6527 6386 protect security

8/9/2019 6527 6386 Protect Security

1/13an Security eBook

ProtectingYour SensitiveIn ormation withEncryption


2/13

2 E-Mail Encryption: Lots of Choices, Plenty of Tradeoffs

4 Public Key Crypto for Enterprise Users

7 Understanding Public Key Infrastructure

9 PGPs Universal Server Provides Unobtrusive Encryption

11 Encrypt Your E-Mail with GPG and Thunderbird

4

2

6

8 10

Contents

This content was adapted from Internet.coms Enterprise IT Planet and Enterprise Networking Planet Web sites. Contributors: Drew Robb and Paul Rubens.

1 Protecting Your Sensitive Information with Encryption, an Internet.com Security eBook. 2009, Internet.com

Protecting Your Sensitive Information with Encryption


3/13



C orporate espionage is big business these days.So it makes sense to deploy some kind o encryp-tion system to ensure that prying eyes cant deci-pher anything garnered rom intercepted messag-es or rom stolen computers. Whether it is customer data,employee data, intellectual property, or confdential fnancial

in ormation, losing anything can be seriously detrimental.Lost or stolen data can cripple abusinesss reputation and fnancialstanding, says Than Tran, productmarketing manager at PGP Corp.o Palo Alto, Cali . A businessmust ensure e-mails containingsensitive in ormation are keptsecure and that they comply withprivacy laws to assure sa e trans-actions or their customers and theprivacy o their employees.

Encryption SystemsTran explains that there are severaldi erent methods o e-mail en-cryption. Endpoint-to-Endpointrepresents ull encryption rom theoriginating device to the recipientdevice. This method provides thehighest level o security by allow-ing no intervening points at which plaintext data can be readby anyone but the intended parties. The drawback is thatthis mode also creates the greatest amount o complexity

rom an implementation, administration, and managementperspective. This complexity mainly results rom the actthat encryption so tware must be installed and maintained

on the endpoint that integrates with the client e-mail readerso tware.

Gateway-to-Endpoint is one way to simpli y things. It pro-vides ull encryption rom a gateway system within thesenders network to the recipients endpoint. In this scenario

the message leaves the senders desktop in plaintext and isencrypted by a gateway located within relative proximity tothe e-mail server. This mode elimi-nates the need or any encryptionso tware or user interaction on thesenders side.

Another variation on this isGateway-to-Gateway, says Tran.It is like Gateway-to-Endpoint, buadds an encryption gateway on therecipients side, thus eliminatingdesktop so tware and administra-tive costs on that end as well.

Finally, there is Gateway-to-Web,which provides access to sensitivedata via a Web server, possiblyco-located on the gateway itsel .The data is typically protected viatransport layer encryption, such asSecure Sockets Layer (SSL). This

allows secure communication to occur with any recipient,regardless o its architecture or level o sophistication.

In this scenario, a standard message is sent to the recipi-ent, advising that a secure message is waiting at the gate-way, says Tran. The recipient retrieves this message via a

E-Mail Encryption: Lots oChoices, Plenty o Tradeo s

By Drew Robb

Whether it is customer data, employee data,intellectual property, or confdential fnancial in ormation,

losing anything can be seriously detrimental.


4/13


5/13



P ublic key cryptography is one o the undamentaltechnologies used or exchanging in ormation onthe Internet securely. Its used by Web browsersto create secure connections to Web sites, and bye-mail security gateways and applications to encrypt mes-sages. Its strength lies in the act that it can be used to ex-

change encrypted in ormation between two parties that havenever communicated together be ore and have there orenever agreed on a secure way o exchanging messages.

To understand how public keycryptography works, lets con-sider secure communications ingeneral. One way to send a conf-dential message to someone is toagree on an ob uscation systemin advancelike substituting eachletter in the message with thenext one in the alphabet.

