Review: PGPfreeware 6.5.2 and SafeMail 2.1
Developer: PGP Security (a Network Associates Business)
Web (international): http://www.pgpi.com/
Price: free for non-commercial use, not readily available outside the USA and Canada due to encryption technology export restrictions.
Requirements: Power Mac with Mac OS 7.6.1 or later, 16 MB of RAM.
Developer: Highware, Inc.
Price: $39 (shareware)
Requirements: Power Mac with Mac OS 7.6 or later, 2 MB of RAM.
The US Congress recently passed legislation sanctioning the use of digital signatures for purposes such as contracts and legal documents. Essentially, a digital signature is just as valid as a written signature. Interest in digital signatures rose quickly since this legislation passed, and I began a quest for Macintosh software that would let me digitally sign my e-mail. The pickings were slim. The only two applications I found that would work with standalone e-mail applications were PGPfreeware and SafeMail. Other applications or plug-ins work with specific Web browsers to provide certification or authentication. I did not look at these applications.
E-mail digital signatures typically use the public key/private key security scheme. You create a public key for each of your e-mail accounts and upload it to one or more public key servers. The public key becomes available for anyone to access or download. A private key is created along with your public key, and you assign it a password. Your private key does not get distributed. You use your password-protected private key when you sign or encrypt (or both) your e-mail. If you send signed e-mail to someone, he can read your e-mail and verify that it truly came from you by looking up your public key. If you send encrypted e-mail to someone, she must access your public key to decrypt the message. If you encrypted and signed your e-mail, the decrypted e-mail also contains your digital signature.
Downloading and Installation
USA and Canadian users can download PGPfreeware from MIT’s Web site. You first answer four “yes/no” questions about your country of residence, expected usage, and license requirements. If you answer “yes” to all four questions, you are directed to the download page. (Note: do not bother lying about your country of origin. PGP will not download if your IP address maps to any countries other than USA or Canada.) Users outside of USA and Canada can use the international version of PGPfreeware.
The PGPfreeware download (poorly labeled as “Archive.sit”) is 5.4 MB. The full default installation (via an Installer VISE script) requires 10 MB of disk space. Installation is simple and quick. You must restart your computer to use PGPfreeware. PGPfreeware (full installation) includes three applications (PGPtools, PGPkeys, PGPnet), seven extensions, one contextual menu item, an Apple Guide document, a 220 page-PDF manual, and an 88-page PDF guide to encryption.
You download the SafeMail shareware program from Highware’s Web site. The download file is 2 MB. The full default installation requires only 2 MB of disk space. Installation (via an Installer VISE Lite script) is simple and quick. As with PGPfreeware, you must restart your computer to use SafeMail. SafeMail is compatible with PGP-based applications and can use their personal and public key files. SafeMail is comprised of the SafeMail Keyring Manager, Eudora and Sherlock plug-ins, an extension, a contextual manager file, an OpenLib Folder containing a FileCrypt application and 27 library files, and an 88-page PDF manual.
Creating Keys and Uploading Public Keys
PGPfreeware allows quick and easy creation of your private and public keys. You launch the PGPkeys application directly or from the PGP menu (a gray padlock icon, see Figure 1). You click the key icon, select New… from the Keys menu, or type Command-N to launch a “Key Generation Wizard.” The wizard walks you through the steps needed to create keys. You first enter your name and e-mail address. You then choose the type of key pair: the newer Diffie-Hellman/DSS or the older RSA.
Figure 1: Padlock Menus for PGPfreeware (grey) and SafeMail (gold)
You then select the key size (from 1024 to 4096 bits). Larger key sizes are more secure but are slower to use. Next you decide when your key should expire. (The default choice is never.) PGPkeys’ wizard then asks you to enter and confirm a passphrase containing at least eight characters. PGPfreeware recommends mixing alphabetic and non-alphabetic characters. A bar graph rates the quality of your passphrase (mixing upper and lower case and intermingling numbers and other characters increases the quality). The wizard has two passphrase security features: you can choose to hide typing while entering the passphrase and you must retype the passphrase in the confirmation box (you cannot use copy and paste).
When your passphrase is confirmed, you have the option of sending your public key to Internet servers. PGPfreeware lists two public key sites: ldap://certserver.pgp.com and http://pgpkeys.mit.edu:11371. You can manually send your public key to your domain server or to any other public key site. (You can also use preferences to add other key server choices.) Your key now appears in the PGPkeys window (Figure 2). Overall, key generation with PGPfreeware was quick and easy.
