electronic commerce : using pgp electronic commerce prof. sheizaf rafaeli cryptography: using pgp i....

Electronic Commerce : Using PGP

Electronic CommerceProf. Sheizaf Rafaeli

Cryptography: Using PGP

I. Generating and managing keys

• Listing, extracting and sending keys

• Adding, and removing keys

• Key signing and the web of trust

II. Encrypting files

• Encrypting with signature

III. Decrypting files

IV. PGP options





Note: To use PGP while using “pine” you may begin at the <pine> menu and then type:

"!"

This will put you at in the UNIX shell



Generating a Key

1. To create your PGP directory, at the UNIX prompt type:

mkdir .pgp

2. To start up the PGP software, at the UNIX prompt, type:

pgp -kg [Key generation]

3. Choose a key size. For faster operation, choose

"1" (512 bits)

For more secure operation, choose

“3" (1024 bits)



4. Enter a user ID that your key will be known by - use

Firstname Lastname <[email protected]>

(You should use your name and username)

5. Your private key will be encrypted so that if it is lost, someone else cannot use it

You must type in a passphrase that will be used to encrypt your password

The passphrase can be as long as you want, and can include punctuation

6. The computer will generate some random number to use to create the keys

Wait until the system responds that the keys have been generated



You see:

ezmail% mkdir pgp

Type 'exit' to return to Pine.

ezmail% pgp -kg

Pretty Good Privacy(tm) 2.6.2 - Public-key encryption for the masses (c) 1990-1994 Philip Zimmermann,

Phil's Pretty Good Software. 11 Oct 94 Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc Distributed by the Massachusetts Institute of Technology. Export of this software may be restricted by the U.S. government.

Current time: 1998/02/03 21:59 GMT

I won’t repeat this again



And:

Pick your RSA key size:

1) 512 bits- Low commercial grade, fast but less secure

2) 768 bits- High commercial grade, medium speed, good security

3) 1024 bits- "Military" grade, slow, highest security

Choose 1, 2, or 3, or enter desired number of bits: 1



You see:

Choose 1, 2, or 3, or enter desired number of bits: 1

Generating an RSA key with a 512-bit modulus.

You need a user ID for your public key. The desired form for this user ID is your name, followed by your E-mail address enclosed in <angle brackets>, if you have an E-mail address.

For example: John Q. Smith <[email protected]>

Enter a user ID for your public key: Sheizaf Rafaeli <[email protected]>



You see:

You need a pass phrase to protect your RSA secret key.

Your pass phrase can be any sentence or phrase and may have many words, spaces, punctuation, or any other printable characters.

Enter pass phrase: XXXXXXXXXXXX

Enter same pass phrase again: XXXXXXXXXXXX

Note that key generation is a lengthy process.



Then you see:

We need to generate 240 random bits. This is done by measuring the time intervals between your keystrokes. Please enter some random text on your keyboard until you hear the beep:

0 * -Enough, thank you.

....**** ........****

Key generation completed.



Listing the keys in your keyring

To list the keys in your (public) keyring, type:

pgp -kv [Key view]

To list the keys in your public keyring with just signatures, type:

pgp -kvv [Key view verbose]

To list the keys in your public keyring with signatures and levels of trust displayed, type:

pgp -kc [Key check]



You see (-kv)

ezmail% pgp -kv

Pretty Good Privacy(tm) 2.6.2 - ...the U.S. government.


Key ring: '/home/u3/sheizaf/.pgp/pubring.pgp'

Type bits/keyID Date User ID

pub 512/7E3E525D 1998/02/09 infosoc <[email protected]>

pub 512/897B0849 1998/02/08 Sheizaf Rafaeli <[email protected]>

2 matching keys found.



You see (-kvv):

ezmail% pgp -kvv

Pretty Good Privacy(tm) 2.6.2 ...U.S. government.


Key ring: '/home/u3/sheizaf/.pgp/pubring.pgp'

Type bits/keyID Date User ID

pub 512/7E3E525D 1998/02/09 infosoc <[email protected]>

sig 897B0849 Sheizaf Rafaeli <[email protected]>

pub 512/897B0849 1998/02/08 Sheizaf Rafaeli <[email protected]>

This key is signed by me



Extracting a key from your keyring

This takes a key from your keyring and puts it in a file, which you can send to someone via e-mail

1. To extract a key from your keyring, type:

pgp -kxa email@address -or- userID filename (optional) [Key extract armored]

where email@address or userID is the e-mail address or userID of the key that you want to extract from your keyring (usually your own!)

