PGP® Desktop for Windows User's Guide
Contents
1. Fewer Choices Search Pending Area Keys Validity Size Description 3 Choose the server you wish to search from the Search for keys on drop down menu 4 Specify your search criteria You can search for keys on a key server by specifying values for multiple key characteristics The inverse of most of these operations is also available For example you may search using User ID is not Charles as your criteria 5 Enter the value you want to search for Click More Choices to add additional criteria to your search for example Key IDs with the name Taggert created on or before February 2 1905 7 To begin the search click Search A progress bar appears displaying the status of the search To cancel a search in progress click Stop Search The results of the search appear in the window 8 To import the keys drag them to the PGPkeys main window 9 Close the PGPkeys Search Window screen Getting public keys from email messages A convenient way to get a copy of someone s public key is to have that per son include it in an email message When a public key is sent through email it appears as a block of text in the body of the message To add a public key from an email message e f you have an email application that is supported by the PGP plug ins then click da in your email application to extract the sender s public key from the email and add it to your public keyring Ch 15 Exchanging2. Glossary User s Guide Glossary PGP Desktop Compression function A compression function takes a fixed sized input and returns a shorter fixed sized output Corporate signing key A public key that is designated by the security officer of a corporation as the system wide key that all corporate users trust to sign other keys Conventional encryption Encryption that relies on a common passphrase instead of public key cryp tography The file is encrypted using a session key which encrypts using a passphrase that you will be asked to choose Cryptanalysis The art or science of transferring cipher text into plain text without initial knowledge of the key used to encrypt the plain text CRYPTOKI Same as PKCS 11 Cryptography The art and science of creating messages that have some combination of being private signed unmodified with non repudiation Cryptosystem A system comprised of cryptographic algorithms all possible plain text cipher text and keys Data integrity A method of ensuring information has not been altered by unauthorized or unknown means Decryption A method of unscrambling encrypted information so that it becomes legi ble again The recipient s private key is used for decryption denial of service attack An assault usually planned that seeks to disrupt Web access A denial of service attack overwhelms an Internet server with connection requests that cannot be completed In so doing it causes
3. General Subkeys Revokers Designated Revoker Keys Keys XE Bob Reynolds lt bobr acmecorp net gt Update from Server 130 Ch 16 Managing Keys User s Guide PGP Desktop The Revokers panel lists any keys that have the ability to revoke your PGP key and provides a convenient means for updating a revokers key with the Update from Server button If the key belonging to the revoker is not on your keyring then Unknown Key followed by the keys key ID displays instead of the user ID Highlight the key ID and click the Update from Server button to search for the key on a key server Appointing a designated revoker It is possible that you might forget your passphrase someday or lose your pri vate key your laptop is stolen or your hard drive crashes for example Unless you are also using Key Reconstruction and can reconstruct your pri vate key you would be unable to use your key again and you would have no way of revoking it to show others not to encrypt to it To safeguard against this possibility you can appoint a third party key revoker The third party you designate is then able to revoke your key just as if you had revoked it your self For a key to appear revoked to another user both the revoked key and the Des ignated Revoker key must be on his her keyring Thus the designated revoker feature is most effective in a corporate setting where all users keyrings con tain the company s De
4. PGP icons Untitled Message Plain Text File Edit View Insert Format PGP Tools Actions Help Send Accounts fal amp EA 0 MM t L Y joo amp OOH mE o S co ammm Subject NEN If you are creating a new message in Outlook the Standard toolbar will have PGP Desktop icons that let you e Encrypt the message e Sign the message e Open PGP Keys The Outlook Inbox also has PGP icons for e Decrypting a message and verifying its signature e Opening PGP Keys PGP Desktop installs PGP icons into the following email applications e Microsoft Exchange e Microsoft Outlook e Microsoft Outlook Express e Lotus Notes e Novell GroupWise e QUALCOMM Eudora If you use an email application that doesn t have PGP Desktop icons on its tool bar you can use the PGPtray icon to perform PGP Desktop functions on either the Current Windows or the Clipboard Be sure to check the toolbar of your email application for the PGP Desktop icons 22 Ch 2 The PGP Desktop Interface User s Guide PGP Desktop PGP Desktop Screens PGP Desktop s main screens are those for PGP Keys PGP Mail and the PGP Disk Editor The PGP Keys Screen The PGP Keys screen lets you manage your public private keypair s and the public keys of others For more detailed information about managing keys refer to Chapter 16 Managing Keys To access the PGP Keys screen 1 Click the PGPtray icon 2 Select PGPke
5. Split Key Cancel Help By default each shareholder is responsible for one share To increase the number of shares a shareholder possesses click the name in the share holder s list to display it in the text field below Type the new number of key shares or use the arrows to select a new amount Click Split Key You are prompted to select a directory in which to store the shares Select a location to store the key shares The Passphrase screen appears Enter the passphrase for the key you want to split and then click OK A confirmation dialog box opens Click Yes to split the key The key is split and the shares are saved in the location you specified Each key share is saved with the shareholder s name as the file name and a SHF extension as shown in the example below 228 NE NN Jose Medina Bob Reynolds MingPa 1 Pradeep Brapal 1 Share shf 1 Share shf Share shf 1Share shf Distribute the key shares to the owners then delete the local copies Once a key is split among multiple shareholders attempting to sign or decrypt with it will cause PGP to automatically attempt to rejoin the key Ch 16 Managing Keys User s Guide PGP Desktop Rejoining split keys Once a key is split among multiple shareholders attempting to sign or decrypt with it will cause PGP to automatically attempt to rejoin the key There are two ways to rejoin the key locally and remotely Rejoining key shares locally requires the sha
6. 20 Ch 2 The PGP Desktop Interface User s Guide PGP Desktop e File If you right click a file in Windows Explorer the PGP submenu lets you perform various PGP functions on the file depending on what kind of file it is If you select an unencrypted file you can encrypt sign wipe or cre ate an SDA If you select an encrypted file you can decrypt verify or wipe it If you select a PGPdisk file pgd you can mount or edit it f you select an ASCII key file asc you can decrypt verify or wipe it If you select decrypt verify you are given the option of importing the file f you select a PGP public or private keyring file PKR or SKR files respectively you can add the keys in it to your keyring or wipe the file The Start Menu Another way to access PGP is through the Windows Start Menu Click Start slide up to Programs then over to PGP f n Documentation t Intro to Crypto E PGP user s Guide fm Programs De Favorites By Documents E settings 4 Search 9 Help and Support Run Y Y Y Y B Log off O Turn Off Computer fJ start o AE The Start Menu gives you access to e PGP documentation e PGP Disk functions e The PGP Keys and PGP Mail screens Ch 2 The PGP Desktop Interface 21 PGP Desktop User s Guide Email applications You can access some PGP Desktop unctions from within certain email appli cations like Microsoft Outlook for example
7. depending on what you want to do This chapter shows and describes ways to access PGP Desktop and it s main screens PGP Keys PGP Mail and the PGP Disk Editor Accessing PGP Desktop There are four main ways to access PGP Desktop via the PGPtray icon via the Start Menu via Windows Explorer and from within email applications The PGPtray icon One way to access many PGP Desktop features is from the PGPtray icon About PGP License Help Options P ES E PGPdisk PGPdisk cy PGPkeys Mount Disk 14 PGPmail New Disk Edit Disk Current Window gt A Clipboard Unmount All Disks When you click on the PGP Desktop icon in the Windows System tray we call this the PGPtray icon a menu appears giving you access to e The About PGP screen which displays information about the version of PGP you are using including the licensing information e PGP online help so that you have easy access to information about PGP e PGP options so that you can control your PGP environment e Purging passphrase caches so that you can remove stored passphrases from the cache to prevent unauthorized use of PGP e PGP Disk functions so you have quick access to PGPdisk functionality e The PGP Keys and PGP Mail screens so that you have easy access to PGPkeys and PGPmail functionality e Encrypt Decrypt Verify and Sign options for data in the Current Window so that you can use PGP on the current window e Empty Ed
8. ing others to send messages to you automatically If the wizard appears continue with instructions in Using the PGP ICQ Wizard on page 59 Your PGP public key with your ICQ number is sent to the recipient This text is not encrypted 58 Ch 8 Securing ICQ User s Guide PGP Desktop Using the PGP ICO Wizard Use the PGP ICQ wizard to add your ICQ number as an identifier to your PGP key The wizard guides you through the process of selecting the key you want to use when securely communicating via ICQ and adding your ICQ num ber to the key To use the PGP ICO Wizard 1 The PGP ICO Wizard starts automatically when you click Send in ICO but you don t have an ICQ number on your PGP key The PGP ICO Wizard Welcome screen appears PGP ICQ Wizard Welcome to the PGP ICQ Wizard An ICQ number could not be found on any of the valid user IDs for your default PGP key In order to allow others to send ICQ messages to you automatically you should create a user ID on your key which contains your ICQ tt This wizard will assist you in this process Please press next to begin adding your ICQ to your default PGP key Cancel 2 Read the information in the Welcome screen then click Next The PGP ICO Wizard Gathering Information screen appears with your default user ID in the Name field and your ICO number in the ICO field PGP ICQ Wizard Bathering Information On completion a new user ID will be added to you
9. it is likely that a copy of his or her public key is on a keyserver This makes it very convenient for you to get a copy of the most up to date key whenever you want to send him or her mail and also relieves you from having to store a lot of keys on your public keyring If you are in a corporate setting then your administrator may direct you to use a corporate key server that holds all of your organization s frequently used keys In this case your PGP software is probably already configured to access the appropriate server There are a number of public keyservers such as the one maintained by PGP Corporation where you can locate the keys of most PGP users If the recipi ent has not pointed you to the Web address where his or her public key is stored you can access any keyserver and do a search for the user s name or email address This may or may not work as not all public keyservers are reg ularly updated to include the keys stored on all the other servers To get someone s public key from a keyserver 1 Open PGPkeys 2 Choose Search from the Server menu or click the Search button in PGP keys Ch 15 Exchanging Keys User s Guide PGP Desktop The PGPkeys Search window appears T PGPkeys Search Window Search for keys on Idap keyserver pgp com Y where User ID Y contains v Clear Search Key Type vis v Diffie Hellman Creation Date is on 11 17 2002 Expiration Date v is on 1 11 17 2002 v
10. tion a system failure or tampering with your system Reinstall PGP Cannot perform the requested operation because the output buffer is too small The output is larger than the internal buff ers can handle If you are encrypting or signing you may have to break up the message and encrypt sign smaller pieces at a time If you are decrypting or verifying ask the sender to encrypt sign smaller pieces and re send them to you Could not encrypt to specified key because it is a sign only key The selected key can only be used for sign ing Choose a different key or gener ate a new key that can encrypt data Could not sign with specified key because it is an encrypt only key The selected key can only be used for encrypting Choose a different key or gener ate a new key that can sign data 163 PGP Desktop 164 User s Guide Error Cause Solution Error in domain name system The destination address you provided is incor rect or your network connection is miscon figured Check to make sure that the des tination address you provided is the correct one If you are sure of this check your connection to the network Identical shares can not be combined You attempted to com bine the same share twice If you received the shares from a share file try choosing a differ ent share file If you received the shares from the network you
11. use the Windows Task Scheduler 46 Ch 5 Securing Files Overview Wiping This chapter tells you how PGP can wipe files and free disk space on your systems so that sensitive data cannot be retrieved even using disk recovery software It also tells you how you can schedule automatic free space wiping If you want to completely destroy sensitive files without leaving fragments of their data behind use the PGP Wipe utility When you delete a file using Wipe the file is immediately overwritten even on systems with virtual mem ory and all traces of the file are removed so that it cannot be retrieved even by using disk recovery software In addition you can set file wiping options from the General tab of the PGP Options screen You can enable Wipe to automatically wipe files when delet ing them To learn how to set wipe options see Setting General options on page 147 To erase free disk space that could contain data from previously deleted files and programs use the PGP Free Space Wiper utility To make sure your deleted data is not recoverable erase your free disk space periodically with the Free Space Wiper It is especially important to use the Free Space Wiper on Journaling filesys tems such as NTFS as such filesystems make a second copy of everything written to disk in a filesystem journal This helps the disk recover from dam age but requires extra work when removing sensitive data Wiping a file does not wipe
12. 134 Index User s Guide K key ID properties 128 key pair copying to a smart card 73 examining 101 specifying default 119 key reconstruction server restore your key from 144 send your key to 107 key server getting someone s public key from 112 searching 112 sending your public key to 109 updating your key on the server 142 using to circulate revoke keys 132 key size Diffie Hellman portion 102 DSS portion 102 setting 102 129 trade offs 102 129 keyrings changing attributes of 115 119 description of 115 location of 115 storing elsewhere 115 viewing attributes of 115 119 Index PGP Desktop keys adding a photo ID 126 adding your Microsoft Exchange Server ID to 104 copying a key pair to a smart card 73 creating on a smart card 67 deleting from your keyring 120 examining 101 exporting from a smart card 71 granting trust for validations 124 lost 107 144 managing 115 on a smart card 70 reappearing on server 144 reconstructing 107 144 rejoining a split key 139 removing signatures 143 removing user names 143 replacing a photo ID 127 revoking 132 setting size of 102 129 signing 123 updating on a key server 142 verifying authenticity of 114 L legitimacy determining a key s 114 Lotus Notes decrypting and verifying with 64 encrypting with 63 signing with 63 M managing keys 115 Microsoft Exchange Server user ID adding to your new key 104 MIME standard using to decrypt email 36 37 mounting PGPdi
13. DSS public key i Ge Acme Com Des Rev lt pradeepb acmecom net gt 2048 1024 DH DSS public key Ge Acme Corp PGPdisk ADK lt pradeepb acmecom n 2048 1024 DH DSS public key Ge Alice Cameron alicec amp acmecorp net 2048 1024 DH DSS public key mm Ge Bob Reynolds bobr amp acmecorp net 2048 1024 DH DSS public key Ge Fumiko Asako lt umikoa acmecomp net gt 2048 1024 DH DSS public key Ge Jose Medina lt josem acmecom net gt 2048 1024 DH DSS public key i 2048 1024 DH DSSpublickey m 2048 1024 Disabled DH DSS g Ge Katerina Laval katerinal amp acmecorp net ue Mar a Fuentes lt mariaf acmecorp net gt Ge Ming Pa Exurge Ice ree ig o 2048 1024 DH DSS public key El og Pradeep Brapal lt pradeepb acmecorp net gt 2048 1024 DH DSS key pair SanTau lt sam enst f gt 1024 Revoked RSA lega Ys SZho B3 amp ya com 2048 1024 Expired DH DSS p 4j Sa SamRamier lt sram ny com gt 1024 RSA legacy public Ge SJ Wilson lt sjwilson vcnet com gt 2048 2048 RSA public key xj Ge Vladimir Toskin vladimirt amp acmecorp net 2048 1024 DH DSS public key mumm Ge Owuor bleuep osibuep eceyauksorye 2048 1024 DH DSS public key m Ge Aravayic Avac a vac amp aypueyopn yon 2048 1024 DH DSS public key 2 Click u in the PGPkeys menu bar or pull down the Keys menu and select New Key The PGP Key Generation Wizard provides some introductory information on the first screen 3
14. English speakers One way or another we tried to incorpo rate all these criteria into a filter on the initial dictionary list or into the dis tance metric itself After the computer evolved the winning list we looked at it Yes the words were phonetically distinct But many of them looked like a computer picked them not a human A lot of them were just ugly and dumb Some were repugnant and some were bland and wimpy So we applied some wetware augmentation to the list Some words were deleted and replaced by some human chosen words We had the computer check the new words against the list to see if they were phonetically distant from the rest of the list We also tried to make the words not come too close to colliding phonetically with the other words in the larger dictionary just so that they would not be mis taken for other words not on the list There were a variety of selection criteria that Juola used in his algorithms He published a paper on it that goes into more detail This document is just a brief overview of how we built the list I m not entirely happy with the word list wish it had more cool words in it and less bland words like words like Aztec and Capricorn and the words in the standard military alphabet While we d like to reserve the right to revise the list at some future time it s not likely due to the legacy problems that this initial version will create This version of the list was las
15. Notes plugin Overview The PGP Lotus Notes plugin lets you encrypt sign and decrypt verify encrypted email messages using your Lotus Notes email program PGP sup ports Lotus Notes versions 4 5 x 4 6 x 5 x and 6 x The Lotus Notes 6 x plugin decrypts PGP MIME messages it does not encrypt them Encrypting and signing To encrypt and sign an email message using Lotus Notes 1 Use your Lotus Notes email client to compose your message as you nor mally would If you are sending sensitive email consider leaving your subject line blank or creating a subject line that does not reveal the contents of your encrypted mes sage 2 When you have finished composing the text of your email message click the PGP button on your toolbar Lj New Memo X Draft O Address ing Delivery Options 9 Tools a PGP NL A drop down menu appears listing your PGP options 3 Select Sign to digitally sign your message select Encrypt to encrypt the text of your message 4 f you choose to encrypt and or sign the message you are also given the option to encrypt the text before sending To do so click the PGP button and select Encode NOW from the new drop down menu 5 Send your message as you normally do Ch 9 Using Lotus Notes 63 PGP Desktop User s Guide If you have a copy of the public keys for every one of the recipients on your keyring and the recipients name or email address matches a user ID on your
16. Output When sending files as attachments with some email applica tions you may need to select the Text Output check box to save the file as ASCII text This is sometimes necessary in order to send a binary file using older email applications Selecting this option increases the size of the encrypted file by about 30 percent Wipe Original Select this check box to overwrite the original document that you are encrypting so that your sensitive information is not readable by anyone who can access your hard disk Secure Viewer Select this check box to protect text from TEMPEST attacks upon decryption If you select this option the data is displayed in a special TEMPEST attack prevention font that is unreadable to radiation capturing equipment upon decrypting and your email can t be saved in decrypted format For more information about TEMPEST attacks see the vulnerabilities section in An Introduction to Cryptography This option is only available when encrypting text or text files Conventional Encrypt Select this check box to rely on a common pass phrase rather than on public key cryptography The file is encrypted using a session key which encrypts and decrypts using a passphrase that you are asked to choose Self Decrypting Archive SDA Select this check box to create a self decrypting executable file If you select this option the file is encrypted using a session key which encrypts and decrypts using a passphrase that you are
17. PGP Enter Passphrase screen appears 7 Enter the PIN for your smart card then click OK The keypair is copied to your smart card PGP asks if you want to remove the private portion of the keypair from your keyring so that it only resides on the smart card 8 Click Yes to remove the private portion of your keypair from your keyring click No to leave the private portion of your keypair on your keyring If you clicked Yes the private portion of your keypair is deleted from the keyring on your system and exists only on your smart card If you clicked No the private portion is not deleted you now have two copies of the same keypair one on your system and the other on your smart card 74 Ch 10 Using Smart Cards 11 PGP Disk Basics This chapter describes the basics of PGP Disk What is PGP Disk PGPdisk is an easy to use encryption application that enables you to set aside an area of disk space for storing your sensitive data This reserved space is used to create a file called a PGPdisk volume Although it is a single file a PGPdisk volume acts very much like a hard disk in that it provides storage space for your files and applications You can think of it like a floppy disk or an external hard disk To use the applications and files stored in the volume you mount it or make it accessible to you When a PGPdisk volume is mounted you can use it as you would use any other disk You can install applications within the v
18. Viewer enabled an advisory mes sage appears Click OK to continue The decrypted message appears on a secure PGP screen in a special TEMPEST attack prevention font You can save the message in its decrypted state or you can save the orig inal encrypted version so that it remains secure Messages encrypted with the Secure Viewer option enabled cannot be saved in their decrypted state Ch 4 Securing Email 37 PGP Desktop PGP MIME User s Guide 38 If you are using an email application with one of the plug ins that supports the PGP MIME standard and you are communicating with another user whose email application also supports this standard both of you can automatically encrypt and decrypt your email messages and any attached files when you send or retrieve your email All you have to do is turn on the PGP MIME encryption and sign functions from the Email tab of the PGP Options screen which can be opened from PGPtray or from within PGPkeys When you receive email from someone who uses the PGP MIME feature the mail arrives with an icon in the message window indicating that it is PGP MIME encoded To decrypt the text and file attachments in PGP MIME encapsulated email and to verify any digital signatures simply click the lock and quill icon Attach ments are still encrypted if PGP MIME is not used but the decryption process is usually more involved for the recipient When you encrypt and sign with an email applicat
19. accept the new setting Changing your passphrase It s a good practice to change your passphrase at regular intervals perhaps every three months More importantly you should change your passphrase the moment you think it has been compromised for example by someone looking over your shoulder as you typed it in To change your passphrase 1 Open PGPkeys and select the key for which you want to change the pass phrase Choose Properties from the Keys menu or click amp to open the Properties screen The Properties screen appears Click Change Passphrase from the General tab The Passphrase screen appears If you want to change the passphrase for a split key you must first rejoin the key shares Click Join to collect the key shares Enter your current passphrase in the space provided then click OK The Confirmed Passphrase screen appears Enter your new passphrase in the first text box Press Tab to advance to the next text box and confirm your entry by entering your new passphrase again Click OK If you are changing your passphrase because you feel that your passphrase has been compromised you should wipe all backup keyrings and wipe your freespace Ch 16 Managing Keys 125 PGP Desktop 126 User s Guide Adding a new user name or address to your keypair You may have more than one user name or email address for which you want to use the same keypair After creating a keypair you can add alterna
20. acmecor Ge Jose Medina lt josem acmecom n If you intend to encrypt information to all members of an existing email distribu tion list you must create a PGP group by the same name as and including the same members as the email distribution list For example if there is a user group pgp com list set up in your email application you must create a user group pgp com group in PGP Working with distribution lists Use the Groups feature to create distribution lists and to edit the list of people to whom you want to send encrypted email To create a group distribution list 1 Choose New Group from the Groups menu 2 Enter a name for the group distribution list Optionally enter a group description For example you can name the group everyone pgp com with a description of All employees 3 Click OK to create the distribution list The group distribution list is added to your keyring and can be viewed in the Groups window Ch 4 Securing Email User s Guide Ch 4 Securing Email PGP Desktop To add members to a distribution list 1 In the PGPkeys window select the users or lists you want to add to your distribution list 2 Drag the users from the PGPkeys window to the desired distribution list in the Groups window Members in a distribution list can be added to other distribution lists To add a distribution list to another distribution list 1 Select the distribution list
21. address mail to a particular recipient 99 User s Guide If PGP detects that your computer is in a Microsoft Exchange Server envi ronment or if your PGP administrator has configured PGP to include spe cific installation settings the Administrator Options panel appears Read the information on this panel then click Next to continue On the Passphrase screen enter the string of characters or words you want to use to maintain exclusive access to your private key To confirm your entry press the Tab key to advance to the next field then enter the same passphrase again For more information on creating an effective passphrase see Creating a passphrase you will remember on page 105 Normally as an added level of security the characters you enter for the passphrase do not appear on the screen However if you are sure that no one is watching and you would like to see the characters of your pass phrase as you type clear the Hide Typing check box Unless your PGP administrator has implemented a PGP key reconstruction pol icy for your company no one including PGP Corporation can salvage a key with a forgotten passphrase 7 Click Next to begin the key generation process If you have entered an inadequate passphrase a warning message appears before the keys are generated Depending on the PGP settings specified by your administrator you may have the choice of accepting the bad passphrase or entering a more secure one before
22. appears Certificate Attributes Certificate Authority Type Windows 2000 Attribute Value Full Name roadking Email Address RFC822 roadking 192 168 1 21 Initials FLHR Organization Name Acme Corp Advanced Options Request Type CRS PKCS 10 b Verify the certificate attributes use the Add Edit and Remove buttons to make any required changes and click OK The PGP Enter Passphrase screen appears Enter the passphrase for your keypair then click OK The PGP Server Progress bar appears The certificate request is sent to the CA server The server authenti cates itself to your computer and accepts your request 135 PGP Desktop User s Guide In a corporate setting your company s PGP or PKI administrator veri fies your information in the request The identifying information and public key are assembled and then digitally signed with the CA s own certificate to create your new certificate The administrator sends you an email message stating that your certif icate is ready for retrieval 4 Retrieve your certificate and add it to your keypair In a corporate setting your certificate may be retrieved and added to your keypair automatically depending on the settings your administrator has configured If you do not have automatic certificate retrieval configured you can retrieve your certificate and add it to your keyring manually To do this follow these steps a In PGPkeys select the PGP key for wh
23. asked to choose and PGP automatically appends an sda exe extension The resulting executable file can be decrypted by simply dou ble clicking on it and entering the appropriate passphrase This option is especially convenient for users who are sending encrypted files to people who do not have PGP software installed Note that sender and recipient must be on the same operating system Refer to Chapter 7 Self Decrypt ing Archives for more information about SDAs If you are signing the files you are asked to supply your passphrase After encryption if you look in the folder where the original file was located you will find a file with the specified name represented by one of three icons Encrypted with Encrypted with Self decrypting text output standard output archive output If you are encrypting or signing a folder the output may be in a new folder depending on the options you selected 40 Ch 5 Securing Files User s Guide PGP Desktop Decrypting and verifying files When someone sends you encrypted data in a file you can unscramble the contents and verify any appended signature to make sure that the data origi nated with the alleged sender and that it has not been altered Use the Decrypt Verify option available from PGPtray or the Windows Explorer File to decrypt your files and folders To decrypt and or verify data that has been encrypted to your key you must have your private key and passphrase to complete the tas
24. been the inspiration of the whole modern gen eration of cryptographers Aegean Park Press www aegeanparkpress com The Aegean Park Press publishes a number of interesting historic books ranging from histories such as The American Black Chamber an expos of U S cryptography during and after WWI to declassified government documents Technical aspects of cryptography Web sites www iacr org International Association for Cryptologic Research IACR The IACR holds cryptographic conferences and publishes journals www pgpi org An international PGP Web site which is not maintained by PGP Corporation is an unofficial yet comprehensive resource for PGP www nist gov aes The National Institute of Standards and Technology NIST Advanced Encryption Standard AES Development Effort perhaps the most interesting project going on in cryptography today www ietf org rfc rfc2440 txt The IETF OpenPGP specification written by Jon Callas Lutz Donnerhacke Hal Finney and Rodney Thayer www ietf org rfc rfc3156 txt The IETF OpenPGP MIME specification written by Michael Elkins Dave del Torto Raph Levien and Thomas Roessler Introduction User s Guide PGP Desktop Books and periodicals Applied Cryptography Protocols Algorithms and Source Code in C 2nd edition Bruce Schneier John Wiley Sons 1996 ISBN 0 471 12845 7 If you can only buy one book to get started in cryptography this is the one to buy Handbo
25. can use the Windows Task Scheduler to schedule periodic folder and free space wiping To use this scheduling feature you must have the Windows Task Scheduler installed on your system If you do not have the Task Scheduler installed on your system you can download it from the Microsoft Web site www microsoft com To schedule folder and free space wiping 1 On the PGPmail screen click the Freespace Wipe button to start the Freespace Wipe Wizard The Wipe Free Space Wizard appears Read the information on the Welcome screen then click Next to continue The PGP Free Space Wipe Wizard prompts you to select the volume you want to wipe and the number of passes you want to perform In the Volume box select the disk or volume that you want PGP to wipe Then select the number of passes that you want PGP to perform The recommended guidelines are 3 passes for personal use 10 passes for commercial use 18 passes for military use 26 passes for maximum security Commercial data recovery companies have been known to recover data that has been over written up to nine times PGP uses highly sophisticated patterns dur ing each wipe to ensure that your sensitive data cannot be recovered 4 Click Next to continue 5 When the Perform Wipe screen opens click the Schedule button 6 When the Schedule screen appears click OK to continue If you are running Windows NT the Windows NT Confirm Password dia log box ap
26. com you could create a distribution list with that name The Groups menu in PGPkeys contains the Show Groups option that toggles the display of the Groups window in PGP keys TT PGPkeys DAR File Edit View Keys Server Groups Help su PREB CH Keys Validity Size Description Ge Acme Com ADK pradeepb Gacmecorp net 0 2048 1024 DH DSS public key Ge Acme Corp CSK lt pradeepb acmecom net gt 9 2048 1024 DH DSS public key Ge Acme Corp Des Rev lt pradeepbBacmecomp net 9 2048 1024 DH DSS public key Ge Acme Corp PGPdisk ADK lt pradeepbBacmecorp n 9 2048 1024 DH DSS public key Ge Alice Cameron alicec amp acmecorp net 9 2048 1024 DH DSS public key Ge Bob Reynolds bobr amp acmecorp net 9 2048 1024 DH DSS public key Ge Fumiko Asako fumikoaacmecorp net 9 2048 1024 DH DSS public key Ge Jose Medina lt josem acmecom net 0 2048 1024 DH DSS public key Ge Katerina Laval katerinal amp acmecorp net o 2048 1024 DH DSS public key ue Mara Fuentes lt manaf acmecop net gt 9 2048 1024 Disabled DH DSS Ge Ming Pa mingpacmecorp net 0 2048 1024 DH DSS public key Y Pradeep Brapal pradeepb amp acmecorp net 2048 1024 DH DSS key pair ua Samuel Tade sam amp nf ensnet 1024 Revoked RSA lega Groups Validity Description 82 all staff amp acmecorp com Everyone at Acme Ge Alice Cameron lt alicec acmecom Groups Ge Bob Reynolds lt bobr acmecom n win d ow Ge Fumiko Asako lt umikoa
27. continuing Your mouse movements and keystrokes generate random information that is needed to create a unique keypair If there is not enough random infor mation upon which to build the key the PGP Random Data screen appears As instructed in the dialog box move your mouse around and enter a series of random keystrokes until the progress bar is completely filled in PGP continually gathers random data from many sources on the system includ ing mouse positions timings and keystrokes If the Random Data screen does not appear it indicates that PGP has already collected all the random data that it needs to create the keypair PGP Desktop 5 6 8 9 700 If you are in a Microsoft Exchange Server environment PGP informs you that it needs to retrieve your email user ID from your Exchange server in order to add it to your new PGP key If this is the case continue with the instructions outlined in Adding your email ID from Exchange Server to your new key on page 104 When the key generation process indicates that it is done click Next Click Finish PGP automatically puts your private key on your private key ring and your public key on your public keyring Ch 14 Making Keys User s Guide PGP Desktop Once you have created a keypair you can use PGPkeys to create new key pairs and manage all of your other keys For instance this is where you exam ine the attributes associated with a particular key specify how c
28. deleted files and even gather personal information from the free disk space of your computer If you want to completely destroy your sensitive files without leaving frag ments of their data behind use the PGP Wipe utility When you delete a file using Wipe the file is immediately overwritten even on systems with virtual memory and all traces of the file are removed so that it cannot be retrieved Ch 5 Securing Files 41 PGP Desktop User s Guide even by using disk recovery software In addition you can set file wiping options from the General tab of the PGP Options screen You can enable Wipe to automatically wipe files when deleting them To learn how to set wiping options see Setting General options on page 147 To erase the free disk space that contains data from previously deleted files and programs use PGP Free Space Wiper To ensure that your deleted data is irrecoverable erase your free disk space periodically with the Free Space Wiper Using PGP Wipe to permanently delete a file Use the Wipe feature available from the PGPmail screen and the Windows Explorer File menu to permanently erase your files and folders To permanently delete your files and folders 1 Right click on the file and then choose Wipe from the menu or drag the file onto the Wipe button on the PGPmail screen A confirmation dialog box appears 2 Click OK to permanently erase the file To stop wiping the file before the task is comp
