 |
____________________________________________________________ GUIDE TO (mostly) HARMLESS HACKING Vol. 3 No. 8, Part 2 The Magical Mystical Crypto-Primer ____________________________________________________________ by Tim "No Sinister Nickname" Skorick <TIM_SKORICK@non-hp-usa-om7.om.hp.com> V. WHAT'S THE EASIEST WAY TO GET INTO ALL THIS? (or "Phil Gets Paid") A. PGP and where to get it Awright, some of you cipherpunks knew this was coming. By far the easiest way to play around with cryptography is by getting your own free copy of PGP. PGP stands for "Pretty Good Privacy" and was created a while back by a real fun math teacher named Phil Zimmerman. It was only command-line-based, meaning you had to do those annoying dos-like commands and switches and all that and there's wasn't any windows-type point and click. They (him and his friends) finally came up with a windows version but then promptly sold the whole thing to a company called Network Associates. ~~~~~~~~~~~~~~~~~~~~~~~~ Go Get It! ~~~~~~~~~~~~~~~~~~~~~~~~ Go to http://bs.mit.edu:8001/pgp-form.html This is the Massachusetts Institute of Technology website where you can still get PGP version 5.0 for Windows. Now you could get the *new* PGP version 5.5 from http://www.nai.com/products/security/pgpfreeware.asp but that version will only let you send and get messages encrypted with a Diffie-Hellman key, and not an RSA key. If you want to play with both, you have to get the older freeware. Now either way, you're going to have to fill out a questionnaire at least promising that you're located in the USA and that you aren't going to email a copy of the software to "Bob the UnaHacker" in some terrorist country. I'm going to explain that in a little bit. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Okay, let me assume for the sake of easiness that you're going to be running PGP on some flavor of windows or possibly on a mac. Doesn't matter which, it'll work the same on most of them. 1. Install it on your computer. 2. When it asks you which key type you want to generate, start with Diffie-Hellman just for the heck of it. 3. When it asks you for the size of key you want, just pick the biggest (heck, ya might as well). 4. You then get to pound random data out of your keyboard and then watch this fun little animation thingy. 5. So it finishes. The first thing you'll notice is that they automatically give you the keys of just about everybody who has ever worked at or near PGP. No biggie. You're good to go with the cryptofun. A. Playing with PGP First things first: your clipboard is your friend. Oh yes, make friends with your clipboard. Verrrrrry important. Take him out to dinner, date his sister, tell him he's cool. You'll be using him quite a bit. What makes PGP so user-friendly isn't only that it works with all these different operating systems ... it also uses only the most idiotically simple parts of all these operating systems. You know what the "copy" and "paste" functions are on most computers, right? To "copy" you hit Ctrl-C and it writes stuff that you selected onto your clipboard, and "paste" is just Ctrl-V and it copies the stuff back onto your document wherever you want. Your clipboard is just the way-station, so where better to use encryption and decryption functions? So remember: 1. To mess with the data, get it onto your clipboard. 2. To look at what you did to it, move it from your clipboard onto a document somewhere. If you ever want to see what's on your clipboard at the moment, go to the PGP menu and select the thing that says "Launch Associated Viewer." The encryption fun goes like this: 1. Type some goofy simple little letter to yourself: Dear Tim, quit doing that with your eyes or they'll freeze that way. 2. Highlight all the text with your mouse. 3. Hit Ctrl-C. (it just copied the letter onto your clipboard) 4. Select from your PGP menu "Encrypt clipboard." 5. When it shows you all your public keys of people to write to, choose your own. 6. Drag and drop your name onto the "recipient" list. 7. Hit "ok." (it just encrypted everything on your clipboard but left the ciphertext there) 8. Go back to your document. 9. Click somewhere down below the plaintext you already typed. 10. Hit Ctrl-V to paste. SPLAT! 