Things to Try

pgp_Q_and_A.html

Q and A
==========

Q: Is there a specific encryption algo I should use, like AES, CAST, DES?
My key size is currently listed as 2048/1024, but I notice that yours is
1024/1024. Will this affect/limit the people who use my public key? I am
using the freeware version of PGP 8.1 on Windows XP.


A: My key size is on the small size. 2048/1024 is a good choice.
Public-Private Keys need to be longer that symmetric keys to be as secure,
because of certain mathematical attacks that are known. Also the message
size has to be smaller than the key size (not a problem when a "session key"
is exchanged).
---

Q. I've heard/read about others signing your key? What does this achieve? I
think it has something to do with validation?


A. You can assign a level of "Trust" to each Key on your Key Ring. If you
also "Sign" these Keys they will become "Valid."

If you attach a level of Trust to my Key in your Key Ring, then all keys that
I have Signed will also carry a level of Validity. How your PGP client
program knows which keys I have Signed involves the use of a Key Server (e.g.,
keyserver.pgp.com). We will discuss this in more detail when we cover email
security.

============
Did you type the "Pass Phrase" exactly as you did when you generated the
Public Key? Using the same capitalization is important.

Do you have the Public Key on the receiving machine's Key File or "Key
Ring"(using the utility program that comes with PGP)?

Does the editor being used for Cut and Paste write a simple TEXT file
(good), or does it write an HTML file or proprietary format file (bad)?

You might try generating another Key. Be sure to store the new key on
your "Key Chain."

=======

> When I try to "Sign & Encrypt" my HW-2 message, I get a list of
> recipients to choose from, and it is a list of people for whom I have
> public keys.
>
> It looks like what PGP is doing is asking "With which public keys do
> you want to encrypt?" Otherwise, why does it even care who the
> recipients are?
>
> But isn't the whole idea of HW-2 to encrypt with my Private Key and
> then sign with my Private Key? Or do I encrypt with your Public Key and
> sign with my Private Key? If so, why does PGP ask for recipients?
>
>
> How do I encrypt with my PRIVATE KEY instead of my PUBLIC KEY (which
> appears to be the default)?
---------------------------

You must encrypt with my Public Key. Then only I can decrypt the message
since my Private Key is needed.

The message is actually encrypted with a newly generated Session Key using
DES , IDEA, or CASE (preferred). For each recipient, the Session Key is
encrypted using their Public Key. Each additional recipient adds only a
fraction to the length of the encrypted message.

You "sign" the message first by calculating a MIC (message integrity check)
and encrypting the MIC with your Private Key. This is added to the message
before it is compressed and encrypted.

Anyone who decrypts the message and can then decrypt the MIC using your
Public Key knows it came from you. They also compute a MIC for the message
received to compare with the one in the signature to confirm the message
has not changed.

By the way, it's good to always add yourself as a recipient. Otherwise you
will not have a copy of the message you can decrypt.


==================

> Homework 2 requires that a message be encrypted and signed with my private
> key only. However, when I use PGP to encrypt a message, it asks for the
> recipient of the message. Does this mean that it will encrypt it with the
> recipient's public key as well? If I do not include any recipient, PGP
> complains and does not encrypt the message.
-------------------------

The PGP menu item "encrypted and signed" means "encrypted with the
recipient's public key" and "signed with the sender's private key." I have
modified the version on the Web to make this clearer:

3. Send me a message that is PGP "encrypted (with my public key) and signed
(with your private key)". The subject should be "HW-2" (4 characters, no
quotes).
==========================

> I was trying out certain things with PGP, and I found that for
>encrypting the messages using, say your public key, I needed a userid.
>In your case, I believe the user id is . But
>in the webpage where you have published the public key, you have mentioned
>your email as john.copeland@ece.gatech.edu. I think it would be better
>if the actual user id is put in as the email.
> Also, I have generated my public key. Could you please tell me
>how to add it to the class public key list??
------------------------

You must set up a file of people's Public Keys. The ID requested is the ID
used to pick out the correct key from that file. That is, use the same ID
that was used when you stored my Public Key.

On the Macintosh (and presumably on Windows) you are presented with a menu
from which to select a name (or ID).

