home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
DP Tool Club 17
/
CD_ASCQ_17_101194.iso
/
vrac
/
pspr22.zip
/
ENCRYPT.DOC
< prev
next >
Wrap
Text File
|
1994-07-15
|
15KB
|
329 lines
WHY SECURITY?
-------------
Security is not a topic many Internet users think about commonly as they
send electronic mail, log in to other machines, and otherwise
communicate. However, as the Internet grows, security issues become
more and more of a problem, especially when it is used to transmit
sensitive data (such as your credit card number).
With the current system as it is, traffic on the Internet is very easily
accessible by people other than the sender and recipient of the traffic.
Anyone with even a small bit of technological know-how and physical
access to the right locations can easily intercept and copy all traffic
from a particular site or sites. The physical location does not even
have to be in the same place as the site; any routing point between the
two sites might become a point of weakness.
In addition, for system administration purposes technicians are
routinely given total access to the computer(s) they maintain,
including the ability to read mail or news stored on those computers.
This does not just include the sender's and recipient's sites; any site
in between that acts as a forwarding agent for the mail could have its
batches read by its technicians (including your mail message).
Electronic mail sent to Control Enterprises travels over the Internet to
at least some degree, and is batched on at least three different sites
in transit (your computer, our computer, and a gateway computer in
between that is run by a service provider). This means that, if someone
decided to monitor or read mail travelling between our sites, they would
be able to possibly read your registration request and obtain your
credit card number. It could then be used to charge horrendous amounts
of money to your account without your knowledge!
For this reason, we discourage registration of our products via
electronic mail without some method of securing the communications line
from "snoopers." The best way we have come up with to do this is to
encrypt (or "encode") messages using the Pretty Good Privacy program
(PGP).
ABOUT PGP
---------
Control Enterprises has selected the Pretty Good Privacy program (or PGP
for short) for servicing our secure communications needs. PGP is at
this point the most popular standalone encryption program available, and
versions of the program are available for free both nationally and
internationally. This allows us to receive secure communication from
anyone in the world.
PGP works by taking a file that usually contains plain text (although it
could contain any information), encrypting its contents, and putting the
result in another file. The program uses a key, usually a very large
number, to encrypt the data. The method used by PGP is called "public
key encryption"; under this system, there are two keys, one that can
only encrypt and one that can only decrypt. You should have received
the encryption key (commonly called the "public key") with this Control
Enterprises software package; in case you didn't, here is a copy of it:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.7
mQCNAi4diMcAAAEEAJso2VGfxKyXltHk/4SE9p39AMMU3rx+kv8VzWyRtBRFA2iV
nDsv8StCHA+eJheYmRzbRosSYcGyWkXlrPGcleajjw/rqjHNEYT5mxb5k3SOT38u
Mw6pXvoglX9EUeeWNfWJfzFVDl9m2rsEIysd8ZDkazCQ0ixF8+7SKIDDzIOpAAUR
tCtDb250cm9sIEVudGVycHJpc2VzLCBJbmMuIDxzdXBwb3J0QGNlaS5jb20+iQCV
AgUQLh2JH+7SKIDDzIOpAQE3OAQAgh+CvRDIztVJW+MIwpu8AIQ1HTOIihg/7Zgb
51QOs9AbU3AZ7Lf9Y0p5uSiKjGpk1KxwEB5Z5sXJOy6SU8x8U9M3Pa5n0MQjhEyl
ppQ37ikaQnPpS4z41im13P8RL3CfF3F39wfQqUAXl3mdtHfYATJyOeMFjnMuGtOa
o97kqbw=
=XkkH
-----END PGP PUBLIC KEY BLOCK-----
Messages encrypted with this key using PGP can only be decrypted by our
programmers and technicians at Control Enterprises. Thus, even if
someone were to intercept your registration message to us, all they
would be able to get out of it would be gibberish looking similar to the
key above.
AVAILABILITY OF PGP
-------------------
PGP is available freely from several sources; however, there are some
legal issues surrounding it that must be discussed.
PGP is encryption software that may be classified or regulated by your
local government. Some governments (notably the United States and
Canada) do not allow this program to be exported, and others (notably
France) have made it illegal to use it for encryption. Before using PGP,
you may want to make sure that you are doing nothing illegal either in
obtaining it or using it.
