What is PGP?

Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories and whole disk partitions to increase overall security. The OpenPGP message format is covered in more detail here, for those interested.

PGP utilizes something called asymmetric cryptography, which Cory Doctorow explained as such in his novel Little Brother:

(excerpt from Little Brother, a free novel by Cory Doctorow)

In public key crypto, each user gets two keys. They're long strings of mathematical gibberish, and they have an almost magic property. Whatever you scramble with one key, the other will unlock, and vice-versa. What's more, they're the only keys that can do this -- if you can unscramble a message with one key, you know it was scrambled with the other (and vice-versa).

So you take either one of these keys (it doesn't matter which one) and you just publish it. You make it a total non-secret. You want anyone in the world to know what it is. For obvious reasons, they call this your "public key."

The other key, you hide in the darkest reaches of your mind. You protect it with your life. You never let anyone ever know what it is. That's called your "private key." (Duh.)

Now say you're a spy and you want to talk with your bosses. Their public key is known by everyone. Your public key is known by everyone. No one knows your private key but you. No one knows their private key but them.

You want to send them a message. First, you encrypt it with your private key. You could just send that message along, and it would work pretty well, since they would know when the message arrived that it came from you. How? Because if they can decrypt it with your public key, it can only have been encrypted with your private key. This is the equivalent of putting your seal or signature on the bottom of a message. It says, "I wrote this, and no one else. No one could have tampered with it or changed it."

The passage goes more in depth, but for now this is all you need to know to understand how it's used in 3301 (if you still need help visualizing it: here).

PGP in the context of 3301

The first use of PGP verification by 3301 is seen in the 2012 puzzle. They used something called clearsigning: the message is left unencrypted for anyone to read, but it carries a signature that lets anyone verify that the original message has not been changed and that it is in fact from who it claims to be from.

PGP-Signed Message
Hash: SHA1

- From here on out, we will cryptographically sign all messages with this key.

It is available on the mit keyservers.  Key ID 7A35090F, as posted in a2e7j6ic78h0j.

Patience is a virtue.

Good luck.

Version: GnuPG v1.4.11 (GNU/Linux)
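The "- From here on out" line in the message above is dash-escaping, part of the OpenPGP cleartext framing. The following added example (not code from the original page or from GnuPG) parses that framing and recovers the exact bytes a signature covers; the function name, the sample text layout and the placeholder signature are assumptions made for illustration.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def parse_clearsigned(text):
    """Return (hash_names, signed_bytes, signature_block_lines)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != BEGIN_MSG:
        raise ValueError("not a clearsigned message")
    i, hashes = 1, []
    # Headers run until the first empty line; only "Hash" headers belong here.
    while i < len(lines) and lines[i].strip():
        name, _, value = lines[i].partition(":")
        if name.strip() != "Hash":
            raise ValueError("unexpected header: " + lines[i])
        hashes += [h.strip() for h in value.split(",")]
        i += 1
    i += 1  # skip the empty separator line, which is not signed
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]  # undo dash-escaping ("- From ..." -> "From ...")
        elif line.startswith("-"):
            raise ValueError("unescaped '-' line inside signed text")
        body.append(line.rstrip(" \t"))  # trailing spaces/tabs are not signed
        i += 1
    if i >= len(lines):
        raise ValueError("missing signature block")
    # Canonical text: CRLF between lines, none after the last line.
    return hashes, "\r\n".join(body).encode("utf-8"), lines[i:]

# Constructed sample: text from the message above in cleartext framing, with a
# trailing-space line added and a placeholder instead of real signature data.
SAMPLE = "\n".join([
    BEGIN_MSG,
    "Hash: SHA1",
    "",
    "- From here on out, we will cryptographically sign all messages with this key.",
    "",
    "Patience is a virtue.   ",
    "",
    "Good luck.",
    BEGIN_SIG,
    "Version: GnuPG v1.4.11 (GNU/Linux)",
    "",
    "PLACEHOLDER",
    "-----END PGP SIGNATURE-----",
])
print(parse_clearsigned(SAMPLE)[1].decode())
```

Anything outside the recovered bytes, such as text pasted above the BEGIN line or below the END line, is not covered by the signature even though it may be displayed next to it.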


But wait! How do I use this?

Whichever operating system you use, we recommend you use the GnuPG implementation of the OpenPGP standard.

As with almost any kind of open source software, many people have forked and edited the source code to create their own versions, which may run on multiple platforms, support different GUIs, or maybe even use different encryption algorithms. We highly recommend you use the command line interface, as it will always display important warnings that some GUIs ignore.

Setting up in Windows 10

You will first need to download and install Gpg4win, the Windows version of GnuPG. When you run the executable, it will give you a prompt. Deselect everything except GnuPG; the other components are unnecessary for what you'll be doing. Continue to install.

From here, you're going to launch the command prompt. To ensure you successfully installed it, type

gpg --version

and hit enter. You should get an output something like:

Supported algorithms:
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

This means it successfully installed and recognizes the gpg command, and you're ready to head to the next step.

Setting up in MacOS

If you're running MacOS, you have it easy! There is a good GUI implementation that can be downloaded here. However, if you wish to use GnuPG through the command line, you will have to do this.

Setting up in any Linux distribution

Depending on your distribution, GnuPG may already be installed! To check, open your terminal and type

gpg --version

and hit enter. If you don't get an error saying the command was not found, it's installed! If it isn't, it's easy to install. In your terminal, type

[package manager] install gnupg
Note: you may have to run the command with sudo, or your package manager might require extra flags. Consult your package manager's documentation for further help.

Generating your keypair using the command line

With your command line still open, start the generation process by typing

gpg --full-generate-key

Input the information as the prompt asks.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096

The selections shown above (option 1, RSA and RSA, with a keysize of 4096) are what is recommended. You can set the key to expire if you wish, but I always set mine to never expire.

Whether or not you use your real name when creating the key is entirely up to you. Now, you can send your public key to a keyserver using the command

gpg --send-keys keyID

This will make your public key available for people to use. NEVER SHARE YOUR PRIVATE KEY OR PASSPHRASE WITH ANYONE.

Generating the revocation certificate (optional)

Revocation certificates are used in case your private key gets compromised or lost: the GnuPG equivalent of someone stealing your Steam password. A revocation certificate will allow you to revoke your key and make it unusable. Generate one by typing

gpg --generate-revocation keyID

Now that you've done this, should your private key be compromised for any reason, all you have to do is this to tell people that it's no longer valid. Save this file, if nothing else. Keep it somewhere nobody but you can access it.

Great! Now how do I verify 3301's messages?

Now that you've created your own keypair, you can verify messages signed by 3301. To do this, you are going to import their public key with:

gpg --receive-keys 0x181F01E57A35090F

Their public key can also be found here, here, here, and here. It sounds silly, but you can check for yourself that it's the right key not just by using the full fingerprint, but also by looking to see if someone did this. If it has goatse from 2014, it's the real 3301 key.

Now, let's verify the message at the top. Copy and paste it to a text file and save it, then run

gpg --verify path/to/file

Your output should look something like this:

gpg: Signature made 01/04/12 21:46:03 Central Standard Time
gpg:                using RSA key 181F01E57A35090F
gpg: Good signature from "Cicada 3301 (845145127)" [full]
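"Good signature" only says that some key in your keyring signed the text, so the key ID on the "using RSA key" line matters as much as the word "Good". The following added example (not part of the original page) makes that check on the machine-readable lines GnuPG writes with --status-fd; the function names and the sample status lines are constructed for illustration, and the second key ID is made up.

```python
import subprocess

# Long key ID from the page; comparing a full 40-hex fingerprint is stronger
# when you have one from a source you trust.
EXPECTED_KEY = "181F01E57A35090F"
# Status keywords that mean the signature must not be accepted.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}

def check_status(status_text, expected=EXPECTED_KEY):
    """Return (ok, reason) for the text gpg writes to its status fd."""
    good = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword in FAILURES:
            return False, keyword
        if keyword == "GOODSIG" and len(fields) > 2:
            good.append(fields[2].upper())
    if len(good) != 1:
        return False, "expected exactly one good signature, saw %d" % len(good)
    if not good[0].endswith(expected.upper()):
        return False, "signed by unexpected key " + good[0]
    return True, "good signature from " + good[0]

def verify_file(path, expected=EXPECTED_KEY):
    """Run gpg on a clearsigned file and judge its status output."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return check_status(proc.stdout, expected)

# Constructed status lines (not captured from a real gpg run).
GOOD = ("[GNUPG:] NEWSIG\n"
        "[GNUPG:] GOODSIG 181F01E57A35090F Cicada 3301 (845145127)\n")
OTHER_KEY = "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else\n"
TAMPERED = "[GNUPG:] BADSIG 181F01E57A35090F Cicada 3301 (845145127)\n"

if __name__ == "__main__":
    for sample in (GOOD, OTHER_KEY, TAMPERED):
        print(check_status(sample))
```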