PGP Desktop Security Version 7.0.3 ReadMe
for Windows 95, 98, Millennium, NT, and 2000
Copyright (c) 1990-2000 by Networks Associates Technology, Inc., and
its Affiliated Companies.
All Rights Reserved.
Thank you for using Network Associates' products. This ReadMe file
contains important information regarding PGP. Network Associates
strongly recommends that you read this entire document.
Network Associates welcomes your comments and suggestions. Please use
the information provided in this file to contact us.
Warning: Export of this software may be restricted by the U.S. Government.
WHAT'S IN THIS FILE
Enhancements in this Release
New Features
Documentation
System Requirements
Known Issues
Additional Information
Contacting Network Associates
Copyright and Trademark Attributions
ENHANCEMENTS IN THIS RELEASE
- AES support. This release of PGP adds support for
the new Advanced Encryption Standard algorithm (Rijndael).
AES is the new NIST standard algorithm for the highest
security with a 256-bit symmetric key size.
- IKE Aggressive Mode support. PGPnet now supports
the Aggressive Mode standard for IKE. This enables users
to use usernames/passwords in combination with dynamic
addresses to establish a secure VPN connection.
- IKE Extended Authentication support. PGPnet now supports
the Extended Authentication draft standard (Version 6+).
This provides the ability to use legacy authentication
methods such as RADIUS and SecurID when establishing VPN
connections with compatible gateways.
- Enable/Disable VPN. This release enables administrators
to disable the VPN portion of PGPnet. This provides
administrators the flexibility of using third-party VPN
clients (such as the Nortel Extranet Access client)
with PGP's market-leading Personal Firewall and Personal
Intrusion Detection features.
- Windows ME Support. PGP now supports Microsoft Windows
Millennium Edition.
- Optional reboot upon silent install. The PGPadmin
utility now gives administrators the choice of whether
or not PGP, upon completing silent installation on
user machines, will automatically reboot.
- RSA 4096 support. The new RSA V4 key type now supports
the full range of key sizes supported by DH/DSS keys
up to 4096 bits.
NEW FEATURES
Enterprise-Class Manageability
- Easy pre-configuration and optional "lock down" of PGP
product settings. This release takes PGP to the next level
of enterprise manageability by introducing several new
instrumental features that give administrators more control
over PGP deployments in their environments.
Using the updated PGPadmin utility, administrators can
pre-configure all settings within PGP 7.0 (ranging from
cryptographic policies to Personal Firewall settings)
prior to deploying PGP to their end users. Administrators
can also specify, on a very granular level, which settings
in PGP are "locked down" from user modification. "Locked
down" settings appear grayed out in the GUI to end users,
and are protected in storage using cryptographic methods.
- Automated configuration updating. PGP 7.0 introduces a
valuable feature that helps administrators keep product
configuration information on deployed PGP clients up-to-date.
Computers protected by PGP 7.0 can automatically download
updated configuration information on a scheduled basis from
any PGP Keyserver 7.0 or standard LDAP v2 or v3 compliant
directory. Updates can be downloaded using standard LDAP or
LDAPS (LDAP over SSL - which provides configuration data
over a strongly authenticated and encrypted connection).
- "Shrink-to-fit" pre-configured packages of PGP. PGP 7.0
includes a new space-saving feature that creates smaller
pre-configured packages of PGP based on what components
administrators choose to deploy to their end users. The
updated PGPadmin utility will automatically remove all
unneeded components from pre-configured packages of PGP,
therefore reducing overall package size. This minimizes
download times when deploying PGP to end users.
- Improved multi-user support on Windows NT/2000 systems.
This release introduces improved support for multiple
users using a single Windows NT/2000 system by storing all
user-specific information (such as keyring, PGP configuration data,
and random data pool) in each user's Windows profile area.
Computer-specific information, such as VPN settings, is
stored in a central location on the system.