A more sophisticated methodwould be to use encryption so t-ware, which uses an encryptionalgorithm known as a cipher. Themessage (known as plaintext)is entered and passed to thealgorithm along with a keya string o characters that yousupplycomes out in encrypted orm (known as ciphertext).This unintelligible jumble o characters can only be con-verted back to the original plaintext by passing the messagethrough the same cipher and supplying the same key. This isknown as a symmetric encryption system.

An interesting thing about this system is that its security

doesnt rely on the cipher itsel being secret. The only thingthat needs to be kept secret is the key. (In act you couldargue that the more widely known and understood a cipheris, the more you can trust it to be e ectiveproprietary algrithms that arent open to public inspection by independentexperts could have secret backdoors built in that allow

anyone in the know to decrypt messages without the key.)

One problem with symmetric systems is that to send some-one a message securely youhave to be able to give them thesecret key frst without anyoneelse seeing it. Why is that aproblem? Imagine a situation inwhich you were traveling abroadand had to e-mail some valuablecorporate in ormation back to acolleague without the authoritiesin the country you are in gettingtheir hands on it. I you hadntalready agreed on a key be oreyou went traveling then youdbe stuck: you couldnt send anencrypted message withoutfrst supplying a key, and youdhave no way o e-mailing a key

securely. O course you could make a phone call to tell yourcolleague the key you intend to use, but what i the conversation is overheard or the phone line is tapped?

How Public Key Cryptography Works

The solution is to use an ingenious cryptographic systemcalled public key cryptography (PKC). The undamental pao PKC is that the encryption key is split into two separate

Public Key Cryptoor Enterprise Users

By Paul Rubens

One problem with symmetric systems is that to sendsomeone a message securely you have to be able to give

them the secret key frst without anyone else seeing it.


6/13



keyslets call them key A and key B. I you encrypt someplaintext with key A, you cant decrypt the resulting cipher-text with key A to get back to your original plaintext. To de-crypt ciphertext produced using key A, you need to use keyB. In actand this turns out to be very use ulthe reverse isalso true: i you encrypt some plaintext with key B, you cantdecrypt it again with that key. You can only decrypt it withkey A. I you encrypt a message with one key in the key pair,you can only decrypt it with the other one.

I you want to be able to receive encrypted messages romanyone who wants to contact you, you frst need to generatea key pair (using suitable PKC so tware.) One o these youdesignate your private key, which youkeep secret. But heres the clever bit:the other key you designate as yourpublic key, and this doesnt have to bekept secret. In act the reverse is true:it should be distributed as widely aspossible so that anyone who wants itcan easily get it.

To send that message to a colleaguenow, all you need is their public key.There are a number o ways that youmight get might get hold it, which wewill look at later. The important thingis that this public key doesnt have to

be kept secret, so even i you calledyour colleague and the phone linewas being tapped it wouldnt matter.Anyone overhearing the conversa-tion and writing down the public keycouldnt use it to decrypt the messagethat you encrypt with it.

Now remember how we mentioned earlier that your pri-vate key can also be used to encrypt a message that canonly be decrypted using your public key. You may well askwhat would be the point o encrypting a message i the keyneeded to decrypt it is publicly available.

The answer is quite surprising. Lets imagine you receivea message rom your colleague, and you believe that it isencrypted with his private key. I you use their public key todecrypt the message success ully then that means that themessage must indeed have been encrypted using your col-leagues private key (which only your colleague has accessto). No other key could have been used to encrypt the mes-sage. So encrypting a message with a private key acts as adigital signature: I you can decrypt a message with Johnspublic key, it must have been encrypted using Johns private

key, so it must have been written by John.

Using double encryption, its possible to send an encrypted,digitally signed message to anyone who has made their pub-lic key available. Heres how:

Imagine you want to send a message to your colleague Bobat head o fce. First you write your message (the plaintext)and encrypt it with your private key to produce the cipher-texta message that is e ectively digitally signed as comin

rom you and no one else. You then encrypt this ciphertexta second time using Bobs public key. Finally, you e-mail theresulting gobbledegook to Bob.

