math/fgoldi.c: Add support for Hamburg's `Goldilocks' field.
[catacomb] / progs / catcrypt.1
1 .\" -*-nroff-*-
2 .de VS
3 .sp 1
4 .RS
5 .nf
6 .ft B
7 ..
8 .de VE
9 .ft R
10 .fi
11 .RE
12 .sp 1
13 ..
14 .ie t \{\
15 . if \n(.g \{\
16 . fam P
17 . \}
18 .\}
19 .de hP
20 .IP
21 .ft B
22 \h'-\w'\\$1\ 'u'\\$1\ \c
23 .ft P
24 ..
25 .ie t .ds o \(bu
26 .el .ds o o
27 .TH catcrypt 1 "30 September 2004" "Straylight/Edgeware" "Catacomb cryptographic library"
28 .SH NAME
29 catcrypt \- encrypt and decrypt messages
30 .SH SYNOPSIS
31 .B catcrypt
32 .RB [ \-k
33 .IR keyring ]
34 .I command
35 .PP
36 where
37 .I command
38 is one of:
39 .PP
40 .B help
41 .RI [ command ...]
42 .br
43 .B show
44 .RI [ item ...]
45 .br
46 .B encrypt
47 .RB [ \-apC ]
48 .RB [ \-k
49 .IR tag ]
50 .RB [ \-f
51 .IR format ]
52 .RB [ \-o
53 .IR output ]
54 .RI [ file ]
55 .br
56 .B decrypt
57 .RB [ \-apqvC ]
58 .RB [ \-f
59 .IR format ]
60 .RB [ \-o
61 .IR output ]
62 .RI [ file ]
63 .br
64 .B encode
65 .RB [ \-p ]
66 .RB [ \-f
67 .IR format ]
68 .RB [ \-b
69 .IR boundary ]
70 .RB [ \-o
71 .IR output ]
72 .RI [ file ]
73 .br
74 .B decode
75 .RB [ \-p ]
76 .RB [ \-f
77 .IR format ]
78 .RB [ \-b
79 .IR boundary ]
80 .RB [ \-o
81 .IR output ]
82 .RI [ file ]
83 .SH "DESCRIPTION"
84 The
85 .B catcrypt
86 command encrypts and decrypts messages. It also works as a simple PEM
87 encoder and decoder. It provides a number of subcommands, by which the
88 various operations may be carried out.
89 .SS "Global options"
90 Before the command name,
91 .I "global options"
92 may be given. The following global options are supported:
93 .TP
94 .BR "\-h, \-\-help " [ \fIcommand ...]
95 Writes a brief summary of
96 .BR catcrypt 's
97 various options to standard output, and returns a successful exit
98 status. With command names, gives help on those commands.
99 .TP
100 .B "\-v, \-\-version"
101 Writes the program's version number to standard output, and returns a
102 successful exit status.
103 .TP
104 .B "\-u, \-\-usage"
105 Writes a very terse command line summary to standard output, and returns
106 a successful exit status.
107 .TP
108 .BI "\-k, \-\-keyring " file
109 Names the keyring file which
110 .B key
111 is to process. The default keyring, used if this option doesn't specify
112 one, is the file named
113 .B keyring
114 in the current directory. See
115 .BR key (1)
116 and
117 .BR keyring (5)
118 for more details about keyring files.
119 .SH "KEY SETUP"
120 Algorithms to be used with a particular key are described by attributes
121 on the key, or its type. The
122 .B catcrypt
123 command deals with both signing and key-encapsulation keys. (Note that
124 .B catcrypt
125 uses signing keys in the same way as
126 .BR catsign (1).)
127 .SS "Key-encapsulation keys"
128 (Key encapsulation is a means of transmitting a short, known, random
129 secret to a recipient. It differs from encryption in technical ways
130 which are largely uninteresting at this point.)
131 .PP
132 A
133 .I kemalgspec
134 has the syntax
135 .IR kem \c
136 .RB [ / \c
137 .IR bulk \c
138 .RB [ \- \c
139 .IR cipher ] \c
140 .RB [ / \c
141 .IR hash ]]
142 or
143 .IR kem \c
144 .RB [ / \c
145 .IR cipher \c
146 .RB [ / \c
147 .IR hash ]].
