Digital signatures and encryption

Installation and use of software

Malcolm Raggett. Created December 2004, last modified July 2008

Introduction

A digital signature is used on a document, typically an email, so that the recipient can be sure that the message really is from the sender. To achieve this, an encrytion mechanism is needed that encodes the document with the author's Private Key and adds this code as the signature to the document. The original document is not altered or encrypted in this process. Anyone who receives the document can check the signature with the widely-available Public Key of the author. If there is a postive match, you know that the document has been sent by the author and the document has not been altered since being signed.

Another use for the technology is to encrypt documents. This is a necessary safeguard if you are dealing with personal data as defined by the Data Protection Act 1998 and you are transporting or storing the data outside the secure SOAS network (e.g. on a memory stick or a laptop).

Some sections of this User Guide are based on John Michael Ashley's The GNU Privacy Handbook and the Enigmail documentation. These documents also provide useful background to the principles of encryption and to OpenPGP and GnuPG.

Applicability

There are a number of combinations of systems and software that can be used for digital signing. This Guide covers the installation of

• open source program GnuPG (GNU Privacy Guard) on
  • a PC running Windows XP SP2 ( see http://www.gnupg.org/) and
  • a Macintosh running OS-X 10.2 (see http://macgpg.sourceforge.net/)
• Enigmail plugin for the email program Thunderbird on PC and Mac
• WinPT on PC
• FireGPG extension for the Firefox browser (PC, Mac and Linux) for signing and/or encrypting messages in Google Mail
• GPGFileTool (if you want to sign or encrypt documents other than emails on a Mac)
• GPGee, an extension for Windows Explorer that adds the ability to encrypt files on a disc drive

GnuPG is the core program that provides the key management, encryption and decryption funtionality, and needs to be installed on your computer whichever email client or document authoring program you use.

Thunderbird is a good, cross-platform email client with GnuPG support. However there are plugins available for the other major email clients; Thunderbird is simply used as an example (that is known to work!) in this Guide.

You can use digital signatures with Google Mail by using the excellent Firefox browser and FireGPG extension.

Pre-requisites

You will need Administrator-level access to your computer to install the software.

Download the following software to your computer:

• GnuPG "compiled for Microsoft Windows" or GnuPG for Mac OSX 10.1 or higher
• Enigmail (and Thunderbird, if you need it) or another client for your preferred email program. (shift-click (Option-clicking on Mac) or right click on the correct version of the Enigmail module for your system and use "Save Link as..." to download the software to your desktop)
• WinPT (if you want to sign documents other than emails on a PC), or
• GPGFileTool (if you want to sign or encrypt documents other than emails on a Mac)
• GPGee (if you want to sign or encrypt files on a Windows PC)

Overview

The following steps are required to set up and use digital signatures with email on your computer:

1. install and configure GnuPG
2. generate your key pair and a revocation certificate
3. backup your keys and revocation certificate
4. publicise your public key
5. install FireGPG for Google Mail in Firefox
6. install and configure the Enigmail email client for Thunderbird
7. digitally sign email messages and check signed messages sent to you
8. optionally, install GPGee (Windows) or GPGFileTool (Mac OS X) to sign or encrypt documents other than emails
9. importing other peoples' public keys to your keyring

Detailed instructions

1. Install and configure GnuPG (Windows)

1. Create the Installation Folder
   Browse to C:\Program Files and create a new directory named GnuPG
   
2. Create your Home Directory
   Browse to C:\Documents and Settings\Username\Application Data and create a subfolder called gnupg, where Username is the login name of the user who will be using GnuPG. (If you cannot see the Application Data folder it's probably because Windows Explorer has hidden it from view. To see it, Use My Computer or Explorer, goto Tools | Folder Options... select the View tab and click the radio button called "Show hidden files and folders").
   This will be the home directory where your keyrings and configuration file will be kept.
   If there are multiple users on your system, you will need to do this for each user.
3. Extract GnuPG
   Use your compressed file program (WinZip, WinRAR, Stuffit, etc.) to extract the contents of the zip file you downloaded into C:\Program Files\gnupg
   
   If you used the GnuPG zip, you will have a directory full of files which need sorting out!
   • Create two subdirectories called Doc and Locale.
   • Move/Drag all the .mo files into the Locale directory.
   • Move/Drag everything other than the .exe files into the Doc directory
4. Modify the Path
   In order for GnuPG to work correctly, the GnuPG installation directory must be in your PATH.
   