29. disk volume For example Changing a passphrase Adding and removing alternate users Setting read only status Mounting PGPdisk volumes Unmounting already mounted PGPdisk volumes Specifying PGP Options Specifying PGP Properties for mounting the PGPdisk volume at startup or for re encrypting your volume PGPdisk Editor Pradeep PGPdisk Volume pgd File Users View Help Unmount Properties User Name Read Only Kind e Pradeep Brapal lt pradeepb acmecorp net gt DH DSS Public Key The PGPdisk Editor displays the list of users who are allowed to access the volume and their method of authentication public key or passphrase An icon appears next to the name of the administrator for the volume The PGPdisk Editor can be accessed from Windows Explorer or from PGPtray To access the PGPdisk Editor from Windows Explorer 1 Locate and select the encrypted volume file you want to modify in the Windows Explorer folder tree 83 PGP Desktop 84 2 3 User s Guide Right click on the encrypted volume s file name to display the Context menu Select PGP gt Edit PGPdisk To access the PGPdisk Editor from PGPtray 1 2 In PGPtray select PGPdisk gt Edit Disk Locate and select the encrypted volume you want to modify then click Open Changing a passphrase for a PGPdisk volume Any user who knows a passphrase can change that passphrase but the administrator always has access to the con
30. e Once it s up there it s up there Some public servers have a policy against deleting keys Others have replication features that replicate keys between keyservers so even if you are able to delete your key on one server it could reappear later To send your public key to a keyserver Open PGPkeys 2 Select the public key to copy to the keyserver 3 Open the Server menu then select the keyserver on which you want to add your key from the Send To submenu The keyserver at PGP Corpora tion is Idap keyserver pgp com PGP lets you know that the keys are successfully copied to the server Once you place a copy of your public key on a key server it s available to people who want to send you encrypted data or to verify your digital signa ture Even if you don t explicitly point people to your public key they can get a copy by searching the key server for your name or email address Many people include the Web address for their public key at the end of their email messages In most cases the recipient can just double click the address to access a copy of your key on the server Some people even put their PGP fingerprint on their business cards for easier verification Including your public key in an email message 110 Another convenient method of delivering your public key to someone is to include it with an email message When you send someone your public key be sure to sign the email That way the recipient can verify your
31. ee ee ee ee 7 Who should read this User s Guide o o o e ee 7 LICENSING 2 28542240042 428 R84 e Leeder ee ode et es ok ee a de ds 7 This Users Guide s ici E esas oe Katee aos S42 RAN SAU RENS 9 Recommended readings sk RR RE eee OA REO X nee eee ees 10 A 2c624 2344in 202i eee oe d 9 309 9 33 xe X ipEcRoR 558 XO dowd Sos Ges web Ba 12 Chapter 1 PGP Basics auo RO RR RM y a RE a A a dE 15 A 25222475 22 04 554 4484222628026 6 6455862652566 84644 15 Conventional and public key cryptography o ooo ooo 15 So what is PGP Desktop really leen 16 This users guide ee a A A AE 16 Basic steps for using PGP Desktop o o e es 17 Chapter 2 The PGP Desktop Interface o o es 19 Accessing PGP Desktop ecos cipreses kx 3o x 9 39 Sox 3 Re DASE EOE 19 PGP Desktop SCreens someta 3 9 oko ed 3 R neor ROE ee A E ens Pasa 23 Chapter 3 Making a Keypair and Working with Public Keys 25 Making your keypair 55 ss Xx33 23432533539 S540 9 264508452 boxe 25 Putting your public key on a keyserver assau naaa 27 Getting someone s public key from a keyServer o ooo o 28 Chapter 4 Securing Email ooo ee 29 Encrypting and signing email iik uk ER RS edad A 29 Decrypting and verifying email 0 ooo e e 4 36 PGP MIMIE 5 3 2 xS CE eR E OR eR e Aa 38 Chapter 5 Securing Files 5s u
32. icon representing your keypair from PGPkeys to the folder where you want to save the key Select the icon representing your keypair in PGPkeys choose Copy from the Edit menu then choose Paste to insert the key information into a text document Copy your public key from a smart card directly to someone s keyring Another method of distributing your public key if you have it on a smart card is to copy it from the smart card directly to someone s keyring For more information about how to do this refer to Copying a keypair from your keyring to a smart card on page 73 Ch 15 Exchanging Keys PGP Desktop User s Guide Obtaining the public keys of others Just as you need to distribute your public key to those who want to send you encrypted mail or to verify your digital signature you need to obtain the pub lic keys of others so you can send them encrypted mail or verify their digital signatures There are three ways to obtain someone s public key e Get the key from a public keyserver e Add the public key to your keyring directly from an email message e Import the public key from an exported file Public keys are just blocks of text so they are easy to add to your keyring by importing them from a file or by copying them from an email message and then pasting them into your public keyring Getting public keys from a keyserver 112 If the person to whom you want to send encrypted mail is an experienced PGP user
33. if the volume was encrypted to their public key their private key They also need a copy of the PGPdisk program For more infor mation on how to mount a PGPdisk volume see Mounting a PGPdisk vol ume on page 35 89 PGP Desktop 90 User s Guide Changing the size of a PGPdisk volume While you cannot change the size of a PGPdisk volume once it has been cre ated you can create a larger or smaller volume and then copy the contents from the old volume to the new one To change the size of a PGPdisk volume 1 Create a new PGPdisk volume and specify the desired size For more infor mation on how to create a new volume see Creating a new PGPdisk vol ume on page 27 Copy the contents of the existing mounted PGPdisk volume into the newly created volume Unmount the old PGPdisk volume and then delete the encrypted file asso ciated with the volume to free up the disk space Re encrypting a PGPdisk volume PGP allows you to re encrypt all data stored on a PGPdisk This feature pro vides an additional level of protection in environments requiring a higher level of security With re encryption you can change the encryption algorithm used to protect the volume or re encrypt your PGPdisk with the same encryption algorithm to change your underlying encryption key An adept user may be able to search his or her computer s memory for the PGP disk s underlying encryption key and save it in order to continue acc
34. in the PGP folder Clicking Start gt Programs gt PGP gt PGPkeys Clicking the PGPtray icon 8 in the System tray then selecting PGP keys Clicking i in your email application s toolbar Ch 14 Making Keys User s Guide Ch 14 Making Keys PGP Desktop The PGPkeys window displays the private and public keypairs you have created for yourself as well as any public keys of other users that you have added to your public keyring It is from this window that you will per form all future key management functions T PGPkeys DER File Edit View Keys Server Groups Help Ss uU gt gt IPREB CH Keys Validity Size Description J Ge Acme Corp ADK lt pradeepb acmecom net gt 2048 1024 DH DSS public key Ge Acme Com CSK lt pradeepb acmecom net gt 2048 1024 DH DSS public key Ge Acme Com Des Rev lt pradeepb acmecom net gt 2048 1024 DH DSS public key Ge Acme Corp PGPdisk ADK pradeepb amp acmecor n 2048 1024 DH DSS public key Ge Alice Cameron alicec amp acmecorp net 2048 1024 DH DSS public key Ge Bob Reynolds bobr amp acmecorp net 2048 1024 DH DSS public key Ge Fumiko Asako lt fumikoa acmecom net gt 2048 1024 DH DSS public key Ge Jose Medina lt josem acmecom net 2048 1024 DH DSS public key 2048 1024 DH DSS public key j 2048 1024 Disabled DH DSS i Ge Katerina Laval katerinal amp acmecorp net ue Maria Fuentes lt mariaf acmecorp net gt So Ming Pa
35. indicating that it is now designated as your default keypair 119 PGP Desktop User s Guide Importing and exporting keys on your PGP keyring Although you often distribute your public key and obtain the public keys of others by cutting and pasting the raw text from a public or corporate key server you can also exchange keys by importing and exporting them as sepa rate text files For instance someone could hand you a disk containing their public key or you might want to make your public key available over an FTP server Deleting a key or signature on your PGP keyring At some point you may want to remove a key or a signature from your PGP keyring When you delete a key or signature from a key it is removed and not recoverable Signatures and user IDs can be re added to a key and an imported public key can be re imported to your keyring However a private key that exists only on that keyring cannot be recreated and all messages encrypted to its public key copies can no longer be decrypted If you want to delete a signature or user ID associated with your public key ona key server see Updating your key on a keyserver on page 142 for instruc tions To delete a key or signature from your PGP keyring 1 Open PGPkeys and select the key or signature you want to delete 2 Choose Delete from the Edit menu or click z in the PGPkeys toolbar The Confirmation screen appears 3 Click OK Disabling and enabling
36. is not stored in memory for any amount of time Therefore you are required to enter your passphrase for all PGPnet communications as well as your encrypting signing and decrypting tasks 148 App A Setting PGP Options User s Guide PGP Desktop Share passphrase cache among modules Automatically saves your pass phrase in memory and shares it among other PGP modules For example if you enter your passphrase to sign then you are not prompted for it to decrypt later on Select this option with the Cache passphrases while logged on option and your passphrase is saved in memory until you log off your computer Or select this option with Cache passphrases for and set the duration for which you want to save your passphrase Number of Passes This setting controls how many times the wipe utilities pass over the disk PGP s file wiping exceeds the media sanitization requirements of Depart ment of Defense 5220 22 M at three passes Security continues to increase up to approximately 28 passes Warn before user initiated wiping When this setting is selected a dialog box appears before you wipe a file to give you one last chance to change your mind before PGP securely overwrites the contents of the file and deletes it from your computer Automatically wipe on delete When you delete a file normally by placing it in the Recycle Bin the name of the file is removed from the file direc tory but the data in the file stays on the disk and is
37. key from ICQ to your keyring When someone sends you a PGP public key through ICQ you can add it to your keyring directly from the ICQ message To add a PGP public key to your keyring from an ICO message 1 Open the message that contains the PGP key The sender s public key is displayed in the text field of the Select Key s screen T Select key s PR Select the key s you would like to import to your keyring Walidity Size Description 4 admin lt IC0 172669420 gt e 2048 2048 RSA public key gt Select All Unselect All Cancel 2 Select the key and then click Import The key is imported to your PGP keyring If your keyring already contained the public key for this user then PGP adds the ICQ ID to the key If you keyring did not already contain the pub lic key for this user then PGP adds the key to your keyring Encrypting ICQ messages To send an encrypted ICQ message 1 Exchange public keys with the person to whom you want to send secure messages 2 Compose the message just as you normally would Formatting in your ICQ message is lost when the message is decrypted 3 When you are finished composing the message click the lock icon that appears on your ICO Send Online Message dialog box The message text is encrypted 4 Click Send Ch 8 Securing ICO 61 PGP Desktop User s Guide 62 Ch 8 Securing ICO e Using Lotus Notes This chapter tells you how to use PGP s Lotus
38. keyring then the appropriate keys are used automatically If the recipients name or email address does not match a user ID on your keyring if there is no corresponding public key on your keyring for the recipient or if one or more of the keys have insufficient validity then the PGP Recipient Selection screen appears so that you can specify the cor rect key You can force the PGP Recipient Selection screen to appear even if you have a valid copy of the public keys for every one of the recipients by holding down Shift when you click Send You should do this if you want to use the Secure Viewer or Conventional Encrypt options and you do not want your message to be sent automatically Drag the public keys for those who are to receive a copy of the encrypted email message into the Recipients list box You can also double click any of the keys to move it from one area of the screen to the other The Validity icon indicates the minimum level of confidence that the public keys in the Recipient list are valid This validity is based on the signatures associated with the key You can choose to conventionally encrypt your email message Select the Conventional Encryption check box to use a common passphrase instead of public key encryption If you select this option the message is encrypted using a session key which encrypts and decrypts using a passphrase you will be asked to specify Click OK to encrypt and sign your mail If you have e
39. left of the PGPkeys window Select Smart Card Properties from the View menu The Smart Card window appears 4 Click the Contents tab The Contents tab appears showing the keys stored on your smart card 5 Click the Wipe Contents button PGP asks for a confirmation that you want to delete all keys currently on the card Once you wipe the smart card you will not be able to retrieve any keys that were previously stored on the card This includes any keypairs or private keys you created on the card If you delete the private portion of your keypair then you will not be able to decrypt any data encrypted to it 6 Click OK The PGP Enter Passphrase screen appears 7 Enter the PIN for this smart card Normally as an added level of security the characters you enter for the passphrase do not appear on the screen However if you are sure that no one is watching and you would like to see the characters of your pass phrase as you type clear the Hide Typing check box 8 Click OK PGP deletes all keys stored on the smart card 72 Ch 10 Using Smart Cards User s Guide PGP Desktop Copying a keypair from your keyring to a smart card PGP also lets you copy an existing keypair from your desktop to a smart card This is a good way to make a usable backup of your keypair you can also use the copy on your smart card to copy your public key to other people s keyring see Copying your public key from a smart card to a keyr
40. lt mingp acmecorp net gt 2048 1024 DH DSS public key og Pradeep Brapal lt pradeepb acmecorp net gt DH DSS key pair Gq SarTau lt ssamBenstfr gt P Revoked RSA lega 4g SZho B3 amp ya com P Expired DH DSS p xj Sam Ramier lt sram ny com gt J RSA legacy public Ge SJ Wilson sjwilsonvcnet com RSA public key Ge Vladimir Toskin vladimirt amp acmecorp net DH DSS public key Ge Owuor bleuep osieuep eceyauksiorye DH DSS public key Ge Aravayioc Avac lt a amp vac aypewopn woy gt DH DSS public key Depending on your situation the PGPkeys window may be empty or it may be pre configured by your PGP administrator to display specific keys 2 Click in the PGPkeys menu bar The PGP Key Generation Wizard provides some introductory information on the first screen After you read the introductory information click Next to advance to the next panel The PGP Key Generation Wizard asks you to enter your name and email address Enter your name in the Full Name box and your email address in the Email Address box then click Next It is not absolutely necessary to enter your real name or even your email address However using your real name makes it easier for others to iden tify you as the owner of your public key Also by using your correct email address you and others can take advantage of the plug in feature that automatically looks up the appropriate key on your current keyring when you
41. may need to contact the user at the remote location and tell them to send a different set of shares No secret keys could be found on your keyring There are no private keys on your keyring Generate your own pair of keys in PGPkeys Socket is not con nected The network connec tion to the PGP key server or to the net work share file connec tion has been broken Try re establishing the connec tion by repeating the procedure you used to start the connection If that fails check your connec tion to the network The action could not be completed due to an invalid file opera tion The program failed to read or write data in a certain file The file is probably corrupt Try altering your PGP Options to use a different file if possible The evaluation time for PGP encrypting and signing has passed Operation aborted The product evaluation time has expired Download the freeware version or buy the commercial version of the product The keyring contains a bad corrupted PGP packet The PGP message that you are working with has been corrupted or your keyring has been corrupted Ask the sender to re send the message if it s a message that you re working with If it s your keyring try restoring from your backup keyring The keyring file is corrupt The program failed to read or write data in a certain file There is a file that is probably corrupt or missing It
42. may or may not be the keyring file Try using a different file name or path if possible The message data contains a detached signature The signature for the message file is located in a separate file Double click on the detached sig nature file first App B Troubleshooting User s Guide App B Troubleshooting PGP Desktop Error Cause Solution The passphrase you entered does not match the pass phrase on the key The passphrase you entered is incorrect You may have the CAPS LOCK on or you simply may have mis typed the passphrase Try again The PGP library has run out of memory The operating system has run out of memory Close other running programs If that doesn t work you may need more memory in your machine The specified user ID was not added because it already exists on the selected key You can t add a User ID to a key if there is one just like it already on the key Try adding a different user ID or delete the matching one first The specified key could not be found on your keyring The key needed to decrypt the current message is not on your keyring Ask the sender of the message to re send the message and make sure they encrypt the mes sage to your public key The specified input file does not exist The file name typed in does not exist Browse to find the exact name and path of the file you want Ther
43. may want to examine or change the attributes associated with your keys For instance when you obtain someone s public key you might want to identify its type either RSA or Diffie Hellman DSS check its fingerprint or determine its validity based on any digital signatures included with the key You may also want to sign someone s public key to indicate that you believe it is valid assign a level of trust to the key s owner or change a passphrase for your private key You may even want to search a key server for some one s key You perform all of these key management functions from PGPkeys The PGPkeys screen Ch 16 Managing Keys The PGPkeys screen displays the keys you have created for yourself as well as any public keys you have added to your public keyring It is from this win dow that you perform all your key management functions To open the PGPkeys screen e open the Start menu click Programs gt PGP gt PGPkeys e click the PGPtray lock icon in the System tray and then click PGPkeys 115 PGP Desktop User s Guide e double click the keys icon in the PGP program folder The PGPkeys screen appears TT PGPkeys ejes File Edit View Keys Server Groups Help wup djpos5rgeobH Keys Validity Size gw Acme Corp ADK lt pradeepbBacmeconp net gt Ge Acme Com CSK lt pradeepb acmecomp net Ge Acme Corp Des Rev lt pradeepbBacmecorp net gt 4 Ge Acme Corp PGPdis
44. more information about these algorithms see An Introduction to Cryp tography The Preferred Algorithm choice affects the following When using conventional encryption the preferred cipher is used to encrypt When creating a key the preferred cipher is recorded as part of the key so that other people will use that algorithm when encrypting to you e The Allowed Algorithms are recorded as part of the key so that other peo ple will use one of those algorithms when encrypting to you if the pre ferred algorithm is not available to them Clear the Allowed Algorithms check boxes only if you have suddenly learned that a particular algorithm is insecure For example if you become aware that IDEA has been broken you can deselect that check box and all new keys you generate will have a record that IDEA may not be used when encrypting to you Encrypting to a public key will fail if neither the Preferred Algorithm nor any of the Allowed Algorithms are available to the person encrypting the message e Display marginal validity level Use this check box to specify whether to display marginally valid keys as such or simply to show validity as on or off Marginal validity appears as bar icons having differing shading pat terns On off validity appears as circle icons green for valid gray for invalid the key has not been validated it has not been signed by either a trusted introducer or by you e Treat marginally valid keys as inva
45. one else can use it When you apply the correct mathematical key you unscramble the data The PGPdisk encryption formula uses random data for part of the encryption process Some of this random data comes from the movement of your mouse during encryption and some random data comes directly from your passphrase The PGPdisk program offers two strong algorithm options for protecting your PGPdisk volumes CAST and Twofish CAST is considered an excellent block cipher because it is fast and very diffi cult to break Its name is derived from the initials of its designers Carlisle Adams and Stafford Tavares of Northern Telecom Nortel Nortel has applied Ch 13 PGP Disk Technical Details 93 PGP Desktop User s Guide for a patent for CAST but they have made a commitment to make CAST available to anyone on a royalty free basis CAST appears to be exceptionally well designed by people with good reputations in the field The design is based on a very formal approach with a number of formally provable assertions that give good reasons to believe that it probably requires key exhaustion to break its 128 bit key CAST has no weak keys There are strong arguments that CAST is immune to both linear and differential cryp tanalysis the two most powerful forms of cryptanalysis in the published liter ature both of which have been effective in cracking the Data Encryption Standard DES Twofish is a relatively new but well regarded 256 bit bloc
46. photo ID to a key 126 a Root CA certificate to your key 133 combining groups 35 alternate passphrases adding to PGPdisk 84 attributes changing your keyrings 115 119 viewing your keyrings 115 119 Auto unmount preference after x minutes of inactivity 87 on computer sleep 161 automatic mounting of PGPdisk volumes 79 88 unmounting of PGPdisk volumes 87 161 C Certificate server See key server changing a passphrase for a PGPdisk volume 84 your passphrase 125 checking authenticity of a key 114 conventional encryption 31 33 40 64 creating a custom key pair 101 a key pair on a smart card 68 a new PGPdisk volume 77 recipient groups 34 custom key creating 101 Index Index D decrypting email 36 ICO messages 57 using PGPtray 40 with split keys 41 default key pair specifying 119 deleting a subkey 130 digital signatures 120 files 41 47 keys from a smart card 72 from your keyring 120 recipient groups 35 user IDs 120 using Secure Wipe 41 47 designated revoker properties 130 Diffie Hellman DSS keys an overview of 97 digital signature deleting 120 disks deleting free space 41 47 scheduled wiping 43 51 wiping files from 41 47 distributing PGPdisk volumes 89 distribution lists adding members to a group list 35 combining groups 35 creating a group 34 deleting a group 35 deleting a member 35 183 PGP Desktop E email combining recipient groups 35 copying public keys from 113 creating recipient gro
47. ready to access it again e Use a screen saver with a password so that it is more difficult for some one to access your machine or view your screen when you are away from your desk e Make sure that your PGPdisk volumes cannot be seen by other computers on the network You may need to talk to your network management peo ple to guarantee this The files in a mounted PGPdisk volume can be accessed by anyone who can see them on the network e Never write down your passphrases Pick something you can remember If you have trouble remembering your passphrase use something to jog your memory such as a poster a song a poem a joke but do not write down your passphrases e f you use PGPdisk at home and share your computer with other people they will probably be able to see your PGPdisk files As long as you unmount the PGPdisk volumes when you finish using them no one else will be able to read their contents e f another user has physical access to your machine that person can delete your PGPdisk files as well as any other files or volumes If physical access is an issue try either backing up your PGPdisk files or keeping them on an external device over which only you have physical control Ch 13 PGP Disk Technical Details 95 PGP Desktop User s Guide e Be aware that copies of your PGPdisk volume use the same underlying encryption key as the original If you exchange a copy of your volume with another and both change your master
48. selection which is Never or you can enter a specific date after which the keys will expire Once you create a keypair and have distributed your public key to the world you will probably continue to use the same keys from that point on However under certain conditions you may want to create a special key pair that you plan to use for only a limited period of time In this case when the public key expires it can no longer be used by someone to encrypt mail to you but it can still be used to verify your digital signature Similarly when your private key expires it can still be used to decrypt mail that was sent to you before your public key expired but can no longer be used to sign mail to others Click Next If PGP detects that your computer is in a Microsoft Exchange Server envi ronment or if your PGP administrator has configured PGP to include spe cific installation settings the Administrator Options panel appears Read the information in this panel then click Next to continue 10 In the Passphrase panel enter the string of characters or words you want to use to maintain exclusive access to your private key To confirm your entry press the Tab key to advance to the next field then enter the same passphrase again For more information on creating an effective pass phrase see Creating a passphrase you will remember on page 105 Ch 14 Making Keys User s Guide Ch 14 Making Keys PGP Desktop Normally as an adde
49. sensitive data cannot be recovered 4 Click Next to continue The Perform Wipe dialog box opens and displays statistical information about the drive or volume you selected 5 Click the Begin Wipe button to start freespace wiping your disk or volume The PGP Free Space Wiper scans and then wipes leftover fragments from your disk or volume 6 When the wipe session ends click Finish Clicking Cancel during file wipe can leave remains of the file on your computer Scheduling folder and free space wiping You can use the Windows Task Scheduler to schedule periodic folder and free space wiping for selected folders To use this scheduling feature you must have the Windows Task Scheduler installed on your system If you do not have the Task Scheduler installed on your system you can download it from the Microsoft Web site http www microsoft com To schedule folder and free space wiping 1 On the PGPmail screen click the Freespace Wipe button to start the Freespace Wipe Wizard The Wipe Free Space Wizard appears Ch 5 Securing Files 43 PGP Desktop 44 User s Guide Read the information in the welcome screen then click Next to advance to the next dialog box The PGP Free Space Wipe Wizard prompts you to select the volume you want to wipe and the number of passes you want to perform In the Volume box select the disk or volume that you want PGP to wipe Then select the number of passes that y
50. still recoverable even after you empty the Recycle Bin When you enable the Automatically Wipe on Delete option the Empty Recycle Bin action wipes the contents of the Recycle Bin so that your deleted items can no longer be recovered Click OK to save your changes and close the PGP Options screen or select another tab to continue configuring your PGP options App A Setting PGP Options 149 PGP Desktop User s Guide Setting Files options Use the Files tab to specify the location of the keyrings used to store your pri vate and public keys PGP Options General Files Email HotKeys Servers CA Advanced PGPdisk PGP Keyring Files Public WE nd SettingssPradeep Brapal My DocumentsiPGP pubring pkr Private and Settings Pradeep Brapal My Documents PGP secring skr Make your selections for the following options e Public shows the current location and name of the file where the PGP pro gram expects to find your public keyrings If you plan to store your public keys in some other location you must specify this information here The location you specify can also be used to store all automatic backups of the public keyring e Private shows the current location and name of the file where the PGP program expects to find your private keyrings If you plan to store your private keys in some other location you must specify this information here Some users like to keep their private keyring on a floppy disk which th
51. the key from which your passphrase cannot be derived remains in memory while the disk is mounted This key is protected from virtual memory however if a certain section of Ch 13 PGP Disk Technical Details User s Guide PGP Desktop memory stores the exact same data for extremely long periods of time with out being turned off or reset that memory tends to retain a static charge which could be read by attackers If your PGPdisk is mounted for long peri ods over time detectable traces of your key could be retained in memory Devices exist that could recover the key You won t find such devices at your neighborhood electronics shop but major governments are likely to have a few PGPdisk protects against this by keeping two copies of the key in RAM one normal copy and one bit inverted copy and inverting both copies every few seconds Other security considerations In general the ability to protect your data depends on the precautions you take and no encryption program can protect you from sloppy security prac tices For instance if you leave your computer on with sensitive files open when you leave your desk anyone can access that information or even obtain the key used to access the data Here are some tips for maintaining optimal security e Make sure that you unmount PGPdisk volumes when you leave your com puter This way the contents will be safely stored in the encrypted file associated with the volume until you are
52. this manner of attack it is widely recommended that you create a word that includes a combination of upper and lowercase alphabetic letters numbers punctuation marks and spaces This results in a stronger password but an obscure one that you are unlikely to remember easily Trying to thwart a dictionary attack by arbitrarily inserting a lot of funny non alphabetic characters into your passphrase has the effect of making your passphrase too easy to forget and could lead to a disastrous loss of informa tion because you can t decrypt your own files A multiple word passphrase is less vulnerable to a dictionary attack However unless the passphrase you choose is something that is easily committed to long term memory you are unlikely to remember it verbatim Picking a phrase on the spur of the moment is likely to result in forgetting it entirely Choose something that is already residing in your long term memory It should not be something that you have repeated to others recently nor a famous quotation because you want it to be hard for a sophisticated attacker to guess If it s already deeply embedded in your long term memory you probably won t forget it Of course if you are reckless enough to write your passphrase down and tape it to your monitor or to the inside of your desk drawer it won t matter what you choose 105 PGP Desktop User s Guide Changing your keypair Once you create your key you can add remove or change
53. volumes Creating copying moving and deleting files and folders stored on your PGPdisk volume Accessing the PGPdisk Editor for a PGPdisk volume When a volume is unmounted its contents remain secured in an encrypted file where it is inaccessible until the volume is once again mounted The PGD file containing the PGPdisk contents can be stored on any disk drive in your system When a PGPdisk volume is mounted it appears as an empty disk drive in a Windows Explorer window so you can start working in it immediately To mount a PGPdisk volume in Windows Explorer 1 3 4 Locate and select the encrypted volume file you want to mount from the Windows Explorer folder tree Right click on the encrypted volume s file name to display the Context menu Select PGP gt Mount PGPdisk Enter the passphrase and click OK To unmount a PGPdisk volume in Windows Explorer 1 Locate and select the PGPdisk volume you want to unmount in the Win dows Explorer folder tree Right click on the mounted volume s file name to display the Context menu Select PGP gt Unmount PGPdisk Ch 11 PGP Disk Basics User s Guide PGP Desktop Creating a new PGPdisk volume To create a new PGPdisk volume 1 2 Ch 11 PGP Disk Basics Select Start gt Programs gt PGP gt PGPdisk The PGPdisk Wizard appears on your screen Read the introductory infor mation Click Next A dialog box appears t
54. you ve added names photographs or revokers first to be updated from the server and then your changes sent to the server upon completion of the update Updating the key beforehand ensures that for example the key has not been revoked since you last updated it App A Setting PGP Options 153 PGP Desktop 154 User s Guide Revocation Select this option to allow keys you revoke first to be updated from the server and then your changes sent to the server upon completion of the update Verification Select this option to have PGP automatically search and import from the key server when verifying a signed email message or file for which you do not have the sender s public key Modifying the list of servers The buttons on the right side of the list of servers let you modify the list New Adds a new server to your list see Adding and editing servers on page 145 for more information Remove Removes the currently selected server from your list Edit Allows you to edit server information for the currently selected server Set As Root Identifies the root server that is used for specific corporate operations such as updating group lists sending group lists updating introducers etc In corporate settings your PGP administrator will have already configured this Move Up and Move Down Use these buttons to arrange the servers in order of preference Adding and editing servers To add a new server or edit an exis
55. 1371 is used for old style HTTP key server 389 is commonly used for LDAP key servers If you don t know the port number leave this box blank the default port number for the type of server you are configuring will be used The Key box is for LDAPS servers The server key is used by the server to authenticate the connection Key information is not displayed until you connect to the server Under Serves Key for Domain select the Any Domain option to allow PGP to send keys from any domain to this keyserver This setting also applies to automatic searches and updates It is enabled by default If you want PGP to send only keys from a specific domain to this key server select the option below Any Domain Then enter the domain name in the space provided For example if you specify the domain pgp com only those keys whose email address ends in pgp com will be sent to this server Select the List in search window check box if you want this key server listed in the PGP Keys Search window When you have made your selections click OK The Server Information screen disappears and the server you just config ured displays in the list Click OK to save your changes and close the PGP Options screen or select another tab to continue configuring your PGP options 155 PGP Desktop User s Guide Setting certificate authority CA options Use the CA tab to add your X 509 certificate to your PGP key Before you can add your X 509 certifi
