Pretty Good Privacy (PGP)


What To Do

  1. Log into tanner and verify that your account is configured to use the PGP version located in /opt/local/bin (see instructions above).

  2. To see a quick command usage summary for PGP, just type in the command
        pgp -h
  3. Let's get ready to generate your own pair of private and public keys. PGP will try to place these keys in a directory called .pgp off your home directory, so we must create this directory first:
        mkdir ~/.pgp
    Note that, if the directory .pgp does not exist in your home directory, PGP will abort execution. Check that the directory has been successfully created by typing in
        ls -a
    The option -a stands for "all", so that all files (including the hidden files) get listed. Your directory .pgp should appear in the list.

  4. Generating your own key pair. To generate your own pair of public and secret keys, use
        pgp -kg
    PGP will display a menu of recommended key sizes (low commercial grade, high commercial grade, or "military" grade) and prompt you for what size key you want, up to over a thousand bits. The bigger the key, the more security you get, but you pay a price in speed.

    It also asks for a user ID, which means your name. It is a good idea to use your full name as your user ID, because then there is less risk of other people using the wrong public key to encrypt messages to you. It would also help if you put your email address in after your name, as in

        Mirela Damian <>
    PGP also asks for a "pass phrase" to protect your secret key in case it falls into the wrong hands. Nobody can use your secret key file without this pass phrase. The pass phrase is like a password, except that it can be a whole phrase or sentence with many words, spaces, punctuation, or anything else you want in it. Don't lose this pass phrase! You will need it later every time you use your secret key. The pass phrase is case-sensitive, and should not be too short or easy to guess. It is never displayed on the screen. Don't leave it written down anywhere where someone else can see it, and don't store it on your computer. If you don't want a pass phrase (BAD idea), just hit Enter at the pass phrase prompt.

    The public/secret key pair is derived from large truly random numbers derived mainly from measuring the intervals between your keystrokes with a fast timer. PGP will ask you to enter some random text to help it accumulate some random bits for the keys. When asked, you should provide some keystrokes that are reasonably random in their timing, and it wouldn't hurt to make the actual characters that you type irregular in content as well.

    It may take a few seconds for your keys to be generated. The generated key pair will be placed on your public (pubring.pgp) and secret (secring.pgp) rings that have been created in your .pgp directory. Check the contents of your .pgp directory:

        ls ~/.pgp 
    You should see the two key rings and the random seed used in generating the keys. To view the contents of a ring (pubring.pgp, for instance) type in
        pgp -kv yourid ~/.pgp/pubring 
    Here yourid is the user identifier (or part of the user identifier) you used when creating your keys. Make sure you remember both this identifier and the pass phrase associated with your keys. Alternately, you could simply try
        pgp -kv
    This command displays all public keys available to you.

  5. Adding a key to your ring. Download the instructor's PGP public key (or copy damian.asc from /mnt/a/mdamian/html/PGP) to your current working directory and add it to your public key ring:
        pgp -ka damian.asc
    PGP will complain the key has not been certified (digitally signed by a Certification Authority), and it will give you a chance to certify it yourself. You will need your pass phrase for this. Go ahead and answer yes to all the questions that follow.

  6. Removing a key from your ring. This is just an informative step; you don't need to execute it, unless you want to repeat the previous step. To remove a key from the public ring key:
        pgp -kr userid
    Here userid is the user ID associated with the key you wish to remove (you can find it out by displaying the key info with pgp -kv).

  7. Download this signed question (or copy question.asc from /mnt/a/mdamian/html/PGP) and verify the integrity of the instructor's signature using
        pgp question.asc -o question
    Recall that the signature is a digest (hash) of the message, encrypted with the sender's private key. PGP verifies it by decrypting it with the sender's public key, and recomputing the message digest. If the two match, the signature must be valid.

  8. Signing your message. Write your answer to the question in a text file (call it answer) and sign it using your private key:
        pgp -sta answer -u yourid
    Note the use of the following options: -s to sign the file; -t to have the output include the original text in readable (unencrypted) format; and -a to create an output answer file.

    This command creates a signed message answer.asc comprised of the original text and your digital signature, ready to send through an email system. Your secret key to create the signature is automatically looked up in your secret key ring via yourid. You will be asked for your pass phrase to unlock your private key - this is the same as the passcode you used to generate your keys.

    This step is used to AUTHENTICATE you as the writer of the message, and to guarantee INTEGRITY of your message (it does not provide PRIVACY). To verify the authenticity of your message, the recepient will need a copy of your public key, so let's append one to your message.

  9. Appending your public key to the message. Extract your public key from your public ring (again, in ASCII format) using
        pgp -kxa yourid keyname ~/.pgp/pubring

    This command copies the key specified by yourid from your public ring to the specified keyname (pick any name you wish) file. This is particularly useful if you want to give a copy of your public key to someone else (as we do here).

    Your public key will be extracted in the file keyname.asc. Append (copy and paste) this key at the end of your signed report (answer.asc).

  10. Encrypting your message. At this point, your report should include your answer to the instructor's question in plaintext format, your digital signature, and your public key. To guarantee PRIVACY of your message, you need to encrypt it using the recipient's public key (in this particular case, your instructor's public key). If you check your public ring file (using pgp -kv), you will see that the userid for the instructor's public key is mdamian, so you may encrypt your file using the command
        pgp -ea answer.asc mdamian

    The result is answer.asc (encrypted signed answer, overwrites the signed answer). Check out the contents of this file:

        less answer.asc
    You should see something similar to
    -----BEGIN PGP MESSAGE-----
    Version: 2.6.2
    -----END PGP MESSAGE-----
    Notice that the message is unreadable; only the instructor will be able to decrypt your message using her secret key.

    To verify the correctness of your work, the instructor will decrypt your message with her secret key, extract your public key from the message, and check your signature using your public key.

  11. Ready to send! But you don't need to, since this lab won't be graded :-)