   • To modify the path, Click on Start --> Control Panel --> System --> Advanced --> Environment Variables
     
   • Highlight the Path variable under System variables, and click Edit.
     
   • Add ;C:\Program Files\gnupg to the end of the Path.
5. Create Registry Entries
   You now need to create a set of Registry entries for the GnuPG home directories.
   Use Notepad to create a text file called gnupg_XP.reg and paste the following text into it.
   Ensure that there are no spaces at the start of each line.
   Be sure to modify the user entry in the HomeDir and OptFile lines.
   Double click on this file in Windows Explorer and answer "yes" to add the entries to the registry.
   
   REGEDIT4
   
   [HKEY_LOCAL_MACHINE\Software\GNU]
   
   [HKEY_LOCAL_MACHINE\Software\GNU\GNUPG]
   
   [HKEY_LOCAL_MACHINE\Software\GNU\GNUPG]
   "gpgProgram"="C:\\Program Files\\gnupg\\gpg.exe"
   
   [HKEY_CURRENT_USER\Control Panel\Mingw32]
   
   [HKEY_CURRENT_USER\Control Panel\Mingw32\NLS]
   
   [HKEY_CURRENT_USER\Control Panel\Mingw32\NLS]
   "MODir"="C:\\Program Files\\gnupg\\Locale"
   
   [HKEY_CURRENT_USER\Software\GNU]
   
   [HKEY_CURRENT_USER\Software\GNU\GNUPG]
   
   [HKEY_CURRENT_USER\Software\GNU\GNUPG]
   "HomeDir"="C:\\Documents and Settings\\user\\Application Data\\gnupg"
   "gpgProgram"="C:\\Program Files\\gnupg\\gpg.exe"
   "OptFile"="C:\\Documents and Settings\\user\\Application Data\\gnupg\\gpg.conf"
   
   Each user on a multi user system will need their own individual gnupg_XP.reg file and will need to carry out this step when they are logged in.
   
   If you are working on a machine where other may have access to your user area, where you use more than one computer, or where the computer cannot store personal data, you can configure GPG to use a removable drive such as a memory stick. Just alter the HomeDir and OptFile line as appropriate.
   
6. Configure GnuPG
   • You need to create the GnuPG configuration file to control how you wish GnuPG to work.
     Go to your "HomeDir" and create a new text file called gpg.conf
   • Edit the file and add the following, saving and exiting when done:
     default-recipient-self
     keyserver pgp.surfnet.nl
     default-cert-check-level 3
     keyserver-options auto-key-retrieve include-revoked include-subkeys
     no-mangle-dos-filenames
     no-secmem-warning
     
     
7. Test your installation
   The next thing that you need to do is to test that GnuPG is installed correctly and that you can run it.
   Open a Command Prompt/Dos Prompt.
   • At the prompt, type gpg --version
     
     You should see a screen of information which should look similar to this:
     
     gpg (GnuPG) 1.2.4
     Copyright (C) 2003 Free Software Foundation, Inc.
     This program comes with ABSOLUTELY NO WARRANTY.
     This is free software, and you are welcome to redistribute it
     under certain conditions. See the file COPYING for details.
     
     Home: C:/Documents and Settings/bporter/Application Data/GnuPG
     Supported algorithms:
     Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
     Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
     Hash: MD5, SHA1, RIPEMD160, SHA256
     Compression: Uncompressed, ZIP, ZLIB
     
   • At the prompt, type gpg --list-keys
     
     You will get a message similar to the following displayed:
     
     gpg: keyring: 'C:/Documents and Settings/user/Application Data/GnuPG\pubring.gpg' created
     
     (The user entry above should correspond to the username of the logged in user)

1. Install and configure GnuPG (Macintosh OS X)

1. double click the GnuPG file you downloaded. Read and agree to the licence.
2. In the resulting window of uncompressed files that appears, double click the “GnuPG for Mac OS X versionnumber.mpkg” file. This launches the installer. You will need administrator rights to install this program.
3. Enter the admin name and password.
4. Click Continue or Agree until you get to the Select a Destination window.
5. Click on the hard disc you want to use, then click continue, then Install.
6. Wait for “The software was successfully installed ” message and click close.
7. Open a Terminal window (use Finder to locate Terminal if you don't have an icon set up)
8. At the % prompt, type rehash    (this makes sure that new commands are seen by the Teminal)
9. At the % prompt, type gpg    (this sets up your keyring)
10. Type Contol+C to exit the script
11. At the % prompt, type gpg --version
    if GnuPG is working correctly, you should see output similar to this:
    
    gpg (GnuPG) 1.2.3
    Copyright (C) 2003 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.
    