Personal Firewall / Personal IDS / VPN
- Flexible, enterprise-class Personal Firewall and Personal
IDS (Intrusion Detection). This release introduces PGP's
robust Personal Firewall and Personal IDS technology.
PGP creates a dual-layer security perimeter around any
computer it protects. Utilizing IDS technology from
Network Associates' leading CyberCop family of intrusion
protection solutions, PGP provides protection from common
attacks, including SYN floods, Ping floods, Smurf, Bonk,
Ping of Death, Back Orifice, Teardrop, and so on.
PGP provides flexible packet filtering Personal Firewall
technology as the second line of defense for computers it
protects. The product comes with six specific pre-defined
levels of protection, each with its own associated list
of packet filtering rules. Administrators can also create
customized rules prior to deploying PGP, as well as keep
them up-to-date using PGP's new automatic configuration
update feature.
- Automatic blocking of attacks and hostile network traffic.
PGP 7.0 can optionally block attacks as soon as they are
detected. Additionally, PGP can optionally block all
further network traffic from machines identified as being
hostile (for an administrator-specified period of time).
- Powerful intruder tracing provides useful tracking
information. Utilizing PGP's intruder tracing feature,
users and administrators can obtain very detailed
information about systems that originated the attack.
- Customizable user alerting for Intrusion Detection events.
PGP 7.0 allows administrators to configure when and how
users are notified about attacks against their computers.
Responses range from being completely silent to playing
a sound and blinking the PGP systray icon.
- SMTP-based administrator alerting for cyberattacks. This
release provides optional SMTP-based alerting to warn
administrators of attacks occurring against computers
protected by PGP 7.0.
- Next generation client-to-client and client-to-server VPNs.
PGP 7.0 includes revolutionary peer-to-peer VPN capabilities
that enable truly scalable, enterprise-wide network
encryption. If enabled, PGP 7.0 will attempt to communicate
via IPsec whenever an IP-based connection is attempted to or
from another network device. This behavior is controlled
by administrators and can be enabled only in environments
that require this level of security.
- Simple point-and-click VPN connections via PGP systray.
Users can now easily connect to VPN gateways and other VPN
endpoints that administrators have configured within PGP
to require a manual connection by simply selecting the
appropriate link icon in the convenient PGP systray.
- Support for new IKE/IPsec "mode-config" standard. PGP 7.0
users can now establish VPN connections to networks that
are using Network Address Translation (NAT). When users
connect to a VPN gateway that also supports this standard,
users can automatically obtain a "virtual identity" (IP
address along with DNS and WINS server information) which
PGP will use when communicating with devices behind the
VPN gateway, thus making the user seem like he/she is
located inside the remote network.
- Support for "split-tunnel" and "non split-tunnel" VPN
connections. This release introduces a new "exclusive
gateway" capability that allows administrators to optionally
force all network traffic from a remote access user's system
down a VPN tunnel to your corporate network (thus
preventing split-tunnel VPN connections). This feature not
only provides a higher level of network security, but it
also provides administrators visibility and control over
which web resources users access.
- Simultaneous protection of multiple network adapters. This
release adds support for binding to and protecting multiple
network adapters simultaneously (such as dial-up, cable modem, DSL,
LAN, or ISDN), providing Personal Firewall, Personal IDS
and VPN capabilities on all selected adapters.
- Optimized VPN connection performance via new MTU path
discovery capability. PGP now automatically determines
the optimal packet size (MTU, Maximum Transmission Unit)
for each VPN connection. This eliminates any packet
fragmentation that may occur due to intermediate Internet
routers that use smaller packet sizes than the user's ISP
or your corporate network.
PGP Key and X.509 Certificate Support
- New RSA key format. PGP 7.0 introduces a new RSA key
format that provides support for PGP's Additional
Decryption Key (ADK), designated revoker, multiple
encryption subkeys, and photo ID features. Previously
these features were only available to users with
Diffie-Hellman keys. PGP will continue to support users
who have RSA keys in the older key format (now called
the RSA Legacy key format).