56. 4 bit block symmetric cipher using 128 bit keys based on mixing oper ations from different algebraic groups Considered one of the strongest algorithms Implicit trust Implicit trust is reserved for keypairs located on your local keyring If the private portion of a keypair is found on your keyring PGP assumes that you are the owner of the keypair and that you implicitly trust yourself Integrity Assurance that data is not modified by unauthorized persons during stor age or transmittal Introducer A person or organization who is allowed to vouch for the authenticity of someone s public key You designate an introducer by signing their public key ISO International Organization for Standardization Responsible for a wide range of standards like the OSI model and interna tional relationship with ANSI on X 509 Key A digital code used to encrypt and sign and decrypt and verify messages and files Keys come in keypairs and are stored on keyrings Key escrow recovery A practice where a user of a public key encryption system surrenders their private key to a third party thus permitting them to monitor encrypted communications Key exchange A scheme for two or more nodes to transfer a secret session key across an unsecured channel Key fingerprint A uniquely identifying string of numbers and characters used to authenti cate public keys For example you can telephone the owner of a public key and have him or her read the finge
57. 5 Exchanging Keys for detailed information Validate the public keys you get from the keyserver Once you have a copy of someone s public key you can add it to your public keyring A keyring is a file that stores your keys Each user has two keyrings one public and one private Your public keyring stores public keys yours and those you receive from others Your private keyring stores your private key s When you get someone s public key you should make sure that it has not been tampered with and that it really belongs to the purported owner You do this by comparing the unique fingerprint on your copy of someone s public key to the fingerprint on that person s original key For more information about validity and trust refer to An Introduction to Cryptography For instructions how to validate someone s public key see Validating keys on page 114 Start securing your email and files After you have generated your keypair and have exchanged public keys you can begin encrypting signing decrypting and verifying your email messages and files 17 PGP Desktop User s Guide To perform a PGP Desktop task you must select the file or email message that you want to secure and then choose your task Encrypt Sign Decrypt or Verify To learn how to access PGP Desktop see Chapter 2 The PGP Desktop Interface 18 Ch 1 PGP Basics 2 The PGP Desktop Interface There are multiple ways to access PGP Desktop functions
58. After you read the information click Next The PGP Key Generation Wizard asks you to enter your name and email address 4 Enter your name in the Full Name box and your email address in the Email Address box then click Next It is not absolutely necessary to enter your real name or even your email address However using your real name makes it easier for others to iden tify you as the owner of your public key Also by using your correct email address you and others can take advantage of the plug in feature that automatically looks up the appropriate key on your current keyring when you address mail to a particular recipient 5 f PGP detects that your computer is in a Microsoft Exchange Server envi ronment or if your PGP administrator has configured PGP to include spe cific installation settings the Administrator Options panel appears Read the information on this panel then click Next to continue 6 On the Passphrase screen enter the string of characters or words you want to use to maintain exclusive access to your private key To confirm your entry press Tab to advance to the next field then enter the same passphrase again For more information on creating an effective pass phrase see Creating a passphrase that you will remember on page 45 26 Ch 3 Making a Keypair and Working with Public Keys User s Guide PGP Desktop Normally as an added level of security the characters you enter for the passphrase do not app
59. DH DSS public key DH DSS public key 2048 1024 DH DSS public key lt eeeecccg eccccccoct Ch 2 The PGP Desktop Interface 23 PGP Desktop User s Guide 24 The PGP Mail Screen The PGP Mail screen gives you quick access to basic PGP Desktop functions encrypt sign encrypt and sign decrypt verify wipe and freespace wipe You can also open the PGPkeys screen For more information about PGPmail functionality refer to Chapter 4 Securing Email and Chapter 5 Securing Files To access the PGP Mail screen 1 Click the PGPtray icon 2 Select PGPmail from the menu The PGPmail screen appears x PGPmail The PGP Disk Editor Screen The PGP Disk Editor screen lets you do things to PGPdisk volumes like change the passphrase or add alternate users You can access the PGP Disk Editor screen in either of the following ways e Click the PGPtray icon slide up to PGPdisk and then over to Edit Disk On the Choose a PGPdisk screen select the PGPdisk you want to open then click Open e n Windows Explorer right click on the PGPdisk you want to edit slide down to PGP then over to Edit PGPdisk The PGPdisk Editor screen appears for the selected PGPdisk PGPdisk Editor Pradeep PGPdisk Volume pgd File Users View Help Unmount Properties User Name Read Only Kind g Pradeep Brapal lt pradeepb acmecorp net gt DH DSS Public Key Ch 2 The PGP Desktop Interface 3 Making a Keypair and Working
60. Editor click the Mount button or select Mount from the File menu The mounted PGPdisk volume appears on an empty drive in a Windows Explorer window Using a mounted PGPdisk volume You can create copy move and delete files and folders on a PGPdisk volume just as you normally do with any other volume Similarly anyone else who has access to the volume either on the same machine or perhaps over the network can also access the data stored in the volume It is not until you unmount the volume that the data in the encrypted file associated with the volume is made inaccessible Although the encrypted file associated with each volume is safe from snooping it can still be deleted If an unauthorized person is able to access your data he or she could potentially delete the encrypted file upon which the volume is based It is a good idea to keep a backup copy of the encrypted file 80 Ch 11 PGP Disk Basics User s Guide PGP Desktop Unmounting a PGPdisk volume After you are through accessing a given volume and you want to lock its con tents you need to unmount the volume You may lose data if you unmount a PGPdisk volume that contains open files If you select Allow forcible unmounting of PGPdisks with open files and Don t ask before forcibly unmounting a PGPdisk from the PGP Options panel then you will not receive a warning before unmounting a volume that contains open files and you risk losing the data stored in the volume F
61. GP Enter Passphrase screen appears 4 Enter your passphrase then click OK When you revoke a key it is marked out with a red X to indicate that it is no longer valid 5 Send the revoked key to the server so everyone will know not to use your old key Additional Decryption Key properties To access the ADK panel for a particular key select the desired key and then choose Properties from the Keys menu The Key Properties screen appears Click the ADK tab The ADK panel appears Note if there are no Additional Decryption Keys associated with the selected key then the ADK tab does not appear The ADK panel lists all Additional Decryption Keys ADKs for the selected key ADKs are keys that allow the security officers of an organization to decrypt messages that have been sent to or from people within your organiza tion There are two types of keys incoming additional decryption keys and outgoing additional decryption keys Although your PGP administrator should not ordinarily use the Additional Decryption keys there may be circumstances when it is necessary to recover someone s email For example if someone is injured and out of work for some time or if email records are subpoenaed by a law enforcement agency and the corporation must decrypt mail as evidence for a court case 132 Ch 16 Managing Keys User s Guide PGP Desktop Adding an X 509 certificate to your PGP key Ch 16 Managing Keys The instructions in this
62. I elk pd x he eae Lv dus 67 Generating a keypair on a smart card o e 67 Examining smart card propertieS o 70 Copying your public key from a smart card to a keyring 71 Wiping keys from your smart card a E AA RU RR wy 72 Copying a keypair from your keyring to a smart card 1 0 eee es 73 Chapter 11 PGP Disk BasiGS x uk AV EEXQUEEGO XC RAE Beek See X XE 75 What is PGP DISK Zas etu Pi Ser R SAR A ASAS A 75 Accessing PGPAISk et a a alado dd e dra al dt XA 75 Working with PGPdisk in Windows Explorer oo e 76 Creating a new PGPdisk volume o o e 17 Mounting a PGPdisk volume vera eee yee tte Si A ee RA SUV is TA 80 Using a mounted PGPdisk volume 0 0c es 80 iv Table of Contents User s Guide PGP Desktop Unmounting a PaPdisk volume aux Ea AAA A Be 81 Chapter 1 2 Using PGP Disk iiie e caina e aeaa Save ae Be e SE Be 83 Working with PGPdisk in a PGPdisk Editor o o 83 Maintaining PGPdisk volumes sasaaa aaa 88 Chapter 13 PGP Disk Technical Details lt lt 93 About PGPdisk volumes osa a A Se 93 The PGPdisk encryption algorithms oo es 93 Special security precautions taken by PGPdisk o o 94 Chapter 14 Making Keys Dura ae RR eee ite ee a Ce ex Aa 97 CHOOSING a Key type a RIAS Y aee cta statue b
63. Keys 113 PGP Desktop User s Guide e f you are using an email application that is not supported by the plug ins you can add the public key to the keyring by copying the block of text that represents the public key and pasting it into PGPkeys Importing keys and X 509 certificates You can import PGP public keys and PKCS 12 X 509 certificates a digital certificate format used by most Web browsers to your PGP public keyring You can also import Privacy Enhanced Mail PEM format X 509 certificates from your browser by copying and pasting into your public keyring Another method for obtaining someone s public key is to have that person save it to a file from which you can import it or copy and paste it into your public keyring There are three methods of extracting someone s public key and adding it to your public keyring e Select Import from the Keys menu and then navigate to the file where the public key is stored e Drag the file containing the public key onto the main PGPkeys window e Open the text document where the public key is stored select the block of text representing the key and then choose Copy from the Edit menu In PGPkeys choose Paste from the Edit menu to copy the key The key then shows up as an icon in PGPkeys You can also get PKCS 12 X 509 private keys by exporting them from your browser and dropping them into PGPkeys or by choosing Import from the Keys menu When importing an X 509 certificate the certificat
64. PGP Desktop tor Windows User s Guide Version Information PGP Desktop for Windows User s Guide version 8 1 Released June 7 2004 Copyright Information Copyright 1991 2004 by PGP Corporation All Rights Reserved No part of this document can be reproduced or transmitted in any form or by any means electronic or mechanical for any purpose without the express written permission of PGP Corporation Trademark Information PGP and Pretty Good Privacy are registered trademarks and the PGP logo is a trademark of PGP Corporation in the U S and other countries IDEA is a trademark of Ascom Tech AG All other reg istered and unregistered trademarks in this document are the sole property of their respective own ers Licensing and Patent Information The IDEA cryptographic cipher described in U S patent number 5 214 703 is licensed from Ascom Tech AG The CAST encryption algorithm is licensed from Northern Telecom Ltd PGP Corporation may have patents and or pending patent applications covering subject matter in this software or its documentation the furnishing of this software or documentation does not give you any license to these patents Acknowledgments The compression code in PGP Desktop is by Mark Adler and Jean Loup Gailly used with permis sion from the free Info ZIP implementation Export Information Export of this software and documentation may be subject to compliance with the rules and regu lations promulgated
65. Pkcs 12 X 509 114 location of 115 Index User s Guide public keys add or remove for a PGPdisk file 80 advantages of sending to key server 109 copying from a smart card 71 copying from email messages 113 exporting to files 111 getting from a key server 112 importing from files 114 including in an email message 110 location of 115 obtaining others 112 114 searching key server 112 sending to key server 109 signing 123 R receiving private email 29 recipient groups combining groups 35 creating 34 deleting 35 deleting a group 35 recipients groups of 34 reconstructing your key 107 144 rejoining a split key 139 removing a photo ID from a key 127 a subkey 130 files using Secure Wipe 41 47 keys from a smart card 72 revoker viewing key properties 130 revoking a subkey 129 keys 132 Root CA certificates 133 RSA keys an overview of 97 RSA Legacy keys an overview of 97 Index PGP Desktop S scheduling folder wiping 43 51 free space wiping 43 51 the Free Space Wiper 43 51 searching key server 112 Secure Viewer email encryption option 29 with previous versions 30 32 Secure Wipe using 41 47 Self Decrypting Archive SDA creating 40 sending private email 29 servers mounting PGPdisk volumes on 88 servers See also key servers setting passphrase for a key 26 100 102 145 signing 120 email 29 35 keys 123 public keys 123 with split keys 41 sleep mode unmounting PGPdisk in 161 smart card changing passphra
66. Split Message mode window in order for the PGP plug in but tons to appear 57 PGP Desktop User s Guide Encrypt 5 Send Online Message User Is Away message ICQ 168397671 Nick papasmuf EMail Chars 0 9 ey e T Msg Mode History Multiple gt gt Send your PGP public key Before you can encrypt an ICQ message you must obtain the public key of the person for whom you are sending the encrypted message You can obtain the recipients public key and add it to your PGP keyring through ICQ Exchanging public keys in ICQ To begin sending and receiving encrypted instant messages within ICQ you must exchange public keys with each person with whom you want to securely correspond With the PGP plug in you can send and receive PGP public keys through the ICQ application as well as send encrypted messages Sending your public key through ICO You can send your PGP public key to someone through ICQ Your public key has your ICQ number attached to it To send your PGP public key to someone through ICQ 1 Double click on the name of the person in your ICQ Contact List to open the ICQ Send Online Message dialog box 2 If you want to send a message along with your key enter the message text just as you normally would 3 Click the Send Key button The first time you use PGP with ICQ the PGP ICO Wizard appears Use the wizard to add your ICO number as an identifier to your PGP key allow
67. a number of items in your keypair at any time Your private and public keys are stored in separate keyring files You can copy them to another location on your hard drive or to a floppy disk By default the private keyring secring skr and the public keyring pubring pkr are stored along with the other program files in your PGP folder you can save your backups in any location you like Keys generated on a smart card cannot be backed up because the private por tion of your keypair is non exportable You can configure PGP to back up your keyrings automatically after you close PGP Your keyring backup options can be set in the Advanced tab of the Options screen Protecting your keys Besides making backup copies of your keys you should be especially careful about where you store your private key Even though your private key is pro tected by a passphrase that only you should know it is possible that some one could discover your passphrase and then use your private key to decipher your email or forge your digital signature For instance somebody could look over your shoulder and watch the keystrokes you enter or intercept them on the network or even over the Internet To prevent anyone who might happen to intercept your passphrase from using your private key store your private key only on your own computer If your computer is attached to a network make sure that your files are not automatically included in a system wide back
68. able behavior Open PGPkeys Click the New Key button on the PGPkeys menu bar The Key Generation Wizard Welcome screen appears 4 Click the Expert button The Key Generation Wizard Expert panel appears 5 Enter your name in the Full Name box and your email address in the Email Address box It is not absolutely necessary to enter your real name or email address However using your real name makes it easier for others to identify you as the owner of your public key Also by using your correct email address you and others can take advantage of the plug in feature that automatically looks up the appropriate key on your current keyring when you address mail to a particular recipient 6 In the Key Type box select the type of key you want to create Diffie Hellman DSS keys are not supported on smart cards In the Key Size box select a key size of 1024 bits Indicate when you want your keys to expire You can either use the default selection Never or you can enter a specific date after which the keys will expire Once you create a keypair and have distributed your public key to the world you will probably continue to use the same keys from that point on However under certain conditions you may want to create a special key pair that you plan to use for only a limited period of time In this case when the public key expires it can no longer be used by someone to encrypt mail to you but it can still be used to verify your digital
69. adeepb acmecorp net gt 2048 1024 Acme Corp Des Rev lt pradeepb acmecorp net gt 2048 1024 Acme Corp PGPdisk ADK lt pradeepb acmecorp net gt 2048 1024 Alice Cameron lt alicec acmecorp net gt 2048 1024 Bob Reynolds lt bobr acmecorp net gt 2048 1024 Fumiko Asako lt fumikoa Bacmecorp net gt 2048 1024 Jose Medina lt josem acmecorp net gt 2048 1024 E er ee Pg 5 M TERCER andina Some recipient keys are not valid Please verify that these recipients are correct Encryption Cancel Help options Conventional Encryption 5 Drag the public keys for those who are to receive a copy of the encrypted email message into the Recipients list box You can also double click any of the keys to move it from one area of the screen to the other The Validity icon indicates the minimum level of confidence that the public keys in the Recipient list are valid This validity is based on the signatures associated with the key You can choose from the following encryption options depending on the type of data you are encrypting e Secure Viewer Select this option to protect the data from TEMPEST attacks upon decryption If you select this option the decrypted data is displayed in a special TEMPEST attack prevention font that is unreadable to radiation capturing equipment and cannot be saved in decrypted format For more information about TEMPEST attacks see the section on vulnerabilities in An Introduction to Cryptograp
70. any potential journal entries that may have been created NTFS in particular can also store small less than 1K files in internal data structures that cannot be wiped properly without using the PGP Free Space Wiper with the Wipe NTFS internal data structures option PGP s file wiping exceeds the media sanitization requirements of Department of Defense 5220 22 M at three passes Security continues to increase up to approximately 28 passes Using PGP Wipe to permanently delete a file Ch 6 Wiping Use the PGP Wipe utility to permanently erase sensitive files and folders To permanently erase sensitive files and folders 1 Right click on the file slide down to PGP then over to Wipe from the menu or drag the file over the Wipe button on the PGPmail screen A wipe confirmation screen appears 47 PGP Desktop User s Guide 2 Click Yes to permanently erase the file To stop wiping the file before the task is completed click No Clicking Cancel during the wiping of a file can leave remnants of the file behind Many programs automatically save files in progress so backup copies of the file you deleted may exist PGP Corporation recommends that you run the Wipe util ity on the backup copies as well as the original file to thoroughly erase it from your system The best way to handle this situation is to enable PGP s Auto matically wipe on delete option on the General Options tab see Setting Gen eral options
71. assword your keypair for authentication to the computer that is collecting the key shares a network connection the IP address or Domain Name of the rejoining computer collecting the key shares Select Send Key Shares on the PGPkeys File menu Choose Send Share File from the PGPkeys File menu The Select Share File screen appears Locate your key share and then click Open The PGP Enter Passphrase screen appears 141 PGP Desktop User s Guide 5 Enter your passphrase and then click OK The Send Key Shares screen appears Send Key Shares Share File Jim Shares 1 Remote Address 192 168 1 101 Network Status Not Connected Authenticated 6 Enter the IP address or the Domain Name of the rejoining computer in the Remote Address text box then click Send Shares The status of the transaction is displayed in the Network Status box When the status changes to Connected you are asked to authenticate yourself to the rejoining computer The Remote Authentication screen appears asking you to confirm that the remote computer is the one to whom you want to send your key share 7 Click Confirm to complete the transaction After the remote computer receives your key shares and confirms the transaction a message box appears stating that the shares were success fully sent 8 Click OK 9 Click Done in the Key Shares window when you have completed sending your key share Updatin
72. ate portion of your keypair is non exportable To create a split key with multiple shares 1 In PGPkeys create a new keypair or select an existing keypair that you want to split 2 On the Keys menu click Share Split The Share Split screen opens 3 Add shareholders to the keypair by dragging their keys from PGPkeys to the Shareholder list on the Share Split screen To add a shareholder that does not have a public key click Add on the Share Split screen enter the persons name and then allow the person to type in their passphrase 4 When all of the shareholders are listed you can specify the number of key shares that are necessary to decrypt or sign with this key 137 PGP Desktop 138 User s Guide The total number of shares that make up the Group Key in the following example is four and the total number of shares required to decrypt or sign is three This provides a buffer in the event that one of the shareholders is unable to provide his or her key share or forgets the passphrase Split PGP Key Split Key Pradeep Brapal lt pradeepbB acmecorp net gt Shareholders To add shareholders drag their keys to this window or click Add to add a user without a key Key User Name Shares Ming Pa lt mingp acmecorp net gt Alice Cameron lt alicec acmecorp net gt Bob Reynolds lt bobr acmecorp net gt Robert Goodman Add Total Shares 4 Total Shares Required to Decrypt or Sign 2
73. by this option will cause them to be wiped This option does not increase the risk of anything negative happening to your disk as a result of the wiping operation 5 Click Next 49 PGP Desktop User s Guide The Perform Wipe screen opens and displays statistical information about the drive or volume you selected Wipe Free Space Wizard Perform Wipe Select Begin Wipe to start the free space wipe process If you would rather schedule this free space wipe for another time with the task scheduler press Schedule Disk Statistics for Drive C File System NTFS Number of Clusters 7315599 Sectors per Cluster 8 Bytes per Sector 512 Total Capacity 29262396 K Pass 1 3 Press Begin Wipe button to start wiping 6 Click Begin Wipe The PGP Free Space Wiper scans and then wipes leftover fragments from your disk or volume When the wipe session is complete a message appears near the bottom of the Perform Wipe screen telling you the selected drive has been wiped 7 Click Next The Completing screen appears Wipe Free Space Wizard Completing the PGP Wipe Free Space Wizard Congratulations You have successfully free space wiped your disk drive Data that has been previously erased will be unrecoverable Click Finish to close this Wizard 8 Click Finish 50 Ch 6 Wiping User s Guide PGP Desktop Scheduling folder and free space wiping Ch 6 Wiping You
74. cate however you must first obtain the Root CA certif icate from your company s key server PGP Options General Files Email HotKeys Servers CA Advanced PGPdisk Certificate Authority Identification URL Revocation URL Type Windows 2000 Root Certificate Select Certificate For instructions on how to obtain the Root CA certificate and add an X 509 certificate to your key see Adding an X 509 certificate to your PGP key on page 133 Click OK to save your changes and close the PGP Options screen or select another tab to continue configuring your PGP options 156 App A Setting PGP Options User s Guide PGP Desktop Setting Advanced options Use the Advanced tab to select your preferred encryption algorithm the allowed algorithms key trust options key export format and automatic key ring backup settings PGP Options General Files Email HotKeys Servers CA Advanced PGPdisk Encryption Preferred algorithm v Allowed Algorithms v AES M TripleDES IDEA Twofish Trust Model Export Format C Display marginal validity level O Compatible C Treat marginally valid keys as invalid Complete Warm when encrypting to keys with ADKs Smart Card Support Software Update None v v Automatically check for updates v Automatic keyring backup when PGPkeys closes Backup to keyring folder Backup to Make your selections for the fol
75. cent to Click here to Authorize manually paste the license authorization block into the box then click Authorize 8 Introduction User s Guide PGP Desktop This User s Guide The chapters and appendices in this User s Guide include e Chapter 1 PGP Basics provides an overview of PGP and what it does e Chapter 2 The PGP Desktop Interface describes and shows the way you interact with PGP e Chapter 3 Making a Keypair and Working with Public Keys tells you how to make your first keypair how to upload your public key to a keyser ver and how to download the public keys of others e Chapter 4 Securing Email tells you how PGP can secure your email messages e Chapter 5 Securing Files tells you how to use PGP to secure files on your computer e Chapter 6 Wiping describes how to erase files and or folders from your system so that they are not recoverable e Chapter 7 Self Decrypting Archives describes Self Decrypting Archives SDAs and tells you how to create them e Chapter 8 Securing ICO tells you how to secure your ICO communica tions e Chapter 9 Using Lotus Notes describes the Lotus Notes plugin and tells you how to use it e Chapter 10 Using Smart Cards describes smart cards and tells you how to use them with PGP e Chapter 11 PGP Disk Basics provides an overview of PGP Disk e Chapter 12 Using PGP Disk tells you how to use PGP Disk to create a secure drive on yo
76. cess Twofish Cipher Algorithm 256 bit Twofish is a new 256 bit block cipher symmetric algorithm It was one of five algorithms that the U S National Institute of Standards and Technology NIST considered for the Advanced Encryption Standard AES Ch 11 PGP Disk Basics User s Guide PGP Desktop Choose a filesystem format Specify a file system format for the new PGPdisk volume FAT available on all Windows platforms NTFS Windows NT 2000 and XP platforms only available for PGP disk volumes larger than 5MB FAT32 Windows 95 Windows 98 and Windows 2000 platforms only available for PGPdisk volumes larger than 260 MB Mount at startup Check this option to mount PGPdisk volumes at star tup When checked you are prompted for your PGPdisk passphrase at startup 9 Click OK This closes the Advanced Options dialog box 10 Click Next 11 Choose a protection method for your new PGPdisk volume Select one of the following options Public key If you choose to protect your PGPdisk with a public key a list of the public keys on your keyring will appear Select the key you want to use to protect your new PGPdisk volume Passphrase If you choose to protect your PGPdisk with a passphrase you must also enter a user name Enter the string of words or characters that serves as your passphrase to access the new volume also called the volume s master pass phrase To confirm your entry press Tab to advance to the
77. characters that serves as the passphrase to access the new volume To confirm your entry press Tab to advance to the next text box then enter the same passphrase again The suggested minimum size for a passphrase is eight characters Normally as an added level of security the characters you enter for the passphrase are not visible on the screen However if you are sure that no one is watching either physically or over the network and you would like to see the characters of your passphrase as you type click the Hide Typing box Your security is only as good as your passphrase Ch 12 Using PGP Disk 85 PGP Desktop User s Guide 6 Click Next A progress bar indicates how much of the PGPdisk volume has been initialized and formatted 7 Click Finish The alternate user has been added Once you have added an alternate user you can remove the alternate user by choosing Remove from the User menu To assign read only status 1 Open the PGPdisk Editor for the volume you want to modify then select the user name 2 Select Toggle Read Only from the User menu The Passphrase dialog box appears prompting you to enter the adminis trator s passphrase 3 Enter the administrator passphrase then click OK A red dot appears next to the user s name in the Read Only column Once you have assigned read only status to a user you can remove the restriction by repeating the steps above Removing alternate users from a PGPd
78. cular email domain If you want to limit the Trusted Introducer s key validation capabilities to a single domain enter the domain name in the Domain Restriction text box If you want to assign an expiration date to this signature enter the date on which you want this signature to expire in the Date text box Other wise the signature will never expire Click OK Enter your passphrase then click OK An icon associated with your user name is now included with the public key that you just signed Granting trust for key validations 124 Besides certifying that a key belongs to someone you can assign a level of trust to the owner of the keys indicating how well you trust them to act as an introducer for others whose keys you may get in the future This means that if you ever get a key from someone that has been signed by an individual whom you have designated as trustworthy the key is considered valid even though you have not done the check yourself To grant trust for a key Open PGPkeys and select the key for which you want to change the trust level You must sign the key before you can set the trust level for it Ch 16 Managing Keys User s Guide 4 PGP Desktop Choose Properties from the Keys menu or click A to open the Properties screen Use the Trust Level sliding bar to choose the appropriate level of trust for the keypair Trust Model Invalid sw 3 Valid Implicit Trust Close the dialog box to
79. d Key screen appears with the split key selected 4 Click OK to reconstitute the selected key 139 PGP Desktop 140 User s Guide The Key Share Collection screen appears Key Share Collection Key Test lt Key gt Key User Name Total Shares Collected 0 Total Shares Needed Network Shares To receive shares securely over Start Network your network connection click the Start Network button Local Shares To add a Share File stored Select Share File on this computer click the Select Share File button Cancel Do one of the following If you are collecting the key shares locally click Select Share File and then locate the share files associated with the split key The share files can be collected from the hard drive a floppy disk or a mounted drive Continue with Step 6 If you are collecting key shares over the network click Start Network The Passphrase dialog box opens In the Signing Key box select the keypair that you want to use for authentication to the remote system and enter the passphrase Click OK to prepare the computer to receive the key shares The status of the transaction is displayed in the Network Shares box When the status changes to Listening the PGP application is ready to receive the key shares At this time the shareholders must send their key shares Ch 16 Managing Keys User s Guide Ch 16 Managing Keys PGP Desktop When a s
80. d RR RO a Be ke Ro RR RR UR A ROI 39 Securing your files and folders with PGP o ooo ooo 39 Signing and decrypting files with a Split key 0 ooo oo oo 41 Permanently erasing files and free disk Space 0 oo moco moon 41 Table of Contents lii PGP Desktop User s Guide Chapter 6 Wiping ui ad ad de ld x e e e e A AO e E AA 47 ONES ds di de e ii il ds te 47 Using PGP Wipe to permanently delete a file o 47 Using the Wipe Free Space Wizard to clean free disk space 48 Scheduling folder and free space Wiping o o ee ee 51 Chapter 7 Self Decrypting Archives 0 o 55 Creating aM S DASS pac tek As ld a AS x e AAA e 55 Opening an SOA ss eri dd od ARUN id idu du M uictis dd Ad a oe 56 Chapter 8 Securing ICQ z 2n Ere med Xe area ar UE Ex ac NC ERE CE eR Es 57 ABOBUIG O odas Suc ers Lp Mo aiti t ie dre e out M rA dn yd dM NN 57 Exchanging public keys in ICQ zar ERES a SEE EE e eee 58 Encrypting ICO Messages vss oor RE ER REOR E X E EURO es 61 Chapter 9 Using Lotus Notes suicidar mk Ro R8 aa ER IC RC 63 OVEIMICW 2 9882 A dol ghe m deu iue uu SN ed A aie iB debui e 63 Encrypting and Signing sier 3 Svp ir S ee Ao a epe verus A dug qa dts fe 63 Decrypting and verifying suras ie AD p DONE FOROR maux O ds 64 Chapter 10 Using Smart Cards llle 67 COVOrVIBDV uas Peras e pcnc EIE e a s
81. d level of security the characters you enter for the passphrase do not appear on the screen However if you are sure that no one is watching and you would like to see the characters of your pass phrase as you type clear the Hide Typing check box Unless your administrator has implemented a PGP key reconstruction policy for your company no one including PGP Corporation can salvage a key with a for gotten passphrase 11 Click Next to begin the key generation process The PGP Key Generation Wizard indicates that it is busy generating your key If you have entered an inadequate passphrase a warning message appears before the keys are generated and you have the choice of accept ing the bad passphrase or entering a more secure one before continuing Your mouse movements and keystrokes generate random information that is needed to create a unique keypair If there is not enough random infor mation upon which to build the key the PGP Random Data screen appears Move your mouse around and enter a series of random key strokes until the progress bar is completely filled in PGPkeys continually gathers random data from many sources on the system including mouse positions timings and keystrokes If the Random Data screen does not appear it indicates that PGP has already collected all the random data that it needs to create the keypair If you are in a Microsoft Exchange Server environment PGP informs you that it needs to retrieve you
82. d to select a word from the even list The byte at offset 1 is used to select a byte from the odd list The byte at offset 2 selects a word from the even list again and the byte at offset 3 selects from the odd list again Each byte value is actually repre App C Biometric Word Lists 167 PGP Desktop 168 User s Guide sented by two different words depending on whether that byte appears at an even or an odd offset from the beginning of the byte sequence For example suppose the word adult and the word amulet each appears in the same corresponding position in the two word lists position 5 That means that the repeating three byte sequence 05 O5 O5 is represented by the 3 word sequence adult amulet adult This approach makes it easy to detect all three kinds of common errors in spoken data streams transposition duplication and omission A transposi tion will result in two consecutive words from the even list followed by two consecutive words from the odd list or the other way around A duplication will be detected by two consecutive duplicate words a condition that cannot occur in a normal sequence An omission will be detected by two consecutive words drawn from the same list To facilitate the immediate and obvious detection by a human of any of the three error syndromes described above without computer assistance we made the two lists have one obviously different property The even list con tains only two syl
83. day souvenir supportive telephone torpedo typewriter unify vagabond voyager Wilmington everyday filament gadgetry graduate handiwork hideaway impetus inferno intention leprosy maverick midsummer molecule nebula onlooker pandemic paramount perceptive pioneer processor pyramid recover responsive revival savagery specialist surrender therapist tradition ultimate universe vertigo warranty Wyoming User s Guide examine finicky Galveston gravity hazardous holiness inception informant inventive letterhead Medusa millionaire Montana newsletter opulent Pandora passenger performance pocketful provincial quantity repellent retraction revolver scavenger speculate suspicious tobacco travesty undaunted unravel Virginia Waterloo yesteryear App C Biometric Word Lists Glossary Glossary AES Advanced Encryption Standard NIST approved encryption standards usually used for the next 20 30 years Rijndael a block cipher designed by Joan Daemen and Vincent Rij men was chosen as the new AES in October 2000 Algorithm encryption A set of mathematical rules logic used in the processes of encryption and decryption Algorithm hash A set of mathematical rules logic used in the processes of message digest creation and key signature generation Anonymity Of unknown or undeclared origin or authorship concealing an entity s identification ANSI American National Standar
