. This "session key" is
attached to the encrypted message and encrypted with the RSA public key
method, using the published key of whoever you want to send the secret
message to. When they receive it, they decrypt the session key with their
own PGP secret key, and use the session key to decrypt the message.
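The two-layer scheme just described, as an added sketch that is not PGP's own code. It assumes stand-ins throughout: a SHA-256 keystream takes the place of IDEA, and textbook RSA over two small known primes (no padding, trivially breakable) takes the place of the recipient's real key pair; all names are made up for the illustration.

```python
import hashlib
import secrets

# Constructed toy recipient key: textbook RSA over two Mersenne primes.
# Illustration only; real keys are far larger and use padding.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key (given to everyone)
D = pow(E, -1, (P - 1) * (Q - 1))        # secret key (kept by the recipient)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for IDEA: XOR the data with a SHA-256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_for(recipient_n: int, recipient_e: int, message: bytes):
    """Sender: random session key, fast cipher for the body, RSA for the key."""
    session_key = secrets.token_bytes(16)            # 128 bits, the size of an IDEA key
    body = keystream_xor(session_key, message)
    wrapped = pow(int.from_bytes(session_key, "big"), recipient_e, recipient_n)
    return wrapped, body                             # the two parts travel together

def decrypt_with(secret_d: int, n: int, wrapped: int, body: bytes) -> bytes:
    """Recipient: recover the session key with the secret key, then the message."""
    session_key = pow(wrapped, secret_d, n).to_bytes(16, "big")
    return keystream_xor(session_key, body)

if __name__ == "__main__":
    wrapped, body = encrypt_for(N, E, b"Meet me on the CES board.")  # constructed message
    print(body.hex())
    print(decrypt_with(D, N, wrapped, body))
```

Only the 16-byte session key goes through the slow public key step; the message itself, however long, is handled by the fast cipher.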
PGP provides for a distributed key certification where keys can be
"signed" by others. If you find a signature you trust on someone's key,
you can be more confident it's genuine. All of this is handled nearly
automatically by PGP.
One of the important characteristics of good encryption is the length of
the key. Digital Encryption Standard (DES) is a popular private key
encryption method which has been in use for nearly two decades. It uses a
56-bit key. It was cracked last year using a clever ganging of a bunch of
computers over the internet. This means that NSA and possibly some big
companies can crack your DES codes, too. Many DES implementations include
a "triple DES" feature which is probably pretty safe for a few more years,
but it is painfully slow. On the other hand, PGP's IDEA algorithm uses a
128-bit key, which would take a very long time to crack using all the
present day computers in the world... unless someone finds a loophole!
The greatest vulnerability, though, is choosing a poor pass phrase or not
protecting it properly. If you're interested, the PGP documentation or
several good books will help, but even years of study and great
intelligence probably won't make you very good at it. This is very
specialized stuff, folks.
PGP is much easier to use than to describe
Unzip it to a directory and run it from an OS/2 command prompt. A few
environment variables should be set in the CONFIG.SYS file to fine tune
the program. The installation instructions are for DOS, but work quite
well for OS/2 - just edit CONFIG.SYS where the instructions say
AUTOEXEC.BAT. The only OS/2 guidance is a six-line statement that a flaw
in the compiler tools (EMX) for OS/2 makes it unable to handle daylight
savings time. I haven't figured out why that would be important yet.
One of the first things you should do is to generate your key. PGP gives
you all the necessary prompts, including creating your pass phrase which
protects your secret key. Choose carefully because this is how you
protect the whole setup. It should be long, but something you can remember
exactly without writing it down. Once you have created a public key, you
can send it to your friends and wait for them to send you encrypted files!
The Gibbon shell helps a lot
The tedium of a command line application is softened considerably by the
elegant shell from Gibbon Computer Products. It installs easily as a menu
bar item in the EPM Enhanced Editor. All those command line options are
reduced to a pull down menu that handles your encryption, decryption and
key management effortlessly. You have to do several steps to install,
including writing a REXX program (2 lines), but the instructions are clear
and accurate. It has a couple of security flaws, like leaving your
unencrypted file out on your disk, unprotected. The instructions describe easy
solutions in case your disk is vulnerable to snoopers.
I found another shell, PGPAMP, on the CES bulletin board. It requires
VREXX which I deleted when I installed VXREXX. AMP wouldn't start, and I
didn't take time to troubleshoot it, assuming it really wants VREXX. If
anyone gets it running, or finds other shells they like, please post your
findings on the CES board!
So how do you get these products? For personal use, the source is MIT but
some other places also distribute it. It is cool to point the WebExplorer
to http://web.mit.edu/network/pgp-form.html, click some boxes on a form
promising to behave, and it downloads. This gives you the program, the
documents and the source code. But, no OS/2.
I got the OS/2 version of PGP with the Gibbon shell by ftp from:
ftp.gibbon.com
in file: /pub/pgp/pgp262o2.zip
There is a little bit of a dance there, where they check that you have a
US address and then give you a path to a hidden directory with a
garbage-looking name, which is good for an hour. They claim to have a web
server at www.gibbon.com but I haven't gotten in yet. Also, they have a
slow modem and only permit five connections, so plan to be patient.
Oh, yeah, the politics
First of all, it's legal. You may have heard of the government's interest
in constraining powerful encryption. The Clipper technology was intended
to replace DES and permit government representatives to keep your keys so
they can read your mail. Clipper seems to have been put aside due to vocal
resistance by a lot of people. The author of PGP, Phil Zimmermann, is
currently the subject of a federal grand jury concerning the export of
early versions of this product. Strong encryption is considered
"munitions" by federal law, and PGP is considered strong enough to fall
under the protection of this law. If you export it, you can be liable for
a million dollar fine and ten years in prison, with probably only Windows
computers available.
At all legitimate download sites, you'll be asked to promise that you're a
citizen and will not let your copy be exported. If you have friends
overseas, they can find a compatible version, 2.6.2ui, available in those
countries which don't have their own concerns about their citizens'
private affairs. You can use your copy freely within our borders, and can
quite legally exchange encrypted files with your friends at home and
abroad.
Finally, there is the matter of intellectual property rights. Mr Zimmermann
has arranged for the source code for PGP to reside in the public domain
for non-commercial purposes. A commercial version, Viacrypt, is available
for most platforms. However, the public key encryption, RSA, is patented
by a small California company called Public Key Partners. They have
permitted free non-commercial license for version 2.6 in the US. If you
have an earlier version, you should get rid of it - it's illegal and it
won't work with 2.6.2 anyway. Also, the 2.6.2ui overseas version violates
the RSA patent in the US, so you shouldn't use that here either.
Confused?
Get a copy of PGP and try it out. You'll get good documentation which
clarifies a lot of this, and you'll get the hang of it quickly just by
trying it out. Questions? Post them to me on the CES board, and I'll try
to help you out.
The Southern California OS/2 User Group
P.O. Box 26904
Santa Ana, CA 92799-6904, USA
Copyright 1995 the Southern California OS/2 User Group. ALL RIGHTS
RESERVED.
SCOUG is a trademark of the Southern California OS/2 User Group.
OS/2, Workplace Shell, and IBM are registered trademarks of International
Business Machines Corporation.
All other trademarks remain the property of their respective owners.