Troubleshooting
Frequently Asked Questions
For security-related questions on algorithms, signature and encryption mechanisms, and keystore protection, see Security Technology used in FAOPGP.
Can I send files securely to PGP or GnuPGP users?
Yes. FAOPGP supports versions 5.x+ of PGP and versions 1.2.3+ of GnuPGP. For versions 7.x+, the AES algorithm at its strongest strength, 256 bits, is always used. For versions 5.x and 6.x of PGP, you must select the 'Compatibility with PGP version 5 and 6' checkbox (available from the Default Settings dialog), as this forces FAOPGP to use the TDES algorithm.
Can I receive files securely from PGP or GnuPGP users?
Yes. FAOPGP supports versions 5.x+ of PGP and versions 1.2.3+ of GnuPGP.
How do I know that when I verify files they have been signed by the person that sent me the files?
When FAOPGP validates files, it checks the signing key to see if it is PGP or PKI issued. If it is PKI issued, it is checked against a list of root CAs (Trusted Authorities) contained within the keystore. The list of root CAs is part of FAOPGP's keystore and cannot be altered by hackers. If the key validates, FAOPGP knows that the person's signature is valid and that it came from that person. If the key is PGP issued, it will be self-signed. It may also be self-signed under the X.509 scheme. In both cases, if the file has been signed by such a key, it is up to you to trust that the person sending you the key is the one who signed the files. If you add this self-signed key to your keystore, future validation will be automatic.
How does FAOPGP know that files have or have not been modified?
When a file is signed, a unique 'fingerprint' (hash value) is generated. This 'fingerprint' corresponds to the whole of the file contents (which is in itself just a number of bits). When FAOPGP checks a file, it repeats the calculation over the file contents. If the result does not match the 'fingerprint', FAOPGP knows the file must have been modified and warns you that it is invalid. If the result matches, the file is valid. FAOPGP uses the Secure Hash Algorithm SHA-1, an international standard, to calculate hash values.
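The check described above, as an added example (not FAOPGP's code): the fingerprint covers the file contents only, so a rename leaves it valid while a flipped bit, a truncation or an appended byte does not. The file names and contents are constructed; `sha1` matches the page, and the algorithm name is a parameter so the same check runs with SHA-256.

```python
import hashlib
import hmac
import os
import tempfile

def fingerprint(path, algorithm="sha1", chunk_size=1 << 16):
    """Hash the whole file contents in chunks, so large files need little memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def is_unmodified(path, recorded, algorithm="sha1"):
    """Recompute the fingerprint and compare it with the recorded one."""
    return hmac.compare_digest(fingerprint(path, algorithm), recorded)

def run_checks(algorithm="sha1"):
    """Record a fingerprint, then test a rename and three kinds of change."""
    original = b"Pay 100 EUR to account 12345\n"   # constructed sample contents
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "order.txt")
        with open(path, "wb") as handle:
            handle.write(original)
        recorded = fingerprint(path, algorithm)

        renamed = os.path.join(folder, "renamed.txt")
        os.rename(path, renamed)                   # the name changes, the contents do not
        results["renamed"] = is_unmodified(renamed, recorded, algorithm)

        variants = {
            "one_bit_flipped": bytes([original[0] ^ 0x01]) + original[1:],
            "truncated": original[:-1],
            "byte_appended": original + b" ",
        }
        for label, contents in variants.items():
            with open(renamed, "wb") as handle:
                handle.write(contents)
            results[label] = is_unmodified(renamed, recorded, algorithm)
    return results

if __name__ == "__main__":
    for label, valid in run_checks().items():
        print(f"{label:16} valid={valid}")
```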
How does someone else encrypt files for me?
In order for someone to send you encrypted files that only you can view, you must first send them your public protection key from Key Manager. They can then import this key into their Key Manager and use it to send you encrypted files.
How do I encrypt files for others?
In order for you to send someone encrypted files that only they can view, they must first send you their public protection key from Key Manager. You must then import this key into Key Manager, and you can then select it to send them encrypted files.
Why must I have the recipient’s key before I can send them an encrypted file?
If you want to call someone on the phone you need their phone number first. Otherwise you can’t call them. Encryption is just the same. If you don’t have their key (phone number) you can’t talk to them. But unlike the phone service, other people can’t pick up the call or listen in when you send something protected to specific recipients.
If I’m just signing a file do I need the recipient’s key as well?
No. They will, however, need yours to verify that it is really you if you did not get it from a public authority (see the list in Authorities keys in the Security > Key Management > Authorities tab). See self-signed keys.
Can I encrypt files for multiple recipients?
Yes. Unlike most PKI systems, you can encrypt files for multiple recipients. FAOPGP enables recipients to decrypt any file which has their key associated with it. Only one copy of the file is needed for this - you do not have a separate copy of the file per recipient - which is very important if it is a big file. If you often send encrypted files to the same people, it might be easier to associate them with a group.
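How one encrypted copy can serve several recipients, as an added example (not FAOPGP's code or file format): in the usual scheme, the one OpenPGP uses, the file is encrypted once under a random session key and only that short key is encrypted separately for each recipient. Textbook RSA over fixed Mersenne primes and a SHA-256 keystream stand in for real RSA and AES here; all names and keys are constructed, and neither stand-in is fit for protecting data.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p, q):
    """Textbook RSA from two known primes: returns (public modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def keystream_xor(key, data):
    """Stand-in for the symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def encrypt_for(recipients, plaintext):
    """Encrypt the file once, then wrap the one session key for every recipient."""
    session = secrets.token_bytes(16)
    wrapped = {name: pow(int.from_bytes(session, "big"), E, modulus)
               for name, modulus in recipients.items()}
    return {"body": keystream_xor(session, plaintext), "wrapped": wrapped}

def decrypt_as(name, modulus, private_exponent, message):
    """Unwrap this recipient's copy of the session key and decrypt the shared body."""
    if name not in message["wrapped"]:
        raise PermissionError(f"no session key was wrapped for {name}")
    session = pow(message["wrapped"][name], private_exponent, modulus)
    return keystream_xor(session.to_bytes(16, "big"), message["body"])

# Constructed keys built from Mersenne primes, so the block needs no prime search.
ALICE = toy_keypair(2**127 - 1, 2**61 - 1)
BOB = toy_keypair(2**107 - 1, 2**89 - 1)

if __name__ == "__main__":
    report = b"constructed sample file contents " * 1000
    message = encrypt_for({"alice": ALICE[0], "bob": BOB[0]}, report)
    print("body bytes:", len(message["body"]), "wrapped keys:", len(message["wrapped"]))
    print("alice ok:", decrypt_as("alice", *ALICE, message) == report)
    print("bob ok:  ", decrypt_as("bob", *BOB, message) == report)
```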
Can FAOPGP decrypt text or import/verify keys contained within PGP public key blocks?
Yes. To do this you use the secure text editor - see Decrypting Secure Text.
A sample PGP public key block is shown below:
Why isn’t FAOPGP integrated into Outlook or other Windows applications?
There are two critical reasons: security and law.
Security. As has been well demonstrated by other security products that are integrated into mail (and other) applications, integration exposes the security product to the weaknesses of the applications. Plug-in supporters have had their claims of not being exposed to the weaknesses of the application comprehensively dismissed. Also, multiple plug-ins can interfere with each other. FAOPGP is not integrated, and cannot be exposed to any such problems.
Law. There are many products that add signature graphics into files to show a handwritten signature as well as the digital one. Whilst these are superficially attractive (the user hopefully sees a copy of their own signature) they have weaknesses. The user has no idea what the product has actually done. They cannot be certain that some other accidental change could not have happened. (European legislation requires that documents signed digitally must be precisely what the user saw.) Further, such signatures can only be applied to document types the product is capable of supporting. This means such methods are partial. FAOPGP does not alter any file content. There can be no question of files being altered as a result of signatures being applied. Further, the file is not altered when the signature is checked. The original signed file is always available and can be independently tested by experts without any risk.
My company runs their own CA. How do I recognize their signing keys automatically?
You can import the public key of your company’s CA in the .p7b format into FAOPGP using the Update Trusted Authorities function in Key Manager. This function allows you to import a self-signed public key and declare it to be a Trusted Authority. Please note that you can’t then import that public key and its matching private key and sign files or folders. This feature may also be used if you have inadvertently deleted a Trusted Authority key and need to replace it.
You must take care to verify a public key before you make it a Trusted Authority because once it has been accepted your keystore will automatically consider keys signed by that Authority as being trusted also.
Why doesn’t FAOPGP offer a choice of encryption algorithms?
Choosing an encryption algorithm is a non-trivial undertaking. The overwhelming majority of users want a product that is best of breed, not a product demanding they make choices they don’t want to understand.
ArticSoft have followed the most up-to-date guidance given by the US National Institute of Standards and Technology (NIST), who in their recommendation for the Advanced Encryption Standard (AES) replaced the Data Encryption Standard (DES). ArticSoft have implemented the strongest version as specified in the standard. We have also chosen the RSA public cryptosystem (standardized for more than 10 years and internationally recognised) using a key length of 2048-4096 bits. (Most public Certificate Authorities currently use 1024 bits.)
There are many other algorithms you could choose. But why would you want to choose something less well recognised? As a business we look to use the ‘best of breed’ to deliver solutions to our customers, letting them get on with their business. Tools that offer choices for every possible technical feature offer no real advantage and ensure you have to be a real expert to use them properly.
What is a good password and how do I select one?
The first thing to understand is what makes a bad password. The worst passwords are: password, 111111, fred, master, boss and whatever is the name of your organization/department/unit. Why are they bad? Because they are obvious, easy to guess and just plain stupid.
So what are good passwords? Things that are not dictionary words (in any language), do not repeat characters, and are long enough to make it hard to watch or attack using ‘brute force’ (starting from 0 and working upwards). But saying that doesn’t really help because it’s too difficult to understand what you should choose. After all, you still have to be able to remember the password.
The trick is to pick the right mixture of things that make it hard for someone else to guess or find by searching. This is where the password system may not help. Ideally it should accept up to 40 characters, and they should be anything that you can find on the keyboard. You may not use all 40, but if you want top quality at least you have the chance.
Now you need to pick something that you feel comfortable typing and that uses at least 8 characters, which may be anything on the keyboard. Well, that’s hard, but you can pick a couple of words you do know, preferably not related to each other, and add a few special characters to them so you don’t find them in a dictionary. For instance, “Table!house*”, “Knight(soil)” or “Dem0n**manager”. Other examples that could work include “1066andallthat”, “Hangthe****donkey” or “Now is the time forall men”. This last one is a quotation, but it’s still hard to guess or attack, especially if you don’t know where the spaces are!
Passwords need to be changed from time to time. Picking a frequency is not easy. On the one hand you need to change it often if it protects something vital. On the other hand you have to be able to remember it. Having a long password that is not obvious generally means you don’t need to change it so often. So if you can cope with typing, pick a long password and it will last longer.