Cypherpunks Eternity Service Data-haven

How to create your own Eternity web pages

There are three methods of creating web pages. We'll start with the simplest one and work upwards.

Requirements

You'll need a copy of PGP and an implementation of SHA1, plus the ability to post to newsgroups. If you want to publish anonymously, you'll need to be able to post to newsgroups anonymously.

There is an implementation of SHA1 in the eternity server software distribution, or here is the code standalone as a tgz file (tarred and gnu zipped) [sha1.tgz] or as a zip file [sha1.zip]. You can also use a slower perl5 version [sha1.pl]. (Would a Win95/NT user like to compile SHA1 for 95/NT, sign and mail me the patches/binary for SHA1?)

Eternity Document Options

There are currently four types of options which you can set to control the way that your eternity document is cached and listed in directory listings. The options are described in this section. You will use these options when you submit your document. You must give a URL option for your document, but the other options (Cache, Options and Description) are all optional.

URL

You must give your choice of URL for your eternity document. It should be of the form: http://*eternity* where * stands for any printable character. An example might be:

URL: http://censored.eternity/

Cache

The Cache flag is optional; if you leave it out, the server will decide for itself how to cache the document. (The default behaviour will vary between eternity servers; the server default is configurable by the server operator.)

If you do choose to set the Cache option, the possible values are:

Cache: yes
Cache: encrypted
Cache: no

The purpose of the Cache setting is to allow you as publisher of the document to describe your preferences about how careful you would like the server to be in not keeping copies of your document around. You can choose to allow the server to keep copies to speed up accesses, or if you are more paranoid you can make sure the server doesn't keep copies itself. The most paranoid setting is no. The least paranoid is yes.

If you set the setting to yes, your document will be cached, which will mean that your document will be available more quickly, and will rely less on you reposting the document to ensure it is available in USENET. However, if the eternity server is raided, your document will be sitting on its disk.

If you set the setting to no, your document will not be cached, which will mean that the document will always have to be read from the eternity server's news spool. If the eternity server is raided, its cache directory will be empty.

The encrypted setting is somewhere between the other two settings in security. Documents are cached, but they are encrypted in the cache. The level of protection this offers the eternity server depends on how well known the URL is. If the URL is openly published, this option only adds security by obscurity over a setting of yes.

Options

The Options option allows you to choose whether your document is exdirectory or not.

The default if you leave this option out is directory.

Making a document exdirectory means that people will not know your document is available at the eternity server unless you tell people about the URL, or you link to it from another eternity document or ordinary web document (or unless they guess it, or the eternity server operator observes you accessing that URL).

Another use for exdirectory documents is for inline images, or a series of pages linked to from a home page. You probably only want a directory listing for the home page.

For normal, single-document submissions you could add the following line, or equivalently leave the option out:

Options: directory

Description

If you requested that your document be listed in the eternity URL directory, you can optionally give a short (60 character) string describing what it is about.

An example might be:

Description: Freds censored books

The Description option is optional, so you can omit it if you think your URL is obvious enough without further explanation.
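As an added illustration (not part of the eternity server software), the following Python sketch checks the option lines of a submission against the rules in this section. Reading http://*eternity* as "http://" followed by printable characters that contain the word eternity, the spelling of the exdirectory value, and the name parse_options are assumptions.

```python
import string

# Assumption: "http://*eternity*" is read as "http://", then printable
# characters with the word "eternity" somewhere among them.
PRINTABLE = set(string.printable) - set(string.whitespace)
CACHE_VALUES = {"yes", "encrypted", "no"}
# Assumption: the non-default Options value is spelled "exdirectory".
OPTIONS_VALUES = {"directory", "exdirectory"}
KNOWN = {"URL", "Cache", "Options", "Description"}

def parse_options(text):
    """Return (options, errors) for the option lines above the PGP armor."""
    options, errors = {}, []
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            break                          # options end where the armor starts
        if not line.strip():
            continue
        name, sep, value = line.partition(":")   # split at the first colon only
        if not sep or name.strip() not in KNOWN:
            errors.append("unrecognised line: %r" % line)
            continue
        options[name.strip()] = value.strip()

    url = options.get("URL")
    if url is None:
        errors.append("URL is required")
    elif not (url.startswith("http://") and "eternity" in url[7:]
              and set(url) <= PRINTABLE):
        errors.append("URL must have the form http://*eternity*")
    if "Cache" in options and options["Cache"] not in CACHE_VALUES:
        errors.append("Cache must be yes, encrypted or no")
    listing = options.setdefault("Options", "directory")   # the page's default
    if listing not in OPTIONS_VALUES:
        errors.append("Options must be directory or exdirectory")
    if len(options.get("Description", "")) > 60:
        errors.append("Description is longer than 60 characters")
    return options, errors

# Constructed sample, following the page's own example.
SAMPLE = """URL: http://censored.eternity/
Description: Freds censored books
Cache: yes

-----BEGIN PGP MESSAGE-----
...
-----END PGP MESSAGE-----
"""
print(parse_options(SAMPLE))
```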

Unsigned documents

The simplest type of eternity document to submit is an unsigned document. (Signed eternity documents are signed with a PGP key, which lets the server allow only the author to update the document.) The danger with unsigned documents is that other people can "update" your page for you, which will be a nuisance as you'll then have to update it again to get it back. The solution is to use PGP signatures. (A later version of the eternity server software might prevent other people updating unsigned documents, by disabling the updating of unsigned documents altogether.)

To create an unsigned eternity document:

  1. Ascii armor your document (your document might be an html file, or it might be an inline image, zip file or other document you wish to put up at an eternity URL).

    To do this, if your document is named "test.html", you would run PGP with the "-a" option, like this:

    pgp -a test.html

    PGP will create a document called "test.asc" which you will need to use in the next step.

  2. Copy "test.asc" and call the new file "test.txt". Edit "test.txt" to add your chosen options (see the section above describing the options available for eternity documents). A typical example would be:

    URL: http://censored.eternity/
    Description: Freds censored books
    Cache: yes

    -----BEGIN PGP MESSAGE-----
    ...
    -----END PGP MESSAGE-----

    Where the lines beginning with ----- and the information between these lines are the output of the previous step, your ascii-armored document.

  3. Next encrypt the document. Use pgp option "-c", which allows you to "conventionally encrypt" the file. Use password "eternity"; the eternity servers know this password. (Everyone else will know this password too, but it does add a small amount of security by inconvenience: the less clueful and less motivated censors won't be interested enough to work out how to read the documents in their news spool.)

    So to encrypt the "test.txt" document you created in the previous step, you do:

    pgp -c -z"eternity" test.txt

    It may ask you if you want to over-write "test.asc" as this file will already exist. Say yes.

  4. The subject field of the article must be the SHA1 hash of your chosen eternity URL. You will need to run the SHA1 program to find out what the SHA1 hash of your document's URL is.

    On unix you would run:

    echo -n http://censored.eternity/ | sha1

    The SHA1 hash of the above URL is: 44ad6b2e9b27fc680e95986ce14de9d4decd8d6a

    The "-n" option to echo ensures that a newline character is not included in the hash.

    I would be interested to hear from a windows person what the easiest way to achieve this under DOS is.

  5. Submit your document to USENET by posting it to the newsgroup alt.anonymous.messages. Set the subject field to be the SHA1 hash you calculated in the previous step. Make the body of your USENET post be the contents of file "test.asc".

Signed documents

Signed documents have the advantage over unsigned documents that they prevent other people modifying your documents. If you want to update your eternity document, the server can verify the digital signature on the updated document and only accept updates signed by you.

Another use for signed documents is to create non-updateable documents. To achieve this you sign your document, and then discard the private key. After this you couldn't update the document if you wanted to. If you are being threatened by censors, being unable to remove the document might be to your advantage.

(A later version of the eternity server software might prevent other people updating unsigned documents, by disabling the updating of unsigned documents altogether.)

To create a signed eternity document:

  1. Generate a pgp key (or use an existing one). You can use this command to create a new pgp key:

    pgp -kg

  2. Extract the PGP key into the file "key.asc" with this command:

    pgp -kxa fred key.asc

    Where "fred" is the user id you chose for your new key.

  3. Sign and ascii armor your document (your document might be an html file, or it might be an inline image, zip file or other document you wish to put up at an eternity URL).

    To do this, if your document is named "test.html", you would run PGP with the "-sa" options, like this:

    pgp -sa test.html -u fred

    Where fred is the user id of the key you wish to sign the document with.

    PGP will create a document called "test.asc" which you will need to use in the next step.

  4. Copy "test.asc" and call the new file "test.txt". Edit "test.txt" to add your chosen options (see the section above describing the options available for eternity documents). A typical example would be:

    URL: http://censored.eternity/
    Description: Freds censored books
    Cache: yes

    -----BEGIN PGP MESSAGE-----
    ...
    -----END PGP MESSAGE-----

    Where the lines beginning with ----- and the information between these lines are the output of the previous step, your ascii-armored document.

  5. Now insert the public key you extracted to file "key.asc" into the document, at the end or wherever (order is not important).

    Then your new document would look like:

    URL: http://censored.eternity/
    Description: Freds censored books
    Cache: yes

    -----BEGIN PGP MESSAGE-----
    ...
    -----END PGP MESSAGE-----

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    ...
    -----END PGP PUBLIC KEY BLOCK-----

  6. Next encrypt the document. Use pgp option "-c", which allows you to "conventionally encrypt" the file. Use password "eternity"; the eternity servers know this password. (Everyone else will know this password too, but it does add a small amount of security by inconvenience: the less clueful and less motivated censors won't be interested enough to work out how to read the documents in their news spool.)

    So to encrypt the "test.txt" document you created in the previous step, you do:

    pgp -c -z"eternity" test.txt

    It may ask you if you want to over-write "test.asc" as this file will already exist. Say yes.

  7. The subject field of the article must be the SHA1 hash of your chosen eternity URL. You will need to run the SHA1 program to find out what the SHA1 hash of your document's URL is.

    On unix you would run:

    echo -n http://censored.eternity/ | sha1

    The SHA1 hash of the above URL is: 44ad6b2e9b27fc680e95986ce14de9d4decd8d6a

    The "-n" option to echo ensures that a newline character is not included in the hash.

    I would be interested to hear from a windows person what the easiest way to achieve this under DOS is.

  8. Submit your document to USENET by posting it to the newsgroup alt.anonymous.messages. Set the subject field to be the SHA1 hash you calculated in the previous step. Make the body of your USENET post be the contents of file "test.asc".

Encrypting with URL related password

Encrypting the submitted document with a password of "eternity" as described above is not that secure. In fact it is pretty much just obfuscation: people won't be able to read the documents unless they read the documentation and go to the trouble of decrypting them.

Another, more secure option is to instead encrypt the document with the SHA1 of the URL with a 1 prefixed. That is, for the example URL of http://censored.eternity/, the password would be:

% echo -n 1http://censored.eternity/ | sha1
08e2bc27d0e5d8058db7f2de9e0a28cb2dd7298c
%

Then you would replace step 6 above with this command:

% pgp -c -z"08e2bc27d0e5d8058db7f2de9e0a28cb2dd7298c" test.txt

This method has the advantage that if someone does not know the URL they won't be able to decrypt the eternity document in the news spool. For paranoid use with this option I guess you should really set the document to exdirectory, otherwise someone could just try all of the listed URLs to see which one it is.

For best security, in fact, you should use only private eternity servers. (Where a private server is one you run on your local machine.)
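The Subject hash from the submission steps and the URL related password above, as an added Python example (not code from the eternity distribution; the function names are hypothetical). It rejects a URL carrying a stray newline, the mistake that "echo -n" guards against, and shows why a directory-listed URL gives the password away.

```python
import hashlib

def sha1_hex(text):
    """Hex SHA1 of the exact bytes of text, as `echo -n text | sha1` prints."""
    return hashlib.sha1(text.encode("ascii")).hexdigest()

def check_url(url):
    # A trailing newline or stray space changes the whole hash, so the
    # article would be posted under a Subject that no server looks up.
    if url != url.strip() or not url.isprintable():
        raise ValueError("URL has stray whitespace or control characters: %r" % url)
    return url

def subject_for(url):
    """Subject line of the USENET post: SHA1 of the URL."""
    return sha1_hex(check_url(url))

def url_passphrase(url):
    """Passphrase for `pgp -c`: SHA1 of the URL with a 1 prefixed."""
    # The Subject is visible to anyone reading the newsgroup; the prefix
    # makes the passphrase a different hash from the one in the Subject.
    return sha1_hex("1" + check_url(url))

def passphrase_recoverable(subject, listed_urls):
    """True if a directory listing contains the URL behind this Subject,
    in which case url_passphrase() of that entry decrypts the article."""
    return any(subject_for(u) == subject for u in listed_urls)

if __name__ == "__main__":
    url = "http://censored.eternity/"          # the page's example URL
    print("Subject:   ", subject_for(url))
    print("Passphrase:", url_passphrase(url))
    # Constructed directory listing: the document is listed, so the
    # URL related password protects nothing here.
    listing = ["http://other.eternity/", url]
    print("Recoverable from listing:",
          passphrase_recoverable(subject_for(url), listing))
```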

Password protecting eternity documents

A separate security option is that you can password encrypt the actual document. Then anyone who wishes to read the document must provide the password to the eternity server.

To password encrypt your eternity document, you would replace step 3 above with the command:

% pgp -sac test.html -u fred -z"password"

Other combinations

You can combine these options in logical ways. For example you could password protect an unsigned document, or submit a document which was encrypted with a password related to the URL, but which wasn't signed.

Comments, html bugs to me (Adam Back) at <adam@cypherspace.org>