84. de your public key in an email message e Export your public key or copy it to a text file e Copy your public key from a smart card directly to someone s keyring Placing your public key on a keyserver Ch 15 Exchanging Keys The best method for making your public key available is to place it on a public keyserver which is a large database of keys where anyone can access it That way people can send you encrypted email without having to explicitly request a copy of your key It also relieves you and others from having to maintain a large number of public keys that you rarely use 109 PGP Desktop User s Guide There are a number of keyservers worldwide including those offered by PGP Corporation where you can make your key available for anyone to access lf you are using PGP in a corporate setting your PGP administrator will usually preconfigure your keyserver settings so that everything works correctly for your site When you re working with a public keyserver such as keyserver pgp com keep these things in mind before you send your key e Is this the key you intend to use Others attempting to communicate with you might encrypt important information to that key For this reason we strongly recommend that you only put keys on a key server that you intend for others to use e Will you remember your passphrase for this key so you can retrieve data encrypted to it or if you don t want to use the key so you can revoke it
85. deployed in PGP 5 0 and later ver sions PKCS Public Key Crypto Standards A set of de facto standards for public key cryptography developed in cooperation with an informal consortium Apple DEC Lotus Microsoft MIT RSA and Sun that includes algorithm specific and algorithm inde pendent implementation standards Specifications defining message syn tax and other protocols controlled by RSA Data Security Inc PKI Public Key Infrastructure A widely available and accessible certificate system for obtaining an entity s public key with some degree of certainty that you have the right key and that it has not been revoked Plaintext Normal legible un encrypted unsigned text Private key The secret portion of a keypair used to sign and decrypt information A user s private key should be kept secret known only to the user Private keyring A set of one or more private keys all of which belong to the owner of the private keyring Public key One of two keys in a keypair used to encrypt information and verify signa tures A user s public key can be widely disseminated to colleagues or strangers Knowing a person s public key does not help anyone discover the corresponding private key Public keyring A set of public keys Your public keyring includes your own public key s Public key cryptography Cryptography in which a public and private keypair is used and no security is needed in the channel itself Random numb
86. disk could not be unmounted if you want to prevent your computer from sleeping if a PGP disk could not be unmounted Click OK to save your changes and close the PGP Options screen or select another tab to continue configuring your PGP options App A Setting PGP Options 161 PGP Desktop User s Guide 162 App A Setting PGP Options App B Troubleshooting Troubleshooting This appendix presents information about problems you may encounter while using PGP and suggests solutions The following table lists PGP errors a pos sible cause for the error and a solution Error Cause Solution Administrative pref erences file not found The preference file con taining the configura tion set up by your PGP administrator usually IS IT personnel is miss ing Re install PGP onto your machine If the message contin ues to appear after re installing contact your PGP administrator and report this message They will need to generate a new PGP installer for you Authentication rejected by remote SKEP connection The user on the remote side of the network share file connection rejected the key that you provided for authentication Use a different key to authenti cate the network share file con nection or contact the remote user to assure them that the key you re using is valid The PGP memory page locking driver is not functioning correctly Could be the result of an incorrect installa
87. ds Institute Develops standards through various Accredited Standards Committees ASC The X9 committee focuses on security standards for the financial services industry ASCII armored text Binary information that has been encoded using a standard printable 7 bit ASCII character set for convenience in transporting the information through communication systems In the PGP program ASCII armored text files are given the default filename extension and they are encoded and decoded in the ASCII radix 64 format Asymmetric keys A separate but integrated user key pair comprised of one public key and one private key Each key is one way meaning that a key used to encrypt information can not be used to decrypt the same data Authentication The determination of the origin of encrypted information through the veri fication of someone s digital signature or someone s public key by check ing its unique fingerprint Authorization certificate An electronic document to prove one s access or privilege rights also to prove one is who they say they are Authorization To convey official sanction access or legal power to an entity 173 PGP Desktop 174 User s Guide Backdoor A cipher design fault planned or accidental which allows the apparent strength of the design to be easily avoided by those who know the trick When the design background of a cipher is kept secret a back door is often suspected Blind signature Ability to sig
88. e files within the volume Backing up PGPdisk volumes You may want to back up the contents of your PGPdisk volumes to safeguard your information from system corruption or disk failures While it is possible to back up the contents of a mounted PGPdisk volume just as you would any other volume it is probably not a good idea because the contents are not encrypted and will thus be accessible to anyone who can restore the back up Instead of backing up the contents of the mounted PGPdisk volume you should make a back up of the encrypted PGPdisk volume To back up PGPdisk volumes 1 Unmount the PGPdisk volume Ch 12 Using PGP Disk User s Guide PGP Desktop 2 Copy the unmounted encrypted file to a floppy disk tape or removable cartridge just as you would any other file Even if some unauthorized per son has access to the backup he or she will not be able to decipher its contents When making backups of the encrypted files keep these issues in mind PGPdisk is a product for security minded people and organizations Backing up the encrypted files to a network drive gives others plenty of opportunity to guess at a weak passphrase We recommend that you back up only to devices over which you have physical control A lengthy complicated passphrase helps further reduce the risk in this situation If you are on a network make sure that any network back up system does not back up your mounted volumes You may need to disc
89. e is not enough random data cur rently available The random number generator needs more input in order to gener ate good random num bers When prompted move the mouse around or press random keys in order to generate input There was an error during the writing of the keyring or the exported file The program failed to write data to a certain file Your hard drive may be full or if the file is on a floppy the floppy is not present in the floppy drive There was an error opening or writing the keyring or the output file A file that was needed couldn t be opened Make sure the settings in your PGP Options is correct If you ve recently deleted files in the direc tory that you installed PGP you may need to re install the prod uct This key is already signed by the speci fied signing key You can t sign a key that you have already signed You may have accidentally picked the wrong key If so choose a different key to sign 165 PGP Desktop 166 User s Guide Error Cause Solution Unable to perform operation because this file is read only or otherwise pro tected If you store your keyring files on removable media the media may not be inserted A file that was needed is set to read only or is being used by another program Close other programs that may be accessing the same files as the program you are running If you keep you
90. e must be imported from a file with a PEM PFX or P12 extension Validating keys When you exchange keys with someone it is sometimes hard to tell if the key really belongs to that person PGP software provides a number of safeguards that allow you to check a key s authenticity and to certify that the key belongs to a particular owner that is to validate it PGP warns you if you attempt to use a key that is not valid and also by default warns you when you are about to use a marginally valid key For more information on validity and trust see An ntroduction to Cryptogra phy 114 Ch 15 Exchanging Keys 16 Overview Managing Keys This chapter explains how to examine and manage the keys stored on your keyrings The keys you create as well as those you collect from others are stored on keyrings which are essentially files stored on your hard drive or on a floppy disk Normally your private keys are stored in a file named secring skr and your public keys are stored in another file named pubring pkr These files are usually located in your PGP folder and can be viewed and edited from the PGPkeys window As a result of your private key being encrypted automatically and your pass phrase being uncompromised there is little danger in leaving your keyrings on your computer However if you are not comfortable storing your keys in the default location you can choose a different filename or location Occasionally you
91. e revocation lists CRLs enter it in the corresponding field If you do not know the URL for Revocation leave this field blank or consult your company s PGP or PKI administrator d Inthe Type box specify the name of certificate authority you are using Your choices are Net Tools PKI VeriSign OnSite Entrust iPlanet CMS Windows 2000 e Click the Select Certificate button then select the Root CA certificate you just retrieved 134 Ch 16 Managing Keys User s Guide Ch 16 Managing Keys f 3 Make a certificate request PGP Desktop The Root Certificate text box displays information on the selected root CA certificate The terminology for the certificate is a policy decision Typically the following terminology is true for X 509 certificates Term Description CN Often a description of the type of certificate for Common Name example Root EMAIL The email address for the certificate holder OU The organization to which the certificate belongs Organizational Unit for example Accounting O Typically the name of the company to which the Organization certificate belongs for example Secure Corp L The location of the holder of the certificate for Locality example Palo Alto Click OK To do this follow these steps a Right click on your PGP keypair and select Keys gt Add gt Certificate from the Keys right click menu The Certificate Attributes dialog box
92. e s public key a signature icon along with your user name is shown attached to that key To sign someone s public key 1 2 Ch 16 Managing Keys Open PGPkeys and select the public key which you want to sign Choose Sign from the Keys menu or click to open the Sign Keys screen The Sign Keys screen appears with the public key and fingerprint dis played in the text box Click the Allow signature to be Exported check box to allow your signa ture to be exported with this key An exportable signature is one that is allowed to be sent to servers and travels with the key whenever it is exported such as by dragging it to an email message The check box provides a shorthand means of indicating that you wish to export your signature Click the More Choices button to configure options such as signature type and signature expiration PGP Sign Key By signing the selected user ID s you are certifying based on your own direct first hand knowledge that the key s and attached user ID s actually belong to the identified user s Before signing make sure the key s were given to you in a secure manner by the owner or you have verified the fingerprint with the owner Key User Name Fingerprint Simon Ramseier lt sramseie ny 50D7 1CB0 FCB4B8E9 E3F9 913B 52CE 5DDF E Signature Type Expiration 2 Non Exportable Never More Le O Exportable ODate 1171772003 y y O Metalntroducer Non Exportable S 18 nature Trust
93. e using it Twofish A new 256 bit block cipher symmetric algorithm Twofish was one of five algorithms that the U S National Institute of Standards and Technology NIST considered for the Advanced Encryption Standard AES 181 PGP Desktop 182 User s Guide User ID A text phrase that identifies a keypair For example one common format for a user ID is the owner s name and email address The user ID helps users both the owner and colleagues identify the owner of the keypair Validity Indicates the level of confidence that the key actually belongs to the alleged owner Verification The act of comparing a signature created with a private key to its public key Verification proves that the information was actually sent by the signer and that the message has not been subsequently altered by any one else Web of trust A distributed trust model used by PGP to validate the ownership of a pub lic key where the level of trust is cumulative based on the individuals knowledge of the introducers X 509 An ITU T digital certificate that is an internationally recognized electronic document used to prove identity and public key ownership over a commu nication network It contains the issuer s name the user s identifying information and the issuer s digital signature as well as other possible extensions Glossary A about PGP keyrings 115 PGP Wipe utility 41 47 PGPdisk volumes 93 accessing PGPdisk 75 adding a
94. e volume This allows alternate users to read the files but prevents them from altering the files in any way To add alternate users 1 Ensure that the PGPdisk volume is not currently mounted You cannot add alternate users while the PGPdisk volume is mounted 2 Open the PGPdisk Editor for the volume you want to modify then select Add from the User menu The Passphrase dialog box appears asking you to enter the administra tor s passphrase 3 Enter the administrator passphrase and click OK The PGPdisk User Creation Wizard appears Read the introductory infor mation Click Next 5 Choose a protection method for the new user Select one of the following Public key If you choose to protect the PGPdisk with a public key a list of the public keys on your keyring appears Highlight the alternate user s public key Public key is the most secure protection method when adding alternate users to a PGPdisk volume because 1 You don t need to exchange a passphrase with the alternate user which depending on your method could be intercepted or overheard 2 The alternate user doesn t need to memorize another passphrase which could be forgotten 3 It is easier to manage a list of alternate users if each uses his or her own private key to gain access to the volume Passphrase If you choose to protect your PGPdisk with a passphrase you must also enter the name of the alternate user Enter the string of words or
95. ear on the screen However if you are sure that no one is watching and you would like to see the characters of your pass phrase as you type clear the Hide Typing check box Unless your administrator has implemented a PGP key reconstruction policy for your company no one including PGP Corporation can salvage a key with a for gotten passphrase 7 Click Next to begin the key generation process Your mouse movements and keystrokes generate random information that is needed to create a unique keypair If there is not enough random infor mation upon which to build the key the PGP Random Data dialog box appears As instructed in the dialog box move your mouse around and enter a series of random keystrokes until the progress bar is completely filled in If you are in a Microsoft Exchange Server environment PGP informs you that it needs to retrieve your email user ID from your Exchange server in order to add it to your new PGP key If this is the case continue with the instructions outlined in Adding your email ID from your Microsoft Exchange Server to your new key on page 43 8 When the key generation process indicates that it is done click Next 9 Click Finish Putting your public key on a keyserver The best method for making your public key available is to place it on a public keyserver which is a large database of keys that anyone can access That way people can send you encrypted email without having to get your pub
96. eature may be ignored Ch 4 Securing Email User s Guide PGP Desktop e Conventional Encrypt Select this option to use a common passphrase instead of public key encryption If you select this option the message is encrypted using a session key which encrypts and decrypts using a passphrase that you will be asked to choose Click OK to encrypt and sign your mail If you have elected to sign the encrypted data the Signing Key Pass phrase screen appears requesting your passphrase before the mail is sent Enter your passphrase and then click OK If you do not send your email immediately but instead store it in your outbox you should be aware that when using some email applications the information is not encrypted until the email is actually transmitted Before queuing encrypted messages you should check to see if your application does in fact encrypt the messages in your outbox If it does not you can use PGPtray s Current Window option to encrypt your messages before queuing them in the outbox Encrypting and signing email without PGP plug in support Ch 4 Securing Email If your email application does not support the PGP plug ins you can use PGP tray to encrypt the text of your message prior to sending it The easiest way to encrypt your message without the use of a PGP plug in is to use the Cur rent Window options in PGPtray To encrypt and sign email without a PGP plug in Use your email application to co
97. ecause to send an encrypted email message that only your cousin can decrypt you encrypt it using your cousin s public key What makes this work is only your cousin s private key can decrypt a mes sage that was encrypted using her public key Even you who have her public key can t decrypt the message once it s been encrypted using her public key Let s be very clear about this only a private key can decrypt data that was encrypted with the corresponding public key So to send a private message that only you can decrypt and read your cousin encrypts it with your public key Your private key is the only key in the world that can decrypt that message and of course you re keeping your private key very very private right So what is PGP Desktop really PGP Desktop is a tool for keeping data safe it has three main components e PGPkeys Create your personal keypair a private key and a public key and get and manage the public keys of other people e PGPmail Encrypt email messages to other people and decrypt email mes sages sent to you e PGPdisk Encrypt a portion of your hard disk so that it s fully protected even if it s stolen PGP Desktop also does things like secure your ICO communications wipe files so that they are completely gone and create self decrypting archives This user s guide 16 This User s Guide describes all three of these components of PGP Desktop but in a slightly different order than you migh
98. ed Introducer Exportable options Options Maximum Trust Depth 0 Domain restriction Choose a signature type to sign the public key with Your choices are Non exportable Use this signature when you believe the key is valid but you don t want others to rely on your certification This signature type cannot be sent with the associated key to a key server or exported in any way 123 PGP Desktop User s Guide Exportable Use exportable signatures in situations where your signa ture is sent with the key to the key server so that others can rely on your signature and trust your keys as a result This is equivalent to checking the Allow signature to be exported check box on the Sign Keys menu Meta Introducer Non Exportable Certifies that this key and any keys signed by this key with a Trusted Introducer Validity Assertion are fully trusted introducers to you This signature type is non exportable The Maximum Trust Depth option enables you to identify how many levels deep you can nest trusted introducers For example if you set this to 1 there can only be one layer of introducers below the meta introducer key Trusted Introducer Exportable Use this signature in situations where you certify that this key is valid and that the owner of the key should be completely trusted to vouch for other keys This signature type is exportable You can restrict the validation capabilities of the trusted introducer to a parti
99. een appears Enter the passphrase for the key you want to remove from the server then click OK The Confirmation screen appears and the key is removed Update your key remove the unwanted signatures or user names Copy the updated key to the server If the key server is configured to synchronize keys with other key servers your key will be updated on the other servers automatically upon synchro nization If you delete your key from a key server you should be aware that someone who has your public key on their keyring can upload it to the server again You should check the server periodically to see if the key has reappeared you may have to delete your key from the server more than once Reconstructing your key 144 If you ever lose your private key or you forget your passphrase there is no way to recover from it unless your administrator has set up a key reconstruc tion policy which includes setting up a key reconstitution server and enabling this feature in your PGP software If this feature is enabled in your software you would have provided recovery information five secret questions and answers and would have sent your key to the key reconstruction server If you sent your key to a reconstruction server you can restore your keypair at any time as long as you have your public key and can answer at least three of the five secret questions you created To reconstruct your key from your company s reconstruction se
100. elected item in the View menu PGPkeys displays a column in the main window If you want to change the order of these columns click and drag the header of the column you want to move Ch 16 Managing Keys User s Guide Ch 16 Managing Keys PGP Desktop For a list of PGPkeys attribute definitions see the following table Attribute Description Keys Shows an iconic representation of the key along with the user name email address photograph of the owner and the names of the key s signers v TEE d Y Additional icons can be listed with a key indicating that a signature certificate or photographic user ID accompanies the key de 2 E ES A gold key and user represents your Diffie Hellman DSS keypair which consists of your private key and your public key A gray key and user represents an RSA keypair which consists of your private key and your public key A single gold key represents a Diffie Hellman DSS public key A single gray key represents an RSA public key When a key or keypair is dimmed the keys are temporarily unavailable for encrypting and signing You can disable a key from the PGPkeys window which prevents seldom used keys from cluttering up the Key Selection dialog box A gray key on a gold card represents an RSA key stored on a smart card Currently the only key type supported on smart cards is RSA A key with a red X indicates that the key has been revoked Users revoke their key
101. email using the PGP plug ins Although the procedure varies slightly between email applications when you are using an email application supported by the plug ins you can perform decryption and verification by clicking the envelope icon in the message or your application s toolbar In some cases you may need to select Decrypt Ver ify from the menu in your email application In addition if you are using an application that supports the PGP MIME standard you can decrypt and verify your email messages as well as any file attachments by clicking an icon attached to your message If you are using an email application that is not supported by the PGP plug ins you will decrypt and verify your email messages via PGPtray In addition if your email includes encrypted file attachments you must decrypt them sepa rately via PGPtray To decrypt and verify from supported email applications 1 Open your email message just as you normally do The body of the message will be a block of unintelligible ciphertext 2 To decrypt and verify the message click the locked envelope icon gt To decrypt and verify attached files decrypt them separately using the PGPtray icon The PGP Enter Passphrase screen appears asking you to enter your pass phrase 3 Enter your passphrase then click OK The message is decrypted If it has been signed and you have the sender s public key a message appears indicating whether the signature is valid If
102. equirements of DoD 5220 22 M at 3 passes Security continues to increase up to approximately 28 passes C Automatically wipe on delete App A Setting PGP Options 147 PGP Desktop User s Guide Make your selections for the following options e Always Encrypt to Default Key When this setting is selected all the email messages and file attachments you encrypt with a recipient s public key are also encrypted to you using your default public key It is useful to leave this setting turned on so that subsequently you have the option of decrypting the contents of any email or files you encrypt e Faster Key Generation When this setting is selected less time is required to generate a new Diffie Hellman DSS keypair This process is speeded up by using a previously calculated set of prime numbers rather than going through the time consuming process of creating them from scratch each time a new key is generated However remember that fast key generation is only implemented for key sizes above 1024 and below 4096 Although it would be unlikely for anyone to crack your key based on their knowl edge of these canned prime numbers some may want to spend the extra time to create a keypair with the maximum level of security The general belief in the cryptographic community is that using canned primes provides no decrease in security for the Diffie Hellman DSS algo rithms If this feature makes you uncomfortable you may turn it off e S
103. er An important aspect to many cryptosystems and a necessary element in generating a unique key s that are unpredictable to an adversary True random numbers are usually derived from analog sources and usually involve the use of special hardware 179 PGP Desktop 180 User s Guide Revocation Retraction of certification or authorization RFC Request for Comment An IETF document either FYI For Your Information RFC sub series that are overviews and introductory or STD RFC sub series that identify spec ify Internet standards Each RFC has an RFC number by which it is indexed and by which it can be retrieved www ietf org Rijndael A block cipher designed by Joan Daemen and Vincent Rijmen chosen as the new Advanced Encryption Standard AES It is considered to be both faster and smaller than its competitors The key size and block size can be 128 bit 192 bit or 256 bit in size and either can be increased by incre ments of 32 bits RSA Short for RSA Data Security Inc or referring to the principals Ron Rivest Adi Shamir and Len Adleman or referring to the algorithm they invented The RSA algorithm is used in public key cryptography and is based on the fact that it is easy to multiply two large prime numbers together but hard to factor them out of the product secret sharing See Key Splitting secure channel A means of conveying information from one entity to another such that an adversary does not have the ab
104. ere is a standard feature set used to describe sounds in English For example say the words pun fun dun and gun go ahead try it and notice how your tongue keeps moving back in your mouth on each word Linguists call this the place of articulation and noises that are very different in this feature sound differ ent to English speakers Combining the features of all the sounds in a word gives us a representation of the sound of the entire word and we can com pute the phonetic distance between a pair of words App C Biometric Word Lists User s Guide PGP Desktop Actually it wasn t that simple We didn t know how to weight the various features certain word level features like accents were hard to represent and the feature based analysis simply fails for certain sounds There were also a few other more subtle criteria for example we wanted the words to be com mon enough to be universally recognizable but not so common as to be bor ing and we didn t want confusing words like repeat or begin or error Some sound features are less perceptible to non native English speakers for example some Japanese speakers might hear and pronounce r and I the same way It would be nice if the words were short enough that you could fit enough of them on a small LCD display Large consonant clusters cork screw has five pronounced consonants in a row are sometimes hard to say especially to non
105. erties screen to assign the signer a level of trust Trusted Marginal or Untrusted Shows the date when the key will expire Most keys are set to Never however there may be instances when the owner of a key wants it to be used for only a fixed period of time A single key with a clock icon represents a public key or keypair that has expired Expiration Shows the date when the key was originally created You can sometimes make an assumption about the validity of a key based on how long it has been in circulation Creation If the key has been in use for a while it is less likely that someone will try to replace it because there are many other copies in circulation Never rely on creation dates as the sole indicator of validity opecifying a default keypair on your PGP keyring Ch 16 Managing Keys When encrypting messages or files PGP gives you the option to additionally encrypt to a keypair that you specify as your default keypair When you sign a message or someone s public key PGP will use this keypair by default Your default keypair is displayed in bold type to distinguish it from your other keys If you have more than one keypair you may want to specifically designate one pair as your default pair To specify your default keypair 1 Open PGPkeys and highlight the keypair you want to designate as your default key 2 Choose Set Default from the Keys menu The selected keypair is displayed in bold type
106. essing the PGPdisk even if he or she was removed from the user list Re encryption changes this underlying key and prevents him from gaining access To re encrypt a PGPdisk volume 1 Open the PGPdisk Editor for the volume you want to modify then click the Properties button or select Properties from the File menu The Properties dialog box appears Click the Re Encrypt button Enter your passphrase for the volume The PGPdisk Re Encryption Wizard appears Read the introductory information and click Next A dialog box appears displaying the current encryption algorithm protect ing your PGPdisk volume and the new encryption algorithm For example if your PGPdisk is currently encrypted with CAST then Twofish appears in the New Algorithm list and vice versa Ch 12 Using PGP Disk User s Guide Ch 12 Using PGP Disk PGP Desktop Choose from one of the following options Select the Re encrypt to the same algorithm check box to re encrypt the PGPdisk using the current algorithm then click Next Click Next to re encrypt the PGPdisk with the algorithm displayed in the New Algorithm drop down list The PGPdisk re encrypts using the encryption algorithm you selected 6 When the current status displays Done click Next Click Finish to complete the re encryption process 91 PGP Desktop User s Guide 92 Ch 12 Using PGP Disk 13 PGP Disk Technical Details This chapter discusses encryption and secu
107. ets library allowing it to be application independent Encrypts the entire communication channel and does not support digital signatures at the message level symmetric algorithm Also known as conventional secret key and single key algorithms the encryption and decryption key are either the same or can be calculated from one another Two sub categories exist Block and Stream subkey A subkey is a Diffie Hellman encryption key that is added as a subset to your master key Once a subkey is created you can expire or revoke it without affecting your master key or the signatures collected on it Text Standard printable 7 bit ASCII text Timestamping Recording the time of creation or existence of information TLS Transport Layer Security An IETF draft version 1 is based on the Secure Sockets Layer SSL ver sion 3 0 protocol and provides communications privacy over the Internet TLSP Transport Layer Security Protocol ISO 10736 draft international standard Triple DES An encryption configuration in which the DES algorithm is used three times with three different keys Trusted A public key is said to be trusted by you if it has been validated by you or by someone you have designated as an introducer Trusted introducer Someone whom you trust to provide you with keys that are valid When a trusted introducer signs another person s key you trust that the person s key is valid and you do not need to verify the key befor
108. ey insert like a key whenever they need to sign or decrypt mail The location you specify can also be used to store all automatic backups of the public keyring Click OK to save your changes and close the PGP Options screen or select another tab to continue configuring your PGP options 750 App A Setting PGP Options User s Guide PGP Desktop Setting Email options Use the Email tab to specify settings for your email application Not all of the selections apply to every email application PGP Options General Files Email HotKeys Servers CA Advanced PGPdisk Email Options Ea Use PGP MIME when sending email Encrypt new messages by default Sign new messages by default Automatically decrypt verify when opening messages Always use Secure Viewer when decrypting Word wrap clear signed messages Wrap at column 70 Note some of these options may not be available with all plugins Make your selections for the following options App A Setting PGP Options Use PGP MIME when sending mail If you are using Eudora and you enable this setting all of your email messages and file attachments are automati cally encrypted to the intended recipient This setting has no effect on other encryptions you perform from the clipboard If you enable this set ting all of your email messages and file attachments are automatically encrypted Some email applications cannot suppor
109. ficate to your PGP keyring To do this follow these steps a Open your Web browser and connect to the CA s enrollment site If you do not know the URL consult your company s PGP or PKI admin istrator b Locate and examine the Root CA certificate This process varies between Certificate Authorities For example if your company were using the iPlanet CMS server you would click the Download a CA Certificate link and then click the Examine this Certificate button c Copy the key block for the Root CA certificate and paste it into your PGP keys window The Import Key screen appears and imports the Root CA certificate into your keyring d Sign the Root CA certificate with your key to make it valid then open the Key Properties and set the trust level Trust must be set on the Root CA 133 PGP Desktop User s Guide 2 Configure the CA tab in the Options screen To do this follow these steps a Select Options from the PGPkeys Edit menu then select the CA tab The CA tab appears PGP Options General Files Email HotKeys Servers CA Advanced PGPdisk Certificate Authority Identification URL Revocation URL Type Windows 2000 Root Certificate Select Certificate b Enter the CAs URL in the Certificate Authority Identification URL field for example https nnn nnn nnn nnn nnnnn this is the same URL you used to retrieve the Root CA c lf there is a separate URL for retrieving certificat
110. friends and colleagues over the Internet in real time As with any type of communication especially through Internet based applications your conver sation is not secure and is subject to eavesdropping To secure your ICQ communications PGP offers a powerful integrated plug in that lets you easily encrypt and decrypt your ICO messages and exchange PGP keys through ICQ ICQ allows you to send messages of unlimited length to online users Offline users however are limited to receiving messages no longer than 450 charac ters Because of this limitation and because the size of encrypted text can exceed the size of the original text we recommend that you send your key and encrypted messages to online recipients only The PGP plug in for ICQ allows you to secure your ICQ communications by encrypting your messages before you send them over the Internet and decrypting and verifying automatically upon opening encrypted instant mes sages Since the plug in uses your PGP key together with your ICQ number to encrypt and secure your ICQ messages it can automatically verify and decrypt the ICQ messages that are encrypted to your PGP key When the PGP plug in for ICQ is installed on your system the lock icon c9 and the Send Key button appear in your ICO Send Online Message dialog box If you are using ICO version 2000b or higher then you must work in ICQ s Advanced mode not Simple mode and you must use the Single Message mode window not the
111. from time to time by the Bureau of Export Administration United States Department of Commerce which restrict the export and re export of certain products and technical data Limitations The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software The information in this doc ument is subject to change without notice PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors The information may include technical inaccuracies or typographical errors Changes may be made to the information and incor porated in new editions of this document if and when made available by PGP Corporation About PGP Corporation The recognized worldwide leader in secure messaging and information storage PGP Corporation develops markets and supports products used by a broad installed base of enterprises busi nesses governments individuals and cryptography experts to secure proprietary and confidential information During the past 13 years PGP technology has built a global reputation for open and trusted security products The PGP Corporation family of products includes PGP Universal an automatic self managing network based solution for enterprises as well as desktop mobile and SDK solutions Contact PGP Corporation at www pgp com Table of Contents Introduction s assa on ew