11. Look at that mess! -----BEGIN PGP MESSAGE----- Version: PGP for Personal Privacy 5.0 MessageID: B7gCHs7p6DU/TxZ7XFDbRklmHhdaWbBU qANQR1DBw04Djbfak/0G+g0QEACBqiGqyQEM8itHm0VGIvPovTWQwV27ARi/kScm Ffk+ekdHKelizo52sAzCN35+5JvO9F+rPTjgIOnDynhflfDoMc8sFJggrU+srXPR MQR6X53eOmYZOBQmXcg8GiVRgl+RyN1ZlqiKPV05Edl/UjueyE6koTeQRhbcUtRq BPLloA26jZcklJZu1lvPvkoAjxq+OuZKWNmlXQziTGMtTtgxDmtF7zZ6wZNCV652 CNGeIZVTMCC8ZAZ91lDq2qKq9fRzIVAyW0K0xMlMBMqTMhJCBScWr6iCCKnOwhFW OFRRByfOhX5bMiddET8SbL40Qfyc9lLG+xEGuOw6O5xMT5aQdWiSog4idrrBd61K KjUUglfeDFsni2lqGeUkt/nUcEnMhAApZoXxoKQ6wzZUipOxrMhWeQB8vLNTNmQc 5sPZEapLEioftjh9axL+lF2Z/9XAy0+UnUsjtw7OMhxyvhZWjjQNEko8OvaW7pL0 6eaXooE909ESkRKvkP2CATTVeTinXQk4kSH24SFwDaYxLDMJtGv88jOinKmBhOa0 c3UGKEfRliOgxqq18M6KdJtVOOLzTeiPuKmkwtgOXnt7ky7V1cy61kiBPWjme8Hs vt0VvFbKitU/dVjfdnrlMKJccG/PgYFYJ/9YM4M5XpSimMNxppLgFCbum3buVnn4 wP82aA//YRq9hkFblfdBk0bIrjOB11O5zo7MCabbkIm+xrQtVM7EZ1AV/OQw1QpM CvAOIHfq1THi3wWGIU9npMvDnelSsJRpWl2kde2tUDYZWELjSFjPofysFXd02fc2 yGFG+6Eb0a3WzFwSjwVfZUhmUVRGnOVK/WIz+jIAJq08mAUoq9lE7LUblpBgZb3l 4G5iGZ8H0yskYRzzXg5rPV3dV8fyo4pasbJ8tVnQBYZQ7t0MFdl0x/xqBm9fDevX vTf/atvWBF9+Vp9QepRmZ+ehATYe1N4VBknylhV4SRFar4Sja4BYWVVjYP/k1M6Q jkQ9jTmulHml317IH9HLdilri8cDosDX6n02QMD6lw/uiWs+ohpgLXuMCqbPLR1L 9y5Kbj2gTdlNUs/3b5RUXRDNjtjqVFpgscgQWNUseZ10P214L6I+lqAIh3qb5gdC FrKb82fvJdcFwQZtam9JHooyiG11OSRrahdMf2u8C0YWrfCKIDhLEwEaY3lHtk9P GumJu+9cF6z2hWovHHJ5lvWlwNNOtxohSGxV/3R8F41cQXnUPkPNLxqbYzlqzoZ1 z3Q6dyQ2gBbnjKiQm/VfDpPyKdvkWktl2iR2kyVyDwbP0u8NBQTsbkQ2r9yMPM/3 PHQoT8ME5q3FLOgSirV1YnNQCkTCfOHGb37ZtZlVQYN00gjJVCnJWr8bh9jD19yt YOvixVgaym2dwCk6e+GBxKtKJ5KgpULANG/tJbY8MZjpw7IyDK6lgo1wmnn4NSjG JIGLXn8rk44KbT2Qo3SzZftRf8Y+1i49QQ5eEdrFmxz1vg== =md+y -----END PGP MESSAGE----- WOW! That digital oatmeal looks cooler every time I make it. Heh heh heh. Now at the risk of sounding like Magnum P.I., I know what you're thinking. You're thinking "AAUUUGH! I put my letter through a blender! Oh the humanity!" Just calm down. Remember, it's moronic to encrypt messages that can't be decrypted (this doesn't go for some password protecting ideas and for "digital signatures," but those aren't really messages and we'll chit chat about that in the next primer). At first glance, for all we know, that mess up there might just be random garbage. Guess what? We can prove that it ain't. You wrote the letter to yourself and encrypted it with your own public key, didn't ya? You have your private key and can decrypt the message even easier than you encrypted it! Ha ha ha HA! Here's what ya do: 1. Highlight the entire ciphertext, from the beginning of the "-----BEGIN PGP.." to the end of the " END PGP MESSAGE-----" 2. Hit Ctrl-C to copy it onto your clipboard. (I know it was already there from last time but let's pretend you just got this particular blob sent to you from somebody else) 3. Go to wherever your PGP menu is and click on "Decrypt/Verify clipboard" and put in your passphrase when asked for it. (When you see the box that says "Decryption Successful," that means that it just decrypted the stuff on your clipboard but left it there) 4. Go to your original document and click down past the stuff you already put there. 5. Hit Ctrl-V to paste. 6. Voila! Dear Tim, quit doing that with your eyes or they'll freeze that way. Ta-DUM! Isn't this a momentous occasion? I think I'm misty-eyed ... A. Getting someone else's public key This is easy. You find the text version of their key on either a website or from a text file or email or whatever. I showed you part of mine, it looks a lot like the encrypted mess we just saw. 1. Highlight the whole thing again, from the beginning of the " -----BEGIN PGP PUBLIC KEY ... " to the end of the " ... --END PGP PUBLIC KEY BLOCK-----." 2. Then hit Ctrl-C to copy the key to your clipboard. 3. Now go to the PGP menu and just pick the option that says "Add Key from Clipboard." 4. You'll see a window open up telling you that PGP saw the key and knows what it is, and you hit the "import" button. Simple, huh? A. What PGP really does It's a plain and simple truth that most secret-key programs run way faster than public-key systems. So PGP makes the best of both worlds. When you encrypt a message to someone with PGP, it first compresses the message to make sure it won't take up a whole lot of space. It then makes its own little secret symmetric key (like from DES or something) and encrypts the text with that (really fast) symmetrical algorithm. After that, it takes the receiver's public key and encrypts just the secret DES-type key. Since it's only encrypting a key, it goes way quicker than if it were encrypting the whole message. The PGP message is both of these blobs of ciphertext all crammed together. When the receiver's PGP program gets the message, it uses the private key of the recipient to decrypt the secret key from the blob first (goes quickly cuz it's just a key). It then uses the symmetric key it just deciphered to decrypt the rest of the message from the blob quickly, and decompresses the message the rest of the way into readable form. V. OTHER WAYS TO START USING CRYPTO A. Secure your Netscape connection - Part One: Your browser COULD be secure: Dude, it suuuuuuuucks that people haven't done this more often yet. Check it out. If you have the right version, Netscape can connect to cooperating web sites in a really secure way. Try it, instead of typing "http://", type "https://". That tells your net machine to try to connect with the server using its "Secure Sockets Layer." That's the part of your browser that can encrypt everything going between you and the server you're surfing to. You know the little key type thingy in the lower corner of your browser? It usually has a slash through it or shows an open lock or something. This means you are wandering around the web making non-secure connections. If you hook up a secure connection using "https" to a web server, it will show a complete key, or a closed lock, or various other "locked" looking things. >Oooooooh! Aaaaaah!