Troubleshooting

Frequently Asked Questions

How do I know, when I verify files, that they have been signed by the person that sent me the files?
When FileAssurity validates files, it checks the signing key against a list of root CAs contained within the keystore. The list of root CAs is part of FileAssurity's keystore and cannot be altered by hackers. If the key validates then FileAssurity knows that the person's signature is valid and that it came from that person. If the file has been signed with a self-signed key then it is up to you to trust that the person sending you the key is the one who signed the files. Once you have added this key to your keystore, validation will be automatic.


How does FileAssurity know that content has or has not been modified?
When a file is signed, a unique 'fingerprint' (hash value) is generated. This 'fingerprint' corresponds to the whole of the file contents (which is in itself just a number of bits). When FileAssurity checks a file, it repeats the calculation over the file contents. If the result does not match the 'fingerprint' then FileAssurity knows the file must have been modified and warns you that it is invalid. If the result matches then the file is valid. FileAssurity uses the Secure Hash Algorithm SHA-1, an international standard, to calculate hash values.


Can I protect files for multiple recipients?
Yes. Unlike most PKI systems you can protect files or archives for multiple recipients. FileAssurity enables recipients to unprotect any file which has their key associated with it. Only one copy of the file is needed for this - you do not have a separate copy of the file per recipient - which is very important if it is a big file.
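A common way to get one protected copy that several recipients can open is to encrypt the file once under a random file key and wrap that key separately for each recipient. The sketch below is an added example, not FileAssurity's code or file format: it assumes the Python `cryptography` package, AES-256-GCM for the body and RSA-OAEP for key wrapping, and the names `new_keypair`, `protect` and `unprotect` are hypothetical.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding used to wrap the file key (an assumption, not taken from the FAQ).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def new_keypair():
    """2048-bit RSA protection key, the key length the FAQ states."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def protect(plaintext, recipients):
    """Encrypt the file once; wrap the single file key per recipient.

    recipients maps a name to that person's RSA public key.
    """
    file_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    body = AESGCM(file_key).encrypt(nonce, plaintext, None)
    wrapped = {name: pub.encrypt(file_key, OAEP)
               for name, pub in recipients.items()}
    return {"nonce": nonce, "body": body, "wrapped_keys": wrapped}

def unprotect(envelope, name, private_key):
    """Unwrap this recipient's copy of the file key, then decrypt the body."""
    wrapped = envelope["wrapped_keys"].get(name)
    if wrapped is None:
        raise PermissionError(f"no key entry for {name}")
    file_key = private_key.decrypt(wrapped, OAEP)
    return AESGCM(file_key).decrypt(envelope["nonce"], envelope["body"], None)

if __name__ == "__main__":
    alice, bob = new_keypair(), new_keypair()
    data = b"constructed sample file contents\n" * 1000
    env = protect(data, {"alice": alice.public_key(), "bob": bob.public_key()})
    # One encrypted body, plus a 256-byte wrapped key per recipient.
    print(len(env["body"]), [len(w) for w in env["wrapped_keys"].values()])
    print(unprotect(env, "bob", bob) == data)
```

Adding a recipient costs one more wrapped key rather than another copy of the file, which is why the size of the file does not multiply with the number of recipients.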


How does someone else protect files for me?
In order for someone to send you protected files that only you can view, you must first export your protection key from Key Manager and send it to them. They can then import this key into their Key Manager and use it to send you protected files.


Can I protect files for groups?
There are two ways of doing this. One is to use the multiple recipients feature provided in FileAssurity. You can select all the people you want to protect a file for using multiple recipients and FileAssurity sorts it out for you. 

The other is to acquire a key pair from a CA and issue this to everyone in the group. When members of the group import this key pair into FileAssurity they will be able to protect and access information with this key pair. If you do this you must remember not to use it for signing files because you will have no idea which member of the group really signed the file. You should only ever sign files with your personal signing key that is never shared with anyone else.


Why isn't FileAssurity integrated into Outlook or other Windows applications?
There are two critical reasons: security and law.

Security.  As has been well demonstrated by other security products that are integrated into mail (and other) applications, integration exposes the security product to the weaknesses of the applications.  Plug-in supporters have had their claims of not being exposed to the weaknesses of the application comprehensively dismissed. Also, multiple plug-ins can interfere with each other. ArticSoft FileAssurity is not integrated, and cannot be exposed to any such problems.

Law.  There are many products that add signature graphics into files to show a handwritten signature as well as the digital one.  Whilst these are superficially attractive (the user hopefully sees a copy of their own signature) they have weaknesses.  The user has no idea what the product has actually done.  They cannot be certain that some other accidental change could not have happened.  (European legislation requires that documents signed digitally must be precisely what the user saw.)   Further, such signatures can only be applied to document types the product is capable of supporting. This means such methods are partial.  ArticSoft FileAssurity does not alter any file content.  There can be no question of files being altered as a result of signatures being applied.  Further, the file is not altered when the signature is checked.  The original signed file is always available and can be independently tested by experts without any risk.


Why must I have the recipient's key before I can send them a protected file?
If you want to call someone on the phone you need their phone number first. Otherwise you can't call them. Protection is just the same. If you don't have their key (phone number) you can't talk to them. But unlike the phone service, other people can't pick up the call or listen in when you send something protected to specific recipients.


If I'm just signing a file do I need the recipient's key as well?
No.  

They will however need yours if you did not get it from a public authority (see the list in Authorities keys in the Security > Key Management > Authorities tab).  See self-signed keys.


My company runs their own CA.  How do I recognize their signing keys automatically?
You can import the public key of your company's CA in the .p7b format into FileAssurity using the Update Trusted Authorities function in Key Manager. This function allows you to import a self-signed public key and declare it to be a Trusted Authority. Please note that you can't then import that public key and its matching private key and sign files or folders. This feature may also be used if you have inadvertently deleted a Trusted Authority key and need to replace it.

You must take care to verify a public key before you make it a Trusted Authority because once it has been accepted your keystore will automatically consider keys signed by that Authority as being trusted also.


Why doesn't FileAssurity offer a choice of encryption algorithms?
Choosing an encryption algorithm is a non-trivial undertaking. The overwhelming majority of users want a product that is best of breed, not a product demanding they make choices they don't want to understand.

ArticSoft have followed the most up to date guidance given by bodies such as the US National Institute of Standards and Technology (NIST) in their recommendation for the Advanced Encryption Standard (AES) chosen to replace the Data Encryption Standard (DES). ArticSoft have implemented the strongest version as specified in the standard. We have also chosen the RSA public cryptosystem (standardized for more than 10 years and internationally recognised) using a key length of 2048 bits. (Most public Trusted Authorities currently use 1024 bits.)

There are many other algorithms you could choose. But why would you want to choose something less well recognised? As a business we look to use the 'best of breed' to deliver solutions to our customers, letting them get on with their business. Tools that offer choices for every possible technical feature offer no real advantage and ensure you have to be a real expert to use them properly.


How do I unprotect a number of files simultaneously?
FileAssurity is set up to allow you to work with files, folders and archives.  The key to choosing which method is best for you lies in how you want to unprotect the files.

If you want to unprotect files singly, and to work with them on an individual basis then you should protect them as individual files.

If you want to be able to protect a large number of files simultaneously (either all the files in a folder or a mixture of individual files and whole folders) but still work on them afterwards as individual files then you should work with files and folders.

If you want to be able to unprotect a group of files or folders simultaneously (or want the recipient to be able to unprotect all the files you are sending them simultaneously) then you should create an archive. Parts or all of the contents of the archive can be verified and unprotected simultaneously.


What is a good password and how do I select one?
The first thing to understand is what makes a bad password. The worst passwords are: password, 111111, fred, master, boss and whatever is the name of your organization/department/unit. Why are they bad? Because they are obvious, easy to guess and just plain stupid.

So what are good passwords? Things that are not dictionary words (in any language), do not repeat characters, and are long enough to make them hard to watch or attack using 'brute force' (starting from 0 and working upwards). But saying that doesn't really help because it's too difficult to understand what you should choose. After all, you still have to be able to remember the password.

The trick is to pick the right mixture of things that make it hard for someone else to guess or find by searching. This is where the password system may not help. Ideally it should accept up to 40 characters, and they should be anything that you can find on the keyboard.  You may not use all 40, but if you want top quality at least you have the chance.  

Now you need to pick something that you feel comfortable typing and that uses at least 8 characters, which may be anything on the keyboard. Well that's hard, but you can pick a couple of words you do know, preferably not related to each other, and add a few special characters to them so you don't find them in a dictionary. For instance, "Table!house*", "Knight(soil)" or "Dem0n**manager". Other examples that could work include "1066andallthat", "Hangthe****donkey" or "Now is the time forall men". This last one is a quotation, but it's still hard to guess or attack, especially if you don't know where the spaces are!

Passwords need to be changed from time to time. Picking a frequency is not easy. On the one hand you need to change it often if it protects something vital. On the other hand you have to be able to remember it. Having a long password that is not obvious generally means you don't need to change it so often. So if you can cope with typing, pick a long password and it will last longer.
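The criteria above can be checked mechanically against this FAQ's own example passwords. The following is an added sketch, not part of FileAssurity: `review` and `search_space_bits` are hypothetical names, the dictionary and organization names are constructed samples, and the bit figure is an upper bound that treats every character as chosen at random.

```python
import math
import string
from collections import Counter

WORST = {"password", "111111", "fred", "master", "boss"}  # named in the FAQ
SAMPLE_DICTIONARY = {"table", "house", "knight", "soil",
                     "manager", "donkey"}                 # constructed sample
ORG_NAMES = {"examplecorp", "finance"}                    # hypothetical names
MIN_LEN = 8                                               # minimum from the FAQ

# Keyboard character classes used to size the brute-force alphabet.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def search_space_bits(pw):
    """Upper bound on brute-force work in bits: length * log2(alphabet size)."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def review(pw):
    """Return the FAQ criteria this password fails (empty list means none)."""
    findings = []
    banned = WORST | SAMPLE_DICTIONARY | ORG_NAMES
    # Strip digits and symbols so "house123" is still seen as "house".
    letters = "".join(c for c in pw.lower() if c.isalpha())
    if len(pw) < MIN_LEN:
        findings.append("shorter than 8 characters")
    if pw.lower() in banned or letters in banned:
        findings.append("dictionary word or obvious name")
    # Interpretation (assumption): "repeat characters" means one character
    # dominating the password, as in 111111, not an occasional "**".
    if pw and Counter(pw).most_common(1)[0][1] > len(pw) / 2:
        findings.append("mostly one repeated character")
    return findings

if __name__ == "__main__":
    for pw in ["password", "111111", "fred", "house123", "Table!house*",
               "Dem0n**manager", "1066andallthat",
               "Now is the time forall men"]:
        bits = search_space_bits(pw)
        print(f"{pw!r:30} {bits:6.1f} bits  {review(pw) or 'ok'}")
```

Passwords built from words carry less real strength than the bound suggests, so treat the bit count as a ceiling for comparing candidates rather than a guarantee.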