RIPEM User's Guide

for RIPEM version 1.1

Mark Riordan

mrr@scss3.cl.msu.edu

June 1993


Introduction
What is RIPEM?

RIPEM (Riordan's Internet Privacy-Enhanced Mail, pronounced RYE-
pehm) is a public key encryption program oriented toward use
with electronic mail. It allows you to generate your own public
keypairs, and to encrypt and decrypt messages based on your key
and the keys of your correspondents. RIPEM is free, but each
user is required to agree to a license agreement which places
some limitations on its use.

This document is meant to instruct new users on the basic use of
RIPEM. It does not replace the Unix man page ripem.man, also
distributed with RIPEM. The man page describes all RIPEM
options in reference format; some obscure options are discussed
only in the man page. See also the Usenet newsgroup
alt.security.ripem.

Public Key Encryption

Public key encryption, a fairly recent concept, is an encryption
scheme in which messages are encrypted and decrypted with pairs
of keys. One component of a user's keypair is used for
encryption; the other is used for decryption. Thus, public key
cryptography is sometimes referred to as asymmetric
cryptography. Though both halves of the keypair are computed at
the same time, neither can be derived from the other.

This arrangement allows each correspondent to publish one half
of his keypair (the encryption key, public key, or public
component), keeping secret only the decryption half, or private
component. Users wishing to send a message to, say, Alice,
simply consult a non-secret directory of public components to
find Alice's public key component. They encrypt their messages
to Alice using her public key. Because only Alice knows her
private component, only she can decrypt any of these messages to
her. And none of the users corresponding with Alice need ever
have first exchanged any secret information with her.

Each user needs keep secret only his/her own private component.
Contrast this with traditional secret-key, or symmetric,
cryptography. In a group of N correspondents, each user must
keep track of N-1 secret keys. Furthermore, the total number of
secret keys required for traditional cryptography is (N)*(N-
1)/2, much larger than the N keys required by public key
cryptography.

Thus, public key cryptography's value lies in improved key
management, especially for large numbers of correspondents.
However, for the value of public key cryptography to be
realized, there must be an effective way for individual users to
widely advertise their public key components.

Privacy-Enhanced Mail

RIPEM provides capabilities very similar to Privacy-Enhanced
Mail (PEM), as described by Internet RFC's 1113-1115. However,
RIPEM lacks the concept of a certificate, a document which
guarantees that you have the correct public key of a
correspondent. RIPEM does implement a simple public key server,
but this is much less secure than the certificate-based key
management described in those RFC's. Because RIPEM does not
implement certificates, it is not compliant with these Internet
PEM RFC's. However, RIPEM is as compliant as is possible
without implementing certificates.

As specified in the PEM RFC's, RIPEM generates a pseudo-random
message key, and uses this key to encipher the message using a
traditional symmetric-key encryption algorithm. In the current
implementation of RIPEM, the DES (Data Encryption Standard)
algorithm in one of two different modes. RIPEM then enciphers
the message key using the RSA (Rivest-Shamir-Adleman) public key
algorithm, and includes the enciphered message key with the
message. Although the actual message text is never enciphered
with a public key algorithm, the effect is the same. The
advantage of this hybrid approach is performance-related: DES
and other typical symmetric cryptosystems are typically
thousands of times faster than public key systems.

RIPEM also "signs" the message by computing a checksum or hash
function of the message plaintext, and encrypting this hash
value with the sender's private key component. (Private RSA key
components are usually used for decryption of messages encrypted
with the public component, but in fact the reverse process also
works.) Rivest's MD5 message digest algorithm is used for the
hash function. This signature is verified by the recipient, to
ensure that the message really was from the purported sender.
The recipient computes her own message digest of the message
after decrypting the message. The recipient then decrypts the
encrypted message digest using the sender's public key and
checks it against the recomputed digest. If the two match, the
message must have been encrypted by the sender, since only the
sender knows his private component.

The results of these computations--the encrypted message key,
the encrypted message, the signature (encrypted hash value), and
various pieces of control information--are formatted into lines
of ASCII text suitable for inclusion into an electronic mail
message.

About RIPEM
Platforms Supported

RIPEM runs on MS-DOS, Macintosh, OS/2, Windows NT, and a variety
of Unix systems, including NeXTStep, SunOS, Sun Solaris 2.1, DEC
ULTRIX, IBM AIX, HP/UX, SGI Irix, MIPS RISC/os, Motorola System
V/88, Apollo, SCO Unix, Jolitz's 386BSD, Linux, ESIX, and
others. Ports to other platforms are anticipated. Some ports
of RIPEM do not have all the functionality of the Unix version;
in particular, some versions do not implement direct network
access to the RIPEM key server.

Licensing

The source code to RIPEM itself is in the public domain.
However, because RIPEM was developed using RSA Data Security's
RSAREF toolkit, use of RIPEM requires an RSAREF license. A copy
of this license is included in RIPEM distributions, and users of
RIPEM should read this license before running the program. The
author of RIPEM believes that the current RSAREF license allows
free personal use of RIPEM by citizens of the United States and
Canada. Commercial use is forbidden. However, this personal
interpretation has no legal standing, and RIPEM users are urged
to read the RSAREF license agreement themselves. Note: persons
wishing to redistribute RIPEM should consider relevent US
government export restrictions.

