• What is SHA?

SHA stands for Secure Hash Algorithm.? This is the mathematical method of generating a signature on your files or emails.? It uses your private key so that you and only you can sign an email or file – this way, if the email is changed in any way before the recipient receives it, or if the file you placed on the internet is replaced without your knowledge, the signature verification will fail and this will show that it is not the original email or file that you sent.

• What algorithms are available?

There are several SHA algorithms avaliable – these are RIPEMD160, SHA-1, SHA224, SHA256, SHA384 and SHA512.? There are others such as Whirlpool and IDEA, but these are not included in OpenPGP or Enigmail.

• What SHA settings should I use?

There is no “right answer” to this question – to some extent, this is an entirely personal choice.? If you have a DSA signature key, you will need to use a 160 bit hash function (for example, RIPEMD160 or SHA-1) unless you have the most recent version of GnuPG.? If you enable DSA2, this will allow you to use either SHA224 or SHA256 with your DSA key – see this page for full instructions on enabling DSA2.

Arguably, 160 bit hash functions are becoming less and less secure.? There have been several published problems with SHA-1 security including the potential ability to break the function without having to try a full brute-force attack and try every possible code combination.? There is a very good Wikipedia article on SHA if you’re interested in reading more about the weaknesses.

Because of the weaknesses in SHA-1 and RIPEMD160, I would recommend that you use DSA2 with any DSA signing keys.? If you enable DSA2, you will be able to use SHA224 and SHA256 with any existing DSA key.? However, if you do not yet have a key, or don’t mind replacing your original, I would highly recommend that you use an RSA key.

RSA keys support virtually all hash functions.? This opens up opportunities to use the most secure hash functions including SHA256, SHA384 and SHA512. ? There are few drawbacks to the use of SHA512 – namely that it increases the size of the signature (which isn’t really a problem at all), and that it’s not fully supported on some clients.? If everyone you communicate with has Thunderbird and Enigmail (or Mobility Email) then you can freely use SHA512 without any problems.? Some systems (especially older products) only support up to SHA256, although this is changing rapidly.

• So how do I change my SHA settings?

In Enigmail, this is really easy.? Simply go to OpenPGP > PREFERENCES and select the PGP/MIME tab.? There’s a drop-down box? with a list of SHA options – just select one and hit? OK.

If you use OpenPGP with other applications (such as GPGee for file signing and verification) then you may have to edit your GPG.conf file.? To do so, simply go to your GPG Home Directory (on Windows XP / 2000, the default is C:\Documents and Settings\[user]\Application Data\GnuPG\) and open GPG.conf with Notepad or another text editor.? All you have to do is enter the following to a new line then save the file:

digest-algo SHA256 – just replace SHA256 with your preferred algorithm.

If you use a DSA key and you want to set a default SHA setting in GPG.conf, enter the following:

digest-algo SHA256
enable-dsa2
Remember with the above that you can either use SHA224 or SHA256, and you must add the enable DSA2 line.

So that’s it.? Relatively simple once you know how, and you should only have to do this once.? When it’s set up, the settings will be remembered for as long as Enigmail or GnuPG is installed on your computer.? But if you still have questions, please feel free to use the comments form below.

• The Easy Way

Enigmail offers you a wizard when you initially install it, and this guides you through a key generation phase. If you aborted the wizard, it will not display again, so you will have to manually generate your keys. Don’t worry though – this is simple. Once you have configured your email accounts in Thunderbird (adding usernames and passwords etc), hit OpenPGP > KEY MANAGEMENT. This will give you a window similar to this:

All you have to do is go to GENERATE > NEW KEY PAIR. The following will appear:

Select your chosen email address from the drop-down list at the top, then chose a passphrase (password) – remember that you must remember this. If you forget your passphrase, there is no way to recover it, so you will not be able to read any encrypted email you’ve sent or received using this particular key pair.

Next step is to set the appropriate options for the key. A comment is optional – I normally don’t bother with a comment, but it can help you differentiate (for example) your personal-use key pair from your business-use key pair if you need to. Expiry of the key is also optional – you can set it to expire in any amount of time you wish, or you can select the checkbox so that it never expires.

Before you generate your key, select the “Advanced” tab:

Here, you’ll be able to set up the key in a way you are comfortable with. The default setting is for a DSA/El Gamal key pair with a 1024 bit DSA key for signing and a 2048 bit El Gamal key pair for encryption. There are two drop-down boxes available: one allows you to set the size of your key pair from 1024 bits (least secure) to 4096 bits (most secure) – the other drop-down box (shown expanded in the image above) allows you to change the type of key you use. Your choice of key type is actually quite important as I’ll explain.

