CREATING AND EXCHANGING KEYS

advertisement
PGP 3
CREATING AND EXCHANGING KEYS
The Essentials
The following instructions may appear long and complicated, but this is largely a one-off operation, consisting of
these essential steps:
1.
2.
3.
4.
5.
1
Creating your own public-private key pair
Creating a passphrase to ensure security of your private key
Customising your key and keyring
Exchanging keys with other key owners
Verifying and validating keys
Using PGP to generate a public-private key pair
Choose from the Start menu:
 Programs
 PGP
 PGP keys
This launches the PGP Key Generation Wizard.
Click Next to advance to the next window.
The Wizard then asks you to enter your name and email address.
It’s not absolutely necessary to enter your real name or even your email address. However, using your real name
makes it easier for others to identify you as the owner of your public key. Also, by using your correct email address,
you and others can take advantage of the plug-in feature that automatically looks up the appropriate key on your
current keyring when you address mail to a particular recipient.
Click Next to advance to the next dialog box where you are asked to select a key type.
Choose Diffie-Hellman/DSS and click Next.
The Wizard asks you to specify a size for your new keys.
Select the default i.e. 2048 bits and click Next.
You are then asked to indicate when the key pair will expire. (If you are just experimenting, you should set a time
limit of a day or so on your first try-outs. Once you have become confident with the system you can choose the
default option described below.)
You should choose the default option which is Key pair never expires and click Next.
2
Creating a passphrase
The Wizard then asks you to enter a passphrase.
In the Passphrase dialog box, enter the string of characters or words you want to use to maintain exclusive access to
your private key. To confirm your entry, press the TAB key to advance to the next line, then enter the same
passphrase again. Normally, as an added level of security, the characters you enter for the passphrase do not appear
on the screen. However, if you are sure that no one is watching, and you would like to see the characters of your
106742772
Page 1 of 5
17/02/16
PGP 3
passphrase as you type, clear the Hide Typing checkbox.
! NOTE: Your passphrase should contain multiple words and may include spaces, numbers, and punctuation
characters. Choose something that you can remember easily but that others won’t be able to guess. The passphrase
is case sensitive, i.e. it distinguishes between uppercase and lowercase letters. The longer your passphrase, and the
greater the variety of characters it contains, the more secure it is. Strong passphrases include upper and lowercase
letters, numbers, punctuation, and spaces but are more likely to be forgotten.
WARNING: Forgotten passphrases cannot ever be recovered.
Click Next to begin the key generation process.
The PGP Key Generation Wizard indicates that it is busy generating your key.
If you have entered an inadequate passphrase, a warning message appears before the keys are generated and you
have the choice of accepting the bad passphrase or entering a more secure one before continuing. If there is not
enough random information upon which to build the key, the PGP Random Data dialog box appears. As instructed
in the dialog box, move your mouse around and enter a series of random keystrokes until the progress bar is
completely filled in. Your mouse movements and keystrokes generate random information that is needed to create a
unique key pair.
After the key generation process begins, it may take a while to generate the keys. Eventually the Wizard indicates
that the key generation process is complete.
You’ll be asked if you want to send your new public key to a server. At the time of writing we don’t have a server
that publishes keys so leave the box unchecked.
Click Next followed by Finish.
3
Customising your key and keyring
You are left with a PGPkey window showing public keys of other users, world-wide. These come bundled with the
PGP software. You should delete these as you will be building your own list. Be careful when selecting them, that
you don’t select your own keys, which should be there too. Go to the Edit menu and choose Delete.
st-and.ac.uk versus st-andrews.ac.uk
St Andrews has two similar, but distinct domain names - st-and.ac.uk and st-andrews.ac.uk. Most people have their
mail software set up to automatically add @st-and.ac.uk to the user name in the To: field. This doesn't cause
difficulties to users in the normal run of things.