How to Obtain RIPEM

RIPEM is distributed via anonymous FTP from rsa.com. RIPEM's
home base, on which the most recent version can always be found,
is the site ripem.msu.edu. RIPEM is distributed via non-
anonymous FTP from this site. To comply with export
restrictions, cryptology-related files on this server cannot be
obtained via anonymous FTP. To apply for FTP access to
ripem.msu.edu, send an email message to ripem@ripem.msu.edu.
State your citizenship (must be USA or Canadian) and your
willingness to comply with relevant export laws and software
licenses. Also state the "canonical" Internet domain name of
your host, and the country in which your host resides.

If you are not absolutely certain of the primary name of your
host, FTP to ripem.msu.edu under user anonymous. The FTP server
will inform you of your hostname. This is extremely important--
experience distributing RIPEM to date has shown that many users
do not know the canonical Internet hostname of their computer.

Here's a sample email message you might send:

To: ripem@ripem.msu.edu
Subject: FTP Access to ripem.msu.edu

Please give me access to ripem.msu.edu. I am an American
citizen, and I agree to comply with crypto export laws and
RSAREF license terms. My hostname is hobbit.egr.bigu.edu.
This host is located in the United States.

After you have sent your request, you'll receive a special FTP
username and password by return email. (There may be some
delay, because I need to actually read your message before
creating a username and password.) This username will work only
from the hostname you specified in your message.

Once you have retrieved RIPEM, you are free to redistribute it,
subject to export restrictions and RSAREF license terms. The
complex distribution mechanism described above applies only to
the site ripem.msu.edu, due to local site restrictions.
Caveats

Text files only. RIPEM encrypts only text-based messages;
"binary" messages must be printably encoded (for instance, with
uuencode) before being encrypted.

1023-character lines. The lines of text in plaintext messages
processed by RIPEM must be less than 1024 characters long.
(This restriction is borrowed from Internet RFC's on electronic
mail and privacy-enhanced mail.)

Message size limits. Due to the nature of the RSAREF toolkit,
RIPEM can encipher only messages which can fit entirely into the
central memory of your computer. This is unlikely to be a
problem on most workstations and larger computers, but may be a
problem for some PC users. The vanilla MS-DOS version of RIPEM
restricts messages to less than 48,000 characters.

Simple "filter" only. RIPEM acts only as a "filter": it simply
reads an input source and produces output. RIPEM is not capable
of formatting or delivering electronic mail messages. In fact,
although RIPEM has some features to facilitate its use with
electronic mail, it need not be used in conjunction with
electronic mail at all. For use with electronic mail, RIPEM
requires an external mail program; for instance, the Unix mail
program.

No guarantees. As RIPEM is free software, it should not be
surprising that it comes with no guarantees of any type.
Credits

RIPEM was written primarily by Mark Riordan, but nearly all of
the cryptographic technology comes from the RSAREF toolkit by
RSA Data Security, Inc. Much-appreciated contributions were
made by Mark Henderson, Richard Outerbridge, Greg Onufer, Marc
VanHeyningen, Mark Windsor, and others. The Macintosh version
of RIPEM was written by Ray Lau.

Using RIPEM
Usage Overview

Using RIPEM generally requires the following steps: generating
a keypair, communicating the public component of your key to
correspondents, encrypting messages, and decrypting messages.

RIPEM has a bewildering array of command line options. However,
most of them are not needed for ordinary use. Also, RIPEM looks
at certain environment variables to determine what to do in the
absence of certain command line options. Environment variables
are named entities attached to your session which have values
which you can set, either interactively or, more commonly,
automatically at login time. For instance, a Unix user running
the C Shell might include a line like

setenv RIPEM_SERVER_NAME ripem.msu.edu

in his/her .cshrc file, while an MS-DOS user would accomplish
the same thing by including

set RIPEM_SERVER_NAME=ripem.msu.edu

in the AUTOEXEC.BAT file.

For discussion of individual environment variables, see the
sections below and the RIPEM man pages. However, there is one
environment variable of general interest: the variable
RIPEM_ARGS can be given the value of options using exactly the
same syntax as used in command line parameters. Conflicts
between parameters specified both in RIPEM_ARGS and on the
command line are resolved in favor of the command line.

Here is a quick, simplified run-through of sample RIPEM usage:

To generate a keypair, placing the public component in mypublic
and the private component in mysecret:

ripem -g -P mypublic -S mysecret -R eks

Assume at this point that you have collected a number of
correspondents' public components in the file bigpubkeyfile by
concatenating a number of individual -P files.

