Lost Newbie

Richard Lynch lynch at lscorp.com
Sat Sep 26 21:35:05 CEST 1998


At 8:36 AM 9/25/98, Kirk Fort wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Alright, I'll do my best to try to explain some stuff to you.

I'm doing my best to understand it all, but it ain't enough.

>To generate a secret/public keypair, run gpg --gen-key

My elation at having a menu was dashed by my inability to understand which
choice was best for my particular application.

I guessed 3), since I don't think I need the stuff to be signed.  I'm
sending an online order to be run through a credit card machine at my
client's real-life store.  I suppose somebody could try to prank somebody
else by ordering coffee or CDs for them, but since there's no profit in it
to the forger, I'm currently not worried about it.  Y'all will probably
rain on my parade real soon in this matter, though.  :-)

Then I put in my client's name, e-mail, and a comment.  Whoo Hooo.  I seem
to have generated a key and a secret key.  Damned if I know what the
difference is or how to use them, though.

>Data that is encrypted with a public key can only be decrypted by the
>matching secret key.  The secret key is protected by a password, the
>public key is not.
>
>So to send your friend a message, you would encrypt your message with his
>public key, and he would only be able to decrypt it by having the secret
>key and putting in the password to use his secret key.

Sounds good.  'Cept I'm unclear on the difference between a password and a
secret key...  Why does he need both?  Not a big deal:  I just don't get
it.

I got as far as trying to ASCII encrypt a file, and then I got this:

[chatmus at ruby gpg]$ ./gpg -vae  /home/c/h/chatmus/test.txt
gpg (GNUPG) 0.3.5; Copyright (C) 1998 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!
gpg: this is a PGP generated ElGamal key which is NOT secure for signatures!
gpg: key 812E70CE, uid 2640: invalid self-signature: Unknown pubkey algorithm
gpg: key 812E70CE, uid 2640: invalid user id - removed
gpg: key 812E70CE: no user ids - rejected
gpg: key 812E70CE: can't put it into the trustdb
gpg: failed to initialize the TrustDB: Bad certificate
You did not specify a user ID. (you may use "-r")

Enter the user ID: Michael Cameron
gpg: this is a PGP generated ElGamal key which is NOT secure for signatures!
gpg: key 812E70CE, uid 2640: invalid self-signature: Unknown pubkey algorithm
gpg: key 812E70CE, uid 2640: invalid user id - removed
gpg: key 812E70CE: no user ids - rejected
gpg: key 812E70CE: insert trust record failed: Bad certificate
gpg: this is a PGP generated ElGamal key which is NOT secure for signatures!
gpg: key 812E70CE, uid 2640: invalid self-signature: Unknown pubkey algorithm
gpg: key 812E70CE, uid 2640: invalid user id - removed
gpg: key 812E70CE: no user ids - rejected
gpg: failed to insert it into the trustdb: Bad certificate
It is NOT certain that the key belongs to its owner.
If you *really* know what you are doing, you may answer
the next question with yes

Use this key anyway? y
gpg: reading from '/home/c/h/chatmus/test.txt'
gpg: writing to '/home/c/h/chatmus/test.txt.asc'

gpg: Ooops: Ohhhh jeeee ... (pkclist.c:538:select_algo_from_prefs)
secmem usage: 1472/1472 bytes in 3/3 blocks of pool 1472/16384
Aborted

Why do I get the idea that I've found a bug, or I'm just doing something
that nobody who knew what they were doing would try?  :-)

What's with the "insecure memory"?  Can I make it secure?  Or should I not
worry?  Or what?

And how come it doesn't know who owns the key?
Is it because:
A)  I need to specify the client's name (or some other id)
B)  I didn't pick one of the "sign and encrypt" options.

>You can 'conventionally' encrypt something by using the option 'gpg -c'.
>It is encrypted using a passphrase, and does not use public and secret
>keys.  If the person you send the data to knows that passphrase, they can
>decrypt it. This is usually most useful for encrypting things to
>yourself, although you can encrypt things to your own public key in the
>same way.

That pretty much just hung. :-(

[chatmus at ruby gpg]$ ./gpg -c
gpg (GNUPG) 0.3.5; Copyright (C) 1998 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!
gpg: this is a PGP generated ElGamal key which is NOT secure for signatures!
gpg: key 812E70CE, uid 2640: invalid self-signature: Unknown pubkey algorithm
gpg: key 812E70CE, uid 2640: invalid user id - removed
gpg: key 812E70CE: no user ids - rejected
gpg: key 812E70CE: can't put it into the trustdb
gpg: failed to initialize the TrustDB: Bad certificate
›$#created by GNUPG v0.3.5 (GNU/Linux)

yu
  ]Š

Had to break.

>You can add and copy keys to and from your keyring with the 'gpg --import'
>and 'gpg --export' option. 'gpg --export-secret-keys' will export secret
>keys. This is normally not useful, but you can generate the key on one
>machine then move it to another machine.
>
>Keys can be signed under the 'gpg --edit-key' option.  When you sign a
>key, you are saying that you are certain that the key belongs to the
>person it says it comes from.
>
>Hmm, what else.  You have already figured out the -o option it looks like.
>-r just lets you specify the recipient (which public key you encrypt with)
>on the command line instead of typing it interactively.
>
>Oh yeah, this is important. By default all data is encrypted in some weird
>binary format.  If you want to have things appear in ascii text that is
>readable, just add the '-a' option.

*THAT* one I understand.  YAY!

>So if I want to encrypt a message to my friend, sign the message, and do
>it in ascii, I type 'gpg -esar myfriend mymsg'.  'man gpg' is a good way
>to figure out all the options.  The biggest problem you will have is there

My ISP host chose not to put the gpg man pages in... Where are they?  I
looked, but failed to find them.

>is not (yet) a good usable version of gpg that works under windows.  I
>believe that people are working on it.  Remember that gpg is still version
>0.4.0 . New versions are released about every week or so.  This is still
>alpha software.  Things break and you sorta need to keep up with this list
>to get the full use out of gpg.  If you need more functionality, windows
>and mac versions, you might want to try pgp for now.  pgp is the precursor
>to gpg.  It does the same thing as gpg, but comes under different
>licensing terms.  I don't know if the way you want to use it would be
>considered 'commercial'.  It can be found at www.pgpi.con and www.pgp.com
>which sends you to www.na.com I believe.

I already checked with those folks, and while they were willing to cut the
price way down... it wasn't low enough to make it worthwhile to my client.
We don't expect high volume. :-(

>Hope you are able to get something working.  If you have any more questions
>let me know.

Well, I've certainly done that. :-)

THANKS!!!

PS  Is somebody working on an "Introduction" yet?
It ain't much, but I reckon I could try to start one.

--
--
-- "TANSTAAFL" Rich lynch at lscorp.com
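
The workflow discussed in this message (keypair, public-key encryption with -a/-e/-r/-o, the passphrase that unlocks the secret key, and conventional -c encryption), as an added example that is not part of the original post or of the GnuPG project. It assumes a current GnuPG 2.1 or later installed as "gpg" rather than the 0.3.5 shown above; the user ID, passphrases and file contents are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.1+ installed as "gpg".
# The user ID, passphrases and file contents are constructed sample values.
export GNUPGHOME="$(mktemp -d)"        # throwaway keyring, ~/.gnupg is untouched
chmod 700 "$GNUPGHOME"
echo "default-cache-ttl 0" > "$GNUPGHOME/gpg-agent.conf"   # no passphrase caching
WORK="$(mktemp -d)"
RCPT="orders@example.org"
KEYPASS="key-passphrase-demo"
G="gpg --batch --yes --quiet --pinentry-mode loopback"

# Keypair: the secret key is a file on disk, stored encrypted under KEYPASS.
make_key() {
  $G --passphrase "$KEYPASS" \
     --quick-generate-key "Demo Shop <$RCPT>" default default never >/dev/null 2>&1
}

# -e: encrypt to the recipient's PUBLIC key. No passphrase is involved.
# -a gives ASCII armor; -o names the output so nothing lands on the terminal.
encrypt_to() { $G -a -e -r "$RCPT" -o "$2" "$1"; }

# Decrypting needs both: the secret key in the keyring and its passphrase.
# The same call also opens -c output, where the passphrase is the only secret.
decrypt_with() { $G --passphrase "$1" -d "$2" 2>/dev/null; }

# -c: conventional encryption, a shared passphrase and no keys at all.
# Given no file argument gpg reads stdin, and without -o it writes to stdout.
sym_encrypt() { $G --passphrase "$1" -a -c -o "$3" "$2"; }

demo() {
  printf 'order: 2 lb coffee\n' > "$WORK/order.txt"
  make_key || return 1
  encrypt_to "$WORK/order.txt" "$WORK/order.asc"
  head -n 1 "$WORK/order.asc"
  decrypt_with "wrong guess" "$WORK/order.asc" || echo "wrong passphrase: refused"
  decrypt_with "$KEYPASS" "$WORK/order.asc"
  sym_encrypt "shared secret" "$WORK/order.txt" "$WORK/order-sym.asc"
  decrypt_with "shared secret" "$WORK/order-sym.asc"
}
demo
```

The sender only ever needs the public key; the passphrase stays with whoever holds the secret key and protects that key file if it is copied or stolen.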






More information about the Gnupg-devel mailing list