Date: Sun, 20 Feb 1994 17:46:34 -0800
From: [email protected] (Xenon)
Subject: "Here's How to MacPGP!" guide

Here's the latest version (2.7) of my "Here's How to MacPGP!" guide, to
replace /info-mac/info/macpgp-guide-18.txt.

Hey Mac user, having too much fun? Don't want your plans made public?
You're sending e-mail on "postcards" if you don't have the free public key
encryption program PGP. You heard about it in the news; here's your easy
guide to getting and using it. It will get non-Mac users started too.

-=Xenon=- <[email protected]>

Send mail to [email protected] with Subject "Bomb me!", for my "Here's How
to MacPGP!" guide (this document) and Gary Edstrom's PGP FAQ. If you
received this unexpectedly, it means I found your post on Usenet or
elsewhere asking about PGP, or I have made a mistake. People can now get
these by anonymous ftp to netcom.com in /pub/gbe and /pub/qwerty as well.

-=Xenon=-

Note: Don't try to get MacPGP from the ftp site soda.berkeley.edu, since
it is mislabelled as being a Mac BinHex file, but it happens to also
be Unix gzipped, without being labelled as such (no .gz at the end). They are
being slow about fixing this.

Also: ViaCrypt should be coming out with a licenced MacPGP version. I
suggest you buy it when it is available. It would be nice to get over
this patents stigma.

Archie search for macpgp2.3 ftp sites, done 2-20-94:

Host athene.uni-paderborn.de
   Location: /unix/network/security
          FILE -rw-r--r--     422851  macpgp2.3.cpt.hqx
Host cs.huji.ac.il
   Location: /pub/security/pgp/2.3A
          FILE -r--r--r--     422851  macpgp2.3.cpt.hqx
Host ghost.dsi.unimi.it
   Location: /pub/security/crypt
          FILE -rw-r--r--     422851  macpgp2.3.cpt.hqx
Host isy.liu.se
   Location: /pub/misc/pgp/2.3A
          FILE -rw-r--r--     422851  macpgp2.3.cpt.hqx
Host ftp.luth.se
   Location: /pub/mac/appl/encryption
          FILE -rw-r--r--     422900  macpgp2.3.cpt.hqx
Host ftp.cc.adfa.oz.au    (131.236.1.2)
   Location: /pub/security/pgp23
     FILE    -rw-r--r--  422885  macpgp2.3.cpt.hqx

-----BEGIN PGP SIGNED MESSAGE-----

Hey Mac user you're sending e-mail on "postcards" if you don't have PGP.
You heard about it in the news; here's....

How to MacPGP:
Version 2.7 (Feb. 19, '94)

PGP will encrypt files so not even crazy people with supercomputers can
decrypt them. You write e-mail on a word processor, encrypt it using a
someone's public key, and send it off. They use their private key to
decrypt it. Public keys are just that; give yours out freely. Once a person
encrypts a message with your public key, not even they can read it again.
Only you, using your private key. Phil Zimmerman's PGP is the grassroots
alternative to the Clipper Chip, which gives the government your secret
key. I will send the PGP FAQ and this guide to anyone who sends mail to
[email protected] with Subject "Bomb me!".

[Non-Mac users: READ THIS, and the "PGP FAQ" by Gary B. Edstrom (available
on alt.security.pgp or ftp to netcom.com in /pub/gbe in parts as
pgpfq*.asc)! A beginner's guide like this one by Out and About
<[email protected]> called "DOS PGP Guide" exists (ftp to ftp.eff.org
in /pub/EFF/Policy/Crypto as pgpstart.tutorial). Answers to questions (not
in the FAQ) are available on the Usenet group alt.security.pgp. If you
don't have Usenet, mail questions to [email protected]
(or @anon.penet.fi) and ask for e-mailed replies. There are versions for
DOS (and friendly add-on interfaces), Windows, Unix, VAX/VMS, Atari ST,
Amiga, OS/2, Archimedes and others. Get "The Big Dummy's Guide to the
Internet" as shown below.]