To encrypt a message to recipient@bighost.edu, whose public key
can be found in bigpubkeyfile, assuming my private component is
in mysecret, the input message is in mymessage, and the
encrypted output is to be placed in cipher.out:

ripem -e -r recipient@bighost.edu -p bigpubkeyfile -s
mysecret
-i mymessage -o cipher.out

To decrypt a message to you, reading from the file cipher.out
and placing the decrypted message in the file plain.out, given
my private component is in the file mysecret:

ripem -d -s mysecret -i cipher.out -o plain.out

Generating a Keypair

Before you can use RIPEM, you must generate your own keypair.
To do this, you must run RIPEM with the -g (for generate)
option, and specify sources of pseudo-random information that
RIPEM can use to create a unique keypair for you. RIPEM can
obtain pseudo-random information from the running system, from
characters you type at the keyboard, from a file, and from the
command line. The first two options are generally the most
useful.

You must also specify two special output files: one for the
public component of the keypair and one for the private
component.

Because keypairs are typically left unchanged for long periods
of time--a year or more--it is very important that the private
component of your keypair be kept secret. For this reason,
RIPEM stores private key components only in encrypted form.
(The key is encrypted using DES in CBC mode, with a pseudo-
random "salt" added to the key.) When generating a keypair,
RIPEM asks you for a key to be used to encrypt the private key
component. This secondary key will be needed whenever you use
RIPEM subsequently. It is critical that this key-to-a-key be
chosen carefully, and that you remember it. If you forget the
key to your private key component, your public key is worthless
and unusable. The key to your private key can be up to 255
characters long. (This length limitation is an arbitrary
implementation detail; RIPEM takes a hash function of the
password you type before actually using it to encrypt the
private component.)

A typical invocation of RIPEM to generate a keypair is:

ripem -g -u fred@snark.edu -P mypublickey -S mysecretkey -R
eks

This call requests RIPEM to generate a keypair (-g). It
identifies you (-u) as fred@snark.edu; this information is
placed in the output files. The public component (-P) is placed
in the file mypublickey. The private (or secret) component (-S)
is placed in the file mysecretkey. RIPEM will prompt you
(twice) for an encryption password before writing to this file.
The -R eks option means that to obtain a pseudo-random data for
key generation, RIPEM will use the entire command line, will
prompt you at the keyboard for a pseudo-random string, and will
also query the system for pseudo-random information before
generating the keypair.

RIPEM identifies your key by your electronic mail address, which
is specified by the -u option. If you omit the -u option,
RIPEM will attempt to determine your email address by taking the
value of the environment variable RIPEM_USER_NAME or, if that is
not present, by querying the running system. It is best to
identify your key in a form that others will be able to use as
an email address. For instance, in the above example,
fred@snark.edu is a better key identifier than just fred,
because it is more readily used by correspondents on other
hosts. If your host is known on the network by several
different names, or if you ordinarily use several different
computers interchangeably, it may be safer to explicitly specify
your email address to RIPEM, rather than have it to figure out
the address from the running system.

By default, RIPEM generates keypairs roughly 516 bits in size.
The author of RIPEM believes that this size is more than
adequate for most purposes. However, the -b parameter is
available for users who wish to generate larger keys. Specify -
b bitsize to generate a key of size bitsize bits; bitsize must
be between 512 and 1024, inclusive. Large keys are slower to
generate as well as to subsequently use for encryption.

Generating a keypair is much slower than encryption or
decryption. On a 386 PC-class computer, be prepared to wait
several minutes for the key generation to complete.

Note that the first several bytes of all RIPEM keys are the
same. This is due to RIPEM's use of OSI Distinguished Encoding
Rules and associated key identifying strings to encode keys. It
does not mean that the public keys generated are numerically
similar.
Managing Keys

Once you have generated a keypair, you must publicize the public
component so that others can use it to send messages to you.
Also, you must obtain access to the keys of other users. Key
distribution can be by:

* Internet key server (requires Internet access for key lookup,
but not for publication)
* The finger protocol (requires Internet access for key lookup
and publication)
* Flat files (can be used with little or no network access)

You can choose the techniques that RIPEM uses to find a key by
setting the -Y command line option. The -Y option takes an
argument which is a string of one or more of the characters s,
g, and f, which stand for Server, finGer, and File. For each
correspondent, when necessary RIPEM will attempt to learn the
correspondent's public key by consulting these sources in the
order specified until the key is obtained.

The default value of the -Y option is "sf", which means that
RIPEM first attempts to look up a public key via an Internet key
server. If it is unsuccessful, it attempts to look up the key
in a flat file. Read the discussion below for details on other
related command line options.

Key Distribution via the RIPEM Internet Key Server

Key Server Description and Limitations

If you have Internet access, you can communicate your key to
others by registering the key on an Internet RIPEM key server.
Currently, there is an "experimental" RIPEM key server running
on the host ripem.msu.edu. This host is experimental in that it
is an unofficial service which may have to be terminated with
little or no advance notice.

This RIPEM key server acts as a central repository for public
keys, saving users the effort of distributing their keys
individually to all potential correspondents. This key server
is not an especially secure mechanism. The level of security
present in the key protocols is much less than that provided,
for instance, by the Privacy Enhanced Mail certificate mechanism
specified in the Internet PEM RFC's. The authenticity of keys
maintained on the server is not guaranteed. The RIPEM key
server is simply a means for RIPEM users to conveniently
exchange keys.