- iPlanet (formerly Netscape) CMS 4.x support. PGP 7.0
includes support for effortlessly requesting, retrieving,
and using X.509 certificates issued from iPlanet
CMS 4.x PKIs.
- Microsoft Windows 2000 Certificate Services support.
This release of PGP adds support for users to easily
request, retrieve, and use X.509 certificates issued from
Microsoft Windows 2000 Certificate Services.
- Key reconstruction feature helps users recover from lost
or forgotten passphrases. PGP 7.0 introduces a new,
optional key reconstruction feature that leverages PGP's
cryptographic key splitting technology to provide a secure
means for users to recover their private keys. This enables
users who have forgotten their PGP passphrase to regain
access to their encrypted data after answering five
questions whose answers only the user would know.
- Automatic X.509 certificate retrieval upon successful
certificate request. After users step through a simple
wizard that generates their encryption and signing keypairs
at install time, PGP can automatically submit an X.509
certificate request to a pre-configured X.509 RA/CA. This
release adds a feature that will automatically poll the
associated LDAP directory for the user's certificate. Once
the user's certificate is located, it is automatically
downloaded and configured as the primary authentication
method for PGP's integrated VPN client.
- Support for using X.509 certificates for secure email.
This release gives customers the choice of what type of
keys/certificates to use for exchanging secure email
(for example, PGP keys and/or X.509 certificates). PGP 7.0 users
can also concurrently send an encrypted email to users with
PGP keys as well as other users with X.509 certificates.
- Automatic X.509 certificate lookup from LDAP directories.
If the X.509 certificate of a secure email recipient is not
cached locally on the sender's PC, PGP can now automatically
search an administrator pre-defined list of LDAP directories
for that user's certificate. Users can also use the PGPkeys
application to perform manual searches of LDAP directories
for X.509 certificates.
- Support for storing and searching for PGP keys on LDAP
servers. Extending support for storing PGP keys on servers
other than PGP Certificate Servers and PGP Keyservers, PGP can
now store and retrieve PGP keys from any standard LDAP v2
or v3 compliant directory.
- Silent keyring maintenance. PGP now performs automatic,
unattended keyring maintenance such as key synchronization,
trusted introducer updates, and CRL downloading without
displaying any non-critical dialog boxes.
- Ability to open multiple keyrings at once. Users
can now open and manage multiple keyrings at a time, thus
simplifying keyring management.
- Automatic keyring backup. A new automatic backup feature
allows the user to automatically back up keyrings to the
keyring directory
or another directory when any changes are made to
the keyring. PGP no longer creates a series of backups
in the keyring folder. Automated keyring backup is now
entirely in the user's control.
Entropy and Cryptographic Algorithms
- Continuous entropy collection. PGP now continuously collects
random data from mouse movements and keystrokes (whether
a PGP-related window is open or not), and stirs that random
data into the PGP entropy pool.
- Twofish support. PGP introduces the option of encrypting
email, disks, files, and ICQ instant messages using Twofish,
a relatively new, but well regarded 256-bit cipher. Twofish
was one of five finalists for NIST's new Advanced Encryption
Standard (AES).
Single Sign-On
- Improved overall ease-of-use via new centralized passphrase
caching. PGP 7.0 simplifies users' lives by only requiring
them to enter their passphrase once to one of the many PGP
components, and then the user can launch any of the other
PGP modules without needing to enter their passphrase again
(unless configured to do so by the administrator).
Instant Messaging Plug-In
- ICQ Plug-in. PGP 7.0 secures the next generation of interpersonal
communications by introducing integration with ICQ 99b
and ICQ 2000a. Users can now safely share instant messages
via PGP's world-renowned encryption and digital signature
capabilities, which have been extended to this exciting
platform. Users can secure all the methods of communication
and data sharing capabilities of ICQ by leveraging the PGP
ICQ plug-in for instant message protection and PGP's Dynamic
Peer-to-Peer VPN capabilities for securing file transfer,
chat, and all other direct client-to-client communications.