When Bob receives this messagehe decrypts it using his private keyto get the ciphertext message thatyou encrypted with your privatekey. Bob then decrypts this usingyour public key. I he gets a mes-sage (rather than gobbledegook) heknows that the message defnitelycame rom you (because otherwisehe couldnt have decrypted it withyour public key) and he knows thatno one else could have read themessage, because no one else hashis private key.

PKE Has Its LimitsAre there any limitations to the PKEapproach? The answer to this ques-tion is yes.

First, any encrypted message is only as strong as the cipherthat is used to encrypt it. I a weakness is discovered in thecipher such that you no longer need a key to decrypt themessage or it becomes possible to work out the key (directlyor indirectly) rom the contents o the ciphertext then clearlthe system is not secure.

Another caveat is that any key-based encryption system issusceptible to a brute orce attackmethodically trying evepossible key until the correct one is ound. Modern encryp-tion techniques rely on the act that i there is a su fcientlylarge keyspace (meaning there are a su fciently large num-ber o possible keys) it is likely to take hundreds o milliono years to fnd a key by brute orce using the computers thaare currently available. But as computers become more power ul, the length o the keys typically used may need to beincreased to ensure that the chances o success ully brute

orcing a key remain tiny.

I you want to beable to receiveencrypted messages

rom anyone whowants to contact you,

you frst need togenerate a key pair

(using suitable PKCso tware.)


7/13



Its important to remember that any encrypted message isnever completely sa e rom a brute orce attack: someonemight guess the correct key with their very frst guess. Its

just that with a strong cipher and a long key the probability othat happeningor that they hit upon the correct key within athousand yearsis vanishingly small.

The fnal problem thats worth mentioning is the problem okey management: how do you get hold o someones publickeys, and how can you be sure that it is the public key be-longing to the person you think it belongs to? I you send amessage to Bob using the public key that you think belongsto Bob but actually belongs to Carol, then Bob wont be

able to read it. More worryingly, i Carol manages to gether hands on the message she will be able to read it, eventhough you intended it or Bobs eyes only.

Despite these potential problems, its air to say that PKEhas revolutionized the way that secure communications arecarried out. In the next piece, well be looking at key management and how PKE is used in the real world to provide com-mercial and open-source secure e-mail systems. n


8/13



In the last piece we took a look at how public key encryp-tion systems work, and how anyone can send you an en-crypted messagewhich only you can readi they haveaccess to your public key. It turns out that the processo getting your public key to people who need to use it is acomplex task that involves a combination o trust, third par-

ties, and various other actors which together are known aspublic key in rastructure.

On the ace o it, giving peopleaccess to your public keyshouldnt be much o a prob-lem. You could make it available

or download on your Website, you could distribute it ona memory stick, or you couldsimply e-mail it to people.

But in practice there is a bigproblem with that: i someonewants to send a message thatonly you can read, they need touse your public key to encrypttheir message. But i they usea key that they think belongs toyou but actually belongs to someone else (call them Mallory)then you wont be able to read the message, and Mallory will.So i Mallory wants to read confdential messages intended

or you, all he has to do is replace your public key with his onyour Web site, or on a memory stick youve distributed, or ine-mails that he sends out purporting to come rom you, and ihe can then intercept any messages bound or your encrypt-ed with this bogus key he will be able to read them.

O course you would realize something was up when youdiscovered that using your private key you couldnt decryptand read the messages you received (because they havebeen encrypted with Mallorys public key, not your publickey). But i Mallory were smart he would re-encrypt the mesages intended or you a ter he had read them with your rea

public key and send them on. In that case you wouldnt knowthat anything was amiss. Mallory would have carried out aman in the middle attack.

So how can this problembe overcome? How can youdistribute your public key tosomeone in such a way thatanyone who receives it can besure that it really is your key,and not, or example, Mal-lorys? And how can you besure that any public keys youget hold o really do belong tothe people that you think thatthey do? The answer is to getany public key vouched or bya trusted third party, and thatswhere PKI comes in.