Get a Unix e-mail account (student or commercial) with internet access, and
a modem. GET A COPY OF THE FREE MAC PROGRAM STUFFIT EXPANDER (you NEED it,
not just BinHex!). Log into your e-mail account. If you are stuck in a
menu-driven place, figure out how to "escape to Unix" which will give you a
$ or % prompt. Welcome to the internet. Let's find PGP. Type 'telnet
archie.internic.net', login as 'archie', and type 'prog macpgp2.3'. A list
of sites around the world having PGP will appear. Type 'bye'. One of the
sites it gave me was:

Host isy.liu.se    (130.236.1.3)
Last updated 08:14  3 Nov 1993

Location: /pub/misc/pgp/2.3A
 FILE  -rw-r--r-- 422851 bytes  10:58 19 Sep 1993  macpgp2.3.cpt.hqx

This archie server is fast, rarely overloaded, but limited. Another is
archie.sura.net. Trying this site may fail but gives a list of other sites
(and a hint to try 'qarchie' at this site). Do archies at night (same for
ftp). You want a macpgp2.3 that ends in .hqx (or try leaving out the .gz
when you do 'get' below, OR use 'binary' instead of 'ascii' below, then
'gunzip macpgp2.3.cpt.hqx.gz' in your account). Hqx (BinHex) is a way to
code Mac stuff as text. The .cpt is a Mac compression method, as are .sit
or .sea. The lists from other servers will be longer. I will use the above
macpgp2.3.cpt.hqx at site isy.liu.se as an EXAMPLE.

Type 'ftp isy.liu.se', login as 'anonymous' and use an e-mail address as
the password. For fun type 'ls -l'. You are in their hard disk's main
directory and this is what's on it. Lines starting with 'd' are directories
that you can move into using 'cd' ('cd ..' to backup). (During ftp use 'get
filename "|more"' if you want to read a text file called "filename"; 'q' to
stop). Based on the archie search, type 'cd /pub/misc/pgp/2.3A', and again
'ls -l'. There it is! Type 'ascii', 'get macpgp2.3.cpt.hqx', and wait; it
is being transferred to your account. When you get the ftp> prompt type
'bye'. Back to e-mail and the hard part. Type 'ls -l' to see it.

Find out how to DOWNLOAD a text file from your account to your desktop.
[Try 'kermit', 'set file type text', 'send macpgp2.3.cpt.hqx', and initiate
a receive in your software (set to do kermit transfers). Or 'sz
macpgp2.3.cpt.hqx' (with software set to zmodem)]. Drag this file onto the
icon of Stuffit Expander. MacPGP2.3 will appear. In your account 'rm
macpgp2.3.cpt.hqx' will remove it.

You naughty thing. PGP on another Mac. Print the documentation. It is
indeed cryptic. Better is the help feature of MacPGP2.3 itself, which is
also printable. Start PGP. Make yourself a public/private key pair with
'Generate key', select '1024' ("slow" is only key generation), leave the
'17' alone, and enter a name. Your secret key is really a long file that
you will never have to manually type in, but you have to remember a "pass
phrase" to use it (and keep others from using it if they steal your secret
key). Check 'Show pass phrase' and enter a very memorable, very obscure
sentence. Don't use all normal words! Make up tricks like "Pile?driver" or
"Here1we2go3you2stupid1bozo." Type away as requested to make some random
numbers. Wait. You can see your public key with 'View keyring' on
pubring.pgp. DON'T FORGET YOUR PASS PHRASE! Writing it down is better than
a slight chance of forgetting it.

Sign your own key to prevent others from changing its ID: 'Certify key',
select pubring.pgp, select your own key, and again your own key. This is
also how you sign other people's public keys [then extract it as shown
below to send to them, so they can add ('Add keys') your signature to their
public key]. Once you have a circle of friends who have signed each other's
keys, you have a trusted network. If someone mails you a key signed by
someone in this network, you can better trust it. There is no way for
someone to forge your friend's signature on that key unless they stole your
friend's secret key AND knows its pass phrase. [You need the public key of
a friend to verify ('Check signatures') a signature they have placed on a
key.]

