FigDoc.tioga
Feigenbaum, June 1, 1984 11:04:18 pm PDT
Michael Plass, January 24, 1986 1:20:41 pm PST
Fig
CEDAR 6.0 — FOR INTERNAL XEROX USE ONLY
Joan Feigenbaum
© Copyright 1986 Xerox Corporation. All rights reserved.
Abstract: A primitive encrypted-mail program that runs under Walnut.
Created by: Joan Feigenbaum
Maintained by: Dan Greene <Greene.pa>
Keywords: encryption, mail, walnut
XEROX  Xerox Corporation
   Palo Alto Research Center
   3333 Coyote Hill Road
   Palo Alto, California 94304

New Program: FIG, a primitive encrypted-mail program that runs under Walnut.
Author (notice that I didn't say maintainer): Joan Feigenbaum
Instructions:
1) Bringover Fig from CedarChest
2) Run
% Walnut
if you have not already done so.
3) Run
% FIG
4) In order to send encrypted mail, you now press Walnut's NewForm button and
you should have an EncryptSend (ES) button and a SignSend (SS, for digital signature)
button in the Walnut SendMenu. If you don't, destroy this first window and press NewForm
again. Now you should have the ES and SS buttons. If you don't, see 8) below. If this is
the first time you have used FIG, you will have to wait several minutes while it creates
your public-key, private-key pair. This takes at least several minutes real time because
it must generate two very large primes.
5) Type in the text, subject, destination, cc, etc. of your message just as you would if
you were using Walnut without encryption. Then, instead of hitting Send, hit either
ES, to send the message encrypted, or SS, to send it encrypted and signed. If you try
to send an encrypted message to XX.pa, who has not yet created her encryption keys,
you will get the blinking message
    Cannot open [Indigo]<Cryptography>XX.key
in your message window. I guess that the best thing to do at this point is to send XX.pa an
unencrypted message telling her to sign herself up by executing steps 1) through 4).
If at least one of the recipients you tried to send to does have a key pair, just wait--the
message will be encrypted, displayed (encrypted) in a new send window, and sent. The
new send window will be refreshed for each intended recipient who has a public key,
and the "Cannot open..." error message will be flashed once for each intended recipient
who doesn't. NOTE THAT THE SUBJECT FIELD OF AN ENCRYPTED MESSAGE IS
NOT ENCRYPTED.

If you are sending signed mail, then both you and the recipients are authenticated. This requires that you take your public key to the MASTER, who, after visually associating you with your key, signs your key with his master private key and then appends his signature to your public key file on Indigo. You return with a copy of the MASTER's public key, which you leave on your local disk. This allows your program to verify other users' public keys without any extra security mechanism in the IFS. However, until you and your recipients have registered yourselves with the MASTER, SS and V will flash warning messages.
6) In order to read encrypted or signed mail, display the message as you would any
message you received through Walnut. As in step 4), you may have to destroy the
first copy you display because it doesn't have Decrypt (D) and Verify (V) buttons in
the menu. If you have run FIG and the second copy you display still doesn't have these
buttons, see 8) below. Now if the message you've displayed has a header field
EncryptedKey:, followed by a long string of digits, hit the D button to see the plain
text displayed. If the message has a header field Signature:, followed by a long string
of digits, hit the V button to see the plain text displayed.
7) FIG uses a combination of RSA public-key encryption and DES conventional
cryptography. The private key that you created the first time you used FIG
is now stored in a file ///Keys/YourUserName.PrivateKey
(in human-readable form), and if you are using your own personal Dorado, you can just
leave it there until you have to erase your disk. If you are a summer student (or
anyone who uses public machines regularly), then before you log out, you must execute
% StorePrivateKey.
This will prompt you for a password--remember it. Next time you log in to a public
machine and want to use FIG, execute
% RetrievePrivateKey,
which will prompt you for the same password and restore your private key to
///Keys/YourUserName.key. In the interim, the private key was stored encrypted in
/ivy/YourUserName/YourUserName.encryptedPrivateKey. If you have your own machine,
you can store and retrieve your private key in exactly the same way whenever you have
to erase your disk (e.g., in order to install a new release).
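
An added illustration (not FIG's code, and not part of the original note) of the hybrid scheme described in steps 5) through 7): each recipient's copy carries a fresh symmetric key wrapped with that recipient's RSA public key in an EncryptedKey: field of decimal digits, the Subject stays in the clear, and recipients without a key are reported instead of being sent to. The message layout, the per-copy session key, the function names and the small constructed primes are assumptions; textbook RSA without padding and a SHA-256 keystream stand in for FIG's RSA and DES so that the sketch runs with only the Python standard library.

```python
import hashlib
import secrets

def keygen(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy sizes, no padding)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def stream_xor(key, data):
    """Stand-in for DES: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt_send(subject, body, recipients, directory):
    """Build one encrypted copy per recipient that has a public key."""
    sent, missing = {}, []
    for name in recipients:
        if name not in directory:
            missing.append(name)  # FIG reports "Cannot open ..." for these
            continue
        n, e = directory[name]
        session = secrets.token_bytes(8)  # fresh symmetric key per copy
        wrapped = pow(int.from_bytes(session, "big"), e, n)
        sent[name] = {
            "Subject": subject,  # stays in the clear, as the note warns
            "EncryptedKey": str(wrapped),  # decimal digits, as in step 6)
            "Body": stream_xor(session, body.encode()).hex(),
        }
    return sent, missing

def decrypt(message, private_key):
    """Unwrap the session key with RSA, then recover the body."""
    n, d = private_key
    session = pow(int(message["EncryptedKey"]), d, n).to_bytes(8, "big")
    return stream_xor(session, bytes.fromhex(message["Body"])).decode()

# Constructed demo data: Mersenne primes stand in for large random primes.
PUB, PRIV = keygen(2**61 - 1, 2**89 - 1)
DIRECTORY = {"Greene.pa": PUB}  # XX.pa has no key file yet
SENT, MISSING = encrypt_send(
    "lunch", "Meet at noon.", ["Greene.pa", "XX.pa"], DIRECTORY)
```
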
Known Bugs and Shortcomings:
8) Sometimes, the recommended sequence of commands
(run Walnut, run FIG, destroy the first send- or message-viewer that Walnut displays if
necessary) fails to get the D and V buttons displayed in the message-viewer. This is
apparently caused by some non-determinism in the viewers package that no one's tracked
down yet, and the only thing that cures it is a rollback.
9) You cannot yet use ES and SS to send encrypted or signed-encrypted mail to a
distribution list. (But you can use it to send to as many people as you're willing to
type in names, as long as they've all created keys.)
10) The password that you type in to StorePrivateKey and RetrievePrivateKey is
echoed. Hence, it is in the edithistory of the commandtool; hence your private key
isn't secure. Both fixes to this that I can think of--namely, debugging the EditedStream
module so that I can turn off echoing
and/or having StorePrivateKey and RetrievePrivateKey do the Tioga operations
needed to edit the password out of the edithistory--are beyond my current cedar hacking ability
and time constraints. If anyone else is interested or has a better idea, ...
11) If Indigo is busy and refusing new connections when your public key is generated,
you will get the message "Cannot Copy public key file to [Indigo]<cryptography>keys>".
The only thing I can think of to do in this situation is to issue the command
copy /indigo/cryptography/keys/yourUserName.publicKey ← ///temp/yourUserName.key
when Indigo gets less busy.
12) These programs are pretty slow. Sorry.
Future Work:
Until about 6/13, I will be coming in from time to time to read and hear your comments
and to fix minor problems. So please try this out as soon as you get a few spare minutes
and send me your comments. From June 15 until about September 15, I will be away.
Next fall, if it looks as though people are using FIG, I will probably do some more work
on it--there are lots of problems in security that it doesn't even address. So you can
continue to send me mail about it during the summer.
Why it's called FIG:
My name means Figtree; so it seemed like the best choice, in view of the tradition of
naming programs after nuts and trees and plants and such. This was all Mike Spreitzer's
idea.