In particular, this issue causes a problem with usage outside the United
States or Canada. Since PGP's "home base" is inside the USA, exporting
certain versions of PGP is illegal. Be sure to read below the relevant
sections for where you live.
There are two versions of the freeware PGP available; the reason for
this has to do with licensing issues for one of the patents used by PGP.
The first, MIT PGP, was developed by the Massachusetts Institute of
Technology for use in the USA or Canada only. The second, PGP 2.6ui,
was derived from an older version of PGP and is freely available around
the world. In addition, there is a third version, ViaCrypt PGP,
available for sale within the USA or Canada; it is commercial software,
and may be used for commercial purposes. All three of these programs
work with each other; the only practical differences between the three
programs involve the legalities and licenses with each one.
For Users in the USA or Canada
------------------------------
PGP uses patented technology to do its work. A license is therefore
required to use it for commercial purposes; the freeware versions of PGP
do not contain a commercial license. A commercial version of the
program is available from a company in the USA called ViaCrypt; this
program contains a license to use it for any purpose, commercial or
noncommercial. You may contact ViaCrypt as follows:
Phone: 602/944-0773
Fax: 602/943-2601
Address: ViaCrypt
2104 West Peoria Avenue
Phoenix, Arizona 85029
CIS: 70304,41
Internet: viacrypt@acm.org
Note that their version of PGP is completely compatible with the free
versions of PGP available. Control Enterprises uses ViaCrypt PGP, since
we use it for commercial purposes. Note also that since ViaCrypt is a
US company, ViaCrypt PGP is export-controlled and prohibited for export
to anywhere except Canada without a special license from the Department
of State, USA.
If you live in the United States and do not wish to buy ViaCrypt PGP,
you should use MIT PGP. The latest version (as of this writing) is 2.6,
and it is available over the Internet from net-dist.mit.edu. To ensure
that the program is not exported illegally over the Internet, there is a
procedure that must be followed:
1. Read the files MITLICEN.TXT and RSALICEN.TXT, the usage licenses
granted by MIT and RSA Data Security, Inc. (holder of a patent on a part
of PGP) for using MIT PGP. These files should have been included with
this Control Enterprises software package; if they were omitted, you may
get them via FTP from net-dist.mit.edu in the directory /pub/PGP.
2. Telnet to net-dist.mit.edu and log in as "getpgp".
3. Read the information given and answer the questions asked.
4. When the program displays the directory where PGP itself is stored,
write it down.
5. FTP to net-dist.mit.edu and immediately change to that directory.
Do it in one command, not in several; i.e. "cd /pub/PGP/dist/U.S.-only-
xxxx".
6. Download the files as you would normally.
If you experience any problems with this system, you can get a more
comprehensive description of the process via anonymous FTP from
net-dist.mit.edu under /pub/PGP/README.
International Users (Outside the USA and Canada)
------------------------------------------------
If you live outside the United States or Canada, you should use PGP
2.6ui. The "ui" stands for "unofficial international" version. Please
note that although it is considered "unofficial", it is no less secure
and no less robust than either the ViaCrypt or the MIT versions! It is
available freely from several places on the Internet via FTP:
UK: ftp.demon.co.uk: /pub/pgp/pgp26uix.zip
Italy: ftp.dsi.unimi.it: /pub/security/crypt/PGP/pgp26uix.zip
This is not an exhaustive list; if you know how to use "archie", you
should be able to find other sites. The program is also available on
many BBSs around the world.
USING PGP
---------
Once you have acquired a copy of PGP, installed it, and followed the
directions for setting it up and generating a key, you can now use it
with your Control Enterprises software.
Adding Our Public Key
---------------------
The first thing you should do is add the Control Enterprises key to your
public key ring and verify that it is, indeed, our key and not a fake.
Besides being provided with the software, our public key is available on
the keyservers (see the PGP documentation for a description of the
keyservers and how they work). You can also get a copy via electronic
mail by sending a blank mail message to pgp-key@cei.com; you will
receive an automatic reply from us containing our public key which you
can save to a file.
Once our key has been saved to a file, you can add it by running PGP on
it:
PGP -ka CEIKEY.PGP
The file name for the key may be different; if so, substitute the proper
filename for "CEIKEY.PGP". This file may be used if you do not have any
other copies of the key; we strongly recommend getting our key from
several other sources as well.
