The Pure Crypto Project Quick Start Guide
You may have noticed that using the program pcp2 requires some preparations. The reason for this is of course that you need to have your own two RSA keys (a signing key and an encryption key), before you can do anything.
In general the Pure Crypto Project assumes that every person using pcp2 is in posession of their own two RSA keys and that these two keys will never be shared with anyone. The public parts of these keys can safely be exchanged with other persons who want to encrypt files for you and who wish to verify your signatures.
For practical reasons the signing key is stored in a file "signingkey" and the encryption key in a file "encryptionkey". Both keys must be stored in a subdirectory $HOME/.pcp in a user's home directory with minimal permissions.
sdlh-generate-hashkey and pcp2-generate-rsakeys
So the first step is to make that subdirectory and change into it:mkdir $HOME/.pcp ; chmod 700 $HOME/.pcp
cd $HOME/.pcp
Before you create your own encryption and signing keys a third file, the hashkey file, is needed, because hashing a message with the Shamir Discrete Logarithm Hash Function, that pcp2 uses, is based on your individual hashkey. And this hashkey will be incorporated into the new signing and encryption keys as well.
So the creation of your personal hashkey file is the next step:
cd $HOME/.pcp
sdlh-generate-hashkeyThe resulting file "hashkey" contains only public information and you need not protect this file in any way. It contains two long numbers (the hashmodulus and the generator) which everyone can use, knowing it is your personal hashkey. That's why your hashkey values will also be part of your public keys you will give to other persons.
Once you see a file "hashkey" in $HOME/.pcp, you can start to generate your own RSA keys. Please start with your signing key: (remain in the directory $HOME/.pcp !)
pcp2-generate-rsakeys sigThe results of this program are two files "signingkey" and "signingkey.pub". While "signingkey" contains very sensitive information and must be kept secret, the other file "signingkey.pub" does not and can be shared with anyone safely. It is essential to know that the private part of the file "signingkey" is stored unprotected, which is the number for the decryption exponent. Please bear in mind that, as a last step, you need to manually protect your signing and encryption key with a passphrase using pcp2-protect-privatekey.
I forgot to mention that when you enter the UserID for the key you should use the word 'signing' in your UserID, to define its use. You will see why this is important later. With pcp2 you won't have a bunch of signing keys, you always have exactly one, and this file is it.
Now you can generate your own encrypton key in the same fashion:
pcp2-generate-rsakeys enc
By now your directory should look like:
-rw------- 1 ralph ralph 1940 25. Dez 16:58 encryptionkey
-rw-r--r-- 1 ralph ralph 1475 25. Dez 16:58 encryptionkey.pub
-rw-r--r-- 1 ralph ralph 905 25. Dez 16:26 hashkey
-rw------- 1 ralph ralph 2368 25. Dez 16:58 signingkey
-rw-r--r-- 1 ralph ralph 1687 25. Dez 16:58 signingkey.pubIf you try to encrypt some file now, you will notice that the list of encryption keys is empty. But on the other hand, you are now able to sign any file. The fact that you cannot verify your own signature once again shows, that you dont't have any trusted public keys, that are needed for encryption and signature verification.
Trusted Public Keys
All trusted public keys (signing keys or encryption keys) must be stored in a subdirectory "$HOME/.pcp/trusted-keys". And to become a trusted public key that key file must be clearsigned with your own signing key.
So lets put our own public encryption and signing keys into the subdirectory and sign them, so they can be used as trusted public keys. (You are still in the .pcp directory!)
mkdir trusted-keys ; chmod 700 trusted-keys
cp encryptionkey.pub trusted-keys/my-encryptionkey.pub
pcp2 -s trusted-keys/my-encryptionkey.pub
cp signingkey.pub trusted-keys/my-signingkey.pub
pcp2 -s trusted-keys/my-signingkey.pub
Whenever you get a public key from anyone, and if you are sure you have the correct key belonging to this person (by first hand knowledge), you can put it into the trusted-key subdirectory and sign it in the same way. All public signing keys should have the word 'signing' in the UserID so that they don't show up in the list of encryption keys.
Protecting your Private Keys
After generating RSAkeys with pcp2-generate-rsakeys, the decryption exponent is stored unprotected in the key file. Now it is time to protect this private information with a passphrase using the program pcp2-protect-privatekey.For more information about the protection mechanism behind this program see: https://senderek.ie/pcp2/pcp-security.php.
There is a last step before you can protect your private keys. A file of at least 1100000 bytes of truely random data, the entropy file, is required. So this file has to be created first. And it is a good idea to sign that file too, so you are able to check from time to time if the file is still unchanged as bit rot or worse can happen to this entropy file.
dd if=/dev/random of=entropy bs=1K count=1100 ; chmod 400 entropy
pcp2 -ds entropyIf you lose this file, your private key cannot be unlocked, so it is wise that you store the unprotected keys in a safe place, before you replace them with the new (protected) keys.
pcp2-protect-privatekey signingkey new-signingkeyand
pcp2-protect-privatekey encryptionkey new-encryptionkeyI assume, you already know the importance of selecting a good passphrase for both keys. The files "new-signingkey" and "new-encryptionkey" now store the private part (the decryption exponent) in protected form. And after you have backed up your unprotected files in a safe place, you can overwrite the unprotected files with the protected ones.
Now you are fully prepared and you can use pcp2 to its full potential.
What is quite beyond my imagination is the fact, that I thought this would all self-explain when I first published pcp in the year 2003. Please forgive me for this oversight.