Imagine that theres someone in the communitycall himSolomonthat everyone trusts as an upstanding and trust-worthy citizen. You take your public key in person to Solo-mon, who checks who you say you are (perhaps by checkingyour drivers license or passport). He then signs a certifcatethat he attaches to the key that says that he, Solomon, canpersonally vouch or the act that the attached key belongsto you.

Understanding PublicKey In rastructureBy Paul Rubens

It turns out that the process o getting your public key to people who needto use it is a complex task that involves a combination o trust, third parties, and

various other actors which together are known as public key in rastructure.


9/13



In the digital world Solomon would e ectively encrypt yourpublic key along with a certifcate saying I certi y that thispublic key belongs to X using his private key. Anyone receiv-ing this could only decrypt it using Solomons public key, andwhat they would fnd is your key, plus the message sayingthat it is indeed your key. Since only Solomon could havecreated the message, and since the message and the keycould not have been altered in any way (because they wereboth encrypted and thus tamper-proo ) then the they could be surethat the key was indeed your key as long as they trusted Solomonto tell the truth, and as long as theycould be sure that the key that theybelieve to be Solomons publickey is in act his. (In practice theprocedure is slightly di erent in thatit uses something called a hashing

unction, but the principal is exactlythe same.)

But surely this just pushes the prob-lem back one stage? The personreceiving your key can be sure thatit is genuinely yours only i they canbe sure that the copy o Solomonspublic key that they have is genuine.But how can they know that it is?

One answer in the real world is to have a limited number otrusted third parties (or Solomons), known as certifcationauthorities or CAs, who issue certifcates, and or the pub-lic keys or these CAs, known as root certifcates, to be pre-installed in so tware packages (such as Microso ts InternetExplorer.) This means that as long as a public key that youreceive is signed by a CA that you have a root certifcate or,then you can be sure that the public key belongs to the per-son it says that it doesi you are sure that the pre-installedroot certifcate you have is genuine and you deem the CA tobe trustworthy.

I the root certifcate was included with a so tware package,then you have to decide whether you trust the maker o theso tware to have included a genuine root certifcate or not.Likewise, you can look at the details o any CA and decidewhether you trust them. Microso t includes root certifcates

or CAs as diverse as commercial U.S. entities such asVisa and RSA (which you may well know and trust), as wellas more obscure overseas ones such as the UruguayanAdministracion National de Correos and the Government oSlovenias General Certifcation Authority (which you maywell know nothing about and there ore have no reason to

trust beyond the act that they sound vaguely o fcialwhicis a tenuous reason to trust any organization). Ultimately itsup to you which so tware makers and CAs you chose to trusand which you dont.

Theres another way that you can get reassurance that apublic key you get hold o is genuine without having to placyour trust in certifcate authorities and root certifcates, and

thats known as a web o trust. In thismodel, you meet ace to ace withpeople you know, and get them tosign your public key with their privatkey confrming that your public keyis really yours. The more people youcan get to sign your key the better,so this is o ten done at a signingparty where a number o peoplemeet ace to ace.

The principle then is this: imaginethat you get a public key that youthink belongs to Carol, but you cantbe sure because you didnt get it di-rectly rom her. When you get it, youmight see that it has been signed asgenuine by Bill. I you know Bill anhave a copy o his public key that yogot rom him when you met him ac

to ace, you can easily decide that thekey does belong to Carol, because Bill says so and you trusthim. O course the flament o trust could be longer: Carolskey could have been signed by Ben, who you dont know,but Bens key could have been confrmed by Bill, who you doknow. The more people you trust who confrm that the keyis genuine, either directly or indirectly, the better. Webs otrust are good or small networks o people who mostly knoeach other, but arent suitable or very large groups with ahigh proportion o people you dont know.

The important point to remember in the end is that althoughpublic key ciphers are extremely secure as ar as we know

public key in rastructure relies on an element o trust: Youcan only use a public key belonging to someone you dontknow i you can trust that it belongs to the person that youthink it does. This means thinking care ully about the CAs oweb o trust members that you deal with, and seeking n

I the root certifcatewas included with aso tware package,then you have to

decide whether youtrust the maker o the

so tware to haveincluded a genuine

root certifcate or not.