Registering a Key via the Key Server

To allow the maximum number of users to publicize their keys via
this mechanism, the RIPEM key server accepts key registration
requests by electronic mail. Although the RIPEM key server
itself is connected only to the Internet, users of non-Internet
networks such as CompuServe, BITNET, and so on can register
their keys by sending their key registration requests via an
appropriate network gateway.

To register your key, send the public component (the output file
from the -P option) to the email address

ripem-register-keys@ripem.msu.edu

On a Unix system, for instance, you can register your key by a
command like:

mail ripem-register-keys@ripem.msu.edu <mypublickey

The key server will register your public key in its database and
will send you a confirming message. The key is identified by
the email address specified during the generation of the key,
but the confirming message is sent to the address from which the
key file was sent.

If you read electronic mail on several different hosts but wish
to use the same public key on all of them, you can register the
key under multiple names. You can do this by editing the key
file before sending it to the server, and adding additional
User: lines. (See the separate document on file formats.) Or,
you can register the key under different names via separate
email messages.

To subsequently delete your key from the server, encrypt a
message starting with the string

RemoveKey

with the -m mic-only command line option and send the encrypted
message to the address:

ripem-remove-keys@ripem.msu.edu

The message must have been encrypted by the owner of the key
being removed.

To change your key on the server, generate a new keypair and
encrypt the public component (the file from RIPEM's -P option)
with the -m mic-only command line option. Send the result to
the address:

ripem-change-keys@ripem.msu.edu

The message must have been encrypted by the owner of the key
being changed.

Obtaining Keys from the Key Server: Live Access

Real-time "live" queries to the RIPEM key server are made
directly by RIPEM using the UDP IP network protocol. "Live"
queries are possible if your computer is connected to the
Internet, your copy of RIPEM has been compiled for network
access, and your computer is running the right network software.
This is often true of Unix computers but is generally not true
of other computers. At this writing, for instance, the MS-DOS
version of RIPEM supports only the PC/TCP network software from
FTP Software, Inc.

In order to access the key server, RIPEM needs to know its
Internet address. You can tell RIPEM the address of the server
in two ways: you can set the environment variable
RIPEM_SERVER_NAME to the name of the server, or you can specify
the server name with the -y command line option. In either
case, you can specify more than one server name, separating the
server names with commas (and no blank spaces). If you specify
a list of server names in this way, when querying servers RIPEM
will query the servers in the order listed until it obtains the
desired public key, or exhausts the list.

Obtaining Keys from the Key Server: Email-Only Access

For users for whom live UDP network access to the RIPEM key
server is not possible or not feasible, electronic mail access
to the key server has been implemented. To obtain a copy of the
complete database of registered RIPEM keys via email, send a
message to the address:

ripem-get-keys@ripem.msu.edu

The subject and content of the message are ignored by the
server, and hence can be left blank.

The return email message will contain a flat file of public
keys, readable directly by RIPEM. This same file can be gotten
by anonymous FTP to the host ripem.msu.edu. This file can be
used as described below in the section discussing flat files.

Key Distribution via the Internet Finger Program

Another means of distributing keys over the Internet is via the
finger mechanism. Finger is a simple protocol which allows a
user to publish personal information that can be accessed across
a TCP/IP network. For the most part, only Unix users can
publish their keys using this mechanism. The advantage of
finger over a RIPEM key server is that it relies only upon the
correct operation of the sender's and receiver's computers, and
upon the link between them. If the RIPEM key server is
unavailable due to hardware, networking, or human errors, finger
will be a more reliable choice. In general, though, key lookup
using finger is slower than the RIPEM key server.

To set up your Unix account to give out your public key, include
your public component in a file named .plan, located in your
home directory. Your computer must be set up to run the fingerd
finger daemon, which is normally the case on most Unix
computers. Your computer must be up and running on the network
for a correspondent to be able to access your key via the finger
mechanism.

In no case do you need the finger program itself; RIPEM contains
its own implementation of the finger protocol sufficient for the
purpose of looking up keys. Hence, in some cases you can use
the finger mechanism to look up someone else's key even if you
are unable to publish your own key via finger due to the lack of
a fingerd server program on your computer. For instance, an MS-
DOS version of RIPEM is available that can look up keys via
finger on PC's running the PC/TCP network implementation from
FTP Software, Inc.

Aside from the -Y g command line option, there are no RIPEM
command line options specific to the use of the finger
mechanism.

Key Distribution via Flat Files

The key files generated by the -g option are ordinary text files
formatted in such a way that a database of public keys can be
created simply concatenating a collection of separate public key
files. RIPEM is capable of scanning such flat files. It looks
up a user's key based upon email address, so there is no
ambiguity even if a flat file of keys contains keys for a large
number of individuals from different sites.

The best way of obtaining a flat file containing keys is from
the RIPEM key server, via email or FTP as described above.