In terms of registering keys, my key is under the name John Copeland on
pgp.com's key server, ldap://certserver.pgp.com. You can do a search for
any name containing "John Copeland" and get my Public Key. You can put your
key there by clicking "Register" when you generate it with the PGPtools
utility.

I have email accounts on a number of computers. They all forward to a
single account, which is now john.copeland@csc.gatech.edu My primary email
that I give out is john.copeland@ece.gatech.edu in the belief that ECE will
be around longer than CSC. All the computers have several aliases for my
account name (john.copeland, jcopeland, copeland, ...).
==============

> What is *DH/DSS* public key? I run pgp on our system to generate a
>pair of pri/pub keys. It asks me to select from 512/768/1024 bits.
---------------------------

You must be running the International version. If it does not give you a
choice, except for length, then choose the largest length.

My version (U.S. only, v 6.5) lets you choose either DH/DSS (Diffie Hellman
public-private keys for session key setup, p.147, and Digital Signature
Standard, p.152) or choose RSA public-private key (older style, patent
problems, not recommended).
==============================

I setup two PCs (A and B)to try the PGP software and the Email
application I use is Netscape Messanger, which is not supported by PGP.
Suppose that A wants to send a Encrypted/Signed message to B. First, A
encrypts and signs the message. Then it copies the encrypted/signed
result and pastes it in the email and sends it out. After B receives the
email, B copies the encrypted/signed message and pastes it in a text
file and decrypt/verify the file. I can get the original clear text A
sent, but the "PGPlog" gives me the "Invalid Key" message as the
attached file. (I didn't do any editing after I paste the
encrypted/signed message in my email.) Did I make any mistake in the
above example?

If I can't decrypt/verify a encrypted/signed message in the email using
the above method, what should I do ?(I've read through the manual, but I
can't find the answer.)

=======================================================

SInce the Message decrypted, the Public Key worked.

The "Invalid Key" message appears because you need to get several people
who have PGP to "validate" your key. Sent them a message with the Key
pasted in and a request for them to "Validate" the Key, which they can do
when they paste your Key into their "Key Rings.".

You should also "Register" the Key when you generate it. When you register,
list your name in a way that people would search for it. Also list your
most permanent email address.

---------------------------------
>I got two messages from you. One is saying "Please try to send a message
>again because my message didn't decript properly" and the other is saying
>"You PGP message was received and decrypted, as shown below.

======================

Your message showed a valid signature, but did not decrypt on the first
try. Later when I tried to decrypt that result, it decrypted.

Evidently if you sign first and then encrypt, "decrypt and validate" works
in one pass.

if you encrypt first and then sign, it causes the signature to appear in
plaintext (an intruder could do traffic analysis) and PPG only validates on
the first pass. A second pass is needed to decrypt.

========================
>There are two options for signing and encrypting using the PGP program.
The
>first is to encrypt and then sign in two separate steps. The second is to
>encrypt and sign in the same step. Is there a difference between the two
(e.g.
>is one of them less safe than the other)?
----------------

If you select "encrypt and sign" the steps will be done in the optimum
order, which is "sign" and then "encrypt."

If you "encrypt" and produce a base64 encoded message before "signing", you
may expand the message unnecessarily by doing two base64 encodings, each of
which expands a binary (or text) message by 33%.

If someone does it the reverse way (Encrypt, then Sign), the receiver has
to run "Decrypt/Verify" twice. The first pass only verifies, leaving the
encrypted message.

================================

Your key is an RSA key. The homework suggested using a Diffie Hellman/ SHA
key which is available on the latest versions of the PGP program (from PGP
Corporation).

Your message was encrypted with your private RSA key (or with a random
session key that was also sent in RSA encrypted form).

I did have your public key already. The

>*** PGP Signature Status: not verified (signing key missing)

message evidently is because your key is not on the two key servers.

Your message was encrypted, but it was not secret since anyone could
decrypt it with your public key.
=====================

You are right about keeping the same Public/Private Keys. To keep your
present Public and Private Keys, copy the files named "Private Keys" and
"Private Keys" from the directory "PGP Key Rings" on a floppy. Replace
the files with those same names on the new hard drive after you install
PGP on the new computer.

----------------------
John Copeland