Setting Up Pine for PGP

by Bill Roach

zzroac@washburn.edu

Introduction

Encryption technology can provide Internet users with secure communications and validation of message authenticity. PGP (Pretty Good Privacy), developed by Philip Zimmermann, includes both of these services. The license under which the ACC is providing access to PGP restricts its use to personal, non-commercial applications. ACC policy prohibits commercial use of the ACC facilities. Users who need to use encryption and signature validation in a commercial context need to purchase an appropriately licensed product and use it somewhere other than the ACC.

The ACC has installed PGP (Pretty Good Privacy) for the use of Washburn faculty and staff; however, ACC staff will not be available to support the use of this software. PGP users at Washburn will need to help one another. The Usenet group comp.mail.pine frequently contains useful discussions of the use of PGP in conjunction with the Pine e-mail program. The official documentation for PGP is accessible online at Washburn. However, PGP users will probably find it convenient to purchase some documentation. The following books meet that need:

William Stallings, Protect Your Privacy: A Guide for PGP Users. Prentice Hall: Englewood Cliffs, NJ, 1995. ISBN 0-13-185596-4. $14.95

Philip R. Zimmermann, The Official PGP User's Guide. MIT Press: Cambridge, 1995. ISBN 0-262-74017-6. $14.95

Both books are paperbacks. They are likely to be special orders at most bookstores.

On-line documentation is available as follows:

Directory                      File

/usr/local/lib/pgp             pgp.hlp
/usr/local/lib/pgp/source.d    doc

Note: the file "doc" is quite long. Printing it does not produce a satisfactory set of documentation because 1) it is not indexed, 2) it does not include the useful graphics in the books listed above, and 3) it is not paginated for printing.

Verifying the Integrity of PGP

To use PGP with confidence, users should verify the integrity of the copy of PGP that they are going to use. Users who purchase a commercial version of PGP, such as ViaCrypt, can carry out this verification. Apparently, that is not so for the shareware version of PGP.

Before the Pine Setup

Create the directory .pgp in the user's home directory. When the ACC set up PGP for faculty and staff use, part of the setup determined the required name for the user's PGP files. Thus someone using these directions to set up Pine at another installation would need to determine the name of the appropriate user directory. The required command is

mkdir .pgp

The dot at the start of the directory name means that it is invisible. The user can list all files and directories, visible and invisible, with the command

ls -a | more

The user needs to set up some files in this directory before doing the Pine setup. The required files and their functions are listed below:

display.csh     a script file used as part of the signature validation process
encrypt         logical name for the encrypt command
pgpsign         logical name for the sign command
pubring.pgp     public key ring
randseed.bin    seed for a pseudorandom number generator
secring.pgp     secret key ring

PGP will not allow the user to set up the required files unless it is able to verify that the user has access to the on-line documentation file "doc". Move to the appropriate directory with the command:

cd /usr/local/lib/pgp/source.d

Then type

pgp -kg

to start the process of generating a key. PGP will prompt the user to pick a key grade:

1) low commercial grade (512 bits): known to be breakable, but it takes some effort,

2) high commercial (768 bits): breakable before breakfast by NSA types,

3) military grade (1024 bits): still breakable by NSA types, but it requires significant effort.

It takes longer to generate a higher grade key, but the effort is expended only once. It takes less than 15 seconds to generate a 1024-bit key on the server. Thus it seems appropriate to always select a grade 3 key. PGP will then prompt the user for his/her name and address, which should be supplied in the following format:

John Q. Public <zzpublic@washburn.edu>

PGP will ask the user for a pass phrase to determine who will be allowed to access the user's encryption key. Note that just having access to the user's account will not give access to the user's PGP private key or anything encrypted with it. Observe the following rules in picking a pass phrase:

1. Pick a phrase that is easy for the user to remember;

2. Pick a phrase that the user can type correctly most of the time;

3. Pick a phrase that is difficult for others to guess (no birth dates or family names).

A short, but not too familiar, quote, supplemented with a number or special character, should do nicely.

At one point in this process, PGP asks the user to enter some keystrokes. When the user has typed enough, PGP indicates that it has enough information. PGP uses the timing of the keystrokes to set up the random number seed in the file randseed.bin.

The PGP documentation recommends that the user sign his/her key. The command for doing so is:

pgp -ks zzpublic@acc.washburn.edu

The user will be required to produce the pass phrase to be allowed to sign the key. Users who sign their keys will have an extra file pgpsign.bak in the directory ~/.pgp.

The user needs to copy the file display.csh to the directory ~/.pgp. This file contains a script used in the process of validating signatures. Mark the file display.csh as executable:

chmod u+x ~/.pgp/display.csh

A copy of display.csh is shown at the end of this documentation.

Set up the logical (mnemonic) names to reference the encrypt and sign commands as follows:

ln -s /usr/local/bin/pgp ~/.pgp/encrypt

ln -s /usr/local/bin/pgp ~/.pgp/pgpsign
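As an added example (not part of the original document), the script below performs the steps of this section that do not involve running pgp itself and then audits the result: it creates ~/.pgp with owner-only permissions, makes the encrypt and pgpsign links, and checks that all six required files are present, that the filters are executable, and that secring.pgp cannot be read by anyone else. The home directory and the path of the pgp binary are parameters (the page's site uses /usr/local/bin/pgp); the dry run at the bottom uses a scratch directory with a stand-in pgp and empty keyring files, since the real ones come from pgp -kg.

```shell
#!/bin/sh
# Added example, not part of the original page: builds the ~/.pgp layout the
# page describes and then audits it. It never runs pgp itself; the keyring
# files come from "pgp -kg" (or, for a dry run, from touching empty files).
# Assumptions: $1 is the home directory to use and $2 the path of the pgp
# binary. Permission checks read ls(1) output so they work on any Unix.

# The files the page lists as required in ~/.pgp.
PGP_REQUIRED_FILES="display.csh encrypt pgpsign pubring.pgp randseed.bin secring.pgp"

# Create the directory and the two mnemonic links; returns non-zero on failure.
setup_pgp_dir() {
    home="$1"; pgp_bin="$2"; dir="$home/.pgp"
    mkdir -p "$dir" || return 1
    # Keyrings and the random seed are private: owner-only access.
    chmod 700 "$dir" || return 1
    # Pine shows the filter's program name in its prompt, so the links make
    # it read "encrypt" and "pgpsign" instead of "pgp" twice.
    ln -sf "$pgp_bin" "$dir/encrypt" || return 1
    ln -sf "$pgp_bin" "$dir/pgpsign" || return 1
    # display.csh is copied from the appendix separately; mark it executable if present.
    if [ -f "$dir/display.csh" ]; then chmod u+x "$dir/display.csh" || return 1; fi
    return 0
}

# Audit the layout: prints one line per problem, returns the number of problems.
check_pgp_dir() {
    dir="$1/.pgp"; problems=0
    if [ ! -d "$dir" ]; then echo "missing directory $dir"; return 1; fi
    # The directory must be drwx------ (chmod 700).
    mode=$(ls -ld "$dir" | cut -c1-10)
    if [ "$mode" != "drwx------" ]; then
        echo "$dir is $mode, expected drwx------"; problems=$((problems + 1))
    fi
    for f in $PGP_REQUIRED_FILES; do
        # -e follows symlinks, so a dangling encrypt/pgpsign link shows up here too.
        if [ ! -e "$dir/$f" ]; then echo "missing $dir/$f"; problems=$((problems + 1)); fi
    done
    # Pine executes the filters, so the links and the script must be executable.
    for f in encrypt pgpsign display.csh; do
        if [ -e "$dir/$f" ] && [ ! -x "$dir/$f" ]; then
            echo "$dir/$f is not executable"; problems=$((problems + 1))
        fi
    done
    # The secret keyring must not be readable by group or others (chmod 600).
    if [ -e "$dir/secring.pgp" ]; then
        others=$(ls -l "$dir/secring.pgp" | cut -c5-10)
        if [ "$others" != "------" ]; then
            echo "$dir/secring.pgp is group/world accessible, expected mode 600"
            problems=$((problems + 1))
        fi
    fi
    return $problems
}

# Dry run in a scratch HOME with a stand-in pgp and empty keyring files.
demo_pgp_dir() {
    scratch=$(mktemp -d) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$scratch/pgp"; chmod 755 "$scratch/pgp"
    setup_pgp_dir "$scratch" "$scratch/pgp" || return 1
    for f in display.csh pubring.pgp randseed.bin secring.pgp; do : > "$scratch/.pgp/$f"; done
    chmod u+x "$scratch/.pgp/display.csh"; chmod 600 "$scratch/.pgp/secring.pgp"
    check_pgp_dir "$scratch"; rc=$?
    rm -rf "$scratch"
    return $rc
}

demo_pgp_dir && echo "scratch ~/.pgp layout is clean"
```

Against a real account, source the file and run check_pgp_dir "$HOME" after pgp -kg; an empty result with exit status 0 means the layout matches what the Pine setup below expects.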

Pine Setup

At the system prompt, type

pine

Type

s for the setup menu

c for configuration setup

Use the <space> bar and down arrow to move down about three pages to the configuration setup item "display filters". Type

?

and read the help message for this item. Type

a

to enter a new value, then

_LEADING("-----BEGIN PGP")_ ~/.pgp/display.csh

which will activate PGP if a message contains a line that starts with (or has a leading character string of) "-----BEGIN PGP". Either an encrypted or a clear-signed message will activate PGP. PGP will prompt the user for the pass phrase. Responding with the appropriate pass phrase will allow the user to view a decrypted version of the current message.

Move to the item "sending filters" and read its help message by typing

?

Type

a

to add the value

~/.pgp/pgpsign -fast

which serves as the user's clear-sign filter. Because Pine displays only the application name, not the parameters, using the original word "pgp" can be confusing at times. The symbolic links set up above using the "ln" command make it obvious to the user for what purpose PGP is used in this and the next filter.

Then type

a

to add another value like this:

~/.pgp/encrypt -feast _RECIPIENTS_

which serves as the user's encryption filter. The public key of the recipient of the e-mail will be used by PGP to encrypt the outgoing mail. The user has already set up his/her own public key in the directory "~/.pgp".

Type

e

to exit from the setup menu, and

y

to confirm the changes. This is another part of the procedure that is vulnerable to typos. Deleting nonworking filters and re-entering them proved more successful than editing them. The user has completed the setup of PGP and Pine. Test out the setup by signing and encrypting some e-mail to yourself and trying to display it upon receipt.

The procedure above puts the sending filters in optional positions. Thus they are not used as the first choice when the user sends e-mail after composing it. If the user hits return in response to the prompt "sending message unfiltered ?", none of the filters will be used, and the message will be sent as plain text.

If the user plans to sign all messages by default, the user should make sure pgpsign is the first filter in his/her configuration menu, and then turn on the option "compose-send-offers-first-filter" in the configuration menu. The user can select encryption as the first choice in a similar fashion.

No matter how the user configures Pine for PGP, he/she is allowed to choose a filter for each message. Just use

^p

or

^n

to scan through the available filters. Sending an unfiltered message is one of the choices.
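The setup above is entered by hand and, as noted, is prone to typos. The following script is an added example, not part of the original document: it checks a .pinerc for the three filter values given above, exactly as typed, and reports which filter Pine will offer first at send time. It assumes Pine records these under the variables display-filters, sending-filters and feature-list as comma-separated lists with indented continuation lines; the two sample .pinerc files it writes are constructed, one correct and one with typos.

```shell
#!/bin/sh
# Added example, not part of the original page: checks a .pinerc for the three
# filter values the page has the user type into Setup/Config. Assumptions: Pine
# stores them under "display-filters", "sending-filters" and "feature-list",
# each a comma-separated list with indented continuation lines. The sample
# .pinerc files written by write_samples are constructed for this example.

DISPLAY_FILTER='_LEADING("-----BEGIN PGP")_ ~/.pgp/display.csh'
SIGN_FILTER='~/.pgp/pgpsign -fast'
ENCRYPT_FILTER='~/.pgp/encrypt -feast _RECIPIENTS_'
FIRST_FILTER_FEATURE='compose-send-offers-first-filter'

# Print the values of one pinerc list variable, one per line, with the
# continuation indentation and trailing commas removed.
pinerc_values() {   # $1 = pinerc file, $2 = variable name
    awk -v var="$2" '
        {
            if (index($0, var "=") == 1) { line = substr($0, length(var) + 2); on = 1 }
            else if (on && $0 ~ /^[ \t]/) { line = $0; sub(/^[ \t]+/, "", line) }
            else { on = 0; next }
            sub(/[ \t]*,?[ \t]*$/, "", line)
            if (line != "") print line
        }
    ' "$1"
}

# True if the variable's list contains exactly this value (fixed-string match).
pinerc_has() {   # $1 = pinerc, $2 = variable, $3 = value
    pinerc_values "$1" "$2" | grep -Fxq -- "$3"
}

first_sending_filter() {
    pinerc_values "$1" sending-filters | head -n 1
}

# What Pine offers first at send time: the first sending filter when the
# feature is on, otherwise the unfiltered send the page describes.
offered_first() {
    if pinerc_has "$1" feature-list "$FIRST_FILTER_FEATURE"; then
        first_sending_filter "$1"
    else
        echo unfiltered
    fi
}

# Prints one line per mistyped or missing filter, returns the number found.
check_pinerc() {
    rc="$1"; problems=0
    pinerc_has "$rc" display-filters "$DISPLAY_FILTER" || {
        echo "display filter missing or mistyped; expected: $DISPLAY_FILTER"
        problems=$((problems + 1)); }
    for v in "$SIGN_FILTER" "$ENCRYPT_FILTER"; do
        pinerc_has "$rc" sending-filters "$v" || {
            echo "sending filter missing or mistyped; expected: $v"
            problems=$((problems + 1)); }
    done
    return $problems
}

# Constructed samples: "good" matches the page; "typo" has four dashes in the
# display filter, a misspelled encrypt flag, and the first-filter feature off.
write_samples() {   # $1 = directory
    cat > "$1/good.pinerc" <<'EOF'
personal-name=John Q. Public
feature-list=compose-send-offers-first-filter
display-filters=_LEADING("-----BEGIN PGP")_ ~/.pgp/display.csh
sending-filters=~/.pgp/pgpsign -fast,
	~/.pgp/encrypt -feast _RECIPIENTS_
EOF
    cat > "$1/typo.pinerc" <<'EOF'
personal-name=John Q. Public
display-filters=_LEADING("----BEGIN PGP")_ ~/.pgp/display.csh
sending-filters=~/.pgp/pgpsign -fast,
	~/.pgp/encrypt -feats _RECIPIENTS_
EOF
}

d=$(mktemp -d); write_samples "$d"
for f in good typo; do
    echo "== $f.pinerc"
    check_pinerc "$d/$f.pinerc"
    echo "offered first: $(offered_first "$d/$f.pinerc")"
done
rm -rf "$d"
```

To check a real configuration, source the file and run check_pinerc "$HOME/.pinerc"; a mistyped value is reported next to the exact text the page gives, which is what the delete-and-re-enter advice above needs.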

Sample PGP Session in Pine

Compose your message as you normally would. Type

^x

when you are ready to send the message. Pine will prompt you

Send message (unfiltered)?

If the user types

y

the message will be sent to the recipient unencrypted. If the user types

n

the message will not be sent to anyone. If the user types

^n

the user will be prompted

Send the message (filtered thru "encrypt")?

If the user types

y

PGP will require the user to produce the pass phrase and type the ID of the recipient, say John Q. Public. John Q. Public's public key must be on the user's public key ring for the user to be able to successfully send an encrypted message to John Q. Public. If the user instead types

^n

again, the system will prompt

Send message (filtered thru "pgpsign")?

If the user types

y

PGP will require the user to produce the pass phrase. The user may move back and forth through the options by typing ^p or ^n.

Other correspondents will send the user mail encrypted with his/her public key. To read that mail, the user will be required to produce the pass phrase. Encrypted messages look as follows:

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

hIwDSvjuCz3fsgEBA/9kZXBvU0qrurwuOhEzP7laY5d04cD8hmETHyeTLcl2yS4b
gIS0+6JvmbQlgqQC+kXXwU/9rjxvrt5VUu1TaJ3Z0RdSZWCE+yVQIs6jCvhsrI4U
HTISiywSwrdMm7grU1rmMC5OMX+XZmSsWZTcSiQVRDz/R6sznTz7XVIDdn5NcqYA
AAKjcsskaYZ73jSbNzwLDWM26t1vYIlofZ+blLK5NIBStv7fY75Ju+mPIStFgn6+
IKfiVnTHqeGke00Qk6qG+C00FOxG6RAEg5ut5o/Y+rQv4Au2LverTIDG10QPislg
Uzvd3r3weRju73i2e9+BUAdTFcGoTdZ/SOUBCrbR8+jTLJnfJWscSvSd5u8gkNIa
o78L2fcbuwCYnqlIuhmxATfKYnPtshC9K0R7CCrNbOqe3t4jN5ltywoQ/weKc2/R
2xcXNH2xocCE6WEBvAxpUm7V5eLY76nwiFMqq3FgQhIOuG3ZstBDFxnsHyJALPU4
7X6AriD5xtuYeePuh67dOpc2835oZLcd8kFJvn3MbjsCpLGJ4H5y93n+wm1J1bnF
tu+T9KiMNktt4Pnj+rVOpTBQ6kDLikok6WOTAwuC/wfAZffDMSf/dlJKAA7Z4Ebv
A2ULveWY
=isUY
-----END PGP MESSAGE-----

A Text Version of the User's Public Key

Users can exchange public keys in many ways. Some of these methods involve sending the correspondent a text version of the user's public key. To produce a text version of the user's public key, type

pgp -kxa zzpublic@acc.washburn.edu mykey

This will result in a text version of the user's key in the ascii (text) file mykey.asc. Bill Roach's public key looks like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzHZjRsAAAEEAJua+YF4VBHbVSEqvmtQbRypFWRQMdM+W8ElJ4jarC5pneZ4
CWGj5DZyYjNGmNHBhv+PJZODumo+olH1GvcWeg+kF0K07tchI4HYjW48n/2u4El0
nE7UtHAtfxoNqtzRoJs0H9dQapIgiFf0hikkFviEuuORSx9TTEr47gs937IBAAUR
tCFCaWxsIFJvYWNoIDx6enJvYWNAYWNjLnd1YWNjLmVkdT6JAJUDBRAx5RfrSvju
Cz3fsgEBARBZA/wMjC870ZsA7EtHnK1TTYWhdQ0Vgb/kccG+6ArBjUtXR4nzgvRx
wHq2B3hwHOHWQo8nc2uSihMwwvzrvYrkfB4kSTR70A6QNO0sjk0dBr7IregRrhBn
dXPQ812/oe3E2u9TfeC3WPIPn7Nfvs3HsartEgZPAtDa5mDr/fj2GPGIjg==
=INdd
-----END PGP PUBLIC KEY BLOCK-----

Publishing Public Keys and Retrieving Public Keys from Key Server Databases

Most of the books on PGP recommend using SLED (Stable Large Email Database). The advantage of publishing your public key on SLED and restricting yourself to correspondents whose public keys are published on SLED is that SLED validates its subscribers: they are who they say they are. Users who do not rely on SLED should not presume that correspondents have accurately identified themselves. SLED requires a $10 signup fee and a $5 maintenance fee to be part of its database.

To learn about obtaining a correspondent's public key from SLED at no charge, send e-mail to info@Four11.com. No subject or contents are necessary. Four11.com will respond with information on retrieving public keys and joining SLED.

MIT maintains a free key server which anyone may join. PGP key servers across the country are linked, so that what is published on the MIT PGP key server is published on all of the rest. This free server does not attempt to check the identity of prospective users. To check out the MIT PGP key server, send e-mail to pgp-public-keys@pgp.ai.mit.edu with the subject "help" and no text in the message body. To publish the user's key on the MIT PGP database, send e-mail to pgp-public-keys@pgp.ai.mit.edu with the subject "add" and, as the text of the e-mail, the text (ascii) version of the user's public key, e.g.,

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzHZjRsAAAEEAJua+YF4VBHbVSEqvmtQbRypFWRQMdM+W8ElJ4jarC5pneZ4
CWGj5DZyYjNGmNHBhv+PJZODumo+olH1GvcWeg+kF0K07tchI4HYjW48n/2u4El0
nE7UtHAtfxoNqtzRoJs0H9dQapIgiFf0hikkFviEuuORSx9TTEr47gs937IBAAUR
tCFCaWxsIFJvYWNoIDx6enJvYWNAYWNjLnd1YWNjLmVkdT6JAJUDBRAx5RfrSvju
Cz3fsgEBARBZA/wMjC870ZsA7EtHnK1TTYWhdQ0Vgb/kccG+6ArBjUtXR4nzgvRx
wHq2B3hwHOHWQo8nc2uSihMwwvzrvYrkfB4kSTR70A6QNO0sjk0dBr7IregRrhBn
dXPQ812/oe3E2u9TfeC3WPIPn7Nfvs3HsartEgZPAtDa5mDr/fj2GPGIjg==
=INdd
-----END PGP PUBLIC KEY BLOCK-----

Updating the User's Public Key Ring

The user should always authenticate a public key before using it. Methods of authenticating public keys are discussed in the PGP documentation cited above. If the user has a text version of a correspondent's public key in a text file friendkey.asc, that public key can be added to the user's public key ring with the command:

pgp -ka friendkey.asc

PGP will require the user to produce the pass phrase and to certify that he/she has verified that the public key does indeed belong to the user indicated. When sending encrypted mail to that correspondent, the user will have to produce the pass phrase and give the correspondent's id.

If a correspondent makes his/her key available in his/her .plan file, the user can acquire the key by using the finger command:

finger newfriendid@stateu.edu | pgp -fka

The output of the finger command is piped into pgp, and the key corresponding to newfriendid is automatically added to the user's key ring. Note that this command does not work at Washburn and many other installations where the finger command has been partially disabled.
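Before a key file goes into pgp -ka (or finger output into pgp -fka), it is worth confirming that the armored block is intact. The script below is an added example, not part of the original document: check_armor walks the block (BEGIN line, headers, blank line, radix-64 data lines of at most 64 characters, the "=XXXX" checksum line, matching END line) and reports what is wrong, and reflow_armor repairs the common case where the 64-column lines arrived run together, as happens when a key is copied from a web page or rewrapped by a mail client. It checks layout only; that the key really belongs to the correspondent is still the verification the text above calls for. The sample is the public key block shown on this page; the damaged copies are constructed from it.

```shell
#!/bin/sh
# Added example, not part of the original page: structural check of an
# ASCII-armored PGP block before "pgp -ka", plus a reflow helper for blocks
# whose data lines were joined onto one line. Layout check only; it does not
# verify the key itself. Sample: the public key block shown on the page;
# the damaged variants are constructed in write_samples.

# Walks the armor state by state and prints findings; returns 0 only when the
# block is well-formed.
check_armor() {   # $1 = file
    awk '
        BEGIN { state = "pre"; bad = 0; lines = 0 }
        state == "pre" && /^-----BEGIN PGP [A-Z ]+-----$/ {
            kind = substr($0, 16, length($0) - 20); state = "hdr"; next }
        state == "pre" { next }                        # mail headers, finger output, ...
        state == "hdr" && /^$/ { state = "data"; next }
        state == "hdr" && /^[A-Za-z-]+: / { next }     # e.g. "Version: 2.6.2"
        state == "hdr" { print "bad header line: " $0; bad++; next }
        state == "data" && /^=/ && length($0) == 5 { state = "end"; next }
        state == "data" && /^-----END PGP/ { print "END line before the checksum line"; bad++; state = "done"; next }
        state == "data" && /^[A-Za-z0-9+\/=]+$/ {
            if (length($0) > 64) { print "data line longer than 64 characters: lines run together?"; bad++ }
            lines++; next }
        state == "data" { print "not a radix-64 line: " substr($0, 1, 40) "..."; bad++; next }
        state == "end" && $0 == "-----END PGP " kind "-----" { state = "done"; next }
        state == "end" { print "expected END line after the checksum, got: " $0; bad++; state = "done"; next }
        END {
            if (state == "pre") { print "no BEGIN PGP line found"; bad++ }
            else if (state != "done") { print "block not terminated (stopped in state " state ")"; bad++ }
            else if (lines == 0) { print "no data lines between the headers and the checksum"; bad++ }
            else if (bad == 0) { print "well-formed " kind ", " lines " data lines" }
            exit (bad > 0)
        }
    ' "$1"
}

# Rewrites a block whose data arrived whitespace-joined so that each radix-64
# token is on its own line; everything outside the data section is unchanged.
reflow_armor() {   # $1 = file, output on stdout
    awk '
        /^-----BEGIN PGP/ { print; section = "hdr"; next }
        /^-----END PGP/   { print; section = ""; next }
        section == "hdr" && /^$/ { print; section = "data"; next }
        section == "data" { for (i = 1; i <= NF; i++) print $i; next }
        { print }
    ' "$1"
}

# Writes good.asc (the page's key), finger.txt (same key behind finger-style
# output), flat.asc (data lines run together) and trunc.asc (END line missing).
write_samples() {   # $1 = directory
    cat > "$1/good.asc" <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzHZjRsAAAEEAJua+YF4VBHbVSEqvmtQbRypFWRQMdM+W8ElJ4jarC5pneZ4
CWGj5DZyYjNGmNHBhv+PJZODumo+olH1GvcWeg+kF0K07tchI4HYjW48n/2u4El0
nE7UtHAtfxoNqtzRoJs0H9dQapIgiFf0hikkFviEuuORSx9TTEr47gs937IBAAUR
tCFCaWxsIFJvYWNoIDx6enJvYWNAYWNjLnd1YWNjLmVkdT6JAJUDBRAx5RfrSvju
Cz3fsgEBARBZA/wMjC870ZsA7EtHnK1TTYWhdQ0Vgb/kccG+6ArBjUtXR4nzgvRx
wHq2B3hwHOHWQo8nc2uSihMwwvzrvYrkfB4kSTR70A6QNO0sjk0dBr7IregRrhBn
dXPQ812/oe3E2u9TfeC3WPIPn7Nfvs3HsartEgZPAtDa5mDr/fj2GPGIjg==
=INdd
-----END PGP PUBLIC KEY BLOCK-----
EOF
    { echo "Login: newfriendid"; echo "Plan:"; cat "$1/good.asc"; } > "$1/finger.txt"
    awk '/^-----END/ { printf "\n"; print; next } NR <= 3 { print; next }
         { printf "%s%s", (n++ ? " " : ""), $0 }' "$1/good.asc" > "$1/flat.asc"
    sed '$d' "$1/good.asc" > "$1/trunc.asc"
}

d=$(mktemp -d); write_samples "$d"
for f in good.asc finger.txt flat.asc trunc.asc; do echo "== $f"; check_armor "$d/$f"; done
echo "== flat.asc after reflow"; reflow_armor "$d/flat.asc" > "$d/fixed.asc"; check_armor "$d/fixed.asc"
rm -rf "$d"
```

On a real friendkey.asc, run check_armor first; if it reports lines longer than 64 characters or a line that is not radix-64, reflow_armor friendkey.asc > fixed.asc usually recovers the block, and the check can be repeated on the result before pgp -ka is run.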

Backing Up

Losing the files in the user's ~/.pgp directory implies losing the ability to decrypt messages sent to the user. Thus users should back up the contents of the ~/.pgp directory. Since all of the files in this directory are relatively short ascii files, backup should not take too long.

Incompatibility

The implementation of PGP at Washburn is Version 2.6.2 of PGP. Version 2.6 of PGP is not fully compatible with versions 2.3 and 2.4. Versions of PGP are upward compatible, but not downward compatible. Thus Washburn PGP users will be able to decrypt messages and use keys generated by users of PGP 2.3 and 2.4, but users of versions 2.3 and 2.4 will be unable to use keys or decrypt messages generated by PGP 2.6.2 at Washburn.

Mac, Unix, and DOS versions of PGP can communicate with one another. Since all text is encrypted in ascii format, messages can be freely interchanged with users of PGP on other kinds of hardware.

Changing the User's Pass Phrase

The user may want to change his/her pass phrase from time to time to enhance its mnemonic quality or to assure security. To do so, type

pgp -ke userid

where userid is the user's id on the secret key ring. PGP will prompt the user for the current pass phrase, and the user will be allowed to edit the information on the secret key ring, including the pass phrase.

Errors and Omissions

The instructions given above will allow faculty and staff to set up Pine for use with PGP. They have been tested out, and they work. However, the result is not perfectly "clean." The user will receive some error messages about not having the appropriate file permissions to complete the requested operation. Simply hit return, and the system will work. Any user who can "fix" the problem should send the fix to Bill Roach, zzroac@washburn.edu, so that this documentation can be updated. This document is an expansion of a document on the web page of Jie Yuan.

Appendix: display.csh

#!/bin/csh
# Pine runs this as the display filter: the message text arrives on standard
# input and whatever the script writes to standard output is what Pine shows.
pgp
# The prompt goes to the terminal device rather than to standard output, so it
# does not end up in the displayed text. /dev/vt100 is the device used at this
# site; /dev/tty is the portable name for the controlling terminal.
echo "\n\nPress [RETURN] to continue" >/dev/vt100
exit 0
# This script is obtained from comp.mail.pine newsgroup
# To use it for Pine 3.92 or newer version, you should: (1) Make it
# executable (chmod +x filename). (2) Launch Pine, and get into the
# Setup-Configuration menu. (3) Go down the menu 3 pages and find the
# display-filter option. (4) Add Value: _LEADING("-----BEGIN PGP")_
# /usr.../display.csh, where "/usr...csh" is the path to this script.
# Exit from the configuration menu and confirm the change. That's it.
# You should see the complete dialog with PGP before a PGP mail is
# decrypted and that is the whole purpose of using this script.