10/13



At this point, weve looked at the theory behind pub-lic key encryption and public key in rastructure. Buthow is all o this pulled together into a product thatenables you to send or receive encrypted e-mailmessages?

I you need encryption in an enterpriseenvironment then the ideal solution is astransparent to those using it as possible.Thats because any specifc steps thatusers have to take to encrypt their mes-sages are likely to be orgotten, ignored,or carried our incorrectly.

For that reason, many organizationschoose to install an encryption gate-way appliance that encrypts messagesa ter they have been sent by users romstandard e-mail clients like Microso tOutlook, and which decrypts incomingmessages be ore passing them on totheir destinations.

One o the earliest public key encryp-tion applications was called Pretty GoodPrivacy (PGP), written in 1991 by PhilZimmermann. PGP, Inc. was bought byNetwork Associates in 1997, but ol-lowing a management buyout in 2002 PGP morphed intoPGP Corp., which today is one o the best known vendors ocorporate encryption solutions. The companys o erings arebased around a set o encryption applications or e-mail andother targets such as mobile devices or storage disks that use a common encryption plat orm, plus a management

server called PGP Universal Server that oversees them all.

PGPs Universal Gateway E-MailPGPs Universal Gateway Email is the companys gatewayencryption (and decryption) application. To build a transpar-

ent secure e-mail system an organiza-tion runs a virtual appliance made upo PGP Universal Server and UniversalGateway Email. This can run on a hard-ened version o Linux on one o severaspecifc server hardware confgurations

rom vendors including Dell, HP, andIBM, or it can take the orm o a virtuamachine running on VMware ESX.

The appliance is connected betweenthe corporate mail server and thecorporate frewall, and when it receivesoutgoing e-mail messages rom themail server it kicks into action. The frstthings the encryption application has todo is decide which messages to encryptand fnd the public keys belonging to therecipients o those messages that needto be encrypted. This in ormation isprovided by the PGP Universal Server.Its role is to manage and apply rules andpolicies or encryption, based on acto

including the destination, the sender, or even the contentso the message. Account creation, group management, andpolicy en orcement can be automated by integrating Active

Directory, Lotus Notes/Domino directories, or other LDAPdirectories with the Universal Server.

PGPs Universal Server ProvidesUnobtrusive Encryption

By Paul Rubens

I you need encryption in an enterpriseenvironment then the ideal solution is as transparent

to those using it as possible.


11/13



Lets imagine that you want to send an e-mail to someone atanother organization, and the Universal Server determines,by looking at the rules and policies that it has to apply, thatyour message should be encryptedperhaps because youare working in a confdential new product group. To encryptthe message the encryption so tware frst needs the intend-ed recipients public key. So how does it get that?

Universal Server Key ManagementKey management is a key role (i youll pardon the pun) thatthe Universal Server carries out or the encryption so tware.One place it can look or a key is PGPs Global Directory.(Whenever PGP products generate keys anywhere in theword, the public keys are sent automatically to this GlobalDirectory. Key owners are e-mailedevery six months to confrm that thekeys should remain in the directory,which may not be the case i , orexample, the matching private key hasbeen lost or compromised.) It canalso search or a key by looking ora corporate keyserver at the mes-sages destination domain, or it couldhave already received it out o band perhaps manually delivered on amemory stick.

What happens i policy dictates that a

message you want to send should beencrypted, but no public key or therecipient can be ound, perhaps be-cause the intended recipient or theirorganization doesnt use encryptionso tware and there ore has no key?

In this situation you cant use public key encryption, but youcan use a compromise. Universal Gateway Email providestwo alternatives: PGP Universal Web Messenger and PDFMessenger. The frst o these sends an unencrypted e-mailto your intended recipient in orming them that they havebeen sent a message, and that they can view it by visitinga secure Web site and entering a password that could bedelivered separatelyperhaps by SMS. The second encryptsthe message as a PDF, which is sent to the recipient, whocan then decrypt and view it using standard Adobe AcrobatReader so tware once they have the password.

