Lurking with PGP

Michael K. Johnson

Issue #32, December 1996

Phil Zimmermann's PGP program was written primarily to allow people to be quite sure their private communications remain private. The messages are encrypted so that only the intended recipient is able to read them—as long as users have read the manual and paid heed to its security warnings. Pretty Good Privacy.

Lurking is a time-honored practice. If you don't want to seem foolish when you join a newsgroup, you lurk there, reading articles without posting any, learning what is expected of participants in that newsgroup. The same goes for mailing lists. Some people never quit lurking—and on the Internet, and on Usenet, that's all right.

While reading Usenet news or a mailing list, you have probably seen a PGP-signed message. It looks something like this (the signature has been slightly modified to fit in the magazine):

-----BEGIN PGP SIGNED MESSAGE-----
This is an example PGP-signed message.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCUAwUBMYlOKyd5aW9FNqjdAQHVpAP4vrpL2MoIm3MFk
95e7mRaYwRoKSL4lpCDR8WvDo13ICvaa/IbYxZwH/5IFM
vve7a+HnFPFd7pKegsJxSc8MgFnnBCxTJAEeimLCmZ+DA
VHPwqnEjxdeTWvwoysg2hm89CUOxvn4ArbG3yntlRlL+k
0HPjV+D0Uvi+LN0sNroi5A==
=G3yB
-----END PGP SIGNATURE-----

You can read the message just fine by ignoring all the PGP-specific stuff. But you can also make use of it by learning a few simple commands—and learning how to use them.

Simple Security?

Are you intimidated by PGP's manual? Perhaps you should be. Unlike other software products, with which it is Okay to fool around in order to learn it piece by piece as you need it, cryptographic software needs to be well-understood to be truly secure. Using it incorrectly can give you a feeling of security—but that's worse than not using it at all, because with that false sense of security, you will use it to send sensitive information that you would never have dreamed of sending via e-mail otherwise. The manual section on key management isn't that long, but you do have to understand it, and to do that, you do need to read quite a bit of the manual.

If you want to write PGP-encrypted e-mail, you have to read the manual. This article can't substitute for the manual in teaching you how to keep your e-mail private. You have your choice of the free manual distributed with the source code, the printed version of the official manual sold by MIT Press, or the O'Reilly book, PGP: Pretty Good Privacy, ISBN 1-56592-098-8, written by Simson Garfinkel.

So Why Read This Article?

So you can “PGP-lurk”. You don't have to send PGP-encrypted e-mail in order to take advantage of PGP signatures; you can simply verify that messages sent by other people are really sent by them, and not by someone else masquerading as them. But in order to do that, you really need a little bit of background. Don't worry, this won't hurt a bit...

PGP is based on public key cryptography. Each person has a public key that everyone else needs to know, and a private key which must not be known by anyone else. A message is encrypted with both the sender's private key and the recipient's public key. The message can only be decrypted with the recipient's private key, which only the recipient knows.

It is possible, however, to simply sign a message without encrypting it. The sender's private key is used to sign the message, and the sender's public key is used to validate the signature. Notice that the recipient doesn't need any keys at all to validate a signature. As long as recipients are able to trust that their copies of the sender's public key are correct, they can trust the signature.

Since you don't need to protect the secrecy of a private key in order to use PGP to validate signatures, you don't need to read a book to learn how create a private key and keep it secret. You just need to know how to find other people's public keys and know how to use PGP to check signatures.

If you have read the newsgroup comp.os.linux.announce, you will have noticed by now that every message posted there is “digitally signed by the moderator, using PGP”. Lars Wirzenius, the moderator, allows you to be sure that he approved the articles for posting by PGP-signing them. In his signature, he states, “Finger wirzeniu@kruuna.helsinki.fi for PGP key needed for validating signature.” If you run the command finger wirzeniu@kruuna.helsinki.fi, you will see something resembling Listing 1. Don't type that key in from the listing; if the key is going to do you any good, you will be able to get it over the internet. If you don't like finger, you can get it from his home page, www.cs.helsinki.fi/~wirzeniu/.

