Secure Instant Messaging
with other PGP tips
Let me be straight up about this: SCIM is not a product I'd care to use.
On the bright side, SCIM is a comparatively small download at just 1.5 MB. Better yet, it's freeware (for private use). And I tend to be forgiving about software that I don't have to shell out for. But not this forgiving.
Three out of four times, SCIM crashed my system when I tried to run it. This sucks even by Microsoft standards. The other issue that concerns me is the source code. Specifically, SCIM does not appear to be open source.
The Project SCIM website states that SCIM uses open source algorithms from Cryptix, but the source code for the complete messenger application can't be found on the site. Nor was Project SCIM responsive to a source code inquiry sent to their contact address. I have a tendency to mistrust crypto products that won't open source their code. So much for SCIM
Go down to your Windows system tray and right click on the PGPTray icon, select Options, then click the HotKeys tab. See those choices for "Encrypt current window" and "Decrypt & verify current window"? Select their check boxes, and pick a keystroke sequence you find convenient. (I use Ctl+Shift+C and Ctl+Shift+D, respectively).
Now, when you're messaging away, before you hit send, do a Ctl+Shift+C. You'll get the PGP public key selection screen. Once you've picked your keys, your message text will be encrypted. Now hit send.
Likewise, when you receive an encrypted IM, make sure your cursor is in the message text block, and press Ctl+Shift+D. Voila! IM decrypted.
All that, and you didn't have to download yet another proprietary software package, and make sure your friends got the same one.
Other Uses for those HotKeys
Now for most of my email, I use Eudora, which happens to have a handy-dandy plug-in to automatically interface with PGP. Neat, eh? Your POP client probably has that, too.
But I only use the plug-in to encrypt mails I send. See, I can set it up to default to signed and encrypted mails so I never forget and send an email in the clear when it really has to be private; I have to consciously opt to send something in the clear. So the plug-in is great for outgoing mail.
Incoming mail is another matter for me. Your mileage may vary, but I'm not entirely comfortable with the fact that the plug-in leaves me with unencrypted mails in my folders. Maybe I'm overly cautious, but I keep thinking, "What if someone else got access to my computer? Do I want my wife to see what's in those letters from Shel..." Never mind; let's just say, "Better safe than sorry." Instead of letting the PGP plug-in permanently open my virtual "envelopes," I just Ctl+Shift+D. Now I get the cleartext in a another window, from which I can copy the text to a email reply window, which gets encrypted in turn. This way, I never leave a cleartext message on my system.
Here's another little tip: Go to the PGP Options again. On the General tab, make sure you check "Always encrypt to default key". Now when you encrypt your email to me, you can go back and read your own message, too. I don't know how many times I've gotten an email that was encrypted only with my public key, but not the sender's own, and the sender then needed me to give him something from his own - now inaccessible - message.
That isn't the case anymore. My own computer is pretty far behind on the power curve, but it's still cranking along at 366 MHz. There's no excuse not to use 4096 bit keys. 2048 bit D-H/DSS is probably going to be pretty secure for quite a while (barring the appearance of a transcendental mathematical genius who devises a new way to factor primes), but why not go for the gusto? Repeat after me: "Better safe than sorry."
Who are you?
Please don't just generate a whole, brand new, stand-alone keypair, and revoke your old one.
Try this instead: Use the tray icon to open PGPKeys. Right click on your own key in the list, and select Key Properties. Click the Subkeys tab. You'll see a list of your encryption keys; probably you'll only have one.
Press that New button below the list. Here's where you generate your new 4096 bit key. Type "4096" into the Key Size block (the pull-down list probably only goes to 3072). Click OK. You'll be prompted for you passphrase. Once you've typed that in, your new key is made, and you'll see it in the list. To get rid of your old short key, find it in the list, click on it to highlight it, then click either the Revoke or Remove button. Revoke leaves the key in place but unusable for encryption, while Remove gets rid of it altogether.
Why make your new key through this roundabout method? Signatures.
Odds are, lots of other people signed your old key, verifying that you are really you. If you made up an entirely new keyset, you'd lose all those signatures and have to start over again. But attaching the new encryption pair to your existing keyset leaves the signatures intact. When you distribute your updated key to all your friends, they can verify immediately that this really is Joe Blow's key, and not some third party trying a spoof.
Let's see some picture ID, buddy.
What's in a name?
Me, Myself, and I
But.... If you have more than one private key on your ring, you may want to set one as the default: right click on key, Set as default. Do this with caution. If you set PGP to always sign/encrypt with your key, it'll always include the default key in the encryption list, even if you were trying to use the other one key. No big deal; just remember to remove extra keys from the encrypt-to list before you press OK.
Wipe that grin off your face.
When you "delete" a file in Windows, all you've really done is move it from whatever folder it was in to a folder named Recycled, where it sits forever if you never remember to "empty" your Recycle Bin. And even if you do empty the trash occasionally, that doesn't really delete the file either; only the data telling your drive where it once stored that file goes away. The data itself stays on the drive until it happens to get overwritten by something else that needs the space. Until that happens, your data can be read with a file recovery program.
Unless you Wipe it. Wipe not only "deletes" the file; it overwrites the data making it nonrecoverable. Your wife's divorce lawyer won't be getting those shots of you and Carmen at the office Christmas party now. To make sure you've thoroughly overwritten a file, you should tell PGP to make at least three "passes" (overwrite three times); you can set this as a default: Click the tray icon, select Options, General tab, File Wiping, Number of passes.
It's also a good idea to periodically wipe all the free space on your hard drive. This gets anything you missed, and any fragments of program temp files or Windows virtual memory. Run FreeSpace Wipe by right clicking the tray icon, select PGPTools, and click the FreeSpace Wipe button. Select the drive to be wiped, and set the number of passes.
Warning: A complete free space wipe can take quite a long time. If you can spare your computer now, press Begin. But you may want to press Schedule and set a time during the middle of the night for the wipe to be performed automatically.
Did you like this article?