When RIPEM uses a flat key for public key lookup, it determines
the file's name in one of three ways:

* By using the value of the -p (for public key component)
command line argument. If you specify -p mypubfile on the
RIPEM command line, RIPEM will use mypubfile as the flat file
of public keys.
* In the absence of -p, by using the value of the
RIPEM_PUBLIC_KEY_FILE environment variable.
* If neither of the above is specified, by using a default file
name. On Unix systems, this file name is the fixed name
/usr/local/etc/rpubkeys. On MS-DOS systems, it is the name
\RIPEMPUB.

It is possible to specify multiple public key files by
specifying the -p option more than once. This allows you, for
instance, to specify a common key file shared by a group of
people, plus a separate key file for your personal
correspondents.

Automatic Key Distribution via RIPEM Headers

One final way of distributing your public key component is
automatic: RIPEM includes your public key in the PEM headers
inside every message you encrypt. RIPEM takes advantage of this
fact when deciphering, as follows:

When you are deciphering a message, RIPEM needs to find the
sender's public component in order to verify the signature on
the message. If RIPEM cannot find the public key of the sender
via the mechanisms described above, it resorts to looking in the
PEM headers that immediately precede the ciphertext in any
RIPEM-enciphered message. If RIPEM finds the sender's public
component in the header, it will use this key in attempting to
verify the signature. It will also issue a warning message,
since if the message is fake, the key inside the message is
probably fake as well.

If RIPEM does not find the sender's key, it exits with an error
message.

If the -P option has been specified, RIPEM, under these
conditions, will append the sender's public key to the file
specified by -P. You should be cautious about trusting keys
obtained in this manner.

Managing Private Key Components

Unlike public key components, private key components are stored
in flat files only. Typically, a given user will have only one
RIPEM key, and its private component will be kept by itself in
the file originally specified by the -S option during key
generation.

During encryption and decryption, RIPEM will need to consult
this file to determine your private key component. RIPEM
determines the file's name in one of three ways:

* By using the value of the -s (for secret key component)
command line argument. If you specify -s myprivatekey on the
RIPEM command line, RIPEM will use myprivatekey as the flat
file of private keys.
* In the absence of -s, by using the value of the
RIPEM_PRIVATE_KEYFILE environment variable.
* If neither of the above is specified, by using a default file
name. On Unix systems, this file name is the fixed name
.ripemprv in your home directory. On MS-DOS systems, it is
the name \RIPEMPRV.

Because the private key component file generated by ripem -g
identifies your key by your email address, it is possible to
create a database of private keys by concatenating the -S files
created by RIPEM. RIPEM uses only the private component that
corresponds to your currently-specified email address. This may
be useful if, for some reason, you wish to maintain multiple
public keys, identified by different email aliases. Also,
because the private key components are encrypted, it is possible
to maintain a publicly accessible file of private key components
without great loss of security. However, it is generally best
for each user to have exactly one public key, and for its
private component to be kept in its own file, reasonably secured
against access by others.

Changing the Key to Your Private Key

You can change the key to your private component by using the -c
option. This tells RIPEM to read your current private key file,
decrypt it with your current key, prompt you for a new key,
reencrypt your private component with the new key-to-the-key,
and write out a new private component file. The old private key
file specified as described above. The modified private key
file to be created is specified via the -S option. Thus, the
sequence:

$ ripem -c -s mysecret -S newsecret
Enter password to private key:
Enter new password to private key:
Enter again to verify:

reads the encrypted private key from mysecret and creates a new
file, newsecret, with the same private component encrypted with
a new key.

Note that the -c option changes neither the private component
nor the public component of your public key. If you believe
that the key to your private component has been compromised, it
is probably better to change your public key (by creating a new
one) than to simply change the key to your private key.
Encrypting a Message

The -e option specifies that RIPEM is encrypting a message.

In encryption mode, RIPEM understands the -u, -p, -s, -y, -Y,
and -R options described above. The following options are also
important:

Specifying Input and Output Files (-i and -o)

By default, RIPEM reads its input from standard input, and
writes its output on standard output. If standard input and
output are files, this is written as <infile and >outfile on
most systems. Alternatively, an input file can be specified via
the -i option, and an output file via the -o option:
-i infile -o outfile.

Specifying Recipients and Processing Mail Headers (-r and -h)

The recipient(s) of a message can be specified in two ways: on
the command line, or via message headers in the input plaintext.

To specify recipients explicitly on the command line, use the -r
option: -r recipient_addr. Recipient_addr must be the
recipient's email address, in a form which RIPEM can use to look
up the recipient's public key. For instance, suppose your
recipient has valid email addresses bob@egr.biguniv.edu and
bob@biguniv.BITNET. If Bob has registered his RIPEM public key
only as bob@egr.biguniv.edu, then the address bob@biguniv.BITNET
will not be adequate for RIPEM's purposes, even if it is a valid
email address.

The -r option can be used multiple times for multiple
recipients.

