PGP 6.5 Instruction Manual

PGP Freeware for Windows 95, Windows 98,
and Windows NT

User’s Guide

Version 6.5

Copyright © 1990-1999 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved.
PGP*, Version 6.5.1 06-99. Printed in the United States of America. PGP, Pretty Good, and Pretty Good Privacy are registered trademarks of Network Associates, Inc. and/or its Affiliated Companies in the US and other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Portions of this software may use public key algorithms described in U.S. Patent numbers 4,200,770, 4,218,582, 4,405,829, and 4,424,414, licensed exclusively by Public Key Partners; the IDEA(tm) cryptographic cipher described in U.S. patent number 5,214,703, licensed from Ascom Tech AG; and the Northern Telecom Ltd., CAST Encryption Algorithm, licensed from Northern Telecom, Ltd. IDEA is a trademark of Ascom Tech AG. Network Associates Inc. may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents. The compression code in PGP is by Mark Adler and Jean-Loup Gailly, used with permission from the free Info-ZIP implementation. LDAP software provided courtesy University of Michigan at Ann Arbor, Copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/). Copyright © 1995-1999 The Apache Group. All rights reserved. See text files included with the software or the PGP web site for further information. This software is based in part on the work of the Independent JPEG Group. Soft TEMPEST font courtesy of Ross Anderson and Marcus Kuhn. Biometric word list for fingerprint verification courtesy of Patrick Juola.
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement and Limited Warranty provided with the software. The information in this document is subject to change without notice. Network Associates Inc. does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by Network Associates Inc.
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restrict the export and re-export of certain products and technical data.
Network Associates, Inc.
3965 Freedom Circle
Santa Clara, CA 95054
(408) 988-3832 main
(408) 970-9727 fax
http://www.nai.com
info@nai.com
* is sometimes used instead of the ® for registered trademarks to protect marks registered outside of the U.S.
LIMITED WARRANTY
Limited Warranty. Network Associates Inc. warrants that the Software Product will perform substantially in accordance with the accompanying written materials for a period of sixty (60) days from the date of original purchase. To the extent allowed by applicable law, implied warranties on the Software Product, if any, are limited to such sixty (60) day period. Some jurisdictions do not allow limitations on duration of an implied warranty, so the above limitation may not apply to you.
Customer Remedies. Network Associates Inc’s and its suppliers’ entire liability and your exclusive remedy shall be, at Network Associates Inc’s option, either (a) return of the purchase price paid for the license, if any or (b) repair or replacement of the Software Product that does not meet Network Associates Inc’s limited warranty and which is returned at your expense to Network Associates Inc. with a copy of your receipt. This limited warranty is void if failure of the Software Product has resulted from accident, abuse, or misapplication. Any repaired or replacement Software Product will be warranted for the remainder of the original warranty period or thirty (30) days, whichever is longer. Outside the United States, neither these remedies nor any product support services offered by Network Associates Inc. are available without proof of purchase from an authorized international source and may not be available from Network Associates Inc. to the extent they are subject to restrictions under U.S. export control laws and regulations.
NO OTHER WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND EXCEPT FOR THE LIMITED WARRANTIES SET FORTH HEREIN, THE SOFTWARE AND DOCUMENTATION ARE PROVIDED “AS IS” AND NETWORK ASSOCIATES, INC. AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, CONFORMANCE WITH DESCRIPTION, TITLE AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHERS, WHICH VARY FROM JURISDICTION TO JURISDICTION.
LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL NETWORK ASSOCIATES, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL OR EXEMPLARY DAMAGES OR LOST PROFITS WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE PRODUCT OR THE FAILURE TO PROVIDE SUPPORT SERVICES, EVEN IF NETWORK ASSOCIATES, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE, NETWORK ASSOCIATES, INC’S CUMULATIVE AND ENTIRE LIABILITY TO YOU OR ANY OTHER PARTY FOR ANY LOSS OR DAMAGES RESULTING FROM ANY CLAIMS, DEMANDS OR ACTIONS ARISING OUT OF OR RELATING TO THIS AGREEMENT SHALL NOT EXCEED THE PURCHASE PRICE PAID FOR THIS LICENSE. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

Table of Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
What’s new in PGP version 6.5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
How to contact Network Associates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Customer service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Comments and feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Year 2000 compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Recommended Readings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Chapter 1. Installing PGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Compatibility with other versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Upgrading from a previous version . . . . . . . . . . . . . . . . . . . . . . . . .16
Installing PGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Chapter 2. Using PGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Basic steps for using PGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Using PGPkeys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
PGPkeys icon definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Using PGPtray . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Performing PGP functions from the Clipboard or Current Window . . .30
Using PGP from Windows Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Using PGPtools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Using PGP within supported email applications . . . . . . . . . . . . . . . . . . . . . . .32
Using PGP/MIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Selecting recipients for encrypted files or email . . . . . . . . . . . . . .33
Taking shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Chapter 3. Making and Exchanging Keys . . . . . . . . . . . . . . . . . . . . . . . .35
Key concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Making a key pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Creating a passphrase that you will remember . . . . . . . . . . . . . . . . . . . . . . . .40
User’s Guide v
Backing up your keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Protecting your keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Adding and removing information in your key pair . . . . . . . . . . . . . . . . . . . . .42
Adding a photographic ID to your key . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Creating new subkeys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Adding a new user name or address to your key pair . . . . . . . . . . . . . .46
Adding a designated revoker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Adding an X.509 certificate to your PGP key . . . . . . . . . . . . . . . . . . . . . .48
Changing your passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Deleting a key or signature on your PGP keyring . . . . . . . . . . . . . . . . . .53
Splitting and rejoining keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Creating a split key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Rejoining split keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Distributing your public key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Making your public key available through a certificate server . . . . . . .61
Updating your key on a certificate server . . . . . . . . . . . . . . . . . . . .62
Including your public key in an email message . . . . . . . . . . . . . . . . . . .63
Exporting your public key to a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Obtaining the public keys of others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Getting public keys from a certificate server . . . . . . . . . . . . . . . . . . . . .65
Adding public keys from email messages . . . . . . . . . . . . . . . . . . . . . . . .67
Importing keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Verifying the authenticity of a key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Why verify the authenticity of a key? . . . . . . . . . . . . . . . . . . . . . . .68
Verify with a digital fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Validating the public key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Working with trusted introducers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
What is a trusted introducer? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
What is a meta-introducer? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Chapter 4. Sending and Receiving Secure Email . . . . . . . . . . . . . . . . . .71
Encrypting and signing email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Encrypting and signing with supported email applications . . . . . . . . .72
Encrypting email to groups of recipients . . . . . . . . . . . . . . . . . . . . . . . .77
Working with distribution lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Sending encrypted and signed email to distribution lists . . . . . . .79
Decrypting and verifying email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Chapter 5. Using PGP for Secure File Storage . . . . . . . . . . . . . . . . . . . .83
Using PGP to encrypt and decrypt files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Using the PGP right-click menu to encrypt and sign . . . . . . . . . . .83
Using PGPtools to encrypt and sign . . . . . . . . . . . . . . . . . . . . . . . .85
Using PGPtray to decrypt and verify . . . . . . . . . . . . . . . . . . . . . . . .87
Using PGPtools to decrypt and verify . . . . . . . . . . . . . . . . . . . . . . .88
Signing and decrypting files with a split key . . . . . . . . . . . . . . . . . . . . . . . . . .88
Using PGP Wipe to delete files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Using the PGP Free Space Wiper to clean free space on your disks . . . . . .94
Scheduling Free Space Wiper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Chapter 6. Managing Keys and Setting PGP Options . . . . . . . . . . . . . .99
Managing your keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
The PGPkeys window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
PGPkeys attribute definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Examining a key’s properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
General Key Properties panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Subkey properties window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Designated revoker window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Specifying a default key pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Verifying someone’s public key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Signing someone’s public key . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Granting trust for key validations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Disabling and enabling keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Importing and Exporting Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Revoking a key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Appointing a designated revoker . . . . . . . . . . . . . . . . . . . . . . . . . .116
Setting PGP options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Setting general options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Setting file options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Setting emailoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Setting HotKey preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Setting server options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Setting CA options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Setting advanced options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Chapter 7. PGPnet Virtual Private Networking . . . . . . . . . . . . . . . . . . .129
What is a VPN? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
How does a VPN work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
What do you need to protect? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
PGPnet features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
What is PGPnet? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
What is a Security Association? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
PGPnet’s two modes: tunnel and transport . . . . . . . . . . . . . . . . . . . . . . . . . .133
What is tunnel mode? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
What is transport mode? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
How does PGPnet communicate with secure and insecure hosts? . . . . . .133
How do you use PGPnet? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Changing Network Control Panel Settings . . . . . . . . . . . . . . . . . . . . . .135
Starting the PGPnet program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Selecting your authentication key or certificate . . . . . . . . . . . . . . . . . .136
The PGPnet window at a glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Using PGPnet from PGPtray . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
PGPtray’s icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Turning PGPnet off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Turning PGPnet on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Exiting PGPnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Using PGPnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Viewing the Status Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Viewing the Log Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Using the Hosts Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
The Connect and Disconnect buttons . . . . . . . . . . . . . . . . . . . . . .145
Establishing an SA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Adding a host, subnet, or gateway . . . . . . . . . . . . . . . . . . . . . . . .148
Modifying a host, subnet, or gateway entry . . . . . . . . . . . . . . . . .155
Removing a host, subnet, or gateway entry . . . . . . . . . . . . . . . . .155
Requiring a host to present a specific key or certificate . . . . . . . . . . .155
Viewing the General Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Expert Mode: Bypassing the wizard to add hosts, gateways, and subnets . . . .157
Cache passphrases between logins . . . . . . . . . . . . . . . . . . . . . . .162
Setting key expiration values . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Authenticating a connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Advanced Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Allowed Remote Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Set Adapter: Changing your secure network interface . . . . . . . . . . . . . . . . .173
Appendix A. Troubleshooting PGP . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Appendix B. Transferring Files Between the Mac OS and Windows . 181
Sending from the Mac OS to Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Receiving Windows files on the Mac OS . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Supported Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Appendix C. Phil Zimmermann on PGP . . . . . . . . . . . . . . . . . . . . . . . . .187
Why I wrote PGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
The PGP symmetric algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
About PGP data compression routines . . . . . . . . . . . . . . . . . . . . . . . . .193
About the random numbers used as session keys . . . . . . . . . . . . . . .193
About the message digest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
How to protect public keys from tampering . . . . . . . . . . . . . . . . . . . . .195
How does PGP keep track of which keys are valid? . . . . . . . . . . . . . . .198
How to protect private keys from disclosure . . . . . . . . . . . . . . . . . . . .200
What if you lose your private key? . . . . . . . . . . . . . . . . . . . . . . . .201
Beware of snake oil . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Compromised passphrase and private key . . . . . . . . . . . . . . . . . . . . . .206
Public key tampering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Not quite deleted files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Viruses and Trojan horses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Swap files or virtual memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Physical security breach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
Tempest attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
Protecting against bogus timestamps . . . . . . . . . . . . . . . . . . . . . . . . . .210
Exposure on multi-user systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Traffic analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Appendix D. Biometric Word Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Biometric Word Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233

Preface

Welcome to PGP! With PGP Freeware, you can easily and securely protect the privacy of your email messages and file attachments by encrypting them so that only the intended recipients can read them. You can also digitally sign messages and files, which ensures their authenticity. A signed message verifies that the information in it has not been tampered with in any way.
This guide describes how to use PGP® Freeware for Windows 95, Windows 98, and Windows NT. PGP Freeware has many new features, which are described in “What’s new in PGP version 6.5.1” on page 12.
If you are new to cryptography and would like an overview of the terminology and concepts you will encounter while using PGP, see An Introduction to Cryptography.

What’s new in PGP version 6.5.1

This version of PGP includes these new features:
• PGPnet. PGPnet is a landmark product in the history of PGP. PGPnet secures all TCP/IP communications between itself and any other machine running PGPnet. It is also fully interoperable with the Gauntlet GVPN firewall/gateway, providing a complete solution for corporate remote access VPNs using the industry standard IPSec (Internet Protocol Security) and IKE (Internet Key Exchange) protocols. PGPnet has also been successfully tested with Cisco routers (requires Cisco IOS 12.0(5) or later with IPSec TripleDes Feature Pack), Linux FreeS/WAN 1.0, and many others. Refer to Chapter 7, “PGPnet Virtual Private Networking,” for more information and instructions on using PGPnet.
• Self-Decrypting Archives. PGP can now encrypt files or folders into Self-Decrypting Archives (SDA) which can be sent to users who do not even have PGP. The archives are completely independent of any application, and are compressed and protected by PGP’s strong cryptography.
• Automated Freespace Wiping. PGP’s Freespace Wipe feature now allows you to use the Windows Task Scheduler to schedule periodic secure wiping of the freespace on your disk. This ensures that previously deleted files are securely wiped.
• Hotkeys. The Use Current Window feature is significantly enhanced by the addition of Hotkeys. You can now set hotkey combinations for the Encrypt/Decrypt/Sign functions.
• Fingerprint word list. When verifying a PGP public key fingerprint, you can now choose to view the fingerprint as a word list instead of hexadecimal characters. The word list in the fingerprint text box is made up of special authentication words that PGP uses; they are carefully selected to be phonetically distinct and easy to understand without phonetic ambiguity.
• Smart Word Wrapping. The word wrapping in PGP now automatically rewraps paragraphs and even quoted paragraphs, resulting in much cleaner signed messages.

How to contact Network Associates

Customer service

To order products or obtain product information, contact the Network Associates Customer Care department at (408) 988-3832 or write to the following address:
Network Associates, Inc.
McCandless Towers
3965 Freedom Circle
Santa Clara, CA 95054-1203
U.S.A.

Comments and feedback

Network Associates appreciates your comments and feedback, but incurs no obligation to you for information you submit. Please address your comments about PGP product documentation to: Network Associates, Inc., 3965 Freedom Circle, Santa Clara, CA 95054-1203 U.S.A. You can also e-mail comments to tns_documentation@nai.com.

Year 2000 compliance

Information regarding NAI products that are Year 2000 compliant and its Year 2000 standards and testing models may be obtained from NAI’s Web site at http://www.nai.com/y2k.
For further information, email y2k@nai.com.

Recommended Readings

Non-Technical and beginning technical books
• Whitfield Diffie and Susan Eva Landau, “Privacy on the Line,” MIT Press; ISBN: 0262041677. This book is a discussion of the history and policy surrounding cryptography and communications security. It is an excellent read, even for beginners and non-technical people, but with information that even a lot of experts don't know.
• David Kahn, “The Codebreakers,” Scribner; ISBN: 0684831309. This book is a history of codes and code breakers from the time of the Egyptians to the end of WWII. Kahn first wrote it in the sixties, and there is a revised edition published in 1996. This book won't teach you anything about how cryptography is done, but it has been the inspiration of the whole modern generation of cryptographers.
• Charlie Kaufman, Radia Perlman, and Mike Speciner, “Network Security: Private Communication in a Public World,” Prentice Hall; ISBN: 0-13-061466-1. This is a good description of network security systems and protocols, including descriptions of what works, what doesn't work, and why. Published in 1995, so it doesn't have many of the latest advances, but is still a good book. It also contains one of the clearest descriptions of how DES works of any book written.
Intermediate books
• Bruce Schneier, “Applied Cryptography: Protocols, Algorithms, and Source Code in C,” John Wiley & Sons; ISBN: 0-471-12845-7. This is a good beginning technical book on how a lot of cryptography works. If you want to become an expert, this is the place to start.
• Alfred J. Menezes, Paul C. van Oorschot, and Scott Vanstone, “Handbook of Applied Cryptography,” CRC Press; ISBN: 0-8493-8523-7. This is the technical book you should get after Schneier. There is a lot of heavy-duty math in this book, but it is nonetheless usable for those who do not understand the math.
• Richard E. Smith, “Internet Cryptography,” Addison-Wesley Pub Co; ISBN: 020192480. This book describes how many Internet security protocols work. Most importantly, it describes how systems that are designed well nonetheless end up with flaws through careless operation. This book is light on math, and heavy on practical information.
• William R. Cheswick and Steven M. Bellovin, “Firewalls and Internet Security: Repelling the Wily Hacker,” Addison-Wesley Pub Co; ISBN: 0201633574. This book is written by two senior researchers at AT&T Bell Labs, about their experiences maintaining and redesigning AT&T's Internet connection. Very readable.
Advanced books
• Neal Koblitz, “A Course in Number Theory and Cryptography,” Springer-Verlag; ISBN: 0-387-94293-9. An excellent graduate-level mathematics textbook on number theory and cryptography.
• Eli Biham and Adi Shamir, “Differential Cryptanalysis of the Data Encryption Standard,” Springer-Verlag; ISBN: 0-387-97930-1. This book describes the technique of differential cryptanalysis as applied to DES. It is an excellent book for learning about this technique.

Chapter 1. Installing PGP

This chapter describes how to install and run PGP Freeware Windows software. This chapter also provides a quick overview of the procedures you will normally follow in using the product.
Before you begin installing PGP be sure to review the system requirements outlined below.

System requirements

To install PGP on a Windows 95, Windows 98, or Windows NT system, you must have:
• Windows 95, Windows 98, or Windows NT 4.0 (Service Pack 3 or later)
• 32 MB RAM
• 16 MB Hard Disk Space
If you plan to run PGPnet on the system, you must also have:
• Microsoft TCP/IP
• A compatible LAN/WAN network adapter
• Windows 95b (OSR2) if you are installing on a Windows 95 system

Compatibility with other versions

PGP has gone through many revisions since it was released by Phil Zimmermann as a freeware product in 1991. Although this version of PGP represents a significant rewrite of the original program and incorporates a completely new user interface, it has been designed to be compatible with earlier versions of PGP. This means that you can exchange secure email with people who are still using these older versions of the product:
• PGP 2.6 (Distributed by MIT)
• PGP for Personal Privacy, Version 5.0 - 5.5
• PGP for Business Security or PGP for Email and Files Version 5.5
• PGP Desktop Security or PGP for Personal Privacy Version 6.0
NOTE: PGP desktop products that are version 5.0 and later may require the RSA add-on for backward compatibility.

Upgrading from a previous version
If you are upgrading from a previous version of PGP (from PGP, Inc., Network Associates, Inc. or ViaCrypt), you may want to remove the old program files before installing PGP to free up some disk space. However, you should be careful not to delete the private and public keyring files used to store any keys you have created or collected while using the previous version. When you install PGP, you are given the option of retaining your existing private and public keyrings, so you don’t have to go to the trouble of importing all of your old keys. To upgrade from a previous version, follow the appropriate steps listed next.
To upgrade from PGP Version 2.6.2 or 2.7.1
1. Exit all programs or open applications.
2. Make backups of your old PGP keyrings on another volume. In PGP for Windows versions 2.6.2 and 2.7.1, your public keys are stored in “pubring.pgp” and your private keys are stored in “secring.pgp”. In versions 5.x - 6.5, your public keys are stored in “pubring.pkr” and your private keys are stored in “secring.skr”.
TIP: Make two separate backups of your keyrings onto two different floppy disks just to be safe. Be especially careful not to lose your private keyring; otherwise you will never be able to decrypt any email messages or file attachments encrypted with the lost keys. Store the keyrings in a secure place where only you have access to them.
3. When you have successfully backed up your old keyrings, remove or archive the (old) PGP software. You have two options here:
• Manually delete the entire old PGP folder and all of its contents; or
• Manually delete the old PGP program and archive the remaining files, especially the configuration and keyring files.
4. Install PGP version 6.5.1 using the provided installer.
5. Restart your computer.
To upgrade from PGP Version 5.x
If you are upgrading from PGP version 4.x or 5.x, follow the installation instructions outlined in “Installing PGP” below.

Installing PGP
You can install the PGP Freeware software from a CD-ROM or from downloaded files. The self-extracting file, Setup.exe, automatically extracts and steps you through the installation. After you install the software, you can create your private and public key pair and begin using PGP. Refer to the PGPWinUsersGuide.pdf file included with the program for instructions on using PGP.
To install PGP Freeware for Windows systems, carefully follow the steps outlined below.
To install PGP
1. Exit all programs currently running on your computer, then do one of the following:
To install from a CD-ROM, insert it into the CD-ROM drive.
The Setup program automatically starts. If, however, the Setup program does not initiate, double-click Setup.exe in the PGP folder on the CD-ROM.
To install from downloaded files, extract the compressed installation files onto your computer. Double-click on Setup.exe to start the installer.
2. The Setup program searches for open programs and prompts you to close them.
If you have PGP version 4.x - 6.x currently installed, the PGP setup program prompts you to uninstall the old PGP files. Click Yes to automatically uninstall the old version. Your keyring files are saved in a file named Old Keyrings.
You must reboot your computer after uninstalling the files. Once your computer reboots, the installer continues.
The PGP Installation screen appears.
3. Review the instructions in the PGP Welcome dialog box, then click Next. The Network Associates license agreement appears.
4. Review the license agreement information, then click Yes to accept the licensing terms.
The Whatsnew.txt file appears listing the new features and other important information regarding PGP version 6.5.1.
5. Review the Whatsnew.txt file, then click Next.
6. Register your product by entering your name in the User Information dialog box.
7. Click Next.
8. Click Browse to navigate to a destination directory for your PGP files or accept the default directory. Click Next to continue.
The Select Components dialog box appears, as shown in Figure 1-1.
Figure 1-1. PGP Select Components dialog box
9. Clear the components that you do not want to install. By default, each option is selected. Your installation options are:
PGP Key Management (required). This item installs the PGP program. You must install the Key Management utilities.
PGPnet. Select this option to install the PGPnet program. PGPnet, a Virtual Private Network (VPN), is an easy-to-use encryption application that allows you to communicate securely and economically with other PGPnet users throughout the world.
PGP Eudora Plug-in. Select this option if you want to integrate PGP functionality with your Qualcomm Eudora email program. PGP version 6.5.1 supports Eudora versions 3.05 and later.
PGP Microsoft Exchange/Outlook Plug-in. Select this option if you want to integrate PGP functionality with your Microsoft Exchange/Outlook email program. PGP version 6.5.1 supports Outlook 97 and 98.
PGP Microsoft Outlook Express Plug-in. Select this option if you want to integrate PGP functionality with your Microsoft Outlook Express email program. PGP version 6.5.1 supports the version that is included with Internet Explorer versions 4.x.
PGP User’s Manual (Adobe Acrobat format). Select this option to install the PGP User’s Guide.
PGP CommandLine. Select this option if you want to install the command line version of PGP for Windows NT systems. This is for use as a client only. Batch server processes require additional licensing.
10. Click Next. A dialog box appears, alerting you that the installer is ready to copy files.
11. Review the installation settings, then click Next. The PGP files are copied to the computer.
12. If you have keyrings on your computer from a previous version of PGP, click Yes to use your existing keyrings.
A browse dialog box appears. Browse to locate your public keyring, Pubring.pkr, and your private keyring, Secring.skr.
If you do not have keyrings on your computer, click No. When you first open the PGPkeys application, you are prompted to create a keypair.
13. If you chose to install the PGPnet application, the PGPnet Network Adapter List appears listing the network adapters found on your system, as shown in Figure 1-2.
Figure 1-2. PGPnet Network Adapter List
If you want to communicate securely over a modem, select your WAN adapter (for example, Remote Access WAN Wrapper or dialup adapter). If you want to communicate securely over an Ethernet connection, select your LAN adapter (for example, 3COM Megahertz LAN PC Card). When you have made your selection, click OK.
NOTE: On Windows 98 computers, WAN is listed as “Dialup Adapter” instead of “Remote WAN Wrapper.”
The installation program binds the PGPnet driver to the adapter you selected and configures your computer to use the PGPnet application.
14. If you want to restart your computer automatically, select Yes, I want to restart my computer now.
15. Click Finish to complete the PGP installation and reboot your computer.
NOTE: You must reboot your computer if you install PGPnet.
That’s it! PGP is installed on your computer.

2 Using PGP

PGP is based on a widely accepted encryption technology known as public key cryptography in which two complementary keys, called a key pair, are used to maintain secure communications. One of the keys is designated as a private key to which only you have access and the other is a public key which you freely exchange with other PGP users. Both your private and your public keys are stored in keyring files, which are accessible from the PGPkeys window. It is from this window that you perform all your key management functions.
This section takes a quick look at the procedures you normally follow in the course of using PGP. For details concerning any of these procedures, refer to the appropriate chapters in this book. For a comprehensive overview of PGP encryption technology, refer to “An Introduction to Cryptography,” which is included with the product.

Basic steps for using PGP

1. Install PGP on your computer. Refer to Chapter 1, “Installing PGP” for complete installation instructions.
2. Create a private and public key pair.
Before you can begin using PGP, you need to generate a key pair. A PGP key pair is composed of a private key to which only you have access and a public key that you can copy and make freely available to everyone with whom you exchange information.
You have the option of creating a new key pair immediately after you have finished the PGP installation procedure, or you can do so at any time by opening the PGPkeys application.
For more information about creating a private and public key pair, refer to “Making a key pair” on page 36.
3. Exchange public keys with others.
After you have created a key pair, you can begin corresponding with other PGP users. You will need a copy of their public key and they will need yours. Your public key is just a block of text, so it’s quite easy to trade keys with someone. You can include your public key in an email message, copy it to a file, or post it on a public or corporate key server where anyone can get a copy when they need it.
For more information about exchanging public keys, refer to “Distributing your public key” on page 60 and “Obtaining the public keys of others” on page 64.
4. Validate public keys.
Once you have a copy of someone’s public key, you can add it to your public keyring. You should then check to make sure that the key has not been tampered with and that it really belongs to the purported owner. You do this by comparing the unique fingerprint on your copy of someone’s public key to the fingerprint on that person’s original key, obtained through a separate channel (for example, read to you over the telephone) rather than from the same message that carried the key. When you are sure that you have a valid public key, you sign it to indicate that you feel the key is safe to use. In addition, you can grant the owner of the key a level of trust indicating how much confidence you have in that person to vouch for the authenticity of someone else’s public key.
For more information about validating your keys, refer to “Verifying the authenticity of a key” on page 68.
5. Encrypt and sign your email and files.
After you have generated your key pair and have exchanged public keys, you can begin encrypting and signing email messages and files. PGP works on the data generated by other applications. Therefore the appropriate PGP functions are designed to be immediately available to you based on the task you are performing at any given moment. There are several ways to encrypt and sign with PGP:
• From the System tray (PGPtray). PGPtray includes utilities to perform cryptographic tasks on data on the Clipboard or in the current window. See “Using PGPtray” on page 29.
• From within supported email applications (PGP email plug-ins). The plug-ins enable you to secure your email from within the supported email application. See “Using PGP within supported email applications” on page 32.
• From PGPtools. PGPtools enables you to perform cryptographic tasks within applications not supported by plug-ins, plus other security tasks, such as wiping files from your disk. See “Using PGPtools” on page 31.
• From the Windows Explorer File menu. You can encrypt and sign or decrypt and verify files such as word processing documents, spreadsheets and video clips directly from the Windows Explorer. See “Using PGP from Windows Explorer” on page 31.
For more information about encrypting email, refer to “Encrypting and signing email” on page 71. For more information about decrypting files, refer to “Using PGP to encrypt and decrypt files” on page 83.
6. Decrypt and verify your email and files.
When someone sends you encrypted data, you can unscramble the contents and verify any appended signature to make sure that the data originated with the alleged sender and that it has not been altered.
• If you are using an email application that is supported by the plug-ins, you can decrypt and verify your messages by selecting the appropriate options from your application’s tool bar.
• If your email application is not supported by the plug-ins, you can copy the message to the clipboard and perform the appropriate functions from there. If you want to decrypt and verify files, you can do so from the Clipboard, Windows Explorer, or by using PGPtools. You can also decrypt encrypted files stored on your computer, and verify signed files to ensure that they have not been tampered with.
For more information about securing email, refer to “Decrypting and verifying email” on page 79. For more information about securing files, refer to “Using PGP to encrypt and decrypt files” on page 83.
7. Wipe files.
When you need to permanently delete a file, you can use the Wipe feature to ensure that the file is unrecoverable. The file is immediately overwritten so that it cannot be retrieved using disk recovery software.
For more information about wiping files, refer to “Using PGP Wipe to delete files” on page 93.
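Steps 3 and 4 above rest on two facts about a PGP public key that the manual states but does not show: the block of text you trade is an ASCII-armored packet protected only by a checksum, and the fingerprint you compare out of band is a hash computed over that packet. The following Python script is an added example, not code from this manual or from PGP itself. It builds tiny constructed key packets (not real keys), armors and de-armors them with the OpenPGP CRC-24, and derives the fingerprint and key ID both for a v4 Diffie-Hellman/DSS key (SHA-1) and for a PGP 2.6-style v3 RSA key (MD5). The creation times, sample integers and the “Version: example” armor header are all made up for illustration; only the Python standard library is used.

```python
import base64
import hashlib

# Added example, not PGP's own code. Sample key values are constructed and tiny: NOT real keys.
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 used by ASCII armor; it detects transmission damage, nothing more."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(packet: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap raw packet bytes in a PGP armor block with the trailing =CRC line."""
    b64 = base64.b64encode(packet).decode()
    data_lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "Version: example", ""]
                     + data_lines + ["=" + check, f"-----END PGP {kind}-----", ""])


def dearmor(armored: str):
    """Return (crc_ok, packet_bytes); crc_ok is False if the block was mangled in transit."""
    lines = [ln.rstrip("\r") for ln in armored.splitlines()]
    start = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP"))
    end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END PGP"))
    first_data = lines.index("", start) + 1          # armor headers end at a blank line
    data, check = [], None
    for ln in lines[first_data:end]:
        if ln.startswith("="):
            check = int.from_bytes(base64.b64decode(ln[1:]), "big")
        elif ln:
            data.append(ln)
    packet = base64.b64decode("".join(data))
    return (check is not None and crc24(packet) == check), packet


def tampered_copy(armored: str) -> str:
    """Corrupt one radix-64 character of the data, as a mangled mail message might."""
    lines = armored.split("\n")
    i = lines.index("") + 1
    lines[i] = ("B" if lines[i][0] != "B" else "C") + lines[i][1:]
    return "\n".join(lines)


def mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then the big-endian value."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def read_mpi(buf: bytes, pos: int):
    bits = int.from_bytes(buf[pos:pos + 2], "big")
    end = pos + 2 + (bits + 7) // 8
    return int.from_bytes(buf[pos + 2:end], "big"), end


def public_key_packet(body: bytes) -> bytes:
    """Old-format header for packet tag 6 with a 2-byte length: 0x99, length, body."""
    return b"\x99" + len(body).to_bytes(2, "big") + body


def v4_body(created: int, algo: int, *mpis: int) -> bytes:
    return b"\x04" + created.to_bytes(4, "big") + bytes([algo]) + b"".join(map(mpi, mpis))


def v3_body(created: int, valid_days: int, n: int, e: int) -> bytes:   # algorithm 1 = RSA
    return b"\x03" + created.to_bytes(4, "big") + valid_days.to_bytes(2, "big") + b"\x01" + mpi(n) + mpi(e)


def fingerprint_and_keyid(packet: bytes):
    """Return (fingerprint hex, key ID hex) for a v3 or v4 public key packet."""
    if packet[0] != 0x99:
        raise ValueError("expected an old-format public key packet (tag 6)")
    length = int.from_bytes(packet[1:3], "big")
    body = packet[3:3 + length]
    if body[0] == 4:
        # v4: SHA-1 over 0x99, the 2-byte length and the whole body; key ID = low 64 bits.
        fpr = hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()
        return fpr, fpr[-16:]
    if body[0] == 3:
        # v3 (RSA only): MD5 over the bare modulus and exponent bytes, without MPI headers;
        # key ID = low 64 bits of the modulus, which whoever made the key can pick at will.
        n, pos = read_mpi(body, 8)
        e, _ = read_mpi(body, pos)
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes((e.bit_length() + 7) // 8, "big")
        return hashlib.md5(raw).hexdigest().upper(), f"{n & 0xFFFFFFFFFFFFFFFF:016X}"
    raise ValueError(f"unsupported key packet version {body[0]}")


# Constructed samples: made-up creation times, DSA (17) and RSA (1) parameters far too small to be real.
SAMPLE_DSS_PACKET = public_key_packet(v4_body(0x374F1B2C, 17, 0xE3B1, 0x9B, 0x7A2D, 0x3C4F))
SAMPLE_RSA_PACKET = public_key_packet(v3_body(0x2D2C1A00, 0, (0xABCD << 64) | 0x0123456789ABCDEF, 65537))

if __name__ == "__main__":
    for pkt in (SAMPLE_DSS_PACKET, SAMPLE_RSA_PACKET):
        block = armor(pkt)
        print(fingerprint_and_keyid(pkt), dearmor(block)[0], dearmor(tampered_copy(block))[0])
```

Note what the two checks do and do not tell you. A CRC mismatch means the block was damaged on the way; a matching CRC says nothing about who made the key, so it is no substitute for comparing the fingerprint against a value obtained from the owner by another channel. The v3 key ID is simply the low 64 bits of the modulus, which the key’s creator chooses, so it identifies a key even less reliably than a v4 key ID does.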

Using PGPkeys

When you choose PGPkeys from PGPtray, the PGPkeys window opens (Figure 2-1) showing the private and public key pairs you have created for yourself as well as any public keys of other users that you have added to your public keyring.
Figure 2-1. PGPkeys
(If you have not already created a new key pair, the PGP Key Generation Wizard leads you through the necessary steps. However, before going through the process of creating a new key pair, you should see Chapter 3, “Making and Exchanging Keys,” for complete details about the various options.)
From the PGPkeys window you can create new key pairs and manage all of your other keys. For instance, this is where you examine the attributes associated with a particular key, specify how confident you are that the key actually belongs to the alleged owner, and indicate how well you trust the owner of the key to vouch for the authenticity of other users’ keys. For a complete explanation of the key management functions you perform from the PGPkeys window, see Chapter 6.
PGPkeys icon definitions
PGPkeys menu bar icons
The following table shows all of the icons used in the PGPkeys menu bar, along with a description of their functions.
Table 2-1. PGPkeys menu bar icons
Icon Function
Launches the Key Generation Wizard. Click this button to create a new key pair.
Revokes the currently selected key or signature. Click this button to disable a key or revoke a signature. Revoking a key will prevent anyone from encrypting data to it.
Allows you to sign the currently selected key. By signing the key, you are certifying that the key and user ID belong to the identified user.
Deletes the currently selected item. Click this button to remove a key, signature, or photographic ID.
Opens the Key Search window which allows you to search for keys on local keyrings and remote servers.
Sends the currently selected key to the server. Click this button to upload your key to the Certificate or domain server.
Updates the currently selected key from a Certificate or domain server. Click this button to import keys from a Certificate or domain server to your keyring.
Displays the Properties dialog box for the currently selected key. Click this button to view the General and Subkey properties for a key.
Allows you to import keys from a file onto your keyring.
Allows you to export the selected key to a file.
PGPkeys window icons
The following table shows all of the mini-icons used in the PGPkeys window, along with a description of what they represent.
Table 2-2. PGPkeys window icons
Icon Description
A gold key and user represents your Diffie-Hellman/DSS key pair, which consists of your private key and your public key.
A single gold key represents a Diffie-Hellman/DSS public key.
A gray key and user represents your RSA key pair, which consists of your private key and your public key.
A single gray key represents an RSA public key.
When a key or key pair is dimmed, the keys are temporarily unavailable for encrypting and signing. You can disable a key from the PGPkeys window, which prevents seldom-used keys from cluttering up the Key Selection dialog box.
This icon indicates that a photographic user ID accompanies the public key.
A key with a red X indicates that the key has been revoked. Users revoke their keys when they are no longer valid or have been compromised in some way.
A key with a clock indicates that the key has expired. A key’s expiration date is established when the key is created.
An envelope represents the owner of the key and lists the user names and email addresses associated with the key.
A gray circle indicates that the key is invalid.
A green circle indicates that the key is valid. An additional red circle in the ADK column indicates that the key has an associated Additional Decryption Key; an additional gray circle in the ADK column indicates that the key does not have an associated Additional Decryption Key.
A green circle and user indicates that you own the key, and that it is implicitly trusted.
A pencil or fountain pen indicates the signatures of the PGP users who have vouched for the authenticity of the key.
- A signature with a red X through it indicates a revoked signature.
- A signature with a dimmed pencil icon indicates a bad or invalid signature.
- A signature with a blue arrow next to it indicates that it is exportable.
A certificate represents an X.509 certificate, a recognized electronic document used to prove identity and public key ownership over a communication network.
A clock indicates an expired X.509 certificate. A red X indicates a revoked X.509 certificate.
An empty bar indicates an invalid key or an untrusted user.
A half-filled bar indicates a marginally valid key or marginally trusted user.
A striped bar indicates a valid key that you own and is implicitly trusted, regardless of the signatures on the key.
A full bar indicates a completely valid key or a completely trusted user.

Using PGPtray

You can access many of the main PGP functions by clicking the lock icon, which is normally located in the System tray, and then choosing the appropriate menu item. (If you can’t find this icon in your System tray, run PGPtray from the Start menu.) This feature provides immediate access to the PGP functions regardless of which application you are using and is especially useful if you are using an email application that is not supported by the PGP plug-ins.
NOTE: If you installed PGPnet, a PGPnet icon appears in your System tray instead of the lock icon. The look of the PGPtray icon tells you if PGPnet is off or not installed (gray lock), installed (yellow lock on a network), or installed but not working (yellow lock on a network with a red X).

Performing PGP functions from the Clipboard or Current Window

If you are using an email application that is not supported by the PGP plug-ins, or if you are working with text generated by some other application, you can perform your encryption/decryption and signature/verification functions via the Windows Clipboard or within the current application window.
Via the Windows Clipboard
For instance, to encrypt or sign text, you copy it from your application to the Clipboard (CTRL+C), encrypt and sign it using the appropriate PGP functions, then paste (CTRL+V) it back into your application before sending it to the intended recipients. When you receive an encrypted or signed email message, you simply reverse the process and copy the encrypted text, known as ciphertext, from your application to the Clipboard, decrypt and verify the information, and then view the contents. After you view the decrypted message, you can decide whether to save the information or retain it in its encrypted form. Bear in mind that whatever you leave on the Clipboard, including decrypted plaintext, stays there until it is overwritten or the Clipboard is cleared.
Within the Current Window
You can perform the same cryptographic tasks using the Current Window menu item, which copies the text in the current window to the Clipboard and then performs the selected task.
Figure 2-2. PGPtray’s Current Window feature

Using PGP from Windows Explorer

You can encrypt and sign or decrypt and verify files such as word processing documents, spreadsheets and video clips directly from Windows Explorer. If you are not using an email application such as Qualcomm Eudora, which supports the PGP/MIME standard, or an application such as Exchange or Outlook that doesn’t require PGP/MIME to encrypt or sign files, you must use this method to encrypt and sign files that you want to send along with your email messages. You might also want to encrypt and decrypt files that you store on your own computer to prevent others from accessing them.
To access PGP functions from Windows Explorer, choose the appropriate option from the PGP submenu of the File menu. The options that appear depend on the current state of the file you have selected. If the file has not yet been encrypted or signed, then the options for performing these functions appear on the menu. If the file is already encrypted or signed, then options for decrypting and verifying the contents of the file are displayed.

Using PGPtools

If you are using an email application that is not supported by the plug-ins, or if you want to perform PGP functions from within other applications, you can encrypt and sign, decrypt and verify, or securely wipe messages and files directly from PGPtools. You can open PGPtools by:
• Clicking Start-->Programs-->PGP-->PGPtools, or
• Clicking the PGPtools icon on the System tray
When PGPtools (Figure 2-3) opens, you can begin your encryption tasks.
Figure 2-3. PGPtools
If you are working with text or files, you can encrypt, decrypt, sign, and verify by selecting the text or file and then dragging it onto the appropriate button in PGPtools.
If you are working with files, click on the appropriate button in PGPtools to choose a file or select the Clipboard.
When you decrypt a file, a Save As dialog box appears and PGP creates a new plaintext file; the encrypted file keeps its .pgp suffix. For example, decrypting report.txt.pgp produces report.txt.

Using PGP within supported email applications

One of the most convenient ways to use PGP is through one of the popular email applications supported by the PGP plug-ins. With these plug-ins, you can encrypt and sign, as well as decrypt and verify, your messages while you are composing and reading your mail with a simple click of a button.
If you are using an email application that is not supported by the plug-ins, you can easily encrypt the text of the message using PGPtray. In addition, if you need to encrypt or decrypt files, you can do so directly from the Windows Clipboard or by choosing the appropriate PGP menu option in Windows Explorer. You can also use PGP to encrypt and sign files on the hard disk of your computer for secure storage, to securely wipe files from your hard disk and to wipe free disk space so that sensitive data can’t be retrieved with disk recovery software.
If you have one of these popular email applications supported by the PGP plug-ins, you can access the necessary PGP functions by clicking the appropriate buttons in your application’s toolbar:
• Qualcomm Eudora
• Microsoft Exchange
• Microsoft Outlook
• Microsoft Outlook Express
• Lotus Notes (available separately)
• Novell Groupwise (available separately)
For example, you click the envelope and lock icon to indicate that you want to encrypt your message and the pen and paper icon to indicate that you want to sign your message. Some applications also have an icon of both a lock and quill, which lets you do both at once.
When you receive email from another PGP user, you decrypt the message and verify the person’s digital signature by clicking the opened lock and envelope icon, or by selecting Decrypt/Verify from PGPtools.
You can also access the PGPkeys window at any time while composing or retrieving your mail by clicking the PGPkeys button in some plug-ins.
Using PGP/MIME
If you are using an email application with one of the plug-ins that supports the PGP/MIME standard, and you are communicating with another user whose email application also supports this standard, both of you can automatically encrypt and decrypt your email messages and any attached files when you send or retrieve your email. All you have to do is turn on the PGP/MIME encryption and signing functions from the PGP Options dialog box.
When you receive email from someone who uses the PGP/MIME feature, the mail arrives with an attached icon in the message window indicating that it is PGP/MIME encoded.
To decrypt the text and file attachments in PGP/MIME encapsulated email and to verify any digital signatures, you simply double-click the lock and quill icon. Attachments are still encrypted if PGP/MIME is not used, but the decryption process is usually more involved for the recipient.
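To make the difference between PGP/MIME and the clipboard style concrete, here is an added Python example, not part of this manual and not PGP’s own code. It builds a PGP/MIME encrypted message in the layout RFC 3156 prescribes (multipart/encrypted with protocol="application/pgp-encrypted", a control part, then the armored payload), builds the same message the inline way, and shows the test a receiving client can apply to decide how to handle what arrived. The armored text, addresses and subject are constructed placeholders, not real ciphertext; only the standard library is used.

```python
import email
from email import encoders
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Added example, not PGP code. FAKE_ARMORED is a constructed placeholder, not real ciphertext.
FAKE_ARMORED = ("-----BEGIN PGP MESSAGE-----\nVersion: example\n\n"
                "hQEMA0NOTREALDATA=\n=abcd\n-----END PGP MESSAGE-----\n")


def build_pgp_mime_encrypted(sender: str, recipient: str, subject: str, armored: str) -> Message:
    """RFC 3156 layout: multipart/encrypted with a control part, then the armored payload."""
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted", _encoder=encoders.encode_7or8bit)
    payload = MIMEApplication(armored.encode("ascii"), "octet-stream",
                              _encoder=encoders.encode_7or8bit, name="encrypted.asc")
    msg.attach(control)
    msg.attach(payload)
    return msg


def build_inline(sender: str, recipient: str, subject: str, armored: str) -> Message:
    """The clipboard/PGPtray style: the armored block is simply the text body."""
    msg = MIMEText(armored)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    return msg


def classify(msg: Message) -> str:
    """Tell a receiving client what PGP handling, if any, the message needs."""
    ctype = msg.get_content_type()
    protocol = msg.get_param("protocol")
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        parts = msg.get_payload()
        if len(parts) == 2 and parts[0].get_content_type() == "application/pgp-encrypted":
            return "pgp-mime-encrypted"
        return "malformed-pgp-mime"          # right wrapper, wrong parts: do not guess
    if ctype == "multipart/signed" and protocol == "application/pgp-signature":
        return "pgp-mime-signed"
    if not msg.is_multipart():
        text = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if "-----BEGIN PGP MESSAGE-----" in text:
            return "inline-encrypted"
        if "-----BEGIN PGP SIGNED MESSAGE-----" in text:
            return "inline-signed"
    return "plain"


def extract_armored(msg: Message) -> str:
    """Pull out the armored text a decryptor would be handed, for either style."""
    kind = classify(msg)
    if kind == "pgp-mime-encrypted":
        return msg.get_payload()[1].get_payload(decode=True).decode("ascii")
    if kind == "inline-encrypted":
        return msg.get_payload(decode=True).decode("utf-8", "replace")
    raise ValueError(f"no PGP payload in a message classified as {kind}")


def as_received(msg: Message) -> Message:
    """Serialize and re-parse, so the checks run on what a recipient's client sees."""
    return email.message_from_string(msg.as_string())


if __name__ == "__main__":
    for m in (build_pgp_mime_encrypted("alice@example.com", "bob@example.com", "hi", FAKE_ARMORED),
              build_inline("alice@example.com", "bob@example.com", "hi", FAKE_ARMORED),
              MIMEText("nothing secret here")):
        print(classify(as_received(m)))
```

The classifier deliberately refuses to guess when the multipart/encrypted wrapper is present but the parts are not what RFC 3156 requires; that is the case where a client that falls back to scanning the body for armor lines can be talked into treating attacker-chosen text as the message.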
Selecting recipients for encrypted files or email
When you send email to someone whose email application is supported by the PGP plug-ins, the recipient’s email address determines which keys to use when encrypting the contents. However, if you enter a user name or email address that does not correspond to any of the keys on your public keyring, or if you are encrypting from PGPtray or from PGPtools, you must manually select the recipient’s public key from the PGP Key Selection dialog box.
To select a recipient’s public key, drag the icon representing the key into the Recipients list box and then click OK.
For complete instructions on how to encrypt, sign, decrypt, and verify email, see Chapter 4, “Sending and Receiving Secure Email.” For complete instructions on how to encrypt files to store on your hard disk or to send as attachments, see Chapter 5, “Using PGP for Secure File Storage.”

Taking shortcuts

Although you will find that PGP is quite easy to use, a number of shortcuts are available to help you accomplish your encryption tasks even quicker. For example, while you are managing your keys in the PGPkeys window, you can press the right mouse button to perform all the necessary PGP functions rather than accessing them from the menu bar. You can also drag a file containing a key into the PGPkeys window to add it to your keyring.
Keyboard shortcuts are also available for most menu operations. These keyboard shortcuts are shown on all the PGP menus, and other shortcuts are described in context throughout this manual.

Getting Help

When you choose Help from PGPtray or from the Help menu within PGPkeys, you access the PGP Help system, which provides a general overview and instructions for all of the procedures you are likely to perform. Many of the dialog boxes also have context-sensitive help, which you access by clicking the question mark in the right corner of the window and then pointing to the area of interest on the screen. A short explanation appears.
3 Making and Exchanging Keys
This chapter describes how to generate the public and private key pairs that you need to correspond with other PGP users. It also explains how to distribute your public key and obtain the public keys of others so that you can begin exchanging private and authenticated email.

Key concepts

PGP is based on a widely accepted and highly trusted public key encryption system, as shown in Figure 3-1, by which you and other PGP users generate a key pair consisting of a private key and a public key. As its name implies, only you have access to your private key, but in order to correspond with other PGP users you need a copy of their public key and they need a copy of yours. You use your private key to sign the email messages and file attachments you send to others and to decrypt the messages and files they send to you. Conversely, you use the public keys of others to send them encrypted email and to verify their digital signatures.
Figure 3-1. Public Key Cryptography diagram (plaintext is encrypted with the recipient’s public key to give ciphertext; the ciphertext is decrypted with the matching private key to recover the plaintext)
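Figure 3-1 and the paragraph above say which key is used for which operation. The following Python program is an added example, not part of this manual and not PGP’s implementation: it works the four operations through with textbook RSA, using two constructed key pairs (Alice and Bob) built from Mersenne primes so that the arithmetic is visibly correct. The moduli are around a hundred to two hundred bits and there is no padding, so this illustrates the roles of the two keys and nothing else. Real PGP also encrypts the message body with a symmetric cipher and uses the public key only to wrap that session key, a detail left out here.

```python
import hashlib
from typing import NamedTuple

# Added example, not PGP code: textbook RSA with toy Mersenne-prime keys to show which key does what.
# No padding and tiny moduli: an illustration of key roles, not usable cryptography.


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    d: int


def make_key_pair(p: int, q: int, e: int = 65537):
    """Derive (public, private) from two primes; d is the inverse of e mod (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # modular inverse, Python 3.8+
    return PublicKey(n, e), PrivateKey(n, d)


def encrypt(recipient_public: PublicKey, plaintext: bytes) -> int:
    """Encryption uses the RECIPIENT's public key; only the matching private key undoes it."""
    m = int.from_bytes(plaintext, "big")
    if not 0 < m < recipient_public.n:
        raise ValueError("plaintext must be shorter than the modulus (toy limitation)")
    return pow(m, recipient_public.e, recipient_public.n)


def decrypt(my_private: PrivateKey, ciphertext: int) -> bytes:
    m = pow(ciphertext, my_private.d, my_private.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(my_private: PrivateKey, message: bytes) -> int:
    """Signing uses the SENDER's private key over a hash of the message."""
    return pow(_digest(message, my_private.n), my_private.d, my_private.n)


def verify(sender_public: PublicKey, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    return pow(signature, sender_public.e, sender_public.n) == _digest(message, sender_public.n)


# Constructed key pairs for two correspondents (Mersenne primes, so primality is not in doubt).
ALICE_PUBLIC, ALICE_PRIVATE = make_key_pair(2**31 - 1, 2**61 - 1)
BOB_PUBLIC, BOB_PRIVATE = make_key_pair(2**89 - 1, 2**107 - 1)


def exchange(message: bytes):
    """Alice signs with her private key and encrypts to Bob's public key; Bob reverses both."""
    signature = sign(ALICE_PRIVATE, message)
    ciphertext = encrypt(BOB_PUBLIC, message)
    recovered = decrypt(BOB_PRIVATE, ciphertext)
    return recovered, verify(ALICE_PUBLIC, recovered, signature)


if __name__ == "__main__":
    print(exchange(b"meet at noon"))
```

The asymmetry is the whole point: Bob needs only Alice’s public key to check her signature, and Alice needs only Bob’s public key to encrypt to him, while each private key never leaves its owner. Verifying with the wrong public key, or against a message that was altered after signing, fails.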

Making a key pair

Unless you have already done so while using another version of PGP, the first thing you need to do before sending or receiving encrypted and signed email is create a new key pair. A key pair consists of two keys: a private key that only you possess and a public key that you freely distribute to those with whom you correspond. You generate a new key pair from PGPkeys using the PGP Key Generation Wizard, which guides you through the process.
NOTE: If you are upgrading from an earlier version of PGP, you have probably already generated a private key and have distributed its matching public key to those with whom you correspond. In this case you don’t have to make a new key pair (as described in the next section). Instead, you specify the location of your keys when you run the PGPkeys application. You can go to the Files panel of the Options dialog box and locate your keyring files at any time.
To create a new key pair
1. Open PGPkeys. You can open PGPkeys by:
• clicking Start-->Programs-->PGP-->PGPkeys
• clicking the PGPtray icon in the System tray, then clicking PGPkeys, or
• clicking the PGPkeys button in your email application’s toolbar
PGPkeys appears, as shown in Figure 3-2.
Figure 3-2. PGPkeys
2. Click the key generation icon (the one that launches the Key Generation Wizard, see Table 2-1) in the PGPkeys menu bar. The PGP Key Generation Wizard provides some introductory information on the first screen.
3. When you are finished reading this information, click Next to advance to the next pane.
The PGP Key Generation Wizard asks you to enter your name and email address.
4. Enter your name on the first line and your email address on the second line.
It’s not absolutely necessary to enter your real name or even your email address. However, using your real name makes it easier for others to identify you as the owner of your public key. Also, by using your correct email address, you and others can take advantage of the plug-in feature that automatically looks up the appropriate key on your current keyring when you address mail to a particular recipient.
5. Click Next to advance to the next dialog box. The Key Generation Wizard asks you to select a key type.
6. Select a key type, either Diffie-Hellman/DSS or RSA and then click Next.
NOTE: If your version of PGP does not support RSA, this step may not be available to you. For more information about RSA support, see the WhatsNew file that accompanies the product.
Earlier versions of PGP use an older technology referred to as RSA to generate keys. With PGP Version 5.0 and above, you have the option of creating a new type of key based on the improved Elgamal variant of Diffie-Hellman technology.
• If you plan to correspond with people who are still using RSA keys, you might want to generate an RSA key pair that is compatible with older versions of the program.
• If you plan to correspond with people who have PGP Version 5.0 or later, you can take advantage of the new technology and generate a pair of Diffie-Hellman/DSS keys.
• If you want to exchange email with all PGP users, make an RSA key pair and a Diffie-Hellman/DSS key pair, then use the appropriate pair depending on the version of PGP used by the recipient. You must create a separate key pair for each type of key that you need.
7. The PGP Key Generation Wizard asks you to specify a size for your new keys.
Select a key size from 1024 to 3072 bits, or enter a custom key size from 1024 to 4096 bits.
NOTE: A custom key size may take a long time to generate, depending on the speed of the computer you are using.
The key size corresponds to the number of bits used to construct your digital key. The larger the key, the less chance that someone will be able to crack it, but the longer it takes to perform the decryption and encryption process. You need to strike a balance between the convenience of performing PGP functions quickly with a smaller key and the increased level of security provided by a larger key. Unless you are exchanging extremely sensitive information that is of enough interest that someone would be willing to mount an expensive and time-consuming cryptographic attack in order to read it, you are safe using a key composed of 1024 bits. (That judgement reflects 1999 computing power; 1024-bit RSA and Diffie-Hellman keys are no longer considered adequate, so choose the largest size your correspondents’ software can handle.)
8. Click Next to advance to the next pane. The PGP Key Generation Wizard asks you to indicate when the key pair will expire.
9. Indicate when you want your keys to expire. You can either use the default selection, which is Never, or you can enter a specific date after which the keys will expire.
NOTE: When creating a Diffie-Hellman/DSS key pair, the size of the DSS portion of the key is less than or equal to the size of the Diffie-Hellman portion of the key, and is limited to a maximum size of 1024 bits.
Once you create a key pair and have distributed your public key to the world, you will probably continue to use the same keys from that point on. However, under certain conditions you may want to create a special key pair that you plan to use for only a limited period of time. In this case, when the public key expires, it can no longer be used by someone to encrypt mail for you but it can still be used to verify your digital signature. Similarly, when your private key expires, it can still be used to decrypt mail that was sent to you before your public key expired but can no longer be used to sign mail for others.
10. Click Next to advance to the next pane. The PGP Key Generation Wizard asks you to enter a passphrase.
11. In the Passphrase dialog box, enter the string of characters or words you want to use to maintain exclusive access to your private key. To confirm your entry, press the TAB key to advance to the next line, then enter the same passphrase again. Normally, as an added level of security, the characters you enter for the passphrase do not appear on the screen. However, if you are sure that no one is watching, and you would like to see the characters of your passphrase as you type, clear the Hide Typing checkbox.
NOTE: Your passphrase should contain multiple words and may include spaces, numbers, and punctuation characters. Choose something that you can remember easily but that others won’t be able to guess. The passphrase is case sensitive, meaning that it distinguishes between uppercase and lowercase letters. The longer your passphrase, and the greater the variety of characters it contains, the more secure it is. Strong passphrases include upper and lowercase letters, numbers, punctuation, and spaces but are more likely forgotten. See “Creating a passphrase that you will remember” on page 40, for more information about choosing a passphrase.
WARNING: No one, including Network Associates, can recover a forgotten passphrase.
12. Click Next to begin the key generation process. The PGP Key Generation Wizard indicates that it is busy generating your key. If you have entered an inadequate passphrase, a warning message appears before the keys are generated and you have the choice of accepting the bad passphrase or entering a more secure one before continuing. For more information about passphrases, see “Creating a passphrase that you will remember” on page 40.
If there is not enough random information upon which to build the key, the PGP Random Data dialog box appears. As instructed in the dialog box, move your mouse around and enter a series of random keystrokes until the progress bar is completely filled in. Your mouse movements and keystrokes generate random information that is needed to create a unique key pair.
NOTE: PGPkeys continually gathers random data from many sources on the system, including mouse positions, timings, and keystrokes. If the Random Data dialog box does not appear, it indicates that PGP has already collected all the random data that it needs to create the key pair.
After the key generation process begins, it may take a while to generate the keys. In fact, if you specify a size other than the default values for a Diffie-Hellman/DSS key, the fast key generation option is not used and it may take hours to generate your key at larger sizes. Eventually the PGP Key Generation Wizard indicates that the key generation process is complete.
13. Click Next to advance to the next pane. The PGP Key Generation Wizard indicates that you have successfully generated a new key pair and asks if you want to send your public key to a certificate server.
14. Specify whether you want your new public key to be sent to the server, and then click Next (the default server is specified in the Server Options dialog box).
When you send your public key to the certificate server, anyone who has access to that certificate server can get a copy of your key when they need it. For complete details, see “Distributing your public key” on page 60.
When the key generation process is complete, the final panel appears.
15. Click Finish. A key pair representing your newly created keys appears in the PGPkeys window. At this point you can examine your keys by checking their properties and the attributes associated with the keys; you may also want to add other email addresses that belong to you. See “Adding and removing information in your key pair” on page 42, for details about modifying the information in your keypair.

Creating a passphrase that you will remember

Encrypting a file and then finding yourself unable to decrypt it is a painful lesson in learning how to choose a passphrase you will remember. Most applications require a password between three and eight letters. A single word password is vulnerable to a dictionary attack, which consists of having a computer try all the words in the dictionary until it finds your password. To protect against this manner of attack, it is widely recommended that you create a word that includes a combination of upper and lowercase alphabetic letters, numbers, punctuation marks, and spaces. This results in a stronger password, but an obscure one that you are unlikely to remember easily. We do not recommend that you use a single-word passphrase.
A passphrase is less vulnerable to a dictionary attack. This is accomplished easily by using multiple words in your passphrase, rather than trying to thwart a dictionary attack by arbitrarily inserting a lot of funny non-alphabetic characters, which has the effect of making your passphrase too easy to forget and could lead to a disastrous loss of information because you can’t decrypt your own files. However, unless the passphrase you choose is something that is easily committed to long-term memory, you are unlikely to remember it verbatim. Picking a phrase on the spur of the moment is likely to result in forgetting it entirely. Choose something that is already residing in your long-term memory. Perhaps a silly saying you heard years ago that has somehow stuck in your mind all this time. It should not be something that you have repeated to others recently, nor a famous quotation, because you want it to be hard for a sophisticated attacker to guess. If it’s already deeply embedded in your long-term memory, you probably won’t forget it.
Of course, if you are reckless enough to write your passphrase down and tape it to your monitor or to the inside of your desk drawer, it won't matter what you choose.

Backing up your keys

Once you have generated a key pair, it is wise to put a copy of it in a safe place in case something happens to the original. PGP prompts you to save a backup copy when you close the PGPkeys application after creating a new key pair.
Your private keys and your public keys are stored in separate keyring files, which you can copy just like any other files to another location on your hard drive or to a floppy disk. By default, the private keyring (secring.skr) and the public keyring (pubring.pkr) are stored along with the other program files in the “PGP Keyrings” folder in your PGP folder, but you can save your backups in any location you like.
PGP periodically prompts you to back up your keys. When you specify that you want to save a backup copy of your keys, the Save As dialog box appears, asking you to specify the location of the backup private and public keyring files that are to be created.

Protecting your keys

Besides making backup copies of your keys, you should be especially careful about where you store your private key. Even though your private key is protected by a passphrase that only you should know, it is possible that someone could discover your passphrase and then use your private key to decipher your email or forge your digital signature. For instance, somebody could look over your shoulder and watch the keystrokes you enter or intercept them on the network or even over the airwaves.
To prevent anyone who might happen to intercept your passphrase from being able to use your private key, you should store your private key only on your own computer. If your computer is attached to a network, you should also make sure that your files are not automatically included in a system-wide backup where others might gain access to your private key. Given the ease with which computers are accessible over networks, if you are working with extremely sensitive information, you may want to keep your private key on a floppy disk, which you can insert like an old-fashioned key whenever you want to read or sign private information.
As another security precaution, consider assigning a different name to your private keyring file and then storing it somewhere other than in the default PGP folder where it will not be so easy to locate. Use the Files panel of the PGPkeys Options dialog box to specify a name and location for your private and public keyring files.

Adding and removing information in your key pair

At any time you can add, change, or remove these items in your key pair:
• a photographic ID
• additional subkeys
• a user name and address
• designated revokers
• an X.509 certificate
• your passphrase

Adding a photographic ID to your key

You can include a photographic user ID with your Diffie-Hellman/DSS key.
WARNING: Although you can view the photographic ID accompanying someone’s key for verification, you should always check and compare the digital fingerprints. See “Verifying someone’s public key” on page 108 for more information about authentication.
To add your photograph to your key
1. Open PGPkeys.
2. Select your key pair and then click Add Photo on the Keys menu.
The Add Photo dialog box opens, as shown in Figure 3-3.
Figure 3-3. Add Photo dialog box
3. Drag or paste your photograph onto the Add Photo dialog box or browse to it by clicking Select File.
NOTE: The photograph must be a .JPG or .BMP file. For maximum picture quality, crop the picture to 120x144 pixels before adding it to the Add Photo dialog box. If you do not do this, PGP will scale the picture for you.
4. Click OK. The Passphrase dialog box opens, as shown in Figure 3-4.
Figure 3-4. Passphrase dialog box
5. Enter your passphrase in the space provided, then click OK. Your photographic user ID is added to your public key and is listed in the PGPkeys window. You can now send your key to the server. See “To send your public key to a certificate server” on page 61, for additional instructions.
To replace your photographic ID
1. Open PGPkeys.
2. Select your key.
3. Select the photograph that you want to replace.
4. Choose Delete from the Edit menu.
5. Add your new photographic ID using the instructions outlined in “To add your photograph to your key” on page 42.

Creating new subkeys

Every Diffie-Hellman/DSS key is actually two keys: a DSS signing key and a Diffie-Hellman encryption subkey. PGP Version 6.5 provides the ability to create and revoke new encryption keys without sacrificing your master signing key and the signatures collected on it. One of the most common uses for this feature is to create multiple subkeys that are set to be used during different periods of the key's lifetime. For example, if you create a key that will expire in three years, you might also create 3 subkeys and use each of them for one of the years in the lifetime of the key. This can be a useful security measure and provides an automatic way to periodically switch to a new encryption key without having to recreate and distribute a new public key.
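An added model, not PGP's own code, of the expiry rules given under step 9 above and the yearly subkey rotation described here: an expired key still verifies and decrypts, but no longer signs or accepts new encryption, and encryption goes to whichever subkey's start/expiry window contains the current date. The dates and subkey labels are constructed; where several subkeys are active at once this model picks the latest-started one, a choice the guide does not specify.

```python
"""Expiry rules for a PGP key pair with rotating encryption subkeys.

Added illustration of the behaviour described in this chapter; it is not
PGP's code. Verification and decryption of old material survive expiry,
signing and encryption do not, and each Diffie-Hellman encryption subkey
carries its own start date and optional expiry ("Never" is None).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Subkey:
    label: str
    start: date
    expires: Optional[date]  # None is the PGPkeys default, "Never"

    def active_on(self, day: date) -> bool:
        """Usable from the start date up to, but not including, the expiry date."""
        return self.start <= day and (self.expires is None or day < self.expires)


@dataclass(frozen=True)
class KeyPair:
    expires: Optional[date]   # expiry of the master DSS signing key
    subkeys: List[Subkey]     # Diffie-Hellman encryption subkeys

    def expired_on(self, day: date) -> bool:
        return self.expires is not None and day >= self.expires

    def encryption_subkey(self, day: date) -> Optional[Subkey]:
        """Subkey a correspondent should encrypt to on `day`, or None if nothing is valid.

        Assumption (not stated in the guide): if several subkeys are active at
        once, the one that started most recently is chosen.
        """
        if self.expired_on(day):
            return None
        active = [sk for sk in self.subkeys if sk.active_on(day)]
        return max(active, key=lambda sk: sk.start) if active else None

    def permitted(self, day: date) -> Dict[str, bool]:
        """Operations the key still supports on `day`.

        Old signatures stay verifiable and old mail stays decryptable after
        expiry; new signatures and new encryption are refused.
        """
        return {
            "verify": True,
            "decrypt": True,
            "sign": not self.expired_on(day),
            "encrypt": self.encryption_subkey(day) is not None,
        }


def yearly_rotation(created: date, years: int) -> KeyPair:
    """The arrangement suggested in the text: a key expiring after `years`
    years with one encryption subkey covering each year of its lifetime.
    (Constructed helper; `created` should not fall on 29 February.)"""
    subkeys = [
        Subkey(
            label=f"enc-{created.year + i}",
            start=created.replace(year=created.year + i),
            expires=created.replace(year=created.year + i + 1),
        )
        for i in range(years)
    ]
    return KeyPair(expires=created.replace(year=created.year + years), subkeys=subkeys)
```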
To create new subkeys
1. Open PGPkeys.
2. Select your key pair and then click Properties on the Keys menu, or click the corresponding toolbar button.
The Properties dialog box opens.
3. Click the Subkeys tab.
The Subkeys dialog box opens, as shown in Figure 3-5.
Figure 3-5. PGP key property page (Subkeys dialog box)
4. To create a new subkey, click New. The New Subkey dialog box opens.
5. Enter a key size from 1024 to 3072 bits, or enter a custom key size from 1024 to 4096 bits.
6. Indicate the start date on which you want your subkey to activate.
7. Indicate when you want your subkey to expire. You can either use the default selection, which is Never, or you can enter a specific date after which the subkey will expire.
8. Click OK. The Passphrase dialog box appears.
9. Enter your passphrase and then click OK. Your new subkey is listed in the Subkey window.

Adding a new user name or address to your key pair

You may have more than one user name or email address for which you want to use the same key pair. After creating a new key pair, you can add alternate names and addresses to the keys. You can only add a new user name or email address if you have both the private and public keys.
To add a new user name or address to your key
1. Open PGPkeys.
2. Select the key pair for which you want to add another user name or address.
3. Choose Add/Name from the Keys menu. The PGP New User Name dialog box appears (Figure 3-6).
Figure 3-6. PGP New User Name dialog box
4. Enter the new name and email address in the appropriate fields, and then click OK.
The PGP Enter Passphrase dialog box appears.
5. Enter your passphrase, then click OK. The new name is added to the end of the user name list associated with the key. If you want to set the new user name and address as the primary identifier for your key, select the name and address and then choose Set as Primary Name from the Keys menu.
Adding a designated revoker
It is possible that you might forget your passphrase someday or lose your private key. In this case, you would never be able to use your key again, and you would have no way of revoking your old key when you create a new one. To safeguard against this possibility, you can appoint a third-party key revoker on your public keyring to revoke your key. The third-party you designate will be able to revoke your DH/DSS key, send it to the server and it will be just as if you had revoked it yourself.
To add a designated revoker to your key
1. Open PGPkeys.
2. Select the key pair for which you want to designate a revoker.
3. Select Add/Revoker from the Keys menu. A dialog box opens and displays a list of keys.
4. Select the key(s) in the User ID list that you want to appoint as a designated revoker.
5. Click OK. A confirmation dialog box appears.
6. Click OK to continue. The Passphrase dialog box appears.
7. Enter your passphrase, then click OK.
8. The selected key(s) is now authorized to revoke your key. For effective key management, distribute a current copy of your key to the revoker(s) or upload your key to the server. See “Distributing your public key” on page 60 for instructions.

Adding an X.509 certificate to your PGP key

NOTE: The instructions in this section describe how to add an X.509 certificate to your keypair if you are using the Net Tools PKI Server.
An X.509 digital certificate is a recognized electronic document used to prove identity and public key ownership over a communication network.
You can request an X.509 digital certificate and add it to your keypair using the PGP menus and a Certificate Authority (CA), either an in-house CA or a public CA (for example, VeriSign).
There are four main steps to adding an X.509 certificate to your keypair. First, retrieve the Root CA certificate from the CA and add it to your PGP keyring. Next, enter information about the CA in the CA Options panel. Then request a certificate from the CA. Your X.509 certificate request is verified and signed by the CA. (The CA’s signature on the certificate makes it possible to detect any subsequent tampering with the identifying information or the public key, and it implies that the CA considers the information in the certificate valid.) Finally, retrieve the certificate issued by the CA and add it to your keypair.
To add an X.509 certificate to your PGP keypair
1. Obtain and add the Root CA certificate to your PGP keyring.
To do this, follow these steps:
1. Open your Web browser and connect to the CA’s enrollment site.
2. Click the Download a CA Certificate link. From the drop-down list, select a certificate authority and the appropriate certificate.
3. Click Examine this Certificate and copy the key block for the Root CA certificate and paste it into PGPkeys. The Import Key dialog box appears and imports the Root CA certificate into your keyring.
4. Sign the Root CA certificate with your key to make it valid, then open the Key Properties and set the trust level. Trust must be set on the Root CA.
2. Configure the CA Options panel.
To do this, follow these steps:
5. Select Options from the PGPkeys Edit menu, then click on the CA tab.
The CA panel appears, as shown in Figure 3-7.
Figure 3-7. PGP dialog box (CA Panel)
6. Enter the CA’s URL in the Certificate Authority URL text box, for example, https://nnn.nnn.nnn.nnn:nnnnn (this is the same URL you used to retrieve the Root CA).
7. If there is a separate URL for retrieving certificate revocation lists (CRLs), enter it in the corresponding text box.
If you do not know the URL for Revocation, leave this field blank.
8. In the Type box, specify the name of the certificate authority you are using. Your options are:
• Net Tools PKI Server
• VeriSign OnSite
• Entrust
9. Click the Select Certificate button, then select the Root CA certificate you just retrieved.
The Root Certificate text box displays information on the selected root CA certificate. The terminology for the certificate is a policy decision. Typically, the following terminology is true for X.509 certificates:
CN (Common Name): Often a description of the type of certificate (e.g., “Root”).
EMAIL: The email address for the certificate holder.
OU (Organizational Unit): The organization to which the certificate belongs (e.g., “Accounting”).
O (Organization): Typically the name of the company to which the certificate belongs (e.g., “Secure Company”).
L (Locality): The location of the holder of the certificate (e.g., “Santa Clara”).
10. Click OK.
3. Make a certificate request.
To do this, follow these steps:
1. Right-click on your PGP keypair, or open the Keys menu, and select Add/Certificate.
The Certificate Attributes dialog box appears, as shown in Figure 3-8.
Figure 3-8. Certificate Attributes dialog box
2. Verify the certificate attributes; use the Add, Edit, and Remove buttons to make any required changes, and click OK. The PGP Enter Passphrase dialog box appears.
3. Enter the passphrase for your keypair, then click OK.
The PGP Server Progress bar appears, as shown in Figure 3-9.
Figure 3-9. PGP Server Progress Bar
The certificate request is sent to the CA server. The server authenticates itself to your computer and accepts your request.
4. Once you receive a message stating that your certificate is ready for retrieval, you can download it and add it to your keypair.
To do this, follow these steps:
1. In PGPkeys, select the PGPkey for which you made the certificate request.
2. On the Server menu, select Retrieve Certificate. PGP contacts the CA server and automatically retrieves your new X.509 certificate and adds it to your PGPkey.
3. If you are running PGPnet, set this certificate as your X.509 authentication key in PGPnet (View -> Options -> Authentication).
Changing your passphrase
It’s a good practice to change your passphrase at regular intervals, perhaps every three months. More importantly, you should change your passphrase the moment you think it has been compromised, for example, by someone looking over your shoulder as you typed it in.
To change your passphrase
1. Open PGPkeys.
2. Select the key for which you want to change the passphrase.
3. Choose Properties from the Keys menu or click the corresponding toolbar button to open the Properties dialog box.
The Properties dialog box appears, as shown in Figure 3-10.
Figure 3-10. Properties dialog box (General panel)
4. Click Change Passphrase. The Passphrase dialog box appears.
NOTE: If you want to change the passphrase for a split key, you must first rejoin the key shares. Click Join to collect the key shares. See “Signing and decrypting files with a split key” on page 88 for information about collecting key shares.
5. Enter your current passphrase in the space provided, then click OK. The Change Passphrase dialog box appears.
6. Enter your new passphrase in the first text box. Press the TAB key to advance to the next text box and confirm your entry by entering your new passphrase again.
7. Click OK.
WARNING: If you are changing your passphrase because you feel that your passphrase has been compromised, you should wipe all backup keyrings and wipe your freespace.

Deleting a key or signature on your PGP keyring

At some point you may want to remove a key or a signature from your PGP keyring. When you delete a key or signature from a key, it is removed and not recoverable. Signatures and user IDs can be re-added to a key, and an imported public key can be re-imported to your keyring. However, a private key that exists only on that keyring cannot be recreated, and all messages encrypted to copies of its public key can no longer be decrypted.
NOTE: If you want to delete a signature or user ID associated with your public key on a certificate server, see “Updating your key on a certificate server” on page 62 for instructions.
To delete a key or signature from your PGP keyring
1. Open PGPkeys.
2. Select the key or signature you want to delete.
3. Choose Delete from the Edit menu or click the corresponding button in the PGPkeys toolbar. The Confirmation dialog box appears.
4. Click the OK button.

Splitting and rejoining keys

Any private key can be split into shares among multiple “shareholders” using a cryptographic process known as Blakely-Shamir key splitting. This technique is recommended for extremely high security keys. For example, Network Associates keeps a corporate key split between multiple individuals. Whenever we need to sign with that key, the shares of the key are rejoined temporarily.
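The threshold splitting described above, as an added illustration that is not PGP's code: a (k, n) Shamir-style sharing over a prime field, worked through with the three-of-four arrangement the guide uses later in Figure 3-12. It leaves out what PGP wraps around the shares (the .shf file format and encrypting each share to its holder); the shareholder names and the secret are constructed.

```python
"""(k, n) threshold secret sharing over GF(p), Shamir's construction.

Added illustration of the key-splitting idea described above; it is not
PGP's code and does not reproduce PGP's .shf format or share encryption.
The secret is an integer (for example, a symmetric key encoded as a number).
A random polynomial of degree k-1 has the secret as its constant term; each
share is one point on it, and any k points recover the polynomial at x=0.
"""
import secrets

# Field modulus, larger than any secret split here (2**127 - 1 is prime).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) at x mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, shares):
    """Return `shares` points (x, y); any `threshold` of them rebuild `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # Constant term is the secret; remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x=0 over the supplied (x, y) points.

    With fewer than `threshold` points this still returns a number, but not
    the secret: too few points leave the polynomial undetermined.
    """
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def assign_shares(points, holders):
    """Hand shares to shareholders; `holders` maps name -> share count.

    Mirrors the Share Split dialog, where each holder gets one share by
    default and a holder's count can be raised.
    """
    if sum(holders.values()) != len(points):
        raise ValueError("share count does not match holder weights")
    out, remaining = {}, iter(points)
    for name, count in holders.items():
        out[name] = [next(remaining) for _ in range(count)]
    return out


def demo():
    """Three-of-four split (constructed holders): three shares rebuild the key, two do not."""
    key = secrets.randbelow(PRIME)
    points = split_secret(key, threshold=3, shares=4)
    holders = assign_shares(points, {"alice": 1, "bob": 1, "carol": 1, "dave": 1})
    three = holders["alice"] + holders["bob"] + holders["dave"]  # carol is unavailable
    two = holders["alice"] + holders["bob"]
    return recover_secret(three) == key, recover_secret(two) == key
```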

Creating a split key

To split a key, select the key pair to be split and choose Share Split from the Keys menu. You are then asked to set up how many different shares will be required to rejoin the key. The shares are saved as files either encrypted to the public key of a shareholder or encrypted conventionally if the shareholder has no public key. After the key has been split, attempting to sign with it or decrypt with it will automatically attempt to rejoin the key. For information about rejoining a split key, see “Signing and decrypting files with a split key” on page 88.
To create a split key with multiple shares
1. Open PGPkeys.
2. In PGPkeys, create a new key pair or select an existing key pair that you want to split.
3. On the Keys menu, click Share Split. The Share Split dialog box opens (Figure 3-11) on top of PGPkeys.
Figure 3-11. Share Split dialog box
4. Add shareholders to the key pair by dragging their keys from PGPkeys to the Shareholder list in the Share Split dialog box.
To add a shareholder that does not have a public key, click Add in the Share Split dialog box, enter the person’s name and then allow the person to type in their passphrase.
5. When all of the shareholders are listed, you can specify the number of key shares that are necessary to decrypt or sign with this key.
In Figure 3-12, for example, the total number of shares that make up the Group Key is four and the total number of shares required to decrypt or sign is three. This provides a buffer in the event that one of the shareholders is unable to provide their key share or forgets the passphrase.
Figure 3-12. Share Split dialog box
(Example)
By default, each shareholder is responsible for one share. To increase the number of shares a shareholder possesses, click the name in the shareholder’s list to display it in the text field below. Type the new number of key shares or use the arrows to select a new amount.
6. Click Split Key. A dialog box opens and prompts you to select a directory in which to store the shares.
7. Select a location to store the key shares. The Passphrase dialog box appears.
8. Enter the passphrase for the key you want to split and then click OK. A confirmation dialog box opens.
9. Click Yes to split the key.
The key is split and the shares are saved in the location you specified.
Each key share is saved with the shareholder’s name as the file name and a .shf extension, as shown in the example below:
10. Distribute the key shares to the owners, then delete the local copies. Once a key is split among multiple shareholders, attempting to sign or decrypt with it will cause PGP to automatically attempt to rejoin the key. To learn how to rejoin a split key to sign or decrypt files, see “Signing and decrypting files with a split key” on page 88.

Rejoining split keys

Once a key is split among multiple shareholders, attempting to sign or decrypt with it will cause PGP to automatically attempt to rejoin the key. There are two ways to rejoin the key, locally and remotely.
Rejoining key shares locally requires the shareholders’ presence at the rejoining computer. Each shareholder is required to enter the passphrase for their key share.
Rejoining key shares remotely requires the remote shareholders to authenticate and decrypt their keys before sending them over the network. PGP's Transport Layer Security (TLS) provides a secure link to transmit key shares which allows multiple individuals in distant locations to securely sign or decrypt with their key share.
IMPORTANT: Before receiving key shares over the network, you should verify each shareholder’s fingerprint and sign their public key to ensure that their authenticating key is legitimate. To learn how to verify a keypair, see “Verify with a digital fingerprint” on page 69.
To rejoin a split key
1. Contact each shareholder of the split key. To rejoin key shares locally, the shareholders of the key must be present.
To collect key shares over the network, ensure that the remote shareholders are prepared to send their key share file. Remote shareholders must have:
– their key share file and password
– a keypair (for authentication to the computer that is collecting the key shares)
– a network connection
– the IP address or Domain Name of the computer that is collecting the key shares
2. At the rejoining computer, use Windows Explorer to select the file(s) that you want to sign or decrypt with the split key.
3. Right-click on the file(s) and select Sign or Decrypt from the PGP menu. The PGP Enter Passphrase for Selected Key dialog box appears with the split key selected.
4. Click OK to reconstitute the selected key. The Key Share Collection dialog box appears, as shown in Figure 3-13.
Figure 3-13. Key Share Collection dialog box
5. Do one of the following:
• If you are collecting the key shares locally, click Select Share File and then locate the share files associated with the split key. The share files can be collected from the hard drive, a floppy disk, or a mounted drive. Continue with Step 6.
• If you are collecting key shares over the network, click Start Network. The Passphrase dialog box opens. In the Signing Key box, select the keypair that you want to use for authentication to the remote system and enter the passphrase. Click OK to prepare the computer to receive the key shares.
The status of the transaction is displayed in the Network Shares box. When the status changes to “Listening,” the PGP application is ready to receive the key shares.
At this time, the shareholders must send their key shares. To learn how to send key shares to the rejoining computer, see “To send your key share over the network” on page 59.
When a share is received, the Remote Authentication dialog box appears, as shown in Figure 3-14.
Figure 3-14. Remote Authentication dialog box
If you have not signed the key that is being used to authenticate the remote system, the key will be considered invalid. Although you can rejoin the split key with an invalid authenticating key, it is not recommended. You should verify each shareholder’s fingerprint and sign their public key to ensure that the authenticating key is legitimate.
Click Confirm to accept the share file.
6. Continue collecting key shares until the value for Total Shares Collected matches the value for Total Shares Needed in the Key Shares Collection dialog box.
7. Click OK. The file is signed or decrypted with the split key.
To send your key share over the network
1. When you are contacted by the person who is rejoining the split key, make sure that you have these items:
– your key share file and password
– your keypair (for authentication to the computer that is collecting the key shares)
– a network connection
– the IP address or Domain Name of the rejoining computer collecting the key shares
2. Select Send Key Shares on the PGPkeys File menu. The Select Share File dialog box appears.
3. Locate your key share and then click Open. The PGP Enter Passphrase dialog box appears.
4. Enter your passphrase and then click OK.
The Send Key Shares dialog box appears, as shown in Figure 3-15.
5. Enter the IP address or the Domain Name of the rejoining computer in the Remote Address text box, then click Send Shares.
The status of the transaction is displayed in the Network Status box.
When the status changes to “Connected,” you are asked to authenticate yourself to the rejoining computer.
Figure 3-15. Send Key Shares dialog box
The Remote Authentication dialog box appears asking you to confirm that the remote computer is the one to whom you want to send your key share.
6. Click Confirm to complete the transaction. After the remote computer receives your key shares and confirms the transaction, a message box appears stating that the shares were successfully sent.
7. Click OK.
8. Click Done in the Key Shares window when you have completed sending your key share.

Distributing your public key

After you create your keys, you need to make them available to others so that they can send you encrypted information and verify your digital signature. There are three ways in which you can distribute your public key:
• Make your public key available through a public certificate server,
• Include your public key in an email message, or
• Export your public key or copy it to a text file.
Your public key is basically composed of a block of text, so it is quite easy to make it available through a public certificate server, include it in an email message, or export or copy it to a file. The recipient can then use whatever method is most convenient to add your public key to their public keyring.

Making your public key available through a certificate server

The best method for making your public key available is to place it on a public certificate server where anyone can access it. That way, people can send you email without having to explicitly request a copy of your key. It also relieves you and others from having to maintain a large number of public keys that you rarely use. There are a number of certificate servers worldwide, including those offered by Network Associates, Inc., where you can make your key available for anyone to access.
To send your public key to a certificate server
1. Connect to the Internet.
2. Open PGPkeys.
3. Select the icon that represents the public key you want to post on the certificate server.
4. Open the Server menu, then select the certificate server you want to post on from the Send To submenu. PGP lets you know that the keys are successfully uploaded to the server.
Once you place a copy of your public key on a certificate server, you can tell people who want to send you encrypted data or to verify your digital signature to get a copy of your key from the server. Even if you don’t explicitly point them to your public key, they can get a copy by searching the certificate server for your name or email address. Many people include the Web address for their public key at the end of their email messages; in most cases the recipient can just double-click the address to access a copy of your key on the server. Some people even put their PGP fingerprint on their business cards for easier verification.
Updating your key on a certificate server
If you ever need to change your email address, or if you acquire new signatures, all you have to do to replace your old key is send a new copy to the server; the information is automatically updated. However, you should keep in mind that public certificate servers are only capable of updating new information and will not allow removal of user names or signatures from your key. To remove signatures or user names from your key, see “Removing signatures or user names associated with your key” for instructions. If your key is ever compromised, you can revoke it, which tells the world to no longer trust that version of your key. See Chapter 6, “Managing Keys and Setting PGP Options” for more details on how to revoke a key.
Removing signatures or user names associated with your key
At some point you may want to remove a key, a signature, or a user ID associated with a particular key.
Public certificate servers are only capable of updating new information and will not allow removal of user names or signatures from your key. To remove signatures or user names associated with your public key, you must first remove your key from the server, make the required change, then post your key back on the server.
If your PGP Server settings are configured to synchronize keys with the server upon adding names/photos/revokers to your key, your key is automatically updated on the server. If, however, your keys are not automatically synchronized with the server, follow the instructions outlined below to manually update your key on the certificate server.
NOTE: When you delete a key, signature, or user ID from a key, it is removed and not recoverable. Signatures and user IDs can be re-added to a key, and an imported public key can be re-imported to your keyring. However, a private key that exists only on that keyring cannot be recreated, and all messages encrypted to its public key copies can no longer be decrypted.
To remove signatures or user names associated with your key on a certificate server
IMPORTANT: This procedure is for removing signatures or user names associated with your key on LDAP certificate servers only. Additionally, the certificate server must be configured to allow this action.
1. Open PGPkeys.
2. Choose Search from the Server menu or click the Search button in PGPkeys. The PGPkeys Search window appears.
3. Choose the server you want to search from the Search for Keys On menu.
4. Specify your search criteria to locate your public key: The default is User ID, but you can click the arrows to select Key ID, Key Status, Key Type, Key Size, Creation Date, or Expiration Date. For example, you might search for all keys with the User ID of Fred.
5. To begin the search, click Search. The results of the search appear in the window.
6. Right-click on the key that you want to remove from the server, then select Delete from the right-click menu.
The Passphrase dialog box appears.
7. Enter the passphrase for the key you want to remove from the server and then click OK.
A confirmation dialog box appears and the key is removed.
8. Update your key (remove the unwanted signatures or user names).
9. Copy the updated key to the server (see “Making your public key available through a certificate server” on page 61 for instructions).
If the server on which you are updating your public key is configured to synchronize keys with other public certificate servers, your key will be updated on the other servers automatically upon synchronization.
IMPORTANT: If you delete your key from a certificate server, you should be aware that someone who has your public key on their keyring can upload it to the server again. You should check the server periodically to see if the key has reappeared - you may have to delete your key from the server more than once.

Including your public key in an email message

Another convenient method of delivering your public key to someone is to include it along with an email message.
To include your public key in an email message
1. Open PGPkeys.
2. Select your key pair and then click Copy on the Edit menu.
3. Open the editor you use to compose your email messages, place the cursor in the desired area, and then click Paste on the Edit menu. In newer email applications, you can simply drag your key from PGPkeys into the text of your email message to transfer the key information.
When you send someone your public key, be sure to sign the email. That way, the recipient can verify your signature and be sure that no one has tampered with the information along the way. Of course, if your key has not yet been signed by any trusted introducers, recipients of your signature can only truly be sure the signature is from you by verifying the fingerprint on your key.

Exporting your public key to a file

Another method of distributing your public key is to copy it to a file and then make this file available to the person with whom you want to communicate.
To export your public key to a file
There are three ways to export or save your public key to a file:
• Select the icon representing your key pair from PGPkeys, then click Export on the Keys menu and enter the name of the file where you want the key to be saved,
• Drag the icon representing your key pair from PGPkeys to the folder where you want the key to be saved, or
• Select the icon representing your key pair in PGPkeys, click Copy on the Edit menu, then choose Paste to insert the key information into a text document.
NOTE: If you are sending your key to colleagues who are using PCs, enter a name of up to eight initial characters and three additional characters for the file type extension (for example, MyKey.txt).

Obtaining the public keys of others

Just as you need to distribute your public key to those who want to send you encrypted mail or to verify your digital signature, you need to obtain the public keys of others so you can send them encrypted mail or verify their digital signatures.
To obtain someone’s public key
There are three ways you can obtain someone’s public key:
• Get the key from a public certificate server,
• Add the public key to your keyring directly from an email message, or
• Import the public key from an exported file.
Public keys are just blocks of text, so they are easy to add to your keyring by importing them from a file or by copying them from an email message and then pasting them into your public keyring.

Getting public keys from a certificate server

If the person to whom you want to send encrypted mail is an experienced PGP user, chances are that they have placed a copy of their public key on a certificate server. This makes it very convenient for you to get a copy of their most up-to-date key whenever you want to send them mail and also relieves you from having to store a lot of keys on your public keyring.
There are a number of public certificate servers, such as the one maintained by Network Associates, Inc., where you can locate the keys of most PGP users. If the recipient has not pointed you to the Web address where his or her public key is stored, you can access any certificate server and do a search for the user’s name or email address, because all certificate servers are regularly updated to include the keys stored on all the other servers.
To get someone’s public key from a certificate server
1. Open PGPkeys.
2. Choose Search from the Server menu or click the Search button in PGPkeys. The PGPkeys Search window appears as in Figure 3-16.
Figure 3-16. PGPkeys Search window (More Choices view)
3. Choose the server you wish to search from the Search for Keys On menu.
4. Specify your search criteria. You can search for keys on a certificate server by specifying values for these key characteristics:
• User ID
• Key ID
• Key Status (Revoked or Disabled)
• Key Type (Diffie-Hellman or RSA)
• Creation date
• Expiration date
• Revoked keys
• Disabled keys
• Key size
• Keys signed by a particular key
The inverse of most of these operations is also available. For example, you may search using “User ID is not Bob” as your criteria.
5. Enter the value you want to search for.
6. Click More Choices to add additional criteria to your search; for example, Key IDs with the name Fred created on or before October 6, 1998.
7. To begin the search, click Search. A progress bar appears displaying the status of the search.
NOTE: To cancel a search in progress, click Stop Search.
The results of the search appear in the window.
8. To import the keys, drag them to the PGPkeys main window.
9. Click Clear Search to clear your search criteria.

Adding public keys from email messages

A convenient way to get a copy of someone’s public key is to have that person include it in an email message. When a public key is sent through email, it appears as a block of text in the body of the message.
To add a public key from an email message
If you have an email application that is supported by the PGP plug-ins, click the appropriate button in your email application’s toolbar to extract the sender’s public key from the email and add it to your public keyring.
If you are using an email application that is not supported by the plug-ins, you can add the public key to the keyring by copying the block of text that represents the public key and pasting it into PGPkeys.

Importing keys

You can also import a key from your browser by copying it and pasting it into your public keyring.
Another method for obtaining someone’s public key is to have that person save it to a file from which you can import it, or copy and paste it into your public keyring.
To import a public key from a file
There are three methods of extracting someone’s public key and adding it to your public keyring:
• Click Import on the Keys menu and then navigate to the file where the public key is stored,
• Drag the file containing the public key onto the main PGPkeys window, or
• Open the text document where the public key is stored, select the block of text representing the key, and then click Copy on the Edit menu. Go to PGPkeys and choose Paste from the Edit menu to copy the key. The key then shows up as an icon in PGPkeys.

Verifying the authenticity of a key

When you exchange keys with someone, it is sometimes hard to tell if the key really belongs to that person. PGP software provides a number of safeguards that allow you to check a key’s authenticity and to certify that the key belongs to a particular owner (that is, to validate it). The PGP program also warns you if you attempt to use a key that is not valid and also defaults to warn you when you are about to use a marginally valid key.
Why verify the authenticity of a key?
One of the major vulnerabilities of public key encryption systems is the ability of sophisticated eavesdroppers to mount a “man-in-the-middle” attack by replacing someone’s public key with one of their own. In this way they can intercept any encrypted email intended for that person, decrypt it using their own key, then encrypt it again with the person’s real key and send it on to them as if nothing had ever happened. In fact, this could all be done automatically through a sophisticated computer program that stands in the middle and deciphers all of your correspondence.
Based on this scenario, you and those with whom you exchange email need a way to determine whether you do indeed have legitimate copies of each other’s keys. The best way to be completely sure that a public key actually belongs to a particular person is to have the owner copy it to a floppy disk and then physically hand it to you. However, you are seldom close enough to personally hand a disk to someone; you generally exchange public keys via email or get them from a public certificate server.
Verify with a digital fingerprint
You can determine if a key really belongs to a particular person by checking its digital fingerprint, a unique series of numbers or words generated when the key is created. By comparing the fingerprint on your copy of someone’s public key to the fingerprint on their original key, you can be absolutely sure that you do in fact have a valid copy of their key. To learn how to verify with a digital fingerprint, see “Verifying someone’s public key” on page 108.
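As an added illustration that is not part of the manual, the following Python code shows where a fingerprint comes from: it is a hash of the public key material itself, so a key an eavesdropper substitutes (even one differing by a single bit) produces a different fingerprint, which is why comparing fingerprints over an independent channel defeats the attack described above. The key material, creation time and all function names are constructed for this example; the hash constructions follow the OpenPGP definitions for version 4 (SHA-1) and legacy version 3 RSA (MD5) keys.

```python
import hashlib
import hmac

# Constructed sample key material (not a real key): a short RSA modulus and exponent, and a
# modulus differing in one bit, standing in for a key an eavesdropper substituted for the real one.
GENUINE_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
SUBSTITUTED_N = GENUINE_N ^ (1 << 77)
E = 65537
CREATED = 0x36B00000  # key creation time, seconds since 1970 (constructed value)


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: two-byte bit count, then the value in big-endian bytes."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, algorithm: int, *key_material: int) -> bytes:
    """Body of a version 4 Public-Key packet: version, creation time, algorithm ID, then the MPIs.
    Algorithm IDs: 1 = RSA, 16 = Elgamal (the Diffie-Hellman half of a DH/DSS key), 17 = DSA."""
    body = b"\x04" + created.to_bytes(4, "big") + bytes([algorithm])
    return body + b"".join(mpi(m) for m in key_material)


def v4_fingerprint(body: bytes) -> str:
    """Version 4 fingerprint: SHA-1 over 0x99, the two-byte body length and the body (40 hex digits)."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def v4_key_id(body: bytes) -> str:
    """Version 4 key ID: the low 64 bits, i.e. the last 16 hex digits, of the fingerprint."""
    return v4_fingerprint(body)[-16:]


def v3_rsa_fingerprint(n: int, e: int) -> str:
    """Legacy (version 3, RSA-only) fingerprint: MD5 over the bytes of n then e, without MPI length prefixes."""
    return hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).hexdigest().upper()


def v3_rsa_key_id(n: int) -> str:
    """Legacy (version 3) key ID: simply the low 64 bits of the modulus."""
    return format(n & 0xFFFFFFFFFFFFFFFF, "016X")


def group_hex(fp: str, size: int = 4) -> str:
    """Render a fingerprint the way PGPkeys displays it, in groups of four hex digits."""
    return " ".join(fp[i:i + size] for i in range(0, len(fp), size))


def fingerprints_match(expected: str, actual: str) -> bool:
    """Compare a fingerprint read over the phone or off a business card with the one PGPkeys shows.
    Spacing and case are ignored; the comparison itself runs in constant time."""
    normalize = lambda s: "".join(s.split()).upper()
    return hmac.compare_digest(normalize(expected).encode(), normalize(actual).encode())


def verify_received_key(trusted_fingerprint: str, received_body: bytes) -> bool:
    """The check the manual describes: hash the key you were sent and compare the result
    with the fingerprint the owner gave you through an independent channel."""
    return fingerprints_match(trusted_fingerprint, v4_fingerprint(received_body))


if __name__ == "__main__":
    genuine = v4_public_key_body(CREATED, 1, GENUINE_N, E)
    substituted = v4_public_key_body(CREATED, 1, SUBSTITUTED_N, E)
    owner_says = group_hex(v4_fingerprint(genuine))  # what the owner reads out to you
    print("owner's fingerprint :", owner_says)
    print("key from email      :", group_hex(v4_fingerprint(substituted)))
    print("genuine key accepted:", verify_received_key(owner_says, genuine))
    print("substituted rejected:", not verify_received_key(owner_says, substituted))
```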

Validating the public key

Once you are absolutely convinced that you have a legitimate copy of someone’s public key, you can then sign that person’s key. By signing someone’s public key with your private key, you are certifying that you are sure the key belongs to the alleged user. For instance, when you create a new key, it is automatically certified with your own digital signature. By default, signatures you make on other keys are not exportable, which means they apply only to the key when it is on your local keyring. For detailed instructions on signing a key, see “Signing someone’s public key” on page 110.

Working with trusted introducers

PGP users often have other trusted users sign their public keys to further attest to their authenticity. For instance, you might send a trusted colleague a copy of your public key with a request that he or she certify and return it so you can include the signature when you post your key on a public certificate server. Using PGP, when someone gets a copy of your public key, they don’t have to check the key’s authenticity themselves, but can instead rely on how well they trust the person(s) who signed your key. PGP provides the means for establishing this level of validity for each of the public keys you add to your public keyring and shows the level of trust and validity associated with each key in PGPkeys. This means that when you get a key from someone whose key is signed by a trusted introducer, you can be fairly sure that the key belongs to the purported user. For details on how to sign keys and validate users, see “Signing someone’s public key” on page 110.
What is a trusted introducer?
PGP uses the concept of a trusted introducer, someone who you trust to provide you with keys that are valid. This concept may be familiar to you from Victorian novels, in which people gave letters of introduction to one another. For example, if your uncle knew someone in a faraway city with whom you might want to do business, he might write a letter of introduction to his acquaintance. With PGP, users can sign one another’s keys to validate them. You sign someone’s key to indicate that you are sure that their key is valid, which means that it truly is their key. There are several ways to do this. When a trusted introducer signs another person’s key, you trust that the keys they sign are valid, and you do not feel that you must verify their keys before using them.
What is a meta-introducer?
PGP also supports the concept of a meta-introducer, a trusted introducer of trusted introducers. If you work in a very large company, you might have a regional security officer, a trusted introducer, who would sign users’ keys. You could trust that these keys were valid because the regional security officer had performed the actions to ensure validity. The organization may also have a head security officer who works with the local security officers, so that a person in a West Coast office could trust a person in an East Coast office, because both their keys had been signed by their respective regional security officers, who in turn had their keys signed by the head security officer, who is a meta-introducer. This allows the establishment of a trust hierarchy in the organization.
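As an added example (not from the manual), this Python model computes key validity from introducer trust the way the two sections above describe: your own signatures and those of completely trusted introducers make a key valid, a meta-introducer’s signature makes the signee an introducer one level down, and two marginally trusted introducers stand in for one complete one. The keyring, key IDs, names and the threshold defaults are constructed for the example, and the Keyring, Key and compute_validity names are this example’s own, not PGP’s.

```python
from dataclasses import dataclass, field

# Introducer trust you assign to a key (how far you trust its owner to certify other keys).
COMPLETE, MARGINAL = "complete", "marginal"
# Validity computed for a key (how sure you can be that it belongs to its named owner).
VALID, MARGINALLY_VALID, INVALID = "valid", "marginally valid", "invalid"


@dataclass
class Key:
    key_id: str
    user_id: str
    signed_by: list = field(default_factory=list)  # key IDs whose certifications are on this key


@dataclass
class Keyring:
    keys: dict          # key_id -> Key
    owner: str          # your own key ID; you trust yourself completely
    introducers: dict   # key_id -> (trust level, depth); depth 0 = trusted introducer, 1 = meta-introducer
    completes_needed: int = 1   # thresholds constructed for this example: one complete
    marginals_needed: int = 2   # or two marginal introducers make a key valid

    def compute_validity(self) -> dict:
        """Propagate trust through signatures until nothing changes; return key_id -> validity."""
        trust = dict(self.introducers)
        trust[self.owner] = (COMPLETE, 0)
        validity = {k: INVALID for k in self.keys}
        validity[self.owner] = VALID
        changed = True
        while changed:
            changed = False
            for key in self.keys.values():
                if key.key_id == self.owner:
                    continue
                complete = marginal = 0
                granted = None
                for signer in key.signed_by:
                    # A certification counts only if the signer is an introducer whose own key is fully valid.
                    if signer not in trust or validity.get(signer) != VALID:
                        continue
                    level, depth = trust[signer]
                    if level == COMPLETE:
                        complete += 1
                        if depth > 0:
                            # Signed by a meta-introducer: the signee becomes an introducer one level down.
                            granted = (COMPLETE, depth - 1)
                    elif level == MARGINAL:
                        marginal += 1
                if complete >= self.completes_needed or marginal >= self.marginals_needed:
                    new = VALID
                elif complete + marginal > 0:
                    new = MARGINALLY_VALID
                else:
                    new = INVALID
                if validity[key.key_id] != new:
                    validity[key.key_id] = new
                    changed = True
                if new == VALID and granted and key.key_id not in trust:
                    trust[key.key_id] = granted
                    changed = True
        return validity


def example_keyring() -> Keyring:
    """Constructed keyring mirroring the manual's scenario: a head security officer as meta-introducer."""
    def key(kid, uid, *signers):
        return Key(kid, uid, list(signers))
    keys = [
        key("ME", "you"),
        key("HEAD", "head security officer", "ME"),        # you checked this fingerprint and signed it yourself
        key("WEST", "West Coast security officer", "HEAD"),
        key("EAST", "East Coast security officer", "HEAD"),
        key("ALICE", "alice (West Coast office)", "WEST"),
        key("BOB", "bob (East Coast office)", "EAST"),
        key("CAROL", "carol", "ALICE"),                     # Alice's key is valid, but she is not an introducer
        key("DAVE", "dave", "MALLORY"),                     # signed only by a key you know nothing about
        key("PAT", "pat", "ME"),
        key("QUINN", "quinn", "ME"),
        key("ERIN", "erin", "PAT", "QUINN"),                # two marginal introducers meet the threshold
        key("FRANK", "frank", "PAT"),                       # one marginal introducer: marginally valid only
    ]
    return Keyring(
        keys={k.key_id: k for k in keys},
        owner="ME",
        introducers={"HEAD": (COMPLETE, 1), "PAT": (MARGINAL, 0), "QUINN": (MARGINAL, 0)},
    )


if __name__ == "__main__":
    for kid, v in example_keyring().compute_validity().items():
        print(f"{kid:6} {v}")
```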
4 Sending and Receiving Secure Email
This chapter explains how to encrypt and sign the email you send to others and decrypt and verify the email others send to you.

Encrypting and signing email

There are three ways to encrypt and sign email messages. The quickest and easiest way to encrypt and sign email is with an application supported by the PGP email plug-ins. Although the procedure varies slightly between different email applications, you perform the encryption and signing process by clicking the appropriate buttons in the application’s toolbar. If you are using an email application that is not supported by the PGP plug-ins, you can encrypt and sign your email messages via the Windows clipboard by selecting the appropriate option from the lock icon in the System tray. To include file attachments, you encrypt the files from Windows Explorer before attaching them.
TIP: If you are sending sensitive email, consider leaving your subject line blank or creating a subject line that does not reveal the contents of your encrypted message.
If you do not have one of the email applications that is supported by PGP, see Chapter 5 for information about how to encrypt files.
As an alternative to using the plug-ins, you can use PGPtools to encrypt and sign your email text and attachments before sending them; see “To encrypt and sign text using PGPtools” on page 75.

Encrypting and signing with supported email applications

When you encrypt and sign with an email application that is supported by the PGP plug-ins, you have two choices, depending on what type of email application the recipient is using. If you are communicating with other PGP users who have an email application that supports the PGP/MIME standard, you can take advantage of a PGP/MIME feature to encrypt and sign your email messages and any file attachments automatically when you send them. If you are communicating with someone who does not have a PGP/MIME-compliant email application, you should encrypt your email with PGP/MIME turned off to avoid any compatibility problems. Refer to Table 4-1, “PGP Plug-in Features,” for a list of plug-ins and their features.
Table 4-1. PGP Plug-in Features
Features compared: PGP/MIME, Auto-decrypt, Encrypt HTML, View decrypted HTML as an HTML document, Encrypt attachments, Encrypt/Sign defaults.
Email applications compared: Eudora 3.0.x, Eudora 4.0.x, Exchange/Outlook, Lotus Notes, Outlook Express. (One plug-in converts HTML to plain text before encrypting.)
To encrypt and sign with supported email applications
1. Use your email application to compose your email message as you normally would.
2. When you have finished composing the text of your email message, click the encrypt button to encrypt the text of your message, then click the sign button to sign the message.
NOTE: If you know that you are going to use PGP/MIME regularly, you can leave this turned on by selecting the appropriate settings in the Email panel of the Options dialog box.
3. Send your message as you normally do. If you have a copy of the public keys for every one of the recipients, the appropriate keys are used. However, if you specify a recipient for whom there is no corresponding public key or one or more of the keys have insufficient validity, the PGP Key Selection dialog box appears (Figure 4-1) so that you can specify the correct key.
Figure 4-1. PGP Recipient Selection window (showing the Encryption options)
4. Drag the public keys for those who are to receive a copy of the encrypted email message into the Recipients list box. You can also double-click any of the keys to move them from one area of the screen to the other.
The Validity icon indicates the minimum level of confidence that the public keys in the Recipient list are valid. This validity is based on the signatures associated with the key. See Chapter 6, “Managing Keys and Setting PGP Options,” for details.
5. You can choose from the following encryption options depending on the type of data you are encrypting:
Secure Viewer. Select this option to protect the data from TEMPEST attacks upon decryption. If you select this option, the decrypted data is displayed in a special TEMPEST attack prevention font that is unreadable to radiation capturing equipment. For more information about TEMPEST attacks, see “Vulnerabilities” on page 206.
NOTE: The Secure Viewer option may not be compatible with previous versions of PGP. Files encrypted with this option enabled can be decrypted by previous versions of PGP, however this feature may be ignored.
Conventional Encrypt. Select this option to use a common passphrase instead of public key encryption. If you select this option, the file is encrypted using a session key, which encrypts (and decrypts) using a passphrase that you will be asked to choose.
Self Decrypting Archive. Select this option to create a self decrypting executable file. If you select this option, the file is encrypted using a session key, which encrypts (and decrypts) using a passphrase that you are asked to choose. The resulting executable file can be decrypted by simply double-clicking on it and entering the appropriate passphrase. This option is especially convenient for users who are sending encrypted files to people who do not have PGP software installed. Note that sender and recipient must be on the same platform.
6. Click OK to encrypt and sign your mail. If you have elected to sign the encrypted data, the Signing Key Passphrase dialog box appears, as shown in Figure 4-2, requesting your passphrase before the mail is sent.
Figure 4-2. Signing Key Passphrase dialog box
7. Enter your passphrase and then click OK.
WARNING: If you do not send your email immediately but instead store it in your outbox, you should be aware that when using some email applications the information is not encrypted until the email is actually transmitted. Before queuing encrypted messages you should check to see if your application does in fact encrypt the messages in your outbox. If it does not, you can use PGPmenu’s Encrypt Now option to encrypt your messages before queuing them in the outbox.
To encrypt and sign text using PGPtools
1. Copy the text that you want to encrypt and sign to the clipboard.
2. Click on the Encrypt, Sign, or Encrypt and Sign button in PGPtools.
Figure 4-3. PGPtools window (buttons: PGPkeys, encrypt, sign, encrypt and sign, decrypt/verify, wipe, freespace wipe)
The PGP Key Select File(s) dialog box appears.
3. Click the Clipboard button. The PGP Key Recipients dialog box appears (Figure 4-1).
4. Drag the public keys for those who are to receive a copy of the encrypted email message into the Recipients list box. You can also double-click any of the keys to move them from one area of the screen to the other.
The Validity icon indicates the minimum level of confidence that the public keys in the Recipient list are valid. This validity is based on the signatures associated with the key. See Chapter 6, “Managing Keys and Setting PGP Options,” for details.
5. You can choose from the following encryption options depending on the type of data you are encrypting:
Secure Viewer. Select this option to protect the data from TEMPEST attacks upon decryption. If you select this option, the decrypted data is displayed in a special TEMPEST attack prevention font that is unreadable to radiation capturing equipment. For more information about TEMPEST attacks, see “Vulnerabilities” on page 206.
NOTE: The Secure Viewer option may not be compatible with previous versions of PGP. Files encrypted with this option enabled can be decrypted by previous versions of PGP, however this feature may be ignored.
Conventional Encrypt. Select this option to use a common passphrase instead of public key encryption. If you select this option, the file is encrypted using a session key, which encrypts (and decrypts) using a passphrase that you will be asked to choose.
Self Decrypting Archive. Select this option to create a self decrypting executable file. If you select this option, the file is encrypted using a session key, which encrypts (and decrypts) using a passphrase that you are asked to choose. The resulting executable file can be decrypted by simply double-clicking on it and entering the appropriate passphrase. This option is especially convenient for users who are sending encrypted files to people who do not have PGP software installed. Note that sender and recipient must be on the same platform.
6. Click OK to encrypt and sign your mail. If you have elected to sign the encrypted data, the Signing Key Passphrase dialog box appears, as shown in Figure 4-2, requesting your passphrase before the mail is sent.
7. Enter your passphrase and then click OK.
8. Paste the text into your email message, then send the message.

Encrypting email to groups of recipients

You can use PGP to create group distribution lists. For example, if you want to send encrypted mail to 10 people at usergroup@secure.com, you could create a distribution list with that name. The Groups menu in PGPkeys contains the Show Groups option that toggles the display of the Groups window in PGPkeys. The Groups List window is displayed as in Figure 4-4.
NOTE: If you intend to encrypt information to all members of an existing email distribution list, you must create a PGP group by the same name as, and including the same members as, the email distribution list. For example, if there is a usergroup@secure.com list set up in your email application, you must create a usergroup@secure.com group in PGP.
Figure 4-4. PGPkeys with Groups window
Working with distribution lists
Use the Groups feature to create distribution lists and to edit the list of people to whom you want to send encrypted email.
To create a group (distribution list)
1. Choose New Group from the Groups menu.
2. Enter a name for the group distribution list. Optionally, enter a group description.
3. Click OK to create the distribution list. The group distribution list is added to your keyring and can be viewed in the Groups window.
To add members to a distribution list
1. In the PGPkeys window, select the users or lists you want to add to your distribution list.
2. Drag the users from the PGPkeys window to the desired distribution list in the Groups window.
NOTE: Members in a distribution list can be added to other distribution lists.
To delete members from a distribution list
1. Within the distribution list, select the member to be deleted.
2. Press the DELETE key.
PGP asks you to confirm your choice.
To delete a distribution list
1. Select the distribution list to be deleted from the Groups window.
2. Press the DELETE key.
To add a distribution list to another distribution list
1. Select the distribution list that you want to add to another list.
2. Drag the selected list into the list to which it will be added.
Sending encrypted and signed email to distribution lists
You can send encrypted email to groups of recipients once your PGP distribution lists are created. See “Working with distribution lists” on page 78 for more information about creating and editing distribution lists.
To send encrypted and signed email to a distribution list
1. Address the mail to your mail distribution list. The name of your encryption distribution list must correspond to the name of the email distribution list.
2. Use your email application to compose your email message just as you normally would.
3. When you have finished composing the text of your email message, click the encrypt button to encrypt the text of your message, then click the sign button to sign the message. The PGP Key Recipients dialog box appears (Figure 4-1). You can select the recipient’s public keys for the text you are encrypting or signing. The options available are described in “To encrypt and sign with supported email applications” on page 72.
4. Send the message.

Decrypting and verifying email

The quickest and easiest way to decrypt and verify the email sent to you is with an application supported by the PGP plug-ins. Although the procedure varies slightly between different email applications, when you are using an email application supported by the plug-ins, you can perform the decryption and verification operations by clicking the envelope icon in the message or your application’s toolbar. In some cases you may need to select Decrypt/Verify from the menu in your email application. In addition, if you are using an application that supports the PGP/MIME standard, you can decrypt and verify your email messages as well as any file attachments by clicking an icon attached to your message.
If you are using an email application that is not supported by the PGP plug-ins, you will decrypt and verify your email messages via PGPtray. In addition, if your email includes encrypted file attachments, you must decrypt them separately via PGPtools or PGPtray.
To decrypt and verify from supported email applications
1. Open your email message just as you normally do. You will see a block of unintelligible ciphertext in the body of your email message.
2. Copy the ciphertext to the Clipboard.
3. To decrypt and verify the message, click the locked envelope icon. To decrypt and verify attached files, decrypt them separately using PGPtools or PGPtray. The PGP Enter Passphrase dialog box appears, as shown in Figure 4-5, asking you to enter your passphrase.
Figure 4-5. Signing Key Passphrase dialog box
4. Enter your passphrase, then click OK. The message is decrypted. If it has been signed and you have the sender’s public key, a message appears indicating whether the signature is valid. If the message is encrypted with the Secure Viewer option enabled, an advisory message appears. Click OK to continue. The decrypted message appears on a secure PGP screen in a special TEMPEST attack prevention font.
5. You can save the message in its decrypted state, or you can save the original encrypted version so that it remains secure.
Sending and Receiving Secure Email
NOTE: Messages encrypted with the Secure Viewer option enab led
cannot be saved in their decrypted state.
To decrypt and verify from non-supported email applications
1. Open your email message just as you normally do. You will see a block of unintelligible ciphertext in the body of your email message.
2. In PGPtray, select Decrypt/Verify. If the email message includes encrypted file attachments, decrypt them separately with PGPtools or PGPtray. The PGP Enter Passphrase dialog box appears, as shown in Figure 4-5, asking you to enter your passphrase.
3. Enter your passphrase, then click OK. The message is decrypted. If it has been signed, a message appears indicating whether the signature is valid. If the message is encrypted with Secure Viewer enabled, an advisory message appears. Click OK to continue. The decrypted message appears on a secure PGP screen in a special TEMPEST attack prevention font.
4. You can save the message in its decrypted state, or you can save the original encrypted version so that it remains secure.
NOTE: Messages encrypted with the Secure Viewer option enabled cannot be saved in their decrypted state.
5 Using PGP for Secure File Storage
This chapter describes how to use PGP to securely maintain files. It describes how to use PGP to encrypt, decrypt, sign and verify files either for email or for secure storage on your computer. It also describes the PGP Wipe and Free Space Wiper functions, which delete files by erasing their contents completely from your computer.

Using PGP to encrypt and decrypt files

You can use PGP to encrypt and sign files to use as email attachments. You can also use the techniques described in this chapter to encrypt and sign files so that you can store them securely on your computer.
Using the PGP right-click menu to encrypt and sign
Use the PGP right-click menu to send an encrypted file as an attachment with your email message, or to encrypt a file to protect it on your computer.
To encrypt and sign using the right-click menu
1. In Windows Explorer, right-click on the file or files that you want to encrypt.
2. Choose one of the following options from the PGP right-click menu:
Encrypt. Select this option to only encrypt the file or files you selected.
Sign. Select this option to only sign the file or files you selected.
Encrypt and Sign. Select this option to both encrypt and sign the file or files you selected.
The PGP Key Selection dialog box appears, as shown in Figure 5-1.
In the PGP Recipients dialog box you select the recipient’s public keys for the file you are encrypting or signing, and set the encryption options.
Figure 5-1. PGP Recipients dialog box
3. Select the public keys by dragging them to the Recipients list. You can choose from the following encryption options depending on the type of data you are encrypting:
Text Output. When sending files as attachments with some email applications, you may need to select the Text Output checkbox to save the file as ASCII text. This is sometimes necessary in order to send a binary file using older email applications. Selecting this option increases the size of the encrypted file by about 30 percent.
Wipe Original. Select this checkbox to overwrite the original document that you are encrypting, so that your sensitive information is not readable by anyone who can access your hard disk.
Secure Viewer. Select this checkbox to protect text from TEMPEST attacks upon decryption. If you select this option, the data is displayed in a special TEMPEST attack prevention font that is unreadable to radiation capturing equipment upon decrypting. For more information about TEMPEST attacks, see “Vulnerabilities” on page 206.
NOTE: This option is only available when encrypting text or text files.
Conventional Encrypt. Select this checkbox to rely on a common passphrase rather than on public key cryptography. The file is encrypted using a session key, which encrypts (and decrypts) using a passphrase that you are asked to choose.
Self Decrypting Archive. Select this checkbox to create a self decrypting executable file. If you select this option, the file is encrypted using a session key, which encrypts (and decrypts) using a passphrase that you are asked to choose. The resulting executable file can be decrypted by simply double-clicking on it and entering the appropriate passphrase. This option is especially convenient for users who are sending encrypted files to people who do not have PGP software installed. Note that sender and recipient must be on the same platform.
If you are signing the files, you are asked to supply your passphrase. After encryption, if you look in the folder where the original file was located, you will find a file with the specified name represented by one of four icons:
• encrypted with standard output
• encrypted with text output
• self decrypting archive output
• self extracting archive output
If you are encrypting or signing a folder, the output may be in a new folder, depending on the options you selected.
Using PGPtools to encrypt and sign
To encrypt and sign using PGPtools
1. Open PGPtools.
2. In Windows Explorer, select the file or files that you want to encrypt. You can select multiple files, but you must encrypt and sign each of them individually.
3. Drag the file(s) onto the Encrypt, Sign, or Encrypt and Sign button in PGPtools. The PGP Recipients dialog box appears, as shown in Figure 5-1.
4. Select the public keys by dragging them to the Recipients list.
5. You can choose from the following encryption options depending on the type of data you are encrypting:
Text Output. When sending files as attachments with some email applications, you may need to select the Text Output checkbox to save the file as ASCII text. This is sometimes necessary in order to send a binary file using older email applications. Selecting this option increases the size of the encrypted file by about 30 percent.
Wipe Original. Select this checkbox to overwrite the original document that you are encrypting, so that your sensitive information is not readable by anyone who can access your hard disk.
Secure Viewer. Select this checkbox to protect text from TEMPEST attacks upon decryption. If you select this option, the data is displayed in a special TEMPEST attack prevention font that is unreadable to radiation capturing equipment upon decrypting. For more information about TEMPEST attacks, see “Vulnerabilities” on page 206.
NOTE: This option is only available when encrypting text or text files.
Conventional Encrypt. Select this checkbox to rely on a common passphrase rather than on public key cryptography. The file is encrypted using a session key, which encrypts (and decrypts) using a passphrase that you will be asked to choose.
Self Decrypting Archive. Select this checkbox to create a self decrypting executable file. If you select this option, the file is encrypted using a session key, which encrypts (and decrypts) using a passphrase that you are asked to choose. The resulting executable file can be decrypted by simply double-clicking on it and entering the appropriate passphrase. This option is especially convenient for users who are sending encrypted files to people who do not have PGP software installed. Note that sender and recipient must be on the same platform.
6. Click OK.
If you are signing the files, you are asked to supply your passphrase.
After encryption, if you look in the folder where the original file was located, you will find a file with the specified name represented by one of four icons:
• encrypted with standard output
• encrypted with text output
• self decrypting archive output
• self extracting archive output
If you are encrypting or signing a folder, the output may be in a new folder, depending on the options you selected.
Using PGPtray to decrypt and verify
If the email you receive has file attachments, and you are not using a PGP/MIME-compliant email application, you must decrypt them from the Windows clipboard.
To decrypt and verify files using PGPtray
1. In Windows Explorer, select the file or files that you want to decrypt and verify.
2. Choose Decrypt/Verify from PGPtray. The passphrase dialog box appears, as shown in Figure 5-2.
Figure 5-2. Passphrase dialog box
3. Enter your passphrase and then click OK. The file is decrypted. If it has been signed, a message appears indicating whether the signature is valid.
If the text file is encrypted with Secure Viewer enabled, an advisory message appears. Click OK to continue. The decrypted text appears on a secure PGP screen in a special TEMPEST attack prevention font.
4. You can save the message in its decrypted state, or you can save the original encrypted version so that it remains secure.
NOTE: Messages encrypted with the Secure Viewer option enabled cannot be saved in their decrypted state. They are only viewable on the secure PGP screen after decryption.
Using PGPtools to decrypt and verify
To decrypt and verify using PGPtools
1. In Windows Explorer, select the file or files that you want to decrypt.
2. Drag the file onto the Decrypt/Verify button in PGPtools. The PGP Enter Passphrase dialog box appears, as shown in Figure 5-2, asking you to enter your passphrase.
3. Enter your passphrase and then click OK. If the file is signed, a message appears indicating whether the signature is valid. If the text file is encrypted with Secure Viewer enabled, an advisory message appears. Click OK to continue. The decrypted text appears on a secure PGP screen in a special TEMPEST attack prevention font.
4. You can save the message in its decrypted state, or you can save the original encrypted version so that it remains secure.
NOTE: Messages encrypted with the Secure Viewer option enabled cannot be saved in their decrypted state. They are only viewable on the secure PGP screen after decryption.

Signing and decrypting files with a split key

Once a key is split among multiple shareholders, attempting to sign or decrypt with it will cause PGP to automatically attempt to rejoin the key. There are two ways to rejoin the key, locally and remotely.
To rejoin key shares locally requires the shareholders’ presence at the rejoining computer. Each shareholder is required to enter the passphrase for their key share.
To rejoin key shares remotely requires the remote shareholders to authenticate and decrypt their keys before sending them over the network. PGP’s Transport Layer Security (TLS) provides a secure link to transmit key shares, which allows multiple individuals in distant locations to securely sign or decrypt with their key share.
IMPORTANT: Before receiving key shares over the network, you should verify each shareholder’s fingerprint and sign their public key to ensure that their authenticating key is legitimate. To learn how to verify a keypair, see “Verify with a digital fingerprint” on page 69.
To rejoin a split key
1. Contact each shareholder of the split key. To rejoin key shares locally, the shareholders of the key must be present. To collect key shares over the network, ensure that the remote shareholders are prepared to send their key share file. Remote shareholders must have:
– their key share file and password
– a public key (for authentication to the computer that is collecting the key shares)
– a network connection
– the IP address or Domain Name of the computer that is collecting the key shares
2. At the rejoining computer, use Windows Explorer to select the file(s) that you want to sign or decrypt with the split key.
3. Right-click on the file(s) and select Sign or Decrypt from the PGP menu. The PGP Enter Passphrase for Selected Key dialog box appears with the split key selected.
4. Click OK to reconstitute the selected key. The Key Share Collection dialog box appears, as shown in Figure 5-3.
Figure 5-3. Key Share Collection dialog box
5. Do one of the following:
If you are collecting the key shares locally, click Select Share File and then locate the share files associated with the split key. The share files can be collected from the hard drive, a floppy disk, or a mounted drive. Continue with Step 6.
If you are collecting key shares over the network, click Start Network. The Passphrase dialog box opens. In the Signing Key box, select the keypair that you want to use for authentication to the remote system and enter the passphrase. Click OK to prepare the computer to receive the key shares.
The status of the transaction is displayed in the Network Shares box. When the status changes to “Listening,” the PGP application is ready to receive the key shares.
At this time, the shareholders must send their key shares. To learn how to send key shares to the rejoining computer, see “To send your key share over the network” on page 91.
When a key is received, the Remote Authentication dialog box appears, as shown in Figure 5-4.
Figure 5-4. Remote Authentication dialog box
If you have not signed the key that is being used to authenticate the remote system, the key will be considered invalid. Although you can rejoin the split key with an invalid authenticating key, it is not recommended. You should verify each shareholder’s fingerprint and sign their public key to ensure that the authenticating key is legitimate.
Click Confirm to accept the share file.
6. Continue collecting key shares until the value for Total Shares Collected matches the value for Total Shares Needed in the Key Shares Collection dialog box.
7. Click OK. The file is signed or decrypted with the split key.
To send your key share over the network
1. When you are contacted by the person who is rejoining the split key, make sure that you have these items:
– your key share file and password
– your keypair (for authentication to the computer that is collecting the key shares)
– a network connection
– the IP address or Domain Name of the rejoining computer collecting the key shares
2. Select Send Key Shares on the PGPkeys File menu. The Select Share File dialog box appears.
3. Locate your key share and then click Open. The PGP Enter Passphrase dialog box appears.
4. Enter your passphrase and then click OK. The Send Key Shares dialog box appears, as shown in Figure 5-5.
Figure 5-5. Send Key Shares dialog box
5. Enter the IP address or the Domain Name of the rejoining computer in the Remote Address text box, then click Send Shares.
The status of the transaction is displayed in the Network Status box. When the status changes to “Connected,” you are asked to authenticate yourself to the rejoining computer.
The Remote Authentication dialog box appears asking you to confirm that the remote computer is the one to whom you want to send your key share.
6. Click Confirm to complete the transaction. After the remote computer receives your key shares and confirms the transaction, a message box appears stating that the shares were successfully sent.
7. Click OK.
8. Click Done in the Key Shares window when you have completed sending your key share.

Using PGP Wipe to delete files

The Wipe option on PGPtools deletes files and their contents. The Wipe feature is a secure way of permanently removing a file and its contents from the hard drive of your computer. When you delete a file normally by placing it in the Trash, the name of the file is removed from the file directory, but the data in the file stays on the disk. Wipe removes all traces of a file’s data so that no one can use a software tool to recover the file.
To permanently delete a file using the PGP right-click menu
1. In Windows Explorer, select the file or files that you want to wipe.
2. Right-click on the file and then choose Wipe from the menu. A confirmation dialog box appears.
3. Click OK to permanently erase the file. To stop wiping the file before the task is completed, click Cancel.
NOTE: Clicking Cancel during file wipe can leave remnants of the file behind.
To permanently delete a file using PGPtools
1. In Windows Explorer, select the file or files that you want to wipe.
2. Drag the file onto the Wipe button ( ) in PGPtools. A confirmation dialog box appears.
3. Click OK to permanently erase the file. To stop wiping the file before the task is completed, click Cancel.
NOTE: Clicking Cancel during file wipe can leave remnants of the file behind.
Even on systems with virtual memory, PGP correctly writes over all the contents of the file. It is worth noting that some application programs save the file prior to encrypting it and may leave fragments of the file on your disk in locations which are no longer considered part of the file. For more information, see “Swap files or virtual memory” on page 209. You can use PGP Free Space Wiper to wipe all free space on your disk to solve this problem. See the next section for information about Free Space Wiper. Also, be aware that many programs automatically save files in progress, so there may be back-up copies of the file that you want to delete.
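To make concrete what a wipe does beyond an ordinary delete, here is an added example (not PGP’s code) of a multi-pass in-place overwrite followed by unlinking; the guide does not publish PGP’s overwrite patterns, so the three alternating patterns and the pass count are assumptions, and the sample file and its marker text are constructed for the demo.

```python
"""Multi-pass in-place file wipe, added to illustrate what the Wipe step does
(overwrite the file's blocks, then unlink it). This is not PGP's own code: the
guide does not publish PGP's overwrite patterns, so the three alternating
patterns below are an assumption made for this example."""
import os
import secrets
import tempfile

# Assumed pass patterns, cycled until the requested number of passes is done:
# all zeros, all ones, then cryptographically random bytes.
PATTERNS = (b"\x00", b"\xff", None)  # None = random bytes
CHUNK = 64 * 1024


def _write_pass(fd, size, pattern):
    """Overwrite the whole file once with `pattern` and force it to disk."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else pattern * n
        while buf:  # os.write may write less than requested
            written = os.write(fd, buf)
            buf = buf[written:]
        remaining -= n
    os.fsync(fd)  # each pass must reach the disk before the next one starts


def overwrite_in_place(path, passes=3):
    """Overwrite the contents of `path` `passes` times; returns the byte count.
    Opening without O_TRUNC keeps the same allocated blocks, so the old data is
    really overwritten rather than fresh blocks being written elsewhere."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for i in range(passes):
            _write_pass(fd, size, PATTERNS[i % len(PATTERNS)])
    finally:
        os.close(fd)
    return size


def wipe_file(path, passes=3):
    """Overwrite, then rename to a random name and unlink, so neither the data
    nor the original file name survives in the directory. Returns the size.
    Caveat (as the guide notes): editor backups, temp files and swap can still
    hold copies; journaling and SSD wear-levelling can also keep old blocks."""
    size = overwrite_in_place(path, passes)
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)
    return size


def demo_wipe(passes=3):
    """Constructed demo: create a temp file holding a marker, check that one
    in-place overwrite removes the marker, then wipe and confirm the file is gone.
    Returns (size, marker_gone_after_overwrite, still_exists)."""
    marker = b"CONFIDENTIAL "
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "draft.txt")
    with open(path, "wb") as f:
        f.write(marker * 100)
    size = overwrite_in_place(path, 1)
    with open(path, "rb") as f:
        marker_gone = marker not in f.read()
    wipe_file(path, passes)
    still_exists = os.path.exists(path)
    os.rmdir(tmpdir)
    return size, marker_gone, still_exists
```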

Using the PGP Free Space Wiper to clean free space on your disks

As you create and delete files on your computer, the data contained in those files remains on the drive. PGPtools can be used to securely wipe the data in a file before it is deleted to negate the possibility of the data ever being recovered.
Many programs create temporary files while you edit the contents of the documents. These files are deleted when you close the documents but the actual document data is left scattered about your drive. To help reduce the chance that your document’s data can later be recovered, Network Associates recommends that you securely wipe the free space on your drives as well as securely deleting sensitive documents.
To wipe free space on y our disks
WARNING: Before running the PGP Free Space Wiper, file sharing must be turned off and all applications on the volume or disk that you want to wipe must be closed.
1. Open PGPtools.
2. Click the Wipe Free Space button ( ) in PGPtools. The PGP Free Space Wiper Welcome screen appears.
3. Read the information carefully, then click Next to advance to the next dialog box.
The PGP Free Space Wiper prompts you to select the volume you want to wipe and the number of passes you want to perform.
4. In the Volume box, select the disk or volume that you want PGP to wipe. Then, select the number of passes that you want PGP to perform. The recommended guidelines are:
• 3 passes for personal use.
• 10 passes for commercial use.
• 18 passes for military use.
• 26 passes for maximum security.
NOTE: Commercial data recovery companies have been known to recover data that has been overwritten up to 9 times. PGP uses highly sophisticated patterns during each wipe to ensure that your sensitive data cannot be recovered.
5. Click Next to continue. The Perform Wipe dialog box opens, as shown in Figure 5-6, and displays statistical information about the drive or volume you selected.
Figure 5-6. Free Space Wiper (Perform Wipe dialog box)
6. Click the Begin Wipe button to start freespace wiping your disk or volume.
The PGP Free Space Wiper scans and then wipes leftover fragments from your disk or volume.
7. When the wipe session ends, click Finish.
WARNING: Clicking Cancel during file wipe can leave remains of the file on your computer.

Scheduling Free Space Wiper

You can use the Windows Task Scheduler to schedule periodic secure wiping of freespace on your disks.
IMPORTANT: To use this scheduling feature, you must have the Windows Task Scheduler installed on your system. If you do not have the Task Scheduler installed on your system, you can download it from the Microsoft website (http://www.microsoft.com).
To schedule freespace wiping
1. Follow steps 1 - 5 in “To wipe free space on your disks” on page 94. The Perform Wipe dialog box opens, as shown in Figure 5-6, and displays statistical information about the drive or volume you selected.
Figure 5-7. Free Space Wiper (Perform Wipe dialog box)
2. Click the Schedule button to start freespace wiping your disk or volume. The Schedule Free Space Wipe dialog box appears.
3. Click OK to continue. If you are running Windows NT, the Windows NT Confirm Password dialog box appears. Enter your Windows NT login password in the first text box. Press the Tab key to advance to the next text box and confirm your entry by entering your password again. Click OK. The Windows Task Schedule dialog box appears, as shown in Figure 5-8.
Figure 5-8. Windows Task Schedule dialog box
4. Choose how often you want the task to run from the Schedule Task area. Your choices are:
• Daily. This runs your task once at the time you specify on the days you indicate. Click OK to close the dialog box, then enter in the Start Time text box the time each day when the task will run.
• Weekly. This runs your task on a weekly basis at the date and time you specify. Specify how many weeks between disk wipes in the text box provided, then choose a day from the Schedule Task Weekly list.
• Monthly. This runs your task once each month on the day and at the time you specify. Enter the time in the text box provided, then enter the day of the month on which you want the task to run. Click Select Months to specify which months the task will run.
• Once. This runs your task exactly once on the date and at the time you specify. Enter the time in the text box provided, then select a month and a date from the Run On lists.
• At System Startup. This runs your task only upon system startup.
• At Logon. This runs your task when you log on to your computer.
• When Idle. This runs your task when your system is idle for the amount of time you specify in the minutes text box.
5. Click Advanced to open a dialog box where you can select additional scheduling options, such as the start date, the end date, and the duration of the task.
6. Click OK.
A confirmation dialog box appe ars. Your freespace wiping task is now scheduled.
6 Managing Keys and Setting PGP Options
This chapter explains how to examine and manage the keys stored on your keyrings. It also describes how to set your options to suit your particular computing environment.

Managing your keys

The keys you create, as well as those you collect from others, are stored on keyrings, which are essentially files stored on your hard drive or on a floppy disk. Normally your private keys are stored in a file named Secring.skr and your public keys are stored in another file named Pubring.pkr. These files are usually located in the PGP Keyrings folder.
NOTE: Because your private key is encrypted automatically, there is no danger in leaving your keyrings on your computer as long as your passphrase is not compromised. However, if you are not comfortable storing your keys in the default location, you can choose a different filename or location. For details, see “Setting PGP options,” later in this chapter.
Occasionally, you may want to examine or change the attributes associated with your keys. For instance, when you obtain someone’s public key, you might want to identify its type (either RSA or Diffie-Hellman/DSS), check its fingerprint, or determine its validity based on any digital signatures included with the key. You may also want to sign someone’s public key to indicate that you believe it is valid, assign a level of trust to the key’s owner, or change a passphrase for your private key. You may even want to search a key server for someone’s key. You perform all of these key-management functions from PGPkeys.

The PGPkeys window

To open the PGPkeys window, open the Start menu, click Programs-->PGP-->PGPkeys, or click the PGPtray icon ( ) in the System tray and then click Launch PGPkeys. The PGPkeys window, as shown in Figure 6-1, displays the keys you have created for yourself, as well as any public keys you have added to your public keyring.
Figure 6-1. PGPkeys window
A key and user icon ( ) represent the private and public key pairs you have created for yourself, and single keys ( ) represent the public keys you have collected from others. If you have more than one type of key, you will notice that RSA-type keys are silver keys and Diffie-Hellman/DSS keys are gold keys.
By clicking on the plus sign at the left side of the key icon, you can expand the entries to reveal the user ID and email address for the owner of the key as represented by the envelope icons ( ). By clicking the plus sign next to an envelope icon, you can see the signatures of any users who have certified the user ID. If you don’t want to expand each key individually, simply select the keys of interest and then choose Expand Selection from the Edit menu.