148 If a
149 .B kem
150 attribute is present on the key, then it must have this form; otherwise,
151 the key's type must have the form
152 .BR cckem- \c
153 .IR kemalgspec .
154 Algorithm selections are taken from appropriately-named attributes, or,
155 failing that, from the
156 .IR kemalgspec .
157 .PP
158 The key-encapsulation mechanism is chosen according to the setting of
159 .I kem
160 as follows. Run
161 .B catcrypt show kem
162 for a list of supported KEMs.
163 .TP
164 .B rsa
165 This is Shoup's RSA-KEM (formerly Simple RSA); see
166 .I
167 A proposal for an ISO standard for public key encryption (version 2.0)
168 available at
169 .BR http://eprint.iacr.org/2000/060/ .
170 Use the
171 .B rsa
172 algorithm of the
173 .B key add
174 command (see
175 .BR key (1))
176 to generate the key.
177 .TP
178 .B dh
179 This is standard Diffie-Hellman key exchange, hashing the resulting
180 shared secret to form the key, as used in, e.g., DLIES (P1363a).
181 Use the
182 .B dh
183 algorithm of the
184 .B key add
185 command, preferably with the
186 .B \-LS
187 options, to generate the key.
188 .TP
189 .B ec
190 This is the elliptic-curve analogue of
191 .BR dh .
192 Use the
193 .B ec
194 algorithm of the
195 .BR key (1))
196 command to generate the key.
197 .TP
198 .B symm
199 This is a simple symmetric encapsulation scheme. It works by hashing a
200 binary key with a randomly-generated salt. Use the
201 .B binary
202 algorithm of the
203 .B key add
204 command (see
205 .BR key (1))
206 to generate the key.
207 .TP
208 .B x25519
209 This is Bernstein's Curve25519, a fast Diffie-Hellman using a specific
210 elliptic curve.
211 Use the
212 .B x25519
213 algorithm of the
214 .B key add
215 command
216 (see
217 .BR key (1))
218 to generate the key.
219 .PP
220 The bulk crypto transform is chosen based on the
221 .B bulk
222 attribute on the key, or, failing that,
223 from the
224 .I bulk
225 stated in the
226 .IR kemalgspec .
227 Run
228 .B catcrypt show bulk
229 for a list of supported bulk crypto transforms.
230 .TP
231 .B gencomp
232 A generic composition of
233 a cipher secure against chosen-plaintext attack,
234 and a message authentication code.
235 Makes use of
236 .B cipher
237 and
238 .B mac
239 attributes.
240 This is the default transform.
241 .TP
242 .B naclbox
243 Use Salsa20 or ChaCha and Poly1305 to secure the bulk data.
244 This is nearly the same as the NaCl
245 .B crypto_secretbox
246 construction,
247 except that
248 .B catcrypt
249 uses Salsa20 or ChaCha rather than XSalsa20,
250 because it doesn't need the latter's extended nonce.
251 The
252 .B cipher
253 attribute may be set to one of
254 .BR salsa20 ,
255 .BR salsa20/12 ,
256 .BR salsa20/8 ,
257 .BR chacha20 ,
258 .BR chacha12 ,
259 or
260 .BR chacha8 ;
261 the default is
262 .BR salsa20 .
263 .PP
264 As well as the KEM itself, a number of supporting algorithms are used.
265 These are taken from appropriately named attributes on the key or,
266 failing that, derived from other attributes as described below.
267 .TP
268 .B cipher
269 This is the symmetric encryption algorithm
270 used by the bulk data transform.
271 If there is no
272 .B cipher
273 attribute then the
274 .I bulk
275 in the
276 .I kemalgspec
277 is used; if that it absent, then the default of
278 .B blowfish-cbc
279 is used. Run
280 .B catcrypt show cipher
281 for a list of supported symmetric encryption algorithms.
282 .TP
283 .B hash
284 This is the hash function used to distil entropy from the shared secret
285 constructed by the raw KEM. If there is no
286 .B hash
287 attribute then the
288 .I hash
289 in the
290 .I kemalgspec
291 is used; if that is absent then the default of
292 .B rmd160
293 is used. Run
294 .B catcrypt show hash
295 for a list of supported symmetric encryption algorithms.
296 .TP
297 .B mac
298 This is the message authentication algorithm
299 used by the
300 .B gencomp
301 bulk data transform
302 to ensure integrity of the encrypted message and
303 defend against chosen-ciphertext attacks.
