Nitty gritty walk through of using PGP with S/key
- Chose a machine on which to install PGP
- Install pgp.
- Read the fine manuals that come with PGP.
- Make a PGP directory.
- Generate a keyset.
- Send your public key to BWH.
- Get BWH public key.
- Get a call from BWH to fingerprint keys.
- Get signed list of BWH collaborators PGP keys.
- 1. Mail a signed request for a new s/key to Adam.
- 2. Get an encrypted, signed set of one time passwords sent back to you.
- 3. on your local pc/mac/workstation:
- 4. Decrypt the password set and print it.
- 5. Delete any temporary files.
This document is interspersed with the unix way to do things.
The unix version of PGP uses the same commands as the dos version.
Mac users have a menu version, so just ignore the pgp -foo things, and
find the right menu option.
There are two factors to consider in deciding what machine to
run PGP on, who controls it, and how local it is to you.
The machine must, must, MUST be local to you.
The further you are from the CPU, the more opportunities exist to
intercept your passphrase. If you telnet to BWH, we spend a lot of
time making sure our machines are safe, but the network between you
and us is not. There are people listening. If your passphrase is
intercepted, all you have left is the secrecy of your secret key.
Since you want to protect your secret key, it is wise not to
store it on a unix machine. Someone else has, or could get, root
access to the machine without you knowing. If you have a PC or mac in
your home or office, the home machine is the best choice. (Today,
people are unlikely to break into your home to steal your secret key.
They might steal your computer, but its probably not so they can break
into the Brigham.) An office machine is also a reasonable choice.
Store your secret key on a floppy if the machine is used by several
See 'Getting and installing PGP', which was sent to you along
with the other letters. If you need step by step instructions, let me
Always a good idea, an especially good idea with PGP, which is
complex system with some potential pitfalls. See the
PGP hypertext documentation.
Theres is also a page full of links to a list of PGP
chmod 700 ~/.pgp
add to .login: setenv PGPPATH ~/.pgp
(theres no comparable set of actions for Dos/Macs)
- Create a directory, ~/.pgp for your keys to live in. Add a
line to your .login to set up the PGPHOME enviroment variable, and
protect the directory with chmod to prevent others from looking at
You'll then generate the keyring with pgp -kg. This requires
a bit of time, about 10 minutes. I reccomend that you generate a
1024 bit key, because it will be more secure and there is little
reason not to. Choose a passphrase that you can remember, because
there is NO way to recover your passphrase if it is lost.
Since the public key can be known to anyone, theres no reason
to worry about who sees it on its way to the BWH. To get your public
key in a mailable form, use pgp -kxa, and copy the resulting text file
into your favorite mailer. Don't forget to include the 'Begin' and
'End' lines. Mail to Adam
You'll need our public key. Use pgp
-ka on this text to add our keys.
Someone you know at the Brigham, who will recognize your voice
will call to fingerprint your key. Fingerprinting is a means of
digesting the key so that a short list of letters can be compared,
instead of trying to read off the entire key. To get a key
fingerprint, use pgp -kvc (userid). -kvc (without a userid) will
produce the entire list.
Once we've fingerprinted your key, & you've fingerprinted
ours, we'll send you a signed list of BWH collaborators and their
public keys, in case you'd like to send stuff to anyone that you
normally would not want to send through internet mail.
There are several good front ends to PGP that prevent you from
needing to remember options. For the Mac, theres stuff done by the
Mac Crypto Interface project. Let me know if you know where the pages
went. On the PC side, I'm still looking for a good page. A couple of
pages I've found include:
All use of PGP should be done on your desktop
machine. If your desktop machine is a unix box, use the who, w or
finger commands to find out who is logged on. If no one else is
logged on, it is much safer to run PGP on your unix machine. It is
better to run on a mac or PC, as those do not provide networking
facilities for other people to be remotely running programs the way
unix machines do.
© Copyright 1994 Adam Shostack. All rights reserved.