Email Plug-Ins
- Lotus Notes 5.x client support. This release extends PGP's
broad messaging platform coverage to another critical
platform used in many enterprises today. This new plug-in
exploits many of the new interface capabilities of Lotus
Notes 5.x, thus making PGP even easier to use. This release
of PGP also continues support for Lotus Notes 4.5.x and
4.6.x clients.
- Rich text support in Outlook plug-in. The PGP plug-in for
Outlook 97, 98, and 2000 now supports preserving rich text
formatting of digitally signed and/or encrypted messages.
Disk and File Encryption
- Mounting of PGPdisks as folders on Windows 2000 systems. PGP 7.0
includes many enhancements to its transparent disk
encryption component, PGPdisk. As an alternative to mounting
PGPdisks as a separate virtual drive on a user's system,
PGP now supports mounting PGP disks as a virtual folder on
Windows 2000 systems with NTFS-formatted drives.
- Control access to PGPdisks using only PGP keys. Users can
now use the new PGPdisk Editor tool to effortlessly add or
remove users' public keys to the access list for a PGPdisk.
Users can also add passphrases as an alternative method to
control access to PGPdisks; however, PGPdisk no longer
requires a master/administrative passphrase at the
time of creation.
- Automatic mounting of PGPdisks at logon. Users now have
the option of having their PGPdisks automatically mount during
the startup process.
- Re-encrypt PGPdisks without PGPdisk re-creation. This release
adds the ability for users (or administrators) to re-encrypt
all data on a PGPdisk. This feature provides an additional
level of protection in environments requiring a higher level
of security. PGPdisks can either be re-encrypted using a new
CAST encryption key, or they can be converted to using
Twofish encryption.
Disk, File and Freespace Wiping
- Automatic wipe upon file delete. Users now have the option
of having files automatically wiped as soon as they are
deleted. On Windows systems with the Recycle Bin enabled,
files are wiped once they are "emptied" from the Recycle Bin.
- Significantly improved disk wiping time. This release
incorporates new technology for wiping file slack space
and disks that is significantly faster than previous
versions of PGP.
DOCUMENTATION
Also included with this release are the following manuals, which can
be viewed on-line as well as printed:
The documentation is automatically installed with the PGP software.
Go to Start -> Programs -> PGP -> Documentation to locate the manuals.
Each document is saved in Adobe Acrobat Portable Document Format
(.PDF). You can view and print these documents with Adobe's Acrobat
Reader. PDF files can include hypertext links and other navigation
features to assist you in finding answers to questions about your
Network Associates product.
To download Adobe Acrobat Reader from the World Wide Web, visit Adobe's
Web site.
This release also includes integrated online help in Microsoft
HTML Help (.CHM) format. Please note that you must have Internet
Explorer 4.01, Service Pack 2 or later installed on your system to
view the online help.
- PGP online help
- PGPdisk online help
- PGPnet online help
Documentation feedback is welcome. Send email to tns_documentation@nai.com.
SYSTEM REQUIREMENTS
To install PGP on a Windows system, you must have:
- Intel Pentium 166 MHz processor or better
- Windows 95B (OSR2), Windows 98, Windows Millennium, Windows NT 4.0
with Service Pack 4 or later, Windows 2000, or Windows 2000 with
Service Pack 1
- 32 MB RAM (64 MB RAM for Windows NT and 2000)
- 32 MB hard disk space
If you plan to run PGPnet on the system, you must also have:
- Microsoft TCP/IP
- A compatible LAN/WAN network adapter
KNOWN ISSUES
- You must shut down a docked Windows 2000 laptop--rather than
undock the laptop in standby mode--if PGPnet is bound
to the dock's network adapter.