304 If there is no
305 .B mac
306 attribute then
307 .IB hash -hmac
308 is chosen as a default. Run
309 .B catcrypt show mac
310 for a list of supported message authentication algorithms.
311 .TP
312 .B kdf
313 This is the key derivation function used to stretch the hashed shared
314 secret to a sufficient length to select symmetric encryption and
315 authentication keys, initialization vectors and other necessary
316 pseudorandom quantities. If there is no
317 .B kdf
318 attribute then
319 .IB hash -mgf
320 is chosen as a default. Run
321 .B catcrypt show kdf
322 for a list of supported key derivation functions.
323 .B Caution!
324 Not all supported functions have the required security features: don't
325 override the default choice unless you know what you're doing.
326 .SS "Signing keys"
327 A
328 .I sigalgspec
329 has the form
330 .IR sig \c
331 .RB [ / \c
332 .IR hash ].
333 If a
334 .B sig
335 attribute is present on the key, then it must have this form; otherwise,
336 the key's type must have the form
337 .BI ccsig- \c
338 .IR sigalgspec .
339 Algorithm selections are taken from appropriately-named attributes, or,
340 failing that, from the
341 .IR sigalgspec .
342 .PP
343 The signature algorithm is chosen according to the setting of
344 .I sig
345 as follows. Run
346 .B catcrypt show sig
347 for a list of supported signature algorithms.
348 .TP
349 .B rsapkcs1
350 This is almost the same as the RSASSA-PKCS1-v1_5 algorithm described in
351 RFC3447; the difference is that the hash is left bare rather than being
352 wrapped in a DER-encoded
353 .B DigestInfo
354 structure. This doesn't affect security since the key can only be used
355 with the one hash function anyway, and dropping the DER wrapping permits
356 rapid adoption of new hash functions. Regardless, use of this algorithm
357 is not recommended, since the padding method has been shown vulnerable
358 to attack. Use the
359 .B rsa
360 algorithm of the
361 .B key add
362 command (see
363 .BR key (1))
364 to generate the key.
365 .TP
366 .B rsapss
367 This is the RSASSA-PSS algorithm described in RFC3447. It is the
368 preferred RSA-based signature scheme. Use the
369 .B rsa
370 algorithm of the
371 .B key add
372 command (see
373 .BR key (1))
374 to generate the key.
375 .TP
376 .B dsa
377 This is the DSA algorithm described in FIPS180-1 and FIPS180-2. Use the
378 .B dsa
379 algorithm of the
380 .B key add
381 command (see
382 .BR key (1))
383 to generate the key.
384 .TP
385 .B ecdsa
386 This is the ECDSA algorithm described in ANSI X9.62 and FIPS180-2. Use
387 the
388 .B ec
389 algorithm of the
390 .B key add
391 command (see
392 .BR key (1))
393 to generate the key.
394 .TP
395 .B kcdsa
396 This is the revised KCDSA (Korean Certificate-based Digital Signature
397 Algorithm) described in
398 .I The Revised Version of KCDSA
399 .RB ( http://dasan.sejong.ac.kr/~chlim/pub/kcdsa1.ps ).
400 Use the
401 .B dh
402 algorithm of the
403 .B key add
404 command with the
405 .B \-LS
406 options (see
407 .BR key (1))
408 to generate the key.
409 .TP
410 .B eckcdsa
411 This is an unofficial elliptic-curve analogue of the KCDSA algorithm.
412 Use the
413 .B ec
414 algorithm of the
415 .B key add
416 command (see
417 .BR key (1))
418 to generate the key.
419 .TP
420 .B ed25519
421 This is Bernstein, Duif, Lange, Schwabe, and Yang's Ed25519 algorithm.
422 More specifically, this is HashEd25519
423 using the selected
424 .B hash
425 algorithm \(en by default
426 .BR sha512 .
427 Use the
428 .B ed25519
429 algorithm of the
430 .B key add
431 command
432 (see
433 .BR key (1))
434 to generate the key.
435 .TP
436 .B mac
437 This uses a symmetric message-authentication algorithm rather than a
438 digital signature. The precise message-authentication scheme used is
439 determined by the
440 .B mac
441 attribute on the key, which defaults to
442 .IB hash -hmac
443 if unspecified. Use the
444 .B binary
445 algorithm of the
446 .B key add
447 command (see
448 .BR key (1))
449 to generate the key.