Write some e-mail on a word processor and save it ('Save As') to the
desktop as TEXT ONLY (ascii) and close its window. Do 'Encrypt/Sign' on the
file. Double click on the public key you want to encrypt it with (for now
your own) and hit 'OK'. Check 'Treat source as text', 'Produce output in
ASCII format', and hit 'OK'. A file ending in .asc will be made. Don't let
the icon fool you; this is a simple text file that you can open with a word
processor. Do this. You will see,

-----BEGIN PGP MESSAGE-----
Version: 2.3

Lines of random looking text characters here.
-----END PGP MESSAGE-----

This text (lines included) can be sent by e-mail to anyone on any computer
running PGP. But since it is encrypted with your public key, let's pretend
a friend made it and sent it to you. Toss the original. In PGP, do
'Open/decrypt', and choose the .asc file. Enter your pass phrase so PGP can
use your secret key. A text file, the decrypted message, will appear. [The
System 7 Control Panel "defaultappliction" by L. D'Oliveiro will allow a
double-click to open text files to the word processor of your choice (ftp
to ftp.luth.se in /pub/mac/system/controlpanels). If you use Microsoft
Word, removing the "Text with Layout" filter from the "Word Commands" file
will kill that annoying choices window too.] When you receive a PGP
message, it will have e-mail headers, but PGP will ignore (and edit out!)
anything outside the PGP header and footers.

Shortcut: write text in a word processor, copy it to the Clipboard and have
PGP encrypt it THERE ('Clipboard' button in 'Encrypt/sign' dialog box),
then paste it into e-mail. This also works for decryption, allowing you to
paste the decrypted text anywhere. The Finder also has 'Show Clipboard', or
you can check 'Decrypt to screen only' but I do NOT recommend this feature
(fails if lines >80 characters, and crashes during saves). There is a nasty
bug in MacPGP2.3 which causes a crash if you use the Clipboard to check a
signed message and you don't have the public key to check it with. If you
get mail from someone who's key you don't have, don't use the Clipboard
feature!

[You can just paste small text blocks into e-mail. Your software should
also have a "send" feature to autotype LARGE text files to the screen. This
is what I use, but it can be tricky AND there may be no error control
(characters may get lost, ruining the message). If lines get cut wrong,
turn off word-wrapping in your account or software. More reliable is to
upload a file ('rz'; or 'kermit', 'set file type text', 'receive') and
include it in e-mail (in Unix 'mail', '~r filename' as a line in e-mail, or
use 'mail -s "Hi there!" name@site < filename'). You can view text files
with 'more filename', 'q' to stop. Flow control should be 'hardware' (in
software or modem setup string). If you RECEIVE long e-mail, use the
"capture" feature of your software when you view it, OR save it to a file
and download it. Making windows tiny lets text scroll faster. Ask questions
on comp.dcom.modems.]

Checking 'Encrypt and sign' also SIGNS a message you are encrypting.
Signatures are a trick, in that they are ENCRYPTED with your secret key,
meaning a message must be from you (unaltered) since only your public key
can decode them. If you want to SIGN NON-encrypted text, use the menu item
'Sign Only' and check 'Append clear signature'. A text file will appear
containing your readable e-mail between the header and footers of the
signature. Anyone can check that this message is from you and is unaltered
(copy to Clipboard, then 'Open/Decrypt'), if they have your public key.

[Problem with signing NON-encrypted messages: If you don't cut lines to
about 75 characters BEFORE signing, the carriage returns added on uploading
(by Unix or your software) will spoil the signature! For this I use
Drop*TextBreak by Robert Gibson (ftp to sumex-aim.stanford.edu in /info-
mac/text as drop-text-break.hqx). Another problem: certain characters may
be altered upon uploading text. Don't use smart quotes (curly symbols for '
and ") or control characters. E-mailing a message to yourself will reveal
problems (use a text comparison utility). This ONLY concerns "clearsigning"
of NON-encrypted messages.]

To send your public key to a friend do 'Extract key' with 'aciify' checked,
and name it "My public key". A text file of your public key will appear:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3

About 8 lines of random looking characters here.
-----END PGP PUBLIC KEY BLOCK-----

When you get a friend's public key, get it to your desktop (paste into
blank document and save as TEXT ONLY). Do 'Add keys', select the file, and
select pubring.pgp to add it to your public key ring. Try this with my key.
('Fingerprint key' will give you a short string of characters unique to
that key, for verbal confirmation of key origins.)

Now you can encrypt text files with their public key to send to them. You
can also send non-text files (ANY Mac file) by using 'Treat source as a Mac
file' and 'Produce output in ASCII format'. You will again get PGP text
block to send. To decrypt this, it is the same as before. Presently MacPGP
wont let you select a Macintosh folder full of stuff, so use a compression
program (Stuffit Lite or Compact Pro, shareware) to put items into one
archive file (PGP itself compresses files so make NON-compressed
archives).

