IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
widespread use. This version is command-line oriented, but it can also be
integrated into graphical user interfaces and mail clients with add-on
programs. PGP can be obtained from various sources; among others, there are
public domain versions available from numerous WWW, FTP or mail servers.
The controversial Corporate Message Recovery (CMR) function was
introduced with Version 5. CMR offers the option of making it possible for a
third person to decrypt files or messages that have been encrypted by one
person for a second. The use of a "third key" of this type can be made
mandatory by the administrator in the configuration.
On account of the legal restrictions on the export of cryptographic products in
force in the USA, it should be ensured with all versions of PGP that they are
obtained from European suppliers or servers.
Secure installation and operation
Although PGP makes use of cryptographic procedures that are recognised as
being secure, incorrect configuration or operator errors may result in lowering
of the level of security. As with most relatively complex crypto products, the
installation and configuration of PGP, including key generation, is not entirely
easy. To prevent the possibility of operating errors creeping in, familiarisation
with the product and with certain basic cryptographic terms is essential.
In every organisation, therefore, one member of staff should familiarise himor
herself with handling PGP and be available to the others as a PGP contact
person. This person should then instruct the other users in the secure operation
of PGP. In particular, users should have intensive practice in encryption,
signatures and key management before they use PGP. It is also recommended
that a uniform version of PGP should be used within a particular organisation
in order to avoid any of the compatibility problems described above. There is
extensive documentation accompanying PGP; this should be read before PGP
is put to use. Experience shows, though, that not all users have the patience to
read the documentation, so it is advisable to draw up written instructions that
are adapted to the specifics of the organisation concerned.
If users have any questions about PGP which go beyond the scope of the
supplied documentation, there are various means of obtaining answers:
- Firstly there is a collection of the most commonly posed questions about
PGP and answers to these questions (Frequently Asked Questions - FAQ)
on the Internet, as well as guides and explanations on the subject of PGP.
- It is possible to obtain answers to PGP problems very quickly via
newsgroups such as alt.security.pgp, de.comp.security or sci.crypt.
- There are several books on PGP.
Key generation:
With PGP, all users generate their own "key pair" themselves. The following
points should be borne in mind in this connection:
- When generating RSA keys it is possible to select between various key
lengths. It should be remembered that resistance to deciphering increases
with key length, but also that performance drops. The chosen key length
should therefore be 768 bits or, preferably, 1024 bits.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000