More Crypto...
Now at the risk of sounding like Magnum P.I., I know what
you're thinking. You're thinking "AAUUUGH! I put my
letter through a blender! Oh the humanity!"
Just calm down.
Remember, it's moronic to encrypt messages that can't be decrypted
(this doesn't go for some password protecting ideas and for "digital
signatures," but those aren't really messages and we'll
chit chat about that in the next primer). At first glance,
for all we know, that mess up there might just be random garbage.
Guess what? We can prove that it ain't. You wrote
the letter to yourself and encrypted it with your own public
key, didn't ya? You have your private key and can decrypt the
message even easier than you encrypted it! Ha ha ha HA!
Here's what ya do:
1. Highlight the entire ciphertext, from the beginning of
the "-----BEGIN PGP..." to the end of the "...END PGP MESSAGE-----"
2. Hit Ctrl-C to copy it onto your clipboard. (I know it
was already there from last time but let's pretend you just got
this particular blob sent to you from somebody else)
3. Go to wherever your PGP menu is and click on "Decrypt/Verify
clipboard" and put in your passphrase when asked for it.
(When you see the box that says "Decryption Successful,"
that means that it just decrypted the stuff on your clipboard
but left it there)
4. Go to your original document and click down past the stuff
you already put there.
5. Hit Ctrl-V to paste.
6. Voila!
Dear Tim, quit doing that with your eyes or they'll freeze
that way.
Ta-DUM! Isn't this a momentous occasion? I think
I'm misty-eyed ...
A. Getting someone else's public key
This is easy. You find the text version of their key
either on a website or in a text file or email or whatever.
I showed you part of mine; it looks a lot like the encrypted
mess we just saw.
1. Highlight the whole thing again, from the beginning of
the "-----BEGIN PGP PUBLIC KEY ..." to the end of
the "... --END PGP PUBLIC KEY BLOCK-----."
2. Then hit Ctrl-C to copy the key to your clipboard.
3. Now go to the PGP menu and just pick the option that says
"Add Key from Clipboard."
4. You'll see a window open up telling you that PGP saw the key
and knows what it is, and you hit the "import" button.
Simple, huh?
A. What PGP really does
It's a plain and simple truth that most secret-key programs
run way faster than public-key systems. So PGP makes the
best of both worlds.
When you encrypt a message to someone with PGP, it first compresses
the message to make sure it won't take up a whole lot of space.
It then makes its own little secret symmetric key (like from
DES or something) and encrypts the text with that (really fast)
symmetrical algorithm.
After that, it takes the receiver's public key and encrypts
just the secret DES-type key. Since it's only encrypting
a key, it goes way quicker than if it were encrypting the whole
message. The PGP message is both of these blobs of ciphertext
all crammed together.
When the receiver's PGP program gets the message, it uses
the private key of the recipient to decrypt the secret key from
the blob first (goes quickly cuz it's just a key).
It then uses the symmetric key it just deciphered to decrypt
the rest of the message from the blob quickly, and decompresses
the message the rest of the way into readable form.
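Here's that whole round trip as a small Python sketch. It's an added example, not PGP's own code. It assumes a toy RSA key pair built from two Mersenne primes with no padding, and it uses a SHA-256 keystream XOR as a stand-in for the "DES or something" cipher, so it shows the shape of the message and not real-strength crypto.

```python
import hashlib, secrets, zlib

# Toy RSA key pair (constructed for this example): two Mersenne primes, no padding.
# Real PGP uses properly generated keys and padded key wrapping.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent
KEY_BYTES = (N.bit_length() + 7) // 8    # size of the wrapped-key blob

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(message: bytes, pub_n: int = N, pub_e: int = E) -> bytes:
    compressed = zlib.compress(message)               # 1. compress the message
    session_key = secrets.token_bytes(16)             # 2. fresh one-time secret key
    body = _keystream_xor(session_key, compressed)    # 3. fast symmetric pass over the text
    # 4. slow public-key operation, applied to the little secret key only
    wrapped = pow(int.from_bytes(session_key, "big"), pub_e, pub_n)
    return wrapped.to_bytes(KEY_BYTES, "big") + body  # 5. both blobs crammed together

def decrypt(blob: bytes, priv_d: int = D, pub_n: int = N) -> bytes:
    wrapped, body = blob[:KEY_BYTES], blob[KEY_BYTES:]
    # Private key recovers the secret key first (quick, it's just a key)...
    session_key = pow(int.from_bytes(wrapped, "big"), priv_d, pub_n).to_bytes(16, "big")
    # ...then the secret key decrypts the body, which gets decompressed.
    return zlib.decompress(_keystream_xor(session_key, body))

if __name__ == "__main__":
    letter = b"Dear Tim, quit doing that with your eyes or they'll freeze that way."
    blob = encrypt(letter)
    print(len(blob), "bytes of ciphertext; round trip ok:", decrypt(blob) == letter)
```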
V. OTHER WAYS TO START USING CRYPTO
A. Secure your Netscape connection
- Part One: Your browser COULD be secure:
Dude, it suuuuuuuucks that people haven't done this more often
yet. Check it out. If you have the right version,
Netscape can connect to cooperating web sites in a really secure
way. Try it, instead of typing "http://", type
"https://". That tells your net machine to try
to connect with the server using its "Secure Sockets Layer."
That's the part of your browser that can encrypt everything going
between you and the server you're surfing to.
You know the little key type thingy in the lower corner of
your browser? It usually has a slash through it or shows
an open lock or something. This means you are wandering
around the web making non-secure connections. If you hook
up a secure connection using "https" to a web server,
it will show a complete key, or a closed lock, or various other
"locked" looking things.
>Oooooooh! Aaaaaah!<
If you don't see a change, or get a message saying "hey
doofus, this isn't an https site," don't worry. Most
websites aren't set up to let you connect securely, there's usually
no reason to. You'll find the places with "https"
addresses at online stores, banks, and other places where security
would be needed. I mean, do you REALLY care how many people
know you post to the Nine Inch Nails board seven hundred times
a day?