[To encrypt a file on your hard disk only, you can use the menu item
'Conventional Encryption' (and even create "self-decrypting" Mac files)
with 'Treat source as Mac file' checked. However the pass phrase in this
case is ITSELF the key used to encrypt the file, so you must be VERY
careful in typing it and remembering it (and why not use the drag-and-drop
utility Curve Encrypt by Will Kinney instead, even though it doesn't
compress files like PGP does, it can do multiple files at once; from
ripem.msu.edu in pub/crypt/other/curve-encrypt-idea-for-mac as
curve_encrypt.sea.hqx). I prefer to just encrypt such files with my public
key, again checking only 'Treat source as Mac file". The result of these is
not a text file!]

When you have PGP up and running, with a few signatures on your key, send
your public key to a keyserver. You can find most anyone's key on these
servers. See the "PGP FAQ" and the blurb in the PGP documentation for
details. (There are people who will plop your public key onto the
keyservers, even if you send it in e-mail and especially if posted to
Usenet. Be happy with your key first. You can still add new signatures to
your key on the servers by adding your the signed key to any server.) There
is also a finger server for public keys. Do 'finger [email protected]'
to check for someone's public key, and to find out what its Key ID is,
where "keyword" is part of his name or e-mail address. Then do 'finger
[email protected]', if 123456 is the Key ID.

[Bug: if you are sent a PGP message by e-mail (ascii text-format), and you
don't end the name of this text file on your Mac with .asc, PGP will ask
you if you want to replace it. If you say yes and give it another name, it
may fail to immediately update the finder views. You wont be able to see
the output file (ignore the temporary files ending in .$01 and such), but
you CAN see it in the 'Open' dialog of a word processor. Three solutions:
add .asc (or just a period!), enter a new name while you are STILL in the
decryption options dialog box (not possible if you use the drag-and-drop
feature of System 7), or LET IT OVERWRITE THE ORIGINAL TEXT FILE (you loose
any text outside the PGP message). This is not a problem with binary PGP
messages, which normally end in .pgp but don't have to.]

Realize that a PGP message tells anyone the name of the public key it was
encrypted with. On creating a new key pair with an anonymous nickname and
using an anonymous remailer (send blank mail to [email protected] or read
about remailers in the PGP FAQ), this information is removed. A commercial
Unix account is good too, as e-mail errors wont route to your LOCAL system
administrators. Netcom (408-554-UNIX) even lets you keep your real name
private (but call by phone or the sites you have telnetted in from are
told). Note though, that sending a floppy with no return address is much
more secure than using anonymous remailers on the Word Wide Wiretap, er...
internet.

Another trick is to HIDE your use of encryption. Stego by Romana Machado
(ftp to sumex-aim.stanford.edu in /info-mac/cmp) will hide text as the
least significant bit in a Mac PICT file, but this increases the size of a
message by 8-24 times. I prefer to type a message in a word processor, cut
it out, encrypt it within the Clipboard, past
e it back, save it as a real
word processor file, then BinHex that (using the Drag and Drop utility
hqxer-11.hqx by John Stiles: ftp to sumex-aim.stanford.edu in /info-
mac/cmp), and finally have my software autotype the file into e-mail. This
is fast, and it's business as usual sending BinHex encoded Mac files. This
way PGP is simply a Clipboard utility that adds encryption to a word
processor. On receiving such a file, download it, drag it onto Stuffit
Expander, and again use PGP as a Clipboard utility to decrypt it. [You may
need to put 'set escape=~' into a file called .mailrc, if your Unix system
doesn't use the normal tilde (~) escape character for e-mail, to avoid
stripping any lines out of BinHex files!]

You can set many defaults by editing the text file config.txt. 'TextMode =
on' checks 'Treat source as text'. 'Recycle_Passwords = on' means you only
have to type a pass phrase once per PGP session (but get it right the first
time!). 'Armor = on' checks 'Produce output in ascii format'. 'ClearSig =
on' checks 'append clear signature'. 'Verbose = 0' sets Quiet Mode, which I
prefer. You can always uncheck them; they are only defaults. I do NOT
recommend setting 'showpass = on' which checks 'show pass phrase', since it
leaves it on the screen! Just check 'Show pass phrase' manually to avoid
this. Even so, your pass phrase is really only safe after you have quit
MacPGP, so don't leave it running if you put a PowerBook to sleep.