Figure 2: The PGPkeys Window
SafeMail also allows quick and easy key creation. You launch the SafeMail application directly or by choosing Keyrings… from the SafeMail menu (a gold padlock icon, see Figure 1). Selecting New Key Pair… from the Keyring menu launches (guess what) a Key Generation wizard. You enter your name and e-mail address in the first window. You choose the key pair type (DSS or RSA) and key size (768, 1024, 1536, 2048, 3072, or 4096) from a pop-up menu. You then choose Never or a specified number of days (not a date) before the key expires. SafeMail gives you the option of adding your Web site URL and other information to your public key. (Users access this by choosing Get Info on your key.)
Next comes the passphrase window. You have no options here; you must blindly type your passphrase twice. If your typing was error-free, the Create Key button becomes clickable. Key creation time was much longer than with PGPfreeware even with the same key type and size. When your key is created, SafeMail asks whether you wish to make the new key your default. The new key appears in SafeMail’s PGP Public Keys/PGP Private Keys window (Figure 3). To upload your key you choose Send Selection from the Server menu. SafeMail sends your key to www.keyserver.net:11371 unless you type a different key server URL into the dialog box. Overall, key generation was a bit slower and slightly more complicated than with PGPfreeware.
Figure 3: SafeMail’s PGP Public Keys/PGP Private Keys Window
Signing and Encrypting E-mail
Both programs use nearly identical techniques for signing or encrypting e-mail. In your e-mail program you select the portion of the e-mail you wish to encrypt (none, any, or all). You then access the padlock menu and choose your option (sign, encrypt, or both). If you just want to sign your e-mail, both programs display a small dialog box for entering your passphrase.
If you choose Encrypt (or Encrypt and Sign), you must then select a recipient’s public key. If your recipient is already known, both programs display a recipient list window (Figures 4 and 5). You choose one or more recipients. If your e-mail recipient is not listed in your public key files, you have to add the recipient.
PGPfreeware connects to certserver.pgp.com and accesses your list of recipients. This wastes time because the recipient’s key will not be listed. You must cancel this operation, launch PGPkeys, and choose Search… from the Server menu (or type Command-F). When you find the public key for your recipient, you drag it to your PGPkeys window. You then return to your e-mail program and choose Encrypt again. SafeMail also requires you to find the unknown public key by selecting Find Keys… from the Edit menu. You choose which key server to search, then enter the search information. Select the public key from the list, then click the Import button to add the public key to your keyring.
Figure 4: PGP’s Recipients WIndow
Figure 5: SafeMail’s Recipients Window
Verifying and Decrypting E-mail
Both programs verify signed e-mail by accessing the appropriate public key (attached to the e-mail, listed among your recipients, or located on a public key server). PGPfreeware silently accesses the public key and then adds information to your e-mail text about the identify of the signer. SafeMail displays a Signature Check dialog box listing the signer’s identity and key validity. SafeMail also adds information to your e-mail text. You can remove the added information by clicking the Restore Original button at the bottom of the Signature Check dialog box.
You decrypt e-mail in both programs by selecting the encrypted text (with SafeMail you only need to place your cursor within a block of encrypted text), choosing decrypt from the padlock menu, and entering your passphrase in a dialog box. Both programs rapidly decrypted text.
I used PGPfreeware for over three weeks with no problems or crashes. SafeMail frequently caused Outlook Express 5.02 to crash with type 2 or 3 errors. I also experienced three complete system crashes in less than two hours after installing SafeMail. The crashes continued even after I removed PGPfreeware from my Macintosh. SafeMail also pops up pay the shareware fee reminder screens each time you launch and whenever you try to decrypt or look up public keys.
I highly recommend PGPfreeware. It handles all your e-mail signature and encryption needs and costs nothing but download time. Its manuals and help files are excellent. PGPfreeware includes PGPnet, an application that allows you to create a virtual private network over the Internet using an encrypted tunnel. PGPfreeware also can completely wipe (beyond the ability of anyone to recover or read) individual files or all the free space on a drive.
SafeMail also handles all your e-mail signature and encryption needs. Some tasks are easier to perform with SafeMail than with PGPfreeware. However, SafeMail causes many application and system crashes and costs $39. Stay away from this program unless you truly need one of its unique features (such as restoring e-mail to original format after verifying a digital signature).