Well, I took your advice and purchased Version 8 to get better
encryption. I use Windows 98 on my Remote and Win 95 OSR2 on my
host. I have IE4 installed on both systems (although Netscape 4.05 is
my default navigator). The problem is that when I try to set to
PUBLIC KEY I am not able to get the Private Key Container to open so
I can select one.
I have selected a certificate common name.
How do I use PUBLIC KEY encryption?
How do I access Private Key Container?
I am able to enter symmetric encryption, however I want public key
encryption.
Please Advise.
Thank you.
Hello Steven,
Thank you for posting to the Online Technical Support forum.
The PUBLIC KEY encryption is provided by a third-party source.
As an example (using VeriSign's Digital ID), you might want to refer to
the following document available from our online knowledgebase:
How To Install Public-Key Encryption Using Internet Explorer 3.02 And
VeriSign's Digital ID
http://service1.symantec.com/SUPPORT/pca.nsf/docid/19978612542
More information related to the encryption keys is available in:
What Are PKCS And PKCS#7?
http://service1.symantec.com/SUPPORT/pca.nsf/docid/19978485813
This last document refers the reader to RSA Laboratories' website for
more information about Public Key Cryptography Standards (PKCS).
I hope this helps you out.
Thank you,
Tom Bailey [Symantec Corp.]
Product Support Analyst
Please continue to post your messages to the public discussion groups as
Symantec does not provide support via private e-mail. Thank you.
If you have difficulty getting a response, please read the following article:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/1998527114414
For free technical support newsletters, Knowledge Base support articles, our
Online Support Genie, and FAQs, visit our support page:
What a process. I did it, but I am not sure everything is working.
I configured my host from my remote, and although everything took,
when I called back I received the message that the Host was
requesting a lower encryption to pcanywhere.
Everything seemed to work well. My home/remote pca.store information
(converted from binary PKCS#7) is listed in the publickey directory
for my host, and vice-versa. The only thing that did not go well was
that my regedit file on both machines did not have a "machinekey"
folder under hkey_local_machine\software\microsoft\cryptography, and
therefore I could not determine the name that I downloaded from
Verisign. I know I got the right name because I searched their
directory and it was properly listed.
Is the message that I converted by the host to a lower encryption one
or any of the following:
1. I need to reboot or, exit and re-enter pcanywhere on my host?
2. The public/private key works only when logging in, to protect my
host, but reverts to pcanywhere once logged in?
3. Are there defects in my installation of verisign that are
evident by the lack of my machinekey computer name?
Finally, what happens if I have to reinstall a new hard disk? Do I
just retain the p7C files and just convert them into the pca.store
through certcons, or do I actually have to go through this process
again with Verisign?
Please advise.
Hello Steven,
Congratulations on your success so far.
The 'reducing encryption' is an indication that the Host is not
recognizing the Remote's encryption key.
This may be due to a number of things. From my understanding, we have
run into some problems with the current VeriSign key generation process
and Internet Explorer 4.0. I am aware, however, that the current process
and result is not the same as it was a year ago.
Perhaps the purveyor of the encryption key could help you out more.
As to your last question, if you install a new hard drive, then you will
need to the key vendor.
Sorry I couldn't help you more with this.
Now what I am trying to understand, that I find is not covered in
your information is that the process is so complicated that you
people at Symantec do not understand it nor can explain it.
Please respond to the following issues in addition to my prior
comments:
1. Do I have to have my Navigator on or loaded when using
pcAnywhere between my remote and host?
2. All I want to do is make sure that it is very difficult to crack
into my office network, which assurances I get when using Microsoft's
"dial up" network, but I want to use pcAnywhere for its features.
Does the public key encryption offer me this extra protection?
3. I only understood Microsoft's IE version 3.02 and higher to have
certain files that when installed on the system (and not loaded in
memory) were accessible by pcanywhere to enable public key. Now am I
learning:
(a) that IE4 does not have compatible files? or am I learning (b) that
the creation of a public key and private key under verisign gets
distorted and becomes non-usable for pcanywhere if I download the key
information with IE4?
**I am now more confused than before!
You need to review your weblink at
http://service1.symantec.com/SUPPORT/pca.nsf/docid/19978612542 and in
other locations that have both given wrong information and/or
misimpressions. I have followed those instructions diligently, with
two exceptions and some concerns:
exception 1: I used IE4 to create a public key.
exception 2: I did not download the certificate information created
by my host from my host when I searched Verisign for certificate
information. I instead did everything from my home (remote) and
uploaded the information of my host to my host and converted the
information into a pca.store from remote control. (I saw no
difference in this process, as all that was happening was that I was
downloading information for conversion on to my file).
Concern 1: My Remote has in the certificate common name box, the name
assigned by Verisign to my remote computer. My host has in that box,
the name assigned by Verisign the name of my HOST computer. The
names are not technically "common" to both computers. (this is what
the instructions say). This makes little sense.