- Due to a Windows 2000 limitation, you cannot use
the normal Delete function to delete a folder on a PGPdisk
mounted as a directory. However, you can work around
this limitation by selecting the folder and pressing
Shift+Delete.
- To reconstitute a split key over a network, all key
shareholders must use PGP 7.0.
- Groups files created with versions of PGP prior to 7.0
must be re-created using PGP 7.0.
ADDITIONAL INFORMATION
PGP
- The Windows Explorer provides PGP with
information only about the target of a shortcut
and not the shortcut itself. If you use the
Wipe feature in the Explorer, the shortcut
itself will not be wiped. The actual target
will be wiped. When using PGPtools, the shortcut
will also be wiped.
- Hotkeys are for use with applications that
support general text editing. Using Hotkeys
with some applications may result in
unpredictable behavior.
- Windows 95 users must make sure that
the "compatibility mode with MS-DOS" feature is
turned off for proper PGPdisk operation.
- The Adaptec DirectCD software is fully compatible with
PGP. However, you must not create a PGPdisk on a CD-R
using Adaptec's CD-R features which allow in-place
additions. You may create the PGPdisk on a normal hard
drive and then copy it to the CD-R.
- PGP 7.0's new RSA keys should not be used with
previous versions of PGP. PGP 7.0 also generates
"RSA Legacy" keys, which can be used with any
previous version.
- Due to ICQ's limited message size, the PGP plug-in for
ICQ does not use the "Always encrypt to default key"
feature even if that option is selected.
- The PGP Exchange/Outlook plug-in does not
support Microsoft Word as an email editor.
- PGPdisk is incompatible with versions of
VirusScan 4.5 or 5.0 with a scan engine of
4.0.50. Please upgrade to VirusScan Version 4.5
or 5.0 with a scan engine of 4.0.70 or later
prior to installing PGP Desktop Security 7.0.
- Installing versions of PGP prior to 7.0 on a
machine containing 7.0 is not supported and
may result in unpredictable behavior.
PGPnet
- Do not attempt to manually uninstall PGPnet.
It is very important that you use the PGP
Uninstaller to remove PGPnet. PGPnet makes
extensive modifications to the registry and
changes the bindings on network adapters.
The PGP Uninstaller can be accessed via the
Add/Remove Programs control panel.
- Novell's Netware client for Windows 2000
is not currently compatible with PGPnet. Please
check with Novell for updates.
- If you use hardware profiles on NT, and you
hide a network adapter to which PGPnet
is bound, you will be prompted to re-bind
to that adapter when you reboot using
a hardware profile that does not hide
the adapter.
- On Windows NT/2000 platforms, the DHCP Client
service must be running to ensure proper
operation of the PGPnet Virtual Identity
feature. To avoid this problem, set your
DHCP Client service to start automatically.
- 3COM's Dynamic Access control panel prompts
you to reboot if you use Set Adapter to modify
your network bindings. Ignore this reboot
request until Windows has finished updating
the network bindings.
- PGPnet does not support Token Ring or FDDI
network interface cards. PGPnet fully supports
Ethernet cards for VPN, Personal Firewall, and
Personal IDS.
- PGPnet is not compatible with the Intel
EtherExpress 16 driver.
- Installing virtual private network software
such as PGPnet on the same machine as a firewall
or another VPN client is highly likely to cause
problems. We recommend either uninstalling the other
product before installing PGPnet or choosing not to
install PGPnet on such a machine. Note that this
7.0.3 release introduces compatibility with some
of these clients such as the Nortel VPN client.
- You cannot use the default MSN dialer to connect
to MSN if PGPnet is installed. To connect to MSN
with PGPnet, use the Microsoft Dial-Up Networking
client.
