Troubleshooting

Frequently Asked Questions


For security-related questions on algorithms, signature and encryption mechanisms and keystore protection, see Security Technology used in FAOPGP CLS.


Can I send files securely to PGP or GnuPG users ?
Yes.  FAOPGP CLS supports PGP version 5.x and later and GnuPG version 1.2.3 and later.  For PGP 7.x and later the AES algorithm at its strongest key length, 256 bits, is always used. For PGP 5.x and 6.x you must select the 'Compatibility with PGP version 5 and 6' checkbox (available from the 'Encrypt For' pull-down list box), which forces FAOPGP CLS to use the Triple DES (TDES) algorithm that those versions can decrypt.


Can I receive files securely from PGP or GnuPG users ?
Yes.  FAOPGP CLS supports PGP version 5.x and later and GnuPG version 1.2.3 and later.


Does FAOPGP CLS support detached signatures ?
Yes. A detached signature must be listed in the input files list before the file it signs. For example: "file.txt.asc, file.txt", where file.txt.asc is the detached signature and file.txt is the file over which the signature was computed.


How do I know that when I verify files they have been signed by the person that sent me the files ?
When FAOPGP CLS validates a file it first determines whether the signing key is PGP issued or PKI issued.  A PKI-issued key is checked against the list of root CAs (Trusted Authorities) held in the keystore. That list is part of FAOPGP's protected keystore, so an attacker cannot silently alter it. If the key chains to a Trusted Authority, FAOPGP CLS knows that the signature is valid and that it was made by the holder of that key. A PGP-issued key is self-signed; a key may also be self-signed under the X.509 scheme. In both cases the file's signature can still be checked, but it is up to you to establish that the person who sent you the key is really the person who signed the files (for example by confirming the key's fingerprint with them over another channel). Once you add a self-signed key to your keystore, future validation of files signed with it is automatic.


How does FAOPGP CLS know that files have or have not been modified ?
When a file is signed, a 'fingerprint' (hash value) of the whole file contents is computed and signed. To the hash function the contents are just a sequence of bits, so every bit contributes to the value. When FAOPGP CLS checks a file it recomputes the hash over the contents as received.  If the result does not match the signed 'fingerprint', the file must have been modified (or the signature was made with a different key) and FAOPGP CLS warns you that it is invalid. If the result matches, the file is valid. FAOPGP CLS uses the Secure Hash Algorithm SHA-1, an international standard, to calculate hash values. Note that practical collision attacks against SHA-1 were demonstrated in 2017 and NIST has since deprecated it for digital signatures, so a SHA-1 signature should not be relied on against an attacker who was able to prepare both versions of a document in advance.
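The check described above, as an added example in Go (not code from the original page or from FAOPGP CLS itself): the file is hashed, only the hash is signed, and the detached signature (the "file.txt.asc" of the earlier answer) is verified by recomputing the hash over the received file, so a single flipped bit or a signature made with someone else's key is rejected. RSA-PSS from the Go standard library stands in for whatever signature scheme FAOPGP CLS applies to its SHA-1 digest; the key sizes, the sample file contents and the function names are this example's own assumptions. It runs both with SHA-1, as the FAQ describes, and with SHA-256.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // registers crypto.SHA1, the digest the FAQ says FAOPGP CLS uses
	_ "crypto/sha256" // registers crypto.SHA256, the digest to prefer today
	"fmt"
)

// Fingerprint is the hash of the whole file that the signer commits to.
func Fingerprint(data []byte, h crypto.Hash) []byte {
	d := h.New()
	d.Write(data)
	return d.Sum(nil)
}

// SignDetached signs only the fingerprint and returns the signature bytes on
// their own, which is what a detached ".asc" file carries.
func SignDetached(priv *rsa.PrivateKey, data []byte, h crypto.Hash) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, h, Fingerprint(data, h), nil)
}

// VerifyDetached recomputes the fingerprint over the file as received and
// checks the signature against it; any changed bit gives a different
// fingerprint and the check fails.
func VerifyDetached(pub *rsa.PublicKey, data, sig []byte, h crypto.Hash) error {
	return rsa.VerifyPSS(pub, h, Fingerprint(data, h), sig, nil)
}

// Scenario reports whether the untouched file verifies, whether a copy with
// one flipped bit verifies, and whether the file verifies under another key.
func Scenario(h crypto.Hash) (intact, tampered, wrongKey bool, err error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed sample file contents (not from the original page).
	file := []byte("Invoice 4711: pay 1000.00 EUR to account 12-34-56\n")
	sig, err := SignDetached(signer, file, h)
	if err != nil {
		return
	}
	intact = VerifyDetached(&signer.PublicKey, file, sig, h) == nil

	// Flip one bit of the amount: '1' (0x31) becomes '0' (0x30), so the
	// invoice now reads 0000.00 while the detached signature is unchanged.
	modified := append([]byte(nil), file...)
	modified[bytes.Index(file, []byte("1000"))] ^= 0x01
	tampered = VerifyDetached(&signer.PublicKey, modified, sig, h) == nil

	// A valid signature from the wrong key must also fail.
	wrongKey = VerifyDetached(&other.PublicKey, file, sig, h) == nil
	return
}

func main() {
	for _, h := range []crypto.Hash{crypto.SHA1, crypto.SHA256} {
		intact, tampered, wrongKey, err := Scenario(h)
		fmt.Printf("%-8v intact=%v tampered=%v wrongKey=%v err=%v\n", h, intact, tampered, wrongKey, err)
	}
}
```

Only the fingerprint is signed, so the cost of signing does not grow with the size of the file, and the signature can travel separately from the file exactly as a detached signature does.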


How does someone else encrypt files for me ?
For someone to send you encrypted files that only you can read, you must first export your public protection key from Key Manager and send it to them. They then import that key into their Key Manager and select it when encrypting files for you.


How do I encrypt files for others ?
For you to send someone encrypted files that only they can read, they must first export their public protection key from their Key Manager and send it to you. You then import that key into Key Manager and select it when encrypting files for them.


Why must I have the recipient’s key before I can send them an encrypted file ?
If you want to call someone on the phone you need their phone number first; otherwise you can’t call them. Encryption works the same way: without the recipient’s public key (their ‘phone number’) you cannot produce a file that only they can open.  Unlike a phone call, though, nobody else can pick up or listen in: a file encrypted for specific recipients can only be opened with those recipients’ private keys.


If I’m just signing a file do I need the recipient’s key as well ?
No. They will, however, need your public key to verify that the signature is really yours, unless your key was issued by a public authority whose root is already in the keystore (see the list in the Security > Key Management > Authorities tab).  See self-signed keys.


Can I encrypt files for multiple recipients ?
Yes. You can encrypt a file for any number of recipients at once, and every recipient whose key is associated with the file can decrypt it. As in OpenPGP generally, the file itself is encrypted once with a randomly generated content key, and that key is then encrypted separately for each recipient’s public key, so only one copy of the file is needed: you do not have a separate copy per recipient, which matters when the file is large.  If you often send encrypted files to the same people it is easier to associate them with a group.
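How one encrypted copy of a file can serve several recipients, and why each recipient's public key must be in your Key Manager first, as an added Go example (not FAOPGP CLS's own code or file format): the file is encrypted once under a random AES-256-GCM content key, and that key is wrapped separately under each recipient's RSA public key, so anyone on the recipient list can decrypt and nobody else can. OpenPGP packages the same idea in its own packet format, so this shows the mechanism only, not an interoperable file; the key identifiers, the sample file content and the function names are the example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)

// Envelope is one encrypted copy of the file plus, per recipient, one copy of
// the content key wrapped under that recipient's public key.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte            // AES-256-GCM over the file, produced once
	WrappedKey map[string][]byte // content key under each recipient's RSA-OAEP key
}

// keyID is a short identifier derived from the public key, standing in for
// the key ID a Key Manager would display (an assumption of this example).
func keyID(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
	return fmt.Sprintf("%x", sum[:8])
}

// Encrypt encrypts plaintext once and wraps the content key for every recipient.
func Encrypt(plaintext []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKey: map[string][]byte{}}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKey[keyID(pub)] = wrapped
	}
	return env, nil
}

// Decrypt unwraps the content key with the caller's private key, if the file
// was encrypted for that key, then decrypts the single shared ciphertext.
func Decrypt(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKey[keyID(&priv.PublicKey)]
	if !ok {
		return nil, errors.New("this file was not encrypted for your key")
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Scenario encrypts one file for Alice and Bob only and reports who can read it.
func Scenario() (aliceOK, bobOK, carolOK bool, err error) {
	var keys [3]*rsa.PrivateKey
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	alice, bob, carol := keys[0], keys[1], keys[2]
	file := []byte("Q3 board pack - confidential\n") // constructed sample content
	env, err := Encrypt(file, []*rsa.PublicKey{&alice.PublicKey, &bob.PublicKey})
	if err != nil {
		return
	}
	canRead := func(p *rsa.PrivateKey) bool {
		got, e := Decrypt(env, p)
		return e == nil && string(got) == string(file)
	}
	return canRead(alice), canRead(bob), canRead(carol), nil
}

func main() {
	aliceOK, bobOK, carolOK, err := Scenario()
	fmt.Println("alice:", aliceOK, "bob:", bobOK, "carol (not a recipient):", carolOK, "err:", err)
}
```

The ciphertext is the same size whether there are two recipients or two hundred; only the small wrapped-key table grows, which is why one copy of a large file is enough.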


My company runs its own CA.  How do I recognize its signing keys automatically ?
Import the public key of your company’s CA, in .p7b format, into FAOPGP CLS using the Update Trusted Authorities function in Key Manager. This function takes a self-signed public key and declares it to be a Trusted Authority.  Note that a key imported this way cannot also be imported together with its matching private key and used to sign files or folders.  The same function can be used to replace a Trusted Authority key that you have inadvertently deleted.

Take care to verify a public key (for example by checking its fingerprint with the CA operator through an independent channel) before you make it a Trusted Authority: once it has been accepted, your keystore will automatically treat every key signed by that Authority as trusted as well.
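The two trust decisions described here and in the earlier answer on how you know who signed a file, as an added Go example (not ArticSoft's code): a signing key issued by a CA in the Trusted Authorities list is accepted automatically, a self-signed key is rejected until you import it, and once imported it is accepted from then on. The keystore's Trusted Authorities list is modelled as an x509.CertPool and the keys as X.509 certificates; the names, the ECDSA keys and the Scenario function are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template describes a certificate; ca marks a Trusted Authority that may
// sign other keys, otherwise the certificate is a plain signing key.
func template(cn string, ca bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with signerKey. A nil parent makes the certificate
// self-signed, which is how both a root CA and a lone PGP-style key look.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustedBy is the keystore check: the signer's certificate is accepted only
// if it chains to, or is itself, one of the Trusted Authorities in roots.
func TrustedBy(signer *x509.Certificate, roots *x509.CertPool) bool {
	_, err := signer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // file signing, not TLS
	})
	return err == nil
}

// Scenario returns whether a CA-issued key is trusted, whether a self-signed
// key is trusted before it is imported, and whether it is trusted afterwards.
func Scenario() (pkiIssued, selfSignedBefore, selfSignedAfter bool, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	ca, err := issue(template("Example Corp Root CA", true, 1), nil, &caKey.PublicKey, caKey)
	if err != nil {
		return
	}
	aliceKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	alice, err := issue(template("alice@example.com", false, 2), ca, &aliceKey.PublicKey, caKey) // PKI issued
	if err != nil {
		return
	}
	bobKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	bob, err := issue(template("bob@example.com", false, 3), nil, &bobKey.PublicKey, bobKey) // self-signed
	if err != nil {
		return
	}

	roots := x509.NewCertPool() // the keystore's Trusted Authorities list
	roots.AddCert(ca)
	pkiIssued = TrustedBy(alice, roots)
	selfSignedBefore = TrustedBy(bob, roots)

	// After confirming Bob's key fingerprint out of band, the user imports it.
	roots.AddCert(bob)
	selfSignedAfter = TrustedBy(bob, roots)
	return
}

func main() {
	pki, before, after, err := Scenario()
	fmt.Println("CA-issued:", pki, "self-signed before import:", before, "after import:", after, "err:", err)
}
```

Adding the company CA to the pool is the Update Trusted Authorities step: from then on every certificate it signs passes TrustedBy without any further action, which is exactly why the CA's key must be verified before it goes in.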


Why doesn’t FAOPGP CLS offer a choice of encryption algorithms ?
Choosing an encryption algorithm is a non-trivial undertaking.  The overwhelming majority of users want a product that is best of breed, not a product that demands they make choices they don’t want to have to understand.

ArticSoft have followed the most up-to-date guidance from the US National Institute of Standards and Technology (NIST), whose Advanced Encryption Standard (AES) replaced the Data Encryption Standard (DES), and have implemented the strongest key length the standard specifies (256 bits).  For public-key operations we have chosen the RSA cryptosystem (standardized for more than 10 years and internationally recognised) with key lengths of 2048 to 4096 bits. (At the time of writing most public Certificate Authorities used 1024-bit keys.)

There are many other algorithms you could choose.  But why choose something less well recognised? As a business we use ‘best of breed’ components to deliver solutions to our customers, letting them get on with their business. Tools that offer a choice for every possible technical feature offer no real advantage and ensure you have to be a real expert to use them properly.


What is a good password and how do I select one ?
The first thing to understand is what makes a bad password. The worst passwords are: password, 111111, fred, master, boss, and the name of your organization, department or unit. They are bad because they are obvious and easy to guess: an attacker will try them first.

So what are good passwords? Ones that are not dictionary words (in any language), are not made up of repeated characters, and are long enough to be hard to pick up by watching you type or to find by ‘brute force’ (trying every possible combination in turn). Saying that doesn’t really help on its own, because it is hard to know what you should actually choose: you still have to be able to remember the password.

The trick is to pick the right mixture of things that make it hard for someone else to guess or to find by searching. This is where the password system itself may not help. Ideally it should accept up to 40 characters, and they should be anything you can type on the keyboard. You may not use all 40, but if you want top quality you should at least have the chance.

Now pick something you feel comfortable typing that uses at least 8 characters, which may be anything on the keyboard. That sounds hard, but you can pick a couple of words you do know, preferably unrelated to each other, and add a few special characters so that the result is not found in a dictionary. For instance, “Table!house*”, “Knight(soil)” or “Dem0n**manager”. Other examples that could work include “1066andallthat”, “Hangthe****donkey” or “Now is the time forall men”. The last one is a quotation, but it is still hard to guess or attack, especially if the attacker does not know where the spaces are!

Passwords need to be changed from time to time, and picking a frequency is not easy. On the one hand you need to change it often if it protects something vital; on the other hand you have to be able to remember it. A long password that is not obvious generally does not need to be changed so often, so if you can cope with the typing, pick a long password and it will last longer.
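A checker for the rules in this answer, as an added Go example (not part of FAOPGP CLS): it enforces 8 to 40 keyboard characters, rejects the listed weak words and any password that is mostly one repeated character, and estimates the brute-force cost in bits from the length and the character classes actually used, which is what makes the long quotation stronger than a short mixed one. The tiny word list is constructed for the example (a real check would load full dictionaries), and treating "do not repeat characters" as "no single character may make up more than a third of the password" is this example's reading of the rule.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// weakWords stands in for a real dictionary; it is constructed for this
// example and a real check would load word lists for every relevant language.
var weakWords = map[string]bool{
	"password": true, "111111": true, "fred": true, "master": true,
	"boss": true, "table": true, "house": true, "knight": true,
}

// CheckPassword applies the FAQ's rules and returns the problems found (none
// for an acceptable password) together with a rough brute-force cost in bits:
// length times log2 of the combined size of the character classes used.
func CheckPassword(pw string) (bits float64, problems []string) {
	runes := []rune(pw)
	if len(runes) < 8 {
		problems = append(problems, "shorter than 8 characters")
	}
	if len(runes) > 40 {
		problems = append(problems, "longer than 40 characters")
	}
	var lower, upper, digit, other, offKeyboard bool
	var letters strings.Builder // letters only, lower-cased, for the dictionary check
	count := map[rune]int{}
	for _, r := range runes {
		count[r]++
		switch {
		case r > unicode.MaxASCII || !unicode.IsPrint(r):
			offKeyboard = true
		case unicode.IsLower(r):
			lower = true
			letters.WriteRune(r)
		case unicode.IsUpper(r):
			upper = true
			letters.WriteRune(unicode.ToLower(r))
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true // punctuation, symbols and space
		}
	}
	if offKeyboard {
		problems = append(problems, "contains a character that is not on the keyboard")
	}
	if weakWords[strings.ToLower(pw)] || weakWords[letters.String()] {
		problems = append(problems, "is a dictionary word or a known weak password")
	}
	for _, n := range count {
		if n*3 > len(runes) { // one character makes up more than a third of it
			problems = append(problems, "is mostly one repeated character")
			break
		}
	}
	alphabet := 0.0
	if lower {
		alphabet += 26
	}
	if upper {
		alphabet += 26
	}
	if digit {
		alphabet += 10
	}
	if other {
		alphabet += 33 // printable ASCII symbols plus space
	}
	if alphabet > 0 {
		bits = float64(len(runes)) * math.Log2(alphabet)
	}
	return bits, problems
}

func main() {
	for _, pw := range []string{"password", "111111", "Table!house*", "Hangthe****donkey", "Now is the time forall men"} {
		bits, problems := CheckPassword(pw)
		fmt.Printf("%-28q %6.1f bits  %v\n", pw, bits, problems)
	}
}
```

The bit estimate is an upper bound that assumes the attacker knows nothing about how the password was built; it is still useful for comparing candidates, and it shows why a 26-character phrase lasts much longer than a 12-character one.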



Scripting FAQs


Do I need to have a Windows account in order to create and schedule a script ?
Yes. To create and then schedule a script you need a Windows account, and you must be logged on to Windows to schedule it.  Once the script is created and scheduled you no longer need to be logged on: Windows runs the script under your Windows account in the background, without a visible logon. Bear in mind that Windows applies your account's properties (permissions, rights) to the script, so if you schedule a script to take a file from a location where your account has no read rights, the script will fail.


Will CLS run scripts regardless of whether someone is logged onto Windows or not ?
Yes. If you schedule a script to run at a certain time and you are not logged on to Windows at that time, the CLS script will still run, provided that the CLS autologin parameter was specified in the script file and that you are running a registered version of CLS (the 15-day evaluation version waits for a manual click on the trial button, so an unattended run will stall).

NOTE 1 : Scheduled scripts can only run under Windows user IDs that have a password assigned to them. You must previously have logged into Windows, created and scheduled the script, and assigned it to run under that password-protected user account.  Windows does not log that user on interactively to run the script, but it runs the script with the rights of the account for which it was scheduled.

NOTE 2 : The CLS keystore is only available to the script if you passed the CLS autologin parameters to it (so make sure you have selected the Auto Logon checkbox in the Command Editor).  If you specify neither the autologin parameter in the script file nor the -passfile parameter, the script will not run; it will wait for a user to log in to Windows and type the password for the related CLS keystore by hand.