Concern 2: My private key container drop down list on my remote
(home terminal) has 4 identical selections that appear to be the
Verisign numerical ID. My private key container drop down list on my
HOST has two identical selections of these Numerical ID numbers.
Concern 3: As noted, my impressions of your use of this encryption
is to get information and use a process that WEB sites use, but to
use it on my own local communication network. This should mean that
the information should never expire when my Verisign ID expires, as I
am never using this network to communicate to the web or anywhere
else. Maybe if you tell me what critical files must be in what
folders, what must appear in my registry through regedit, I can tweak
the process to make it work, and everyone will be happy.
FINAL COMMENTS: If you cannot figure this one out, then please send
me to customer service for an RMA, as there is no other benefit to
version 8 for me. I want and need higher protection for my office.
Thank you.
Hello Steven,
As I noted before, pcANYWHERE32 will make use of third party encryption
keys. It also has the ability to utilize the symmetric encryption key.
As I also attempted to point out, we do not set up the encryption key,
the third party does so.
I am sorry that I do not have the answers on encryption keys available to
give to you.
As with all of its products, Symantec does offer a 60-day return policy
on all of its software. The Customer Service department may be reached
Monday through Friday between the hours of 6:00 AM and 5:00 PM PST at
(800) 441-7234.
I don't like giving up, but there don't seem to be any answers that I
can give you. I apologize.
Regards,
Please Help with these very Basic Questions that have been modified
from the original quoted text:
On Wed, 16 Sep 1998 06:32:24 GMT, Tom Bailey [Symantec Corp.] wrote:
***1. Do I have to have my Navigator on or loaded when using
pcAnywhere between my remote and host to access encryption?
***3. According to your bulletins, I understood Microsoft's IE
version 3.02 and higher to have certain files that when installed on
the system (and not loaded in
memory) were accessible by pcanywhere to enable public key some sort
of CRYPTO File. Please advise me:
***3(a) Does IE4 have that same compatible files? or
***3(b) Does IE4 somehow when used to download and create a public
key and private key under verisign disable the uses of that public
key in pcAnywhere.
***You need to review your weblink at
http://service1.symantec.com/SUPPORT/pca.nsf/docid/19978612542 and
other locations that appear to give wrong information and/or CLARIFY
THE FOLLOWING ISSUES:
***issue1: Which Navigators to use to create a public key, IE4,
Netscape 4.05, or IE3.02.
***issue2: Do I have to create the certificate from my host or which
will never act as a REMOTE terminal, or can I just upload to my HOST
the certificate of my REMOTE terminal that was created by my REMOTE
pcAnywhere terminal.
THE INFORMATION AT ISSUE THAT IS CREATED WITH THE CERTIFICATION AND
CONVERSION IS THE pca.store CERTIFICATE NAME, THAT I can change and
rename, per your instructions, after I convert it with your
pcAnywhere utility CERTCONS.EXE.
***Concern 1: My Remote has in the certificate common name box, the
name assigned by Verisign to my remote computer. My host has in that
box, the name assigned by Verisign the name of my HOST computer. The
names are not technically "common" to both computers. (This is what
the pcAnywhere instructions say, however this makes little sense.)
***Concern 2: My private key container drop down list on my remote
(home terminal) has 4 identical selections that appear to be the
Verisign numerical ID. My private key container drop down list on my
HOST has two identical selections of these Numerical ID numbers.
***Concern 3: As noted, my impressions of your use of this
encryption is to get information and use a process that WEB sites
use, but to use it on my own local communication network. This
should mean that the information should never expire when my Verisign
ID expires, as I am never using this network to communicate to the
web or anywhere else.
Thank you for your postings.
Please allow me to attempt to explain things a bit clearer as there seems
to be some growing confusion.
1) Some larger corporate customers currently use a public/private
encryption key which they acquired from a third-party provider such as
Verisign. pcANYWHERE32 v8.0 was designed to be able to make use of these
public/private encryption keys. It does not install the public/private
keys, nor troubleshoot their use. Mainly because the company who wrote
the software would know how to setup and operate their own product.
This is similar to pcANYWHERE32's use of a network device to connect to
another machine: we do not supply the network, we merely use the network
that has been set up.
2) This encryption is only very minimally more secure than the
symmetric encryption.
3) The public/private encryption is only used at the point of
connection between the two computers, after the session is begun, the
symmetric encryption is used.
4) pcANYWHERE symmetric encryption is regenerated at each connection,
so that even if someone was able to crack the encryption, and that
cracking would take some major computer power, the next session the
symmetric encryption will be different.
5) The public/private key encryption is only utilized to
authenticate that the calling machine is who it says it is. In other
words, the public/private key encryption enhancement can be duplicated by
using the Callback feature on the Host.
6) pcANYWHERE32 v8.0 was developed to work with the installed
public/private key encryption. At the point of development, it worked in
conjunction with Verisign and Internet Explorer v3.02 (as well as the
beta of Internet Explorer 4.0). There were some changes to Internet
Explorer 4.0 related to encryption which should not cause any problems.