2. The computer will prompt you for a file name you use to save your public key



You’ll see:

ezmail% pgp -kxa Sheizaf sheizafkey

Pretty Good Privacy(tm) 2.6.2... the U.S. government.


Extracting from key ring: '/home/u3/sheizaf/.pgp/pubring.pgp', userid ”Sheizaf".

Key for user ID: Sheizaf Rafaeli <[email protected]>

512-bit key, Key ID 897B0849, created 1998/02/08

Transport armor file: sheizafkey.asc

Key extracted to file ’sheizafkey.asc'.



You’ll see:-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: 2.6.2

mQBNAzTeFVMAAAECAOd0Go+wiJTLZPvfMIgm/dT7KJVzA+o4Neph7Sce58KRS8SDY3+MJ9BXs65NgFo2+gpvd4ruQd72bmkyp4l7CEkABRG0J0hvd2FyZCBSb3NlbmJhdW0gPGhyb3NlbmJhQGluZGlhbmEuZWR1PokAVQMFEDTgZLZuaTKniXsISQEBnUQCANF+5c6iRahTuoa5sh8UGKG+RDethVz9C1+2nfsUMvFPLNcq7pZmH43dsSJXWtaWws9yRzi7G94pdp7MlIwEKDi0Bmhvd2FyZA===bHK8-----END PGP PUBLIC KEY BLOCK-----.



Using PINE, you can now send the key (in the form of the file <filename> to someone else

You format a message and use the <^j> to attach the file

~or~

You can open the .asc file with pico and then copy and paste the public key into an email message as text

~or~

Use Windows cut and paste commands



You can use the -f (filter) option to send your public key directly to another person

The filter option allows PGP to print the public key directly into the mail program (in our case, <pine>)

To use it, type:

pgp -kxaf your_userID | mail -s “descriptive text” [email protected]

Your public key is printed into an email message and sent to the specified address without you having to exit the UNIX shell



Adding a Key to Your Keyring

For you to be able to encrypt a document to someone else (or verify a digital signature) you must add their public key to your keyring

For you to do this, they must first extract their public key, and send it to you

You must then save it into a file and follow the instructions to add it to your keyring



1. Type:

pgp -ka filename [Key add]

where filename is the file that contains the public key that you want to add to your keyring

2. If the key is not certified, you have to decide if you want to want to certify (e.g. trust) it

You need your private key passphrase to do this

3. The selection you make from the menu determines how much trust you have in the person

This is important because it maintains and extends the “web of trust” that makes PGP work

You have just added the key in <filename> to your keyring!



Removing a key from your keyring

At the UNIX prompt, you type:

pgp -kr userID [Key remove]

where the userID is the name attached to the key

Then, when prompted, type <y> to remove the key

If you don’t recall the names of the keys in your keyring, you can see them if you type:

pgp -kv [Key view]



Key signing and the web of trust

Levels of trust

1 = I don’t know: This means that you will be prompted to certify each new public key added which has this person’s signature

2 = No: PGP will ignore certification by this person on new public keys you add

3 = Usually: A key with signatures from two “3” people is accepted

4 = Always: the key is accepted without question



To sign a key, you type

pgp -ks userID [Key sign]

Experts recommend that you sign your own public key because anyone can create keys with your userID, but only you can sign yours

To do this, type:

pgp -ks your_userID -u your_userID

A self-signed key means that others know it belongs to you



When you add a public key, you certify its validity by signing or “certifying” it

This links the userID to the public key

When you extract it and send it along, your signature goes with it

People who receive the key look at your signature and use it to trust that the key belongs to who it is supposed to

You can also manually sign keys



It is possible to change the level of trust you have assigned to a public key

To do this, type:

pgp -ke userID [Key edit]

You reduce trust if you find out that someone signs and distributes keys without really checking

You might raise levels of trust if you find out that a person really understands how the web of trust works and is careful about certifying keys



Another component of the web of trust is the “fingerprint” of a key

When a key is generated, it receives a unique identifier composed of 16 “hexadecimal” numbers

People will often provide the “fingerprint” for their public keys in their signature files so that others can make note of it

This fingerprint allows you to verify that the key belongs to the person who claims to have created it



This is an example of a public key fingerprint (it’s mine):

