PGP for ABSOLUTE Beginners

                               David Hamilton

This posting is for absolute beginners and consists of 7 sections with no
section being more than 250 words long (though section 2 refers to 2 other
sources). The 7 sections are:

  1. Introduction for absolute beginners
  2. The 2 best web sites for absolute beginners
  3. The 3 uses of PGP for absolute beginners
  4. Your first passphrase for absolute beginners
  5. Clear signing for absolute beginners
  6. Windows shells risks for absolute beginners
  7. 4 things to do next for absolute beginners

----------------------------------------------------------------------------

1) INTRODUCTION FOR ABSOLUTE BEGINNERS

I believe that a source of difficulty and frustration for PGP absolute
beginners is that there is so much documentation available from so many
sources (with most of it being long, detailed and complex) that many of them
give up .... and this is a defeat for us all. A scythe needs to be taken to
all of this information on their behalf.

I've recently progressed from being a PGP absolute beginner to just a
beginner and I think that absolute beginners need simple, concise
information that they HAVE to know INITIALLY without being given lots of
reasons or explanations. As someone else said, 'absolute beginners need an
ABC'. It's when absolute beginners have gained more experience that they can
find out why things are done in a certain way and how to do more complex
things. It's then that they can read Phil Zimmermann's documentation and
it's then that they can look, with understanding, at many of the other
excellent sources of advice that are available.

The great majority of any value that this posting may have is in section 2
which refers absolute beginners to other people's efforts. Thanks to them
for making PGP adoption easier.
                               Return to Index
----------------------------------------------------------------------------

2) THE 2 BEST WEB SITES FOR ABSOLUTE BEGINNERS

a) Seattle WebWorks at http://www.seattle-webworks.com/pgp/. From here,
advice is also given on downloading and configuring the AEgis Pretty Good
Privacy Windows Shell. A shell is a more friendly surround for PGP. Since
PGP operates from Dos and looks a bit strange, it can be much easier to use
and understand if you use a Dos or Windows shell. There are more than a
dozen shells.

Many people think well of the AEgis shell and it certainly makes PGP much
easier to use. You're an absolute beginner, so do what you're told: download
the AEgis shell! b) NorthStar at http://www.iuc.org/current.html and then
look for a reference to PGP Jump Start or Learn To Use PGP. (The current web
page for PGP beginners is http://www.iuc.org/NS062396.HTM but this may
change in the future so go to the main page and check.)

These 2 web sites guide you through getting, installing and setting up PGP
and some other basics. Print out both: if something isn't clear to you in
one, it may be in the other.

You can get download the PGP program (version 2.6.2) from either site. If
you're not in the USA, you can instead get PGP version 2.6.3i from the
International PGP web site at http://www.ifi.uio.no/pgp/.

Although terrific, I think that there are 4 things that the above sites do
not explain in clear, simple, succinct terms and they are covered in
sections 3 - 6 following.
                               Return to Index
----------------------------------------------------------------------------

3) THE 3 USES OF PGP FOR ABSOLUTE BEGINNERS

PGP is basically used for 3 things.

   * a) Encrypting a message or file so that only the recipient can decrypt
     and read it. The sender, by signing, can also guarantee to the
     recipient, that the message or file must have come from the sender and
     not an impostor.
   * b) Clear signing a plain text message guarantees that it can only have
     come from the sender and not an impostor. In a plain text message, the
     text is readable by anyone (ie is 'plain') but a PGP signature is
     attached.
   * c) Encrypting computer files so that they can't be decrypted by anyone
     other than the person who encrypted them.

                               Return to Index
----------------------------------------------------------------------------

4) YOUR FIRST PASSPHRASE FOR ABSOLUTE BEGINNERS

The Seattle site above directs you to an excellent but lengthy and detailed
web site about passphrases. You don't need to read all of it at this time.
Instead, try the following.