Verisign has not noted any changes in their product but the resulting
keys have changed. Previously, there was one key, currently three keys
show up. It has become problematic on using the public/private
encryption keys from Verisign with pcANYWHERE32 v8.0. That is, it should
work, but many times it doesn't, and no one can (or will) say
specifically why.
In answer to your posted questions:
>***1. Do I have to have my Navigator on or loaded when using
>pcAnywhere between my remote and host to access encryption?
No. If using Windows 95/98, you must have Internet Explorer 3.02 or 4.0
installed.
>***3. According to your bulletins, I understood Microsoft's IE
>version 3.02 and higher to have certain files that when installed on
>the system (and not loaded in memory) were accessible by
>pcanywhere to enable public key some sort of CRYPTO File.
>***3(a) Does IE4 have that same compatible files? or
Yes.
>***3(b) Does IE4 somehow when used to download and create a public
>key and private key under verisign disable the uses of that public
>key in pcAnywhere.
No.
>***You need to review your weblink at
>http://service1.symantec.com/SUPPORT/pca.nsf/docid/19978612542 and
>other locations that appear to give wrong information and/or CLARIFY
>THE FOLLOWING ISSUES:
>
>***issue1: Which Navigators to use to create a public key, IE4,
>Netscape 4.05, or IE3.02.
No. This is 'private', not public. The only one we know works is
Internet Explorer 3.02. However, IE 3.02 no longer works with the
current Verisign java.
>***issue2: Do I have to create the certificate from my host or which
>will never act as a REMOTE terminal, or can I just upload to my HOST
>the certificate of my REMOTE terminal that was created by my REMOTE
>pcAnywhere terminal.
The public keys are just downloaded onto the authenticating machine.
Once the stores are created they (the stores) can be copied.
>THE INFORMATION AT ISSUE THAT IS CREATED WITH THE CERTIFICATION AND
>CONVERSION IS THE pca.store CERTIFICATE NAME, THAT I can change and
>rename, per your instructions, after I convert it with your
>pcAnywhere utility CERTCONS.EXE.
The store name does not matter. All that matters is that the same store
has the correct public key.
>***Concern 1: My Remote has in the certificate common name box, the
>name assigned by Verisign to my remote computer. My host has in that
>box, the name assigned by Verisign the name of my HOST computer. The
>names are not technically "common" to both computers. (This is what
>the pcAnywhere instructions say, however this makes little sense.)
That is correct. This is the name of your public key.
>***Concern 2: My private key container drop down list on my remote
>(home terminal) has 4 identical selections that appear to be the
>Verisign numerical ID. My private key container drop down list on my
>HOST has two identical selections of these Numerical ID numbers.
At one time, this process put your private name in. Something has
changed this.
>***Concern 3: As noted, my impressions of your use of this
>encryption is to get information and use a process that WEB sites
>use, but to use it on my own local communication network. This
>should mean that the information should never expire when my Verisign
>ID expires, as I am never using this network to communicate to the
>web or anywhere else.
Incorrect. You are using a web browser to install a private key.
I hope this helps you out as I have no other information for you on this
thread.
Thank you and good luck,
Thank you for this new information on your configuration.
On 27 Sep 1998 17:51:47 GMT, Steven Kray wrote:
>Well, I have tried to abandon Public Key / Private Key encryption and
>use Symmetric Encryption.
>
>Even though my HOST is configured not to allow any lower encryption
>level, when I call in I get a message that PCanywhere host wants
>pcanywhere encryption, a lower encryption.
>
>Was Symmetric used to login my remote, and then it switched to
>pcanywhere (which is OK), or does symmetric not work as easily as I
>have been led to believe.
pcANYWHERE32 should not be doing this. If the remote and host are both
set to use Symmetric encryption, then this is what should be used in
the session, not a lower encryption.
>Again, all I care about is that the encryption prevents others from
>getting into the system. If the encryption level switches during the
>session to an easier encryption that is OK. But you told me that
>when I got that message for Public Key encryption, it meant that I was
>not screened by the higher encryption.
Encryption will not prevent users from getting into your system; this
functionality is provided by pcANYWHERE callers. Encryption protects
data being sent and received, but does not block access to the
computer.
Based on this information, and if you cannot get VeriSign's Public-Key
or Microsoft's Symmetric encryption to work, I recommend using
pcANYWHERE encryption.
For more information on what types of encryption that pcANYWHERE
supports, I recommend the following document that is available on our
Knowledge Base:
What Type of Encryption does pcANYWHERE Use?
http://service1.symantec.com/SUPPORT/pca.nsf/docid/1996122712827
If you would like to read additional material on telecommuting
security, I recommend the following article in our White Pages area
for pcANYWHERE32:
Understanding Security for Telecommuters Using pcANYWHERE, WinFax Pro,
and Norton AntiVirus
http://www.symantec.com/pcanywhere/index_whitepapers.html
Please note that the last link is a downloadable text file in Adobe
Acrobat Reader (*.PDF) file format.
---------------------------
Larry McDowall
Symantec Online Support
Symantec Corporation
---------------------------