
Pgp for beginners

Discussion in 'Black Hat SEO Tools' started by BLVAL, Jul 16, 2012.

  1. BLVAL

    BLVAL Newbie

    Mar 13, 2012
    integrating PGP

    I believe that a source of difficulty and frustration for PGP absolute beginners is that there is so much documentation available from so many sources (with most of it being long, detailed and complex) that many of them give up .... and this is a defeat for us all. A scythe needs to be taken to all of this information on their behalf.
    I've recently progressed from being a PGP absolute beginner to just a beginner and I think that absolute beginners need simple, concise information that they HAVE to know INITIALLY without being given lots of reasons or explanations. As someone else said, 'absolute beginners need an ABC'. It's when absolute beginners have gained more experience that they can find out why things are done in a certain way and how to do more complex things IF THEY WANT TO. It's then that they can read Phil Zimmermann's (the author of PGP) documentation and it's then that they can look, with understanding, at many of the other excellent sources of advice that are available. So, until you've passed the absolute beginner stage, just do what I tell you!
    I refer to a number of other web sites in this document. Thanks to them for making PGP adoption easier. Now, let's get started.

    To download PGP, go to pgpi which is the home page for International PGP users. Click on the 'Download Wizard' in the 'Download the Latest Version' section. For legal reasons, if you are from Canada or the USA, you must download the US version. Otherwise, you must download the International version. Select your operating system and licensing (freeware if PGP is for personal use) and then click 'Show Latest Version'. Please note that, contrary to popular belief, the International version is NEVER weaker than the US version and it sometimes has advantages. (There is a FAQ on this site that gives the differences between the International and official US versions.) And now download PGP (which will take 15-100 minutes with a 28.8k modem depending on the PGP version selected).
    Go to skuz and print out this site. BUT, don't do anything other than print it out. The Pig_Vomit printout gives information on how to set up PGP and the basics of using it. Go through it but bear the following in mind. In 'Configuring and Creating a Key Pair', you are referred to other web sites about pass phrases. At this time, just read my section 4 below instead but, when you have more experience, go and read the pass phrase sites recommended by Pig_Vomit. And when you actually create your keys, on a modern Pentium PC it will probably take about 10 minutes to generate a 4096 bit DH/DSS key pair and less than a minute to generate a 2048 bit RSA key. So, go through the Pig_Vomit instructions now.
    Although terrific, I think that there are 4 things that the above sites do not explain in clear, simple, succinct terms and they are covered in sections 3 - 6 following.

    PGP is basically used for 4 things.
    • a) Encrypting a message or file so that only the recipient can decrypt and read it. The sender, by digitally signing with PGP, can also guarantee to the recipient that the message or file must have come from the sender and not an impostor. (So you can send a coded, signed e-mail to your lover and ONLY your lover will be able to decode it, and your lover will KNOW that the e-mail came from you.)
    • b) Clear signing a plain text message guarantees that it can only have come from the sender and not an impostor. In a plain text message, the text is readable by anyone (i.e. is 'plain') but a PGP digital signature is attached. So, Alice posts some comments about black holes to one of the sci.astro news groups. She mustn't encrypt the comments because she WANTS people to read them. But Alice wants anyone with PGP to know that it was her who posted the comments - so Alice digitally signs the posting with PGP. NB: Alice and all other PGP users can subsequently prove that she posted the comments. Be careful about what you put in signed postings as it is difficult to deny, later, that the contents of a message were sent by you!
    • c) Encrypting computer files so that they can't be decrypted by anyone other than the person who encrypted them. (So, you CAN stop your family reading your poetry.)
    • d) Really deleting files (i.e. overwriting the content so that it can't be recovered and read by anyone else) rather than just removing the file name from a directory/folder. (So, you can obliterate offensive stuff from your PC.)

    As I said above, the Pig_Vomit site refers you to other web sites about pass phrases. At this time, just read this section. (NB: Public and secret keys are explained in 'How It Works' in your Pig_Vomit printout.)
    A pass phrase will protect your secret key in case it gets stolen or someone gets access to your computer. In either case, if you have a pass phrase, nobody apart from you can decrypt messages or files meant for you (i.e. created using your public key) and nobody else can sign messages pretending to be you because PGP users can spot this.
    If you don't use a pass phrase, you're not taking security seriously. You're an absolute beginner, so do what you're told: use a pass phrase!
    Make up your pass phrase by choosing 6 random words from a dictionary with at least 25,000 words in it. Your pass phrase could then be safe for millions of years! Put blanks between the words if you want to or just run all the words together. If any of the 6 words start with a capital letter, replace it with the lower case letter: it's easier to remember and type if you do. If you want to, you can change your pass phrase every 6 months or year (e.g. on your birthday). Whatever you do, make sure you can remember your pass phrase - see your Pig_Vomit printout for the reasons.

    Read section 3b again. Your PGP signature is different for EVERY message you sign because PGP does a calculation on the message using your secret key (which is unique to you). As every message is different, the signature is different too so you can't cut and paste signatures from one message to another.
    Note that the signature proves that the message came from the sender but it does not prove that the sender created the text in the message. E.g. if I clear sign the text of Hamlet, you still won't believe that I 'wrote' it.
    If the signature on a clear signed message checks out then that's fine. But if a clear signed signature DOESN'T check out, it MAY still have come from the person it appears to have come from. The reason is that the clear signed message is copied to an e-mailer and, if the message is reformatted in or by the e-mailer (e.g. word wrapping happens such that a word is moved from the end of one line to the beginning of another line), the signature WON'T check out because the message has changed between being PGP signed and being transmitted/received. However, it is SAFEST to treat the message with the failed signature as being from an impostor.

    Using Windows based PGP can be a security risk. This is because your pass phrase, your key and your message plain text might be left in the Windows swap file thus compromising security if someone else has or gains access to your computer. If you can't cope with yet another thing to grasp at this time, skip the next paragraph!
    A simple solution for Windows 95/98/NT users is to download BCWipe from jetico. This can be used to securely overwrite the contents of the swap file a number of times (e.g. 7 times). Windows 3.1 users can download ZAPSWAP (part of the WIPEUTIL set of routines) from sky to securely overwrite the swap file. Or, of course, you can use DOS versions of PGP: PGP2.6.3i or PGP5.0i for International users; PGP2.6.2 or PGP5.0 for Canadian/USA users. All of the products mentioned here are free for personal use.

    • a) Ignore people who confuse the word 'beginner' with the word 'stupid': you ARE an absolute beginner; you are NOT stupid.
    • b) Keep reading the following news groups:
      • alt.security.pgp
      • comp.security.pgp.announce
      • comp.security.pgp.discuss
      • comp.security.pgp.resources
      • comp.security.pgp.tech
      • sci.crypt
    • c) Practise using PGP. There are some people (i.e. not everyone) in the above groups who won't mind helping you get to know PGP. Failing that, learn PGP by using it with a friend. Another way is for you to set up on your computer another PGP user called Fred. So, generate a public/secret key pair for Fred - he need only have a small key (512 bits) and a simple pass phrase (e.g. 'fred'). You can then send messages backwards and forwards between you and Fred, which gets you used to things. E.g. you can send encrypted messages and clear signed messages and check things are working.
    • d) In your own time, take a look at the following information sources. They are more detailed and more complex but also more enjoyable when you've grasped the basics.
      • Phil Zimmermann's documentation that comes with PGP
      • pgp (excellent detail)
      • many, many other sources: eg try using search engines on PGP
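The signature failure described in section 5 (a mailer re-wrapping a clear-signed message so the signature no longer checks out), shown as an added example that is not part of the original post. It uses a simplified OpenPGP-style canonicalization of the cleartext with a SHA-256 digest standing in for the real signature; the sample posting attributed to Alice is constructed.

```python
import hashlib
import textwrap

# Constructed sample posting, as Alice might clear sign it (not from the post).
ORIGINAL = (
    "Comments on black holes\n"
    "\n"
    "I think the event horizon radius scales linearly with mass,\n"
    "so a black hole of twice the mass has twice the radius.\n"
    "- Alice\n"
)


def canonicalize(text: str) -> bytes:
    """Canonical form that a cleartext signature covers (OpenPGP style):
    trailing spaces/tabs are stripped from every line and lines are joined
    with CRLF. Simplified: hash headers and armor are not handled."""
    lines = text.split("\n")
    return "\r\n".join(line.rstrip(" \t\r") for line in lines).encode("utf-8")


def dash_escape(text: str) -> str:
    """Inside the signed block, lines starting with '-' get a '- ' prefix so
    they cannot be mistaken for the '-----BEGIN/END' armor markers."""
    return "\n".join(("- " + l) if l.startswith("-") else l for l in text.split("\n"))


def message_digest(text: str) -> str:
    """Stand-in for what the signer really signs: a hash of the canonical text.
    A real PGP signature also binds the key id, signing time and so on."""
    return hashlib.sha256(canonicalize(text)).hexdigest()


def signature_checks_out(received_text: str, digest_when_signed: str) -> bool:
    """Verification succeeds only if the received text canonicalizes to the
    same bytes the signer hashed."""
    return message_digest(received_text) == digest_when_signed


def mailer_rewrap(text: str, width: int) -> str:
    """Mimic an e-mailer that re-flows each paragraph at `width` columns,
    moving words between lines: this is what breaks the signature."""
    paragraphs = text.split("\n\n")
    return "\n\n".join(textwrap.fill(p.replace("\n", " "), width) for p in paragraphs)


def add_trailing_spaces(text: str) -> str:
    """Trailing whitespace is removed by canonicalization, so it is harmless."""
    return "\n".join(l + "  " for l in text.split("\n"))
```

Trailing spaces added in transit still verify, but a re-wrapped body does not, which is exactly why a failed clear-signed check may still be from the real sender but should be treated as untrusted.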