< If you don't see a change, or get a message saying "hey doofus, this isn't an https site," don't worry. Most websites aren't set up to let you connect securely, there's usually no reason to. You'll find the places with "https" addresses at online stores, banks, and other places where security would be needed. I mean, do you REALLY care how many people know you post to the Nine Inch Nails board seven hundred times a day? - Part Two: It probably ain't But even if you're connecting to a site that can do the whole secure thang, and even if you do connect and see the "locked" looking thing in the corner, you probably aren't any more secure than you were before. "Why" you ask? Cuz even then, the crypto connection that your browser is using is probably weak. - Part Three: Here's why it ain't Here's the skinny. Our U.S. government people consider crypto technology a weapon, because twenty years ago back in the cold war it was a dangerous thing for your enemy to have. The United States "Export Law" says that since it's considered a weapon, it's illegal to export out of the country. Why is it such a big freakin deal? Well, America has interests spread out all over the place, and we have spies who pay real close attention to what goes on all over the world, especially in terrorist countries. If terrorists start using strong crypto, we can't eavesdrop on them and maybe tell when they're gonna blow stuff up (Not that our spying on these people has kept them from blowing stuff up before now). Now before you get all in a frenzy, people have been trying to reach an agreement with our intelligence people for a while now.. There are a lot of bills in the House and the Senate trying to fix this, but no luck yet. I mean, heck, Congress has only been at it for about six years now, give em a little time ... So when you download a browser off the net, most people get stuck downloading what's called an "export-grade" web browser. That means one whose crypto stuff is weak enough for the government to feel okay about you exporting it. Don't buy anything off the web with those wimpy little browsers, cuz any cyber-moron that knows how to use a packet sniffer and a cracking utility can read your credit info that you buy stuff with. >Boooooo! Hissssss!< Part Four: Here's why that sucks Netscape can work with all the great crypto stuff out there through its Secure Sockets Layer but people are usually limited to 40-bit encryption stuff, which is really weak and super lame. Crypto stuff that weak has been cracked left and right. Heck, Bruce Schneier will even give you a SCREEN SAVER that can crack this type of encryption, and it even BRUTE FORCES IT!!!! Can you imagine how weak that is? Sheesh!! You can get it at http://www.counterpane.com/smime.html Part Five: Fix it! Help is here! >sound of trumpets< This super high-class software guy named Farrell McKay and some of his friends put together a little set of files called "Fortify" that you download right into your browser's home directory, run them, and they just strengthen the SNOT outta your browser. They pump it UP, my friends. Here's what you should do. First send me a million dollars. Then, go to the "Fortify" website at http://www.fortify.net/index.html. Then check what your connection security is for right now at the link that says "SSL checker" (Yes, that stands for "Secure Sockets Layer Checker"). It will tell whether or not your browser is set on "wimpy mode" or whether or not it can connect to a server in a safe way. It will even list all the different secure connections you could have along with what you actually have. If that page tells you that your connection is weak, go to the "download" page and get the version that's right for your computer (there isn't a version available for Macs yet). Stick the stuff in the directory that your browser is in and follow whatever other instructions there are. It's easy and really quick to do, and then you have to restart your browser. Now to check if it worked. Go back to the SSL checker at their site, you might have to hit reload. See what it says? Most versions should connect at a full 128-bit RC-4! Note: Remember the cryptogenius Ron Rivest who helped create RSA? RC-4 is one of his own special