If the message plaintext has been prepared by a mail program, it
may already contain mail headers which state the recipients'
email addresses in "To:" and "cc:" lines. To take advantage of
this situation, you can use the -h option. The -h option tells
RIPEM how to handle plaintext input that contains mail headers.
"Mail headers" are defined to be all the lines at the beginning
of a message, up to the first blank line.

The syntax is: -h header_opts, where header_opts is one or more
of the letters i, p, and r. i tells RIPEM to include the
headers as part of the message to be encrypted. p tells RIPEM
to prepend the headers to the encrypted output. r tells RIPEM
to examine the message headers, looking for "To:" and "cc:"
lines. Any recipients named on those lines are included as
recipients to RIPEM's encryption.

The default is "-h i", which causes message headers to be
included in the plaintext being encrypted, but no other header
processing is done. This is equivalent to treating the message
as if it does not contain mail headers at all.

A useful combination is "-h pr", which extracts recipients'
names from the mail headers at the beginning of the input,
copies the mail headers unmodified and unencrypted to the
beginning of the output, and then discards the headers before
encrypting the rest of the message. This combination is
suitable for instances in RIPEM is being used to encrypt a
message after it has been prepared by a mail program but before
it has been sent.
Decrypting a Message

The -d option specifies that RIPEM is decrypting a message.

During decryption, RIPEM looks at the values of the -i, -o, -u,
-p, -s, -P, -y, and -Y options discussed above.

If RIPEM cannot decrypt the input message, or if the input
message fails the signature check, RIPEM will generate no output
in the -o file or on standard output. Instead, it will issue an
error message on the standard error device, which is usually
your terminal. In addition, RIPEM returns a value of zero to
the operating system if the message decrypts properly, and it
returns a non-zero value if there are problems. This is typical
behavior for programs under Unix and MS-DOS and allows you to
write command scripts which check to see whether decryption
proceeded properly.

If RIPEM does decrypt the message properly, it will write the
decrypted plaintext to the -o file or to standard output. The
output contains only the original plaintext (subject to any
modifications performed by the -h option used by the sender of
the message). It does not include any mail headers or other
superfluous text added to the encrypted message--for instance,
by a mail system--after the encryption.
Advanced Usage

Specifying Encryption Algorithm (-A)

By default, RIPEM encrypts messages using DES in Cipher Block
Chaining (CBC) mode. This is the data encryption algorithm and
mode used by Internet PEM-conformant software.

Although DES has proven quite resistant to theoretical attacks
of cryptanalysts for 16 years, many cryptologists have expressed
concern over DES's relatively small keyspace, which leaves it
potentially vulnerable to brute-force attack by a well-funded
opponent. (DES keys are 56 bits long.) One obvious solution to
the keyspace problem is to use multiple passes of DES.

A few years ago, IBM suggested a particular multi-pass usage of
DES called Encrypt-Decrypt-Encrypt (EDE). In EDE usage
(sometimes called Triple-DES), each 64-bit block is encrypted
with a 56-bit key we'll call key1. The result of that
encryption is decrypted with a second 56-bit key called key2.
Finally, the 64-bit result of that decryption is encrypted with
key1. This use of DES results in a dramatic increase of
keyspace from 2^56 keys to 2^112 keys.

RIPEM implements this use of DES, with Cipher Block Chaining
applied after each triple encryption, and refers to it as DES-
EDE-CBC. When encrypting, specify -A des-ede-cbc to select this
mode. When decrypting, RIPEM automatically detects the
encryption algorithm used and decrypts appropriately.

DES-EDE has not been widely adopted by the cryptographic
community. In particular, DES-EDE encryption is not conformant
with Internet PEM as of this writing. Therefore, use the
default mode (which can also be explicitly requested via -A des-
cbc) for all but your most critical messages. In addition,
consider that there is some performance degradation associated
with Triple-DES.

Specifying Debug Mode (-D and -Z)

Users experiencing problems with RIPEM, or simply wishing to
examine the inner workings of the program, can use the -D option
to cause RIPEM to print informative messages while it executes.
Debugging options were originally implemented in RIPEM for
development purposes, but have been left in place for the
benefit of curious users. Specify -D debuglevel to turn on
debug messages. Debuglevel is an integer specifying the amount
of debug output desired. 0 specifies no debug output, while 4
is the maximum value currently implemented.

Debug messages are normally written to the standard error
output, which is usually your terminal screen. To write debug
messages to a file, use the -Z debugfile option.

Specifying Encryption Mode (-m)

By default, in encryption (-e) mode RIPEM encrypts a message,
encodes it to printable ASCII characters, and signs the message.
This processing corresponds to the -m encrypted command line
option. With non-default values for the -m option, RIPEM can
perform other types of processing in -e mode.

-m mic-clear specifies that the message is signed, but not
encrypted. The body of the message is left in plaintext, so
that the recipient can read it without decryption software of
any sort. If the recipient wishes to verify the signature,
however, he/she will have to use RIPEM in -d mode as usual.