A passphrase will protect your secret key in case it gets stolen or someone
gets access to your computer. In either case, if you have a passphrase,
nobody apart from you can decrypt messages or files meant for you (ie
created using your public key) and nobody else can sign messages pretending
to be you because PGP users can spot this.

If you don't use a passphrase, you're not taking security seriously. You're
an absolute beginner, so do what you're told: use a passphrase!

Make up your passphrase by choosing 5 random words from a dictionary with at
least 10,000 words in. Your passphrase could then be secure for up to
several thousand years! Put blanks between the words if you want to or just
run all the words together. If any of the 5 words start with a capital
letter, replace by the lower case letter: it's easier to remember and type
if you do. If you want to, you can change your passphrase every 6 months or
year (eg on your birthday).
                               Return to Index
----------------------------------------------------------------------------

5) CLEAR SIGNING FOR ABSOLUTE BEGINNERS

Read section 3b again. Your PGP signature is different for EVERY message you
sign because PGP does a calculation on the message using your secret key
(which is unique to you). As every message is different, the signature is
different too so you can't cut and paste signatures from one message to
another.

Note that the signature proves that the message came from the sender but it
does not prove that the sender created the text in the message. eg if I
clear sign the text of Hamlet, you still won't believe that I 'wrote' it.

If the signature on a clear signed message checks out then that's fine. But
if a clear signed signature DOESN'T check out, it MAY still have come from
the person it appears to have come from. The reason is that the clear signed
message is copied to an emailer and if the message is reformatted in or by
the emailer (eg word wrapping happens such that a word is moved from the end
of one line to the beginning of another line), the signature WON'T check out
because the message has changed between being PGP signed and being
transmitted/received. However, it is SAFEST to treat the message with the
failed signature as being from an impostor.
                               Return to Index
----------------------------------------------------------------------------

6) WINDOWS SHELLS RISKS FOR ABSOLUTE BEGINNERS

Using Windows shells to access PGP can be a security risk. This is because
your passphrase, your key and your message plain text might be left in the
Windows swapfile thus compromising security if someone else has or gains
access to your computer. If you can't cope with yet another thing to grasp
at this time, skip the next paragraph!

A simple solution for Windows 3.1 or 3.11 users is to get ZAPSWAP.COM (part
of the WIPEUTIL set of routines at Mark Andreas's home page
http://www.sky.net/~voyageur/. This can be used to securely overwrite the
contents of the swapfile a number of times (eg 3). There is debate as to
whether the Windows95 swapfile can be dealt with in the same way.
                               Return to Index
----------------------------------------------------------------------------

7) 4 THINGS TO DO NEXT FOR ABSOLUTE BEGINNERS

   * a) Ignore people who confuse the word 'beginner' with the word
     'stupid': you ARE an absolute beginner; you are NOT stupid.
   * b) Keep reading the following newsgroups:
        o alt.security.pgp
        o comp.security.pgp.announce
        o comp.security.pgp.discuss
        o comp.security.pgp.resources
        o comp.security.pgp.tech
   * c) Practise using PGP. There are some people (ie not everyone) in the
     above groups who won't mind helping you getting to know PGP. Failing
     that, learn PGP by using it with a friend. Another way is for you to
     set up on your computer another public/secret key pair (eg for 'Fred')
     with a simple passphrase (eg a single word). If you do this, Fred need
     only have a small key (eg 512 bits). You can then send messages
     backwards and forwards between you and Fred which gets you used to
     things. eg you can send encrypted messages and clear signed messages
     and check things are working.
   * d) In your own time, take a look at the following information sources.
     They are more detailed and more complex but also more enjoyable when
     you've grasped the basics.
        o Phil Zimmermann's documentation that comes with PGP
        o http://www.stack.urc.tue.nl/~galactus/pgp/faq/ (excellent detail)
        o http://www.primenet.com/~shauert (PGP shells)
          many, many other sources: eg try using search engines on PGP

And that's all there is to it!