When Does Gateway Encryption Fail?A gateway encryption product may make e-mail encryp-tion totally transparent to users, but there are a number oreasons why it may not be suitable in all cases. For example,an e-mail must be digitally signed (using a private key) atthe point it was created to provide non-repudiation or somelegal purposesotherwise the sender could disown themessage on the grounds that it could have been tamperedwith a ter it le t their computer but be ore it was encryptedat a gateway, or even that they did not originate it in the frstplace. A gateway encryption product may also not be practi-cal when mobile users need to send e-mail rom outside thecorporate network.

To cater to these and other circum-stances PGP also o ers its Desktope-mail application. This runs as a locadesktop mail proxy service that workwith all e-mail clients (not as a plug-in or specifc e-mail applications.)Key and policy management can becarried out by the application, or bythe corporate Universal Server. Themachines private key can be storedon the machine itsel protected bya passphrase and, optionally, somesecond actor authentication system

such as a GemPlus, Alladin, or Axalto(Schlumberger) smart card. It canalso be stored within the TrustedPlat orm Module (TPM) o suitablyequipped laptops or on a Universal

Server, or synchronized between thetwo. When the so tware is managed by a Universal Serverseparate policies can be en orced on the computer whenthe Universal Server is unreachable.

For smaller organizations or individuals, a ull blown encrytion plat orm such as this may seem like overkill, and in maways it probably is. In the next piece Ill be taking a look atlow-cost or ree open source encryption solutions that usethe same public key encryption technology. n

A gatewayencryption productmay make e-mailencryption totally

transparent to users,but there are a

number o reasonswhy it may not besuitable in all cases.


12/13



P ublic key encryption isnt just the preserve o largeorganizations. Thats because there are opensource PKE solutions that enable smaller compa-nies and individuals to use the technology at nocostmost commonly to encrypt and digitally sign e-mailmessages.

Earlier we looked at PGPCorp.s public key encryptionplat orm, and whats interestingabout this commercial plat-

orm is that it adheres to theOpenPGP standard an e-mailencryption standard defned bythe OpenPGP Working Groupo the Internet EngineeringTask Force (IETF) ProposedStandard RFC 4880. Open-PGP was actually derived romPGP, the pioneering public keyencryption program created byPhil Zimmerman back in 1991,which is the basis or PGPCorp.s plat orm.

The good news is that theresa completely ree, open-source implementation o theOpenPGP standard called GNU Privacy Guard (or, morecommonly, GPG). Since any OpenPGP compliant so t-ware (should) work with any other, this means that GPG iscompatible with PGP. Like any open-source alternative toa commercial product there are di erences between PGPCorp.s plat orm and GPG in terms o support and additional

eatures, but GPG o ers solid public key encryption and kmanagement eatures as an alternative to a system such asthat o ered by PGP Corp., on a number o plat orms incluing Windows, Linux, UNIX, and OS X.

To illustrate GPGs use Ill concentrate on the Windows plat-

orm or the simple reason that 90 percent o all desktopsand laptops run Windows iyou use another plat orm thenthe general in ormation will stapply even o the details areslightly di erent.

GPG is actually a commandline tool, but thanks to somehandy plug-ins to popular e-mail clients you shouldnt everhave to learn any o the com-mands. (But like most com-mand line tools, i you do takethe time to master the com-mands youll fnd GPG mucheasier to control directly thanthrough a ront end.)

The frst step to running GPGis to run the Windows installer,which you can download rom

GPGs Web site (www.gnupg.org).

GPG for Thunderbird

The next step is to fnd a GPG plug-in or the e-mail clientyou intend to use. In this article well use the open-sourceThunderbird 2 e-mail client, although plug-ins o varying

GPG is actually a command line tool, but thanks to somehandy plug-ins to popular e-mail clients you shouldnt ever

have to learn any o the commands.

