What is PGP?
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories and whole disk partitions to increase overall security. The OpenPGP message format is covered in more detail here, for those interested.
PGP utilizes something called asymmetric cryptography, which Cory Doctorow explained as follows in his novel Little Brother:
In public key crypto, each user gets two keys. They're long strings of mathematical gibberish, and they have an almost magic property. Whatever you scramble with one key, the other will unlock, and vice-versa. What's more, they're the only keys that can do this -- if you can unscramble a message with one key, you know it was scrambled with the other (and vice-versa).
So you take either one of these keys (it doesn't matter which one) and you just publish it. You make it a total non-secret. You want anyone in the world to know what it is. For obvious reasons, they call this your "public key."
The other key, you hide in the darkest reaches of your mind. You protect it with your life. You never let anyone ever know what it is. That's called your "private key." (Duh.)
Now say you're a spy and you want to talk with your bosses. Their public key is known by everyone. Your public key is known by everyone. No one knows your private key but you. No one knows their private key but them.
You want to send them a message. First, you encrypt it with your private key. You could just send that message along, and it would work pretty well, since they would know when the message arrived that it came from you. How? Because if they can decrypt it with your public key, it can only have been encrypted with your private key. This is the equivalent of putting your seal or signature on the bottom of a message. It says, "I wrote this, and no one else. No one could have tampered with it or changed it."
The passage goes into more depth, but for now this is all you need to know to understand how PGP is used in 3301 (if you still need help visualizing it: here).
PGP in the context of 3301
The first use of PGP verification by 3301 is seen in the 2012 puzzle. They did something called clearsigning: the message is left unencrypted for anyone to read, but a signature is attached to it so that anyone can verify that the original text has not been changed and that it really comes from the holder of the signing key, i.e. from who they say they are.
But wait! How do I use this?
Whichever operating system you use, we recommend you use the GnuPG implementation of the OpenPGP standard.
As with almost any kind of open source software, multiple people have forked and edited the source code to create their own versions, which may run on different platforms, support different GUIs, and perhaps even different encryption algorithms. We highly recommend you use the command line interface, as it will always display important warnings that some GUIs ignore.
If you are looking to verify a message from 3301, you can use isitcicada.
Setting up in Windows 10
You will first need to download and install Gpg4win, the Windows version of GnuPG. When you run the installer, it will show a component selection prompt. Deselect everything except GnuPG; the other components are unnecessary for what you'll be doing. Continue with the installation.
From here, you're going to launch the command prompt. To ensure you successfully installed it, type
gpg --version
and hit enter. You should get output something like:
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
This means it successfully installed and recognizes the gpg command, and you're ready to head to the next step.
Setting up in MacOS
If you're running MacOS, you have it easy! There is a good GUI implementation that can be downloaded here. However, if you wish to use GnuPG through the command line, you will have to do this.
Setting up in any Linux distribution
Depending on your distribution, GnuPG may already be installed! To check, open your terminal and type
gpg --version
and hit enter. If you don't get an error saying the command was not found, it's installed! However, if it isn't, it's easy to install. In your terminal, type
[package manager] install gnupg
Note: you may need to run the command with sudo (or as root), or your package manager might require extra flags. Consult your package manager's documentation for further help.
Generating your keypair using the command line
With your command line still open, start the generation process by typing
gpg --full-generate-key
Input the information as the prompt asks.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
is what is recommended. You can set the key to expire if you wish, but I always set mine to never expire.
Whether or not you use your real name when creating the key is entirely up to you. Now, you can send your public key to a keyserver using the command
gpg --send-keys keyID
This will make your public key available for other people to use. NEVER SHARE YOUR PRIVATE KEY OR PASSPHRASE WITH ANYONE.
Generating the revocation certificate (optional)
Revocation certificates are used in case your private key gets compromised or lost, the GnuPG equivalent of someone stealing your Steam password. A revocation certificate allows you to revoke your key and mark it as unusable. Generate one by typing
gpg --generate-revocation keyID
Should your private key be compromised for any reason, all you have to do now is use this certificate to tell people that the key is no longer valid. Save this file, if nothing else, and keep it somewhere nobody but you can access it.
Great! Now how do I verify 3301's messages?
Now that you've created your own keypair, you can verify messages signed by 3301. To do this, you are going to import their public key with:
gpg --receive-keys 6D854CD7933322A601C3286D181F01E57A35090F
Their public key can also be found here, here, here, and here.
Now, let's verify the message at the top. Copy and paste it to a text file and save it, then run
gpg --verify path/to/file
Your output should look something like this:
gpg: Signature made 01/04/12 21:46:03 Central Standard Time
gpg:                using RSA key 181F01E57A35090F
gpg: Good signature from "Cicada 3301 (845145127)" [full]
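To make the clearsigning described above more concrete, here is an added Python example (not code from this page or from GnuPG) that parses the cleartext signature framework which gpg --clearsign produces and gpg --verify reads: it separates the readable text from the armored signature, undoes dash-escaping, and hashes the text the way the signature covers it, which is why a changed character breaks the signature while trailing spaces do not. The sample message and its signature body are constructed placeholders, not a real 3301 message or a valid signature, and the code does not verify the signature itself (that remains gpg's job).

```python
import hashlib

# Constructed sample of the cleartext signature framework that gpg --clearsign
# emits. The text is made up and the signature body is a placeholder, NOT a
# valid OpenPGP signature; only the framing is realistic.
SAMPLE = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA256",
    "",
    "Hello, this is a clearsigned message.   ",  # trailing spaces are not signed
    "- - a bullet point",                          # dash-escaped form of "- a bullet point"
    "Anyone can read this text without a key.",
    "-----BEGIN PGP SIGNATURE-----",
    "",
    "iQEzBAEBCAAdFiEEPLACEHOLDERNOTAREALSIGNATURE",  # placeholder bytes
    "=AbCd",
    "-----END PGP SIGNATURE-----",
])

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def parse_clearsigned(armored):
    """Return (hash_algorithms, cleartext_lines, signature_block_lines), or None
    if the three armor boundaries are missing or out of order."""
    lines = armored.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        return None
    hashes, i = [], start + 1
    while i < sig_start and lines[i] != "":  # armor headers end at a blank line
        key, _, value = lines[i].partition(":")
        if key.strip() == "Hash":
            hashes.extend(h.strip() for h in value.split(","))
        i += 1
    # Undo dash-escaping: a text line that began with "-" was armored as "- -...".
    text = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig_start]]
    return hashes, text, lines[sig_start:sig_end + 1]

def canonical_digest(text_lines, algorithm="sha256"):
    """Hash the cleartext as the signature covers it (RFC 4880 section 7.1):
    trailing spaces/tabs removed, CRLF line endings, none after the last line.
    gpg also hashes the signature packet's own fields, so this is only the text part."""
    canonical = "\r\n".join(line.rstrip(" \t") for line in text_lines)
    return hashlib.new(algorithm, canonical.encode("utf-8")).hexdigest()
```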