PGP 3 CREATING AND EXCHANGING KEYS The Essentials The following instructions may appear long and complicated, but this is largely a one-off operation, consisting of these essential steps: 1. 2. 3. 4. 5. 1 Creating your own public-private key pair Creating a passphrase to ensure security of your private key Customising your key and keyring Exchanging keys with other key owners Verifying and validating keys Using PGP to generate a public-private key pair Choose from the Start menu: Programs PGP PGP keys This launches the PGP Key Generation Wizard. Click Next to advance to the next window. The Wizard then asks you to enter your name and email address. It’s not absolutely necessary to enter your real name or even your email address. However, using your real name makes it easier for others to identify you as the owner of your public key. Also, by using your correct email address, you and others can take advantage of the plug-in feature that automatically looks up the appropriate key on your current keyring when you address mail to a particular recipient. Click Next to advance to the next dialog box where you are asked to select a key type. Choose Diffie-Hellman/DSS and click Next. The Wizard asks you to specify a size for your new keys. Select the default i.e. 2048 bits and click Next. You are then asked to indicate when the key pair will expire. (If you are just experimenting, you should set a time limit of a day or so on your first try-outs. Once you have become confident with the system you can choose the default option described below.) You should choose the default option which is Key pair never expires and click Next. 2 Creating a passphrase The Wizard then asks you to enter a passphrase. In the Passphrase dialog box, enter the string of characters or words you want to use to maintain exclusive access to your private key. To confirm your entry, press the TAB key to advance to the next line, then enter the same passphrase again. Normally, as an added level of security, the characters you enter for the passphrase do not appear on the screen. However, if you are sure that no one is watching, and you would like to see the characters of your 106742772 Page 1 of 5 17/02/16 PGP 3 passphrase as you type, clear the Hide Typing checkbox. ! NOTE: Your passphrase should contain multiple words and may include spaces, numbers, and punctuation characters. Choose something that you can remember easily but that others won’t be able to guess. The passphrase is case sensitive, i.e. it distinguishes between uppercase and lowercase letters. The longer your passphrase, and the greater the variety of characters it contains, the more secure it is. Strong passphrases include upper and lowercase letters, numbers, punctuation, and spaces but are more likely to be forgotten. WARNING: Forgotten passphrases cannot ever be recovered. Click Next to begin the key generation process. The PGP Key Generation Wizard indicates that it is busy generating your key. If you have entered an inadequate passphrase, a warning message appears before the keys are generated and you have the choice of accepting the bad passphrase or entering a more secure one before continuing. If there is not enough random information upon which to build the key, the PGP Random Data dialog box appears. As instructed in the dialog box, move your mouse around and enter a series of random keystrokes until the progress bar is completely filled in. Your mouse movements and keystrokes generate random information that is needed to create a unique key pair. After the key generation process begins, it may take a while to generate the keys. Eventually the Wizard indicates that the key generation process is complete. You’ll be asked if you want to send your new public key to a server. At the time of writing we don’t have a server that publishes keys so leave the box unchecked. Click Next followed by Finish. 3 Customising your key and keyring You are left with a PGPkey window showing public keys of other users, world-wide. These come bundled with the PGP software. You should delete these as you will be building your own list. Be careful when selecting them, that you don’t select your own keys, which should be there too. Go to the Edit menu and choose Delete. st-and.ac.uk versus st-andrews.ac.uk St Andrews has two similar, but distinct domain names - st-and.ac.uk and st-andrews.ac.uk. Most people have their mail software set up to automatically add @st-and.ac.uk to the user name in the To: field. This doesn't cause difficulties to users in the normal run of things. 106742772 Page 2 of 5 17/02/16 PGP 3 PGP, however, recognises that the two forms are different, so if the public key you are using to encode is called aa4@st-andrews.ac.uk, and Eudora is sending the message to aa4@st-and.ac.uk, confusion breaks out. Instead of automatically using the appropriate key the PC will offer you only a split second to choose the appropriate key before the dialogue box disappears and Eudora goes off into a loop from which you can only exit by hitting Alt and Esc. To avoid this happening to the people you correspond with, select your own key in PGPkeys, and choose Add/Name from the Keys menu. A dialogue box will ask you for a new name and a new email address to add to the key. Just enter the same information as you did when you first created your key, but make sure that where you entered st-and.ac.uk, this time you enter st-andrews.ac.uk. Your own key on your keyring should now look like this. If you have the problem described above when you are sending mail, try typing the full address into the TO: header in Eudora. Backing up your keys Once you have generated a key pair, it is wise to put a copy of it in a safe place in case something happens to the original. Your private keys and your public keys are stored in separate 'keyring' files, which you can copy just like any other files to another location on your hard drive or to a floppy disk. By default, the private keyring (secring.skr) and the public keyring (pubring.pkr) are stored along with the other program files in the “PGP Keyrings” folder in your PGP folder, but you can save your backups in any location you like. 4 Exchanging keys with other key owners There are various ways of making your public key available (see the user documentation accompanying the software) but perhaps the easiest is to include it in an e-mail and then verify it by phone. Follow these instructions: Sending your public key to a recipient From the Start menu choose Programs/PGP/PGPkeys. This starts the PGPkeys application. Select your entry in the PGPkeys window and then click Copy on the Edit menu. Start Eudora, choose New Message from the Message menu and put the cursor in the message area where you would normally type your message. Then click Paste on the Edit menu. You’ll see a lot of gobbledegook in the 106742772 Page 3 of 5 17/02/16 PGP 3 message window but don’t let this worry you. Enter the recipient’s address in the To: field and send the email to the recipient. The recipient then follows the instructions in the next section to put your public key on their keyring. However they must also verify that the public key has really been sent by you. . Receiving someone else’s public key If someone sends you their key in an e-mail, you should proceed as follows. First you add it to your keyring and then you verify it. Open the mail message. You should see a lot of gobbledegook enclosed in the lines: BEGIN PGP PUBLIC KEY BLOCK END PGP PUBLIC KEY BLOCK Choose Message Plug-ins from the Eudora Edit menu followed by PGP Decrypt and Verify. A window should open showing details of the key and its owner, highlighted. If there is more than one key, you can click on the Select All button followed by Import. Launch the PGPkeys application (Start/Programs/PGP/PGPkeys) and you should see the new public key entry in the window. 5 Verifying and validating keys The next step is to verify that this key really came from the person it claims to belong to. From the PGPkeys window select the recipient’s key and choose Properties… from the Keys menu. From the resulting popup window make sure that the Hexadecimal box is unchecked. You should see some lines of words in the Fingerprint section. (see over) Ring the recipient and ask them to verify that this fingerprint matches their own. They will need to follow steps 1. and 2. above but select their own key from the PGPkeys window. Ask them to read out their list of words and, if they are the same as the ones you see, the public key has indeed been sent by them. Dismiss the popup box by clicking Close. Validating keys Before you start exchanging secure e-mails with your correspondent, however, there is one more thing you should do. PGP will look at the To: section in the header of your email and automatically choose the correct public key for you intended receiver ONLY IF you have told PGP that the key is valid. To do this you must select the recipient's entry in the PGPkeys box and choose Sign from the Keys menu. You will be asked for your passphrase. Once you have signed the key, click OK. 106742772 Page 4 of 5 17/02/16 PGP 3 106742772 Page 5 of 5 17/02/16