450 .PP
451 As well as the signature algorithm itself, a hash function is used.
452 This is taken from the
453 .B hash
454 attribute on the key, or, failing that, from the
455 .I hash
456 specified in the
457 .IR sigalgspec ,
458 or, if that is absent, determined by the signature algorithm as follows.
459 .hP \*o
460 For
461 .BR rsapkcs1 ,
462 .BR rsapss ,
463 .BR dsa ,
464 and
465 .BR ecdsa ,
466 the default hash function is
467 .BR sha .
468 .hP \*o
469 For
470 .BR kcdsa
471 and
472 .BR eckcdsa ,
473 the default hash function is
474 .BR has160 .
475 .PP
476 Run
477 .B catcrypt show hash
478 for a list of supported hash functions.
479 .SH "ENCODINGS"
480 Two encodings for the ciphertext are supported.
481 .TP
482 .B binary
483 The raw format, which has the benefit of being smaller, but needs to be
484 attached to mail messages and generally handled with care.
485 .TP
486 .B pem
487 PEM-encapsulated Base-64 encoded text. This format can be included
488 directly in email and picked out again automatically; but there is a
489 4-to-3 data expansion as a result.
490 .SH "COMMAND REFERENCE"
491 .SS help
492 The
493 .B help
494 command behaves exactly as the
495 .B \-\-help
496 option. With no arguments, it shows an overview of
497 .BR catcrypt 's
498 options; with arguments, it describes the named subcommands.
499 .SS show
500 The
501 .B show
502 command prints various lists of tokens understood by
503 .BR catcrypt .
504 With no arguments, it prints all of the lists; with arguments, it prints
505 just the named lists, in order. The recognized lists can be enumerated
506 using the
507 .VS
508 catcrypt show list
509 .VE
510 command. The lists are as follows.
511 .TP
512 .B list
513 The lists which can be enumerated by the
514 .B show
515 command.
516 .TP
517 .B kem
518 The key-encapsulation algorithms which can be used in a
519 key-encapsulation key's
520 .B kem
521 attribute.
522 .TP
523 .B cipher
524 The symmetric encryption algorithms which can be used in a
525 key-encapsulation key's
526 .B cipher
527 attribute.
528 .TP
529 .B mac
530 The message authentication algorithms which can be used in a
531 key-encapsulation key's
532 .B mac
533 attribute.
534 .TP
535 .B sig
536 The signature algorithms which can be used in a signing key's
537 .B sig
538 attribute.
539 .TP
540 .B hash
541 The hash functions which can be used in a key's
542 .B hash
543 attribute.
544 .TP
545 .B enc
546 The encodings which can be applied to encrypted messages; see
547 .B ENCODINGS
548 above.
549 .SS encrypt
550 The
551 .B encrypt
552 command encrypts a file and writes out the appropriately-encoded
553 ciphertext. By default, it reads from standard input and writes to
554 standard output. If a filename argument is given, this file is read
555 instead (as binary data).
556 .PP
557 The following options are recognized.
558 .TP
559 .B "\-a, \-\-armour"
560 Produce ASCII-armoured output. This is equivalent to specifying
561 .BR "\-f pem" .
562 The variant spelling
563 .B "\-\-armor"
564 is also accepted.
565 .TP
566 .BI "\-f, \-\-format " format
567 Produce output encoded according to
568 .IR format .
569 .TP
570 .BI "\-k, \-\-key " tag
571 Use the key-encapsulation key named
572 .I tag
573 in the current keyring; the default key is
574 .BR ccrypt .
575 .TP
576 .BI "\-p, \-\-progress"
577 Write a progress meter to standard error while processing large files.
578 .TP
579 .BI "\-s, \-\-sign-key " tag
580 Use the signature key named
581 .I tag
582 in the current keyring; the default is not to sign the ciphertext.
583 .TP
584 .BI "\-o, \-\-ouptut " file
585 Write output to
586 .I file
587 rather than to standard output.
588 .TP
589 .B "\-C, \-\-nocheck"
590 Don't check the public key for validity. This makes encryption go much
591 faster, but at the risk of using a duff key.
592 .SS decrypt
593 The
594 .B decrypt
595 command decrypts a ciphertext and writes out the plaintext. By default,
596 it reads from standard input and writes to standard output. If a
597 filename argument is given, this file is read instead.
