Cryptography for RISC OS
Paul Webb can keep a secret, can you?
What's the Point?
Although e-mail has become an indispensable tool of communication, many computer users have not thought about the fact that their private correspondence could be either intercepted and read or altered. It therefore seems only prudent to make e-mail transmissions as secure as possible by taking advantage of a number of freely available programs which have been ported to RISC OS.
This article therefore introduces the reader to Phil Zimmermann's Pretty Good Privacy (PGP) encryption program and to the GNU Privacy Guard (GnuPG) in addition to steganographic programs like Paul Vigay's !Steg. The article is in no way intended as a technical discussion of cryptography. Readers who would like to learn about cryptographic concepts like symmetric ciphers, public key ciphers and one-way hashing should consequently refer to the Resources section at the end of this article.
Pretty Good Privacy - Public Key Cryptography
PGP was written by Phil Zimmermann to empower citizens by making available a military grade secure e-mail and file encryption program. PGP consequently allows its users to exchange messages with privacy, authentication and convenience by using public key cryptography. In contrast to traditional cryptographic systems which use a single key to encrypt or scramble messages, PGP uses public and privatekeys which complement each other. User A would therefore send an encrypted message to User B by scrambling the message with User B's public key. User B would then be able to decrypt the message by using his secret key. Moreover, messages can be signed with the sender's private key so that the recipient can be sure that the message emanates from a reputable source. Finally, PGP dispenses with the need for a secure channel which is a pre-requisite of single key systems that need to transmit the key to the sender and recipient before encrypted messages can be sent over insecure channels.
Obtaining PGP
If you think that PGP may meet your needs, Gareth McGaughan's port of PGP 2.6.3ia is available from Nat Queen's cryptographic site. Installation can then be painlessly accomplished by copying the PGP distribution to a directory on your hard disc before placing the PGP executable in the Library directory. In addition, you should also set the PGPPATH system variable.
First Steps
Before using PGP, you will need to generate a key pair. Although there are a number of PGP front ends available for RISC OS like Martin Willers' PGPfront, it's a good idea to initially use PGP from the command line so that you can better appreciate PGP's range of facilities.
To generate your key pair, enter the following command at the Task Window prompt:
pgp -kg
You will then be asked to pick your RSA key size and to enter a user ID and pass phrase. Unless you have specific requirements, pick "military grade" for key size and enter a user ID which is a combination of your name and e-mail address enclosed in angled brackets. If all goes well, PGP should tell you that key generation has been completed. Your public key can now be extracted from your key ring pubrng/pgp by issuing the following command:
pgp -kxa
If we assume that the user Fred J. Bloggs wants to extract his public key for dissemination, the following command would extract his public key to the file keys/asc.
pgp -kxa "Fred" keys
And here's Fred's fictitious public key ready for use!
Type Bits/KeyID Date User ID
pub 1024/BE7B3641 2001/04/05 Fred J. Bloggs
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia
[.....]
-----END PGP PUBLIC KEY BLOCK-----
So Fred is now nearly ready to send and receive encrypted e-mails although he will have to add the public keys of those whom he wishes to correspond with to his own public key ring. If we assume that Fred has received a public key from a friend entitled keys/asc, this key can be added to the public key ring by typing:
pgp keys/asc
E-mails can then be encrypted and decrypted by using the following commands:
pgp -seatpgp
GNU Privacy Guard: a Replacement for PGP
Although PGP has been the de facto standard for secure e-mail and file encryption, the GNU Privacy Guard has recently become popular in situations where users want to continue to use PGP without using software which uses patented algorithms. For further information on this topic, visit GnuPG's home page.
Retaining PGP's Functionality
Like PGP, GnuPG also uses public key cryptography and offers similar facilities including key pair creation, the ability to exchange and verify keys, to encrypt and decrypt documents and to authenticate a document via a digital signature.
Installing GnuPG
GnuPG has been ported to RISC OS by Stefan Bellon and can be obtained from the author's web site. Pre-RISC OS 4 users will also need to obtain a copy of Richard Atterer's RaFS or Jason Tribbeck's LongFiles. Users who wish to retain compatibility with PGP 2.x keys should also refer to Stefan's site for further information. Fortunately, installation simply involves copying the app into an appropriate directory although you will also need to obtain Theo Markettos's CryptRand binary which should be copied into the !GnuPG directory and renamed CryptRand.
First Steps
Before using GnuPG, you will again need to create a key pair like you did when setting up PGP which can be accomplished by typing:
gpg --gen-key
You will then be asked to select a key type and size. If you are a new user, simply select the defaults. You may also be prompted for a key expiration date. Again, select a key that does not expire if you are a newbie. Finally, provide GnuPG with a user ID and pass phrase where the pass phrase is a combination of alphabetic and non-alphabetic characters.
Your public key may then be extracted for dissemination by typing the following command:
gpg --output fred/gpg --armor --export Fred@Ireland.com
The public key is consequently saved to the file fred/gpg in ASCII armored format which is suitable for display on a web page or for transmission via e-mail.
And here's user Fred's fictitious GnuPG public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4-sb17 (RISC OS)
Comment: For info see http://www.gnupg.org
[.....]
-----END PGP PUBLIC KEY BLOCK-----
A message can now be encrypted for transmission via e-mail by using the --encrypt option. Moreover, the encrypted result can either be placed in standard output or directed to a specific file by using the --output option. Finally, the --recipient option would be used to select the public key of the intended recipient:
gpg --output sample/gpg --encrypt --recipient Steve@home.com sample/txt
Conversely, our encrypted document can be decrypted with the --decrypt option:
gpg --output sample/txt --decrypt sample/gpg
Our example does of course assume that Steve's public key is on our public key ring which can be simply accomplished by using the --import option:
gpg --import Steve/gpg
Steganography
Paul Vigay's !Steg (http://www.vigay.com/riscos) and Nat Queen's !Stego both provide a useful supplement to PGP or GnuPG in situations where it may be impractical to use a public key cryptographic system. Think for example of a scenario at work in which encryption is forbidden and you will quickly come to appreciate the value of steganographic techniques.
Put simply, steganography is the process of hiding information in an image file which in our case means within a RISC OS sprite file. It is therefore possible to hide an encrypted message in a sprite file if we are using !Steg by dragging the encrypted message onto !Steg's icon bar which results in a window opening. You will then be prompted for a pass phrase and can set a number of parameters including grid size, step size and palette. After clicking on OK, a sprite is generated which can be saved by clicking MENU before dragging the sprite to the appropriate directory.
Resources - PGP
Natt Queen's web site is an invaluable resource both for a wide range of security-related utilities like PGP and !Stego and as the link to PGP relevant literature. After reading his introductory articles, you could then usefully move on to Phil Zimmermann's PGP User's Guide Volumes One and Two which are bundled with the software. If you are interested in the politics of privacy, read the transciprt of a radio interview with Phil Zimmermann which is available from www.animatedsoftware.com/hightech/philspgp.htm
Resources - GnuPG
A very readable GnuPG manual - The GNU Privacy Handbook - is available from the Free Software Foundation in HTML and PDF as is a mini-HOWTO. In addition, a book entitled Replacing PGP 2.X with GnuPG can also be obtained from the same site for those users who need to learn how GnuPG can be used to communicate with PGP 2.x users.
Steganography
With regard to Steganography, Neil F. Johnson's Short Introduction to Steganography is well worth reading.
Signing Off
So if you are at all concerned by those potential snoopers who may be lurking on the net, check out PGP, GnuPG and !Steg for RISC OS. You'll be glad you did!
Paul Webb