Secure Instant Messaging
with other PGP tips
John Michaels

Secure Messaging
Someone recently asked for my opinion of Project SCIM's Secure Cryptographic Instant Messenger. As you can see by the very name, this is meant as a privacy enhancing competitor to the better known commercial instant messaging applications such as AOL IM, Yahoo messenger, or ICQ.

Let me be straight up about this: SCIM is not a product I'd care to use.

On the bright side, SCIM is a comparatively small download at just 1.5 MB. Better yet, it's freeware (for private use). And I tend to be forgiving about software that I don't have to shell out for. But not this forgiving.

Three out of four times, SCIM crashed my system when I tried to run it. This sucks even by Microsoft standards. The other issue that concerns me is the source code. Specifically, SCIM does not appear to be open source.

The Project SCIM website states that SCIM uses open source algorithms from Cryptix, but the source code for the complete messenger application can't be found on the site. Nor was Project SCIM responsive to a source code inquiry sent to their contact address. I have a tendency to mistrust crypto products that won't open source their code. So much for SCIM.

Faking It
But is a fancy messenger with questionable built-in crypto necessary? Not... necessarily.

The fact is, if you have PGP (commercial or freeware), or its variants (PGPi, for instance), installed on your computer you can already encrypt your IM traffic without too much trouble.

Go down to your Windows system tray and right click on the PGPTray icon, select Options, then click the HotKeys tab. See those choices for "Encrypt current window" and "Decrypt & verify current window"? Select their check boxes, and pick a keystroke sequence you find convenient. (I use Ctl+Shift+C and Ctl+Shift+D, respectively).

Now, when you're messaging away, before you hit send, do a Ctl+Shift+C. You'll get the PGP public key selection screen. Once you've picked your keys, your message text will be encrypted. Now hit send.

Likewise, when you receive an encrypted IM, make sure your cursor is in the message text block, and press Ctl+Shift+D. Voila! IM decrypted.

All that, and you didn't have to download yet another proprietary software package, and make sure your friends got the same one.

Other Uses for those HotKeys
I've got an acquaintance who often uses a Yahoo webmail account from his own computer. He's forever sending his encrypted messages as attachments. Mildly annoying and unnecessary: He could be drafting his mails in the Yahoo window, and Ctl+Shift+Cing, saving himself the extra steps of drafting the message in Notepad, saving, encrypting the file, creating a Yahoo email, and attaching the encrypted file. Typety-type, click is so much easier.

Now for most of my email, I use Eudora, which happens to have a handy-dandy plug-in to automatically interface with PGP. Neat, eh? Your POP client probably has that, too.

But I only use the plug-in to encrypt mails I send. See, I can set it up to default to signed and encrypted mails so I never forget and send an email in the clear when it really has to be private; I have to consciously opt to send something in the clear. So the plug-in is great for outgoing mail.

Incoming mail is another matter for me. Your mileage may vary, but I'm not entirely comfortable with the fact that the plug-in leaves me with unencrypted mails in my folders. Maybe I'm overly cautious, but I keep thinking, "What if someone else got access to my computer? Do I want my wife to see what's in those letters from Shel..." Never mind; let's just say, "Better safe than sorry." Instead of letting the PGP plug-in permanently open my virtual "envelopes," I just Ctl+Shift+D. Now I get the cleartext in another window, from which I can copy the text to an email reply window, which gets encrypted in turn. This way, I never leave a cleartext message on my system.

Here's another little tip: Go to the PGP Options again. On the General tab, make sure you check "Always encrypt to default key". Now when you encrypt your email to me, you can go back and read your own message, too. I don't know how many times I've gotten an email that was encrypted only with my public key, but not the sender's own, and the sender then needed me to give him something from his own - now inaccessible - message.

Key Length
Years back, when computers were wimpier, it was often worthwhile to generate and use 1024 bit keys; large keys took forever to process. Generally, it seemed like the sensitivity of the message didn't justify the hassle.

That isn't the case anymore. My own computer is pretty far behind on the power curve, but it's still cranking along at 366 MHz. There's no excuse not to use 4096 bit keys. 2048 bit D-H/DSS is probably going to be pretty secure for quite a while (barring the appearance of a transcendental mathematical genius who devises a new way to factor primes), but why not go for the gusto? Repeat after me: "Better safe than sorry."

Who are you?
Don't worry; I'm not the B5 Inquisitor. Just bringing up another point about keys. Now that I've convinced you to generate a brand new 4096 bit key pair... Stop!

Please don't just generate a whole, brand new, stand-alone keypair, and revoke your old one.

Try this instead: Use the tray icon to open PGPKeys. Right click on your own key in the list, and select Key Properties. Click the Subkeys tab. You'll see a list of your encryption keys; probably you'll only have one.

Press that New button below the list. Here's where you generate your new 4096 bit key. Type "4096" into the Key Size block (the pull-down list probably only goes to 3072). Click OK. You'll be prompted for your passphrase. Once you've typed that in, your new key is made, and you'll see it in the list. To get rid of your old short key, find it in the list, click on it to highlight it, then click either the Revoke or Remove button. Revoke leaves the key in place but unusable for encryption, while Remove gets rid of it altogether.

Why make your new key through this roundabout method? Signatures.

Odds are, lots of other people signed your old key, verifying that you are really you. If you made up an entirely new keyset, you'd lose all those signatures and have to start over again. But attaching the new encryption pair to your existing keyset leaves the signatures intact. When you distribute your updated key to all your friends, they can verify immediately that this really is Joe Blow's key, and not some third party trying a spoof.

Let's see some picture ID, buddy.
If you're expecting real-world meetings with PGP correspondents whom you've never met before, here's a neat feature. PGP allows you to embed your picture in your public key (PGPKeys, right click your key, Add, select Photo). Instant digital photo ID.

What's in a name?
When you're encrypting an email, the plug-in looks at the recipient's email address to try to figure out which key to use. If it can't match the address to any names on the PGP keyring, you have to manually select the appropriate key(s). If you use multiple email addresses, you can save your friends a few seconds by tagging your key with all your addresses: PGPKeys, right click your key, Add, select Name. Of course, any address that you use for anonymity, which you don't want to publicly link to your PGP identity, should not be added to your key.

Me, Myself, and I
You can have as many public/private keypairs on your keyring as you want. This is handy for folks running multiple nyms (electronic identities) online. Just open PGPKeys, select Keys from the main menu, then New.

But.... If you have more than one private key on your ring, you may want to set one as the default: right click on the key, Set as default. Do this with caution. If you set PGP to always sign/encrypt with your key, it'll always include the default key in the encryption list, even if you were trying to use the other key. No big deal; just remember to remove extra keys from the encrypt-to list before you press OK.

Wipe that grin off your face.
This may sound silly, but you have noticed PGP in your Windows Explorer right-click menu, haven't you? Right there at your fingertips (literally) is the ability to sign and encrypt any file on your hard drive. Even if you don't have PGPDisk, this can darned near give you all the file security you need. But the best feature is un-file security: Wipe.

When you "delete" a file in Windows, all you've really done is move it from whatever folder it was in to a folder named Recycled, where it sits forever if you never remember to "empty" your Recycle Bin. And even if you do empty the trash occasionally, that doesn't really delete the file either; only the data telling your drive where it once stored that file goes away. The data itself stays on the drive until it happens to get overwritten by something else that needs the space. Until that happens, your data can be read with a file recovery program.

Unless you Wipe it. Wipe not only "deletes" the file; it overwrites the data making it nonrecoverable. Your wife's divorce lawyer won't be getting those shots of you and Carmen at the office Christmas party now. To make sure you've thoroughly overwritten a file, you should tell PGP to make at least three "passes" (overwrite three times); you can set this as a default: Click the tray icon, select Options, General tab, File Wiping, Number of passes.
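To make the difference between deleting and wiping concrete, here is an added example (not PGP's own code and not from the original article) of a three-pass overwrite followed by removal. The function names `overwrite_in_place` and `wipe_file` are hypothetical, and filling with random bytes is an assumption, since the article does not say what pattern PGP writes.

```python
import os
import secrets

CHUNK = 64 * 1024  # write in 64 KiB blocks so large files are not held in memory


def overwrite_in_place(path, passes=3):
    """Overwrite every byte of the file `passes` times; return its size in bytes."""
    if passes < 1:
        raise ValueError("passes must be at least 1")
    size = os.path.getsize(path)
    # "r+b" writes over the existing bytes; "wb" would truncate the file first
    # and leave the old data sitting in blocks that are now marked free.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))  # assumption: random fill pattern
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force this pass to disk before starting the next
    return size


def wipe_file(path, passes=3):
    """Overwrite the file, then remove it under a random name; return bytes wiped."""
    size = overwrite_in_place(path, passes)
    # Rename before deleting so the old file name is less likely to survive
    # in the directory.
    anon = os.path.join(os.path.dirname(os.path.abspath(path)), secrets.token_hex(8))
    os.rename(path, anon)
    os.remove(anon)
    return size


if __name__ == "__main__":
    import tempfile
    # Constructed sample file standing in for a sensitive document.
    target = os.path.join(tempfile.mkdtemp(), "letter.txt")
    with open(target, "wb") as fh:
        fh.write(b"constructed sample plaintext\n" * 1000)
    print(wipe_file(target, passes=3), "bytes overwritten and removed")
```

An in-place overwrite only reaches the original blocks when the filesystem and drive write data back to the same location; on SSDs with wear leveling, or on journaling and copy-on-write filesystems, older copies of the data can survive it.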

It's also a good idea to periodically wipe all the free space on your hard drive. This gets anything you missed, and any fragments of program temp files or Windows virtual memory. Run FreeSpace Wipe by right clicking the tray icon, select PGPTools, and click the FreeSpace Wipe button. Select the drive to be wiped, and set the number of passes.

Warning: A complete free space wipe can take quite a long time. If you can spare your computer now, press Begin. But you may want to press Schedule and set a time during the middle of the night for the wipe to be performed automatically.

Play around
PGP is a handy tool, and if you mainly use it through a POP mail client, you may be missing some things. Next time you have a few minutes to spare, try exploring the PGP menus.



Copyright © 2003 by Doing Freedom! magazine. All rights reserved.