598 .PP
599 The following options are recognized.
600 .TP
601 .B "\-a, \-\-armour"
602 Read ASCII-armoured input. This is equivalent to specifying
603 .BR "\-f pem" .
604 The variant spelling
605 .B "\-\-armor"
606 is also accepted.
607 .TP
608 .B "\-b, \-\-buffer"
609 Buffer plaintext data until we're sure we've got it all. This is forced
610 on if output is to stdout, but is always available as an option.
611 .TP
612 .BI "\-f, \-\-format " format
613 Read input encoded according to
614 .IR format .
615 .TP
616 .BI "\-p, \-\-progress"
617 Write a progress meter to standard error while processing large files.
618 .TP
619 .B "\-v, \-\-verbose"
620 Produce more verbose messages. See below for the messages produced
621 during decryption. The default verbosity level is 1. (Currently this
622 is the most verbose setting. This might not be the case always.)
623 .TP
624 .B "\-q, \-\-quiet"
625 Produce fewer messages.
626 .TP
627 .BI "\-o, \-\-output " file
628 Write output to
629 .I file
630 instead of to standard output. The file is written in binary mode.
631 Fixing line-end conventions is your problem; there are lots of good
632 tools for dealing with it.
633 .TP
634 .B "\-C, \-\-nocheck"
635 Don't check the private key for validity. This makes decryption go much
636 faster, but at the risk of using a duff key, and possibly leaking
637 information about the private key.
638 .PP
639 Output is written to standard output in a machine-readable format.
640 Major problems cause the program to write a diagnostic to standard error
641 and exit nonzero as usual. The quantity of output varies depending on
642 the verbosity level and whether the plaintext is also being written to
643 standard output. Output lines begin with a keyword:
644 .TP
645 .BI "FAIL " reason
646 An error prevented decryption. The program will exit nonzero.
647 .TP
648 .BI "WARN " reason
649 .B catcrypt
650 encountered a situation which may or may not invalidate the decryption.
651 .TP
652 .BI "OK " message
653 Decryption was successful. This is only produced if main output is
654 being sent somewhere other than standard output.
655 .TP
656 .B "DATA"
657 The plaintext follows, starting just after the next newline character or
658 sequence. This is only produced if main output is also being sent to
659 standard output.
660 .TP
661 .BI "INFO " note
662 Any other information.
663 .PP
664 The information written at the various verbosity levels is as follows.
665 .hP 0.
666 No output. Watch the exit status.
667 .hP 1.
668 All messages.
669 .PP
670 .B Warning!
671 All output written has been checked for authenticity. However, output
672 can fail midway through for many reasons, and the resulting message may
673 therefore be truncated. Don't rely on the output being complete until
674 .B OK
675 is printed or
676 .B catcrypt decrypt
677 exits successfully.
678 .SS "encode"
679 The
680 .B encode
681 command encodes an input file according to one of the encodings
682 described above in
683 .BR ENCODINGS .
684 The input is read from the
685 .I file
686 given on the command line, or from standard input if none is specified.
687 Options provided are:
688 .TP
689 .BI "\-p, \-\-progress"
690 Write a progress meter to standard error while processing large files.
691 .TP
692 .BI "\-f, \-\-format " format
693 Produce output in
694 .IR format .
695 Run
696 .B catcrypt show enc
697 for a list of encoding formats.
698 .TP
699 .BI "\-b, \-\-boundary " label
700 Set the PEM boundary string to
701 .IR label ;
702 i.e., assuming we're encoding in PEM format, the output will have
703 .BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
704 at the top and
705 .BI "\-\-\-\-\-END " label "\-\-\-\-\-"
706 at the bottom. The default
707 .I label
708 is
709 .BR MESSAGE .
710 .TP
711 .BI "\-o, \-\-output " file
712 Write output to
713 .I file
714 instead of to standard output.
715 .SS "decode"
716 The
717 .B decode
718 command decodes an input file encoded according to one of the encodings
719 described above in
720 .BR ENCODINGS .
721 The input is read from the
722 .I file
723 given on the command line, or from standard input if none is specified.
724 Options provided are:
725 .TP
726 .BI "\-f, \-\-format " format
727 Decode input in
728 .IR format .
729 Run
730 .B catcrypt show enc
731 for a list of encoding formats.