-m mic-only also specifies that the message is signed, but not
encrypted. However, the body of the message is printably
encoded into ASCII characters as per RFC 1113. This encoding
expands the size of the message by about 33% and adds no
security; it simply helps guarantee that the message will
survive hostile mail software verbatim. In practice, mic-only
mode is infrequently used.

Specifying Your Username (Email Address) (-u)

As described above, you can specify your username (or more
correctly, your email address) via the -u option or via the
environment variable RIPEM_USER_NAME. The default is for RIPEM
to attempt to determine your email address from the running
system.

RIPEM makes use of this information in all three modes: key
generation, encryption, and decryption. If you have a number of
email addresses that you wish to be regarded as equivalent, you
can specify your username as a list of comma-separated email
addresses. During key generation and encryption, RIPEM will use
the first name in the list as your username. During decryption,
RIPEM will search your private key file for your private
component under each one of the comma-separated names until it
succeeds in finding a matching key in the file.

These features make it easier to use RIPEM if you have mail
forwarded to a primary mail account from a number of other email
addresses. To make use of the multiple username capability, you
must edit your private key file to include multiple User: lines.

Specifying the Key to Your Private Component (-k)

By default, RIPEM prompts you interactively when it needs to
know the key to the private component of your public key.
However, with some loss in security, it is possible to inform
RIPEM of this key by other means. This capability may be useful
for instances when RIPEM is invoked by another program, or for
when you are testing or benchmarking.

You can specify the key to your private key via the -k option;
specify -k keytokey on the command line. As a special case, you
can specify -k -. Specifying - as your password on the command
line causes RIPEM to read the password as the first line from
standard input.

If -k is not specified, RIPEM will check the value of the
environment variable RIPEM_KEY_TO_PRIVATE_KEY. If this variable
exists and has a non-null value, its value will be used as the
key to the private key; otherwise, RIPEM will prompt you on your
terminal for this key.

Specifying the key to your private key via -k or via the
environment variable is generally less secure than typing it
interactively. Although RIPEM erases its command line arguments
shortly after startup, there is a brief window of time during
which other users on a Unix system could view your command line
arguments by using the ps command. Likewise, other users could
determine the value of your RIPEM_KEY_TO_PRIVATE_KEY variable by
various means, especially if they had physical access to your
terminal. Therefore, these options should be used with caution,
if at all.
Using UNIX Mail Programs and Utilities

This section suggests techniques for using RIPEM in conjunction
with popular Unix mail programs. Use of the C-Shell is assumed.

It is possible, of course, to compose a message in a text
editor, save the message to a file, run RIPEM to encrypt the
message, start your mailer, insert the encrypted file into a
message, and then send the message. In fact, the encryption and
mailing can be done on separate systems, with appropriate file
transfers. However, on most Unix systems it is possible to
eliminate several of these tedious steps.

Setting Up Your Environment

It is recommended that Internet-connected Unix users include the
following in their .cshrc file:

setenv RIPEM_SERVER_NAME ripem.msu.edu
setenv RIPEM_PRIVATE_KEY_FILE ~/.ripemprv
setenv RIPEM_PUBLIC_KEY_FILE ~/ripempub
setenv RIPEM_USER_NAME (Your email address; e.g.,
smith@bigu.edu)

Create a shell script to encrypt RIPEM messages. Place the
following lines in a file named ripem-encrypt, put this file in
a directory mentioned in your path, and give it execute
permission. (This file is available in the RIPEM distribution,
in the util directory.)

#!/bin/sh
tempfile=/tmp/msg-`whoami`
ripem -e -h pr -i $1 -o $tempfile
cp $tempfile $1
rm $tempfile

Create a shell script to decrypt RIPEM messages. As above,
place these lines in the file ripemd:

ripem -d | more

Create a shell script to help reply to encrypted RIPEM messages.
Place this in ripemr:

ripem -d -h pr | quote -h

Include the following lines in the file .mailrc in your home
directory. (A sample .mailrc can be found in the RIPEM
distribution, in the util directory.)

set editheaders
set EDITOR=ripem-encrypt

Creating a RIPEM Public Key

The initial generation of keys can procede something like this:

cd ~
ripem -g -S .ripemprv -P ripempub -R eks

Type random garbage at the keyboard when prompted.

Type in a secret password when prompted for the password to your
private key. Type it again when prompted for verification.

Now register the key:

mail ripem-register-keys@ripem.msu.edu <ripempub


Encrypting an Email Message Using "mail"

If you are using the "mail" package that comes with many Unix
systems, you can use the following procedure to compose,
encrypt, and send a message. In this example, your input is in
bold.

