MXC Software provides low cost software to protect your digital assets.  

  Why should I use encryption?
  What are the best known encryption and hash algorithms for practical daily use?
  What is the difference between a login name and certificate common name?
  iSafeguard™ supports several encryption and signature algorithms. Which algorithms should I use?
  What is the encryption algorithm used in Personal Information Editor?
  What is two factor security?
  I am not asked to enter a pass phrase when opening a PIE file. Why?
  Where is my profile stored?
  How do signing and encrypting in iSafeguard™ work?
  There are two key lengths, 2048 and 128, I am confused.
  When I hit hotkeys nothing happens. Why?
  What is the man-in-the-middle attack?
  How can I secure my profile?
  Can encrypted emails carry viruses?
  Why can't I decrypt encrypted emails I received?
  I encrypted some data with one of my certificates stored on my computer. However I can't decrypt the data and get error "Invalid type specified." What is going on?
  How can I delete a certificate and the related keypair from my computer?
 

FAQ

If you have any questions about how the software works, or about related topics, we would love to hear from you. Send your questions to help@mxcsoft.com.

Why should I use encryption?

Well, you don't have to. Actually encryption adds extra inconvenience. For example, if you want to open an encrypted file you have to decrypt it first. Once done you have to encrypt it again. To read an encrypted email, you have to hit a hot key to decrypt the encrypted message.

But remember that there are many prying eyes trying to find out your secrets. Some may be merely curious; others may really want to steal your sensitive information for their own benefit. Without the protection (and its inconvenience) you are vulnerable.

iSafeguard™ simplifies the user interaction without compromising security. You can, for example, open your encrypted file with one context menu selection; or encrypt your email message with a single hot key. Actually once you get used to using encryption software you will feel much better and be glad that you use one.

What is the difference between a login name and certificate common name?

The iSafeguard™ login name is the name that you use to log in to the system. The combination of your login name and login pass phrase is used to decrypt your private key stored in your profile.

The name in a certificate is the name shown in the certificate manager; your recipients will also see that name when you sign a message.

What is the encryption algorithm used in Personal Information Editor?

168-bit 3DES and RSA.

Remember that you must choose an RSA key length of at least 2048 to get the full security 3DES provides. If you choose a 1024-bit RSA key, for example, you won't get the full security 3DES provides. The security is only as strong as the weakest link.

What is two-factor security?

Two-factor security says that to access something protected you need

  1. Something you have, and
  2. Something you know.

It is probably one of the best security models.

iSafeguard™ follows this model. To decrypt a file or access something encrypted you must

  1. Have your profile (something you have), and
  2. Know your pass phrase (something you know).

I am not asked to enter a pass phrase when opening a PIE file. Why?

The Personal Information Editor uses RSA and 3DES. That is why every time you run the editor you are required to log in. Your login name and pass phrase are required to access your profile. When loading a PIE file, the private key of your choice is used. When saving a PIE file, the corresponding public key is used.

Therefore you only need to remember one pass phrase instead of a pass phrase for every PIE file, which makes your life a little bit easier.

Where is my profile stored?

By default your profile is stored in your "My Documents" directory, but you can move it somewhere else. To find the location of your profile, log in to iSafeguard™ and start the Options dialog box from the taskbar menu. On the first tab you will find your profile path.

How does signing and encrypting in iSafeguard™ work?

iSafeguard™ uses the RSA PKCS #7 Cryptographic Message Syntax (CMS) Standard published by RSA Laboratories, a division of RSA Data Security, Inc. Details on this specification are available on their Web site http://www.rsa.com.

When encrypting data, a session key is generated and used to encrypt the data. The intended recipients' public keys are then used to encrypt the session key. Finally, the encrypted session key and the encrypted message are sent to the recipients.

When decrypting, one recipient's private key is used to decrypt the session key. The session key is then used to decrypt the message.

When signing, the message is digested to generate a hash value using SHA1 or MD5, then the hash value is encrypted with the signer's private key to generate a digital signature.

When signing and encrypting, the message is first signed with the signer's private key and then encrypted with the recipients' public keys.

There are two key lengths, 2048 and 128, I am confused.

If RSA were fast enough you would have one key length instead of two. RSA is rarely used to encrypt a message because it is much slower than 3DES and RC2. Therefore a 3DES or RC2 session key is used to encrypt the message, and an RSA key is used to encrypt the session key, which is much shorter than the message. Refer to FAQ: How does signing and encrypting in iSafeguard™ work? for more information.

The 2048 key length is the RSA key pair length and the 128 key length is the session key length. If 3DES is used the session key length is 168 bits.
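The two key lengths in one exchange, as an added example that is not iSafeguard™ code: a short session key encrypts the message once, and each recipient's 2048-bit RSA public key encrypts only that session key. It assumes the Python `cryptography` package, and it uses AES-128-GCM and RSA-OAEP in place of the 3DES/RC2 and PKCS #7 encoding named above; the recipient names are made up.

```python
# Added example: hybrid (session-key) encryption for several recipients.
# Assumption: AES-128-GCM and RSA-OAEP stand in for 3DES/RC2 and PKCS #7.
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def envelope(message, recipient_public_keys):
    """Encrypt once with a fresh session key, then wrap that key per recipient."""
    session_key = AESGCM.generate_key(bit_length=128)  # the short key length
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, message, None)
    wrapped = {name: public_key.encrypt(session_key, OAEP)
               for name, public_key in recipient_public_keys.items()}
    return {"nonce": nonce, "ciphertext": ciphertext, "wrapped_keys": wrapped}


def open_envelope(env, name, private_key):
    """Unwrap the session key with one recipient's private key, then decrypt."""
    session_key = private_key.decrypt(env["wrapped_keys"][name], OAEP)
    return AESGCM(session_key).decrypt(env["nonce"], env["ciphertext"], None)


def demo():
    # Constructed recipients with freshly generated 2048-bit RSA key pairs.
    keys = {name: rsa.generate_private_key(public_exponent=65537, key_size=2048)
            for name in ("alice", "bob")}
    message = b"constructed sample message " * 1000
    env = envelope(message, {n: k.public_key() for n, k in keys.items()})
    return {
        "alice_ok": open_envelope(env, "alice", keys["alice"]) == message,
        "bob_ok": open_envelope(env, "bob", keys["bob"]) == message,
        # RSA only ever processes the 16-byte session key: 256 bytes out each.
        "wrapped_len": {n: len(w) for n, w in env["wrapped_keys"].items()},
        # The bulk ciphertext grows only by the 16-byte GCM tag.
        "overhead": len(env["ciphertext"]) - len(message),
    }


if __name__ == "__main__":
    print(demo())
```
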

When I hit hot keys nothing happens. Why?

First check to make sure you are logged in. If you are not, the hot keys will not work, since you need to access your private keys and certificates. To find out if you are logged in, look for the golden lock icon on the task bar (see figure below). If you can't find the lock you are not logged in.

Next make sure you click once in the window that contains the content you want to sign and encrypt or decrypt and verify. This gives that window the input focus. Remember that hot keys work with the window that has the input focus.

What is the man-in-the-middle attack?

It is possible that someone might intercept your certificate (public key) and replace it with his own. This is the so-called man-in-the-middle attack. In this way the attacker could intercept any encrypted email intended for you, decrypt it using his own private key, then encrypt it again with your real certificate and send it on to you as if nothing had ever happened.

Therefore it is very important to verify the certificates you receive from your friends by checking the thumbprints of the certificates with your friends. Once the thumbprints of the certificates you received are verified, you can be sure your communications are secure.
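A thumbprint check in code, as an added example that is not part of iSafeguard™: it hashes the certificate you received and compares the result with the thumbprint your friend gives you over another channel. It assumes the thumbprint is the SHA-1 digest of the DER-encoded certificate; the two "certificates" are constructed stand-in bytes, and all function names are made up for this example.

```python
# Added example: compare a received certificate with a thumbprint obtained
# out of band. Assumption: thumbprint = SHA-1 over the DER certificate bytes.
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def thumbprint(der, algorithm="sha1"):
    return hashlib.new(algorithm, der).hexdigest().upper()


def normalise(stated):
    # Drop spaces, colons, dashes and the invisible left-to-right mark that
    # can come along when a thumbprint is copied from a certificate dialog.
    return re.sub(r"[\s:\-\u200e]", "", stated).upper()


def verify(pem, stated, algorithm="sha1"):
    want = normalise(stated)
    full_length = hashlib.new(algorithm).digest_size * 2
    if len(want) != full_length or not re.fullmatch(r"[0-9A-F]+", want):
        raise ValueError("need the complete thumbprint, not a prefix")
    return hmac.compare_digest(thumbprint(pem_to_der(pem), algorithm), want)


def to_pem(der):
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample data: stand-in bytes, not real X.509 certificates.
GENUINE = to_pem(b"constructed stand-in for the friend's DER certificate")
SUBSTITUTED = to_pem(b"constructed stand-in for a swapped-in certificate")


def read_aloud(pem):
    """Thumbprint as the friend might send it: lower case, spaced, stray mark."""
    digits = thumbprint(pem_to_der(pem)).lower()
    return "\u200e" + " ".join(digits[i:i + 2] for i in range(0, len(digits), 2))
```

`verify(GENUINE, read_aloud(GENUINE))` returns True, the substituted certificate returns False against the same thumbprint, and a shortened thumbprint is rejected instead of being matched on its first few digits.
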

How can I secure my profile?

To secure your profile you must choose a good pass phrase that is hard to guess. Optionally, also do the following:

  • Rename your profile to something like WinEtc.dll and move it to your Windows system directory, where thousands of DLLs reside. This makes it harder to find your profile.
  • A better way to protect your private keys is to use a Smartcard/Security Token. In most cases the private keys stored in a Smartcard/Security Token cannot be exported. This effectively prevents anyone from stealing your private keys.

Can encrypted emails carry viruses?

Yes, they can, just like regular emails.

However, a signed and/or encrypted email before decryption is nothing more than text. When you receive such an email it is safe to open it with your email program.

But if you view the content with the iSafeguard™ mini-viewer, the viewer will decrypt and display the content. This could run malicious code if there is any in the email.

It is strongly recommended that you do the following:

  1. Insist that your correspondents sign all emails sent to you. Since signing an email must be done manually, this eliminates the possibility of malicious code faking a digital signature.
  2. Check the crypto properties of the email. Checking crypto properties is safe even if there is malicious code in the email content.
  3. Make sure the email's signer is trusted by validating the signer's certificate. Don't automatically trust the sender's identity shown in your email program; it could be fake or misused. But the signer's digital signature will never fool you.
  4. If you trust the signer you may then use the mini-viewer to display the content. Otherwise delete it from your inbox.

Why can't I decrypt encrypted emails I received?

When you receive an encrypted email message you can read it with the hot key (Ctrl+Shift+R). A viewer is launched and the decrypted message is shown. You can't decrypt the message because we believe the original message should be kept encrypted.

I encrypted some data with one of my certificates stored on my computer. However I can't decrypt the data and get error "Invalid type specified." What is going on?

You can import the certificate from your computer to your profile; then you will be able to decrypt the data. The reason for this failure is that the key pair is stored in the MS Base CSP, which does not support stronger encryption algorithms like 3DES.

How can I delete a certificate and the related keypair from my computer?

Use the iSafeguard™ Certificate Manager. Make sure you turn on the option "Allow using certificates on my computer" so that the certificates on your computer show in the iSafeguard™ Certificate Manager.


Copyright © 2001-2007 MXC Software. All rights reserved.