732 .TP
733 .BI "\-b, \-\-boundary " label
734 Set the PEM boundary string to
735 .IR label ;
736 i.e., assuming we're encoding in PEM format, start processing input
737 between
738 .BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
739 and
740 .BI "\-\-\-\-\-END " label "\-\-\-\-\-"
741 lines. Without this option,
742 .B catcrypt
743 will start reading at the first plausible boundary string, and continue
744 processing until it reaches the matching end boundary.
745 .TP
746 .BI "\-p, \-\-progress"
747 Write a progress meter to standard error while processing large files.
748 .TP
749 .BI "\-o, \-\-output " file
750 Write output to
751 .I file
752 instead of to standard output.
753 .SH "SECURITY PROPERTIES"
754 Assuming the security of the underlying primitive algorithms, the
755 following security properties of the ciphertext hold.
756 .hP \*o
757 An adversary given the public key-encapsulation key and capable of
758 requesting encryption of arbitrary plaintexts of his own devising is
759 unable to decide whether he is given ciphertexts corresponding to his
760 chosen plaintexts or random plaintexts of the same length. This holds
761 even if the adversary is permitted to request decryption of any
762 ciphertext other than one produced as a result of an encryption request.
763 This property is called
764 .BR IND-CCA2 .
765 .hP \*o
766 An adversary given the public key-encapsulation and verification keys,
767 and capable of requesting encryption of arbitrary plaintext of his own
768 devising is unable to produce a new ciphertext which will be accepted as
769 genuine. This property is called
770 .BR INT-CTXT .
771 .hP \*o
772 An adversary given the public key-encapsulation and verification keys,
773 and capable of requesting encryption of arbitrary plaintext of his own
774 devising is unable to decide whether the ciphertexts he is given are
775 correctly signed. This property doesn't seem to have a name.
776 .PP
777 Not all is rosy. If you leak intermediate values during decryption then
778 an adversary can construct a new correctly-signed message. Don't do
779 that, then \(en leaking intermediate values often voids security
780 warranties. But it does avoid the usual problem with separate signing
781 and encryption that a careful leak by the recipient can produce evidence
782 that you signed some incriminating message.
783 .PP
784 Note that
785 .BR catcrypt 's
786 signatures do
787 .I not
788 provide `non-repudiation' in any useful way. This is deliberate: the
789 purpose of signing is to convince the recipient of the sender's
790 identity, rather than to allow the recipient to persuade anyone else.
791 Indeed, given an encrypted and signed message, the recipient can
792 straightforwardly construct a new message, apparently from the same
793 sender, and whose signature still verifies, but with arbitrarily chosen
794 content.
795 .SH "CRYPTOGRAPHIC THEORY"
796 Encryption of a message proceeds as follows.
797 .hP 0.
798 Emit a header packet containing the key-ids for the key-encapsulation
799 key, and signature key if any.
800 .hP 1.
801 Use the KEM to produce a public value and a shared secret the recipient
802 will be able to extract from the public value using his private key.
803 Emit a packet containing the public value.
804 .hP 2.
805 Hash the shared secret. Use the KDF to produce a pseudorandom keystream
806 of indefinite length.
807 .hP 3.
808 Use the first bits of the keystream to key a symmetric encryption
809 scheme; use the next bits to key a message authentication code.
810 .hP 4.
811 If we're signing the message then extract 1024 bytes from the keystream,
812 sign the header and public value, and the keystream bytes; emit a packet
813 containing the signature. The signature packet doesn't contain the
814 signed message, just the signature.
815 .hP 5.
816 Split the message into blocks. For each block, pick a random IV from
817 the keystream, encrypt the block and emit a packet containing the
818 IV, ciphertext, and a MAC tag over the ciphertext and a sequence number.
819 .hP 6.
820 The last chunk is the encryption of an empty plaintext block. No
821 previous plaintext block is empty. This lets us determine the
822 difference between a complete file and one that's been maliciously
823 truncated.
824 .PP
825 That's it. Nothing terribly controversial, really.
826 .SH "SEE ALSO"
827 .BR key (1),
828 .BR catsign (1),
829 .BR dsig (1),
830 .BR hashsum (1),
831 .BR keyring (5).
832 .SH AUTHOR
833 Mark Wooding, <mdw@distorted.org.uk>