    Home: ~/.gnupg
    Supported algorithms:
    Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
    Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
    Hash: MD5, SHA1, RIPEMD160, TIGER192, SHA256
    Compression: Uncompressed, ZIP, ZLIB

2. Generate your key pair and a revocation certificate (Windows and Mac)

If you have been using another PGP-compatible program or GnuPG on another computer, you can import your keys to your new installation; you do not have to generate new key pairs if you are upgrading or changing computers. If you already have your own key pairs and revocation certificates, skip to step 5. Installing Enigmail, then use Enigmail's key management to import your keys.

1. Decide on a passphase. This should be several words in length and a: easily remembered, and b: is unique and not easily guessed. You will need to enter this phrase whenever you want to sign documents, so don't make it too long either.
2. Generate a key pair:

   Open a Command Prompt/Dos Prompt (Terminal on the Mac) .
   
   At the prompt, type gpg --gen-key and follow the prompts.
   
   It is generally best to accept the default settings when promted to make a choice.

   • DSA/ElGamal is the default key type and is what most people use.
   • A 1024 key size is a reasonable compromise between performance and security.
   • You do not have to enter a comment when asked. Your name and email address are all that is requred.

   So now you have a Key Pair, but before you go on you need to know what the KeyID is so that you can identify it in the commands we are going to use later. Get yourself a pen and paper ready to make a note.
   
   At the prompt, type gpg --list-keys
   
   This will give you a listing similar to this:
   
   C:/Documents and Settings/bporter/Application Data/GnuPG\pubring.gpg
   --------------------------------------------------------------------
   pub 1024D/BB36BA75 2003-11-11 Barry Porter <barry@bpuk.net>
   sub 4096g/1F5A0D8B 2003-11-11
   
   Note down the number in the position which is shown in red above.
   This is your KeyID.

3. Generate a revocation certificate

• Create a Revocation Certificate for your secret key. You cannot delete your key once you have made it public since you may need it in future to check signatures or decrypt documents. However if your private key and passphrase become known you need a way of telling people not to use your key in future communications. This is done with a revocation certificate. You will create a revocation certificate now in case you forget your passphase.
  
  Open a Command Prompt/Dos Prompt (Terminal on the Mac) and navigate to your "HomeDir".
  
  At the prompt, type gpg --output revcert.asc --gen-revoke 0xKeyID
  (Where KeyID is the one you noted down earlier.)
  
  Important: The 0x prior to the KeyID is a "Zero" and an "x", not a "Capital O" and an "x".
  
  revcert.asc is an ASCII Armored text file containing your Revocation Certificate. You should rename it to something like "GnuPG Revocation Certficate for 0xKeyID.asc" so that if/when you find it after a few months, it will mean something to you and you won't delete it!

3. Backup your Keyring and Revocation Certificate to a VERY safe place (Windows and Mac)

You should make a copy of your keyrings and the revocation certificate and save them to a floppy disk (or better still, a CD), lock it against being overwritten, label it and put it somewhere very safe that you won't forget! You should also consider making another backup on some other media (CD, LS120, ZIP, PCMCIA Memory Card, USB Stick) and put that in another safe place. It is a good idea to have the backup in a different building to your computer.

You can use this backup to copy your key pair to other computers; you do not have to generate more key pairs if you use more than one computer or if you upgrade at a later date, but keep your private key private (i.e. in user area on the hard disc that only you can access) and do not reveal your passphrase to anyone.

4. Make your public key available (Windows and Mac)

Now that you have created your Key Pair, you should make your public key available to other users so that they may verify emails you send against the key.

There are a number of ways of doing this; some prefer to give their public key out to people who request it via an email address in the OpenPGP comment in their signatures; others publish their key on a website and place a link to it in the OpenPGP comment in their signatures; most people prefer to simply upload their keyring to a keyserver where everybody can access it as required.

