Keep Out magazine Volume 1, Number 1

First issue of the electronic privacy magazine Keep Out. It features an interview with Philip Zimmermann, author of PGP, an introduction to encryption, and a review of off-line mail-reader/PGP shell programs.


-----BEGIN PGP SIGNED MESSAGE-----

Keep Out
Volume 1, Number 1
August/September 1994

In this Issue

  • An Interview with Philip Zimmermann, author of Pretty Good Privacy
  • A Review of PGP/Off-Line Mail-Reader Shell Programs
  • Beginners: How Pretty Good Privacy Works

Preface To The Electronic Edition

By John Schofield, Publisher

This electronic version of Keep Out is being released to publicize the issues and people discussed in this issue, and to bring more publicity to Keep Out.

Although Keep Out is a subscription- and advertising-funded magazine, there will always be a free, electronic version of Keep Out. This information is too important to limit to those who can afford a subscription.

Since Keep Out does have bills that need to be paid, this electronic version will be released roughly one month after the paper version, to encourage people to subscribe.

If you would like to receive a free sample issue of Keep Out, with no strings attached, simply send your postal address to ac086@lafn.org, or to "Keep Out" at 1:102/903@Fidonet.Org, call (voice) (818) 345-8640, or mail it to:

Keep Out Sample Issue
P.O. Box 571312
Tarzana, CA 91357-1312

If you enjoy Keep Out, either in the electronic or printed versions, I strongly encourage you to subscribe. Subscriptions only cost $15 per year, for six full issues of electronic privacy information. Foreign subscriptions are a little more expensive, at $25, to cover the increased mailing costs. See the advertisement at the end of this file for more information on subscribing to Keep Out.

Publisher's Note

By John Schofield, Publisher

I have been interested in codes and ciphers since I was a child, simply because, like secret passages and tree-houses, codes were neat. I was not interested in abstract concepts like civil liberties or freedom when I read about the history of cryptography as a child. (I just knew it was fun.) I still think cryptography is fun--but now that I am older, I recognize the true importance of cryptography in maintaining freedom.

The United States remains one of the most free countries in the world. However, there seems to be a relentless trend here towards reduction of personal liberties, in the name of practical goals like fighting crime.

Elsewhere in the world, civil liberties are even more endangered, or simply do not exist.

In this environment, electronic privacy becomes vastly more important.

There are many resources available to people interested in cryptography--for example ALT.SECURITY.PGP and the Cypherpunks mailing list on the Internet, or the PUBLIC_KEYS echo on Fidonet.

However, for technology to fulfill its potential to liberate people, it can not--and must not--be limited to any particular group of people.

Information on cryptography, on anonymity, on anything else that can keep Big Brother from peeking in your keyhole must be made available to as many people as possible.

That is where Keep Out comes in. I want Keep Out to publish the most complete, accurate, and up-to-date information possible about the multiple worlds of cryptography, civil liberties, electronic anonymity, digital cash, and everything else that could possibly affect your privacy.

There aren't many staff members here at Keep Out, and our budget is laughable. It is a big task we have before us. But we're going to do our damnedest here. I want to be able to tell my kids, if I ever have any, that I did my best to preserve freedom, and liberty, and the Constitution--to do good, in short.

I hope you'll stay along for the ride.

Keep Out Policy Statements

Mission Statement

Electronic Privacy will become increasingly important in each of our lives as computers and telecommunications bring people closer together.

Keep Out is dedicated to the idea that everyone has the ability and the right to decide their own destinies. That no one should decide what people read or write or whom they talk to.

New technologies exist that make it a great deal easier than in the past to monitor whom people talk to and what they say and do.

Keep Out's mission is to investigate ideas and products that make it harder to monitor and control people, and to popularize those ideas and products by making them easier to understand and use.

Through this, Keep Out aims to preserve the existence of individual liberty and freedom in the USA and the world.


Advertising Policy

Keep Out reserves the right to refuse an advertisement if the advertisement advocates illegal activities. Keep Out reserves the right to refuse an advertisement if, in the opinion of the Keep Out Editorial Board, the advertisement would tend to mislead Keep Out readers. Keep Out's editorial content is completely independent of its advertising.


Letter Policy

Letters should be brief (shorter than 300 words) and will be printed exactly as received. Letters must be signed and include a valid mailing address and telephone number. Pseudonyms and initials will not be used, but names may be withheld by request upon approval of the Keep Out Editorial Board. Keep Out will not publish letters that are libelous. In addition, Keep Out will not publish as letters literary endeavors, publicity releases, poetry or anything the Keep Out Editorial Board decides is not a letter. Because of space limitations, it may not be possible to print all letters received; the Keep Out Editorial Board reserves the right to print only those letters it deems most of interest to Keep Out readers.


Privacy Statement

Keep Out's mailing list will not be released to anyone for any reason. All information about Keep Out subscribers is confidential.


Contact Information
Internet: ac086@lafn.org.
Fidonet: "Keep Out" at 1:102/903.0
Voice: +1-818-345-8640
BBS/FAX: +1-818-342-5127
Postal Mail: Keep Out
P.O. Box 571312
Tarzana, CA 91357-1312.

Keep Out magazine is published bimonthly by Keep Out, founded by John Schofield. Copyright Keep Out 1994. All rights reserved by Keep Out. Reproduction without permission is prohibited. Keep Out is not responsible for unsolicited materials. Printed in the USA.

Keep Out Staff Roster

Publisher and Editor In Chief: John Schofield
Associate Editor: Matthew A. Carey
Copy Editor: Amy K. Hood
Consultant: Julie Bailey
Consultants and Patron Saints: Don Adler and Michael Bendgen

Cover art by Matthew A. Carey

Layout for the printed version of Keep Out was done on a 486dx-50/2, using Microsoft Windows 3.1 and Microsoft Word 6.0a. Output was done on a Compaq Pagemarq 20.

Advertisement

Pretty Good Privacy(tm)

  • Privacy: ViaCrypt PGP is the perfect tool for anyone who values the privacy of their proprietary or sensitive information.
  • Strength: ViaCrypt PGP is the strongest privacy program available to the civilian world.
  • Interoperability: All versions of ViaCrypt PGP are completely interoperable.
  • Control: With ViaCrypt PGP you are in complete control of your privacy. YOU create your keys. YOU decide who to trust.


Versions available for Macintosh, DOS/Windows and UNIX.

ViaCrypt(tm) PGP(tm) is the world's most popular and secure software program for e-mail and file privacy. ViaCrypt PGP is fully licensed for personal, commercial, and government use.

Single User Prices:

  • ViaCrypt PGP for Windows (Sept.) $124.98
  • ViaCrypt PGP for MS-DOS $99.98
  • ViaCrypt PGP for Macintosh (Sept.) $124.98
  • ViaCrypt PGP for UNIX $149.98
  • ViaCrypt PGP for WinCIM/CSNav $119.98


ViaCrypt
2104 West Peoria Avenue
Phoenix, Arizona 85029

Orders: (800) 536-2664
Information: (602) 944-0773
FAX: (602) 943-2601
Internet: viacrypt@acm.org
CompuServe: 70304,41

Pretty Good Phil;
The story of Philip Zimmermann, author of Pretty Good Privacy

By John Schofield, Publisher

Philip Zimmermann is an entrepreneur. Like most entrepreneurs, he risked a lot in order to reap a big reward. Unlike most entrepreneurs, though, his risk was not only financial. And the reward he reaped had little to do with money.

In December of 1990, Zimmermann began developing Pretty Good Privacy (PGP), a data encryption program that today is in wide use around the world.

Human rights groups in Central America, political opposition groups in Burma and the Tibetan government in exile are all using PGP to protect their privacy, along with many thousands of individuals in the United States and abroad, Zimmermann said.

Zimmermann, who received his bachelor's degree in computer science from Florida Atlantic University in 1978, said he developed PGP because he was concerned about the government having too much power to invade people's privacy.

"I was concerned about the information age bringing about an imbalance of power between government and individuals in the area of privacy."

Zimmermann, 40, said he was specifically concerned about Senate Bill 266, a proposed 1991 law that would have suggested that manufacturers put backdoors in communications products. The bill did not pass, but a similar bill mandating backdoors has been introduced this year.

Senate Bill 266 said that manufacturers should "ensure that communications systems permit the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law." This would apply to, among other things, telephones, computers with modems, and faxes.

"I had hoped to make some [encryption] product some time that I could sell commercially, but when I saw this legislation I abandoned my hopes for making money from it and got into a race against time to get it out to inoculate the body politic," said Zimmermann, who lives in Boulder, Colo.

Zimmermann said he considers PGP "the most important thing I've done. It may be the most important thing I'll ever do in my career." But privacy is not the first big battle Zimmermann has fought.

In the 1980's, Zimmermann was an anti-nuclear weapons activist and, "taught a class on military policy a couple of times, did a lot of public speaking in churches and schools, was a policy advisor to some US Senate and House races. And I did get arrested twice at the Nevada nuclear test site."

Zimmermann said his experience fighting against nuclear weapons has "given me a perspective of speaking truth to power. It's made me more aware of government abuses. It taught me to stand up for what's right, taking a principled stand and sticking with it. It can be hard to stick to your position in the face of very powerful forces."

"I worked pretty hard on [the arms race]. But now the world has changed, issues have changed, and I've moved on to other things. When I worked on the nuclear freeze, I was one person out of a million. So I was, relatively speaking, not as effective in the general scheme of things. But on this issue, which is not as important, perhaps as the one from that time, my ability to impact the issue is much, much higher."


Costs of Writing PGP

Zimmermann paid a heavy price for writing PGP.

For six months, he worked on little else, devoting most of his days to his unpaid work on PGP.

"I came within inches of losing the house," Zimmermann said. "I blew my credit record to hell. I was late on a lot of bills. It just pretty much wiped me out. In fact, I still can't get a credit card even today, three years later, because it would be declined because of what happened then."

Zimmermann, who was born in Camden, New Jersey but grew up in south Florida, said he was "a recluse" while writing PGP, working on it during "all of my waking hours, except for eating and taking a shower and that sort of thing."

"Entrepreneurs often miss mortgage payments in the hopes of getting rich. But I didn't do it for that, I did it for political reasons," Zimmermann said. In the end though, PGP has helped Zimmermann financially.

"Now it turns out that as a consultant in cryptography it's much easier for me to find clients because I'm pretty well-known these days. It's helped my consulting work."


Crime and Punishment?

Now that Zimmermann is recovering from the financial damage that writing PGP did to him, he faces possible criminal charges relating to PGP that are much more serious than money troubles.

Zimmermann is being investigated by the U.S. Attorney's office and U.S. Customs for possible violations of State Department regulations on exporting strong cryptographic products.

The State Department's International Traffic in Arms Regulations (ITAR) regulate the export of munitions from the United States. These regulations, intended to keep the United States from arming its enemies, cover nuclear and conventional weaponry, as well as cryptography.

Steven Shefler, chief assistant United States attorney for Northern California, had no comment about the Zimmermann case, "other than the fact that it's under investigation."

Philip Dubois, Zimmermann's lead defense attorney, said he does not know exactly what theory of prosecution the government will pursue, if it ever does.

It would be a serious first amendment issue, "if their argument is that simply permitting his program to be freely distributed in the United States by electronic means is the same as exporting the software," Dubois said.

"Borders are pretty meaningless with the current information networks," Dubois said. He added that the Massachusetts Institute of Technology (MIT), which released the latest version of PGP, "took all reasonable precautions to keep the new release of PGP from being exported from their site, and we have reason to believe [their version of] PGP had reached Europe within hours of its release."

Dubois said he thinks the investigation is taking place in Northern California instead of Colorado, where Zimmermann lives, because, "the location of the investigation is unimportant. Whoever exported [PGP] likely reached in from outside the United States to get it."

Zimmermann is understandably worried about the investigation.

"Any time you're under criminal investigation you have to be concerned about it, whether you are guilty or innocent. You know, some people might think that if you're innocent you don't have anything to worry about, but that's not true. I think the innocent worry more than the guilty."

Trevor Burke, a supervisory criminal investigator with United States Customs' San Jose office, refused to confirm that an investigation of Zimmermann was taking place.

"We won't be able to help with any information whatsoever relative to any information on any investigation of a Mr. Phil Zimmermann," Burke said.

Zimmermann, "did not do any exportation of PGP. Anyone could have exported PGP," Dubois said.

Zimmermann has established a legal defense fund operated by Dubois to help pay for his legal expenses.

"I'm not indicted, but it still costs me legal defense fees. I need contributors to help me out with this. It's like having cancer without medical insurance," Zimmermann said. Zimmermann described his defense team as very strong.

Although other people occasionally help Zimmermann, Dubois said, the core team consists of Ken Bass, who was a Justice Department lawyer under President Carter, Curtis Karnow, a former federal prosecutor who has been published in Wired magazine, and Eben Moglen, a law professor at Columbia University who was a clerk to U.S. Supreme Court Justice Thurgood Marshall. All except Dubois are working for free, Zimmermann said.

Zimmermann strongly believes the State Department regulations are unjust.

"I think they're suppressing free speech. I don't think they're appropriate for a democracy. Plus, they're futile. Cryptography is something that people in foreign countries know how to do already. We have to import cryptography into this country because the domestic availability of it is suppressed by these laws," Zimmermann said.


The Future of PGP

Despite his fears, Zimmermann was eager to talk about the future of PGP.

"There's a lot of good, really important features for [PGP version] 3.0," he said.

One feature Zimmermann mentioned is a graphical user interface (GUI), "wrapped around it the way it's supposed to be. Not some external GUI shell that is kind of glued to it, but [an integrated] GUI the way God intended GUIs to be." Zimmermann said there would be multiple versions of PGP, with the GUI being limited to Windows and Macintosh versions at first.

Another important change Zimmermann mentioned is giving everyone two pairs of keys. One pair would be used exclusively for digital signatures, and the other pair would be used solely for encryption and decryption.

"Here's what would happen. You would collect signatures on your public key that is used for checking your signatures. But you would not collect signatures on your other public key, used for encrypting messages. There would be one and only one signature on your public key that people would use for encrypting things. And that signature would be made with your signature key."

In current versions of PGP, users have only one pair of keys. These keys are multi-purpose, used for both encrypting and signing.

The change to two pairs of keys that Zimmermann describes would have several advantages over the current system.

One problem with the current system is related to how keys are verified. You collect people's digital signatures on your key. Each signature helps to verify that the key actually belongs to you, and not to some impostor.

The problem comes when you want to change your key.

"If you had reason to believe that your secret key may have been compromised or soon will be compromised by duress--and duress is something that I'm pretty familiar with--then you could revoke it and reissue a new one," Zimmermann said.

Deleting the old key prevents any of your old encrypted messages from being decrypted.

With Zimmermann's new system you would not have to go through the painstaking process of gathering signatures on your new key all over again.

"This means that you can revoke and reissue new encryption keys on a routine basis without having a major disruption. With the system in place now you'd have to go back and get everyone who signed your old key to sign your new key," Zimmermann said.

Another major change Zimmermann envisions is allowing people who are not the owners of keys to issue revocation certificates.

A revocation certificate is a signed statement that can not be forged, made by the key's owner, that tells PGP that the key is not to be trusted. It could be used, for instance, if a secret key were accidentally made public or when the key's owner no longer has the secret key necessary to read messages encrypted with the public key.

Right now the only one who can revoke a key is the person who created the key. That creates problems if the secret key has been lost or destroyed, because then it is impossible to generate a revocation certificate.

In PGP 3.0, revocation certificates would work on the same system as key signatures. Anyone can generate a revocation certificate for anyone else, but if the person who generated the certificate is not trusted, the certificate is ignored.
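
The two-key scheme and the trust-gated revocation described above can be modelled in a few lines. This is an added example, not PGP code and not Zimmermann's design in detail: it uses toy textbook RSA over small constructed primes (not secure), and the statement labels CERT/BIND/REVOKE, the names key_status and demo, and the rule that a key owner's own revocation is always honoured are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def mersenne(k):
    # 2**k - 1 is prime for k in (31, 61, 89, 107, 127)
    return 2 ** k - 1

def make_key(p, q):
    """Toy textbook RSA: returns (public, private) as (n, exponent) pairs."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

def statement(kind, key_pub):
    """Bytes that get signed: a label plus the public key it refers to."""
    return kind + b"|" + str(key_pub).encode()

def key_status(trusted, sig_pub, certs, enc_pub, binding, revocations=()):
    """Decide, as a correspondent would, whether enc_pub may be used.
    trusted:     {name: public key} of introducers this correspondent trusts
    certs:       {name: signature} collected on the owner's SIGNATURE key
    binding:     the single signature on enc_pub, made with the signature key
    revocations: [(issuer public key, signature)] naming enc_pub
    """
    certified = any(
        name in trusted and verify(trusted[name], statement(b"CERT", sig_pub), s)
        for name, s in certs.items())
    if not certified:
        return "signature key not certified by a trusted introducer"
    if not verify(sig_pub, statement(b"BIND", enc_pub), binding):
        return "encryption key not bound by owner's signature key"
    for issuer_pub, s in revocations:
        # Certificates from issuers who are not trusted are ignored.
        honoured = issuer_pub == sig_pub or issuer_pub in trusted.values()
        if honoured and verify(issuer_pub, statement(b"REVOKE", enc_pub), s):
            return "revoked"
    return "ok"

def demo():
    # Constructed toy keys; they even share prime factors, so illustration only.
    alice_pub, alice = make_key(mersenne(31), mersenne(61))   # signature pair
    bob_pub, bob = make_key(mersenne(61), mersenne(89))       # trusted introducer
    mal_pub, mal = make_key(mersenne(89), mersenne(107))      # not trusted
    enc1_pub, _ = make_key(mersenne(107), mersenne(127))      # first encryption key
    enc2_pub, _ = make_key(mersenne(31), mersenne(127))       # replacement key

    trusted = {"bob": bob_pub}
    certs = {"bob": sign(bob, statement(b"CERT", alice_pub))}  # collected once
    bind1 = sign(alice, statement(b"BIND", enc1_pub))
    out = {"initial": key_status(trusted, alice_pub, certs, enc1_pub, bind1)}

    # Routine rotation: Bob is never asked to sign anything again.
    revoke1 = (alice_pub, sign(alice, statement(b"REVOKE", enc1_pub)))
    bind2 = sign(alice, statement(b"BIND", enc2_pub))
    out["old_key"] = key_status(trusted, alice_pub, certs, enc1_pub, bind1, [revoke1])
    out["new_key"] = key_status(trusted, alice_pub, certs, enc2_pub, bind2)

    # A binding made with someone else's key does not attach a key to Alice.
    forged = sign(mal, statement(b"BIND", enc2_pub))
    out["forged_binding"] = key_status(trusted, alice_pub, certs, enc2_pub, forged)

    # Third-party revocation: the same certificate, two different issuers.
    by_mal = (mal_pub, sign(mal, statement(b"REVOKE", enc2_pub)))
    by_bob = (bob_pub, sign(bob, statement(b"REVOKE", enc2_pub)))
    out["revoked_by_untrusted"] = key_status(trusted, alice_pub, certs, enc2_pub, bind2, [by_mal])
    out["revoked_by_trusted"] = key_status(trusted, alice_pub, certs, enc2_pub, bind2, [by_bob])
    return out

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:22} {status}")
```
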


VoicePGP

Zimmermann is also working on VoicePGP, a product that will allow real-time encryption of telephone conversations using personal computers.

VoicePGP, which will be available for free, together with multimedia hardware available for a few hundred dollars, will turn personal computers into secure, untappable telephones. Anyone tapping the line would hear only gibberish.

"We're making progress slowly [on VoicePGP] because there's no funding," Zimmermann said.

Zimmermann plans to put the encryption routines in after the other work on VoicePGP is done to avoid breaking any export regulations.

"I don't know how I'm going to put it in. I'll either put it in off-shore, have someone else put it in off-shore or put it in here and publish it as a book. There are three or four different plans. They all have to be done so there are no laws broken."

* * *

Three years after Zimmermann released PGP, it continues to change people's preconceptions about privacy. Without PGP, the multiple worlds of anonymous remailers, digital cash and data encryption may not have been as popular as they are. PGP introduced many people to the idea of electronic privacy. There is now a team of people working on PGP, making sure it continues to grow and improve as it has in the past.

And PGP's creator? Right now, Philip Zimmermann is "pretty much saturated with trying to stay out of prison and still save the world."

Philip Zimmermann's Legal Defense Fund

Philip Dubois
2305 Broadway
Boulder, CO 80304

Voice: (303) 444-3885
Internet: dubois@csn.org

Send checks and money orders payable to "Philip Dubois" to the address above. Credit card donations are accepted through encrypted e-mail or at the telephone number above.

How to get a copy of PGP

*If you live in the USA or Canada

By modem:
The Ferret BBS in Arkansas at (501) 791-0125. Log in as PGP USER
with a password of PGP.

The Sprawl BBS in California at (818) 342-5127.
The Catacombs BBS in Colorado at (303) 772-1062.
Exec-Net BBS in New York at (914) 667-4567.

Over the Internet:

To get PGP 2.6 from the Massachusetts Institute of Technology, telnet to net-dist.mit.edu, log in as getpgp and answer the questions. Then FTP to net-dist.mit.edu and change to the hidden directory you learned about in the telnet session.

Commercial Version:

If you want a version of PGP that can be used for commercial purposes, contact Viacrypt Inc. at (602) 944-0773. They sell a completely licensed version of PGP that is legal for use in the USA and Canada.

*If you live outside the USA and Canada

By Modem:
No information available

Over the Internet:
For source code to PGP 2.6ui:
ftp://ftp.demon.co.uk/pub/pgp/pgp26uis.zip
ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp26uis.zip

For DOS PGP 2.6ui executables:
ftp://ftp.demon.co.uk/pub/pgp/pgp26uix.zip
ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP.pgp26uix.zip

Matthew@mantis.co.uk and Michael Paul Johnson (mpj@netcom.com)
contributed greatly to this list.

Advertisement

Chatterbox! BBS
LA's Best Entertainment BBS!

(818) 718-1600
8-n-1

  • 11+ GIGABYTES OF FUN!
  • DATING AND MATCHMAKING
  • NATIONWIDE FAX SERVICE
  • 12 CD ROM's ON-LINE
  • OVER 80,000 LIBRARY FILES
  • THOUSANDS OF PHOTOS (ADULT, ETC.)
  • INTERNET ACCESS (chatrbox.com)
  • RIP-VGA GRAPHICS-USE YOUR MOUSE!
  • MULTI-USER GAMES (D&D, CHESS, SCRABBLE, MANY OTHERS)

CHATTERBOX! BBS - Your REST STOP on the INFORMATION SUPER HIGHWAY!

HAVE YOUR OWN INTERNET ADDRESS WITHIN MINUTES OF CALLING.

28.8K HIGH SPEED ACCESS NOW AVAILABLE

Off-Line Mail-Readers and PGP; A Match Made in Heaven or Hell?

By Matthew A. Carey, Associate Editor

Algorithms, prime numbers, factoring. Words like those make cryptography as intelligible to the average user as the encrypted messages PGP produces.

The mystifying nature of cryptography is one of the biggest challenges to its popularity.

Off-line reader/PGP interface programs have made encryption real for me. And I suspect that I am not the only one.

What follows is a review of four such programs. I gave each of these programs as critical an evaluation as I possibly could. One or two of the programs may have taken a bruising.

Before we get to the program reviews, I would like to mention that I think that the authors of these programs should feel proud of their roles in the cryptography movement.

Just attempting to write an off-line reader/PGP interface is a quiet triumph in the battle to bring privacy to everyday people.

But still, now that these beasts have been born, they must be pitted against each other so that the fittest may survive and pass its bits on in the brutal quest for Ubercode.

I used these programs on a Compaq ProLinea 4/33 with the Bluewave off-line mail-reader. The operating system was DOS 6.2.

PGP 2.5 and 2.6 were released while I tested these programs, but I chose to use PGP 2.3a under the assumption that the off-line reader interfaces were written for it. Having no prophetic knowledge of what changes would be made in PGP should not be held against the writers of these interface programs. In any case, these programs are generally compatible with later PGP versions.

============================= 
AutoPGP version 2.0beta5
(c) 1993, 1994 Felix Shareware
Shareware $10
By Stale Schumacher (staalesc@ifi.uio.no)
Available from: http://www.ifi.uio.no./~staalesc/AutoPGP or from the
Sprawl BBS at (818) 342-5127.
=============================

AutoPGP uses a creative method to run PGP on off-line mail.

It opens each outgoing mail packet and checks it for directives that the user places in the individual messages.

For instance, to sign a message, at the beginning of the message, you would enter [PGP SIGN BOB], and AutoPGP will automatically sign the message with Bob's key.

For incoming mail, AutoPGP opens all QWK packets and looks for PGP messages. It puts every key it finds on the user's key ring, checks every signature and decrypts every encrypted message for which the user has a secret key.

This is an exceptionally good way for someone to interface PGP with their off-line mail-reader if they are not interested in the specifics of cryptography, only the security it provides. It is possible, using this program, to never again see a single bit of PGP-encrypted text, or ever have to type out a PGP command.

AutoPGP supports QWK-format message packets, as well as several formats not as widely used as QWK.

There are one or two habits that the user may have to change to be able to use this program. I am used to executing a macro from Bluewave to get to my terminal program. Using AutoPGP forces the user to exit the mail-reading program before uploading mail, so that AutoPGP can execute the directives.

Using AutoPGP also means having to keep a list of the directives nearby, on paper or perhaps in a memory resident notepad.

A nice thing about AutoPGP is that it allows the user to insert files into a message, something none of the other programs reviewed here can do.

Entering [ADD FILE c:\location\filen.ame] in the message will cause AutoPGP to load the file, whether it is ASCII or binary, insert it into the message and ASCII armor it so it can be sent as e-mail. This can be very convenient for sending files over networks. These files can also be encrypted and signed using AutoPGP's directives.

This program is useful for file insertion, and is also more fun to use than the other three programs. For anyone who is already closing their off-line reader before sending their mail, AutoPGP is a good program to interface PGP and off-line readers.

Registration is $10 after a 30-day trial period. The documentation claims that AutoPGP will cease to function if it is not registered by the time the trial period ends.

Registration also includes free upgrades, e-mail support and removal of shareware reminder notices.

============================= 
PGPBLUE version 2.0
(c) 1994
By Carl Forester
Shareware $10.00
Available from the E-mail Central BBS at (904) 836-5143
=============================

PGPBLUE has improved since the first time I gave it a spin. Now it looks as if it is actually a part of the Bluewave off-line reader, which lends more credence to its slogan "You never have to leave Bluewave again."

Which is not necessarily any more true than it was before this version, although PGPBLUE is generally a well-done piece of software.

Initial configuration for this program is quick and simple. Just answer a few questions about where you keep your spell checker, PGP and your text editor of choice.

The documentation comes as a .COM file and as a text file. This goes a long way toward making PGPBLUE user-friendly.

The main menu of PGPBLUE has a good selection of functions: signing a message, encrypting a message, or both signing and encrypting at the same time. It is also possible to configure PGPBLUE with a spell checker, which can be selected from the PGPBLUE menu.

PGPBLUE's encryption option works best of all. Simply hitting "E" from the PGPBLUE menu magically turns the plaintext message into a PGP-encrypted message. As long as the encryption is done before returning to the main Bluewave program, the tagline ends up outside of the encrypted text.

Decrypting messages is almost as smooth. Hitting "D" at the menu decrypts the message with your secret key and drops you into the text editor to read and reply to the message.

Unfortunately, the quoted lines do not get marked with the standard ">" sign most off-line mail-readers add. Adding quote markers that should have been added by the computer gets to be tedious--especially when you are doing extensive quoting.

A more important flaw with PGPBLUE is its lack of on-line configuration. All changes have to be done outside the PGPBLUE program.

Also, PGPBLUE is unable to configure the PGP command-lines, even by leaving Bluewave and editing the configuration file manually.

However, that is the only real disadvantage of PGPBLUE. It is an otherwise very pleasant program to use.

Both adding and posting keys are easy with PGPBLUE. When a PGP public key comes up in a Bluewave message, it only takes a few keystrokes by the user to import that key onto his key ring.

If you are reading mail in an area that you would like to drop your key into, activating the drop-key option creates a reply message and inserts the key automatically. You do not have to go to the "enter mail" menu in your off-line reader.

Registration for PGPBLUE is $10. Registration is required after a 45-day trial period, and removes the "NOT REGISTERED" message from the PGPBLUE menu and the "<NR>" marker from the tearline.

============================= 
EZ-PGP version 1.07
(c) 1994
By John Schofield (ac086@lafn.org)
Freeware
Available from the Sprawl BBS (818) 342-5127
=============================

It is interesting how programmers choose to integrate PGP with off-line mail readers. Some opt to run PGP on mail after the reader is closed, while others run PGP on mail while the mail reader is still open.

Where PGPBLUE is placed between the mail reader and the text editor, EZ-PGP is placed between the mail reader and the spell-check program.

It is often painfully obvious that most of the people who participate in on-line discussions and write electronic mail do not use spell checkers.

In that event, EZ-PGP takes the place of the spell-checker, and uses a previously empty command line in Bluewave. For the rare users who do spell check their mail, EZ-PGP has a spell checker option, allowing the user to choose his own spell checker during configuration.

EZ-PGP was written by John Schofield, the publisher of Keep Out.

EZ-PGP is an easy way to use PGP with Bluewave and the other readers it is designed to run with. At the same time, EZ-PGP's on-line configuration options, and its easy-to-understand documentation give the program a glass-bottom-boat quality that helps the user learn and understand PGP's various commands and what they do.

This program is also relatively simple to install. It comes as an executable file, with default configurations. Much of the actual installation work is done by reading the location of PGP from the PGPPATH environment variable.

The on-line configuration seems to be designed to allow the user to change path names and filenames to fit his setup. It also allows the user to change the actual commands to PGP, to get exactly what the user wants from the encryption program.

However, the on-line configuration isn't as clean as it could be. Accidentally blanking the command line leaves the user with no record of what the command line used to be. To replace a lost command line, the user has to resort to his own memory or to sifting through the PGP documentation.

Another shortcoming of EZ-PGP is its lack of an encrypt-only command. To encrypt a message, the user is forced to also sign the message. This makes anonymity somewhat difficult.

A decrypting command would also be convenient. Decrypting is a fundamental part of using encryption, and it is only right that decrypting be given equal status to encrypting by any PGP-compatible program.

However, an especially useful component of EZ-PGP is its on-line access to the file-wiping utility. What good is encryption if the plaintext files can be undeleted? EZ-PGP makes room for the user to install as powerful a file-wiping utility as he can find. It is as easy as changing the command line.

When you first run it, EZ-PGP will set up the file-wiping program by default to use PGP's "-w" option.

There is also an option to tell the program to look for Fidonet to Internet addresses. On many Fidonet BBSs, a message is sent to the Internet by sending the message to user UUCP at a certain address (which changes depending on where the BBS is), and then having the Internet address on the first line of the message.

Signing or encrypting a message with PGP would normally put the "-----BEGIN PGP SIGNED MESSAGE-----" line on the first line of the message, and move the Internet address down.

With this capability enabled, EZ-PGP will remove the Internet addresses (up to 10) from the message, and return them to the top line after PGP signs the message.

This may not be useful to everyone, but it is available. This option can also be left on without interfering with other mail.

EZ-PGP is currently free for use by anyone, and the author said in the documentation that it will always remain free for non-corporate use.

============================= 
Fixrep version 2.0
(c) 1994
By Jeffrey F. Bloss
Freeware
Available on the Game Room BBS at (814) 587-6348
=============================

Fixrep is an attempt at interfacing PGP and any off-line mail-reader that just does not work. The basic idea is that the user can set up a macro in the Qedit text-editor to call up Fixrep, which will call up PGP and encrypt or decrypt the text that is being edited. Fixrep requires that you use Qedit as your text editor in your off-line mail-reader.

The problem is that the macros do not quite work. I set this program up to work with Bluewave. It took me a long time and I needed a lot of help just to get the macros to call up Fixrep. Once that part was working, Fixrep was unable to find the temporary files it created.

It might be possible to get Fixrep to work, but it would require a great deal of tinkering and testing. With other programs on the market that are easier to set up and do a lot more, it is not really worth the effort.

However, once this program is up and running, it might have some flexibility that allows the user more control over their encryption. If you are the type of person who likes to spend lots of time trying to make things work, then this might be a good program to play with.

But, for all practical purposes, Fixrep does not do anything worthwhile.

* * *

Except for Fixrep, all of these programs were functional and relatively easy to use. Their main differences were their available options and their approach to getting the job done.

Deciding which one to use should be based on what you need from PGP. The strengths of PGPBLUE are that it is easy to install and use, and is user friendly. However, it does not have on-line configuration and costs $10 to register.

EZ-PGP is configurable for any file-wiping program, has on-line configuration and has no registration fee. It does, on the other hand, lack an encrypt-only option and a decrypt option. Neither is it especially user friendly.

AutoPGP is fun to use and includes a file insertion feature. However, AutoPGP is not entirely easy to use, and is only compatible with QWK packets.

I wish there was one program that had a combination of all of the above programs' strengths. If I could find a shareware program that included on-line configuration, versatile encrypt and decrypt options, file wiping configurability, user friendliness and file insertion capabilities, it would be my application of choice for interfacing PGP with my off-line reader.

In the meantime, I'll just have to keep the above programs installed on my hard drive.

Matthew Carey is the editor in chief of a community college newspaper in Los Angeles. He is also the founder of Vision Temple, a not-for-profit media-research society. E-mail him at ac118@lafn.org.

Beginners: How PGP Works

By John Schofield, Publisher

The most important development in the world of cryptography happened quietly some 16 years ago. Now, that development, public-key encryption, promises to revolutionize the world of privacy.

Before you can understand public-key encryption, you need to understand some of the background of cryptography--the science of hiding messages.

Almost all the different methods of hiding messages can be grouped into two main classes--secret-key and public-key systems.


In the Beginning

One of the simplest types of secret-key system is called the Caesar cipher. A cipher is simply a method of hiding the content of a message so that the message can later be reconstructed.

In the Caesar cipher, each letter is exchanged for another letter x letters down in the alphabet. For instance, suppose the "key" to a particular message was three. Then every letter would be replaced with the character three letters down.

Then "A" in the original message would be replaced by a letter three down in the alphabet--"D." "B" would be replaced by "E," and so on. If there is not enough "room" to go three letters down--for instance if you wanted to add three to "Y"--you simply wrap around to the beginning of the alphabet. Thus, three letters down from "Y" is "B."

The process of turning the readable plaintext into the seeming gibberish of the cyphertext message is called encryption. The process of making the cyphertext readable again is called decryption.

In a Caesar cipher with a key of three, "CAT" would translate as "FDW."

However, a cipher this simple is very easy to break--there are only 26 possible keys, so it would be very easy to simply try each key until you got a readable message.
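The Caesar cipher described above, and the reason 26 keys are too few, as an added example (not part of the original article). The function names and the small word list used to recognize "a readable message" are assumptions made for the illustration.

```python
import string

ALPHABET = string.ascii_uppercase  # the 26 letters the article works with


def caesar(text, key):
    """Shift each letter `key` places down the alphabet, wrapping past Z."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def caesar_decrypt(ciphertext, key):
    """Decryption is the same shift applied in the opposite direction."""
    return caesar(ciphertext, -key)


def try_all_keys(ciphertext, known_words):
    """Try all 26 keys; keep those whose output is made only of known words."""
    hits = []
    for key in range(26):
        candidate = caesar_decrypt(ciphertext, key)
        words = candidate.split()
        if words and all(w in known_words for w in words):
            hits.append((key, candidate))
    return hits


# Constructed sample: a tiny word list stands in for "readable English".
WORDS = {"THE", "CAT", "SAT", "ON", "MAT"}

if __name__ == "__main__":
    secret = caesar("THE CAT SAT ON THE MAT", 3)
    print(secret)                        # the cyphertext
    print(try_all_keys(secret, WORDS))   # the key falls out of 26 trials
```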


The Modern World of Secret Keys

Ever since the Caesar cipher, secret-key systems have been getting more and more complicated.

The most common modern secret-key system is the Data Encryption Standard (DES).

The DES, developed by the United States government, is commonly used for commercial encryption and for non-secret government communications. It is not considered strong enough to use for classified government messages.

The DES is much harder to break than the Caesar cipher, but it suffers from the same weakness all secret-key systems suffer from--the need to transmit the key.

Until both the sender and the receiver have copies of the same key, secure communication is impossible.

The receiver would be just as baffled as any eavesdropper if he did not have the key.

If an eavesdropper were to get a copy of the key, he would have complete access to the messages of the sender--messages would be as easy for the eavesdropper to read as they are for the receiver.

Thus, the sender and receiver have to be very careful in how they transmit the key. Not only do they have to ensure that the key is not garbled, but they have to make sure nobody else gets a copy of the key.

In practice, this often means face-to-face meetings or trusted couriers. This is awkward, since it has always been possible to meet face-to-face to exchange information securely.

It is this drawback in single-key encryption that caused the development of a new technology for encryption, the concept of public keys.


The Revolution: Public-Key encryption

Public-key systems are a leap forward in encryption that eliminates the main problem of single-key encryption--transmitting the key securely.

In public-key encryption, the sender and receiver each generate two keys--a public key and a private key.

The public key is used to encrypt messages, and the private key is used to decrypt them. Knowing the public key tells an eavesdropper nothing about the private key.

That's why public-key systems are so revolutionary. You don't care who gets a copy of your public key. You want as many people as possible to have copies of your public key.

A public key is good only for encryption. The private key is used for decryption only. Thus, there is no need for a secure method of sending the key, and no need for a face-to-face meeting.

Since your private key never leaves your computer, it is much harder for a potential eavesdropper to get a copy of it. Rather than simply intercepting a message containing the key, the eavesdropper would have to break into your house or office and copy the key from your computer.

Let's say Alice wants to send a message to Bob. First, Alice needs a copy of Bob's public key, because the public key is used for encryption. Bob posts his public key somewhere in a public place, where anyone can get it. Alice picks up Bob's public key there (as does anyone else who wants it) and encrypts a message to him.

When Bob wants to read the message, he decrypts it using his private key, which never left his computer.

When he wants to send a message back to Alice, he uses her public key to encrypt the message.

Alice will decrypt the message with her private key, and read the message.


Under the Hood: Pretty Good Privacy

Pretty Good Privacy (PGP), written by Philip Zimmermann, is the most widely used public-key encryption program available today.

[Ed. note: See Keep Out's interview with Zimmermann in this issue.]

PGP uses the RSA public-key method. RSA got its name from the last names of its inventors--Ron Rivest, Adi Shamir and Leonard Adleman.

Because the RSA method of doing encryption is secure but very slow, PGP actually uses both public (two-key) and secret (one-key) systems.

First, PGP encrypts the message using IDEA, a fast one-key encryption method that is very secure. Then PGP includes the key to the IDEA-encrypted message in the message packet, and encrypts the IDEA key with RSA. That way PGP gets the benefit of fast IDEA encryption and the benefits of public-key systems, like not needing a secure method of transmitting keys.

The IDEA keys PGP uses are randomly generated each time a message is encrypted.
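The packet structure described above, as an added example that is not PGP's own code: a random session key encrypts the body, and only that key is encrypted with the receiver's public key. Assumptions: a SHA-256 keystream stands in for IDEA, the RSA key is a toy built from two small known primes with no padding, and all function and field names are hypothetical.

```python
import hashlib
import secrets

# Toy RSA key pair for the receiver (constructed; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1            # two known Mersenne primes
N, E = P * Q, 65537                     # public key: (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, never shared


def stream_xor(key, data):
    """Stand-in for IDEA: XOR the data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def hybrid_encrypt(message, public_n, public_e):
    """Build a packet: RSA-wrapped session key plus the encrypted body."""
    session_key = secrets.token_bytes(16)   # fresh random key per message
    # Textbook RSA on the key only; real implementations pad it first.
    wrapped = pow(int.from_bytes(session_key, "big"), public_e, public_n)
    return {"wrapped_key": wrapped, "body": stream_xor(session_key, message)}


def hybrid_decrypt(packet, private_d, public_n):
    """Recover the session key with the private key, then decrypt the body."""
    key_int = pow(packet["wrapped_key"], private_d, public_n)
    session_key = key_int.to_bytes(16, "big")
    return stream_xor(session_key, packet["body"])


if __name__ == "__main__":
    packet = hybrid_encrypt(b"Meet me at the usual place.", N, E)
    print(packet["wrapped_key"], packet["body"].hex())
    print(hybrid_decrypt(packet, D, N))
```

The slow public-key operation runs once, on 16 bytes, no matter how long the message is; encrypting the same message twice yields different packets because the session key changes each time.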

Now you should know the basics of how PGP works, and a little bit about encryption in general. In the next issue, we will learn more about how PGP works, including digital signatures and encrypting to more than one person, and then we'll take a look at how you can set up PGP on your own system.

Advertisement

Keep Out and the Sprawl:
A perfect combination

(818) 342-5127 (300-14,400 BPS)
(818) 342-5118 (300-28,800 BPS, subscribers only)
(818) 345-8640 (voice)

The Sprawl is Keep Out's home BBS. You can choose from a huge selection of encryption software, encryption text files, and information on electronic and conventional privacy.

Full Fidonet access is available, along with Internet e-mail and newsgroups. The Sprawl is your inexpensive link to the world.

Access to the Sprawl is FREE, but subscribing gets you access to the second line, unlimited downloads, three hours a day, and the ability to send Internet e-mail and Fidonet Netmail. A one-year subscription to the Sprawl costs $20. A six-issue (one-year) subscription to Keep Out magazine is $15. If you subscribe together, it's only $25.

That's a $10 savings over buying them separately! We can not accept credit cards, but checks or money orders payable to "Keep Out" are welcome.

Keep Out/The Sprawl
P.O. Box 571312
Tarzana, CA 91357-1312

End-Of-File

-----BEGIN PGP SIGNATURE----- 
Version: 2.7
Comment: Call 818-345-8640 voice for info on Keep Out magazine.

iQCVAwUBLxWJU2j9fvT+ukJdAQFKQwP/eHcW6MKMbH9hLPpTBsolearDg5uMdvpE
pPhjgBFTb6jZHmkcRE7I1qfcJqcWOtmT+FcaSUkWoK3M0a5youtiS1fbXtGqfNID
+CZugCkvg9/VG45zQu/RGmx5L0XwYmtYHf40exJRqS6emRbasQCVAytYVStQ/4Xj
Vy4IjjtUN3A=
=nkUL
-----END PGP SIGNATURE-----
