PGP 6.0 User’s Guide

PGP Windows 95, 98, and NT

User’s Guide

Version 6.0

Copyright © 1990-1998 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved.
PGP*, Version 6.0.2 11-98. Printed in the United States of America. PGP, Pretty Good, and Pretty Good Privacy are registered trademarks of Network Associates,
Portions of this software may use public key algorithms described in U.S. Patent numbers 4,200,770, 4,218,582, 4,405,829, and 4,424,414, licensed exclusively by Public Key Partners; the IDEA(tm) cryptographic cipher described in U.S. patent number 5,214,703, licensed from Ascom Tech AG; and the Northern Telecom Ltd., CAST Encryption Algorithm, licensed from Northern Telecom, Ltd. IDEA is a trademark of Ascom Tech AG. Network Associates Inc. may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents. The compression code in PGP is by Mark Adler and Jean-Loup Gailly, used with permission from the free Info-ZIP implementation. LDAP software provided courtesy University of Michigan at Ann Arbor, Copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/). Copyright © 1995-1997 The Apache Group. All rights reserved. See text files included with the software or the PGP web site for further information. This software is based in part on the work of the Independent JPEG Group. Soft TEMPEST font courtesy of Ross Anderson and Marcus Kuhn.
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement and Limited Warranty provided with the software. The information in this document is subject to change without notice. Network Associates Inc. does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by Network Associates Inc.
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restrict the export and re-export of certain products and technical data.
Network Associates, Inc.
3965 Freedom Circle
Santa Clara, CA 95054
(408) 988-3832 main
(408) 970-9727 fax
http://www.nai.com
info@nai.com
* is sometimes used instead of the ® for registered trademarks to protect marks registered outside of the U.S.
LIMITED WARRANTY
Limited Warranty. Network Associates Inc. warrants that the Software Product will perform substantially in accordance with the accompanying written materials for a period of sixty (60) days from the date of original purchase. To the extent allowed by applicable law, implied warranties on the Software Product, if any, are limited to such sixty (60) day period. Some jurisdictions do not allow limitations on duration of an implied warranty, so the above limitation may not apply to you.
Customer Remedies. Network Associates Inc’s and its suppliers’ entire liability and your exclusive remedy shall be, at Network Associates Inc’s option, either (a) return of the purchase price paid for the license, if any or (b) repair or replacement of the Software Product that does not meet Network Associates Inc’s limited warranty and which is returned at your expense to Network Associates Inc. with a copy of your receipt. This limited warranty is void if failure of the Software Product has resulted from accident, abuse, or misapplication. Any repaired or replacement Software Product will be warranted for the remainder of the original warranty period or thirty (30) days, whichever is longer. Outside the United States, neither these remedies nor any product support services offered by Network Associates Inc. are available without proof of purchase from an authorized international source and may not be available from Network Associates Inc. to the extent they are subject to restrictions under U.S. export control laws and regulations.
NO OTHER WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND EXCEPT FOR THE LIMITED WARRANTIES SET FORTH HEREIN, THE SOFTWARE AND DOCUMENTATION ARE PROVIDED “AS IS” AND NETWORK ASSOCIATES, INC. AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, CONFORMANCE WITH DESCRIPTION, TITLE AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHERS, WHICH VARY FROM JURISDICTION TO JURISDICTION.
LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL NETWORK ASSOCIATES, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL OR EXEMPLARY DAMAGES OR LOST PROFITS WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE PRODUCT OR THE FAILURE TO PROVIDE SUPPORT SERVICES, EVEN IF NETWORK ASSOCIATES, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE, NETWORK ASSOCIATES, INC’S CUMULATIVE AND ENTIRE LIABILITY TO YOU OR ANY OTHER PARTY FOR ANY LOSS OR DAMAGES RESULTING FROM ANY CLAIMS, DEMANDS OR ACTIONS ARISING OUT OF OR RELATING TO THIS AGREEMENT SHALL NOT EXCEED THE PURCHASE PRICE PAID FOR THIS LICENSE. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

Table of Contents

Preface
How to contact Network Associates
Customer service
Technical support
Network Associates training
Comments and feedback
Recommended Readings
Chapter 1. Introducing PGP
What’s new in PGP version 6.0
Using PGP
A quick overview
Basic steps for using PGP
Chapter 2. Getting Started
Running PGP
Using PGP from the System tray
Performing PGP functions from the clipboard
Opening the PGPkeys window
Setting PGP Preferences
Getting Help
Quitting PGP
Using PGP from supported email applications
Using PGP/MIME
Using PGP from the PGPtools application
Using PGP from the Windows Explorer
Selecting recipients
Taking shortcuts
PGPkeys icon definitions
Chapter 3. Making and Exchanging Keys
Key concepts
Making a key pair
Creating a passphrase that you will remember
Adding a photographic ID to your key
Creating new subkeys
Key Splitting
Protecting your keys
Distributing your public key
Making your public key available through a key server
Updating your key on a key server
Removing signatures or user names associated with your key
Including your public key in an email message
Exporting your public key to a file
Obtaining the public keys of others
Getting public keys from a key server
Adding public keys from email messages
Importing a public key from a file
Verifying the authenticity of a key
Signing the public key
Getting public keys through trusted introducers
Chapter 4. Sending and Receiving Secure Email
Encrypting and signing email
Encrypting and signing with supported email applications
Encrypting email to groups of recipients
Working with distribution lists
Sending encrypted and signed email to distribution lists
Decrypting and verifying email
Chapter 5. Using PGP for Secure File Storage
Using PGP to encrypt and decrypt files
Using the PGP right-click menu to encrypt and sign
Using PGPtools to encrypt and sign
Using PGPtray to decrypt and verify
Using PGPtools to decrypt and verify
Signing and decrypting files with a split key
Using PGP Wipe to delete files
Using the PGP Free Space Wiper to clean free space on your disks
Chapter 6. Managing Keys and Setting Preferences
Managing your keys
The PGPkeys window
PGPkeys attribute definitions
Examining a key’s properties
General key properties window
Subkey properties window
Specifying a default key pair
Adding a new user name or address to a key pair
Verifying someone’s public key
Signing someone’s public key
Granting trust for key validations
Disabling and enabling keys
Deleting a key, signature, or user ID
Changing your Passphrase
Importing and Exporting Keys
Revoking a key
Setting your preferences
Searching for a key
Chapter 7. PGPdisk
What is PGPdisk?
PGPdisk features
Why use PGPdisk?
Starting the PGPdisk program
Working with PGPdisk Volumes
Creating a new PGPdisk volume
Changing a passphrase
Adding alternate passphrases
Removing a passphrase
Removing all alternate passphrases
Add/Remove Public Keys
Mounting a PGPdisk volume
Using a mounted PGPdisk volume
Unmounting a PGPdisk volume
Specifying Preferences
Maintaining PGPdisk Volumes
Mounting PGPdisk files on a remote server
Automatically mounting PGPdisk volumes
Backing up PGPdisk volumes
Exchanging PGPdisk volumes
Changing the size of a PGPdisk volume
Technical Details and Security Considerations
About PGPdisk volumes
The PGPdisk encryption algorithm
Passphrase quality
Special security precautions taken by PGPdisk
Passphrase erasure
Virtual memory protection
Memory Static Ion Migration Protection
Other security considerations
Appendix A. Troubleshooting PGP
Appendix B. Transferring Files Between the Mac OS and Windows
Sending from the Mac OS to Windows
Receiving Windows files on the Mac OS
Supported Applications
Appendix C. Phil Zimmermann on PGP
Why I wrote PGP
The PGP symmetric algorithms
About PGP data compression routines
About the random numbers used as session keys
About the message digest
How to protect public keys from tampering
How does PGP keep track of which keys are valid?
How to protect private keys from disclosure
What if you lose your private key?
Beware of snake oil
Vulnerabilities
Compromised passphrase and private key
Public key tampering
Not quite deleted files
Viruses and Trojan horses
Swap files or virtual memory
Physical security breach
Tempest attacks
Protecting against bogus timestamps
Exposure on multi-user systems
Traffic analysis
Cryptanalysis
Glossary
Index

Preface

PGP is part of your organization’s security toolkit for protecting one of your most important assets: information. Corporations have traditionally put locks on their doors and file cabinets and require employees to show identification to prove that they are permitted access into various parts of the business site. PGP is a valuable tool to help you protect the security and integrity of your organization’s data and messages. For many companies, loss of confidentiality means loss of business.
Entire books have been written on the subject of implementing network security. The focus of this guide is on implementing PGP as a tool within your overall network security structure. PGP is merely one piece of an overall security system, but it is an extremely important one. PGP provides encryption, which protects data from the eyes of anyone for whom it was not intended, even those who can see the encrypted data. This protects information from both internal and external “outsiders.”
This guide describes how to use PGP® for Windows 95, 98, and NT. PGP has many new features, which are described in Chapter 1, “Introducing PGP.”
If you are new to cryptography and would like an overview of the terminology and concepts you will encounter while using PGP, see An Introduction to Cryptography.

How to contact Network Associates

Customer service

To order products or obtain product information, contact the Network Associates Customer Care department at (408) 988-3832 or write to the following address:
Network Associates, Inc.
McCandless Towers
3965 Freedom Circle
Santa Clara, CA 95054-1203
U.S.A.

Technical support

Network Associates is famous for its dedication to customer satisfaction. We have continued this tradition by making our site on the World Wide Web a valuable resource for answers to technical support issues. We encourage you to make this your first stop for answers to frequently asked questions, for updates to Network Associates software, and for access to Network Associates news and encryption information.
World Wide Web: http://www.nai.com
Technical Support for your PGP product is also available through these channels:
Phone: (408) 988-3832
Email: PGPSupport@pgp.com
If the automated services do not have the answers you need, contact Network Associates at one of the following numbers Monday through Friday between 6:00 A.M. and 6:00 P.M. Pacific time.
Phone: (408) 988-3832
To provide the answers you need quickly and efficiently, the Network Associates technical support staff needs some information about your computer and your software. Please have this information ready before you call:
• Product name and version number
• Computer brand and model
• Any additional hardware or peripherals connected to your computer
• Operating system type and version numbers
• Network type and version, if applicable
• Content of any status or error message displayed on screen, or appearing in a log file (not all products produce log files)
• Email application and version (if the problem involves using PGP with an email product, for example, the Eudora plug-in)
• Specific steps to reproduce the problem

Network Associates training

For information about scheduling on-site training for any Network Associates product, call (800) 338-8754.

Comments and feedback

Network Associates appreciates your comments and feedback, but incurs no obligation to you for information you submit. Please address your comments about PGP product documentation to: Network Associates, Inc., 3965 Freedom Circle, Santa Clara, CA 95054-1203 U.S.A. You can also e-mail comments to tns_documentation@nai.com.

Recommended Readings

Non-Technical and beginning technical books
• Whitfield Diffie and Susan Eva Landau, “Privacy on the Line,” MIT Press; ISBN: 0262041677
This book is a discussion of the history and policy surrounding cryptography and communications security. It is an excellent read, even for beginners and non-technical people, but with information that even a lot of experts don't know.
• David Kahn, “The Codebreakers” Scribner; ISBN: 0684831309
This book is a history of codes and code breakers from the time of the Egyptians to the end of WWII. Kahn first wrote it in the sixties, and there is a revised edition published in 1996. This book won't teach you anything about how cryptography is done, but it has been the inspiration of the whole modern generation of cryptographers.
• Charlie Kaufman, Radia Perlman, and Mike Spencer, “Network Security: Private Communication in a Public World,” Prentice Hall; ISBN: 0-13-061466-1
This is a good description of network security systems and protocols, including descriptions of what works, what doesn't work, and why. Published in 1995, so it doesn't have many of the latest advances, but is still a good book. It also contains one of the most clear descriptions of how DES works of any book written.
Intermediate books
• Bruce Schneier, “Applied Cryptography: Protocols, Algorithms, and Source Code in C,” John Wiley & Sons; ISBN: 0-471-12845-7
This is a good beginning technical book on how a lot of cryptography works. If you want to become an expert, this is the place to start.
• Alfred J. Menezes, Paul C. van Oorschot, and Scott Vanstone, “Handbook of Applied Cryptography,” CRC Press; ISBN: 0-8493-8523-7
This is the technical book you should get after Schneier. There is a lot of heavy-duty math in this book, but it is nonetheless usable for those who do not understand the math.
• Richard E. Smith, “Internet Cryptography,” Addison-Wesley Pub Co; ISBN: 020192480
This book describes how many Internet security protocols work. Most importantly, it describes how systems that are designed well nonetheless end up with flaws through careless operation. This book is light on math, and heavy on practical information.
• William R. Cheswick and Steven M. Bellovin, “Firewalls and Internet Security: Repelling the Wily Hacker” Addison-Wesley Pub Co; ISBN: 0201633574
This book is written by two senior researchers at AT&T Bell Labs, about their experiences maintaining and redesigning AT&T's Internet connection. Very readable.
Advanced books
• Neal Koblitz, “A Course in Number Theory and Cryptography” Springer-Verlag; ISBN: 0-387-94293-9
An excellent graduate-level mathematics textbook on number theory and cryptography.
• Eli Biham and Adi Shamir, “Differential Cryptanalysis of the Data Encryption Standard,” Springer-Verlag; ISBN: 0-387-97930-1
This book describes the technique of differential cryptanalysis as applied to DES. It is an excellent book for learning about this technique.

Chapter 1. Introducing PGP

Welcome to PGP. With PGP, you can easily and securely protect the privacy of your data by encrypting it so that only intended individuals can read it. You can also digitally sign information, which ensures its authenticity.

What’s new in PGP version 6.0

This version of PGP includes these new features:
Secure Viewer.
private information on your computer screen from interception through electromagnetic radiation—also known as TEMPEST attacks. It is widely known that eavesdroppers, with special equipment, can capture and reconstru ct video s creen cont ent from r adio freque ncy radiat ion. When tex t is encrypte d with the Secure Viewer option enabled, the decryp ted text is displayed in a special TEMPEST attack prevention font and window that are unreadable to radiation capturing equipment. The Secure Viewer feature allows you to securely view your decrypted text.
PGPdisk Functionality.
6.0. PGPdisk is an easy-to-use encryption application that enables you to set asi de an are a o f di s k sp a c e fo r st oring your sen si t i v e data.
Secure View e r i s P GP’s software solution to protect the
PGPdisk functionality is built into PGP version
1
Designated Revokers.
your keyring is allowed to revoke your key. This can be useful in situations where you are afraid of losing your private key, forgetting your passphrase, or in extreme cases such as a physical incapacity to use th e key. In such cases, the third-party you designate will be able to revoke your key, send it to the server and it will be just as if you had revoked it yourself.
Added Plug-ins.
included. A Groupwise plugin is availab le separ ate ly.
Added Plug-ins.
included. A Groupwise plugin is availab le separ ate ly.
PGPdisk Functionality.
6.0. PGPdisk is an easy-to-use encryption application that enables you to set asi de an are a o f di s k sp a c e fo r st oring your sen si t i v e data.
Photographic User ID.
Photo IDs ca n be signed just like a user ID to p rovide extra information when verifying the key.
You may now specify that another public key on
Email plug-ins for Outlook Express and Outlook 98 ar e
Email plug-ins for Outlook Express and Outlook 98 ar e
PGPdisk functionality is built into PGP version
You can add your photograph to your public key.
User’s Guide 17
Introducing PGP
Secure Communications with the PGP Certificate Server 2.0.
PGP provides a secure connection when any query is sent to the server. This secure conne cti on p reve nts any t ra ffi c anal ys is wh ich mi gh t de termi ne th e keys you are retrieving from or sending to the server.
• Secure Deletion from the PGP Certificate Server.
You can delete or disab l e y our own k e y on th e se rver by a u th e ntica ti ng yourself th r ough Transport Layer Security (TLS).
• PGPkeys Toolbar.
An iconic toolbar has been added to PGPkeys for easy
access to the most frequently used key management functions.
Unknow n Rec i pie nt o r Sig ner Se rve r Lo ok up.
When decrypting or verifying a message, you can automatically perform a server lookup on all the keys which the message is encrypted to or signed by to determine their identity.
Subkey Management.
(Diffie-Hellman/DSS keys only) With the subkey management feature, you can manage your encryption (DH) and signing (DSS) keys separately.
• Signature Reverification.
The signatures collected on keys are automatically verified when added to your ring. It is p ossible, howeve r, whether through data corruption or malicio us tamperi ng, for invalid signatures to exist. This new feature allows you to reverify the signatures to ensure th at they are valid.
Signature Expiration.
You can create signatures on other keys that will
expire after a given date.
Enhanced Int erfa c e
. An intuitive toolbar has been added to PGPkeys for
easy access to the most freq uently used key management f unctions.
Improved Application Integration.
The PGPtray allows in-place encrypt/ decr ypt /si gn/v erif y wit h most ap pli cati ons wi thou t th e n eed f or an explicit copy and paste by the user.
Freespace Wipe.
PGPtools now has the ability to wipe all freespace on your
disks.
Enhance d Wip i ng.
Both file and volume wiping now use a significantly enhanced set of patter ns over mult iple wipes special ly tuned for the medi a types in use by today's computers.
• Key Splitting.
Any high security private key can be split into shares among multiple “shareholders” using a cryptographic process known as Blakley-Shamir splitting.
• PGPdisk ADK.
An Additional Decryption Key can be specified for access to all new PGPdisks created with a configured client install of PGP. This utilizes the new public key support in PGPdisk.
New features of PGPdisk
• Public Key Support.
A public key or multiple public keys can now be configured to open a PGPdisk. This support is integrated with PGP 6.0 and its keyrings. For example, if Bob wants to give his wife Mary access to his PGPdisk, he can give access to Mary by adding her public key to the PGPdisk. The key for the disk will be encrypted to Mary's key.
• New Disk Wizard.
The process of creating a PGPdisk has been simplified by a New Disk Wizard which will guide you through the process step by step.
• Windows NT Support.
PGPdisk now runs on Windows NT 4.0 in addition to Windows 95, 98, and MacOS.

Using PGP

PGP is a security software application that enables you and your co-workers to exchange or store information securely, so that no one else can read it.
One of the most convenient ways to use PGP is through one of the popular email applications supported by the PGP plug-ins. With these plug-ins, you can encrypt and sign as well as decrypt and verify your messages while you are composing and reading your mail with a simple click of a button.
If you are using an email application that is not supported by the plug-ins, you can easily encrypt the text of the message using PGPtray. In addition, if you need to encrypt or decrypt file attachments, you can do so directly from the Windows clipboard by choosing the appropriate menu option. You can also use PGP to encrypt and sign files on the hard disk of your computer for secure storage, to securely wipe files from your hard disk and to wipe free disk space so that sensitive data can’t be retrieved with disk recovery software.

A quick overview

PGP is based on a widely accepted encryption technology known as public key cryptography in which two complementary keys, called a key pair, are used to maintain secure communications. One of the keys is designated as a private key to which only you have access and the other is a public key which you freely exchange with other PGP users. Both your private and your public keys are stored in keyring files, which are accessible from the PGPkeys window. It is from this window that you perform all your key management functions.
For a comprehensive overview of PGP encryption technology, refer to “An Introduction to Cryptography,” which is included with the product.

Basic steps for using PGP

This section takes a quick look at the procedures you normally follow in the course of using PGP. For details concerning any of these procedures, refer to the appropriate chapters in this book.
1. Install PGP on your computer. Refer to the PGP Installation Guide included with the product for complete installation instructions.
2. Create a private and public key pair. Before you can begin using PGP, you need to generate a key pair. A PGP key pair is composed of a private key to which only you have access and a public key that you can copy and make freely available to everyone with whom you exchange information.
You have the option of creating a new key pair immediately after you have finished the PGP installation procedure, or you can do so at any time by opening the PGPkeys application.
For more information about creating a private and public key pair, refer to “Making a key pair” on page 32.
3. Exchange public keys with others. After you have created a key pair, you can begin corresponding with other PGP users. You will need a copy of their public key and they will need yours. Your public key is just a block of text, so it’s quite easy to trade keys with someone. You can include your public key in an email message, copy it to a file, or post it on a public or corporate key server where anyone can get a copy when they need it.
For more information about exchanging public keys, refer to “Distributing your public key” on page 46 and “Obtaining the public keys of others” on page 50.
4. Validate public keys. Once you have a copy of someone’s public key, you can add it to your public keyring. You should then check to make sure that the key has not been tampered with and that it really belongs to the purported owner. You do this by comparing the unique fingerprint on your copy of someone’s public key to the fingerprint on that person’s original key. When you are sure that you have a valid public key, you sign it to indicate that you feel the key is safe to use. In addition, you can grant the owner of the key a level of trust indicating how much confidence you have in that person to vouch for the authenticity of someone else’s public key.
For more information about validating your keys, refer to “Verifying the authenticity of a key” on page 52.
5. Encrypt and sign your email and files. After you have generated your key pair and have exchanged public keys, you can begin encrypting and signing email messages and files.
• If you are using an email application supported by the plug-ins, you can encrypt and sign your messages by selecting the appropriate options from your application’s tool bar.
• If your email application is not supported by the plug-ins, you can perform the appropriate functions from PGPtray. You can also encrypt and sign files from PGPtools before attaching them to your email. Encrypting ensures that only you and your intended recipients can decipher the file’s contents; signing ensures that any tampering will be readily apparent.
For more information about encrypting and signing information, refer to “Encrypting and signing email” on page 55.
6. Decrypt and verify your email and files. When someone sends you encrypted data, you can unscramble the contents and verify any appended signature to make sure that the data originated with the alleged sender and that it has not been altered.
• If you are using an email application that is supported by the plug-ins, you can decrypt and verify your messages by selecting the appropriate options from your application’s tool bar.
• If your email application is not supported by the plug-ins, you can copy the message to the clipboard and perform the appropriate functions from there. If you want to decrypt and verify file attachments, you can do so from the Windows clipboard. You can also decrypt encrypted files stored on your computer, and verify signed files to ensure that they have not been tampered with.
For more information about decrypting and verifying data, refer to “Decrypting and verifying email” on page 63.
7. Wipe files. When you need to permanently delete a file, you can use the Wipe feature to ensure that the file is unrecoverable. The file is immediately overwritten so that it cannot be retrieved using disk recovery software.
For more information about wiping files, refer to “Using PGP Wipe to delete files” on page 77.
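The fingerprint comparison in step 4, as an added example that is not part of the original guide or of PGP's own code: it computes fingerprints the way the OpenPGP specification (RFC 4880, section 12.2) defines them and compares two transcriptions of one. The key values are constructed toy numbers and every function name is this example's own.

```python
import hashlib
import hmac
import struct

# Constructed sample values (toy-sized, NOT real key material).
CREATED = 910000000                      # key creation time, seconds since 1970
SAMPLE_DSA = [0xE95E4A5F, 0xA9FB57DB, 0x7D5A0975, 0x26DC5C6C]  # p, q, g, y
SAMPLE_RSA_N, SAMPLE_RSA_E = 0xC34F9B21, 17


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_key_body(created: int, algo: int, mpis: list) -> bytes:
    """Version 4 public-key packet body: version, creation time, algorithm, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + b"".join(map(mpi, mpis))


def v4_fingerprint(body: bytes) -> str:
    """160-bit fingerprint: SHA-1 over 0x99, 2-byte body length, packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def v3_fingerprint(n: int, e: int) -> str:
    """128-bit fingerprint of a version 3 RSA key: MD5 over the MPI bodies of
    n then e, without their 2-byte length prefixes."""
    return hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).hexdigest().upper()


def grouped(fp: str) -> str:
    """Format for reading aloud: groups of four hex digits."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


def normalize(fp: str) -> str:
    """Strip spacing and case so only the hex digits are compared."""
    digits = "".join(fp.split()).upper()
    if len(digits) not in (32, 40) or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a 128-bit or 160-bit hex fingerprint")
    return digits


def fingerprints_match(mine: str, theirs: str) -> bool:
    """True only if every digit matches; a partial match is a mismatch."""
    return hmac.compare_digest(normalize(mine), normalize(theirs))


if __name__ == "__main__":
    local = v4_fingerprint(v4_key_body(CREATED, 17, SAMPLE_DSA))   # 17 = DSA
    print("read to the owner:", grouped(local))
    # One flipped bit in the public value y produces an unrelated fingerprint.
    altered = v4_fingerprint(v4_key_body(CREATED, 17, SAMPLE_DSA[:3] + [SAMPLE_DSA[3] ^ 1]))
    print("match with owner's copy:", fingerprints_match(local, grouped(local).lower()))
    print("match with altered key:", fingerprints_match(local, altered))
    print("v3 RSA fingerprint:", grouped(v3_fingerprint(SAMPLE_RSA_N, SAMPLE_RSA_E)))
```

The fingerprint to compare against should reach you over a channel other than the one that delivered the key, such as a phone call with the owner.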
2

Getting Started

This chapter explains how to run PGP and provides a quick overview of the procedures you will normally follow in using the product. It also contains a table of the icons used with PGPkeys.

Running PGP

PGP works on the data generated by other applications. Therefore the appropriate PGP functions are designed to be immediately available to you based on the task you are performing at any given moment. There are four primary ways to use PGP:
• From the System tray (PGPtray)
• From within supported email applications (PGP email plug-ins)
• From the Windows Explorer File menu
• From the PGPtools toolbar
Using PGP from the System tray
You can access many of the main PGP functions by clicking the lock icon, which is normally located in the System tray, and then choosing the appropriate menu item. (If you can’t find this icon in your System tray, run PGPtray from the Start menu).
Performing PGP functions from the clipboard
You will notice that many of the options on the System tray refer to PGP functions that you perform from the Windows clipboard. If you are using an email application that is not supported by the PGP plug-ins, or if you are working with text generated by some other application, you perform your encryption/decryption and signature/verification functions via the Windows clipboard.
For instance, to encrypt or sign text, you copy it from your application to the clipboard, encrypt and sign it using the appropriate PGP functions, then paste it back into your application before sending it to the intended recipients. When you receive an encrypted or signed email message, you simply reverse the process and copy the encrypted text, known as ciphertext, from your application to the clipboard, decrypt and verify the information, and then view the contents. After you view the decrypted message, you can decide whether to save the information or retain it in its encrypted form.
Opening the PGPkeys window
When you choose Launch PGPkeys from the PGP pop-up menu, the PGPkeys window opens, showing the private and public key pairs you have created for yourself as well as any public keys of other users that you have added to your public keyring. (If you have not already created a new key pair, the PGP Key Generation Wizard leads you through the necessary steps. However, before going through the process of creating a new key pair, you should see Chapter 3 for complete details about the various options.)
From the PGPkeys window you can create new key pairs and manage all of your other keys. For instance, this is where you examine the attributes associated with a particular key, specify how confident you are that the key actually belongs to the alleged owner, and indicate how well you trust the owner of the key to vouch for the authenticity of other users’ keys. For a complete explanation of the key management functions you perform from the PGPkeys window, see Chapter 6.
Setting PGP Preferences
When you choose PGP Preferences from the PGP pop-up menu, you access the PGP Preferences dialog box in which you specify settings that affect how the PGP program functions based on your computing environment.
By clicking the appropriate tab, you can advance to the preference settings you want to modify. For a complete explanation of these settings, see Chapter 6.
Getting Help
When you choose Help from the PGP menu or window, you access the PGP help system, which provides a general overview and instructions for all of the procedures you are likely to perform. Many of the dialog boxes also have context-sensitive help, which you access by clicking the question mark in the right corner of the window and then pointing to the area of interest on the screen. A short explanation appears.
Quitting PGP
By default, the PGPtray program runs whenever you start your computer, as indicated by the lock icon displayed in the System tray. If for some reason you need to quit running PGPtray, you can do so by choosing Exit PGPtray from the PGP pop-up menu.

Using PGP from supported email applications

If you have one of these popular email applications supported by the PGP plug-ins, you can access the necessary PGP functions by clicking the appropriate buttons in your application’s toolbar:
• Qualcomm Eudora
• Microsoft Exchange
• Microsoft Outlook
• Microsoft Express
• Novell Groupwise (available separately)
For example, you click the envelope and lock icon to indicate that you want to encrypt your message and the pen and paper to indicate that you want to sign your message. Some applications also have an icon of both a lock and quill, which lets you do both at once.
When you receive email from another PGP user, you decrypt the message and verify the person’s digital signature by clicking the opened lock and envelope, or by selecting “Decrypt/Verify” from the PGPmenu.
You can also access the PGPkeys window at any time while composing or retrieving your mail by clicking the PGPkeys button in some plug-ins.

Using PGP/MIME

If you are using an email application with one of the plug-ins that supports the PGP/MIME standard, and you are communicating with another user whose email application also supports this standard, both of you can automatically encrypt and decrypt your email messages and any attached files when you send or retrieve your email. All you have to do is turn on the PGP/MIME encryption and signing functions from the PGP Preferences dialog box.
When you receive email from someone who uses the PGP/MIME feature, the mail arrives with an attached icon in the message window indicating that it is PGP/MIME encoded.
To decrypt the text and file attachments in PGP/MIME encapsulated email and to verify any digital signatures, you simply double-click the lock and quill icon. Attachments are still encrypted if PGP/MIME is not used, but the decryption process is usually more involved for the recipient.

Using PGP from the PGPtools application

If you are using an email application that is not supported by the plug-ins, or if you want to perform PGP functions from within other applications, you can encrypt and sign, decrypt and verify, or securely wipe messages and files directly from the PGPtools window. You can open the PGPtools window by:
• Clicking Start-->Programs-->PGP-->PGPtools.
• Double-clicking the PGPtools icon on the system tray.
When the PGPtools window (Figure 2-1) opens, you can begin your encryption work.
Figure 2-1. PGPtools window
If you are working with text or files, you can encrypt, decrypt, sign, and verify by selecting the text or file and then dragging it onto the appropriate button in the PGPtools window.
If you are working with files, click on the appropriate button in the PGPtools window to choose a file or select the Clipboard.

Using PGP from the Windows Explorer

You can encrypt and sign or decrypt and verify files such as word processing documents, spreadsheets and video clips directly from the Windows Explorer. If you are not using an email application such as Qualcomm Eudora, which supports the PGP/MIME standard, or an application such as Exchange or Outlook that doesn’t require PGP to encrypt or sign files, you must use this method to attach files that you want to send along with your email messages. You might also want to encrypt and decrypt files that you store on your own computer to prevent others from accessing them.
To access PGP functions from the Windows Explorer, choose the appropriate option from the PGP submenu of the File menu. The options that appear depend on the current state of the file you have selected. If the file has not yet been encrypted or signed, then the options for performing these functions appear on the menu. If the file is already encrypted or signed, then options for decrypting and verifying the contents of the file are displayed.

Selecting recipients

When you send email to someone whose email application is supported by the PGP plug-ins, the recipient’s email address determines which keys to use when encrypting the contents. However, if you enter a user name or email address that does not correspond to any of the keys on your public keyring or if you are encrypting from the clipboard or from the Windows Explorer, you must manually select the recipient’s public key from the PGP Key Selection dialog box. To select a recipient’s public key, simply drag the icon representing their key into the Recipient’s list box and then click OK.
For complete instructions on how to encrypt and sign and decrypt and verify email, see Chapter 4. If you want to encrypt files to store on your hard disk or to send as email attachments, see Chapter 5.

Taking shortcuts

Although you will find that PGP is easy to use, a number of shortcuts are available to help you accomplish your encryption tasks even quicker. For instance, while you are managing your keys in the PGPkeys window, you can press the right mouse button to perform all the necessary PGP functions rather than accessing them from the menu bar. You can also drag a file containing a key into the PGPkeys window to add it to your keyring.
Keyboard shortcuts are also available for most menu operations. These keyboard shortcuts are shown on all the PGP menus, and other shortcuts are described in context throughout this manual.

PGPkeys icon definitions

PGPkeys menu bar icons
The following table shows all of the icons used in the PGPkeys menu bar, along with a description of their functions.
Icon Function
Launches the Key Generation Wizard. Click this button to create a new key pair.
Revokes the currently selected key or signature. Click this button to disable a key or revoke a signature. Revoking a key will prevent anyone from encrypting data to it.
Allows you to sign the currently selected key. By signing the key, you are certifying that the key and user ID belong to the identified user.
Deletes the currently selected item. Click this button to remove a key, signature, or photographic ID.
Opens the Key Search window which allows you to search for keys on local keyrings and remote servers.
Sends the currently selected key to the server. Click this button to upload your key to the Certificate or domain server.
Updates the currently selected key from a Certificate or domain server. Click this button to import keys from a Certificate or domain server to your keyring.
Displays the Properties dialog box for the currently selected key. Click this button to view the General and Subkey properties for a key.
Allows you to import keys from a file onto your keyring.
Allows you to export the selected key to a file.
PGPkeys window icons
The following table shows all of the mini-icons used in the PGPkeys window, along with a description of what they represent.
Icon Description
A gold key and user represents your Diffie-Hellman/DSS key pair, which consists of your private key and your public key.
A single gold key represents a Diffie-Hellman/DSS public key.
A gray key and user represents your RSA key pair, which consists of your private key and your public key.
A single gray key represents an RSA public key.
When a key or key pair is dimmed, the keys are temporarily unavailable for encrypting and signing. You can disable a key from the PGPkeys window, which prevents seldom-used keys from cluttering up the Key Selection dialog box.
This icon indicates that a photographic user ID accompanies the public key.
A key with a red X indicates that the key has been revoked. Users revoke their keys when they are no longer valid or have been compromised in some way.
A key with a clock indicates that the key has expired. A key’s expiration date is established when the key is created.
An envelope represents the owner of the key and lists the user names and email addresses associated with the key.
A gray circle indicates that the key is invalid.
A green circle indicates that the key is valid. An additional red circle in the ADK column indicates that the key has an associated Additional Decryption Key; an additional gray circle in the ADK column indicates that the key does not have an associated Additional Decryption Key.
A green circle and user indicates that you own the key, and that it is implicitly trusted.
A pencil or fountain pen indicates the signatures of the PGP users who have vouched for the authenticity of the key. A signature with a red X through it indicates a revoked signature. A signature with a dimmed pencil icon indicates a bad or invalid signature. A signature with a blue arrow next to it indicates that it is exportable.
An empty bar indicates an invalid key or an untrusted user.
A half-filled bar indicates a marginally valid key or marginally trusted user.
A striped bar indicates a valid key that you own and is implicitly trusted, regardless of the signatures on the key.
A full bar indicates a completely valid key or a completely trusted user.