FileAssurity - Trouble Shooting - General Product FAQs

Troubleshooting

Frequently Asked Questions

For security related questions on algorithms, signature and encryption mechanisms and keystore protection see Security Technology used in ContentAssurity

How do I know that when I verify content it has been signed by the person that sent me the content?
When ContentAssurity validates content, it checks the signing key against a list of personal keys and root CAs in the keystore. The list of root CAs are part of ContentAssuritys' keystore and cannot be altered by hackers. If the key validates then ContentAssurity knows that the person's signature is valid and that it came from that person. If the content has been signed by a self-signed key then it is up to you to decide if you trust that the person sending you the key is the one who has signed the content. Once you have added this key to your keystore then validation will be automatic.

How does ContentAssurity know that content has or has not been modified?
When content is signed, a unique 'fingerprint' (hash value) is generated. This 'fingerprint' corresponds to the whole of the content (which is in itself just a number of bits). When ContentAssurity checks the content, it repeats the calculation of the contents. If this calculation does not match the 'fingerprint' ContentAssurity knows it must have been modified and warns you that it is invalid. If the calculation matches then the content is valid. ContentAssurity uses the Secure Hash Algorithm SHA-1, an international standard to calculate hash values.

How does someone else protect content for me?
For someone to send you protected content they have to have your key. You must first export your protection key from Key Manager and send it to them. They can then import this key into their Key Manager and use it to send you protected information.

How do I protect content for others?
In order for you to send someone protected content that only they can view they must first export their protection key from Key Manager and send it to you. You can then import this key into Key Manager and use it to send them protected content.

Why must I have the recipient’s key before I can send them protected content?
If you want to call someone on the phone you need their phone number first. Otherwise you can’t call them. Protection is just the same. If you don’t have their key (phone number) you can’t talk to them. But unlike the phone service, other people can’t pick up the call or listen in when you send something protected to specific recipients.

If I’m just signing content do I need the recipient’s key as well?
No.

They will however need yours if you did not get it from a public authority (see the list in Authorities keys in the Security > Key Management > Authorities tab). See self-signed keys.

Can I protect content for multiple recipients?
Yes. Unlike most PKI systems you can protect content for multiple recipients. ContentAssurity enables recipients to unprotect content which has their key associated with it. Only one copy of the content is needed for this - you do not have a separate copy of the content for each recipient - important when it's a lot of content.

How do I protect content for groups?
There are two ways of doing this. One is to use the multiple recipients feature provided in ContentAssurity. You can select all the people you want to protect content for using multiple recipients and ContentAssurity sorts it out for you.

The other is to acquire a key pair from a CA and issue this to everyone in the group. When members of the group import this key pair into ContentAssurity they will be able to protect and unprotect content with this key pair. If you do this you must remember not to use it for signing content because you will have no idea which member of the group really signed it. You should only ever sign content with your personal signing key that is never shared with anyone else.

Why isn’t ContentAssurity integrated into Outlook or other Windows applications?
There are two critical reasons. Security and law.

Security. As has been well demonstrated by other security products that are integrated into mail (and other) applications, integration exposes the security product to the weaknesses of the applications. Plug-in supporters have had their claims of not being exposed to the weaknesses of the application comprehensively dismissed. Also, multiple plug-ins can interfere with each other. ArticSoft ContentAssurity is not integrated, and cannot be exposed to any such problems.

Law. There are many products that add signature graphics into content to show a handwritten signature as well as the digital one. Whilst these are superficially attractive (the user hopefully sees a copy of their own signature) they have weaknesses. The user has no idea what the product has actually done. They cannot be certain that some other accidental change could not have happened. (European legislation requires that content signed digitally must be precisely what the user saw.) Further, such signatures can only be applied to content the product is capable of supporting. This means such methods are partial. ArticSoft ContentAssurity does not alter any file content. There can be no question of content being altered as a result of signatures being applied. Further, the content is not altered when the signature is checked. The original signed content is always available and can be independently tested by experts without any risk.

My company runs their own CA. How do I recognize their signing keys automatically?
You can import the public key of your company’s CA in the .p7b format into ContentAssurity using the Update Trusted Authorities function in Key Manager. This function allows you to import a self-signed public key and declare it to be a Trusted Authority. Please note that you can’t then import that public key and its matching private key and sign content. This feature may also be used if you have inadvertently deleted a Trusted Authority key and need to replace it.

You must take care to verify a public key before you make it a Trusted Authority because once it has been accepted your keystore will automatically trust keys signed by that Authority.

Why doesn’t ContentAssurity offer a choice of encryption algorithms?
Choosing an encryption algorithm is a non-trivial undertaking. The overwhelming number of users want a product that is best of breed, not a product demanding they make choices they don’t want to understand.

ArticSoft have followed the most up to date guidance given by bodies such as the US National Institute of Science and Technology (NIST) in their recommendation for the Advanced Encryption Standard (AES) chosen to replace the Data Encryption Standard (DES). ArticSoft have implemented the strongest version as specified in the standard. We have also chosen the RSA public cryptosystem (standardized for more than 10 years and internationally recognised) using a key length of 2048 bits. (Most public Trusted Authorities currently use 1024 bits.)

There are many other algorithms you could choose. But why would you want to choose something less well recognised? As a business we use the ‘best of breed’ to deliver solutions to our customers, letting them get on with their business. Tools that offer choices for every possible technical feature offer no real advantage and ensure you have to be a real expert to use them properly.

How do I unprotect multiple content simultaneously?
You can select multiple content in a document or the whole document and paste it into ContentAssurity. ContentAssurity will process the document ignoring the unsecured content.

What is a good password and how do I select one?
The first thing to understand, is what makes a bad password. The worst passwords are: password, 111111, fred, master, boss and whatever is the name of your organization/department/unit. Why are they bad? Because they are obvious, easy to guess and just plain stupid.

So what are good passwords? Things that are not dictionary words (in any language), do not repeat characters, are long enough to make it hard to watch or attack using ‘brute force’ (starting from 0 and working upwards). But saying that doesn’t really help because it’s too difficult to understand what you should choose. After all, you still have to be able to remember the password.

The trick is to pick the right mixture of things that make it hard for someone else to guess or find by searching. This is where the password system may not help. Ideally it should accept up to 40 characters, and they should be anything that you can find on the keyboard. You may not use all 40, but if you want top quality at least you have the chance.

Now you need to pick something you feel comfortable typing, and uses at least 8 characters which may be anything on the keyboard. Well that’s hard, but you can pick a couple of words you do know, preferably not related to each other, and add a few special characters to them so you don’t find them in a dictionary. For instance, “Table!house*”, “Knight(soil)” or “Dem0n**manager”. Other examples that could work include, “1066andallthat”, “Hangthe****donkey” or “Now is the time forall men”. This last one is a quotation, but it’s still hard to guess or attack, especially if you don’t know where the spaces are!

Passwords need to be changed from time to time. Picking a frequency is not easy. On the one hand you need to change it often if it protects something vital. On the other hand you have to be able to remember it. Having a long password that is not obvious generally means you don’t need to change it so often. So if you can cope with typing, pick a long password and it will last longer.