112. ft D Click OK to save your changes and close the PGP Options screen or select another tab to continue configuring your PGP options Setting Servers options Use the Servers tab to specify settings for the public key servers or directory servers that you are using to send and retrieve public keys and with which you will automatically synchronize keys PGP Options General Files Email HotKeys Servers CA Advanced PGPdisk Server e Idap keyserver pgp com e Idap europe keys pgp com 11370 Synchronize with server upon v Enerypting to unknown keys d C Signing keys Adding names photos revokers Domain 9 9 Listed 9 0 T A Remove Edit Set as Root Move Up Move Down C Revocation v Verification The box at the top of the screen shows configured servers How to modify the list of servers and how to add and edit the list of servers is described below Make your selections for the following options e Encrypting to unknown keys Select this option to have PGP automatically look up unknown recipients on the server to locate users that are not on your keyring when encrypting email e Signing keys Select this option to allow keys to which you re adding your signature first to be updated from the server and then your changes sent to the server upon completion of the update e Adding names photos revokers Select this option to allow keys to which
113. g your key on a keyserver 142 If you ever need to change your email address or if you acquire new signa tures all you have to do to replace your old key is send a new copy to the server the information is automatically updated However you should keep in mind that public key servers are only capable of adding new information and will not allow removal of user names or signatures from your key If your key is ever compromised you can revoke it this tells the world to no longer trust that version of your key Ch 16 Managing Keys User s Guide PGP Desktop Removing signatures or user names associated with your key At some point you may want to remove a subkey a signature or a user ID associated with a particular key Public keyservers are only capable of adding new information and will not allow removal of user names or signatures from your key To remove signa tures or user names associated with your public key you must first remove your key from the server make the required change then post your key back on the server If your Server settings on the Options screen are configured to synchronize keys with the key server when you add names photos revokers to your key your key is automatically updated on the server If however your keys do not automatically synchronize with the server follow the instructions outlined below to manually update your key on the key server When you delete a key signature or user name f
114. h 3 Making a Keypair and Working with Public Keys Securing Email This chapter explains how to secure email messages you send to others and decrypt and verify the messages others send to you Sending email that is not encrypted is like sending a postcard the message you write can easily be read by someone in between you and the recipient To secure your email PGP offers plug ins that work along with your email applications and other utilities to encrypt sign decrypt and verify email text The PGP email plug ins are available for seamless integration with Microsoft Exchange Outlook and Express Lotus Notes Novell GroupWise and QUAL COMM Eudora Encrypting and signing email The quickest and easiest way to secure email communications is by using an email application supported by the PGP plug ins If you are using an email application that is not supported by the PGP plug ins you can encrypt sign decrypt and verify the text of your email messages using PGPtray icon Encrypting and signing email using the PGP plug ins Ch 4 Securing Email Although the procedure varies slightly between different email applications you perform the encryption and signing process by clicking the appropriate buttons in the application s toolbar To encrypt and sign with supported email applications 1 Use your email application to compose your email message as you nor mally would If you are sending sensitive email consider leaving
115. hare is received the Remote Authentication screen appears Remote Authentication The remote system has authenticated with the following key at the address shown The key used by the remote system to authenticate the connection is not valid on the local keyring Please Confirm the use of this key or press Cancel to abort the connection Remote Address 192 168 1 100 Authenticating Key Name roadking lt roadking 192 168 1 21 gt Fingerprint 60E8 A0B6 300E 356C F650 BAOC 9410 CC04 B536 F23F Validity Invalid Valid Security Certificate PGP Signature DSS Exchange Diffie Hellman Ephemeral Cipher CAST If you have not signed the key that is being used to authenticate the remote system the key will be considered invalid Although you can rejoin the split key with an invalid authenticating key it is not recommended You should verify each shareholder s fingerprint and sign each share holder s public key to ensure that the authenticating key is legitimate Click Confirm to accept the share file Continue collecting key shares until the value for Total Shares Collected matches the value for Total Shares Needed on the Key Shares Collection screen Click OK The file is signed or decrypted with the split key To send your key share over the network 1 When you are contacted by the person who is rejoining the split key make sure that you have these items your key share file and p
116. hat allows you to identify the location and size of the new volume Click Browse to navigate to a destination directory for your PGPdisk vol ume or accept the default location Windows 95 The default location is C My Documents Windows NT The default location is C WINNT Profiles Name of Cur rent User Personal Windows 98 The default location is C My Documents Windows ME The default location is C My Documents Windows 2000 The default location is C Documents and Set tings Name of Current User My Documents Windows XP The default location is C Documents and Set tings Name of Current User My Documents Enter the amount of space you want to reserve for the new volume PGP disk Size field Use whole numbers no decimal places You can use the arrows to increase or decrease the number displayed in the field The amount of free disk space for the selected drive is shown above the Size field Choose KB kilobytes MB megabytes or GB gigabytes from the size list You can create a volume of any size larger than 100 kilobytes The maxi mum allowable size for a PGPdisk volume depends on your version of Win dows and on the size and format of your hard disk Click Advanced Options to specify where and how you want to mount your PGPdisk The Options dialog box appears 77 PGP Desktop 78 User s Guide Choose how you want to mount your PGPdisk Dn a drive letter m e O As a d
117. he lists Run On text box At System Start up This option runs your task only upon system start up At Logon This option runs your task when you log on to your com puter When idle This option runs your task when your system is idle for the amount of time you specify in the minutes text box 8 Enter the time of day that you want the task to start in the Start Time box 52 Ch 6 Wiping User s Guide PGP Desktop 9 Specify how often you want the task to run in the Schedule Task Daily box 10 Click Advanced to open a dialog box where you can select additional scheduling options such as the start date the end date and the duration of the task 11 Click OK A confirmation screen appears Your new PGP folder or free space task is now scheduled To edit or delete your PGP tasks use the Windows Task Scheduler Ch 6 Wiping 53 PGP Desktop User s Guide 54 Ch 6 Wiping 7 Self Decrypting Archives A self decrypting archive SDA is a self decrypting executable file that is con ventionally encrypted using a passphrase you specify The resulting file can be decrypted simply by double clicking it and entering the correct passphrase SDAs are valuable for situations where you need to send encrypted data to someone who doesn t have PGP SDAs can be a single file multiple files a directory multiple directories or even an entire drive All SDAs use the CAST5 algorithm SDAs can only be opened under the sa
118. ho are using RSA keys e Choose RSA Legacy only if those you communicate with are using older versions of PGP otherwise choose the new RSA key format The two formats are not compatible with each other The RSA key type is only fully compatible with PGP versions 7 0 and above and other OpenPGP applications If you plan to correspond with people who are still using RSA Legacy keys you might want to generate an RSA Legacy keypair which is com patible with older versions of the program If you need to you can gener ate more than one keypair 97 PGP Desktop Making a keypair User s Guide 98 Unless you have already done so while using another version of PGP the first thing you need to do before sending or receiving encrypted and signed email is create a new keypair You generate a new keypair from PGPkeys using the PGP Key Generation Wizard which guides you through the process If you have an existing keypair specify the location of your keys when you run the PGPkeys application You can go to the Files tab of the Options screen and locate your keyring files at any time Although it s fun do not create more than one keypair unless you need to When another user wants to send you email it might confuse them if you have more than one keypair Also you might not remember all of the passwords for each keypair To create a new keypair 1 Open PGPkeys You can open PGPkeys by Double clicking the PGPkeys icon
119. how PGPtray icon When this check box is selected you can access many PGP utilities through the convenience of PGPtray e Comment Block You can add your comment text in this area The text you enter here is always included in messages and files that you encrypt or sign Comments entered in this field appear below the BEGIN PGP MESSAGE BLOCK text header and PGP version number of each mes sage e Cache passphrase while logged on Automatically saves your passphrase in memory until you log off your computer If you select this option you are prompted for your passphrase once for each initial signing and decrypting task You will not be prompted to enter it again for the same task until you log off your computer When this setting is selected it is very important that you log off your com puter before leaving it unattended Your passphrase can remain cached for weeks if you never log off anyone could read your encrypted messages or encrypt messages with your key while you are away from your computer e Cache passphrase for Automatically saves your passphrase in memory for the specified duration of time in hours minutes seconds If you select this option you are prompted for your passphrase once for the initial sign ing or decrypting task You are not prompted to enter it again until the allotted time you specify has lapsed The default setting is 2 minutes e Do not cache passphrase When this setting is selected your passphrase
120. hy The Secure Viewer option may not be compatible with previous versions of PGP Messages encrypted with this option enabled can be decrypted by previ ous versions of PGP however this feature may be ignored Ch 4 Securing Email User s Guide Ch 4 Securing Email PGP Desktop e Conventional Encrypt Select this option to use a common passphrase instead of public key encryption If you select this option the message is encrypted using a session key which encrypts and decrypts using a passphrase that you will be asked to choose 7 Click OK to encrypt and sign your mail If you have elected to sign the encrypted data the Signing Key Pass phrase screen appears requesting your passphrase before the mail is sent 8 Enter your passphrase and then click OK If you do not send your email immediately but instead store it in your outbox you should be aware that when using some email applications the information is not encrypted until the email is actually transmitted Before queuing encrypted messages you should check to see if your application does in fact encrypt the messages in your outbox If it does not you can use PGPtray s Current Window option to encrypt your messages before queuing them in the outbox 33 PGP Desktop 34 Encrypting email to groups of recipients User s Guide You can use PGP to create group distribution lists For example if you want to send encrypted mail to 10 people at usergroup pgp
121. iated with each key The Wipe Contents button enables you to completely erase all data stored on the smart card see Wiping keys from your smart card on page 72 for more information Copying your public key from a smart card to a keyring Storing your keys on a smart card enables you to physically walk to a com puter a computer with a compatible smart card reader and PGP installed of course and automatically copy the public portion of your keypair to a PGP keyring on that system To copy your public key from your smart card to another user s keyring 1 2 3 Ch 10 Using Smart Cards Open PGPkeys Put your smart card into the smart card reader Wait for your key to display in PGPkeys When you see your key display it means that your public key has been copied onto the system Remove your smart card from the smart card reader Your public key remains on the system 71 PGP Desktop User s Guide Wiping keys from your smart card You can delete all the data stored on a smart card by using the Wipe Contents feature in the Smart Card properties window To wipe a smart card 1 Open PGPkeys 2 Put the smart card you want to wipe in the smart card reader A gold card icon 44 appears in the lower left of the PGPkeys window Removing a smart card from the smart card reader while wiping it may result in unpredictable behavior 3 Do one of the following Click the gold card icon in the lower
122. ich you made the certificate request b On the Server menu select Retrieve Certificate PGP contacts the CA server and automatically retrieves your new X 509 certificate and adds it to your PGP key When you add or change information in your keypair always update it on the key server so that your most current key can be available to anyone 136 Ch 16 Managing Keys User s Guide PGP Desktop Splitting and rejoining keys Any private key can be split into shares among multiple shareholders using a cryptographic process known as Blakely Shamir key splitting This tech nique is recommended for extremely high security keys For example PGP Corporation keeps a corporate key split between multiple individuals When ever we need to sign with that key the shares of the key are rejoined tempo rarily Split keys are not compatible with versions of PGP previous to 6 0 Creating a split key Ch 16 Managing Keys To split a key select the keypair to be split and choose Share Split from the Keys menu You are then asked to set up how many different shares will be required to rejoin the key The shares are saved as files either encrypted to the public key of a shareholder or encrypted conventionally if the shareholder has no public key After the key has been split attempting to sign with it or decrypt with it will automatically attempt to rejoin the key You cannot split a key generated on a smart card because the priv
123. ick OK The Microsoft Exchange Server screen appears the appearance of this screen varies depending on what version of Outlook you are using 5 Enter the full name of your Exchange Server in the Microsoft Exchange server field and enter your user login name in the Mailbox field 6 Click Check Name If the login information is entered correctly the names are underlined If you do not know what Exchange Server you are on or if the names did not underline then contact your Microsoft Exchange administrator 7 Click OK PGP continues the key generation process and adds your Microsoft Exchange email user ID to your new PGP key 8 When the key generation wizard indicates that it is done click Next 9 Click Finish PGP automatically puts your private key on your private keyring and your public key on your public keyring 104 Ch 14 Making Keys User s Guide PGP Desktop Creating a passphrase you will remember Ch 14 Making Keys Encrypting a file and then finding yourself unable to decrypt it is a painful les son in learning how to choose a passphrase you will remember Most applications require a single word password between three and eight letters For a couple of reasons we do not recommend that you use a sin gle word passphrase A single word password is vulnerable to a dictionary attack which consists of having a computer try all the words in the dictionary until it finds your password To protect against
124. ide PGP Desktop The Add Photo screen opens Add Photo Drag or paste a picture into the area below To choose a picture from a file click the Select File button For best results crop your picture to 120x144 Select File 2 Drag or paste your photograph onto the Add Photo screen or browse to it by clicking Select File The photograph can be from the Clipboard a JPG or BMP file For maximum picture quality crop the picture to 120 x 144 pixels before adding it to the Add Photo screen If you do not do this PGP will scale the picture for you 3 Click OK The Passphrase dialog box opens 4 Enter your passphrase in the space provided then click OK Your photographic user ID is added to your public key and is listed in the PGPkeys window When you add or change information in your keypair always update it on the key server so that your most current key can be available to anyone To replace your photographic ID 1 Open PGPkeys and select the photograph which is listed under your key Ge Ming Pa lt mingp acmecom net 9 2048 1024 DH DSS public key E Y Pradeep Brapal lt pradeepb acmecorp net gt 2048 1024 DH DSS key pair VW77777 e Pradeep Brapal lt pradeepb acmecom net gt 0 User ID Pr Pradeep Brapal lt pradeepb acmecom net DSS exportable sig 30 Photograph 0 Photograph Your photograph Choose Delete from the Edit menu Add your new photographic ID using the instr
125. ikely to be forgotten To confirm your entry press the TAB key to advance to the next line then enter the same passphrase again 7 Click OK Your keypair is reconstituted and appears in PGPkeys Ch 16 Managing Keys 145 PGP Desktop User s Guide 146 Ch 16 Managing Keys A Setting PGP Options This appendix describes how to set PGP options to suit your particular com puting environment About PGP Options PGP is configured to accommodate the needs of most users but you have the option of adjusting settings to suit your requirements You specify these set tings on the PGP Options screen To access the PGP Options screen do either of the following e Click the PGP icon in the System Tray called the PGPtray icon and select Options from the menu e Open PGP Keys pull down the Edit menu and select Options Setting General options Use the General tab to specify optional single sign on and file wiping set tings PGP Options General Files Email HotKeys Servers CA Advanced PGPdisk Options Always encrypt to default key ig Faster key generation Show PGPtray icon Comment block optional Single Sign On 8 O Cache passphrase while logged on Cache passphrase for 00 02 00 O Do not cache passphrase v Share passphrase cache among modules File Wiping y Number of passes 3 gt v Wam before user initiated wiping PGP Wipe exceeds the media sanitization r
126. ility to reorder delete insert or read SSL IPSec whispering in someone s ear self signed key A public key that has been signed by the corresponding private key for proof of ownership session key The secret symmetric key used to encrypt each set of data on a transac tion basis A different session key is used for each communication ses sion sign To apply a signature signature A digital code created with a private key Signatures allow authentication of information by the process of signature verification When you sign a message or file the PGP program uses your private key to create a digital code that is unique to both the contents of the message and your private key Anyone can use your public key to verify your signature Glossary User s Guide Glossary PGP Desktop S MIME Secure Multipurpose Mail Extension A proposed standard developed by Deming software and RSA Data Secu rity for encrypting and or authenticating MIME data S MIME defines a for mat for the MIME data the algorithms that must be used for interoperability RSA RC2 SHA 1 and the additional operational con cerns such as ANSI X 509 certificates and transport over the Internet SSL Secure Socket Layer Developed by Netscape to provide security and privacy over the Internet Supports server and client authentication and maintains the security and integrity of the transmission channel Operates at the transport layer and mimics the sock
127. ime text box Weekly This option runs your task on a weekly basis at the date and time you specify Enter the number of weeks you want between each disk wipe in the text box provided then choose a day from the Sched ule Task Weekly list Monthly This option runs your task once each month on the day and at the time you specify Enter the time in the text box provided then enter the day of the month on which you want the task to run Click Select Months to specify which months the task will run Once This option runs your task exactly once on the date and at the time you specify Enter the time in the text box provided then select a month and a date from the lists Run On text box At System Start up This option runs your task only upon system start up At Logon This option runs your task when you log on to your com puter When Idle This option runs your task when your system is idle for the amount of time you specify in the minutes text box Enter the time of day that you want the task to start in the Start Time box 45 PGP Desktop User s Guide 9 Specify how often you want the task to run in the Schedule Task Daily box 10 Click Advanced to open a dialog box where you can select additional scheduling options such as the start date the end date and the duration of the task 11 Click OK A confirmation dialog box appears Your new PGP folder or free space task is now scheduled To edit or delete your PGP tasks
128. inal encrypted version so that it remains secure To decrypt and verify email attachments using Lotus Notes 1 After decrypting the email message as instructed above double click on the attachment You can also decrypt attachments without first decrypting the email message Simply double click on the attachment click the Launch button and enter your PGP passphrase when prompted 2 Select Launch then click OK The PGP Enter Passphrase screen appears asking you to enter your pass phrase 3 Enter your passphrase then click OK The attachment is decrypted You can save the attachment in its decrypted state or you can save the original encrypted version so that it remains secure Ch 9 Using Lotus Notes 65 PGP Desktop User s Guide 66 Ch 9 Using Lotus Notes 10 Overview Using Smart Cards This chapter describes smart cards and tells you how to use them with PGP A smart card sometimes called an intelligent token is a portable device that includes a computer chip which lets it store data and perform computations Smart cards come in multiple form factors they can be plastic cards about the size of a credit card or keychain fobs with USB connectors on one end for example In order to use PGP with a smart card you must have a supported smart card reader and the appropriate software drivers installed on your system PGP Corporation strongly recommends using software drivers from the vendor who makes y
129. ing on page 71 for more information Note that copying your keypair to a smart card is different from creating a keypair directly on the smart card When you create a keypair directly on a smart card you must have the smart card on the system to use your private key When you have a keypair on your desktop and copy it to a smart card things work slightly differently In this case the private portion of your keypair resides on the smart card and on your desktop unless you choose to delete the private portion of your keypair from your system There are two main reasons to copy an existing keypair to your smart card e To use it as a backup for the keypair on your system and to copy your public key from the smart card to other people s keyrings In this case you would have two copies of the same private key one on the system where you originally created it and one on the smart card e To use it as your only copy of your private key just as if you d created it directly onto the smart card In this case you would need to delete the private key from your system PGP gives you the option to do this You would select this option if you started using smart cards after you had already created your PGP keypair and wanted to have the advantages of having your keypair on your smart card but didn t want to create a new keypair Finally when you copy your PGP keypair to a smart card the passphrase for the keypair that s on the smart card
130. ing information to render it unreadable to anyone except the intended recipient who must decrypt it to read it Fingerprint A uniquely identifying string of numbers and characters used to authenti cate public keys This is the primary means for checking the authenticity of a key See Key Fingerprint FIPS Federal Information Processing Standard A U S government standard published by NIST Firewall A combination of hardware and software that protects the perimeter of the public private network against certain attacks to ensure some degree of security Hash function A one way function that takes an input message of arbitrary length and produces a fixed length digest Hierarchical trust A graded series of entities that distribute trust in an organized fashion commonly used in ANSI X 509 issuing certifying authorities HTTP HyperText Transfer Protocol A common protocol used to transfer documents between servers or from a server to a client Glossary User s Guide Glossary PGP Desktop Hexadecimal Hexadecimal describes a base 16 number system That is it describes a numbering system containing 16 sequential numbers as base units includ ing O before adding a new position for the next number Note that we re using 16 here as a decimal number to explain a number that would be 10 in hexadecimal The hexadecimal numbers are O 9 and then use the letters A F IDEA International Data Encryption Standard A 6
131. ion that is supported by the PGP plug ins you have two choices depending on what type of email appli cation the recipient is using If you are communicating with other PGP users who have an email application that supports the PGP MIME standard you can take advantage of a PGP MIME feature to encrypt and sign your email mes sages and any file attachments automatically when you send them If you are communicating with someone who does not have a PGP MIME compliant email application you should encrypt your email with PGP MIME turned off to avoid any compatibility problems Refer to the following table for a list of plug ins and their features Eudora Outlook ue nce Saws PGP MIME Yes No No No No Auto decrypt No Yes Yes Yes Yes Encrypt HTML Yes Yes No Yes No Preserve text format Yes Yes No Yes No ting Encrypt attachments Yes Yes No Yes Yes Encrypt Sign defaults Yes Yes Yes Yes Yes Print decrypted email Yes Yes No Yes No Ch 4 Securing Email Securing Files This chapter describes how to use PGP to securely maintain files It describes how to use PGP to encrypt decrypt sign and verify files either for email or for secure storage on your computer It also describes the PGP Wipe and Free Space Wipe functions which delete files by erasing their contents completely from your computer Securing your files and folders with PGP You can use PGP to encrypt and sign files to use as email attachmen
132. irectory on an NTFS volume Win2000 and WiriXP only Choose an encryption algorithm CASTS Cipher Algorithm 128 bit Choose a filesystem format FAT v Mount it at startup 8 Select the desired options from the appropriate check boxes and lists On a drive letter Select the drive letter where you want to mount your new PGPdisk volume A list of available drives appears in the drive let ter list Your new PGPdisk volume appears at this location in your Win dows Explorer folder tree when mounted As a directory on an NTFS volume This option is only available on Windows 2000 systems Click this option if you want to mount your new PGPdisk volume as a directory on an NTFS volume Type the path to an empty directory in the space provided or browse to the desired location If you enter a path to a non existing directory on an NTFS volume you will be asked if you want to create a directory by that name Select Yes then enter your passphrase The directory appears in Windows Explorer on the NTFS volume you selected Right click on a drive letter in Windows Explorer and select Properties to iden tify the file format for that drive Choose an encryption algorithm Select the encryption algorithm you want to use to protect your data CAST5 Cipher Algorithm 128 bit CAST is a 128 bit block cipher It is a strong military grade encryption algorithm that has a solid reputa tion for its ability to withstand unauthorized ac
133. is value from 1 to 999 minutes 87 PGP Desktop User s Guide Maintaining PGPdisk volumes 88 This section describes how to automatically mount PGPdisk volumes when you start your system how to back up and exchange the data in these vol umes with others and how to re encrypt your PGPdisk volume Automatically mounting PGPdisk volumes You can automatically mount PGPdisk volumes when you first start your sys tem There are two ways to automatically mount a volume e Check the Mount at Startup check box in the Advanced Options dialog box during the creation of your PGPdisk volume e Check the Mount at Startup check box in the Properties dialog box of the PGPdisk Editor for the volume you want to automatically mount Mounting PGPdisk files on a remote server You can place PGPdisk volumes on any kind of server Windows or UNIX and allow them to be mounted by anyone with a Windows machine The first person to mount the volume locally has read write access to the vol ume No one else is then able to access the volume If you want others to be able to access files within the volume you must mount the volume in read only mode applies to FAT and FAT32 filesystem formats only All users of the vol ume then have read only access If the volume is stored on a Windows server you can also mount the volume remotely on the server and allow people to share the mounted volume How ever this action provides no security for th
134. is automatically changed from whatever it was to the PIN of the smart card However the passphrase for the keypair that was already on your system the keypair you copied to the smart card doesn t change Thus you end up with two copies of the same exact keypair each with their own passphrase If you decide to delete the private key from your system and just keep the pri vate key on your smart card this isn t a problem you just use the PIN of the smart card as the passphrase for your private key If however you choose to keep both keypairs then use the passphrase for the keypair on your system it takes precedence over the passphrase of the smart card Ch 10 Using Smart Cards 73 PGP Desktop User s Guide To copy an existing PGP keypair to your smart card 1 Put your smart card in the smart card reader Removing your smart card from the smart card reader while copying keys to the smart card may result in unpredictable behavior Open PGPkeys Select the keypair you want to copy to your smart card Diffie Hellman DSS keys are not supported on smart cards 4 Pull down the Server menu and choose Send To gt Smart Card A note appears informing you that once the keypair is copied to the smart card your PGP passphrase for this keypair will automatically change to the PIN belonging to the smart card 5 Click OK to continue The PGP Enter Passphrase screen appears 6 Enter the passphrase for your key then click OK The
135. isk volume Removing alternate users is similar to adding alternate users or changing a passphrase To remove alternate users 1 Ensure that the PGPdisk volume is not mounted You cannot remove alter nate users if the PGPdisk volume is mounted 2 Open the PGPdisk Editor for the volume you want to modify then select the user name you want to remove from the list 3 Select Remove from the User menu The Passphrase dialog box appears prompting you for either the adminis trator passphrase or the passphrase for the user being removed 4 Enter the passphrase and then click OK The user has been removed Specifying properties for a PGPdisk volume The Properties button in the PGPdisk Editor allows you to identify mounting options as well as view which encryption algorithm is being used for that specific volume and gives you the option to re encrypt the volume If you want to set PGP options which relate to all PGPdisk volumes see Setting PGP Disk options on page 160 To specify properties 1 Open the PGPdisk Editor for the volume you want to modify then click the Properties button or select Properties from the File menu The Properties dialog box appears 86 Ch 12 Using PGP Disk User s Guide PGP Desktop 2 Select the desired options by clicking the appropriate check boxes Re Encrypt If selected this option allows you to change the encryp tion algorithm of the PGPdisk or re encircle your PGPdisk w
136. it Encrypt Decrypt Verify and Sign options for data on the Clipboard so that you can use PGP on the contents of the Clipboard Ch 2 The PGP Desktop Interface 19 PGP Desktop User s Guide Windows Explorer You can also access PGP Desktop functions from Windows Explorer Simply open Windows Explorer and then select the items you want to work on File Edit View Favorites Tools Help Q Bak 7j d p gt Search lie Folders X i ER ddress ca Folders X Name Si Desktop bt a My Documents E P My Computer E Local Disk C 7 a aaprojects a AAA Expand Explore Open Search Sharing and Security Scan with Norton AntiVirus Send To gt PGP Encrypt Sign Encrypt amp Sign Decrypt amp Verify Wipe Create SDA Windows Explorer gives you access to different PGP Desktop functions depending on what you select e Drive If you right click a drive on your system in Windows Explorer and select PGP from the menu that appears you can do the following to the drive Encrypt Sign or Encrypt Sign it Decrypt amp Verify it Wipe free space on it Create a self decrypting archive SDA of the drive e Folder If you right click a folder in Windows Explorer and select PGP from the menu that appears you can do the following to the folder Encrypt Sign or Encrypt Sign it Decrypt amp Verify it Wipe it Create an SDA with the contents of the folder in the archive
137. ith the same encryption algorithm to change your underlying encryption key This may be necessary if you feel that the security of your PGPdisk has been compromised or if you have removed a user from the PGP disk and want to make absolutely sure he can never access it again An adept user may be able to search his computer s memory for the PGPdisk s underlying encryption key and save it in order to continue accessing the PGP disk even if he was removed from the user list Re encryption changes this underlying key and prevents him from gaining access Mount at startup Check this option to mount the PGPdisk volume at startup When checked you are prompted for your PGPdisk pass phrase at startup Override global auto unmount setting When checked this option allows you to override the global auto unmount setting originally spec ified in the PGP Options panel for the selected PGPdisk volume The global auto unmount setting in the PGP Options panel applies to all mounted PGPdisk volumes If you want a PGPdisk volume to auto unmount at a different time than the time specified in the global auto unmount setting then you must choose to override it Ch 12 Using PGP Disk The Auto unmount after 15 minutes of inactivity option is available when you have selected to override the global auto unmount setting This option allows PGP to automatically unmount the PGPdisk volume when your computer is inactive for the specified time You can set th
138. k If the file was encrypted with the Secure Viewer option enabled the decrypted text appears on a secure PGP screen in a special TEMPEST attack prevention font Other wise the message will appear in its original state Messages encrypted with the Secure Viewer option enabled cannot be saved in their decrypted state They are only viewable on the secure PGP screen after decryption Signing and decrypting files with a split key Whenever you want to sign or decrypt files with a split key you must rejoin the key before you can perform the signing or decrypting task See Rejoining split keys on page 139 for more information Permanently erasing files and free disk space As you create and delete sensitive files on your computer fragments from the data contained in the files remain in the free disk space of your computer When you delete a file normally by placing it in the Recycle Bin the name of the file is removed from the file directory but the data in the file remains on the disk Even when you empty the Recycle Bin the data is not completely erased until the operating system overwrites the free disk space Also many programs create temporary files while you edit the contents of your docu ments These files are deleted when you close the documents but your data is also left behind in free disk space In essence your sensitive files are never completely erased and with the proper tools someone could retrieve your previously
139. k ADK lt pradeepb acmecom n Ge Alice Cameron lt alicec acmecom net Ge Bob Reynolds lt bobr 2acmecorp net gt Ge Fumiko Asako fumikoa amp acmecorp net Ge Jose Medina lt josem acmecom net Ge Katerina Laval katerinal amp acmecorp net Hue Maria Fuentes lt mariaf acmecop net gt Er Ming Pa mingp amp acmecorp net UY Pradeep Brapal pradeepb amp acmecorp net a Samlaucsam amp enst fr Y SZho B3 amp ya com Sa SamRamier lt sram ny com gt Ge SJ Wilson lt sjwilson venet com gt Ge Vladimir Toskin vladimirt amp acmecorp net Ge Ower blewep osisuep eceyauksiorye Ge Atavayioc Avac lt a amp vac ayyewopn wou gt COOOL CLC CHEMOCeeoeoooe 2048 1024 2048 1024 2048 1024 2048 1024 2048 1024 2048 1024 2048 1024 2048 1024 2048 1024 2048 1024 2048 1024 2048 1024 Description Trust DH DSS public key DH DSS public key DH DSS public key DH DSS public key DH DSS public key DH DSS public key DH DSS public key DH DSS public key DH DSS public key Disabled DH DSS DH DSS public key DH DSS key pair Revoked RSA lega Expired DH DSS p RSA legacy public RSA public key DH DSS public key DH DSS public key DH DSS public key PGPkeys attribute definitions 116 Some of the attributes associated with keys can be displayed in the main PGPkeys window You can choose which attributes you want to make visible by selecting them from the View menu For each s