Read the manual and the Usenet groups alt.security.pgp, alt.privacy and
talk.politics.crypto. If MacPGP ever freezes hold down the option, command,
and escape keys to force it to quit. Get a program to erase data from your
hard disk after you "empty" the Trash and a replacement for the Trash
itself (FlameFile by Josh Goldfoot does both; ftp to mac.archive.umich.edu
in /mac/util/security as flamefile1.38.cpt.hqx). Get "The Big Dummy's Guide
to the Internet" by Adam Gaffin and Joerg Heitkoetter (ftp to ftp.eff.org
in /pub/Net_info/Big_Dummy, as the text file bigdummy.txt). Get "Anonymity
FAQ" (ftp to rtfm.mit.edu, in /pub/usenet/news.answers/net-anonymity, in
four parts) and "Privacy and Anonymity FAQ" (in
/pub/usenet/news.answers/net-privacy, in three parts) by L. Detweiler. If
you find PGP hard to use, live with it; new versions will arrive. I know
nothing about non-Mac PGP. Go figure; don't ask me. I don't care about you.
I just want more people to use PGP so I can hide my wonderfully important
messages in the noise of your boring ones ;-).

[If you get tired of the tiny scrollable list of keys when you select a
public key for encryption, open a COPY of MacPGP2.3 with ResEdit (ftp to
ftp.apple.com in /dts/mac/tools/resedit as resedit-2-1-1.hqx) and open
DLOG, #129, set 'MiniScreen' in the menu bar to the size of your screen,
and resize the little window to make it taller. Double click on it, then
move the buttons to the bottom, after dragging a rectangle around them to
select them. Make the selection box taller now too. Quit. Now you will get
a full-sized scrollable box which shows many more keys at once. Do NOT
distribute this modified form of MacPGP.]

Note that PGP is very controversial, both legally (patent rights and export
laws) and politically (as a tool it empowers individuals to ensure their
own right to privacy). Despite this it is becoming the standard encryptor.
It may change the world.

Comments on when and where I should post this and suggestions as to content
are invited. I see too many "How do I get PGP?" inquiries needing real
answers, and too many copies of PGP added to unused novelty collections.
POST THIS EVERYWHERE. Please do not alter it. (Copyright Xenon, 1994).

-=Xenon=-  <[email protected] or slower, [email protected]>

My key (remove the '-' and 'space' from the lines, added on signing this
document):
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3

mQCPAizgA+EAAAEEAMzQAf9ff0q9tVD5oBxtVlPYAito4RBM+hJvX4irXzYgJWsA
Fhc4b/RfLcbGQVHwm0Q74cp/KhijXqGeLE2Tk62x04u1mjfBevoOHUltOOWxrIbU
y6ros1cThAzVL03lkh6OHR3DbfUJWld9WtmamGWFGHYvt1WSagSzG6zrQn1RABEB
AAG0BVhlbm9uiQCVAgUQLPj9XgSzG6zrQn1RAQEvhwP8Cpm7gxR1mkgnGA8TPHXo
vyjiUKpoXJlbMizz/yKzIHfPXDqKq9bcEz15mS5t7Jl9ZFBKs+n39D79lbB5ZLcn
2qKuT5f+A9+++3bCcFlqRQqoHMzRfhIPCDYY5XNDLpR+vsUadxrC8N200qpvLvpL
Wb7LQ+hXkrskvFwpJErIS1Y=
=bZeo
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.3

iQCVAgUBLWe8UASzG6zrQn1RAQEq7wP9E0T733caOhgi6lBoVu1ThRdywl6dMopD
U+OBnM5EXgHtkmUKMIdUmL/AY9Jv7y/QwsfjziTXr0po5XaGH0vOI4tDm4+o3c6u
5gyE412XeGs5JqZxdIQcopp5XwboQGhDLjZqua3sFq0tl0OJRVea1K8jJGof1ISf
are5gyKQ3vo=
=GSbx
-----END PGP SIGNATURE-----

You are viewing proxied material from gopher.floodgap.com. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.