I'm Still Not Convinced

If the possibility of a forged posting on the comp.os.linux.announce newsgroup doesn't worry you enough to make you want to install PGP, consider another situation. Suppose you see a newsgroup posting or e-mail message that looks like it is from Ted Ts'o (one of the main Linux developers), and which claims that:

  • A security hole has been found in Linux,

  • It is being exploited by crackers who are destroying the systems they crack into,

  • An attached kernel patch will solve the problem, and

  • You should install the patch on your system(s) as soon as possible.

Further suppose that the patch is beyond your comprehension. Do you install the patch? Let's assume that Ted is trustworthy (a pretty good assumption). How do you know that it is really Ted who made the posting or sent the message? Perhaps the patch really creates a security hole through which a cracker could attack, and a cracker is forging the message and pretending to be Ted in order to convince you to apply the patch.

You can know because Ted PGP-signed his patch, and because you have a copy of his public key. No one could sign it correctly without a copy of his private key, and Ted is a security expert who keeps his private key very safe.

Getting Keys

In order to check a PGP-signed message, you need to have the public key. Where do you get the key? You want to get the real user's real key, not a fake one produced by a forger who is using the fake key to impersonate the sender.

Fundamentally, you need to get the key from a different source than the message. News and mail are notoriously insecure; anyone can fake an e-mail or news message, and anyone who wants to read this article to learn about PGP will probably not notice that the message is fake, and probably won't know how to tell the difference.

If someone is forging messages that are supposed to look like they come from someone else, and they are including PGP, they will also be attempting to propagate a fake key for the user as whom they are masquerading. This means that in an ideal world, you will collect public keys before you need to use them to verify a message. However, there's a good chance that you don't have the key yet when you want to read the message. Where do you look to find a key, and how do you know that it is correct?

Sometimes you can get a key from someone's home page on the Web. If you do that, you have to weigh the possibility that someone has broken security on that system and corrupted the key there. If you get the key well before you want to verify a suspicious message, chances are pretty good that the key you get will be good. The same goes for keys retrieved via finger. If you think you will ever want to verify a comp.os.linux.announce posting, get the key now. If you are paranoid, keep checking for the next few days to make sure there is no announcement that the key was forged or compromised.

One place to find lots of PGP keys is on BAL's PGP Public Key Server, at www-swiss.ai.mit.edu/~bal/pks-toplev.html. This web site has a large database of public keys, and the person you are looking for may have submitted the public key to the database. There's no security; anyone could post an update to anyone else's public key, even forgeries. You still have to verify the keys you get from BAL's server; it's only a convenient point of exchange.

None of these techniques ensure that the key you get is good. All security is a matter of degree, and this technique provides, for most purposes, a reasonable level of assurance that you have the right key. Don't bet the family fortune on it.

Essentially, PGP allows you to extend trust you already have. If you trust your brother to tell you the truth in person, and he has verified that your copy of his PGP public key is correct, then you can be rather sure that a message that is correctly signed with his private key really comes from him. You can be only as sure of that, however, as of his ability to keep his private key secret.

Signed Keys

If your brother is sure that his copy of Joe's public key is correct, and you trust your brother to give you a good copy of Joe's public key, then you can be fairly sure that a message that is signed with Joe's public key really comes from Joe. This is a very useful notion, and PGP supports it.

To verify that he is positive that Joe's public key really belongs to Joe, your brother can sign the key with his own private key. If you are certain that your copy of your brother's public key is correct, and your brother has signed Joe's public key, then if you trust your brother's judgement in verifying keys you can be mostly sure that your copy of Joe's public key is correct. Now that you know Joe's key, if you trust his judgement, you can be reasonably confident of the veracity of public keys which he has signed.

PGP users have organized PGP-key-signing gatherings (parties, BOF (Birds of a Feather) sessions at conferences, whatever) in order to meet face to face and sign each other's keys. As people go to different gatherings in different places, it becomes easier and easier to say, “I trust my brother, and my brother has signed Joe's key, and Joe has signed Jean's key, so I can be pretty sure that this message signed with Jean's key is really from Jean.” This concept has become known as the “web of trust”.