algorithms, and a sweet one at that. So, you can send and receive super-secret encrypted email that nobody can read, and you can connect with whopping 128-bit RC-4 to participating websites. This would be a good time to rub your hands together and cackle maniacally. Now I know you're hooked ... V. WRAP UP STUFF A. All that confuses is not crypto The biggest thing to keep in mind when you dig around for good crypto stuff to play with is this: Just because it has a fancy-schmancy name like "cryptographic module" and seems to screw up text real good doesn't mean that it is real cryptography. Even if it comes from a big name software company, it ain't necessarily worth your while. Real cryptography is incredibly difficult to make secure. Most of these companies churning out software packages that protect passwords and encrypt little documents and stuff don't bother with any kind of real work in that area. I won't even go into these wiseguys on the web and in hacker rags that write their own stuff and then try to sell you on it. Sheesh! Most of them have no idea what they're getting themselves into. Cryptography is just too tough and experts are few and far between. These warnings are covered a bit more in the web resources section later on. So ... B. Beware "kindergarten cryptography" Don't just take someone else's word for it. There are all kinds of interesting ideas floating around about new crypto stuff from people who only sound like they know what they're talking about. From hacker magazines, to newsgroup postings from alleged elite experts, to rave reviews in big computer magazines, everybody seems to know what crypto should be and where to find the good stuff. Ugh. It ain't the wares that the journalists rave about. It ain't the program that your favorite hacker writes. It ain't the impressive looking plug-in that your favorite software company tries to sell you. The "good stuff" is what survives the tests by the experts. Remember this: learn the names of the experts. Learn the names of the algorithms and cryptosystems. After a long, long, long time on the market and after a wayyyyy lot of tests, the algorithms and systems that live on are the good ones. And that's only for today. Breakthroughs in computing power have made more than one seemingly secure cryptosystem obsolete. Every algorithm that is untested or unreleased to the public, every algorithm that flies in the face of established mathematical law and number theory, every algorithm that claims to be great but isn't available to be proven is not cryptography, but kindergarten cryptography. Using kindergarten cryptography is even worse than using no cryptography at all. You know why kindergarten cryptography is so dangerous? Because it fools you into thinking it's cryptography, and you use it on private stuff that it isn't really going to protect. If you didn't try to use any crypto at all, at least you would know enough to save the private stuff for later and it would never be at risk! C. Words you get to throw around! Awright all you showoffs! You should be able to use all the words down there in quotes even if you can't necessarily give a total definition for some of them. Throw them around, get used to them. Better yet, use them in sentences - around your friends who don't know what they mean :) Yack away! You know that: "Cryptology" is made up of "Cryptography" (or "crypto") and "Cryptanalysis" and the guys that do that are "Cryptographers" and "Cryptanalysts." You know that the "Ceasar cipher" was an old way to "encipher" (or "encrypt") something and also to "decipher" (or "decrypt") something. Before you encrypt, the message is still "plaintext," and "ciphertext" is what it is when it's encrypted. A "substitution cipher" ain't the best "cryptosystem" anymore. "Algorithms" are step by step math processes, here's some: "RSA" "IDEA" "DES" "Blowfish" "CAST" "El Gamal" "RC-4" and they all HAVE to use a "key." "Binary" means made up of ones and zeros. A "passphrase" is a series of passwords. "Blocks" are chunks of text, "iterations" are separate encryption steps that your algorithm takes on the blocks. A "random number generator (RNG)" gives you good random numbers and nobody will "brute force" your key if it's big enough. "Protocol" means behavior. A "symmetrical cipher" is the same as "private key" crypto which is also called "secret key" crypto. These are the opposite of "asymmetrical ciphers" which are also known as "public key" crypto which you use a "key pair" for like "Diffie-Hellman" keys which are based on the "discrete logarithm problem" or "RSA keys" which are based on the "Integer Factorization Problem." If it's an asymmetrical cipher the "encryption algorithm" that turns plaintext into ciphertext is different from the "decryption algorithm" that turns ciphertext back into plaintext. "PGP" can use all these. "Secure Sockets Layer" is how your browser tries to use crypto but it's hampered by annoying "export law" that limits you to downloading "export-grade" encryption, which is weak. "Fortify" fixes that right up, and it ain't no "kindergarten cryptography." And - look way down at the last book suggestion - "steganography" is the art of hiding messages - usually encrypted ones - someplace where you wouldn't expect. V. WANNA LEARN MORE? A. Quick web stuff Real quick ways to get some more entry-level info, most are stuff in Acrobat format! 