Arawak Net Tutorial: Easy digital signing and message encryption using PrivacyX.com illustrated with many Netscape screen shots

DIGITAL SIGNATURES --
"ALL ABOARD, THE TRAIN IS MOVING"

If you do not know how to acquire and intelligently use digital signatures and yet you order goods and services on the internet, or you accept such orders, listen up!

You have a few weeks between now till this Fall before Your Favorite Internet Shopping Store might bid you adieu if you cannot sign off your purchases with a digital signature. The new law passed by Congress and signed by Mr. Clinton on June 30th warrants merchants to put that kind of pressure on you starting early in October.

Unfortunately, if you set out on the web to get detailed tutorials on acquiring and using digital signatures you are in for a frustrating search. VeriSign has a nice tutorial on how to acquire the "keys" you need to make signatures, and so does PrivacyX.

HOW EXACTLY, IN DETAIL, DOES ONE USE THESE THINGS?

But once you have acquired your "keys" how exactly do you use them? Well, the answer is not so simple that your 15-year-old daughter will quickly supply it, and searching the net to find that answer presented in useful tutorial detail is a long, frustrating and generally unrewarding process.

The purpose of this article is to offer some help.

This article tries to help by presenting you with a series of screen shots, along with clarifying comments, that arise from sending and receiving digitally signed and encrypted email using the services of PrivacyX.com.

The following screen shots arising from using PrivacyX's service illustrate in detail the use of digital signatures and message encryption with Netscape (v. 4.7.2 on a Macintosh). If you do not have version 4.5 or higher of Netscape Communicator get one now -- there's no charge (in dollars) for it.

Start as you would with any message:

In the Netscape Communicator menu, choose Messenger. When the Messenger window opens, click on "New Msg". Complete the parts of the New Msg. window as you would normally. Then click on the security icon as shown below.

When the next dialogue box appears, ensure that you have check marks (or put them there now) in the boxes beside "Signed" and "Encrypted", as illustrated below.

However, if you do not wish to encrypt your message uncheck the box beside "Encrypted". The discussion that follows assumes that you will have both boxes checked. This is the key step that allows some very complex things to be done for you, by Netscape, in a manner that will look easy as "one, two, three'".

Now click on the coloured icon to the left of "Signed" to close the security dialogue box and restore the normal New Msg. window. Then try to send your message by opening the File menu and selecting "Send Now".

If this is your first effort you will see the following message.

STEPS IN FINDING YOUR ADDRESSE'S PUBLIC KEY

You see this message because Netscape has not received the Distributed Key (or "public key") that corresponds to the email address to which you are sending the message. It needs that Distributed key to encrypt the text of your email message so that your text can be read only by the person whose Guarded Key is the partner of the said Distributed Key.

If your addressee had previously sent you a digitally signed message and you read it using your Netscape Messenger, that message would have contained her/his Distributed (or "public") Key as an attachment, Netscape would have known it, and you would not see the warning message above. Thus, we are supposing that you had not previously received such a message.

To be able to encrypt the message to your chosen addressee, you must obtain her/his Distributed Key. Suppose he/she had indeed acquired one. If so, you have two options. First, as the warning mentions, you can open the Netscape security window and make some selections that will cause a search to be made among three possible databanks for public keys. The second option is to use the Navigator window of Netscape and go to the PrivacyX.com site (https://www.privacyx.com), where you will see a "Find A Key" button in the left frame.

This second option will first be discussed. Then will follow some remarks about the first option. Why the second option is useful in a wide variety of circumstances is explained below, as well.

Click on the "Find A Key" button in the left frame on the main page at the PrivacyX.com site, and the following window will open.

Enter the email address as illustrated above, and click on Search. The PrivacyX computer will then do a search of its own databank of public keys, and if that search is successful you will see the following window.

If your addressee had acquired a key at PrivacyX.com, you will see a windown such as that just shown. (There are good reasons why he/she should have done so, as will be explained below.) Once you see the window above, Netscape will, when you click on Get Certificate, download and log your addressee's public key into its memory banks (and the hard disk). If you go back to the File menu and chose "Send now" Netscape will get ready to send your message without showing the warning that we have been discussing.