To upload your public key to a keyserver,

1. open a Command Prompt/Dos Prompt (Terminal on the Mac) and navigate to your "HomeDir".
2. At the prompt, type gpg --keyserver pgp.surfnet.nl --send-keys 0xKeyID
   (Where KeyID is the one you noted down earlier.)
   Important: The 0x prior to the KeyID is a "Zero" and an "x", not a "Capital O" and an "x".
   You can substitute your chosen keyserver for pgp.surfnet.nl

5. Install FireGPG for Google Mail in Firefox

You will need a working version of Firefox, the free cross-platform Web browser. Download and install this now if you need to.

FireGPG is an extension for Firefox. You can check if it is already installed by going to Tools | Addons and looking in the list displayed. If FireGPG is not installed, do the following steps:

1. Using Firefox, go to the FireGPG Web site
2. click on Install
3. click the Download FireGPG button (you may need to tell Firefox to allow the site to download a file in the header bar)
4. a Software Installation window should open. Click the Install Now button
5. click the Restart Firefox button

To check that FireGPG is working, open a message in Google Mail and click on Reply. After a short delay you should see additional buttons saying Sign, Sign and Send, Encrypt, Encrypt and Send, Sign and encrypt, and Sign Encrypt and Send. You can configure FireGPG to only display a sub-set of these buttons if you want.

6. Install and configure Enigmail for Thunderbird (Windows and Mac)

You will need a working version of Thunderbird, the free email client for Windows, Mac OS-X and Linux. Set this up now if you need to.

Enigmail is an extension for Thunderbird, not a stand-alone program.

1. Download the appropriate version of enigmail.xpi to a temporary location such as the Desktop on your computer by either shift-clicking (Option-clicking on Mac) or right clicking on the link and selecting Save Link As...
2. To install Enigmail, Select Tools > Extensions > Install (the + button on the Mac) . Browse for the Enigmail .xpi and install it.
3. Shutdown and re-start Thunderbird to make Enigmail available.
4. If the GnuPG executable is in a non-standard directory, you should specify its location using the Enigmail Preferences panel. On Windows this is typically C:Program Files/gnupg/gpg.exe. On a Mac, it is normally /usr/local/bin/gpg.
5. To check if Enigmail has located the GnuPG executable and is ready for use, go to the Enigmail menu of the mail window and click on About Enigmail .
6. Configure the settings in both your Account and in Enigmail > Preferences before attempting to send your first mail or the mail will be sent unsigned and/or un-encrypted. If you are transfering your keys from another computer, you need to import, as a minimum, your own private/public key pair at this stage:
   1. Copy your keys folder from your old computer to a CD or USB stick. On Windows, this is normally C:Documents and Settings/username/Application Data/gnupg/. On a Mac it is normally /users/username/.gnupg
   2. Insert the copy you just made into your new computer and use Enigmail > OpenPGP key management > Key > Import key > From file. Browse to the copy and import your private keyring and your public keyring in turn. Remember to destroy the copy or keep it in a very safe place, as it has your private key on it!
7. To enable Enigmail for an account and set the signing/encryption defaults use the Tools -> Account Settings menu. Select the OpenPGP Security menu item below the account you want to configure.
   • tick the Enable “OpenPGP support” checkbox
   • You can let Enigmail select the OpenPGP key if you only have one key pair set up, or specify the OpenPGP key you want to use with the radio buttons and Select Key... button.
   • Click the Advanced... button and, in the Basis tab, copy-and-paste the following list in the keyservers line:
     pgp.surfnet.nl, pgp.mit.edu, random.sks.keyserver.penguin.de, pgp.dtype.org, keyserver.kjsl.com
   • You can check through the settings on the remaining advanced tabs, but the defaults should be a workable start.
8. To set user preferences use the Enigmail -> Preferences menu choice in the Thunderbird window. These are, in fact, the same settings you find in the Advanced window of step 7, so there shouldn't be a need to alter these at this stage.

7. Sign messages and check others' signatures

With GnuPG and Enigmail successfully set up, you are ready to sign messages you send to others:

1. Compose your message as normal.
2. click on the Enigmail menu. If the Sign Message option is ticked, press the ESC key. If it is not ticked, click where it says Sign Message.
3. Click the Send button. You will be prompted to enter your passphrase. If you enter the phrase correctly, the screen will briefly display the signed message and send it.

Note that digital signatures work unreliably with HTML messages, so it is good practice to use plain text messages if you are signing them. Holding down the SHIFT key as you click the Write button to start a new message will force a plain text message in Thunderbird.

