PGP and the PI
THE NATION'S PI COMPUTER EXPERT
TALKS ABOUT ON-LINE PRIVACY
By Joseph Seanor


Mr. Seanor Was Selected As 1996 NAIS Investigator Of The Year

Why do I need to worry about privacy? Why should I
worry about encryption? I just send notes and letters across
the Internet, nobody will read these except for the people that
I send them to, right? Wrong! The Internet is an incredible
source of information and tools for the Private Investigator, but
it can also be a headache for the Private Investigator. When a
report is sent to a client, every Private Investigator will normally
send it in a sealed envelope. Yet letters and notes sent across
the Internet are sent in plain view of anyone with a little bit
of computer know-how. As it has been said, a little bit of knowledge
can be dangerous.

If you have not already done so, read my article in the
past issue of NAIS on "Surfin' The Internet" which gives a basic
introduction to the Internet. When you send email via the Internet,
addressing your letter to a specific person does not mean that
they are the only one who sees it. It is very easy
for anyone with a little computer knowledge to have copies of email
directed to another address, or to fool the computer into thinking
they are you or the recipient and read your private mail. For these
reasons, encryption becomes very important. Encryption means
scrambling a message into an illegible form and then sending
it to another person who can descramble it. Even
if someone can read your mail, or the mail of the person you are
sending it to, they will not be able to understand an encrypted letter.
In addition, there are options to provide a "digital signature". This
means that the note is electronically "signed" by you, and if anyone
tampers with it in any way, the person you are sending it to will
know that there has been an attempt to gain unauthorized access to
the message.

How can all this be done, and most importantly, how
much will this cost me? All of these issues, privacy, encryption,
and digital signatures can be handled with one product called
Pretty Good Privacy (PGP). And here is the best part: PGP is
FREE! PGP was developed by Philip Zimmermann from MIT.
He was concerned about the lack of privacy and encryption tools
for the average citizen and created PGP based upon a very powerful
government encryption technique called RSA. RSA is the formula
used in many encryption packages that are used by the Federal
Government and private industry. PGP provides a very powerful and
safe method of protecting all the email or any documents you may
transmit with your computer, plus it protects any documents,
spreadsheets, or files on your hard drive. What this comes down to
is that if you don't want anyone to read your messages or files, use
PGP. PGP creates two "keys" for you to use. One key is your
"secret" key, which you never let anyone have. The other key is your
"public" key, which you send to everyone that you want to receive
encrypted text or files from.

How can a Private Investigator get PGP? PGP is available
on the Internet and many of the major computer services from
Compuserve to America Online. However, I will deal with only
the version that can be obtained from the Internet. In order to get
PGP you MUST be a US citizen and answer a few simple questions
before you will be told the final location of the program. This is
done to ensure that the program is not sent out of the United States.
The export laws prevent something like PGP from being sent
overseas. To obtain PGP you must telnet to net-dist.mit.edu.
Once there you will log in as getpgp. After this, you will be
asked a few questions and then will be given the site to ftp to in
order to get the software.

Now that you have the software, you must download it from
your Internet account to your personal computer. Once that is
accomplished use the pkunzip program to decompress the program.
The commands are:



cd \                     (this will place you in your root directory)

md \pgp                  (this will create a directory named PGP)

copy pgp*.zip c:\pgp     (you must be in your download directory)

copy pkunzip.exe c:\pgp  (this copies the pkunzip program into the pgp directory)

cd \pgp                  (this moves you into the PGP directory before unzipping)

pkunzip pgp*.zip         (this will unzip any file that begins with pgp and ends with zip)


The program is now unzipped and in the PGP directory. Before
you start to use PGP you need to make a few changes to your
autoexec.bat file and to the PGP config.txt file. In your root directory edit
your autoexec.bat and then enter the following lines:

SET PGPPATH=XXXXX (where X is the directory in which you keep your pgp
keyrings; this should be a different directory than the PGP
directory)


SET TZ=XXXXX (where X is your time zone; you will find the options in the
PGP documentation)


Now change to your PGP directory, and edit the config.txt file. If you
add these lines, PGP will always output encrypted files in ASCII format
(more on that later):

Armor=on
Textmode=on

Now it is time to start using the program and creating your
keys. As stated earlier, PGP works off of two keys that are created
with the program. To create your keys enter the following command
from the PGP directory:

pgp -kg

This will create two keys for you, one secret and one public.
While creating a key for you, the program will ask you how powerful
a key you want. I would suggest you take the 1024 bit key; it takes a bit
longer, but it is secure. You will also be asked for a passphrase. Do NOT
make this a simple passphrase, but something that only you will know and
remember. If you forget this passphrase, then you must start all over
again and change your key everywhere. You will also have two key rings
made for you as well; one of these will hold all of your friends' keys.
Now that you have a public key, you need to create an ASCII version
of it that you can send in email to everyone or add to your signature file
on the Internet. In order to do this, enter the command:

pgp -kxa

Now that you have an ASCII version of your public key, you
can append this to any note you send out and even add it to your
signature block so that anyone can encrypt text to you using your
public key. This is what my public key looks like in ASCII:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAy8694oAAAEEAO6sw9U6TGYXai9UzktpgyizShe4iIT4TY
cvwXh+62Wbdear kbi1x9Q2GOHq9ruQ/JB53iyuuid5J92/nzFYhd
QfDE3cjOS8M+uA8Rwcl99KcKN3BmqMFsR3LFcIswQbPBOuF
joMHWUWnoHsi7i5We5cUYy7sg8K0NYh3pW52eKpAAUR tB
hDSUJJUiA8Y2liaXJAbmV0Y29tLmNvbT4= =JemX
-----END PGP PUBLIC KEY BLOCK-----

It is very important that you include every part of the
public key in all your notes and postings. If one piece is missing,
your key is useless. There are some servers on the Internet that
act as key rings for everyone. If you want to find out more about
this, send an email message to:

pgp-public-keys@pgp.iastate.edu
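
Why one missing piece makes the key useless, shown as an added example (not code from the original article): an ASCII key block ends with a CRC-24 checksum line, so the reader of the block can tell when a line was lost or altered on the way. The key bytes are a constructed stand-in, not a real key, and the function names are this example's own.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # CRC-24 parameters of PGP ASCII armor

def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, label: str = "PGP PUBLIC KEY BLOCK") -> str:
    b64 = base64.b64encode(data).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {label}-----", "Version: 2.6.2", "",
                      *body, check, f"-----END {label}-----"])

def dearmor(text: str) -> bytes:
    """Return the binary data; raise ValueError naming the missing or damaged part."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("missing BEGIN line")
    if not lines[-1].startswith("-----END PGP "):
        raise ValueError("missing END line")
    if "" not in lines:
        raise ValueError("missing blank line after headers")
    body = lines[lines.index("") + 1:-1]
    if not body or len(body[-1]) != 5 or body[-1][0] != "=":
        raise ValueError("missing checksum line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    if crc24(data) != expected:
        raise ValueError("checksum mismatch: block is incomplete or altered")
    return data

def status(text: str) -> str:
    try:
        return f"ok, {len(dearmor(text))} bytes"
    except ValueError as err:  # bad base64 also arrives here (binascii.Error)
        return str(err)

SAMPLE = bytes((7 * i + 3) % 256 for i in range(140))  # constructed stand-in, not a real key
BLOCK = armor(SAMPLE)
LOST_LINE = "\n".join(ln for i, ln in enumerate(BLOCK.splitlines()) if i != 4)
print(status(BLOCK), "|", status(LOST_LINE))
```
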

When you receive a public key from someone you must
add it to your public key ring. In order to do this you would save
this person's public key to a file and copy this file to the PGP
directory. Once there you would issue the command:

pgp -ka CIBIR (this would use a key that you received from CIBIR.)

When you do this, you will be asked to verify that this
really is who it claims to be. Once you do this, anything that is
encrypted by this person or "signed" will be verified as coming
only from them. Right now we have a secret and a public key, we
have an ASCII version of our own public key that we can send to
everyone and post to all of our notes, and we have some public
keys from friends. Now it is time to encrypt our first note using
PGP.
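
The check behind "verify that this really is who it claims to be", as an added example that is not part of the original article: a PGP 2.x key fingerprint is the MD5 hash of the RSA modulus and exponent, and it is what `pgp -kvc` displays for reading over the telephone. Both keys are constructed test values and the function names are this example's own.

```python
import hashlib
import struct

def mpi(x: int) -> bytes:
    """Encode an integer as a PGP multiprecision integer: 16-bit bit count + bytes."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

def read_mpi(buf: bytes, pos: int):
    size = (int.from_bytes(buf[pos:pos + 2], "big") + 7) // 8
    body = buf[pos + 2:pos + 2 + size]
    if len(buf) < pos + 2 or len(body) != size:
        raise ValueError("truncated key material")
    return body, pos + 2 + size

def parse_public_key(packet: bytes):
    """Return (n, e) as bytes from a PGP 2.x RSA public key packet (tag byte 0x99)."""
    if len(packet) < 11 or packet[0] != 0x99:
        raise ValueError("not a PGP 2.x public key packet")
    (length,) = struct.unpack_from(">H", packet, 1)
    body = packet[3:3 + length]
    if length < 8 or len(body) != length:
        raise ValueError("truncated key packet")
    version, _created, _valid_days, algorithm = struct.unpack_from(">BIHB", body)
    if version not in (2, 3) or algorithm != 1:
        raise ValueError("not an RSA key in PGP 2.x format")
    n, pos = read_mpi(body, 8)
    e, _ = read_mpi(body, pos)
    return n, e

def fingerprint(n: bytes, e: bytes) -> str:
    """MD5 over modulus then exponent bytes, as two groups of eight hex pairs."""
    hexed = hashlib.md5(n + e).hexdigest().upper()
    pairs = [hexed[i:i + 2] for i in range(0, 32, 2)]
    return " ".join(pairs[:8]) + "  " + " ".join(pairs[8:])

def matches(packet: bytes, spoken: str) -> bool:
    """Compare a received key with the fingerprint its owner read out."""
    return fingerprint(*parse_public_key(packet)).split() == spoken.upper().split()

def make_packet(n: int, e: int = 17) -> bytes:  # builds constructed test keys only
    body = struct.pack(">BIHB", 3, 820454400, 0, 1) + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body

GENUINE = make_packet((2**127 - 1) * (2**89 - 1))  # constructed, not a real key
SWAPPED = make_packet((2**107 - 1) * (2**61 - 1))  # different key, same claimed owner
SPOKEN = fingerprint(*parse_public_key(GENUINE))   # what the owner reads out
print(SPOKEN, matches(GENUINE, SPOKEN), matches(SWAPPED, SPOKEN))
```
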

In order to do this, all you need to do is create a file, letter,
or other document and then copy that document to the PGP directory.
Once there, you can issue the command:

pgp -ea test.doc CIBIR

This will encrypt a file named "test.doc" using the public key
for CIBIR, which was just presented above. PGP will then output a file
called "test". This file will be in an ASCII format that you can post into
an email document or to a Usenet newsgroup posting. If you want any
aspect of PGP to output as an ASCII file, just add the a to the end of
the option (in the above line, -ea). If you want to encrypt files on your
computer's hard drive or floppy disks, then enter:

pgp -e test.doc CIBIR

This will encrypt a file named "test.doc" using the public key
for CIBIR and the file will be in a binary format and listed as "test.pgp".
This is not used for email or Usenet newsgroup postings, since the file
can not be "read", but is rather used on your own hard drive or on a
floppy disk. Here is a handy option for PGP: if you want to encrypt
a file and make it so that it can only be displayed on the screen of the
recipient and NOT saved to disk, enter the following command:

pgp -steam test.doc CIBIR

This will make a file that is in ASCII format that you can
email or post to a Usenet group. However, when the person decrypts
the file, it will only display on the screen. What do you do when
someone sends you an encrypted file? If you would like to practice
this, send your public key to:

cibir@netcom.com


We will add you to our public key ring and then mail you
back an encrypted note so that you can practice the procedure for
decrypting a PGP note. Once you read your email and find a note
that is encrypted, you will want to save that file as text and then
download it to your PC. Once there, you then copy it over to your
PGP directory. Now you can decrypt it using the following
command:

pgp cibir.doc

PGP will ask you for your passphrase; you will need to
type in your secret passphrase in order for this file to be decrypted.
This will then decrypt a file that is called "cibir.doc". PGP does not
include a file extension (such as TXT, DOC, WKS, or WRI) when
decrypting a file, so you need to know what type of file it is.
Now PGP has finished decrypting the file and you now have a
plaintext document from CIBIR!

Now that you know the basics of PGP, there is one
other subject about PGP to go over before ending this introduction
to PGP. That is the digital signature aspect of PGP. PGP allows
you to sign a document so that it can be verified that you were the
person sending the document and that it was in no way altered
during transmission. In order to do this you issue the following
command:

pgp -esa test.doc (where test.doc is the document to be encrypted)

This will produce a file that is encrypted, signed, and in
ASCII format. When the person you are sending it to receives it,
they will be able to decrypt it and verify that it was your signature
on the file and that no one else altered the file. If you just want
to have a signature on a letter or a note to verify that you were
the person who sent it, you can issue the following command:

pgp -sat test.doc

This will create a file that is in plaintext and yet it will
have added to the bottom a signature block so that anyone that
wants to verify your letter or posting can use PGP to verify your
signature. If you want to verify someone else's letter or posting
that includes a signature block on it, all you do is copy the file
to the PGP directory and issue the following command:

pgp note.txt (where note.txt is the document that has a signature to be verified)

If you have this person's public key, then PGP will
verify that this person did sign that document. These are the
basics for using PGP. PGP is a great product and one that
should be used more and more with the sudden and dramatic
growth of the Internet. Each person deserves privacy and this
is one way of giving Internet users the kind of privacy that they
deserve. Below you will find a short list of PGP commands
and what they mean. If you have any questions about PGP
or you would like to talk with CIBIR Corporation, you can contact
us via email at:

CIBIR@NETCOM.COM

Or you can contact our office at (703) 780-9033. I
encourage you to use PGP and to try a test of PGP. CIBIR
will be happy to send you an encrypted test document so that
you can practice using PGP if you desire.


PGP Commands



pgp -kg                    Generate your two keys, secret and public,
                           and your keyrings

pgp -kxa                   Extract your public key in ASCII format
                           to give to others

pgp -kvc user              Verify a user's key over the telephone
                           by reading it to them

pgp -e filename user       Encrypt a file (binary) for user

pgp -ea filename user      Encrypt a file (ASCII) for user, used for
                           posting a letter or email

pgp -sa filename           Sign a file in ASCII format

pgp -esa filename user     Sign and encrypt (ASCII) a file for user

pgp -sat filename          Sign a file but leave the message in
                           plaintext, used for Usenet

pgp -steam filename user   Sign, encrypt (ASCII) and force the file
                           to the screen only

pgp encrypt                Decrypt an encrypted file (will not add
                           a file extension to the file)


This document was written by Joseph C. Seanor III,
President of CIBIR Corporation, A 21st Century PI Company.
CIBIR specializes in computer and cyberspace crime, as well as
white collar crime and fraud. For more information you can
contact CIBIR via email at cibir@netcom.com or you can call
the office at (703) 780-9033 or FAX (703) 780-5703.