Once you've added the key, you should verify that it is the correct key.
If the key has been signed by someone you trust as an introducer, that
should be enough. Otherwise, you will need to verify the "fingerprint"
on the key. A key's fingerprint is a special number calculated from the
key; it is specially designed to be impossible to copy. You may view
the fingerprint with the command:
PGP -kvc "Control Enterprises"
You may, if you wish, call Control Enterprises and read this fingerprint
over the phone to us; we can then confirm that the fingerprint is
correct. Alternatively, here is the information PGP should return when
you ask for the fingerprint:
-----
Type bits/keyID Date User ID
pub 1024/C3CC83A9 1994/07/08 Control Enterprises, Inc. <support@cei.com>
Key fingerprint = 00 06 40 1E C8 D7 A8 E1 8D 04 71 BC E9 8A BD D4
1 matching key found.
-----
If this does not match EXACTLY what PGP tells you, then the key
distributed with the software is invalid. DO NOT USE THIS KEY IF THIS
HAPPENS! Obtain a new key (from a different source) and verify it. If
the key distributed with the software is wrong, you will want to be
doubly sure to check the program; it is likely that the key was tampered
with to hide tampering that may have been done to the program itself.
Checking Our Software for Tampering
-----------------------------------
Secondly, you should verify that the program you received is in fact
the correct software, and that it has not been tampered with and does
not contain a virus.
A program may be provided with your software package that runs PGP
automatically for you to check the program. Check the program's
documentation for details.
If not, you can still run the command manually. To do this, you should
look for a file with the same name as the program file with an extension
of .SIG. Run PGP with this file and the program file names as
arguments. For example, if the program name is PSPRINT.EXE, you should
look for a file called PSPRINT.SIG; after you have found it, you may run
the command:
PGP PSPRINT.SIG PSPRINT.EXE
At that point, you should see the following:
-----
File has signature. Public key is required to check signature.
File 'psprint.sig' has signature, but with no text.
Text is assumed to be in file 'psprint.exe'.
.
Good signature from user "Control Enterprises, Inc. <support@cei.com>".
Signature made 1994/07/08 19:44 GMT
WARNING: Because this public key is not certified with a trusted
signature, it is not known with high confidence that this public key
actually belongs to: "Control Enterprises, Inc. <support@cei.com>".
Signature and text are separate. No output file produced.
-----
The WARNING: message indicates that you have not told PGP that the key
has been verified; if you have verified the key and told PGP that you
have, this message may not appear. The date and time on the signature
itself may also be different than what is shown here, and (obviously) if
you are testing a different software program, the filenames may be
different.
If you get any other message from PGP, do not use it. In particular,
you may get the following message:
-----
WARNING: Bad signature, doesn't match file contents!
Bad signature from user "Control Enterprises, Inc. <support@cei.com>".
Signature made 1994/07/08 19:44 GMT
-----
If you see this message, STOP USING THE PROGRAM IMMEDIATELY and contact
Control Enterprises! We can get you a clean copy of the program and
also make sure that the source for the copy you received (which has
almost certainly been tampered with in some way) gets a clean copy for
download also.
Sending a Message to Control Enterprises
----------------------------------------
Finally, if you wish to register the program via electronic mail or
otherwise contact us securely, you may do so with the following steps:
1. Write your message. This can be done with any regular text editor
such as DOS EDIT, Windows Notepad, or some other program. Be sure that
the message is stored as ASCII/ANSI text. If you are registering, you
can use the registration form provided with your software and fill in
the blanks with a text editor.
2. Encrypt the message. This is done with PGP:
PGP -eta <filename> "Control Enterprises"
This will encrypt the file <filename> into a file with the same name as
the original, but with an extension of .ASC.
3. Mail the encrypted file to us at "support@cei.com". The file format
is of a type that it will not get corrupted in transit through almost
all electronic mail networks, including the Internet, UUCP, FidoNet,
BitNet/EARN/NetNorth, CompuServe, and many others.
If you wish, you may include your own public key in the message if you
want us to respond to you securely. Be sure to export the key to an
"ASCII-armored" file so it won't be corrupted in transit with:
PGP -kxa <name>
Alternatively, if your key is available by other means, you may indicate
in your message how we can get your key.