1. Go to the PGP user's manual that you downloaded with the software and thumb through to about page 81 in the manual for version 5.0, page 77 in version 5.5's manual. That has a great section on crypto stuff. If you're not sure where on your computer it is, go to the directory you put PGP in. Open the folders till you come to one with a bunch of files in it, and there should be a document there with a .pdf extension. That's it. 2. Hit RSA's website at http://www.rsa.com/rsalabs/newfaq/ and download their world famous cryptography FAQ. It's stellar. 3. Let's keep our learning well-rounded, go to Bruce Schneier's Counterpane website for two VERY important essays on understanding what cryptography, privacy and security are all about. They're both downloadable: "Why Cryptography Is Harder Than It Looks" http://www.counterpane.com/whycrypto.pdf.zip "Security Pitfalls in Cryptography" http://www.counterpane.com/pitfalls.pdf.zip A. Books to look for "Applied Cryptography" Second Edition by Bruce Schneier, John Wiley & Sons, 1996 This is hands-down the best place for you newer crypto people to start really digging in. Bruce wrote this book in plain English (but it has been translated into others too!), explaining everything really clearly. It's sometimes really funny and always easy to read. The book just covers everything. Absolutely everything. The price is a little hefty, but it's a big book and has the source code in C in the back for all you programmers who wanna start tinkering with programming crypto. Check out some more reviews, alternate language versions and other info at Bruce's site http://www.counterpane.com/applied.html "Handbook of Applied Cryptography" by Alfred Menezes, CRC Press, 1996 This one is a little tougher to find, but it's a really sweet layout of the math and algebra stuff underneath a lot of the secrets that make crypto strong. There's a big treat here, too. It talks about using crypto in places like the banking industry and in alarm systems and all manner of neato environments. It also has a lot of newer information about things happening in the crypto world lately. Look at the info and also a couple of chapters in Acrobat format at: http://www.dms.auburn.edu/hac/ "Decrypted Secrets" by F. L. Bauer, Springer Verlag, 1997 This one is a doozy. This was written from a really technical, but also historical perspective. Just don't let the columns of numbers and figures freak you out too bad at first. Some people might have trouble wading through all the math and number theory stuff, but you will be rewarded when you do. There are a ton of stories from history, like spies and wars and stuff since way back when. All of these stories are fascinating to read and are used to make you better understand why the basic rules of using crypto are the way they are. They show this by telling you all the funny ways that crypto people have screwed up in the past, and also by highlighting some of the smarter minds that made the really huge breakthroughs and discoveries. "Disappearing Cryptography" by Peter Wayner, Ap Professional, April 1996 This book is a little trippy. It deals more with some of the high-level privacy philosophy involved, and lays it out in a very interesting, if strange, way. Each section has a real simple description of what it talks about, followed by more technical math descriptions and then a programming example. Good to have, even though it deals more with hiding cryptography (a practice called "steganography") than it does with actual cryptography. _______________________________________________________________________ Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org. We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. So don't email us about any crimes you have committed! And don't expect us to come to your rescue if you crash 100 million computers with some new Java virus you just unleashed. To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message. Copyright 1998 Tim "No Sinister Nickname" Skorick <TIM_SKORICK@non-hp-usa-om7.om.hp.com>. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end. _________________________________________________________ Carolyn Meinel M/B Research -- The Technology Brokers http://techbroker.com