- 1 What is PGP?
- 2 PGP in the context of 3301
- 3 But wait! How do I use this?
- 4 Setting up in Windows 10
- 5 Setting up in MacOS
- 6 Setting up in any Linux distribution.
- 7 Generating your keypair using the command line
- 8 Great! Now how do I verify 3301's messages?
What is PGP?
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories and whole disk partitions to increase overall security. The OpenPGP message format is covered in more detail here, for those interested.
PGP utilizes something called asymmetric cryptography, which Cory Doctorow explained as such in his novel Little Brother:
The passage goes into more depth, but for now this is all you need to know to understand how it's used in 3301 (if you still need help visualizing it: here).
PGP in the context of 3301
The first use of PGP verification by 3301 is seen in the 2012 puzzle. They did something called clearsigning: leaving the message unencrypted so anyone can read it, but attaching a signature so that anyone can verify the original message has not been changed and is in fact from the holder of the signing key, i.e. from who they say they are.
But wait! How do I use this?
Whichever operating system you use, we recommend you use the GnuPG implementation of the OpenPGP standard.
As with almost any kind of open source software, multiple people have forked and edited the source code to create their own versions, which run on different platforms, offer different GUIs, and may even support different encryption algorithms. We highly recommend you use the command line interface, as it will always display important warnings that some GUIs ignore.
Setting up in Windows 10
You will first need to download and install Gpg4win, the Windows version of GnuPG. When you run the executable, it will give you a prompt. Deselect everything except GnuPG; the other components are unnecessary for what you'll be doing. Continue to install.
From here, you're going to launch the command prompt. To ensure you successfully installed it, type
and hit enter. You should get an output something like:
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
This means it successfully installed and recognizes the gpg command, and you're ready to head to the next step.
Setting up in MacOS
Setting up in any Linux distribution.
Depending on your distribution, GnuPG may already be installed! To check, open your terminal and type
and hit enter. If you don't get an error saying the command was not found, it's installed! If it isn't, it's easy to install. In your terminal, type
[package manager] install gnupg
Note: you may have to run the command as root (for example with sudo), or your package manager might require extra flags. Consult your package manager's documentation for further help.
Generating your keypair using the command line
With your command line still open, start the generation process by typing
Input the information as the prompt asks.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
A 4096-bit RSA key is what is recommended. You can set the key to expire if you wish, but I always set mine to never expire.
Whether or not you use your real name when creating the key is entirely up to you. Now, you can send your public key to a keyserver using the command
gpg --send-keys keyID
This makes your public key available for other people to use. NEVER SHARE YOUR PRIVATE KEY OR PASSPHRASE WITH ANYONE.
Generating the revocation certificate (optional)
Revocation certificates are used in case your private key gets compromised or lost: the GnuPG equivalent of someone stealing your Steam password. A revocation certificate allows you to revoke your key and make it unusable. Generate one by typing
gpg --generate-revocation keyID
Should your private key be compromised for any reason, all you have to do is publish this certificate to tell people that the key is no longer valid. Save this file, if nothing else, and keep it somewhere nobody but you can access it.
Great! Now how do I verify 3301's messages?
Now that you've created your own keypair, you can verify messages signed by 3301. To do this, you are going to import their public key with:
gpg --receive-keys 0x181F01E57A35090F
Their public key can also be found here, here, here, and here. It sounds silly, but you can check for yourself that it's the right key: not just by comparing the full fingerprint, but also by looking to see whether someone did this. If it has goatse from 2014, it's the real 3301 key.
Now, let's verify the message at the top. Copy and paste it to a text file and save it, then run
gpg --verify path/to/file
Your output should look something like this:
gpg: Signature made 01/04/12 21:46:03 Central Standard Time
gpg:                using RSA key 181F01E57A35090F
gpg: Good signature from "Cicada 3301 (845145127)" [full]
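The fingerprint check described above, done in code as an added example (not part of this wiki page or of GnuPG): a small Python helper that reads GnuPG's machine-readable --status-fd output instead of grepping for "Good signature", and accepts a signature only when the signing key matches the 3301 key ID given on this page. The sample status lines and the 40-hex fingerprint inside them are constructed placeholders, and the verify_file wrapper assumes gpg is on your PATH.

```python
import re
import subprocess
# Long key ID this page gives for 3301's key; pinning the full 40-hex fingerprint
# is stronger and works too, since the check below compares the suffix.
EXPECTED_KEY = "181F01E57A35090F"
_STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")  # gpg --status-fd line shape

def parse_status(status_text: str) -> dict:
    """Reduce gpg status output to the facts a verifier actually needs."""
    result = {"goodsig": False, "fingerprint": None, "trust": None}
    for line in status_text.splitlines():
        m = _STATUS_LINE.match(line)
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "GOODSIG":
            result["goodsig"] = True
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            # Bad, unverifiable, or made with an expired/revoked key: reject.
            result["goodsig"], result["problem"] = False, keyword
        elif keyword == "VALIDSIG":
            result["fingerprint"] = args[0].upper()  # full fingerprint of the signer
        elif keyword.startswith("TRUST_"):
            result["trust"] = keyword
    return result

def is_from_expected_key(status_text: str, expected: str = EXPECTED_KEY) -> bool:
    """'Good signature' only says some key in your keyring signed it; the signer
    must also be the key you pinned, otherwise anyone's key would pass."""
    r = parse_status(status_text)
    return bool(r["goodsig"] and r["fingerprint"]
                and r["fingerprint"].endswith(expected.upper()))

def verify_file(path: str) -> bool:
    """Verify a clearsigned file with the installed gpg (needs gpg on PATH)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True, check=False)
    return is_from_expected_key(proc.stdout)

# Constructed sample status output in the shape gpg emits for the signature on
# this page; the 40-hex fingerprint is a placeholder ending in the real key ID.
FAKE_FPR = "0" * 24 + EXPECTED_KEY
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 181F01E57A35090F Cicada 3301 (845145127)\n"
    f"[GNUPG:] VALIDSIG {FAKE_FPR} 2012-01-05 1325735163 0 4 0 1 2 00 {FAKE_FPR}\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
)
```

Replacing FAKE_FPR in SAMPLE_GOOD with any other 40-hex value gives a status block that gpg would still report as a good signature but that is_from_expected_key rejects, which is exactly the case a plain grep for "Good signature" gets wrong.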