140. k cipher symmetric algorithm Twofish was one of five algorithms that the U S National Institute of Standards and Technology NIST considered for the new Advanced Encryption Standard AES opecial security precautions taken by PGPdisk PGPdisk takes special care to avoid security problems that other programs may not These include the following Passphrase erasure When you enter a passphrase PGPdisk uses it only for a brief time then erases it from memory PGPdisk also avoids making copies of the passphrase The result is that your passphrase typically remains in memory for only a frac tion of a second This feature is crucially important if the passphrase remained in memory someone could search for it in your computer memory while you were away from the machine You would not know it but they would then have full access to any PGPdisk volumes protected by this pass phrase Virtual memory protection Your passphrase or other keys could be written to disk as part of the virtual memory system swapping memory to disk PGPdisk takes care that the pass phrases and keys are never written to disk This feature is important because someone could scan the virtual memory file looking for passphrases Memory Static lon Migration Protection 94 When you mount a PGPdisk your passphrase is turned into a key This key is used to encrypt and decrypt the data on your PGPdisk volume While the passphrase is erased from memory immediately
141. keys on your PGP keyring 720 Sometimes you may want to temporarily disable a key which can be useful when you want to retain a public key for future use but you don t want it cluttering up your recipient list every time you send mail To disable a key 1 Open PGPkeys and select the key you want to disable 2 Select Disable in the Keys menu The key is dimmed and is temporarily unavailable for use Ch 16 Managing Keys User s Guide PGP Desktop To enable a key 1 Open PGPkeys and select the key you want to enable 2 Select Enable in the Keys menu The key becomes visible and can be used as before Examining and setting key properties General Ch 16 Managing Keys In addition to the general attributes shown in the PGPkeys window you can also examine and change other key and subkey properties The Key Properties window includes the General Subkeys Revokers and ADK tabs each of which gives you necessary information about a person s public key or the ability to create configure edit or delete attributes in your own public key The following sections describe each element in more detail key properties From the General tabbed page you can verify someone s public key using their key fingerprint grant trust to a key and change the passphrase on your own key as well as view other key attributes To access the General Key Properties panel for a particular key select the desired key and then ch
142. ks could not be unmounted e Allow forcible unmounting of PGPdisks with open files Normally you can t automatically unmount a PGPdisk volume if any of the files in that volume are open Checking this option allows forcible unmounting even with open files The Don t ask before forcibly unmounting a PGPdisk option allows PGP disk to automatically unmount a PGPdisk volume without first warning you of any files that may be open You may lose data if you unmount a PGPdisk volume that contains open files If you select Allow forcible unmounting of PGPdisks with open files you will receive a warning if there are open files in the PGPdisk volume you are unmounting You are not warned of open files if you select the Don t ask before forcibly unmounting a PGPdisk option 160 App A Setting PGP Options User s Guide PGP Desktop Auto unmount after 15 minutes of inactivity When checked this option causes PGPdisk to automatically unmount any mounted PGPdisk volumes when your computer is inactive for the number of minutes in the box You can set this value from 1 to 999 minutes PGPdisk cannot automatically unmount a PGPdisk volume if any of the files in that volume are open Auto unmount on computer sleep When checked this option causes PGP disk to automatically unmount any mounted PGPdisk volumes when your computer goes into Sleep mode Not all computer models have a sleep mode Put a checkmark next to Prevent sleep if any PGP
143. lable words while the odd list contains only three syllable words That suggestion came from Patrick Juola a computational linguist PGPfone was the application that precipitated the actual development of the word list by Juola and Zimmermann PGPfone is an application that turns your computer into a secure telephone We used it to authenticate PGPfone s initial Diffie Hellman key exchange without using digital signatures and public key infrastructures We knew we would end up using it for authenticating PGP key fingerprints when we applied it to PGP later The idea behind building the word lists was to develop a metric to measure the phonetic distance between two words then use that as a goodness mea sure to develop a full list Grady Ward provided us with a large collection of words and their pronunciations and Patrick Juola used genetic algorithms to evolve the best subset of Ward s list To briefly summarize what he did he made a large population of guesses and let the population sexually reproduce by exchanging words with other guesses and like biological evolution the better guesses survived into the next generation After about 200 generations the list had mostly stabilized into a best guess with far greater phonetic distance between the words than what we started with in the initial guess lists The first major hurdle was the development of the metric Linguists have studied sound production and perception for decades and th
144. lected to sign the encrypted data the Signing Key Pass phrase screen appears requesting your passphrase before the mail is sent Enter your passphrase and then click OK If you do not send your email immediately but instead store it in your outbox you should be aware that when using some email applications the information is not encrypted until the email is actually transmitted Before queuing encrypted messages you should check to see if your application does in fact encrypt the messages in your outbox If it does not you can use PGPtray s Current Window option to encrypt your messages before queuing them in the outbox Decrypting and verifying 64 To decrypt and verify email using Lotus Notes Open your email message as you normally do You will see a block of unintelligible ciphertext in the body of your email message Ch 9 Using Lotus Notes User s Guide PGP Desktop 2 To decrypt and verify the message click the PGP Decrypt Verify button on your toolbar L gt encrypt and sign X X Delete Folder Copy into Tools a PGP Decrypt Verify tm admin gua admin lotus The PGP Enter Passphrase screen appears asking you to enter your pass phrase 3 Enter your passphrase then click OK The message is decrypted If it has been signed and you have the sender s public key the signature verification will appear in the PGP Log You can save the message in its decrypted state or you can save the orig
145. leted click Cancel Clicking Cancel during file wipe can leave remnants of the file behind Many programs automatically save files in progress so back up copies of the file you deleted may exist PGP Corporation recommends that you run the Wipe utility on the back up copies as well as the original file to thoroughly erase it from your hard disk Using the Wipe Free Space Wizard to clean free disk space 42 Use the Wipe Free Space Wizard available from the PGPmail screen to clean your free disk space To wipe free space on your disks 1 On the PGPmail screen click the Freespace Wipe button to start the Freespace Wipe Wizard The Wipe Free Space Wizard appears 2 Read the information in the welcome screen then click Next to advance to the next dialog box The PGP Free Space Wipe Wizard prompts you to select the volume you want to wipe and the number of passes you want to perform Ch 5 Securing Files User s Guide PGP Desktop 3 In the Volume box select the disk or volume that you want PGP to wipe Then select the number of passes that you want PGP to perform The recommended guidelines are 3 passes for personal use 10 passes for commercial use 18 passes for military use 26 passes for maximum security Commercial data recovery companies have been known to recover data that has been over written up to nine times PGP uses highly sophisticated patterns dur ing each wipe to ensure that your
146. lic key from you To put your public key on a keyserver 1 Open PGP Keys The PGP Keys screen appears Pull down the Server menu select Send To then slide over and down to the keyserver of your choice Your public key is uploaded to the keyserver you selected Ch 3 Making a Keypair and Working with Public Keys 27 PGP Desktop User s Guide Getting someone s public key from a keyserver 28 For you to send an encrypted email message to someone else you need to get their public key first To get someone s public key from a keyserver 1 2 Open PGPkeys Choose Search from the Server menu or click the Search button in PGP keys The PGPkeys Search Window screen appears Choose the server you wish to search from the Search for keys on drop down menu Specify your search criteria For example User ID contains John Galt This would find the keys with the name John Galt in their user ID Click More Choices to add additional criteria to your search for example Key IDs with the name Susan Jones created on or before March 6 2002 Click Search A progress bar appears displaying the status of the search To cancel a search in progress click Stop Search The results of the search appear in the window To import a key drag it from the search window onto the PGP Keys win dow and drop it there You can import multiple keys at one time if you wish Close the PGPkeys Search Window screen C
147. lid Use this check box to specify whether to treat all marginally valid keys as invalid Selecting this option causes the Key Selection dialog box to appear whenever you encrypt to marginally valid keys e Warn when encrypting to keys with ADKs Use this check box to specify whether to issue a warning whenever an encrypt to key has an associated Additional Decryption Key e Export Format The options are Compatible Exports keys in a format compatible with previous ver sions of PGP Complete Exports the new key format which includes photographic IDs and X 509 certificates App A Setting PGP Options User s Guide PGP Desktop e Smart card support Select the type of smart card you want PGP to sup port You can only support one type of smart card at any given time Your options are None Select this option if you do not have a smart card reader installed or you do not want PGP to support any type of smart card Aladdin Select this option if you want to use the Aladdin eToken Pro product line of USB smart cards with PGP Gemplus Select this option if you want to use GemPlus GemSafe Enterprise brand smart cards with PGP Rainbow Select this option if you want to use Rainbow Key 20XX brand smart cards with PGP Schlumberger Select this option if you want to use Schlumberger Cryptoflex brand smart cards with PGP Other Select this option if you are using a type of smart card other than Aladdin eToken Ge
148. lower left corner of the PGPkeys window Pull down the View menu and select Smart Card Properties The Smart Card window appears Smart Card aa Properties Contents Identification Manufacturer Aladdin Knowledge Systems Ltd Model eToken Card0S M Serial number 0001d922 Capabilities Supported key generation ASA 8 to 1024 bits Passphrase PIN length 4 to 16 characters Status Private keys on card The Properties tab displays information about the card including the name of the manufacturer the smart card model the serial number associated with the smart card its capabilities including the type of PGP key that the card can store and the number of characters your PIN may contain the total number of private keys you currently have on the smart card including subkeys 70 Ch 10 Using Smart Cards User s Guide PGP Desktop 4 To view a list of the keys stored on the smart card or to wipe the con tents of the smart card click the Contents tab Smart Card Properties Contents Keys Validity Size Description BY Steve Wilson lt swilson pgp com gt V 1024 1024 RSA key pair on 5n Wipe Contents The Contents tab displays information about the PGP data stored on the smart card Under Keys a list of the keys stored on the smart card dis plays You can find out more information about each key by viewing the signatures and user IDs assoc
149. lowing options e Preferred Algorithm Select your preferred algorithm The choices are AES The default The new Advanced Encryption Standard AES cho sen by the National Institute of Standards and Technology NIST is Rijndael a block cipher designed by Joan Daemen and Vincent Rijmen It is considered to be both faster and smaller than its competitors Selecting this option allows PGP to use key and block sizes of 256 192 and 128 bits in order of preference CAST CAST is a 128 bit block cipher It is a strong military grade encryption algorithm which has a solid reputation for its ability to withstand unauthorized access TripleDES If you want to use Triple DES then you must make the selection before you generate your keys Triple DES is a U S Govern ment algorithm that has withstood the test of time It s an encryption configuration in which the DES algorithm is used three times with three different keys IDEA If you want to use IDEA then you must make the selection before you generate your keys IDEA is the algorithm used for all RSA Legacy keys generated by PGP App A Setting PGP Options 157 PGP Desktop 158 User s Guide Twofish Twofish is a 256 bit block cipher symmetric algorithm Twofish was one of five algorithms that the U S National Institute of Standards and Technology NIST considered for the Advanced Encryption Standard AES Rijndael was the chosen algorithm For
150. mSafe GemPlus Rainbow or Schlumberger You will be asked to enter the filename for the DLL for the card you want PGP to support e Software Update Put a checkmark next to Automatically check for updates if you want PGP to automatically check for software updates at startup If a newer version of PGP is available a notification screen appears with a link that lets you download the new version e Automatic keyring backup when PGPkeys closes Select this check box to back up your public and private keyrings automatically when you close PGP Back up to keyring folder Select this option to store your keyring back up files in the default PGP keyring folder Back up to Select this option to specify the location in which you want to store your backup files Click OK to save your changes and close the PGP Options screen or select another tab to continue configuring your PGP options App A Setting PGP Options 159 PGP Desktop User s Guide Setting PGP Disk options The PGPdisk tab lets you to specify how you want to unmount existing vol umes PGP Options General Files Email HotKeys Servers CA Advanced PGPdisk Unmount Options v Allow forcible unmounting of PGPdisks with open files C Don t ask before forcibly unmounting a PGPdisk Auto Unmount Options Y Auto unmount after 15 minutes of inactivity v Auto unmount on computer sleep Prevent sleep if any PGPdis
151. mation Cautions indicate the possibility of loss of data or minor damage to equip ment A Caution tells you about a situation with the potential for loss of data or minor damage to equipment Special attention should be paid to Cautions Introduction User s Guide PGP Desktop Warnings indicate the possibility of significant damage to equipment or injury to human beings A Warning means that your equipment may be damaged or someone could be injured Please take Warnings seriously Introduction 13 PGP Desktop User s Guide 14 Introduction 1 PGP Basics This chapter introduces you to PGP Pretty Good Privacy Desktop software Overview PGP Desktop is a tool for keeping your data safe It encrypts scrambles your data so that if an unauthorized person gets hold of it they can t make heads or tails of it Naturally when you want to use it it gets changed back to nor mal decrypted For lots of information about encryption see An Introduction to Cryptogra phy which was installed on your computer when PGP was installed Conventional and public key cryptography There are two kinds of cryptography the science that includes encryption conventional and public key Conventional cryptography uses the same passphrase to encrypt and decrypt data Conventional cryptography is great for data that isn t going anywhere because it encrypts and decrypts quickly However conventional cryptogra phy isn t as well sui
152. me operating system as they were cre ated under In other words you can t open an SDA on a Macintosh if it was cre ated by the Windows version of PGP and vice versa Creating an SDA To create an SDA 1 Select the files directories or drive you want to include in the SDA 2 Right click on your selection slide down to PGP then over and down to Create SDA File Edit View Favorites Tools Help Qs gt amp d pa Search Es Folders IES ES Xx i EE Address lt C Folders X Name 4 Size Type a Desktop 5 Documents and Settings File Folder E My Documents DRIVERS File Folder El Y My Computer program Files File Folder ss Local Disk C S wInDowS File Folder El DVD CD RW Drive D wutemp File Folder J Control Panel mm 34KB JPGFile El E Shared Documents Preview S O Documents Open r7 3 My Network Places Edit Recycle Bin Print Open With gt Scan with Norton AntiVirus Send To PGP gt Encrypt Sign Encrypt amp Sign Wipe Create SDA Ch 7 Self Decrypting Archives 55 PGP Desktop User s Guide The Enter Passphrase screen appears 3 Enter the passphrase you want to use for this SDA then enter it again for confirmation You must be able to securely communicate this passphrase to the person who is going to be decrypting the SDA 4 If you are creating an SDA with a file or files specifically selected that is not on the drive or in a directory but s
153. mpose your email message as you nor mally would If you are sending sensitive email consider leaving your subject line blank or creating a subject line that does not reveal the contents of your encrypted mes sage 2 When you have finished composing the text of your email message click on the PGPtray icon and select Encrypt Sign or Encrypt amp Sign from the Current Window menu Select the public key of the recipient of the message and click OK Encrypted text appears in the email message window Send your message as you normally do If you have a copy of the public keys for every one of the recipients the appropriate keys are automatically used and the message is sent 37 PGP Desktop 32 User s Guide However if you specify a recipient for whom there is no corresponding public key or one or more of the keys have insufficient validity the PGP Recipient Selection screen appears so that you can specify the correct key You can force the PGP Recipient Selection screen to appear even if you have a valid copy of the public keys for every one of the recipients by holding down Shift when you click Send You should do this if you want to use the Secure Viewer or Conventional Encrypt features and you do not want your message to be sent automatically ds Recipient Selection Drag users from this list to the Recipients list Validity Size Acme Corp ADK lt pradeepb acmecorp net gt o 2048 1024 Acme Corp CSK lt pr
154. n documents without knowledge of content similar to a notary public Block cipher A symmetric cipher operating on blocks of plain text and cipher text usu ally 64 bits CA Certificate Authority A trusted third party TTP who creates certificates that consist of asser tions on various attributes and binds them to an entity and or to their pub lic key CAPI Crypto API Microsoft s crypto API for Windows based operating systems and applica tions CAST A 64 bit block cipher using 64 bit key six S boxes with 8 bit input and 32 bit output developed in Canada by Carlisle Adams and Stafford Tavares Certificate digital certificate An electronic document attached to a public key by a trusted third party which provides proof that the public key belongs to a legitimate owner and has not been compromised Certification Endorsement of information by a trusted entity Certify To sign another person s public key Certifying authority One or more trusted individuals who are assigned the responsibility of cer tifying the origin of keys and adding them to a common database Ciphertext Plaintext converted into a secretive format through the use of an encryp tion algorithm An encryption key can unlock the original plaintext from ciphertext Clear signed message Messages that are digitally signed but not encrypted Clear text Characters in a human readable form or bits in a machine readable form also called plain text
155. next text box then enter the same passphrase again The suggested minimum size for a passphrase is eight characters Normally as an added level of security the characters you enter for the passphrase are not visible on the screen However if you are sure that no one is watching either physically or over the network and you would like to see the characters of your passphrase as you type click the Hide Typing box Your security is only as good as your passphrase Ch 11 PGP Disk Basics 12 Click Next A progress bar indicates how much of the PGPdisk volume has been initialized and formatted 13 Click Next to mount your PGPdisk 14 Click Finish to begin working with your new PGPdisk volume Your PGPdisk volume appears in a Windows Explorer window 79 PGP Desktop User s Guide Mounting a PGPdisk volume When you create a new volume the PGPdisk program automatically mounts it so you can begin using it to store your files When you are ready to secure the contents of the volume you must unmount it Once a volume is unmounted its contents remain secured in an encrypted file where it is inaccessible until the volume is once again mounted There are several ways to mount a PGPdisk volume e Find the file for the PGPdisk in Windows Explorer and double click it e In Windows Explorer right click the PGPdisk file and select PGP gt Mount PGPdisk e In PGPtray select PGPdisk gt Mount Disk e n the PGPdisk
156. ok of Applied Cryptography Alfred Menezes Paul van Oorschot and Scott Vanstone CRC Press 1996 ISBN 0 8493 8523 7 This is the technical book you should get after Schneier There is a lot of heavy duty math in this book but it is nonetheless usable for those who do not under stand the math Journal of Cryptology International Association for Cryptologic Research IACR See www iacr org Advances in Cryptology conference proceedings of the IACR CRYPTO conferences published yearly by Springer Verlag See www iacr org The Twofish Encryption Algorithm A 128 Bit Block Cipher Bruce Schneier et al John Wiley amp Sons Inc 1999 ISBN 0471353817 Con tains details about the Twofish cipher ranging from design criteria to algo rithm cryptanalysis Politics of cryptography Introduction Web sites www epic org Electronic Privacy Information Center www crypto org Internet Privacy Coalition www eff org Electronic Frontier Foundation www privacy org privacy org Great information resource about privacy issues www cdt org Center for Democracy and Technology www philzimmermann com Phil Zimmermann s home page his Senate testimony and so on Books Privacy on the Line The Politics of Wiretapping and Encryption Whitfield Diffie and Susan Landau The MIT Press 1998 ISBN 0 262 04167 7 This book is a discussion of the history and policy surrounding cryptogra phy and communications security It is an excellent
157. olume or move or save your files to the volume When the volume is unmounted it is inaccessible to anyone who does not know your secret passphrase Even a mounted volume is protected it is stored in encrypted format unless a file or application is in use If your computer should crash while a volume is mounted the volume s contents remain encrypted Accessing PGPdisk Ch 11 PGP Disk Basics PGPdisk can be accessed from the PGPtray click the PGPtray icon slide up to PGPdisk then slide over and select the appropriate command About PGP License Help Options PGPkeys Mount Disk 14 PGPmail New Disk Edit Disk Current Window Clipboard Unmount All Disks The PGPdisk menu on the PGPtray provides a convenient means of creating and mounting volumes 75 PGP Desktop User s Guide PGP Disk options are Mount Disk Mounts the specified PGPdisk volume provided that the cor rect passphrase is entered New Disk Displays the PGPdisk wizard which guides you through the process of creating a new PGPdisk volume Edit Disk Opens the PGPdisk Editor where you can perform administra tive tasks to a PGPdisk volume Unmount All Disks Unmounts all existing PGPdisk volumes and stores them in encrypted format Working with PGPdisk in Windows Explorer 76 Windows Explorer can be used to perform the primary PGPdisk operations Mounting PGPdisk volumes Unmounting already mounted PGPdisk
158. on page 147 Using the Wipe Free Space Wizard to clean free disk space Use the PGP Wipe Free Space Wizard to clean your free disk space To wipe free space on your disks 1 On the PGPmail screen click the Freespace Wipe button The Welcome screen of the Wipe Free Space Wizard appears Wipe Free Space Wizard Welcome to the PGP Wipe Free Space Wizard When a file is deleted by your computer the data that was in the file actually remains on your hard drive Over time this leads to a large amount of potentially sensitive data left behind in random places on your drive Using PGP s file wiping feature when you delete files solves only part of the problem because many files are created and deleted by applications or operating system without your knowledge PGP s volume wiping cleans all the free space on your hard drive which does not contain actual file data including all deleted files their directory entries and the little areas after the end of existing files which may still have old data left behind 2 Read the information then click Next 48 Ch 6 Wiping User s Guide Ch 6 Wiping PGP Desktop The Gathering Information screen appears Wipe Free Space Wizard Gathering Information Please select which volume you wish to wipe and the number of passes you wish to perform Volumes often contain lots of freespace The more freespace there is on a volume the longer it will take to perform each pass Y
159. on your current keyring when you address mail to a particular recipient 107 PGP Desktop 102 5 User s Guide In the Key Type box select the type of key you want to create If you do not know which key type is the right choice for you see Choosing a key type on page 97 In the Key Size box select the number of bits you want your new key to be made of For Diffie Hellman DSS or RSA keys select a key size from 1024 to 4096 bits For RSA Legacy keys select a key size from 1024 to 2048 bits A large key size may take a long time to generate depending on the speed of the computer you are using It may also take a long time if you have Faster key generation turned off in the General tab of the PGP Options screen The key size corresponds to the number of bits used to construct your dig ital key The larger the key the less chance that someone will be able to crack it but the longer it takes to perform the decryption and encryption process You need to strike a balance between the convenience of per forming PGP functions quickly with a smaller key and the increased level of security provided by a larger key Unless you are exchanging extremely sensitive information that is of enough interest that someone would be willing to mount an expensive and time consuming cryptographic attack in order to read it you are safe using a key composed of 1024 bits Indicate when you want your keys to expire You can either use the default
160. oncepts in PGP Desktop please refer to An Introduction to Cryptography it was put onto your computer when you installed PGP Desktop Licensing PGP Desktop uses a license number system to determine what features will be active on your computer Following is a brief description of that system For complete information and purchase options go to https store pgp com Licensing options When you start PGP Desktop for the first time after installation the PGP License screen appears it s also available via the License command on the PGP menu You have two options you can enter your PGP Desktop license information there are two ways of doing this described below or you can use the PGP software unlicensed for non commercial use only this is called PGP Freeware Commercial use of PGP Freeware is a violation of the License Agreement If you choose the second option PGP Freeware and you are legally permitted to do so under the end user license agreement for non commercial use then you will be able to use PGPmail PGPkeys and PGPtray The email plugins and PGPdisk will not be available Introduction 7 PGP Desktop User s Guide If you use a licensed version of PGP the functionality that will be available depends on the type of license you purchased Personal Desktop or Enter prise For complete information about PGP license and purchase options go to https store pgp com Entering your license information There a
161. onfident you are that the key actually belongs to the alleged owner and indicate how well you trust the owner of the key to vouch for the authenticity of other users keys For a complete explanation of the key management functions you per form from the PGPkeys window see Chapter 16 Managing Keys Generating a custom key Ch 14 Making Keys If you want to specify the type of key to generate specify a key size and set an expiration date then follow the instructions below on how to generate a custom key To generate a custom keypair To create a new keypair 1 Open PGPkeys 2 Click s in the PGPkeys menu bar 3 At the Key Generation Wizard Welcome screen click the Expert button The Key Generation Wizard Expert panel appears PGP Key Generation Wizard Expert Key Parameter Selection Enter the parameters which will be used to generate your key pair Full name Email address Key type Diffie Hellman DSS v Key size 2048 1024 4096 Key expiration never O More Information 4 Enter your name in the Full Name box and your email address in the Email Address box It is not absolutely necessary to enter your real name or even your email address However using your real name makes it easier for others to iden tify you as the owner of your public key Also by using your correct email address you and others can take advantage of the plug in feature that automatically looks up the appropriate key
162. onstruct the key Each piece is then encrypted with the hash the uniquely identifying number of one answer If you know any three answers you can successfully recon struct the whole key 108 Ch 14 Making Keys 15 Overview Exchanging Keys This chapter tells you about how to exchange keys that is how to distribute your public key so that others can send you encrypted messages and how to get the public keys of others so that you can send encrypted messages to them It also describes how to validate someone s public key After you create your keypair you need to exchange keys with those whom you intend to exchange encrypted messages You make your public key avail able to others so that they can send you encrypted information and verify your digital signature to send encrypted messages to them you will need their public keys Your public key is basically composed of a block of text so it is quite easy to make it available through a public keyserver include it in an email message or export or copy it to a file The recipient can then use whatever method is most convenient to add your public key to his or her public keyring Finally once you have someone s public key you should validate it to make sure it belongs to the person to whom it s supposed to belong Distributing your public key You can distribute your public key in various ways e Make your public key available through a public keyserver e Inclu
163. oose Properties from the Keys menu Pradeep Brapal lt pradeepb acmecorp net gt General Subkeys ID OxF6ED5F66 Type DH DSS Size 2048 1024 Created 11 11 2002 Expires Never Cipher AES 256 Change Passphrase Fingerprint SECI BADO FBD2 4BEC 3109 5B66 E4BD EEBD FEED 5F56 Hexadecimal Trust Model Implicit Trust 127 PGP Desktop User s Guide Verifying someone s public key In the past it was difficult to know for certain whether a key belonged to a particular individual unless that person physically handed the key to you on a floppy disk Exchanging keys in this manner is not usually practical especially for users who are located many miles apart There are several ways to check a key s fingerprint but the safest is to call the person and have them read the fingerprint to you over the phone Unless the person is the target of an attack it is highly unlikely that someone would be able to intercept this random call and imitate the person you expect to hear on the other end You can also compare the fingerprint on your copy of some one s public key to the fingerprint on their original key on a public server The fingerprint can be viewed in two ways in a unique list of words or in its hexadecimal format To check a public key with its digital fingerprint 1 Open PGPkeys and select the public key you want to verify 2 Choose Properties from the Keys menu or click to open the Properties sc
164. or more information on setting PGP options see Setting PGPdisk options on page 73 There are several ways to unmount a volume e In Windows Explorer right click on the PGPdisk file and select PGP gt Unmount PGPdisk e n the PGPdisk Editor click the Unmount button or select Unmount from the File menu e n PGPtray select PGPdisk gt Unmount All Disks e Enable a key shortcut the default is Ctrl Shift U to unmount all PGPdisks For details more information see Setting HotKey options on page 65 Once a volume is unmounted its contents are locked in the encrypted file associated with the volume The contents of the volume are stored in the encrypted file and its contents remain inaccessible until the volume is once again mounted lt may help to view PGPdisk volumes as a window that pro vides a view to the data in the encrypted file The contents of a PGPdisk vol ume file only become available when the file is mounted as a volume by someone who knows a valid passphrase Ch 11 PGP Disk Basics 81 PGP Desktop User s Guide 82 Ch 11 PGP Disk Basics 12 Using PGP Disk This chapter explains how to create mount and unmount existing PGPdisk volumes and how to specify properties that protect volume contents by unmounting them under certain circumstances Working with PGPdisk in a PGPdisk Editor Ch 12 Using PGP Disk The PGPdisk Editor is used for administrative tasks you perform on your PGP
165. orated key reconstruction as part of your com pany s security policy you will be prompted to enter additional secret infor mation when you create your PGP keypair or when you choose Send to Key Reconstruction Server from the Server menu in PGPkeys Your administrator may also supply you with a user ID and password so that you can log on to the key reconstruction server Once your key is on the server you can restore it at anytime by selecting Reconstruct Key from the Keys menu in PGPkeys You cannot reconstruct a key that was generated on a smart card because the private portion of the keypair is non exportable To send your key to your company s key reconstruction server 1 If the Key Reconstruction screen opened automatically as you created a keypair continue with Step 3 otherwise open PGPkeys and select your keypair 2 Open the Server Send To menu and select Reconstruction Server Ch 14 Making Keys 107 PGP Desktop User s Guide The Key Reconstruction screen appears Key Reconstruction If you ever lose your passphrase or key PGP will allow you to reconstruct your key pair using information which you supply now Enter 5 answers to questions that only you would know The questions shown are only examples You should try to come up with your own questions You must be able to remember 3 of these answers if you ever need to reconstruct your key pair Prompt 1 What did we do at that camp Answe
166. ostes E M Ed AE amp OE 97 IMakirig a keyDal sr ninm AA A A EUR UR UR BAL OE UR i 98 Generating a custom Key 0 94m PA R3 RE A REOR Rex PE ER 101 Adding your email ID from Exchange Server to your new key 104 Creating a passphrase you will remember leen 105 Changing your Keypa suae md uei wees EM ca dE EE AAA EX 106 Protecting your Keys sut eo ALORS RS ESRB RES eSI I 106 PGP key reCONStMIClION was z aee rane i c eis RR XE wb Pa RES SU wee os 107 Chapter 15 Exchanging Keys 2 lk pem a XE gw ls ia 109 OVVIE WW ecient IS E a Ee pdt AI vC e uere 2 ane tte ap s 109 Distributing your public Key llle 109 Obtaining the public keys of others oo ooo ees 112 Validating REVS ss ac SS o e a SEE ES ei uut 114 Chapter 16 Managing Keys o ooo e 115 ONIS Wrona ARI ets o Pa A E ef se UE dt 115 The POPKEBVSSCIBBIT q oz a a a a Oe ale a 115 PGPkeys attribute definitions nes sias esd a ea ce es 116 Specifying a default keypair on your PGP keyring o 119 Importing and exporting keys on your PGP keyring 120 Deleting a key or signature on your PGP keyring 0000 o 120 Disabling and enabling keys on your PGP keyring o o 120 Table of Contents v PGP Desktop User s Guide Examining and setting key properties o ooo es 121 S bkeys Properties s sos a a e a ie n 128 Designated revoker prope