However, before doing so, you can use Netscape's View A Certificate command to see information about the Public Key you have just downloaded. Here is an example:

GET READY TO SHOW YOUR ULTRA-SECRET PRIVATE-KEY PASSWORD

Let us return now to the point where you open the File menu a second time and select "Send Now". Netscape has not yet digitally signed your message, and it is about to do that, using your Guarded ("private") key.

For safety's sake you should have set up your Netscape preferences so that at EVERY use of your Guarded ("private") key the user must produce the password. If you did so, you will be presented with a new demand, before Netscape sends your message:

You will be required to provide the password for your Guarded Key (and this is the password that you need to guard with almost your life, and carefully keep away from prying eyes). The demand for this ultra-secret password looks like this in Netscape:

When you supply this password correctly, Netscape will send your message. It has used that password to retrieve your private key and use it to "digitally sign" your message. The digital signature is a tiny file attached to your email, and it is a separate object from the encrypted email message.

Thus, to use an analogy, if you were ordering a ticket on a cruise from Your Favorite Travel Agent, the order would be the encrypted message (and to achieve this encryption you will need that agent's Distributed Key). Additionally, your digital signature would go along, and it would have been created using your Guarded Key (or "private key"). [Note: By the way, in the process your agent would also receive your Distributed Key, allowing her/him to send back to you an encrypted message that only you can read because only you have the Guarded Key needed to decipher that message.]

PRIVACYX OFFERS A NICE SETUP FOR LOW-COST SECRET GROUP DISCUSSION OVER THE INTERNET

Now, why did I say that your addressee should also have registered and obtained a public key at PrivacyX.com?

Well, if it is a question of placing an order for a cruise ticket with your travel agent, then you should probably use one of the more well known databases for Public Keys, and these can be accessed directly from the Netscape Security window. That is, you should probably look there for your agent's public key.

My concern here is with the far more common situation where there is use of signed and protected messages in the context of simply exchanging information confidentially with family members, friends and colleagues. There are good reasons to predict that millions of people will be using keys for this set of purposes in the near future.

Now in this situation, PrivacyX.com has a nice setup for you.

When you register you are strongly prompted to use a nickname. Then EVERY message you send out via their service will show ONLY the nickname in the "From" line, as you will see in the illustrations below. This is done automatically by their computer. Therefore, if both you and your addressee have registered at PrivacyX, you have this measure of anonymity built into your exchange of messages.

And, to top it off, PrivacyX.com's databank has stored NO PERSOINAL DEMOGRAPHIC INFORMATION about you or your addressee based on what you say when you sign up for the service; because its registration process never asks for such information!

Therefore, you and a small group of colleagues, all armed with PrivacyX.com registrations, can carry on sensitive discussions with (1) anonymity, (2) digital signatures for assurance of the origins of messages (assuming you all have been effective in guarding your Guarded Keys), and (3) encryption of messages as directed by each message sender. (And, as the screens just shown indicate, the process is almost as simple as "one, two, three".)

Thus, even if the entire discussion is housed on PrivacyX.com's computer, staff at PrivacyX.com cannot read the files, unless someone in the focus group failed to encrypt a message (in which case that message will be readable).

Here then is the basis for a genuinely private international focus group whose discussions are so sensitive that they cannot be shared outside the group until a public summary is created and approved for publication by all members of the group.

DETAILED STEPS IN THE MESSAGE DECRYPTION PROCESS

Now let us see what happens when your Favorite Travel Agent, or your colleague with whom you are carrying on secret discussions over the internet (thanks to encryption, digital signing, and automatic email-header anonymizing by PrivacyX), receives your encrypted message.

The following screen shots assume he/she is also using Netscape. (This is not a bad choice, since it is superior in being fussy about secure messaging facilities. Yes, you should have both Netscape and Explorer on your computer. As happens so often with competing software, there are some important things that one does well and others that the competition does well.)