Encrypt Your E-Mail withGPG and Thunderbird

By Paul Rubens


13/13


quality are available or many more clients including Eudoraand Outlook Express on Windows, Thunderbird, KMail andEvolution on Linux, and Thunderbird and Mail.app on OS X.

The GPG plug-in or Thunderbird is called Enigmail, whichyou can download rom and then install into the e-mail client.(Dont skip the download stage and try to install it directlyi you are running Fire ox or your browser will try to installEnigmail into itsel instead o Thunderbird.)

Once Thunderbird has been restarted youll see an Open-PGP menu item, and clicking thiswill bring you to the OpenPGP KeyManagement window. Its rom herethatby clicking the Generateoptionyou can create your ownpublic and private keys. These canbe associated with a particular e-mailaddress, or you can choose to usethis key pair with two or more e-mailaddresses you might use. Youll alsobe asked or an optional passphraseto protect your key. ( Its a good ideato use this eatureotherwise anyonewith access to your computer will beable to sign messages in your nameand decrypt confdential incomingmessages.) Theres also a comment

box, where you can add a descriptiono yoursel (such as Managing Direc-tor o Rubens Inc.), which makes itmuch easier or anyone searching akey server or your public key to identi yyou correctly.

Once you click Generate Key a key pair is created, a terwhich youll be asked i you want to create and save a revo-cation certifcate that you can use to invalidate your key pairat some uture time i it becomes compromised. The fnalstepi you want your public key to be widely availableisto upload it to a key server by choosing the Upload Public

Keys option.

Sending Encrypted MessagesSo how do you go about sending an encrypted message?Simply write an e-mail message using the e-mail client inthe normal way, and then click on Encrypt Message in themessages OpenPGP menu. When you send the message,the OpenPGP Key Selection window will pop up, allowingyou to select the recipients public key rom your store okeys. I you dont have the recipients key you can click onDownload missing keys to carry out a keyserver search to

try and fnd it. Assuming you fnd the key you need, selectit and download it to your key store, and send the messageagain.

As youll recall, you can sign an e-mail with your private keyto prove that the e-mail really came rom you. To do this, simply choose the Sign Message option instead o EncryptMessage.

I you want to make it easy or others to fnd your public key(especially i you dont want to submit your key to a keyserv

erperhaps to avoid the risk o spamyou can also send them an e-maila ter selecting the Attach My PublicKey option in this menu. (O coursethey should be aware that althoughthe e-mail might appear to come romyou, it might have come rom some-one else.)

One handy thing about installingGPG is that it is available to anyapplication that needs encryption ca-pabilities i a suitable plug-in or thaapplication has been written. Thatmeans that as well as using GPGthrough your e-mail client, you canalso use it through a Web browser.

A ter installing the FireGPG Add-oninto Fire ox you can use Gmail tosend and receive encrypted or signede-mails using the extra buttons that

appear on the Gmail Web inter ace.(You can also encrypt, decrypt, sign, or veri y the signatureo text in any Web page by right clicking in Fire ox or selecing FireGPG rom the Tools menu.) The FirePGP Add-on is

ar rom per ectlooking up keys rom a key server doesseem to work properly, or examplebut its certainly useand will likely improve in uture versions.

Compared to commercially available solutions GPG does

have drawbacks. Unlike gateway solutions o ered by thelikes o PGP Corp. GPGs unctionality isnt transparent tousers, and cant be relied to encrypt all messages as encryp-tion can easily be switched o by the user. Key managemenis also much more rudimentary, and i a user orgets theirprivate key passphrase then the key pair becomes unusableas there is no way to retrieve it. But overall GPG is a use ul(andlets not orget ree) implementation o OpenPGP,it can be a very e ective solution or individuals and smalbusinesses. n

One handy thing

about installingGPG is that it isavailable to anyapplication that

needs encryptioncapabilities i a

suitable plug-in orthat application has

been written.

6527 6386 protect security

Documents