CONTACTING NETWORK ASSOCIATES
For questions, orders, problems, or comments
Contact the Network Associates Customer Service department
between 8:00 a.m. and 8:00 p.m. Central Time, Monday
through Friday, at:
Network Associates Customer Service
4099 McEwen Road, Suite 500
Dallas, Texas 75244
Phone: (972) 308-9960
Email: services_corporate_division@nai.com
World Wide Web: http://support.nai.com
Contact Network Associates Customer Service for
information about technical support
subscription plans.
For corporate-licensed customers:
Phone: (972) 308-9960
For retail-licensed customers:
Phone: (972) 855-7044
To provide the answers you need quickly and efficiently, the Network Associates
technical support staff needs some information about your computer and
your software. Please have this information ready when you call:
- Program name and version number
- Computer brand and model
- Any additional hardware or peripherals connected to your computer
- Operating system type and version numbers
- Network name, operating system, and version
- Network card installed, where applicable
- Modem manufacturer, model, and speed, where applicable
- Relevant browsers or applications and their version numbers, where applicable
- How to reproduce your problem: when it occurs, whether you can reproduce
it regularly, and under what conditions
- Information needed to contact you by voice, fax, or email
We also seek and appreciate general feedback.
For product upgrades
Network Associates has a worldwide range of
partnerships and reseller relationships with
hundreds of independent vendors, each of which
can provide you with consulting services, sales
advice, and product support for Network
Associates software. For assistance in locating a
local reseller, you can contact Network
Associates Customer Service at (972) 308-9960.
For reporting problems
Network Associates prides itself on delivering a high-quality product.
If you find any problems, please take a moment to review the contents of
this file. If the problem you've encountered is documented, there is no
need to report the problem to Network Associates.
If you find any feature that does not appear to function properly on
your system, or if you believe an application would benefit greatly from
enhancement, please contact Network Associates with your suggestions or
concerns.
For on-site training information
Contact Network Associates Customer Service at (800) 338-8754.
COPYRIGHT AND TRADEMARK ATTRIBUTIONS
Copyright (c) 1990-2000 Networks Associates Technology, Inc.
All Rights Reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval
system, or translated into any language in any form or by
any means without the written permission of Networks
Associates Technology, Inc., or its suppliers or affiliate
companies.
Trademark Attributions
* ActiveHelp, Bomb Shelter, Building a World of Trust,
CipherLink, Clean-Up, Cloaking, CNX, Compass 7, CyberCop,
CyberMedia, Data Security Letter, Discover, Distributed
Sniffer System, Dr Solomon's, Enterprise Secure Cast,
First Aid, ForceField, Gauntlet, GMT, GroupShield,
HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading
Help Desk Technology, Magic Solutions, MagicSpy, MagicTree,
Magic University, MagicWin, MagicWord, McAfee, McAfee
Associates, MoneyMagic, More Power To You, Multimedia
Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan,
Net Shield, NetShield, NetStalker, Net Tools, Network
Associates, Network General, Network Uptime!, NetXRay,
Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good
Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty Good
Privacy, PrimeSupport, RecoverKey, RecoverKey-International,
ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic,
SecureCast, Service Level Manager, ServiceMagic, Site Meter,
Sniffer, SniffMaster, SniffNet, Stalker, Statistical
Information Retrieval (SIR), SupportMagic, Switch PM,
TeleSniffer, TIS, TMachf, TMeg, Total Network Security,
Total Network Visibility, Total Service Desk, Total Virus
Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller,
Virex, Virex-PC, Virus Forum, ViruScan, VirusScan, VShield,
WebScan, WebShield, WebSniffer, WebStalker, WebWall, and
ZAC 2000 are registered trademarks of Network Associates
and/or its affiliates in the US and/or other countries.
All other registered and unregistered trademarks in this
document are the sole property of their respective owners.
License Agreement
NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE
TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES,
CONSULT THE README.1ST, LICENSE.TXT, OR OTHER LICENSE
DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT
FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT
AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO
THE PLACE OF PURCHASE FOR A FULL REFUND.