Don't go off the deep end when it comes to the web of trust. PGP doesn't make people trustworthy. As Zimmermann says in the PGP manual, “Trust is not necessarily transferable; I have a friend who I trust not to lie. He's a gullible person who trusts the President not to lie. That doesn't mean I trust the President not to lie. This is just common sense.” If you don't trust someone about other things, there's no reason to trust their signatures of other people's keys. They may be duped or careless or lying themselves.

Verifying Keys

When people verify that their copy of someone else's key is correct, they don't laboriously check 1000-10000 characters of the ASCII representation of the key. Instead, they compare an abbreviated form called a fingerprint. Each key is verified by its fingerprint, which is represented by 32 hexadecimal characters. The possibility of two keys having the same fingerprint is so close to nil that you don't even have to consider it. So if the fingerprints match, the keys match.

Before checking fingerprints, it is best to quickly check the ID. The ID is even more abbreviated; it consists of only 8 hexadecimal characters. If, for instance, a user uses two different sets of PGP keys, the ID is used to differentiate between them.

Examples

Since we started with comp.os.linux.announce, let's show how you can easily retrieve the public key for verifying those messages. (I assume that you have PGP installed. If you don't, I'll explain later how to do that. I just want to keep things simple for now.)

PGP normally tries to do the right thing without being told. If you feed it a public key, it figures that you want to add it to your “public key ring”, available for inspection or use at any time. Normally, you call it with the name of a file, so try this:

finger wirzeniu@kruuna.helsinki.fi > /tmp/cola
pgp /tmp/cola

If PGP complains “Key ring file 'home/.pgp/pubring.pgp' cannot be created”, then you should create the directory ~/.pgp and try again:

mkdir ~/.pgp
pgp /tmp/cola
rm /tmp/cola

PGP will ask if you want to add the key to your public key ring; answer yes. When it asks whether you want to certify any keys yourself, answer no. You can't do that without having created your own public and private key. You will still be able to verify messages, but you can't use some of PGP's built-in features. This will look like Listing 2.

The comp.os.linux.announce key is now on your public key ring, and you can now use it to verify posts made to comp.os.linux.announce.

Checking Signed Messages

Now let's try checking the signature on a message posted to comp.os.linux.announce. Using your newsreader, save a message to a file, preferably with the extension “.asc” (short for ascii). Let's save it in the file cola.asc, and then call PGP to check the signature:

pgp cola.asc

PGP is verbose (as usual), and checks the signature. Part of what it says lets us know that the signature checks out Okay—but it warns that it can't be sure, because you don't have a key of your own:

File has signature.  Public key is required to
check signature.  Good signature from user
"Lars Wirzenius <wirzeniu@cs.helsinki.fi>".
Signature made 1996/05/01 11:36 GMT
WARNING: Because this public key is not certified
with a trusted signature, it is not known with
high confidence that this public key actually
belongs to:
"Lars Wirzenius <wirzeniu@cs.helsinki.fi>".

If you want to get rid of that warning, you will have to create your own keys, and before you do that, you ought to read the manual and understand it.

PGP also saves a copy of the message without the signature in a file called cola—it strips the .asc from the filename. If you had saved the original message in a file named “cola”, it would have asked you for a different filename to put the unsigned message in. Unfortunately, at the present time, the only way to check a signature without creating a new file containing the unsigned text is to press CTRL-C when PGP stops to ask you what to do.

Checking Fingerprints

In order to verify that your copy of a key is the right one, you need to put the key on your keyring, and then use PGP to print its fingerprint. Use the command:

pgp -kvvc user_id

where user_id is either part of the recipient's e-mail address or the actual 8-character key ID. Listing 3 shows part of the output of this command for the key used to sign Announcements of the Linux Emergency Response Team (ALERTs), which are used to announce security issues related to Linux. This (-kvvc) shows a lot of information for each key; you can get a more concise listing with the command:

pgp -kvc user_id

Now try to print the fingerprint for the key Lars uses to sign comp.os.linux.announce postings. You can check it below.