167. ot be easily read The default setting is 70 which prevents prob lems with most applications If you change the word wrap setting in PGP make sure that it is less than the word wrap settings in your email application If you set it to be the same or a greater length carriage returns may be added that invalidate your PGP signa ture Click OK to save your changes and close the PGP Options screen or select another tab to continue configuring your PGP options Setting HotKeys options Use the HotKeys tab to specify keystroke shortcuts for PGP functions PGP Options General Files Email HotKeys Servers CA Advanced PGPdisk HotKeys amp Purge passphrase caches Ctrl F12 Unmount all PGPdisks Ctrl Shift U Encrypt current window Ctrl Shift E Sign current window Ctrl Shift Encrypt amp Sign current window Ctrl Shift C K KI Decrypt amp Verify current window Ctrl Shift D Make your selections for the following options 152 Purge passphrase caches The default hotkey is Ctrl F12 Unmount all PGPdisks The default hotkey is Ctrl Shift U Encrypt current window The default hotkey is Ctrl Shift E Sign current window The default hotkey is Ctrl Shift S App A Setting PGP Options User s Guide PGP Desktop e Encrypt amp Sign current window The default hotkey is Ctrl Shift C e Decrypt amp Verify current window The default hotkey is Ctrl Shi
168. ou should balance out your need for security with the time needed to wipe a volume The more passes you choose to perform the more securely the free space will be wiped PGP uses heavily researched techniques and patterns designed specifically for overwriting data on magnetic and optical media Most users should be fine with 1 to 3 passes however the wiping algorithms continue to increase security up to 26 passes Wipe drive C N x with 3 passes In the Wipe Drive box select the disk or volume you want PGP to wipe and the number of passes you want PGP to perform The recommended guidelines are 3 passes for personal use 10 passes for commercial use 18 passes for military use 26 passes for maximum security Commercial data recovery companies have been known to recover data that has been overwritten up to nine times PGP uses highly sophisticated patterns dur ing each wipe to make sure your sensitive data cannot be recovered 4 Choose whether to wipe internal NTFS data structures If the selected partition is not your boot partition you may perform an intensive wipe operation that overwrites internal NTFS data structures that may hold residual data The partition will be completely filled during this process and as such you should not use the disk for anything else while this operation is in progress Some of these structures are not gener ally considered free space on your drive but the techniques employed
169. ou want PGP to perform The recommended guidelines are 3 passes for personal use 10 passes for commercial use 18 passes for military use 26 passes for maximum security Commercial data recovery companies have been known to recover data that has been over written up to nine times PGP uses highly sophisticated patterns dur ing each wipe to ensure that your sensitive data cannot be recovered 4 Click Next to continue 5 When the Perform Wipe screen opens click the Schedule button 6 When the Schedule screen appears click OK to continue If you are running Windows NT the Windows NT Confirm Password dia log box appears Enter your Windows NT login password in the first text box Press Tab to advance to the next text box and confirm your entry by entering your password again Click OK Ch 5 Securing Files User s Guide Ch 5 Securing Files PGP Desktop The Windows Task Schedule screen appears Please review edit the schedule for this job PR Schedule C At 1 27 PM every day starting 11 17 2002 i Schedule Task Start time DET oa 5 Schedule Task Daily Every 1 day s C Show multiple schedules Choose how often you want the task to run from the Schedule Task area Your choices are Daily This option runs your task once at the time you specify on the days you indicate Click OK to close the dialog box then enter the time you want to run the task each day in the Start T
170. our smart card reader They must include the PKCS 11 the cryptographic token interface standard library You can create and store your PGP keys on a smart card and access them using a PIN rather than a passphrase The smart card has the added protec tion of being with you at all times a key on a smart card is less vulnerable than the same key stored on your computer The private portion of your keypair that is generated on a smart card never leaves the smart card it s not exportable Decryption and signing operations take place directly on the card The exception to this is if you generate a key pair on your desktop rather than on the smart card and then afterwards copy the keypair to your smart card You must specify the smart card type in the Advanced tab of the PGP Options screen before you can generate a PGP keypair on a smart card Refer to Set ting Advanced options on page 157 for more information Generating a keypair on a smart card Make sure to specify the appropriate smart card type in the Advanced tab of the PGP Options screen before you generate a PGP keypair on your smart card If you don t the smart card check box will not display Ch 10 Using Smart Cards 67 PGP Desktop User s Guide To generate a PGP keypair on a smart card 1 Put your smart card in the smart card reader Removing your smart card from the smart card reader while generating a key pair on the smart card may result in unpredict
171. p net gt 2048 1024 Bob Reynolds bobr Bacmecorp net gt 2048 1024 lt Fumiko Asako lt fumikoa Bacmecorp net gt 2048 1024 Jose Medina lt josem acmecorp net gt 2048 1024 E A PX anima Some recipient keys are not valid Please verify that these recipients are correct per Encryption Cancel Help options Conventional Encryption 4 Drag the public keys for those who are to receive a copy of the encrypted email message into the Recipients list box You can also double click any of the keys to move it from one area of the screen to the other The Validity icon indicates the minimum level of confidence that the public keys in the Recipient list are valid This validity is based on the signatures associated with the key You can choose from the following encryption options depending on the type of data you are encrypting e Secure Viewer Select this option to protect the data from TEMPEST attacks upon decryption If you select this option the decrypted data is displayed in a special TEMPEST attack prevention font that is unreadable to radiation capturing equipment and cannot be saved in decrypted format For more information about TEMPEST attacks see the section on vulnerabilities in An Introduction to Cryptography The Secure Viewer option may not be compatible with previous versions of PGP Messages encrypted with this option enabled can be decrypted by previ ous versions of PGP however this f
172. passwords both of you are still using the same key to encrypt the data While it is not a trivial opera tion to recover the key it is not impossible You can change the underlying key by re encrypting the PGPdisk volume 96 Ch 13 PGP Disk Technical Details 14 Making Keys This chapter describes how to generate the public and private keypairs that you need to correspond with other PGP users It also explains how to distrib ute your public key and obtain the public keys of others Choosing a key type Ch 14 Making Keys PGP provides you with two key types to choose from Diffie Hellman DSS and RSA Versions of PGP prior to 5 0 used RSA keys exclusively Versions later than 5 0 introduced the ElGamal variant of Diffie Hellman technology With PGP versions 7 0 and above the RSA key format has been improved to provide support for features previously available only to Diffie Hellman DSS keys support for Additional Decryption Keys ADKs designated revokers multiple encryption subkeys and photo ID features These features are not available to users with RSA keys created prior to Version 7 0 now known as RSA Legacy keys Which key type is the right choice for you e Choose Diffie Hellman DSS or RSA if you want to take advantage of many PGP key features Additional Decryption Keys ADKs designated revok ers multiple encryption subkeys and photo IDs e Choose RSA or RSA Legacy if you plan to correspond with people w
173. pears Enter your Windows NT login password in the first text box Press Tab to advance to the next text box and confirm your entry by entering your password again Click OK 57 PGP Desktop User s Guide The Windows Task Schedule screen appears Please review edit the schedule for this job Schedule 4C A 1 27 PM every day starting 11 17 2002 Schedule Task Start time Daily vw 1 27PM E Schedule Task Daily Evey 1 a day s v C Show multiple schedules 7 Choose how often you want the task to run from the Schedule Task area Your choices are Daily This option runs your task once at the time you specify on the days you indicate Click OK to close the dialog box then enter the time you want to run the task each day in the Start Time text box Weekly This option runs your task on a weekly basis at the date and time you specify Enter the number of weeks you want between each disk wipe in the text box provided then choose a day from the Sched ule Task Weekly list Monthly This option runs your task once each month on the day and at the time you specify Enter the time in the text box provided then enter the day of the month on which you want the task to run Click Select Months to specify which months the task will run Once This option runs your task exactly once on the date and at the time you specify Enter the time in the text box provided then select a month and a date from t
174. pecifically selected you ll be prompted to confirm the filename and location of the SDA If no file is specifically selected you won t be prompted for a filename or location 5 Click Save PGP creates the SDA with contents you specified The default filename for an SDA with a file or files specifically selected is the name of one of the files in the SDA with sda exe appended The default filename for an SDA with no files specifically selected that is just directories or drives is the name of one of the directories or drives with sda exe appended Unless you specified otherwise the SDA is saved in the same location as the original files Opening an SDA To open an SDA 1 Double click the SDA file It should have an extension of sda exe The PGP Self Decrypting Archive Enter Passphrase screen appears 2 Enter the appropriate passphrase and specify a location for the files in the SDA to be decrypted to then click OK The SDA is decrypted If you are decrypting the SDA in the same location as where you got the files that are in the SDA you will be prompted to save the files to a different location or with a different name so as not to overwrite the original files 56 Ch 7 Self Decrypting Archives About ICO Securing ICO This chapter describes how PGP can secure your ICO communications Ch 8 Securing ICO ICO I Seek You is an Internet application that allows you to communicate with
175. r 1 Prompt 2 What is my favorite item Answer 2 o Prompt 3 What was on my chair Answer 3 _ Prompt 4 Where is that secret place Answer 4 O O Prompt 5 Where did hide the toys Amwetb More Information 3 On the Key Reconstruction screen enter five questions that only you can answer in the Prompt boxes the default questions are examples only Choose obscure personal questions with answers that you are not likely to forget Your questions can be up to 95 characters in length An example of a good question might be Who took me to the beach or Why did Fred leave An example of a bad question would be What is my mother s maiden name or Where did go to high school If you prefer you can also leave the questions blank and simply provide five answers 4 In the Answer boxes enter the answers to the corresponding questions Your answers are case sensitive and can be up to 255 characters Use the Hide Answers check box to view or hide your answers 5 Click OK to continue If the PGP Enter Passphrase for Key screen appears enter the passphrase for your key then click OK If the Server User ID and Password screen appears enter your user ID and password to log on to the server If you do not know your user ID or pass word consult your administrator 6 Click OK Your private key is split into five pieces using Blakely Shamir key split ting Three of the five pieces are needed to rec
176. r email user ID from your Exchange server in order to add it to your new PGP key If this is the case continue with the instructions outlined in Adding your email ID from Exchange Server to your new key on page 104 12 When the key generation process indicates that it is done click Next 13 Click Finish PGP automatically puts your private key on your private keyring and your public key on your public keyring 103 PGP Desktop User s Guide Adding your email ID from Exchange Server to your new key If PGP detects that your computer is in a Microsoft Exchange Server environ ment then PGP retrieves your email user ID from your Exchange server and adds it to your new PGP key during the key generation process To retrieve your email ID from your Exchange Server 1 During key generation a PGP Information screen informing you that PGP must retrieve your user ID from your Exchange server appears 2 Read the information and click OK PGP Information In order to complete the key generation process PGP must connect to the Exchange Server to retrieve your ID Please provide your logon information to connect to the Exchange Server that you use to read and send e mail The Choose Profile screen appears 3 Select the user profile you want to connect to from the Profile Name box This will likely be your company name Choose Profile Profile Name outlook x New Cancel Help Options gt gt 4 Cl
177. r key You may be asked for your PGP password in order to sign the user ID and show others that it is valid Please enter verify your name and ICQ tt in the edit boxes below Mame Bob ICQ t 12345678 teen Ch 8 Securing ICO 59 PGP Desktop 60 User s Guide 3 Make sure the user ID displayed in the Name field belongs to the key you want to use for securing your ICQ sessions If you want to specify a dif ferent key enter the key s user ID 4 Click Next The PGP Passphrase screen appears 5 Enter your PGP passphrase and then click OK The PGP ICQ Wizard Completing screen appears PGP ICQ Wizard 6 Click Finish Completing the PGP ICQ Wizard Your ICQ has been added to your PGP key Users who communicate with you via ICQ will now be able to automatically send you encrypted messages If you are communicating for the first time with another ICQ user using PGP you will want to send them your PGP key by pressing the Send Key button located at the bottom of the ICQ message composition window Enabling the Encrypt toolbar button located near the top of the ICQ message composition window will cause your message to be encrypted to the key of the recipient providing you have their PGP key on your keyring Cancel PGP adds your ICO number to your key as a new user ID and returns to the message you were sending Ch 8 Securing ICO User s Guide PGP Desktop Adding a public
178. r keyring files on a floppy disk make sure that the floppy disk is in the floppy drive App B Troubleshooting C Biometric Word Lists By Philip Zimmermann and Patrick Juola PGP uses a special list of words to convey binary information in an authenti cated manner over a voice channel such as a telephone via biometric signa tures The human voice that speaks the words if recognized by the listener serves as a means of biometric authentication of the data carried by the words The word list serves the same purpose as the military alphabet which is used to transmit letters over a noisy radio voice channel But the military alphabet has 26 words each word representing one letter For our purposes our list has 256 carefully selected phonetically distinct words to represent the 256 possible byte values of O to 255 We created a word list for reading binary information over the phone with each word representing a different byte value We tried to design the word list to be useful for a variety of applications The first application we had envi sioned was to read PGP public key fingerprints over the phone to authenticate the public key In that case the fingerprint is 20 bytes long requiring 20 words to be read aloud Experience has shown it to be fairly tedious and error prone to read that many bytes in hexadecimal so it seems worth using a word list to represent each byte by a word Some applications may require transmitting e
179. rackdown crusade dogsled dropper eating endow eyeglass flatfoot frighten goggles highchair involve kiwi minnow necklace obtuse peachy preclude pupil quota regain revenge robust App C Biometric Word Lists User s Guide rocker scenic sentence skydive snowcap spaniel spindle standard stopwatch sweatband tempest tracker trouble unearth vapor wallet Zulu ruffled scorecard shadow slingshot snowslide spearhead spyglass stapler stormy swelter tiger transit tumor unwind village watchword sailboat Scotland shamrock slowdown solo spellbind stagehand steamship sugar tactics tissue trauma tunnel uproot virus wayside Three Syllable Word List adroitness almighty Apollo atmosphere belowground bottomless Burlington cannonball cellulose clergyman component consensus crossover decadence detergent disable embezzle App C Biometric Word Lists adviser amulet armistice autopsy bifocals Bradbury businessman Capricorn certify coherence concurrent consulting crucifix December determine disbelief enchanting aftermath amusement article Babylon bodyguard bravado butterfat caravan chambermaid combustion confidence corporate cumbersome decimal dictator disruptive enrollment sawdust seabird showgirl snapline southward spheroid stagnate sterling surmount talon tonic treadmill tycoon upset Vulcan willow aggregate antenna aste
180. re two ways to enter your PGP Desktop license information e f you have your License Number and an active Internet connection enter your License Number in the appropriate box on the PGP License screen Also enter a Name and Organization to associate with the License Num ber Make sure to remember or write down the Name and Organization you enter because PGP Desktop will save this information and if you need to authorize again you will need to enter the Name and Organization exactly as you entered it the first time When all three boxes are filled in click Authorize TT PGP License Authorization Please enter your Name Organization and License Number in the fields below Press the Authorize Button to automatically authorize this product over the Internet If you received a License Authorization from a Customer Service Representative directly you may enter it manually by pressing the Manual button at the bottom Licensee Information I Name Organization License Number Paste the License Authorization below exactly as you received it Be sure to include the lines END PGP LICENSE AUTHORIZATION If you don t have a License Number or if you are evaluating this product press the Purchase Now button to obtain a License Number from our online store e f you are unable to Authorize automatically using the above method and you have been sent a License Authorization from PGP Customer Service click the triangle adja
181. read even for begin ners and non technical people Includes information that even a lot of experts don t know Crypto How the Code Rebels Beat the Government Saving Privacy in the Digital Age Steven Levy Penguin USA 2001 ISBN 0140244328 11 PGP Desktop User s Guide Network security Symbols Books Building Internet Firewalls Elizabeth D Zwicky D Brent Chapman Simon Cooper and Deborah Russell Editor O Reilly amp Associates Inc 2000 ISBN 1565928717 This book is a practical guide to designing building and maintaining firewalls Firewalls and Internet Security Repelling the Wily Hacker William R Cheswick Steven M Bellovin Addison Wesley Longman Inc 1994 ISBN 0201633574 This book is a practical guide to protecting networks from hacker attacks through the Internet Available on the Web at www wilyhacker com Network Security Private Communication in a Public World Second Edi tion Charles Kaufman Radia Perlman and Mike Speciner Pearson Educa tion 2002 ISBN 0130460192 This book describes many network protocols including Kerberos IPsec SSL and others It includes some basics of cryptography and works up from there to show how actual sys tems are constructed 12 Notes Cautions and Warnings are used in the following ways A Notes are extra but important information A Note adds important information but you could still use the product if you didn t have that infor
182. reen The Properties screen opens 3 Use the series of words or characters displayed in the Fingerprint text box to compare with the original fingerprint By default a word list is displayed in the Fingerprint text box However you can select the Hexadecimal check box to view the fingerprint in 20 hexadecimal characters Fingerprint Fingerprint concert retrospect Dakland savagery village sensation dragnet handiwork 3EC9 84D0 F6D2 4B6C 3109 5B66 E4BD EEBD FBED 5F56 chatter applicant erase gossamer tonic quantity tycoon hazardous village unify eyetooth gossamer Y Hexadecimal C Hexadecimal Hexadecimal view Word list view The word list in the fingerprint text box is made up of special authentica tion words that PGP uses and are carefully selected to be phonetically dis tinct and easy to understand without phonetic ambiguity The word list serves a similar purpose as the military alphabet which allows pilots to convey information distinctly over a noisy radio channel If you d like to know more about the word hash technique and view the word list see Appendix C Biometric Word Lists 122 Ch 16 Managing Keys User s Guide PGP Desktop Signing someone s public key When you create a keypair the keys are automatically signed by themselves Similarly once you are sure that a key belongs to the proper individual you can sign that person s public key indicating that you are sure it is a valid key When you sign someon
183. reholders presence at the rejoin ing computer Each shareholder is required to enter the passphrase for their key share Rejoining key shares remotely requires the remote shareholders to authenti cate and decrypt their keys before sending them over the network PGP s Transport Layer Security TLS provides a secure link to transmit key shares which allows multiple individuals in distant locations to securely sign or decrypt with their key share Before receiving key shares over the network you should verify each share holder s fingerprint and sign their public key to ensure that their authenticating key is legitimate Ch 16 Managing Keys To rejoin a split key 1 Contact each shareholder of the split key To rejoin key shares locally the shareholders of the key must be present To collect key shares over the network ensure that the remote sharehold ers have PGP installed and are prepared to send their key share file Remote shareholders must have their key share files and passwords 8 keypair for authentication to the computer that is collecting the key shares a network connection the IP address or Domain Name of the computer that is collecting the key shares 2 At the rejoining computer use Windows Explorer to select the file s that you want to sign or decrypt with the split key 3 Right click on the file s and select Sign or Decrypt from the PGP menu The PGP Enter Passphrase for Selecte
184. rity issues and provides user tips and other technical information about PGPdisk About PGPdisk volumes You can use PGPdisk volumes to organize your work keep similarly named files separate or keep multiple versions of the same documents or programs separate Although the volumes you create with PGPdisk function just as any other vol ume you are accustomed to working with the data is actually stored in one large encrypted file Only when you mount the file are its contents are pre sented in the form of a volume It is important to realize that all of your data remains secure in the encrypted file and is only deciphered when you access one of the files Having the data for a volume stored in this manner makes it easy to manipulate and exchange PGPdisk volumes with others but it also makes it easier to lose data if the file is somehow deleted It is wise to keep a back up copy of these encrypted files so that the data can be recovered in case something happens to the original It is also important to note that you cannot compress an encrypted file in an attempt to reduce its size but you can compress the individual files contained in the mounted volume and thereby store more encrypted data in the volume You can also store one secure PGPdisk volume within another and thus nest several volumes for an added level of security The PGPdisk encryption algorithms Encryption employs a mathematical formula to scramble your data so that no
185. roid backwater bookseller Brazilian Camelot caretaker Cherokee commando conformist corrosion customer designing dinosaur distortion enterprise PGP Desktop scallion select skullcap snapshot soybean spigot stairway stockman suspense tapeworm topmost Trojan uncut upshot waffle woodlark alkali applicant Atlantic barbecue borderline breakaway candidate celebrate Chicago company congregate councilman Dakota detector direction document equation 177 PGP Desktop 172 equipment existence forever getaway guitarist headwaters hurricane indigo insincere Istanbul liberty megaton miracle monument Norwegian Orlando paperweight pedigree pharmacy politeness proximate racketeer replica retrieval sandalwood sensation stethoscope sympathy tolerance trombonist underfoot upcoming visitor whimsical Yucatan escapade exodus fortitude glossary hamburger hemisphere hydraulic inertia insurgent Jamaica maritime microscope misnomer mosquito October outfielder paragon Pegasus phonetic positive puberty rebellion reproduce retrospect sardonic sociable stupendous tambourine tomorrow truncated unicorn vacancy vocalist Wichita Eskimo fascinate frequency gossamer Hamilton hesitate impartial infancy integrate Jupiter matchmaker microwave molasses narrative Ohio Pacific paragraph penetrate photograph potato publisher recipe resistor revenue Satur
186. rom a key it is removed and not recoverable Signatures and user names can be added again to a key and an imported public key can be imported again to your keyring However a pri vate key that exists only on that keyring cannot be created again and all mes sages encrypted to its public key copies can no longer be decrypted To remove signatures or user names from your key on a keyserver This procedure is for removing signatures or user names associated with your key on LDAP key servers only Additionally the key server must be configured to allow this action If you do not know the type server or its configuration set tings consult the key server administrator for your company before updating your key 1 Open PGPkeys 2 Choose Search from the Server menu or click 2 in the PGPkeys menu The PGPkeys Search window appears 3 Choose the server you want to search from the Search for Keys On menu 4 Specify your search criteria to locate your public key The default is User ID but you can click the arrows to select Key ID Key Status Key Type Key Size Creation Date or Expiration Date For exam ple you might search for all keys with the User ID of Fred 5 To begin the search click Search The results of the search appear in the window 6 Right click on the key that you want to remove from the server then select Delete from the menu Ch 16 Managing Keys 143 PGP Desktop User s Guide The Passphrase scr
187. rprint associated with their key so you can compare it with the fingerprint on your copy of their public key to see if they match If the fingerprint does not match then you know you have a bogus key PGP Desktop 178 User s Guide Key ID A legible code that uniquely identifies a keypair Two keypairs may have the same user ID but they will have different Key IDs Key length The number of bits representing the key size the longer the key the stronger it is Key management The process and procedure for safely storing and distributing accurate cryptographic keys the overall process of generating and distributing cryptographic key to authorized recipients in a secure manner keypair A public key and its complimentary private key In public key cryptosys tems like the PGP program each user has at least one keypair Keyring A set of keys Each user has two types of keyrings a private keyring and a public keyring Key splitting or secret sharing The process of dividing up a private key into multiple pieces and share those pieces among a group of people A designated number of those peo ple must bring their shares of the key together to use the key LDAP Lightweight Directory Access Protocol A simple protocol that supports access and search operations on directo ries containing information such as names phone numbers and addresses across otherwise incompatible systems over the Internet Message digest A compac
188. rties 0 0 aa leere 130 Additional Decryption Key properties 0 aaa e 132 Adding an X 509 certificate to your PGP key o o o oooooo ee 133 Splitting and rejoining keys 4 e nee se ae a A A 137 Updating your key on a keyServer o o 4 4 142 Reconstructing your key cis caia a ee beara A ae See ac RN a ot 144 Appendix A Setting PGP Options ooo eee es 147 About PGP ODLUOLS 5 dE A ewes se CGR ae 3 v E eee eS 147 oetung General Options s 32 8 matan EA SO ROS CDS d See gg 147 Setting Files oDEHODS 32x 4 oq QE dem A o qR ecd 150 Setting Emal OpEtIODSe s enc swe re RE E AI s XY ELE RU 151 Setting HotKeys options leer 152 Setting Servers OptionS p eu pu eR LS o REOR E Ex ees 153 Setting certificate authority CA OPti0NS o oo ooo o 156 Setting Advanced options 2 24 um d send A Pees weds 157 Setting PGP Disk OPON Se aneian a AA Ek ee oes oe ee ws 160 Appendix B Troubleshooting 0 00 ee es 163 Appendix C Biometric Word Lists oo es 167 CIDLICDLI PLI EIS 173 INDEX 262 Uus Dee a di d d 183 vi Table of Contents Introduction This User s Guide explains how to use PGP Desktop Who should read this User s Guide This User s Guide is for anyone who is going to be using the PGP Desktop software to protect their data If you are new to cryptography and would like an overview of the terminology and c
189. rver 1 2 Open PGPkeys then select the key that you want to reconstruct Select Reconstruct Key from the Key menu If the reconstruction server is a PGP key server the Server User ID and Password screen appears Enter your user ID and password to log on to the server If you do not know your user ID or password consult your administrator Click OK The Key Reconstruction screen appears In the Key Reconstruction screen enter answers in the Answer boxes to their corresponding questions Keep in mind that your answers are case sensitive You must be able to answer at least three questions to restore your key You can use the Hide Answers check box to view or hide your answers Ch 16 Managing Keys User s Guide PGP Desktop 5 Click OK to continue The PGP Enter Confirmed Passphrase screen appears 6 In the Passphrase box enter a new string of characters or words you want to use as the new passphrase for your new keypair Your passphrase should contain multiple words and may include spaces num bers and punctuation characters Choose something that you can remember easily but that others won t be able to guess The passphrase is case sensitive meaning that it distinguishes between uppercase and lowercase letters The longer your passphrase and the greater the variety of characters it contains the more secure it is Strong passphrases include upper and lowercase letters numbers punctuation and spaces but are more l
190. s when they are no longer valid or have been compromised in some way A single key with a clock icon represents a public key or keypair that has expired Two users represent a group email distribution list A pencil or fountain pen indicates the signatures of the PGP users who have vouched for the authenticity of the key A signature with a red X through it indicates a revoked signature A signature with a dimmed pencil icon indicates a bad or invalid signature A signature with a blue arrow next to it indicates that it is exportable A certificate represents an X 509 certificate a recognized electronic document used to prove identity and public key ownership over a communication network A clock indicates an expired X 509 certificate A red X indicates a revoked X 509 certificate This icon indicates that a photographic user ID accompanies the public key 117 PGP Desktop User s Guide Attribute Description Validity Indicates the level of confidence that the key actually belongs to the alleged owner The validity is based on who has signed the key and how well you trust the signer s to vouch for the authenticity of a key The public keys you sign yourself have the highest level of validity based on the assumption that you only sign someone s key if you are totally convinced that it is valid The validity of any other keys which you have not personally signed depends on the level of trust you have gran
191. se 74 copying a key pair to 73 copying your public key from 71 creating a new key pair on 68 viewing properties of 70 wiping 72 starting PGPdisk 75 187 PGP Desktop subkey creating new 128 expiration 128 properties 128 removing 130 revoking 129 size 128 validity 128 T tasks scheduled freespace wiping 43 51 TEMPEST attacks see also Secure Viewer text output 40 troubleshooting PGP 163 trust granting for key validations 124 U unmounting PGPdisk volumes 80 81 Auto unmount 87 using Free Space Wipe 41 43 47 51 V validating keys granting trust for 124 validity checking a key s 114 verifying authenticity of a key 114 email 36 37 VeriSign OnSite 134 viewing attributes of keyrings 115 119 key attributes 101 volumes mounting 80 unmounting 81 188 User s Guide W Windows 2000 134 wiping disks 41 43 47 51 files 41 47 using Free Space Wipe 41 47 your smart card 72 word wrap 152 X X 509 certificates adding root CA certificates 133 adding to keypair 125 importing 114 Index
192. section describe how to add an X 509 certificate to your keypair if you are using the Planet CMS Server This process varies between Certificate Authorities and some of the terminology you must use when interacting with your CA is a policy decision You may need to consult your company s PGP or PKI administrator for instructions An X 509 digital certificate is a recognized electronic document used to prove identity and public key ownership over a communication network You can request an X 509 digital certificate and add it to your keypair using PGP menu options and your company s Certificate Authority CA or a public CA for example VeriSign There are four main steps to adding an X 509 certificate to your keypair 1 Retrieve the Root CA certificate from the CA and add it to your PGP key ring 2 Enter information about the CA in the CA tab on the Options screen Request a certificate from the CA Your X 509 certificate request is veri fied and signed by the CA The CA s signature on the certificate makes it possible to detect any sub sequent tampering with the identifying information or the public key and it implies that the CA considers the information in the certificate valid 4 Retrieve the certificate issued by the CA and add it to your keypair Each of these four steps is described in greater detail in the following sec tions To add an X 509 certificate to your PGP keypair 1 Obtain and add the Root CA certi
193. seful security measure and provides an automatic way to periodically switch to a new encryption key without having to recreate and distribute a new public key This feature is available for Diffie Hellman DSS and RSA keys Subkeys are not supported by RSA Legacy keys To create new subkeys 1 Open PGPkeys and select your keypair then click Properties from the Keys menu or click y The Properties screen appears 2 Click the Subkeys tab Ch 16 Managing Keys User s Guide PGP Desktop The Subkeys screen appears To create a new subkey click New The New Subkey screen opens Enter a key size from 1024 to 3072 bits or enter a custom key size from 1024 to 4096 bits Indicate the start date on which you want your subkey to activate Indicate when you want your subkey to expire You can either use the default selection which is Never or you can enter a specific date after which the subkey will expire To avoid confusion when maintaining more than one subkey on your keypair try not to overlap your subkeys start and expiration dates Click OK The Passphrase screen appears Enter your passphrase and then click OK Your new subkey is listed in the Subkey window When you add or change information in your keypair always update it on the key server so that your most current key can be available to anyone Revoking subkeys To revoke a subkey 1 Ch 16 Managing Keys Open PGPkeys and select your keypair
194. ser ID from your Exchange server in order to add it to your new PGP key If this is the case continue with the instructions outlined in Adding your email ID from Exchange Server to your new key on page 104 14 When the key generation process indicates that it is done click Next 15 Click Finish Your new keypair is generated and stored directly on your smart card Since the smart card is in the smart card reader your key appears on your keyring and is represented by a key on a card icon E Because the private portion of your keypair stays only on the smart card when you remove the smart card from the smart card reader the key icon changes to a single key to reflect that the public portion is left on the key ring and the private portion has been removed with the smart card Ch 10 Using Smart Cards 69 PGP Desktop User s Guide Examining smart card properties A key stored on a smart card is noted in the PGPkeys window with a special key and card icon Gyr By viewing the smart card properties you can find information regarding the card itself such as the manufacturer serial number and key types it supports as well as view a list of the keys stored on the card To view smart card properties 1 Open PGPkeys 2 Put your smart card in your smart card reader A gold card icon 4 appears in the lower left corner of the PGPkeys win dow 3 Do one of the following Click the gold card icon found in the