106742772
Page 2 of 5
17/02/16
PGP 3
PGP, however, recognises that the two forms are different, so if the public key you are using to encode is called
aa4@st-andrews.ac.uk, and Eudora is sending the message to aa4@st-and.ac.uk, confusion breaks out. Instead of
automatically using the appropriate key the PC will offer you only a split second to choose the appropriate key
before the dialogue box disappears and Eudora goes off into a loop from which you can only exit by hitting Alt and
Esc.
To avoid this happening to the people you correspond with, select your own key in PGPkeys, and choose
Add/Name from the Keys menu. A dialogue box will ask you for a new name and a new email address to add to
the key. Just enter the same information as you did when you first created your key, but make sure that where you
entered st-and.ac.uk, this time you enter st-andrews.ac.uk.
Your own key on your keyring should now look like this.
If you have the problem described above when you are sending mail, try typing the full address into the TO: header
in Eudora.
Backing up your keys
Once you have generated a key pair, it is wise to put a copy of it in a safe place in case something happens to the
original. Your private keys and your public keys are stored in separate 'keyring' files, which you can copy just like
any other files to another location on your hard drive or to a floppy disk. By default, the private keyring (secring.skr)
and the public keyring (pubring.pkr) are stored along with the other program files in the “PGP Keyrings” folder in
your PGP folder, but you can save your backups in any location you like.
4
Exchanging keys with other key owners
There are various ways of making your public key available (see the user documentation accompanying the
software) but perhaps the easiest is to include it in an e-mail and then verify it by phone. Follow these instructions:
Sending your public key to a recipient
From the Start menu choose Programs/PGP/PGPkeys.
This starts the PGPkeys application.
Select your entry in the PGPkeys window and then click Copy on the Edit menu.
Start Eudora, choose New Message from the Message menu and put the cursor in the message area where you
would normally type your message. Then click Paste on the Edit menu. You’ll see a lot of gobbledegook in the
106742772
Page 3 of 5
17/02/16
PGP 3
message window but don’t let this worry you.
Enter the recipient’s address in the To: field and send the email to the recipient.
The recipient then follows the instructions in the next section to put your public key on their keyring. However they
must also verify that the public key has really been sent by you. .
Receiving someone else’s public key
If someone sends you their key in an e-mail, you should proceed as follows. First you add it to your keyring and
then you verify it.
Open the mail message. You should see a lot of gobbledegook enclosed in the lines:
BEGIN PGP PUBLIC KEY BLOCK
END PGP PUBLIC KEY BLOCK
Choose Message Plug-ins from the Eudora Edit menu followed by PGP Decrypt and Verify.
A window should open showing details of the key and its owner, highlighted.
If there is more than one key, you can click on the Select All button followed by Import.
Launch the PGPkeys application (Start/Programs/PGP/PGPkeys) and you should see the new public key entry in the
window.
5
Verifying and validating keys
The next step is to verify that this key really came from the person it claims to belong to.
From the PGPkeys window select the recipient’s key and choose Properties… from the Keys menu.
From the resulting popup window make sure that the Hexadecimal box is unchecked. You should see some lines of
words in the Fingerprint section. (see over)
Ring the recipient and ask them to verify that this fingerprint matches their own. They will need to follow steps 1.
and 2. above but select their own key from the PGPkeys window. Ask them to read out their list of words and, if
they are the same as the ones you see, the public key has indeed been sent by them.
Dismiss the popup box by clicking Close.
Validating keys
Before you start exchanging secure e-mails with your correspondent, however, there is one more thing you should
do. PGP will look at the To: section in the header of your email and automatically choose the correct public key for
you intended receiver ONLY IF you have told PGP that the key is valid. To do this you must select the recipient's
entry in the PGPkeys box and choose Sign from the Keys menu. You will be asked for your passphrase. Once you
have signed the key, click OK.
106742772
Page 4 of 5
17/02/16
PGP 3
106742772
Page 5 of 5
17/02/16
Download