If the recipient does not have Enigmail or an equivalent application, they will still be able to read your signed message. They will also see a signature block of apparently random text at the bottom of the message. This is the digital signature. If the recipient has Enigmail installed, Enigmail will automatically decrypt the signature with you public key, check that the message has not changed and confirm this (or not) in the message window. Enigmail does not display the signature, only the message.

There is currently no automatic way for signatures to be checked when using a Web browser to read your messages, but digital signature plugins are available for Outlook, Outlook Express, Pegasus and Eudora, and for a range of platforms. Check the GnuPG site for latest information on these clients.

8. Optionally install GPGee for documents other than emails (Windows only)

Although the commonest application for digital signatures is email, there may be a need to digitally sign or encrypt other documents such as word processed documents or spreadsheets. This can be done on Windows computers using a utility called GPGee, but note that only the textual content is verifiable with a digital signature; formatting can change and the signature can still be valid. You must have a working copy of GnuPG before installing GPGee, however you do not need an email client installed.

1. (First time only) Download and install the Windows Explorer extension GPGee from http://gpgee.excelcia.org/
2. Using Windows Explorer (shortcut: press and hold the Windows key and press E) to highlight the file you want to encrypt/decrypt
3. Right click on the file, select GPGee | Encrypt or Verify/Decrypt

8. Optionally install GPGFileTool for documents other than emails (Mac OS X only)

Although the commonest application for digital signatures is email, there may be a need to digitally sign or encrypt other documents such as word processed documents or spreadsheets. This can be done on Macintosh OS X computers using a utility called GPGFileTool, but note that only the textual content is verifiable with a digital signature; formatting can change and the signature can still be valid. You must have a working copy of GnuPG before installing GPGFileTool, however you do not need an email client installed.

To install GPGFileTool:

1. Download and unstuff GPGFileTool
2. Create an alias to GPGFileTool on your desktop

To digitally sign or encrypt a document, drag the document to the GPGFileTool icon. Click the option to sign (or encrypt) and GPGFileTool will create a copy of the document with a digital signature and the extension .gpgs. If you drag a .gpgs file to GPGFileTool you can verify the signature. If you wish to exchange a document with Windows users the most convenient way is to use a detached signature. If you receive a file with a detached signature, drag the .sig file into GPGFileTool to verify it.

9. Importing other peoples' public key to your keyring

Enigmail will check digitally signed messages you receive against public keys held on your keyring. If it doesn't find a public key from the sender there, it will try the public key servers you set up in the configuration. Checking against a public key server requires you to be connected to the Internet and causes a delay, so if you are likely to receive several messages from the same person it is a good idea to import their public key to your keyring.

You can obtain public keys either from a public key server, from ad hoc Web servers or by requesting public keys from the owner by email.

1. Locate the Web link to the public key you want to import and click it. This will display a Web page of apparently random text. Highlight the entire page of text (use CTRL+A), including the opening and closing lines and copy this to the clipboard (use CTRL+C). Use this public key as a test. You can recognise a public key file from the extension .asc.
2. In Thunderbird, click the enigmail menu and select OpenPGP key management.
3. In the OpenPGP Key Management window, select Key -> Import Key -> From Clipboard.
4. Confirm that you do want to import from clipboard and that the key is the correct one to import. This will add the key to your keyring or update an existing key if it has changed.

1. In Thunderbird, click the enigmail menu and select OpenPGP key management.
2. In the OpenPGP Key Management window, select Key -> Import Key -> From File.
3. In the Open File dialogue box, locate the file in the normal way.
4. Confirm the import of the key.

1. In Thunderbird, click the enigmail menu and select OpenPGP key management.
2. In the OpenPGP Key Management window, select Key -> Import Key -> From Keyserver.
3. Type the name or the email address of the person whose public key you want to obtain in the “Search for Key” box. The “Keyserver” dropdown box displays the first keyserver in your configuration list and there is not normally any need to change this. Click the button to start the search.
4. The search can take a short while at busy times, but you should soon see a window appear with a selection of public key matching your search term. Tick the boxes against those keys you wish to import and click to import the keys.
5. You are returned to the OpenPGP Key Management window, which should now be displaying the additional imported keys.

IT Documentation
• Policies
• Procedures
• Staff user guides
• Student user guides
• Technical guides
• Forms
• Service Levels
• Minutes of meetings
• Licences
• Surveys