With a DSA/El Gamal key pair, the key size you specify will only alter the size of the El Gamal encryption key and not the DSA key. The DSA key is always 1024 bits. By using a DSA key, you are also restricting yourself to a more limited set of Secure Hash Algorithms for signing files and emails – see my tutorial on Choosing the right SHA Settings for further details. Arguably, the El Gamal encryption is as secure as RSA, but takes longer to encrypt and decrypt messages. I personally prefer to use an RSA key pair because it is compatible with a wider range of SHA settings, it’s faster than El Gamal at encryption and decryption, and RSA can be used for both encryption and signing, so you don’t need a separate type of key. The disadvantage to this, however, is that there is some doubt as to the security of a large-bit key used for signing emails and files – more bits may cause a weakness in the hashing. Enigmail only allows you to create RSA keys that are used for both signing and encryption – if you are at all interested in having more options, I suggest that you use the Advanced Method to generate your keys as shown below.Once you have chosen your key settings, you simply have to click “Generate Key” and it will be done. You will be asked if you wish to create a Revocation Certificate – I would recommend that you do this. If you forget your passphrase, a revocation certificate will allow you to revoke the key. If you don’t have these certificates, you will need the passphrase to revoke the key (which isn’t much help if you’ve forgotten it!!!)

Your public and private keys are stored in the GnuPG home directory – on Windows XP and 200, this is usually:

C:\Documents and Settings\[user]\Application Data\GnuPG\

To backup your keys, you should simply copy the contents of this folder and store them securely elsewhere.

• The Advanced Method

So, you want some more advanced options for key generation? I highly recommend this as it gives you more flexibility as to the type of keys you use, the size of both the encryption and signature keys, and your choice of Secure Hash Algorithm.

First thing’s first – we need to use GnuPG with the Command Line. This means making a small change (on Windows systems only) to make the process much simpler. I created a flash animation with an easy step-by-step guide.

Once this is done, hit START > RUN and type “cmd” into the box. Press enter or click OK and this will launch an MS Dos prompt. Type the following into the command prompt exactly as it appears:

gpg –gen-key

This will give you a list of options – for the purposes of this example, I’ll create a 2048 bit RSA signing key with a 4096 bit encryption key.

Type “5” and press enter then select your key size – in this example, I used “2048“. You are then given options for expiry – for a key that’s valid for 2 years, enter “2y“. You’re then asked to confirm the details are correct – if they are, hit “y” then enter.

Once your chosen key settings are in, you’ll be asked for your real name, your email address and a comment (which is optional). Please note that GnuPG does not allow short names by default – under “Real Name” you will need to enter text longer than 5 characters. There is, however, a way around this. When you first go to generate the key, hit START > RUN > cmd then enter the following into the command line:

gpg –gen-key –allow-freeform-uid

And this will allow you to use (for example) your first name only if you so wish.

You will be given a chance to confirm or change your details. If they are correct, enter “O” for Okay and enter your chosen passphrase when prompted. Again, the passphrase is extremely important – you need to remember this as it is required every time you use the keys to send or receive an encrypted email or file.

Once done, the key will generate – this may take a few moments depending on your hardware. Once it has generated, the screen will show details of your new key:

Read the screen output – in this example, you will see that the key name is 9B48740F – this is shown in the line above the key fingerprint:

pub 2048R/9B48740F

We now need to add your subkey by editing the key you’ve just generated. Type:

gpg –edit-key 9B48740F (replace 9B48740F with your key name)

Now, type addkey and enter your passphrase when prompted.

Now enter your chosen options – I entered “6” for an RSA encryption key, “4096” bits and “2y” for a 2 year expiry:

Once all the details are confirmed, the key will be generated for you. Generation times for the encryption keys are generally longer than signing keys – especially when there is a larger bit-size. It should still only take a minute or so depending on the key size and the hardware used. Once the key is generated, you will get a confirmation message followed by a Command> option. You must type “save” before you close the command prompt.

So that’s it! Easy, wasn’t it? Generally, GnuPG gets press as being “difficult to use” because it’s a command line tool, but for key generation, it’s actually very straightforward. You can now use your advanced encryption and signing key in Thunderbird by going to the OpenPGP menu, selecting KEY MANAGEMENT > FILE > RELOAD KEY CACHE

• Distribute Your Keys

So, the whole point in using encrypted communications is so that you can communicate securely. For others to communicate with you using encrypted email or files, they need your public key. You can do one of a few things.

Firstly, you could send your public key to everyone you know. This is quite a simple way of distributing your keys, although not entirely convenient. Not all your friends or contacts will use cryptography so you may just confuse them. Additionally, it takes a significant amount of time to do yourself. To send your keys by email, go to OpenPGP > KEY MANAGEMENT. Find your key in the list, right-click on it and select Send Public Keys by Email. Add whoever you want to receive the keys in the “to” part of the email and hit send – it’s pretty easy to do, but maybe not ideal.

Secondly, you could upload your public keys to a keyserver (here is an example of a keyserver, where you can search for keys by email address, key name etc.) This way, when someone tries to send you an encrypted email but doesn’t have your public key, they can search for it, download it and use it automatically. This is my recommended option, although you need to appreciate that your full name and email address will be available online.

Finally, here’s an option that’s somewhere in the middle. Why not upload a copy of your public key to your webspace – you can then include a link to it from your website, or in a signature automatically attached to your outgoing email. This still means that only people you have emailed previously will be able to send you encrypted communications, but it also means that you know who has your key.

I hope the above was helpful – any questions / comments? Feel free to leave them below.