He/she would select Messenger in the Communicator window, and then click on the Get Msg. icon. After supplying the required email password (not to be confused with the Guarded Key password), they will see a result such as what follows:

This demand for your addressee's Guarded Key password arises because you had sent a message encrypted with her/his Public Key. Netscape is asking for their Guarded Key password in order to proceed to decipher the message. Once they supply this password correctly, they will see a window such as the following:

The sentence "Thank you for your test message" is the text that had been encrypted by you and sent to your addressee. (Remember that at this point we are pretending to be the addressee seated at her/his computer console.)

The coloured emblem on the right is a Netscape message to your addressee (your agent, or colleague, e.g.) telling her/him that what he/she is now reading had arrived encrypted and digitally signed. Had the digital signature not been confirmed by Netscape, your addressee would have received a related error message. (The confirmation process takes place automatically, and before you would be shown a message such as that above.)

Thus, in summary once you have acquired your Guarded ("private') and Distributed ("public") Keys, and you know how to retrieve the public keys of others, you need little or no specialized computer knowledge or keyboard commands to do the following thing -- send others encrypted and digitally signed messages which Netscape Communicator will automatically validate, and which they can be confident have come from you (unless your Guarded key has been stolen and its password found by some means). All this assumes you are working within the Netscape environment, or another with equal simplicity of use and sophistication in treating issues in secure messaging.

The only slightly tricky step in what you have just reviewed is finding your addressee's public key, which Netscape demands for encrypting your message to that person. This is NOT integral to using digital signatures. You can digitally sign and send a message that is not encrypted. What we did above assumes that you want to both digitally sign and also encrypt your message.

As regards the tricky step just cited, our view, to repeat, is that if it is a matter of purchasing goods and services you will probably find the merchant's public key in one of the well known databases -- three are accessible via a Netscape pull-down menu. These include Netscape's own database, and that of VeriSign.

WHY YOU SHOULD LOOK CAREFULLY AT WHAT PRIVACYX OFFERS

If, however, it is a matter of exchanging anonymized, encrypted and signed email messages among two or more people, such as an international focus group that must exchange ideas with nearly zero probability of the texts being read by outsiders, then the services of PrivacyX deserve careful examination.

PrivacyX.com does not yet charge a fee, as it is currently relying on advertising revenues. However, it's ad. banners are served up to your screen by its own computers, and not by those of buccaneer third-party marketers who are only too anxious to find an opportunity to help them track your web surfing across multiple web sites. PrivacyX.com chooses what to show you on the basis of asking you what class of advert's you would like to see when you register with them.

This is a helpful company because they have set themselves up to serve you with absolutely minimal prying into your personal situation, and by design their system does not allow their staff to read any encrypted text from your messages while those messages reside on their computer. Furthermore, their computer automatically assigns your chosen 'anonymous name' to the "From" line of all your out-going email messages.

With the little bit of information PrivacyX does ask from you (essentially, your chosen nickname, your email address and what kinds of advert's you would like to have flashed on your screen), PrivacyX may not get approval as a certifier of your identity for the purposes of paying for your next N-thousand-dollar cruise tickets (even though the Guarded Key ("private key") made by your computer (not by PrivacyX.com) in setting up their service is just like any other private key in creating an unmistakable path to your door, unless someone steals your key and uses it as if they are you). But they have quite a nice setup for groups that need email privacy.

[Note: PrivacyX staff was not asked to review or approve this article in advance, and they or others may see errors, which I will promptly fix (send corrections to lestone@arawak.net). No payment or other consideration, in exchange for this tutorial that highlight's PrivacyX.com, has been discussed with PrivacyX, none is being sought, and none will be sought.

Our motivation here is simple. Big organizations hire high-priced experts to create environments for secure messaging when needed. Little People need the same power. PrivacyX has stepped up to the plate to make a contribution to this end.

Thanks also to Ambrosia Software for the award-winning SnapZPro, which allows you to make screen shots in what are normally difficult circumstances.]