Key fingerprint = DD DB 14 3D 5E 95 FD A0 7B E3 9A AA 91 F0 05 F4

To see the fingerprint of the keys in your public keyring, type:

pgp -kvc [Key view check]

The “fingerprint” will be listed after each key in your public keyring











IV. PGP options



Encrypting a file to someone else

To encrypt and sign a file named <filename> to someone whose email address is <email@address>, you type:

pgp -eas filename theirID@their_address -u yourID

The extension “e” encryptq with a specified public key

The extension “a” applies ASCII armor to the file (making a binary file readable as text)

The extension “s” uses a secret key to sign the file

The extension “u” tells PGP which secret key to use

This file appears in encrypted form



You will have to enter your passphrase in order to digitally sign (e.g. encrypt with your private key) the file

The encrypted file is saved as filename.asc (where filename is the name of the original file)

To view this file, you can type:

pico filename.asc

~or~

more filename.asc (this command will not allow you to make changes to the file)

You can now use <pine> to mail this document to the intended recipient as an attachment



And, using pico, we see:

-----BEGIN PGP MESSAGE-----Version: 2.6.2

hEwDbmkyp4l7CEkBAf4izmZs4LTfWgiyr3t4//efsP8kCrQ7Tx7Cc/djoK4ZytF/nEIT5CUCx3AQCKUZA+gKcUR5Fp4f8zJfz1aHnyM6pgAAASwp/X0fbk4upFpr5r30ps+BAgwgCffkuApcoKHnt+R+lFyDYlarQpkXpS/Tw8Zc5rZBA/deuGnekdlIS4o4huw2BigCWCmiQOZeLLZmmcJIjaNkEV+dEWAJufysZOZXMVq2I4Fd4QvThQFObc3iPC7KzMbkAEsj7WXb+t8/o3ltQBVSEgDBP+m/GbQe8+s2CJutC3w+EQ5GBNCCcgBUZ7X/eEdqtN50U+KD/uZNNXSEOQ1BpmzPihV7O9qMTZGCfDt3lh9jMEctfZd5IzpNOs/Y6y+m357olx1yx7lfq+77rNK3qtBonTBjNCeFk1xhRA09KVwHp0V+gGGpsyPAtpNu1qUeQ247x0W7Z/FQn3Nwb2LJVmQb7sNsBI2izCRi+LAtfbCc2c4aPr/tzjU==VIXw-----END PGP MESSAGE-----



Other ways to use PGP in the UNIX shell:

To send mail directly from the UNIX shell, use:

ezmail% mail their_email@address < file.asc

To encrypt and send a message from the UNIX shell, use:

ezmail% pgp -eatf their_userID < file> | mail their_email@address



6. To compose, encrypt, and send the message from the UNIX shell, use:

ezmail% pgp -eatf their_userID | mail their_email@address

Note: you must have the public key belonging to the person at <email@address> in order to encrypt a document to that person

You’ll see a blank line - that’s where you begin typing

When you’re done, press:

^D



Using [ezmail% pgp -eatf their_userID | mail their_email @address], you see:

ezmail% pgp -eatf infosoc | mail [email protected]

Pretty Good Privacy(tm) 2.6.2 - ...the U.S. government.


Here's another way to send encrypted messages directly from the UNIX shell. The use of the <-eatf> option combined with the <|> pipe option makes this possible.

^D

Key for user ID: infosoc <[email protected]>

512-bit key, Key ID 7E3E525D, created 1998/02/09 Text that I typed

How to stop



To sign a plaintext file with your secret key, type:

pgp -sta filename -u your_userID

The extension “s” is the command to sign with a secret key

The extension “t” saves the file in a text format

The extension “a” applies ASCII armor to the file (making a binary file readable as text)

The extension “u” tells PGP which secret key to use

Although the text can be read, the digital signature is encrypted

PGP must be used to verify the signature



And, with pico, you see:

-----BEGIN PGP SIGNED MESSAGE-----

This is a test message. It will be encrypted with your public key and you will need your private key to decrypt and read it. This is a demonstration of the way in which PGP protects the integrity and authenticity of your files.