195. signated Revoker key If the revokers key is not present on a person s keyring then the revoked key does not appear revoked to that user and he she may continue to encrypt to it Ch 16 Managing Keys This feature is available for Diffie Hellman DSS and RSA keys Designated revokers are not supported by RSA Legacy keys To add a designated revoker to your key 1 Open PGPkeys and then select the keypair for which you want to add a revoker 2 Select Add Revoker from the Keys menu A screen opens and displays a list of keys 3 Select the key s in the User ID list that you want to appoint as a revoker 4 Click OK A confirmation screen appears 5 Click OK to continue The Passphrase screen appears Enter your passphrase then click OK 7 The selected key s is now authorized to revoke your key For effective key management distribute a current copy of your key to the revoker s or upload your key to the server 137 PGP Desktop User s Guide Revoking a key If the situation ever arises that you no longer trust your personal keypair you can issue a revocation to the world telling everyone to stop using your public key The best way to circulate a revoked key is to place it on a public key server To revoke a key 1 Open PGPkeys and select the keypair you want to revoke 2 Choose Revoke from the Keys menu The Revocation Confirmation screen appears 3 Click OK to confirm your intent to revoke the selected key The P
196. signature Similarly when your private key expires it can still be used to decrypt mail that was sent to you before your public key expired but can no longer be used to sign mail to others 68 Ch 10 Using Smart Cards User s Guide PGP Desktop 9 Select the Generate key on Smart Card check box The Generate key on Smart Card check box does not appear if the smart card is not inserted in the smart card reader or if you have not specified a smart card type on the Advanced tab of the PGP Options screen 10 Click Next 11 If PGP detects that your computer is in a Microsoft Exchange Server envi ronment or if your PGP administrator has configured PGP to include spe cific installation settings the Administrator Options panel appears Read the information on this panel then click Next to continue 12 0On the Passphrase panel enter the PIN that corresponds to the smart card The PIN acts as your PGP passphrase Normally as an added level of security the characters you enter for the passphrase do not appear on the screen However if you are sure that no one is watching and you would like to see the characters of your pass phrase as you type clear the Hide Typing check box 13 Click Next to begin the key generation process PGP generates your new keypair directly on your smart card This process can take several minutes If you are in a Microsoft Exchange Server environment PGP informs you that it needs to retrieve your email u
197. signature and be sure that no one has tampered with the information along the way Of course if your key has not yet been signed by any trusted introducers recipi ents of your signature can only truly be sure the signature is from you by ver ifying the fingerprint on your key Ch 15 Exchanging Keys User s Guide PGP Desktop To include your public key in an email message 1 2 4 Open PGPkeys Right click on your keypair slide down to Send To on the context menu then slide over and select Mail Recipient If you are prompted for a profile name make the appropriate selection and click OK Your email application opens with your key information already in place Address the message and send it If this method doesn t work for you you can open PGPkeys select your key pair pull down the Edit menu and select Copy open an email message then Paste With some email applications you can simply drag your key from PGP keys into the text of your email message to transfer the key information Exporting your public key to a file Another method of distributing your public key is to copy it to a file and then make this file available to the person with whom you want to communicate There are three ways to export or save your public key to a file Select the icon representing your keypair from PGPkeys then choose Export from the Keys menu Enter the name of the file to which you want to save the key Drag the
198. sk volumes 80 automatically 79 88 on aremote server 88 185 PGP Desktop N Net Tools PKI 134 Novell GroupWise 38 O obtaining others public keys 112 114 options Email 151 PGPdisk 160 overview of Diffie Hellman keys 97 of PGPdisk volumes 93 of RSA keys 97 of RSA Legacy keys 97 P passphrase adding alternate ones for PGPdisk 84 as a protection method for PGPdisk 79 changing 125 changing on smart card 74 changing yours for PGPdisk 84 forgotten 107 144 setting 26 100 102 145 suggestions for 145 PGP troubleshooting 163 PGP Free Space Wiper using 41 47 PGP MIME standard overview 38 using to decrypt email 36 37 PGPdisk CAST encryption algorithm 93 changing your passphrase 84 creating a new volume 77 encryption algorithms 93 security precautions 94 memory static ion migration 94 passphrase erasure 94 tips for the user 95 186 User s Guide virtual memory protection 94 setting unmount preferences 87 Twofish encryption algorithm 94 PGPdisk preferences automatic unmounting 161 PGPdisk volumes backing up 88 changing the size of 90 exchanging 89 mounting 80 nesting 93 overview 93 unmounting 80 81 unmounting automatically 87 161 PGPkeys window Creation label 119 examining keys properties 121 Key ID 128 Size label 118 Trust label 119 uses 115 Validity label 118 PGPtray using 40 photo ID adding to a key 126 removing from a key 127 Pkcs 12 keys obtaining 114 private keys importing
199. t distillate of your message or file checksum It represents your message such that if the message were altered in any way a differ ent message digest would be computed from it Meta introducer A trusted introducer of trusted introducers MIC Message Integrity Check Originally defined in PEM for authentication using MD2 or MD5 Micalg message integrity calculation is used in secure MIME implementations MIME Multipurpose Internet Mail Extensions A freely available set of specifications that offers a way to interchange text in languages with different character sets and multimedia email among many different computer systems that use Internet mail standards Non repudiation Preventing the denial of previous commitments or actions One way hash A function of a variable string to create a fixed length value representing the original pre image also called message digest fingerprint message integrity check MIC Glossary User s Guide Glossary PGP Desktop Passphrase An easy to remember phrase used for better security than a single pass word key crunching converts it into a random key Password A sequence of characters or a word that a subject submits to a system for purposes of authentication validation or verification PGP MIME An IETF standard RFC 2015 that provides privacy and authentication using the Multipurpose Internet Mail Extensions MIME security content types described in RFC1847 currently
200. t modified in September 1998 App C Biometric Word Lists 169 PGP Desktop 170 Two Syllable Word List aardvark adult allow artist baboon bedlamp berserk blowtorch breadline button checkup clamshell cobra cranky cubic dragnet drumbeat edict enlist eyetooth flytrap gazelle goldfish hockey island klaxon miser Neptune offload pheasant prefer puppy ragtime reindeer reward absurd afflict alone assume backfield beehive billiard bluebird breakup buzzard chisel classic commence crowfoot dashboard drainage drunken egghead erase facial fracture Geiger gremlin indoors jawbone locale Mohawk newborn optic physique preshrunk python ratchet rematch rhythm accrue ahead ammo Athens backward beeswax bison bombast brickyard cement choking classroom concert crucial deadbolt dreadful Dupont eightball escape fallout framework glitter guidance indulge keyboard lockup mural nightbird orca playhouse printer quadrant rebirth repay ribcage acme aimless ancient atlas banjo befriend blackjack bookshelf briefcase chairlift chopper cleanup cowbell crumpled deckhand drifter dwelling endorse exceed flagpole freedom glucose hamlet inverse kickoff merit music Oakland payday Pluto prowler quiver reform retouch ringbolt User s Guide adrift Algol apple Aztec beaming Belfast blockade brackish Burbank chatter Christmas clockwork c
201. t think First we talk about creat ing your keypair and sending your public key to a keyserver this should be a part of the PGP Keys section but because most things you do with PGP Desktop requires a keypair we cover it first Then we talk about PGP Mail then PGP Disk and then we come back to PGP Keys Ch 1 PGP Basics User s Guide PGP Desktop Basic steps for using PGP Desktop Ch 1 PGP Basics Now that we know a little bit about PGP Desktop let s go deeper into what you need to do to get started using it 1 Install PGP Desktop on your computer If you are a corporate user your corporate or PGP Desktop administrator may have specific installation instructions for you to follow or your com pany may install the product on your machine for you Either way this is the first step Create your keypair As mentioned earlier most things you do with PGP Desktop require a key pair a private key and a public key If you haven t created your keypair yet or you have but you re still new to PGP Desktop see Chapter 3 Mak ing a Keypair and Working with Public Keys for instructions how to create your keypair Exchange public keys with others After you have created a keypair you can begin corresponding with other PGP Desktop users You will need a copy of their public key and they will need yours We cover this briefly in Chapter 3 Making a Keypair and Working with Public Keys and you can also see Chapter 1
202. t this feature Encrypt new messages by default If you enable this setting all of your email messages and file attachments are automatically encrypted Some email applications cannot support this feature Sign new messages by default If you enable this setting you are prompted to sign all of your email messages Some email applications can not support this feature This setting has no effect on other signatures you add from the clipboard or with Windows Explorer Automatically decrypt verify when opening messages If you enable this setting all of your email messages and file attachments that are encrypted and or signed are automatically decrypted and verified Some email appli cations cannot support this feature Always use Secure Viewer when decrypting If you enable this setting all of your decrypted email messages are displayed in the Secure Viewer win dow with a special TEMPEST attack prevention font and they can t be saved in decrypted format For more information about TEMPEST attacks see An Introduction to Cryptography 151 PGP Desktop User s Guide Word wrap clear signed messages at column This setting specifies the column number where a hard carriage return is used to wrap the text in your digital signature to the next line This feature is necessary because not all applications handle word wrapping in the same way which could cause the lines in your digitally signed messages to be broken up in a way that cann
203. te names and addresses to the keys You can only add a new user name or email address if you have both the private and public keys To add a new user name or address to your key 1 Open PGPkeys and select the keypair for which you want to add another user name or address Choose Add Name from the Keys menu The PGP New User Name screen appears Enter the new name and email address in the appropriate fields then click OK The PGP Enter Passphrase screen appears Enter your passphrase then click OK The new name is added to the end of the user name list associated with the key If you want to set the new user name and address as the primary identifier for your key select the name and address and then choose Set as Primary Name from the Keys menu When you add or change information in your keypair always update it on the key server so that your most current key can be available to anyone Adding a photographic ID to your key You can include a photographic user ID with your PGP keys This feature is available for Diffie Hellman DSS and RSA keys The Photo graphic ID feature is not supported by RSA Legacy keys Although you can view the photographic ID accompanied with someone s key for verification you should always check and compare the digital fingerprints To add your photograph to your key 1 Open PGPkeys and select your keypair and then click Add Photo on the Keys menu Ch 16 Managing Keys User s Gu
204. ted for situations where you need to send encrypted data to someone else especially if you want to send encrypted data to someone you ve never met Fortunately public key cryptography is especially well suited to these two sit uations Public key cryptography uses two keys called a keypair for encrypt ing and decrypting One of these two keys is your private key and like the name suggests you need to keep it private Very very private The other key is your public key and like its name suggest you can share it with the general public In fact you re supposed to share it Don t give your private key or its passphrase to anyone Technical note your public and private keys are mathematically related but there s no way to figure out someone s private key if you have their public key Ch 1 PGP Basics 15 PGP Desktop User s Guide So how does public key cryptography work Let s say you and your cousin in another state want to exchange private messages Both of you have PGP Desktop First you both need to create your keypair one private key and one public key Your private key you keep secret your public key you send to a public keyserver which is a public facility for distributing public keys Some companies have their own private keyservers Once the public keys are on the keyserver you can go back to the keyserver and get your cousin s public key and she can go to the keyserver and get yours This is important b
205. ted to any other users who have signed the key If there are no signatures associated with the key then it is not considered valid and a message indicating this fact appears whenever you encrypt to the key Validity is indicated by either circle or bar icons depending upon your Advanced Options Display marginal validity level setting If not enabled then validity appears as a gray circle for invalid keys and marginally valid keys if the Advanced Options Treat marginally valid keys as invalid is set a green circle for valid keys that you do not own dd a green circle and a user for valid keys that you own In a corporate environment your PGP administrator may sign users keys with the Corporate Signing Key Keys signed with the Corporate Signing Key are usually assumed to be completely valid Size Shows the number of bits used to construct the key Generally the larger the key the less chance that it will ever be compromised However larger keys require slightly more time to encrypt and decrypt data than do smaller keys When you create a Diffie Hellman DSS key there is one number for the Diffie Hellman portion and another number for the DSS portion The DSS portion is used for signing and the Diffie Hellman portion for encryption When you create an RSAv4 key the first number represents the encryption key and the second number represents the signing key Description Describes the type of information displa
206. tents of the volume If you choose to protect your PGPdisk volume with a PGP key then you must go into PGPkeys to change the passphrase for your private key You cannot change it from the PGPdisk Editor To change your passphrase 1 Ensure that the PGPdisk volume is not mounted You cannot change a passphrase if the PGPdisk volume is mounted Open the PGPdisk Editor for the volume you want to modify then select the user name that applies to the passphrase you are changing Select Change Passphrase from the Users menu The Passphrase dialog box appears Enter your passphrase then click OK The Enter New Passphrase window appears Enter the string of words or characters that serves as your new pass phrase to access the new volume also called the administrator s pass phrase To confirm your entry press Tab to advance to the next text box then enter the same passphrase again The suggested minimum length for a passphrase is eight characters Click OK The New Passphrase dialog box closes The passphrase has been changed Adding alternate users to a PGPdisk volume The PGPdisk administrator can make the PGPdisk available to other users The users can access the volume using their own unique passphrase or private key Only the person who knows the administrator passphrase can add alter nate users Ch 12 Using PGP Disk User s Guide PGP Desktop You also have the option of assigning a read only status to th
207. that you want to add to another list 2 Drag the selected list into the list to which it will be added To delete members from a distribution list 1 Within the distribution list select the member to be deleted 2 Press Delete PGP asks you to confirm your choice To delete a distribution list 1 Select the distribution list to be deleted from the Groups window 2 Press Delete Sending encrypted and signed email to distribution lists To send encrypted and signed email to a distribution list 1 Address the mail to your mail distribution list The name of your encryption distribution list must correspond to the name of the email distribution list 2 Use your email application to compose your email message just as you normally would 3 When you have finished composing the text of your email message click on the PGPtray icon and select Encrypt Sign or Encrypt Sign from the Current Window menu The PGP Key Recipients screen appears 4 Select the recipient s public keys for the text you are encrypting or sign ing 5 Send the message 35 PGP Desktop User s Guide Decrypting and verifying email The quickest and easiest way to secure email communications is by using an email application supported by the PGP plug ins If you are using an email application that is not supported by the PGP plug ins you can encrypt sign decrypt and verify the text of your email messages by using PGPtray Decrypting and verifying
208. the message is encrypted with the Secure Viewer option enabled an advisory message appears Click OK The decrypted message appears on a secure PGP screen in a special TEMPEST attack prevention font 36 Ch 4 Securing Email User s Guide PGP Desktop 4 You can save the message in its decrypted state or you can save the orig inal encrypted version so that it remains secure Messages encrypted with the Secure Viewer option enabled cannot be saved in their decrypted state Decrypting and verifying email without PGP plug in support If your email application does not support the PGP plug ins you can use PGP tray to decrypt the text of your message prior to sending it The easiest way to decrypt your message without the use of a PGP plug in is to use the Cur rent Window options in PGPtray To decrypt and verify from non supported email applications 1 Open your email message just as you normally do You will see a block of unintelligible ciphertext in the body of your email message In PGPtray select Current Window gt Decrypt Verify If the email message includes encrypted file attachments decrypt them separately with PGPtools or PGPtray The PGP Enter Passphrase screen appears asking you to enter your pass phrase Enter your passphrase then click OK The message is decrypted If it has been signed a message appears indi cating whether the signature is valid If the message is encrypted with Secure
209. the server to become so busy attempting to respond to the attack that it ignores legitimate requests for connections DES Data Encryption Standard A 64 bit block cipher symmetric algorithm also known as Data Encryption Algorithm DEA by ANSI and DEA 1 by ISO Widely used for over 20 years adopted in 1976 as FIPS 46 Dictionary attack A calculated brute force attack to reveal a password by trying obvious and logical combinations of words Diffie Hellman The first public key algorithm invented in 1976 using discrete logarithms in a finite field 175 PGP Desktop 176 User s Guide Digital cash Electronic money that is stored and transferred through a variety of com plex protocols Direct trust An establishment of peer to peer confidence Digital signature See signature DSA Digital Signature Algorithm A public key digital signature algorithm proposed by NIST for use in DSS DSS Digital Signature Standard A NIST proposed standard FIPS for digital signatures using DSA ECC Elliptic Curve Cryptosystem A unique method for creating public key algorithms based on mathemati cal curves over finite fields or with large prime numbers EES Escrowed Encryption Standard A proposed U S government standard for escrowing private keys Elgamal scheme Used for both digital signatures and encryption based on discrete loga rithms in a finite field can be used with the DSA function Encryption A method of scrambl
210. then click Properties from the Keys menu or click Y The Properties screen appears Click the Subkeys tab The Subkeys screen opens Select the subkey and click Revoke A PGP Warning appears informing you that once you revoke the subkey other user s will not be able to encrypt data to it Click Yes to revoke the subkey or click No to cancel this operation The Passphrase screen appears Enter your passphrase then click OK 129 PGP Desktop User s Guide The subkey is revoked and the icon changes to a key with a red X Removing subkeys To remove a subkey 1 Open PGPkeys and select your keypair then click Properties from the Keys menu or click Y The Properties screen appears 2 Click the Subkeys tab The Subkeys screen opens 3 Select the subkey and click Remove A PGP Warning appears informing you that once you remove the subkey you will not be able to decrypt information encrypted to it 4 Click Yes to remove the subkey or click No to cancel this operation The subkey is removed and the key disappears from the subkeys window Designated revoker properties To access the Revokers panel for a particular key select the desired key and then choose Properties from the Keys menu The Key Properties screen appears Click the Revokers tab The Revokers panel appears If there are no designated revokers for the selected key then the Revokers tab does not appear Pradeep Brapal lt pradeepbeacmecorp net gt
211. ting server 1 Click the New button If you are editing an existing server click on the server you want to edit and click Edit The Add New Server screen appears Add New Server Server Information Name Port Base DN Key unknown Serves Keys for Domain Any Domain O List in search window App A Setting PGP Options User s Guide App A Setting PGP Options PGP Desktop In the Type drop down list select the type of server to use to access the keyserver Your choices are PGP Keyserver HTTP Select this option if you are using a Web based PGP Keyserver to store and retrieve PGPkeys PGP Keyserver LDAP Select this option if you are using a PGP Keyser ver through LDAP to store and retrieve PGPkeys PGP Keyserver LDAPS Select this option if you are using a PGP Key server through LDAPS to store and retrieve PGPkeys X 509 Directory LDAP Select this option if you are using a generic LDAP directory server to store and retrieve X 509 certificates issued by iPlanet CMS or Microsoft Certificate Services X 509 Directory LDAPS Select this option if you are using a generic LDAPS directory server to store and retrieve X 509 certificates issued by iPlanet CMS or Microsoft Certificate Services In the Name box enter the domain name or IP address of the server For example server pgp com or 123 45 67 89 In the Port box enter the port number of the server For example 1
212. ts as well as decrypt and verify files or attachments that have been encrypted to you Encrypting and signing files Use the Encrypt Sign or Encrypt and Sign options available from PGPtray or Ch 5 Securing Files the Windows Explorer File menu to secure your files and folders When you select Encrypt or Encrypt and Sign the PGP Key Selection screen automatically appears you use it to select the public keys of the recipients for the data you are encrypting 8 PGPshell Key Selection Dialog Drag users from this list to the Recipients list Acme Corp CSK lt pradeepb acmecorp net gt Acme Corp Des Rev lt pradeepb acmecorp net gt Acme Corp PGPdisk ADK lt pradeepb acmecorp net gt Alice Cameron lt alicec acmecorp net gt 3 all staff acmecorp com Bob Reynolds lt bobr acmecorp net gt 5 Fumiko Asako lt fumikoa acmecorp net gt Recipients Pradeep Brapal lt pradeepbBacmecorp net gt de I Text output Cancel Help Input Is Text E ncry P tion Wipe Original options Conventional Encryption Self Decrypting Archive You select the public keys by dragging them to the Recipients list You can choose additional encryption options from the lower left menu The options available to you depend upon the type of data that you are encrypting 2048 1024 2048 1024 2048 1024 2048 1024 4keys 2048 1024 2048 1024 2048 1024 39 PGP Desktop User s Guide The options are Text
213. uctions outlined in Adding a photographic ID to your key on page 126 Ch 16 Managing Keys 127 PGP Desktop User s Guide Subkeys properties 128 To access the Subkeys Properties panel for a particular key select the desired key and then choose Properties from the Keys menu The Key Properties screen appears Click the Subkeys tab The Subkeys panel appears Pradeep Brapal lt pradeepb acmecorp net gt DR General Subkeys ADK Revokers Walid from Expires 28 11 19 2002 Never New The Master Key for this key is used for signing only Subkeys are used for encryption and may be replaced and revoked separately from the Master Key without losing any of the Signatures applied to this key Changes made here will require redistribution of this key to the server in order to be noticed by others Creating new subkeys Every Diffie Hellman DSS and RSA key is actually two keys a signing key and an encryption subkey PGP Version 6 0 and above provides the ability to cre ate and revoke new encryption keys without sacrificing your master signing key and the signatures collected on it One of the most common uses for this feature is to create multiple subkeys that are set to be used during different periods of the key s lifetime For example if you create a key that will expire in three years you might also create three subkeys and use each of them for one of the years in the lifetime of the key This can be a u
214. up where others might gain access to your private key Given the ease with which computers are accessi ble over networks if you are working with extremely sensitive information you may want to keep your private key on a floppy disk which you can insert like an old fashioned key whenever you want to read or sign private informa tion As another security precaution consider assigning a different name to your private keyring file and then storing it somewhere other than in the default location Use the Files tab of the Options screen to specify a name and loca tion for your private and public keyring files 106 Ch 14 Making Keys User s Guide PGP Desktop PGP key reconstruction If you lose your key or forget your passphrase and do not have a backed up copy from which to restore your key you will never again be able to decrypt any information encrypted to your key You can however reconstruct your key if your administrator has implemented a PGP key reconstruction policy for your company where your key is encrypted and stored on a PGP key recon struction server in such a way that only you can retrieve it A PGP key reconstruction server can be set up by your administrator to act as sort of a safety net for you if you lose your private key or passphrase The reconstruction server stores your key in such a way that only you can access it Your company does not have the ability to decrypt your key If your administrator has incorp
215. ups 34 decrypting 36 37 deleting recipient groups 35 encrypting 29 35 to groups of people 34 including your public key in 110 receiving private 29 sending private 29 signing 29 35 verifying 36 37 encrypting email 29 35 36 37 to groups of people 34 ICQ messages 61 encryption options email conventional 31 33 64 Secure Viewer 30 32 files conventional 40 Secure Viewer 40 self decrypting archive 40 text output 40 wipe original 40 Entrust 134 Eudora 36 with PGP MIME 36 without PGP MIME 37 examining key properties 121 smart card properties 70 exchanging PGPdisk volumes 89 public keys obtaining others 112 114 via ICQ 58 exporting keys to files 111 your key from a smart card 71 184 User s Guide F files deleting 41 47 exporting public keys to 111 importing public keys from 114 wiping 41 47 fingerprints example of hexadecimal view 122 example of word list view 122 folder wiping scheduling 43 51 forgotten passphrase 107 Free Space Wipe 41 47 scheduling tasks 43 51 G generating a custom key pair 101 a key pair on a smart card 67 granting trust for key validations 124 groups adding members 35 combining groups 35 creating 34 deleting 35 H HTTP HyperText Transfer Protocol definition 176 ICQ decrypting messages 57 encrypting messages 61 exchanging keys 58 using the PGP ICQ Wizard 59 importing Pkcs 12 X 509 private keys 114 private keys 114 public keys from files 114 iPlanet CMS
216. ur system e Chapter 13 PGP Disk Technical Details describes technical details behind PGP Disk e Chapter 14 Making Keys tells you how to create PGP keys e Chapter 15 Exchanging Keys describes the details of making and exchanging PGP keys e Chapter 16 Managing Keys tells you how to manage your PGP keys e Appendix A Setting PGP Options describes PGP s options e Appendix B Troubleshooting tells you how to fix problems you may run into e Appendix C Biometric Word Lists tells you about PGP s special biomet ric word lists and what they re for There is also a Glossary and an Index Introduction 9 PGP Desktop User s Guide Recommended readings 10 This section identifies Web sites books and periodicals about the history technical aspects and politics of cryptography as well as trusted PGP down load sites The history of cryptography The Code Book The Evolution of Secrecy from Mary Queen of Scots to Quantum Cryptography Simon Singh Doubleday amp Company Inc 1999 ISBN 0 385 49531 5 The Codebreakers The Story of Secret Writing David Kahn Simon Schuster Trade 1996 ISBN 0 684 83130 9 updated from the 1967 edi tion This book is a history of codes and code breakers from the time of the Egyptians to the end of WWII Kahn first wrote it in the sixties this is the revised edition This book won t teach you anything about how cryp tography is done but it has
217. uss this with your System Administrator Under some circumstances you may not mind if backups are made of your encrypted files because this information is secure Under no circumstances is it a good idea to allow the contents of your mounted volumes to be backed up as this defeats the whole purpose of keeping this information encrypted Exchanging PGPdisk volumes You can exchange PGPdisk volumes with colleagues who have their own PGPdisk program by sending them a copy of the encrypted file that contains the data associated with the volume Here are some of the ways you might exchange PGPdisk volumes e As mail attachments e On floppy disks or CD Rs e Over a network Ch 12 Using PGP Disk Public key is the most secure protection method when adding alternate users to a PGPdisk volume because 1 You don t need to exchange a passphrase with the alternate user which depending on your method could be intercepted or overheard 2 The alternate user doesn t need to memorize another passphrase which could be forgotten 3 It is easier to manage a list of alternate users if each uses his or her own private key to gain access to the volume The more security precautions you take the greater assurance you have that your sensi tive information remains confidential Once the intended party has a copy of the encrypted file all they need in order to gain access to the contents of the volume is to mount it using the correct passphrase or
218. ven lengthier byte sequences over the phone for example entire keys or signatures This may entail read ing more than a hundred bytes Using words instead of hex bytes seems even more justified in that case When reading long sequences of bytes aloud errors may creep in The kinds of error syndromes you get on human spoken data are different than they are for transmitting data through a modem Modem errors usually involve flipped bits from line noise Error detection methods for modems usually involve CRCs to be added which are optimized for detecting line noise bursts How ever random sequences of spoken human words usually involves one of three kinds of errors 1 transposition of two consecutive words 2 duplicate words or 3 omitted words If we are to design an error detection scheme for this kind of data transmission channel we should make one that is optimized for these three kinds of errors Zhahai Stewart suggested a good scheme in personal conversation with me in 1991 for error detection of these errors Stewart s scheme for error detection while reading aloud long sequences of bytes via a word list entails using not one but two lists of words Each list contains 256 phonetically distinct words each word representing a different byte value between O and 255 The two lists are used alternately for the even offset bytes and the odd offset bytes in the byte sequence For example the first byte offset O in the sequence is use
219. with Public Keys This chapter describes three things that first time PGP users should consider doing soon after they install PGP creating their public private keypair send ing their public key to a key server and getting the public keys of others from a key server If you have a public private keypair and you ve worked with public key serv ers before then you can probably skip this chapter The sections in this chapter are e Making your keypair e Putting your public key on a keyserver e Getting someone s public key from a keyserver Making your keypair To create a new keypair 1 Open PGPkeys You can open PGPkeys by Clicking Start gt Programs gt PGP gt PGPkeys Clicking the PGPtray icon 2 in the System tray then selecting PGPkeys The PGPkeys screen displays the keypairs you have created for yourself as well as any public keys of other users that you have added to your pub lic keyring PGPkeys is your tool for managing your keyrings Depending on your situation the PGPkeys window may be empty or it may be pre configured by your PGP administrator to display specific keys Ch 3 Making a Keypair and Working with Public Keys 25 PGP Desktop User s Guide T PGPkeys File Edit View Keys Server Groups Help wuap djpscuo8W Keys Validity Size Description Ge Acme Com ADK pradeepb Gacmecorp net 2048 1024 DH DSS public key m Ge Acme Corp CSK lt pradeepb acmecom net 2048 1024 DH
220. yed in the Keys column key type type of ID or signature type Additional Decryption Key Shows whether the key has an associated Additional Decryption Key Key ID A unique identifying number associated with each key This identification number is useful for distinguishing between two keys that share the same user name and email address 118 Ch 16 Managing Keys User s Guide PGP Desktop Attribute Description Indicates the level of trust you have granted to the owner of the key to serve as an introducer for the public keys of others This trust comes into play when you are unable to verify the validity of someone s public key for yourself and instead rely on the judgment of other users who have signed the key When you create a new keypair these keys are considered implicitly trustworthy as shown by the striping in the trust and validity bars or by a green dot and user icon p An empty bar indicates an invalid key or an untrusted user EN A half filled bar indicates a marginally valid key or marginally trusted Trust user A striped bar indicates a valid key that you own and is implicitly trusted regardless of the signatures on the key Emme A full bar indicates a completely valid key or a completely trusted user When a public key on your keyring is signed by another user the level of authenticity for that key is based on the trust you have granted to the signer Use the Key Prop
221. your subject line blank or creating a subject line that does not reveal the contents of your encrypted mes sage 2 When you have finished composing the text of your email message click the envelope and lock icon 33 to encrypt the text of your message then click the paper and pen icon E to sign your message 3 Send your message as you normally do If you have a copy of the public keys for every one of the recipients the appropriate keys are automatically used and the message is sent 29 PGP Desktop 30 User s Guide However if you specify a recipient for whom there is no corresponding public key or one or more of the keys have insufficient validity the PGP Recipient Selection screen appears so you can specify the correct key You can force the PGP Recipient Selection screen to appear even if you have a valid copy of the public keys for every one of the recipients by holding down Shift when you click Send You should do this if you want to use the Secure Viewer or Conventional Encrypt features and you do not want your message to be sent automatically 8 Recipient Selection Drag users from this list to the Recipients list Validity Size Acme Corp ADK lt pradeepb acmecorp net gt o 2048 1024 Acme Corp CSK lt pradeepb acmecorp net gt 2048 1024 Acme Corp Des Rev lt pradeepb acmecorp net gt 2048 1024 Acme Corp PGPdisk ADK lt pradeepb acmecorp net gt 2048 1024 Alice Cameron lt alicec acmecor
222. ys from the menu The PGPkeys screen appears Dor File Edit View Keys Server Groups Help sera PZRERB CH Keys Ge Acme Com ADK lt pradeepb acmecom net gt Ge Acme Com CSK lt pradeepb acmecom net gt Ge Acme Com Des Rev lt pradeepbBacmecom net gt Ge Acme Corp PGPdisk ADK pradeepb Gacmecorp n Ge Alice Cameron lt alicec acmecom net Ge Bob Reynolds lt bobr acmecom net gt Ge Fumiko Asako lt fumikoa acmecom net gt Ge Jose Medina lt josem acmecom net gt Ge Katerina Laval lt katerinal acmecom net gt uw Mar a Fuentes lt mariaf acmecop net gt ue Ming Pa lt mingp acmecorp net gt WQ Pradeep Brapal lt pradeepb acmecorp net gt Gq SanTau lt sam enst f gt Ys SZho B3 amp ya com xj 9 Sam Ramier lt sram ny com gt E Ge SJ Wilson lt sjwilson vcnet com gt Ge Vladimir Toskin vladimirt amp acmecorp net Ge Owuor bleuep osibuep eceyauksorye Ge Aravayioc Avac lt a amp ivac awpewopn woy gt Size Description Trust 2048 1024 DH DSS public key 2048 1024 DH DSS public key 2048 1024 DH DSS public key 2048 1024 DH DSS public key 2048 1024 DH DSS public key 2048 1024 DH DSS public key 2048 1024 DH DSS public key 2048 1024 DH DSS public key 2048 1024 DH DSS public key 2048 1024 Disabled DH DSS 2048 1024 DH DSS public key DH DSS key pair Revoked RSA lega Expired DH DSS p RSA legacy public RSA public key
Download Pdf Manuals
Related Search