
Nitty gritty walk through of using PGP with S/key

A: Setup phase

  1. Choose a machine on which to install PGP.
  2. Install pgp.
  3. Read the fine manuals that come with PGP.
  4. Make a PGP directory.
  5. Generate a keyset.
  6. Send your public key to BWH.
  7. Get BWH public key.
  8. Get a call from BWH to fingerprint keys.
  9. Get signed list of BWH collaborators PGP keys.

B: Usage phase

  1. Mail a signed request for a new s/key to Adam.
  2. Get an encrypted, signed set of one time passwords sent back to you.
  3. On your local pc/mac/workstation:
  4. Decrypt the password set and print it.
  5. Delete any temporary files.

This document is interspersed with the unix way to do things. The unix version of PGP uses the same commands as the dos version. Mac users have a menu version, so just ignore the pgp -foo things, and find the right menu option.

A: Setup phase

A0. Choose a machine on which to install PGP.
There are two factors to consider in deciding what machine to run PGP on: who controls it, and how local it is to you.

The machine must, must, MUST be local to you. The further you are from the CPU, the more opportunities exist to intercept your passphrase. If you telnet to BWH, we spend a lot of time making sure our machines are safe, but the network between you and us is not. There are people listening. If your passphrase is intercepted, all you have left is the secrecy of your secret key.

Since you want to protect your secret key, it is wise not to store it on a unix machine. Someone else has, or could get, root access to the machine without you knowing. If you have a PC or mac in your home or office, the home machine is the best choice. (Today, people are unlikely to break into your home to steal your secret key. They might steal your computer, but it's probably not so they can break into the Brigham.) An office machine is also a reasonable choice. Store your secret key on a floppy if the machine is used by several people.

A1. Install pgp.
See 'Getting and installing PGP', which was sent to you along with the other letters. If you need step by step instructions, let me know.

A2. Read the fine manuals that come with PGP
Always a good idea, and an especially good idea with PGP, which is a complex system with some potential pitfalls. See the PGP hypertext documentation: http://www.pegasus.esprit.ec.org/people/arne/pgp.html

There is also a page full of links to PGP documentation pages.

A3. Make a PGP directory.
Unix
Create a directory, ~/.pgp, for your keys to live in. Add a line to your .login to set up the PGPPATH environment variable, and protect the directory with chmod to prevent others from looking at your keys.

  mkdir ~/.pgp
  chmod 700 ~/.pgp
  add to .login: setenv PGPPATH ~/.pgp

(There's no comparable set of actions for DOS/Macs.)

A4. Generate a keyset
You'll then generate the keyring with pgp -kg. This requires a bit of time, about 10 minutes. I recommend that you generate a 1024 bit key, because it will be more secure and there is little reason not to. Choose a passphrase that you can remember, because there is NO way to recover your passphrase if it is lost.

A5. Send your public key to BWH
Since the public key can be known to anyone, there's no reason to worry about who sees it on its way to the BWH. To get your public key in a mailable form, use pgp -kxa, and copy the resulting text file into your favorite mailer. Don't forget to include the 'Begin' and 'End' lines.

A6. Get BWH public key
You'll need our public key. Use pgp -ka on this text to add our keys.

A7. Get a call from BWH to fingerprint keys.
Someone you know at the Brigham, who will recognize your voice, will call to fingerprint your key. Fingerprinting is a means of digesting the key so that a short list of letters can be compared, instead of trying to read off the entire key. To get a key fingerprint, use pgp -kvc (userid). pgp -kvc (without a userid) will produce the entire list.

A8. Get signed list of BWH collaborators PGP keys.
Once we've fingerprinted your key, and you've fingerprinted ours, we'll send you a signed list of BWH collaborators and their public keys, in case you'd like to send stuff to anyone that you normally would not want to send through internet mail.

B: Usage phase

1. Mail a signed request for a new s/key to Adam.
There are several good front ends to PGP that prevent you from needing to remember options. For the Mac, there's stuff done by the Mac Crypto Interface project. Let me know if you know where the pages went. On the PC side, I'm still looking for a good page. A couple of pages I've found include:

2. Get an encrypted, signed set of one time passwords sent back to you.

All use of PGP should be on your desktop

All use of PGP should be done on your desktop machine. If your desktop machine is a unix box, use the who, w or finger commands to find out who is logged on. If no one else is logged on, it is much safer to run PGP on your unix machine. It is better to run on a mac or PC, as those do not provide networking facilities for other people to be remotely running programs the way unix machines do.
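
An added example (not part of the original walkthrough): shell functions that check the two unix precautions this document describes, that the key directory from step A3 is private and that no one else is logged on. The function names are made up for this example, and ~/.pgp is assumed when PGPPATH is unset.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; who output is parsed by
# its first column (the login name).

# Succeed only if DIR is a real directory (not a symlink), owned by the
# current user, with no group/other permission bits set (chmod 700).
pgp_dir_is_private() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -O "$dir" ] || return 1
    # ls -ld prints e.g. "drwx------"; characters 5-10 are the group and
    # other permission bits.
    mode=$(ls -ld -- "$dir" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Read `who` output on stdin; print each login name other than ME once.
# No output means nobody else is logged on.
other_logins() {
    awk -v me="$1" 'NF && $1 != me && !seen[$1]++ { print $1 }'
}

# Run both checks. Assumes ~/.pgp when PGPPATH is unset.
pgp_preflight() {
    keydir=${PGPPATH:-$HOME/.pgp}
    if ! pgp_dir_is_private "$keydir"; then
        echo "key directory $keydir is not private (want chmod 700)" >&2
        return 1
    fi
    others=$(who | other_logins "$(id -un)")
    if [ -n "$others" ]; then
        echo "other users are logged on:" $others >&2
        return 2
    fi
    echo "ok to run PGP here"
}
```

Source the file and run pgp_preflight before each PGP session; a nonzero status means one of the two checks failed.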

4. Decrypt the password set and print it.

5. Delete any temporary files that might be on disk.

© Copyright 1994 Adam Shostack. All rights reserved.