-----BEGIN PGP SIGNATURE-----Version: 2.6.2

iQBVAwUBNsHjoqiNX5P7lAgZAQGG3QIAh8ZlL4aK/VsdqENFHzTbnYWCWE6bC4E4u+SwL99Q3AT8wlTlteabXkpNTz4sgIiwpu5XlxW+gj4eJEDaYZ7oDA===vYVw-----END PGP SIGNATURE-----











IV. PGP options



Decrypting a File

When you receive the file, you save it to the UNIX shell, where you will then decode it

1.To decrypt an encrypted file called “filename” (e.g. encrypted with your public key), you type:

pgp filename.asc

Or whatever the file extension is

2. You will have to type in the password to your secret key

3. If you are able to decrypt the file properly, PGP will tell you the filename of the decrypted file

4. You can then view this file with the UNIX <more> command or edit it with the <pico> word processor



You type “v” to move to the viewer and you see:1 0 lines Text/PLAIN

2 ~489 bytes Text/PLAIN, "decrypt this!"

Then you type “s” to save the message to a file in your <home> directory

1 0 lines Text/PLAIN 2 ~489 bytes Text/PLAIN, "decrypt this!"

Copy attachment to file in home directory: test.asc



Then, to decrypt and read the message, you go back to the main menu and UNIX shell typing “!” from the main Pine menu

You see:


ezmail% ls

Mail somefile.txt test.asc

Text another.txt prop.txt


ezmail%

The one we want!



Decrypting and checking signatures

After saving the message to your <home> directory, type:

pgp filename.asc -o filename [Output]

The second <filename> is optional and will name the file after it is decrypted

Note that the verification of the signature is done automatically during encryption, and depends on you having the senders public key in your pubring.pgp keyring



Decrypting a message and leaving the signature in it

You type:

pgp -d filename [Decrypt with signature]

You are left with a plaintext message that has the encrypted signature at the bottom

This can be useful if you want to send the message to a third party and allow them to also verify the signature











IV. PGP options



IV. PGP options

-e = Encrypt with a public key

-a = ASCII armor

-s = Sign with your secret key

-t = Converts PGP files into text files

-f = Filter will write the file to standard file output

-o = Output will specify the name for a decrypted file

-w = Wipes or erases the original plaintext file



Here's a quick summary of PGP v2.6 commands.

To encrypt a plaintext file with the recipient's public key:

pgp -e textfile her_userid

To sign a plaintext file with your secret key and encrypt it in ACSCII form with her public key:

pgp -eas textfile her_userid [-u your_userid]

To sign a plaintext file with your secret key and have the output readable to people without running PGP first:

pgp -sta textfile [-u your_userid]



To sign a plaintext file with your secret key, and then encrypt it with the recipient's public key:

pgp -es textfile her_userid [-u your_userid]

To decrypt an encrypted file, or to check the signature integrity of a signed file:

pgp ciphertextfile [-o plaintextfile]

To decrypt a message leaving the signature intact:

pgp -d ciphertextfile

To create a signature certificate that is detached from the document:

pgp -sb textfile [-u your_userid]



To detach a signature certificate from a signed message:

pgp -b ciphertextfile

To view the decrypted plaintext output on your screen (like the Unix-style "more" command), without writing it to a file, use the -m (more) option while decrypting:

pgp -m ciphertextfile

To specify that the recipient's decrypted plaintext will be shown ONLY on her screen and cannot be saved to disk, add the -m option:

pgp -steam message.txt her_userid

To recover the original plaintext filename while decrypting, add the -p option:

pgp -p ciphertextfile



Key management:

To generate your own unique public/secret key pair:

pgp -kg

To add a public or secret key file's contents to your public or secret key ring:

pgp -ka keyfile [keyring]

To extract (copy) a key from your public or secret key ring:

pgp -kx userid keyfile [keyring]

~or~

pgp -kxa userid keyfile [keyring]



To view the contents of your public key ring:

pgp -kv[v] [userid] [keyring]

To view the "fingerprint" of a public key, to help verify it over the telephone with its owner:

pgp -kvc [userid] [keyring]

To view the contents and check the certifying signatures of your public key ring:

pgp -kc [userid] [keyring]

To edit the userid or pass phrase for your secret key:

pgp -ke userid [keyring]



To edit the trust parameters for a public key:

pgp -ke userid[keyring]

To remove a key or just a userid from your public key ring:

pgp -kr userid [keyring]

To sign and certify someone else's public key on your public key ring:

pgp -ks her_userid [-u your_userid] [keyring]

electronic commerce : using pgp electronic commerce prof. sheizaf rafaeli cryptography: using pgp i....

Documents