New Program: FIG, a primitive encrypted-mail program that runs under walnut. Author (notice that I didn't say maintainer): Joan Feigenbaum Instructions: 1) Bringover [Indigo]Fig.df 2) Run % Walnut if you have not already done so. 3) Run % FIG 4) In order to send encrypted mail, you now press Walnut's NewForm button and you should have an EncryptSend (ES) button and a SignSend (SS, for digital signature) button in the Walnut SendMenu. If you don't, destroy this first window and press NewForm again. Now you should have the ES and SS buttons. If you don't, see 8) below. If this is the first time you have used FIG, you will have to wait several minutes while it creates your public-key, private-key pair. This takes at least several minutes real time because it must generate two very large primes. 5) Type in the text, subject, destination, cc, etc. of your message just as you would if you were using Walnut without encryption. Then, instead of hitting Send, hit either ES, to send the message encrypted, or SS, to send it encrypted and signed. If you try to send an encrypted message to XX.pa, who has not yet created her encryption keys, you will get the blinking message Cannot open [Indigo]XX.key in your message window. I guess that the best thing to do at this point is to send XX.pa an unencrypted message telling her to sign herself up by executing steps 1) through 4). If at least one of the recipients you tried to send to does have a key pair, just wait--the message will be encrypted, displayed (encrypted) in a new send window, and sent. The new send window will be refreshed for each intended recipient who has a public key, and the "Cannot open..." error message will be flashed once for each intended recipient who doesn't. NOTE THAT THE SUBJECT FIELD OF AN ENCRYPTED MESSAGE IS NOT ENCRYPTED. If you are sending signed mail then both you and the recipients are authenticated. This requires that you take your public key to the MASTER, who, after visually associating you with your key, signs your key with his master private key and then appends his signature to your public key file on indigo. You return with a copy of the MASTER's public key, which you leave on your local disk. This allows your program to verify other users public keys without any extra security mechanism in the IFS. However, until you and your recipients have registered yourselves with the MASTER, SS and V will flash warning messages. 6) In order to read encrypted or signed mail, display the message as you would any message you received through walnut. As in step 4), you may have to destroy the first copy you display because it doesn't have Decrypt (D) and Verify (V) buttons in the menu. If you have run FIG and the second copy you display still doesn't have these buttons, see 8) below. Now if the message you've displayed has a header field EncryptedKey:, followed by a long string of digits, hit the D button to see the plain text displayed. If the message has a header field Signature:, followed by a long string of digits, hit the V button to see the plain text displayed. 7) FIG uses a combination of RSA public-key encryption and DES conventional cryptography. The private key that you created the first time you used FIG is now stored in a file ///Keys/YourUserName.PrivateKey (in human-readable form), and if you are using your own personal dorado, you can just leave it there until you have to erase your disk. If you are a summer student (or anyone who uses public machines regularly), then before you log out, you must execute % StorePrivateKey. This will prompt you for a password--remember it. Next time you login to a public machine and want to use FIG, execute % RetrievePrivateKey, which will prompt you for the same password and restore your private key to ///Keys/YourUserName.key. In the interim, the private key was stored encrypted in /ivy/YourUserName/YourUserName.encryptedPrivateKey. If you have your own machine, you can store and retrieve your private key in exactly the same way whenever you have to erase your disk (e.g., in order to install a new release). Known Bugs and Shortcomings: 8) Sometimes, the recommended sequence of commands (run walnut, run FIG, destroy the first send- or message-viewer that walnut displays if necessary) fails to get the D and V buttons displayed in the message-viewer. This is apparently caused by some non-determinism in the viewers package that no one's tracked down yet, and the only thing that cures it is a rollback. 9) You cannot yet use ES and SS to send encrypted or signed-encrypted mail to a distribution list. (But you can use it to send to as many people as you're willing to type in names, as long as they've all created keys.) 10) The password that you type in to StorePrivateKey and RetrievePrivateKey is echoed. Hence, it is in the edithistory of the commandtool; hence your private key isn't secure. Both fixes to this that I can think of--namely, debugging the EditedStream module so that I can turn off echoing and/or having StorePrivateKey and RetrievePrivateKey do the Tioga operations needed to edit the password out of the edithistory--are beyond my current cedar hacking ability and time constraints. If anyone else is interested or has a better idea, ... 11) If Indigo is busy and refusing new connections when your public key is generated, you will get the message "Cannot Copy public key file to [Indigo]keys>". The only thing I can think of to do in this situation is to issue the command copy /indigo/cryptography/keys/yourUserName.publicKey _ ///temp/yourUserName.key when Indigo gets less busy. 12) These programs are pretty slow. Sorry. Future Work: Until about 6/13, I will be coming in from time to time to read and hear your comments and to fix minor problems. So please try this out as soon as you get a few spare minutes and send me your comments. From June 15 until about September 15, I will be away. Next fall, if it looks as though people are using FIG, I will probably do some more work on it--there are lots of problems in security that it doesn't even address. So you can continue to send me mail about it during the summer. Why it's called FIG: My name means Figtree; so it seemed like the best choice, in view of the tradition of naming programs after nuts and trees and plants and such. This was all Mike Spreitzer's idea. ÊD˜J˜MJ˜J˜>J˜J˜J˜6J˜J˜J˜ J˜0J˜J˜J˜¤J˜ZJ˜]J˜YJ˜ZJ˜(J˜J˜XJ˜UJ˜WJ˜vJ˜-J˜]J˜UJ˜\J˜VJ˜TJ˜XJ˜FJ˜þJ˜J˜SJ˜QJ˜UJ˜XJ˜OJ˜VJ˜YJ˜=J˜J˜MJ˜LJ˜9J˜WJ˜TJ˜VJ˜J˜SJ˜%J˜J˜MJ˜SJ˜SJ˜VJ˜>J˜J˜J˜J˜3J˜XJ˜VJ˜WJ˜:J˜J˜PJ˜WJ˜5J˜J˜OJ˜TJ˜ZJ˜&J˜MJ˜`J˜NJ˜J˜VJ˜WJ˜NJ˜QJ˜J˜J˜,J˜J˜ J˜WJ˜ZJ˜SJ˜YJ˜XJ˜5J˜J˜J˜VJ˜YJ˜J˜—…—Æ