Frequently Asked Questions about PGP
Contents
- PGP in General
- How secure is PGP?
- What do I have to do to make it so that every time I write an e-mail, it is signed?
- Do I have to enter my password every time I sign / decrypt a mail message?
- I forgot my private key's passphrase. Do I need to obtain a completely new private and public key?
- I pressed the decrypt/verify button and ...
- What are Share Splits, and should I use them?
- I need to switch machines. How can I transfer my private key?
- PGP at Cornell
- Do I have to use PGP?
- Do I need to use PGP if I already use Kerberos? Is PGP better than Kerberos?
- How can I add more keyservers to my PGP Freeware, in order to communicate with PGP users who store their keys elsewhere?
- Do I have to use PGP with an e-mail client? Can I use PGP with clients other than Eudora?
- Will using PGP away from campus/Ithaca pose any problems?
- Whenever I choose to sign and/or encrypt an e-mail message, as soon as I send it off it becomes an empty message in my outbox with a .ems attachment. As I like to re-read what I sent, is there any way to curtail this behavior?
- Some e-mail that I receive from PGP users shows up as an empty message with a .ems attachment. How can I read this?
PGP in General
Q - How secure is PGP?
A - Very secure, provided that you keep two things under your control: the file that holds your private key, and the passphrase that protects it. The cryptography itself is not the weak point. Ralf Senderek's article "The Protection of Your Secret Key" explains why a private key of the standard 1024- or 2048-bit length cannot practically be guessed, even by a group of supercomputers working in parallel for 300+ years, unless there is a fundamental advance in the factoring of large numbers. Two caveats apply today: 1024-bit RSA and DSA keys are no longer considered adequate against well-funded attackers, so 2048 bits should be treated as the minimum for any new key; and an attacker who obtains your secring.skr file does not need to factor anything, only to guess your passphrase, so choose a long passphrase and keep the keyring file off shared machines.
Q - What do I have to do to make it so that every time I write an e-mail, it is signed?
A - In the PGPkeys utility under Edit->Options...->Email there are checkboxes for signing by default and for encrypting by default. Check the signing box. Leave encrypting by default off unless you really want every outgoing message encrypted, since encryption requires the recipient's public key on your keyring and PGP will prompt you for one whenever it cannot find it.
Q - Do I have to enter my passphrase every time I sign / decrypt a mail message?
A - In the PGPkeys utility under Edit->Options...->General there are two checkboxes, one for caching decryption passphrases and one for caching signing passphrases, each with an adjustable time limit. By default, decryption passphrases are cached for 2 minutes and signing passphrases are not cached at all. While a passphrase is cached, anyone who can use your logged-in session can decrypt and sign as you without typing anything, so the longer the window you allow, the larger that exposure. Signing is the more dangerous of the two to cache, because a signature made in your name is hard to disown afterwards. If you loosen these settings for convenience, lock your screen whenever you step away from your machine.
Q - I forgot my private key's passphrase. Do I need to obtain a completely new private and public key?
A - Unfortunately, yes. The private key is stored encrypted under your passphrase and there is no recovery mechanism; a private key is only as good as the passphrase that protects it. Generating, signing and publishing a new keypair only takes a few minutes. Note that without the passphrase you also cannot revoke the old key, so it will remain on keyservers and people may keep encrypting to it; tell your correspondents to use the new key, and this time generate a revocation certificate right after creating the key and store it somewhere safe, so that you can retire the key later even if you forget the passphrase again.
Q - I pressed the decrypt/verify button and it says "Signature Status: bad".
A - A bad signature means that the text PGP verified is not byte-for-byte the text the sender signed (allowing for the line-ending and trailing-whitespace normalization that PGP applies to text). Either the message was altered in transit or, far more often, the sender's mail client rewrote it: Outlook Express sending HTML mail is a known offender, and re-wrapping of long lines or character-set conversion by a mail server can do the same. Ask the sender to resend as plain text. If they cannot send plain text, or the problem persists, have them sign or encrypt the text/Word document outside their mail client (with PGPtools or the Explorer context menu) and send the resulting file as an attachment, which mail software will not rewrite. Until a good signature is obtained, treat the content as unverified.
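The following is an added example, not part of the original FAQ and not PGP's own code. It shows in Python why a rewritten body produces a bad signature: it applies the normalization OpenPGP uses for text signatures (RFC 4880: trailing spaces and tabs stripped from each line, CRLF line endings) and then compares digests. A real PGP signature is an RSA or DSA signature over such a digest, so it verifies exactly when the digests match. The message text and the three transformations (trailing whitespace plus CRLF, HTML wrapping, re-wrapping at 40 columns) are constructed for the example.

```python
import hashlib
import textwrap

# Constructed sample body, standing in for the text the sender signed.
ORIGINAL = (
    "Please approve the attached purchase order by Friday.\n"
    "The total is $4,200 and the vendor is Acme Supply.\n"
)


def canonicalize(text: str) -> bytes:
    """Normalize text the way OpenPGP does before hashing a text-mode or
    cleartext signature (RFC 4880, sections 5.2.1 and 7.1): trailing spaces
    and tabs are removed from every line and line endings become CRLF."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("utf-8")


def text_digest(text: str) -> str:
    """Digest over the canonical form. Only the digest is computed here; a
    real PGP signature is an RSA/DSA signature over this value, and it
    verifies exactly when sender and recipient compute the same digest."""
    return hashlib.sha256(canonicalize(text)).hexdigest()


def signature_is_good(signed_text: str, received_text: str) -> bool:
    """Stand-in for PGP's verify: good iff the digests agree."""
    return text_digest(signed_text) == text_digest(received_text)


# Transformations a mail path may apply between sender and recipient.
def add_trailing_whitespace_and_crlf(text: str) -> str:
    """Harmless: trailing blanks and CRLF endings are normalized away."""
    lines = text.rstrip("\n").split("\n")
    return "\r\n".join(line + "   " for line in lines) + "\r\n"


def wrap_as_html(text: str) -> str:
    """Destructive: the body is re-encoded as HTML (the Outlook Express case)."""
    body = "<br>".join(text.rstrip("\n").split("\n"))
    return "<html><body><p>" + body + "</p></body></html>\n"


def rewrap_lines(text: str, width: int = 40) -> str:
    """Destructive: a server or client re-flows the paragraph at a new width."""
    return textwrap.fill(text.replace("\n", " ").strip(), width) + "\n"


def verification_report(signed_text: str) -> dict:
    """Signature status for each constructed transformation of signed_text."""
    return {
        "unchanged": signature_is_good(signed_text, signed_text),
        "trailing whitespace + CRLF": signature_is_good(
            signed_text, add_trailing_whitespace_and_crlf(signed_text)),
        "HTML mail": signature_is_good(signed_text, wrap_as_html(signed_text)),
        "re-wrapped": signature_is_good(signed_text, rewrap_lines(signed_text)),
    }


if __name__ == "__main__":
    for case, ok in verification_report(ORIGINAL).items():
        print(f"{case:28s} Signature Status: {'good' if ok else 'bad'}")
```

The first two cases verify and the last two do not, which is the whole story behind "Signature Status: bad": nothing about the keys is wrong, the bytes simply changed. Attaching a file signed outside the mail client sidesteps this because attachments travel unmodified.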
Q - I pressed the decrypt/verify button and it has just a 0xBLAHBLAH string as the Sender.
A - The hexadecimal string is the key ID of the key that made the signature. PGP shows it in place of a name because that public key is not on your keyring, so it could neither verify the signature nor tell you who signed. Import the sender's public key into PGPkeys (from a keyserver, or from a file the sender gives you) and verify again. Before you sign or rely on that key, confirm its fingerprint with the sender through some channel other than e-mail; a key ID alone is no proof that the key belongs to the person named on it.
Q - I pressed the decrypt/verify button and it has the right Sender, but it also says (Invalid) after the name/e-mail.
A - The signature itself checked out, but PGP does not yet consider the signing key valid, that is, it has no evidence that the key really belongs to the person named on it. A public key on your keyring is "Invalid" until it has been either a) signed by a key that you have yourself signed as a trusted introducer or meta-introducer (at Cornell this is Cornell's PGP Admin key), or b) signed directly by your own default signing key (usually your default private/public key pair) after you checked the fingerprint with its owner. To see which signatures a key carries, expand the [+] icons next to and underneath that key's entry in PGPkeys.
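As an added example (not code from the original page or from PGP), the following Python models how validity is derived from signatures. It goes a little beyond the page in handling the full chain defined by OpenPGP trust signatures (RFC 4880 section 5.2.3.13): level 0 is a plain certification, level 1 makes the signed key a trusted introducer, level 2 makes it a meta-introducer that can appoint trusted introducers. It assumes a single fully trusted own key and ignores PGP's marginal-trust settings; every key ID and signature in it is constructed for the example.

```python
from typing import Dict, List, NamedTuple


class Signature(NamedTuple):
    signer: str   # key ID of the key that made the signature
    signee: str   # key ID of the key being certified
    level: int    # 0 = plain certification, 1 = trusted introducer, 2 = meta-introducer


OWN_DEPTH = 1000  # your own key may introduce anything (effectively unlimited)


def compute_validity(own_key: str, signatures: List[Signature]) -> Dict[str, int]:
    """Return the introducer depth of every key that is valid, i.e. reachable
    from own_key through signatures made by valid introducers.

    Depth 0 means valid but unable to vouch for others; depth 1 means a
    trusted introducer; depth 2 a meta-introducer. A signature at level L by
    a signer of depth d grants the signee depth min(L, d - 1), so a
    meta-introducer can appoint introducers but not further meta-introducers.
    Keys absent from the result are what PGPkeys shows as (Invalid)."""
    depth = {own_key: OWN_DEPTH}
    changed = True
    while changed:                       # fixpoint: signatures may be in any order
        changed = False
        for sig in signatures:
            signer_depth = depth.get(sig.signer)
            if signer_depth is None or signer_depth < 1:
                continue                 # signer is invalid, or valid but no introducer
            granted = min(sig.level, signer_depth - 1)
            if granted > depth.get(sig.signee, -1):
                depth[sig.signee] = granted
                changed = True
    return depth


def status(key: str, validity: Dict[str, int]) -> str:
    """The label PGPkeys would print next to the key's name."""
    return "Valid" if key in validity else "Invalid"


# Constructed keyring: IDs are placeholders, not real Cornell keys.
ME, ADMIN = "0xDEADBEEF", "0xAD111111"
ALICE, BOB, CAROL, DAVE = "0xA11CE000", "0xB0B00000", "0xCA201000", "0xDA7E0000"
STRANGER1, STRANGER2 = "0xEEEE0001", "0xEEEE0002"

SAMPLE_SIGNATURES = [
    Signature(ME, ADMIN, 2),        # I signed the PGP Admin key as meta-introducer
    Signature(ADMIN, ALICE, 1),     # Admin vouches for Alice and makes her an introducer
    Signature(ALICE, BOB, 0),       # Alice vouches for Bob (plain certification)
    Signature(BOB, CAROL, 0),       # Bob vouches for Carol, but Bob is no introducer
    Signature(ME, DAVE, 0),         # I signed Dave's key myself after a fingerprint check
    Signature(STRANGER1, STRANGER2, 2),  # unrelated keys vouching for each other
]


def sample_statuses() -> Dict[str, str]:
    validity = compute_validity(ME, SAMPLE_SIGNATURES)
    return {k: status(k, validity)
            for k in (ADMIN, ALICE, BOB, CAROL, DAVE, STRANGER2)}


if __name__ == "__main__":
    for key, label in sample_statuses().items():
        print(f"{key}  ({label})")
```

Carol's key shows (Invalid) even though Bob's signature on it is perfectly good, which is the situation the question describes: a verified signature from a key that nobody you trust has vouched for. The fix is always another signature, yours or a trusted introducer's, never an edit to the key.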
Q - What are Share Splits, and should I use them?
A - Share splitting divides a private PGP key into several shares held by different "shareholders", so that no single person holds the whole key. It works like a safe deposit box that needs several keys turned at once: when the key is split you choose how many shares exist and how many of them must be brought together to reconstitute it, and nobody can decrypt or sign with the key until that many shareholders have contributed their shares. Splitting affects only the private key, so it can certainly be done with PGP keys used at Cornell, and your correspondents see no change to the public key. It is not necessary for normal individual use; it is meant for keys that belong to a group or a role, where you want to prevent any one holder from acting alone.
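To show what a share split actually does, here is an added Python example (not text from the original page and not PGP's own implementation) that splits a byte string into n shares of which any k reconstruct it and fewer reveal nothing, using Shamir's polynomial secret sharing over a prime field. The secret bytes are a constructed stand-in for the contents of a private key file, and splitting works in 64-byte chunks so that each chunk fits below the prime.

```python
import secrets
from typing import List, NamedTuple, Tuple

P = 2**521 - 1   # Mersenne prime; any 64-byte chunk is an integer below it
CHUNK = 64


class Share(NamedTuple):
    x: int          # shareholder number, 1..total
    required: int   # how many distinct shares must be combined
    length: int     # byte length of the original secret
    ys: List[int]   # one polynomial value per 64-byte chunk


def _eval_poly(coeffs: List[int], x: int) -> int:
    acc = 0
    for c in reversed(coeffs):           # Horner's rule, coefficients low to high
        acc = (acc * x + c) % P
    return acc


def split_key(secret: bytes, total: int, required: int) -> List[Share]:
    """Split secret into `total` shares, any `required` of which rejoin it."""
    if not 1 < required <= total:
        raise ValueError("need 1 < required <= total")
    chunks = [secret[i:i + CHUNK] for i in range(0, len(secret), CHUNK)]
    ys = {x: [] for x in range(1, total + 1)}
    for chunk in chunks:
        # Random polynomial of degree required-1 whose constant term is the chunk.
        coeffs = [int.from_bytes(chunk, "big")]
        coeffs += [secrets.randbelow(P) for _ in range(required - 1)]
        for x in ys:
            ys[x].append(_eval_poly(coeffs, x))
    return [Share(x, required, len(secret), ys[x]) for x in ys]


def _interpolate_at_zero(points: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation of the constant term from (x, y) points mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def _combine_unchecked(shares: List[Share]) -> List[int]:
    """Interpolate each chunk with whatever shares are given, threshold or not.
    With fewer than `required` shares the result is uniformly random garbage."""
    n_chunks = len(shares[0].ys)
    return [_interpolate_at_zero([(s.x, s.ys[k]) for s in shares])
            for k in range(n_chunks)]


def rejoin_key(shares: List[Share]) -> bytes:
    """Reconstitute the secret; refuses to proceed below the threshold."""
    required, length = shares[0].required, shares[0].length
    distinct = list({s.x: s for s in shares}.values())
    if len(distinct) < required:
        raise ValueError(f"{required} distinct shares are required, got {len(distinct)}")
    values = _combine_unchecked(distinct[:required])
    return b"".join(v.to_bytes(min(CHUNK, length - k * CHUNK), "big")
                    for k, v in enumerate(values))


# Constructed stand-in for a private key file; the leading NUL byte checks
# that leading zeros survive the integer round trip.
SAMPLE_KEY = b"\x00" + b"constructed stand-in for the bytes of secring.skr " * 3


if __name__ == "__main__":
    shares = split_key(SAMPLE_KEY, total=5, required=3)
    print(rejoin_key([shares[4], shares[0], shares[2]]) == SAMPLE_KEY)  # True
    print(_combine_unchecked(shares[:2])[0] == int.from_bytes(SAMPLE_KEY[:64], "big"))  # False
```

Two shares of a 3-of-5 split give no partial information: the interpolated value is just another random field element. That is the property that makes a split key safe to distribute among holders who do not all trust each other, and also why losing more than n-k shares loses the key for good.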
Q - I need to switch machines. How can I transfer my private key?
A - On Windows, your private keys are stored in a file called secring.skr, which normally installs to the folder "C:\Program Files\Network Associates\PGPNT\PGP Keyrings". On Mac OS, the PGP Private Keys file is kept in the PGP Keyrings folder in the PGP 6.5 folder, which is normally in your Applications folder. Copy this file to the same location on the new machine, then run "Import" from the Keys menu in the PGPkeys utility on the destination machine; you will be asked for the key's passphrase. The private key inside the file is encrypted under that passphrase, but the file is still the one thing an attacker most wants, so move it on removable media or over a connection you trust rather than by unencrypted e-mail, and afterwards wipe it from the old location and from the medium you used (the Wipe function in PGPtools does this) so that as few copies exist as possible. Keeping one home and one office installation is a reasonable exception.
Never use PGP on public or lab machines: your passphrase can be captured there, and a copy of your keyring can be left behind for the next user.
PGP at Cornell
Q - Do I have to use PGP?
A - No. PGP is completely optional and is intended primarily for people who are comfortable working through the initial setup and configuration steps. Some departments may begin requiring PGP (or some other form of PKI) for certain types of documents or e-mails that need reliable digital signatures; the IT staff of such departments are expected to be familiar enough with PGP and the process to help their end users.
Q - Do I need to use PGP if I already use Kerberos? Is PGP better than Kerberos?
A - Neither replaces the other: PGP and Kerberos perform entirely separate functions at Cornell, and there is no overlap between them.
Kerberos authenticates your identity (NetID) to a Cornell service. For e-mail, this means logging in to the POP server with your Kerberos ticket and retrieving your mail; it says nothing about who wrote a message or whether anyone else could read it.
PGP has no role in any real-time services at Cornell such as e-mail transport, secure web pages, Colts, JTF, etc. It is strictly used for signing and/or encrypting documents with PGP keys. When those documents are e-mail messages in a mail client, PGP does its work before the message is sent or after it has been received; it does not interact with POP, SMTP, or any other network operation. The protection therefore travels with the message itself: a signed message can be verified by anyone holding your public key, and an encrypted message stays unreadable on every server and in every mailbox it passes through, which no login mechanism can provide.
Q - How can I add more keyservers to my PGP Freeware, in order to communicate with PGP users who store their keys elsewhere?
A - From the Edit menu in the PGPkeys application, choose Options on Windows or Preferences on a Mac, then click the Server tab. The New... button adds a server to the list in this window. Selecting a server already in the list lets you move it up or down and choose which one is the "root" server. For convenient use of PGP at Cornell, keep pgpkeys.cit.cornell.edu:11371 as the root and topmost entry. Remember that keyservers do not check who uploads a key: a key retrieved from any server is only as trustworthy as the signatures on it and the fingerprint check you perform with its owner.
Q - Do I have to use PGP with an e-mail client? Can I use PGP with clients other than Eudora?
A - PGP is not tied to any particular software. Any file of any type can be encrypted, decrypted, signed or verified from the right-click context menu in an Explorer window or with the standalone PGPtools application, so you can protect a document first and then attach it to a message from any mail client. Because most people do use PGP with e-mail, the PGP Freeware also comes with plugins that integrate PGP more closely with popular e-mail clients such as Eudora.
Q - Will using PGP away from campus/Ithaca pose any problems?
A - No. PGP can be used anywhere you have the software installed and access to your private and public keyrings; it needs no connection to a Cornell server, and a keyserver is only contacted when you look up a key you do not already have. It is recommended that you keep the number of separate places your private keys are stored as small as is practical, since every copy is one more that can be lost or stolen.
Q - Whenever I choose to sign and/or encrypt an e-mail message, as soon as I send it off it becomes an empty message in my outbox with a .ems attachment. As I like to re-read what I sent, is there any way to curtail this behavior?
A - Yes, Eudora has a setting that does this, but if you encrypt your messages it will leave the plaintext copies sitting in your outbox. It is therefore only sensible from a security standpoint if you mostly just sign your messages. If you do use encryption, delete the plaintext message from your outbox after sending, or save it as an encrypted text document on your local machine. The alternative that keeps your sent copies both encrypted and readable is to leave the .ems behavior alone and turn on "Always encrypt to default key" in PGPkeys (Edit->Options...->General), so that every message you encrypt is also encrypted to your own key and you can open your outbox copy with your passphrase.
To prevent your messages from being converted into .ems attachments on Windows, first make sure Eudora is not running, then under the [Settings] entry in your deudora.ini (or eudora.ini for older versions) file, add the line
allowcompletionplugins=0
Q - Some e-mail that I receive from PGP users shows up as an empty message with a .ems attachment. How can I read this?
A - Most default installations of Eudora should allow you to simply click on the attachment and be prompted for your private key passphrase to decrypt (if the message was encrypted), after which the text of the message will be displayed inline.
- If this doesn't work, try opening the attachment through Eudora's File menu. On Windows, choose Open File then locate the actual file in your attachments folder; on a Macintosh, click once on the attachment to highlight it, then choose Open Selection.
- If this still fails, you'll need to determine which version of Eudora you are running and how your machine is configured to handle various file extensions such as *.ems. Consult the CIT HelpDesk for assistance.
Last modified: May 25, 2007