Once you have generated the fingerprint, you need to compare it to a trusted version. That might mean the fingerprints listed in this article, or it might mean calling the sender on the phone, or it might include a fingerprint listed in a book. There are many options—it's up to you to judge if the option you choose provides good enough verification for your purposes.

Here is a list of IDs and fingerprints for important and useful keys in the Linux world:

  • Lars Wirzenius's comp.os.linux.announce key:4CBA92D1 E7FA89856D9B781D F530EBFBD811CA3F

  • Linux Security FAQ Primary Key used to verify ALERTS:ADF3EE95 AB4FE7382C3627BC 6934EC2A2C05AB62

  • Ted Ts'o's signature key used to sign other people's keys (Ted organizes PGP-signing BOFs at conferences, and so has signed many other people's keys):466B4289 9C056649DF837EEF D8AC7542A2334B91

  • Your humble author, who will also be organizing PGP-signing BOFs at some conferences, and wants to show off:4536A8DD 2AEC88084064CED8 DDF8122B61438315

(Please note that in order to fit the fingerprints into the article, we have removed many of the spaces. The spaces are just there to help you read the fingerprint, and the fingerprint is the same with or without spaces.)

Linux developers are starting to talk about listing their PGP key IDs and fingerprints in the CREDITS file in the Linux kernel source code.

Pretty Good Privacy

There's a pretty good chance that after using PGP to quietly verify signatures for a few years, you will at some point want to use it for its original purpose—privacy. Perhaps you want to send a password to someone. Maybe you simply want to send your credit card over the Internet. You don't have to be a hero of the information underground to want to keep your mail private; there are many prosaic reasons as well. If you are already used to using PGP to verify signatures, you will not find it difficult to learn how to use PGP to encrypt your email. Just read the manual carefully so that your communications are truly secure.

Installing PGP

Installing PGP is a bit of a mess, partially because there is a patent that is honored in the US and Canada on the public key algorithm used, and partially because of the US's insane ITAR regulations. If this were an editorial, I'd have a lot to say about how incredibly stupid the US government is acting in this case, but this isn't an editorial, so I won't say a word on the subject...

If you have Red Hat Commercial Linux, life is easy. You can install PGP from an RPM available via anonymous ftp from ftp.hacktic.nl in the /pub/replay/pub/redhat/ directory. For those outside the US, you can use either the US version or the international version; for those in the US, you can only legally use the US version because of patent law. As of this writing, the current version number of both versions is 2.6.3, and you just have to choose between pgp-2.6.3i-1.i386.rpm (the international version) and pgp-2.6.3usa-2.i386.rpm (the US version). There are also README files in that directory that explain the situation more fully. You also get one more benefit: since version 3.0.3 was released, all official RPM's created by Red Hat are PGP-signed so that you know you have the official version. Installing PGP will allow that feature to work.

Life is also easy if you use Debian. There are .deb files available for both the international and US versions available in the non-free directory of selected archive sites. If you live outside the US, please download your copy from a Debian archive outside of the US to avoid causing Debian legal trouble. You can get a list of archive sites by connecting to ftp.debian.org with ftp. As of this writing, the file you want is pgp-i-2.6.2i-5.deb (the international version) or pgp-us-2.6.2i-5.deb (the US version). A new version using the ELF binary file format will probably be available with the ELF-based Debian 1.1 when it is released.

With other distributions, you will probably have to build PGP from source. You can get the source via ftp from net-dist.mit.edu in the /pub/PGP/ directory. However, MIT makes you jump through several hoops to make sure that you are really a US resident to protect themselves from over-eager US law enforcement officials. Instructions for building PGP are included, and I wish you good luck.

Warning: Within the US, you can use the free version of PGP only for non-commercial purposes. For commercial purposes, you are required to buy a copy of ViaCrypt's PGP. You can reach ViaCrypt at viacrypt@acm.org or (800)536-2664, or you can buy the product from the company that originally ported ViaCrypt's PGP to Linux, SSC (LJ's publisher).

Michael K. Johnson is only slightly paranoid... His public key ID and fingerprint are listed above; his public key is registered with Bal's public key server.