$ mail smith@bigu.edu
Subject: Greetings
This is a test message
~e
Enter password to private key: (Type your password here.)
(Type Control-D)
$

The ~e command to mail was originally designed to edit the
message being composed. Nowadays, however, it is rarely used
(in favor of the ~v visual edit command). The tricks described
above effectively turn ~e into an "encrypt" command on SunOS and
some other Unix systems. On some Unix systems, however, the
mail command does not interpret the editheaders option. On
those systems, you need to use a different approach, which
requires you to type the recipient's address twice:

$ mail smith@bigu.edu
Subject: Greetings
This is a test message
~| ripem -e -r smith@bigu.edu
Enter password to private key: (Type your password here.)
(continue)
(Type Control-D)
$

Decrypting an Email Message Using "mail"

$ mail
Mail version ......
"/usr/spool/mail/jones": 1 message 1 new
>N 1 smith@bigu.edu Wed Sep 30 22:38 29/1119
Greetings
& pipe ripemd
Pipe to: "ripemd"
Enter password to private key: (Type your password here.)
(The plaintext message is displayed.)
"ripemd" 29/1119
& q
$

Encrypting an Email Message Using "Mush"

Mush is a mail package that is compatible with mail, but
provides additional capabilities. The procedure described above
for encrypting messages with mail also works with mush.

Decrypting an Email Message Using "Mush"

The procedures described for mail also work with mush. However,
mush's greater power allows you to configure it to be easier to
use than mail, especialy in curses mode. Configure mush by
creating a file named .mushrc in your home directory and placing
the following lines in it:

set edit_hdrs
set editor=/home/scss3/mrr/bin/ripem-encrypt
set visual=/usr/ucb/vi
bind-macro D :pipe ripemd\n
bind-macro R r~f\n~\|ripemr\n~v\n

To decrypt and display a message in curses mode, simply type the
letter D while the cursor is positioned on the corresponding
message index line:

56 U Mark Riordan <mrr@cl-next Nov 3, (13/460) "test"
(press D)
:pipe ripemd (This is generated automatically by the mush
macro.)
Enter password to private key: (Type the password.)
(The plaintext is displayed.)
56 Mark Riordan <mrr@cl-next Nov 3, (13/460) "test"
mrr 56: ...continue...

To reply to an encrypted message, type R while the cursor is
positioned on the corresponding message line. The R macro
decrypts the message, quotes the text of the message with the
traditional "> " line prefix, and enters a visual editor. For
this procedure to work, you must have compiled the quote
program--located in the ripem/util directory--and installed it
in a directory on your path.

56 U Mark Riordan <mrr@cl-next Nov 3, (13/460) "test"
(press R)
To: mrr@museum.cl.msu.edu
Subject: Re: test 5

~f
Including message 56 ... (30 lines)
(continue editing letter)
~|ripemr (All of this is generated automatically by the
macro.)
Enter password to private key: (Type the password, to
decrypt the message.)
(Mush calls up a visual editor on a quoted copy of the
plaintext of the message to you. Compose your reply and exit
the editor. To exit vi, for instance, type ZZ.)
(continue editing letter)
~e (Type this to encrypt your reply)
Enter password to private key: (Type the password, to
encrypt your reply.)
(continue editing letter)
(Type control-D to finish the outgoing letter and have mush
send it.)

Using RIPEM with ELM's MIME Features

The popular Unix mailer Elm has recently been extended to
provide MIME (Multipurpose Internet Mail Extension)
capabilities. (MIME is not particular to Elm, and MIME support
is or will soon be available in other mailers as well.) RIPEM
can be used with Elm's MIME support, though somewhat awkwardly.
Below are preliminary instructions for interfacing RIPEM with
Elm.

Edit your local or system mailcap file to add the following
lines:

# This entry is for reading a mail message encoded by RIPEM
application/ripem; ripem -d ; copiousoutput

This is necessary only on the receiving end.

On the sending end:

* Compose the message and encode it, saving the result in a
temporary file, say, mymsg.

* Start the mail message in Elm and include the temporary file
as a MIME message with a line of the form:
[include mymsg application/ripem]

* Send the message.

Upon receipt, Elm will recognize it as a MIME message and start
RIPEM to decode it. If the receiving mailer does not understand
MIME, the usual methods of decrypting RIPEM messages can be
used.

Using RIPEM with the MH Mailer

The RIPEM source distribution contains two Perl scripts that
facilitate reading and sending encrypted messages with RIPEM.
display-ripem decrypts and displays RIPEM messages; send-ripem
encrypts and sends messages. These utilities, written by Marc
VanHeyningen, can be found in the ripem/util directory. See the
source code for documentation.

Using RIPEM with EMACS

Jeff Thompson has written functions for the powerful EMACS
editor to facilitate use of RIPEM. These functions are in the
file ripem/util/ripem.el in the RIPEM source distribution. To
enable the use of these functions, edit your ~/.emacs file and
add to it a line like:

(load "/home/local/ripem/util/emacs/ripem.el")

(Modify the file name in quotes to be the correct path to the
ripem.el file.)

To encrypt a message, enter the message, including the To: and
cc: lines, into an EMACS buffer and type:

Esc x ripem-encrypt

To decrypt a message, load it into an EMACS buffer and type:

Esc x ripem-receive

Online help is available by typing:

Ctrl-h f function_name

where function_name is one of: ripem-encrypt, ripem-sign, ripem-
receive, or ripem-list-users.

RIPEM User's Guide Page 17