When you start ReSecCo for the first time it checks whether a suitable version of Gnu Privacy Guard (GnuPG or GPG) is installed. GnuPG is an open source implementation of Phil Zimmermann's PGP (Pretty Good Privacy) program, developed in the 1990s. ReSecCo uses GnuPG because users must be able to review the integrity of the code that is supposed to secure their communication. Therefore I decided to link to the GnuPG project's site and ask you to download the security engine directly from there. It is very important not to use proprietary solutions in security contexts. Every cryptographic function we offer is a wrapper around GnuPG. Your communication will be secured, we guarantee that. ReSecCo needs GnuPG version 2 or later, which includes the openPGP engine and the PKCS7 (X.509) PKI.
If ReSecCo does not find a suitable version of GnuPG on your computer, it switches to a download dialogue where you can download GnuPG. There are two ways: you may use the easy way (download and install with one click), or you may visit the GnuPG project's page on the internet, where you also get useful information and documentation about GnuPG.
ReSecCo needs GnuPG. Installation of GnuPG is obligatory.
I recommend the download from the GnuPG site and its automatic installation. When the installation is completed and the computer needs no reboot, click on "OK". If the setup program announces that the computer must be restarted (this happens when a GnuPG version is already running), click on "Cancel"; the setup will be completed after the computer has restarted.
The configuration routine, which runs every time you start the program, checks the integrity of your configuration.
If you have just installed GnuPG, or if it was already there, ReSecCo asks for the folder that shall hold the GnuPG key rings. I suggest this solution:
1. Use a USB stick.
2. Insert the new (or empty) stick and check which drive letter Windows has assigned to it.
3. In ReSecCo choose this drive and create a new folder, e.g. "gnuPG".
4. Choose this new folder.
Why? You can remove the stick and take it with you. If you lose your computer (you may forget it on the train, or it might be stolen), the finder or the thief will not get your data. Moreover you can use your security equipment immediately on other computers, e.g. at work. Keep in mind that the private key on the stick is then guarded by your passphrase alone (see below).
Of course you can also use the folder GnuPG uses by default. This is "[Users]\[Username]\AppData\Roaming\GnuPG". If you prefer this, quit the folder selection dialogue by clicking "Cancel".
If you are already working with GnuPG, choose the existing key ring folder, usually "[Users]\[Username]\AppData\Roaming\GnuPG", or copy the content of the existing folder into the new folder (before or while you set the folder in ReSecCo). This is important because in the next step the ReSecCo key (WiSiKo key) will be created, and this openPGP key pair has to be stored in that key ring.
Within step 3 you will create your ReSecCo key (WiSiKo key). It is a normal openPGP key pair. It will not be used for communication; it serves ReSecCo to encrypt your ReSecCo databases, the ReSecCo archives and the passwords of your mail accounts. Moreover the ReSecCo key contains license information, provided you have bought a license. In this case, to create the key you only need to enter a passphrase.
Within GnuPG we talk about passphrases. These may be whole sentences (if wanted), but they may also consist of a normal password. Depending on how you use your computer the passphrase can be simple. It is never transmitted over the internet; it protects access to your private key on a hard disk or a stick.
If you want to install ReSecCo on more than one computer with the same ReSecCo key, you can export the existing ReSecCo key (the UID is "WiSiKo License") into a file and import it in the further installations. In that case do not enter a passphrase but click on "Key import".
If you have bought a license you will be prompted for a passphrase to protect your safe key ("WiSiKo Tresor"). The "Safe" is a folder within ReSecCo that is additionally encrypted, useful for information that must never be viewed by anyone else.
Step 5 displays the folder holding the ReSecCo databases, the archive files and the spellchecking dictionaries.
When the configuration is completed, ReSecCo starts. But there are some more things to do afterwards:
Assignment of email accounts and email addresses
You may set up as many email accounts within ReSecCo as desired. Change to "Settings - Email accounts". You will find a predefined item "Historical". This is a virtual account that gathers former email addresses that no longer exist. Note that email addresses gathered under "Historical" must be out of use: they are only used to classify imported old emails, so no access data are needed or wanted.
To set up a current email account click on "New email account". Name the new account by making an entry in the field "Notation".
You can get the proper name of the "Incoming mail server" from your email provider. Mostly it is given on the provider's web page under details about "POP3 access". The pop3 server of the German provider GMX is "pop.gmx.net", the GoogleMail pop3 server is "pop.googlemail.com". If you operate your own mail server you should know the correct name; mostly it is just the domain name, e.g. "lamprecht-software.de". ReSecCo supports only the POP3 protocol; IMAP is not supported by ReSecCo as a matter of principle.
The item "Transport security" should be "SSL/TLS". Most providers have been blocking connections without transport security since 2014. The "Port" reserved for secured connections is 995; unsecured connections have to use port 110.
You got the "Login name" from your provider. Mostly it is simply your email address or your customer id.
Another password (different from the passphrase): this password will be transmitted over the internet and should not be simple. The advice of most providers that it should contain capitals, minuscules, digits and special characters is very reasonable, because if Mallory guesses the password of your email account he can log in there, read your mails and send his own spam or malware to anyone. ReSecCo stores your passwords encrypted.
The entries for the outgoing mail server (SMTP) correspond to the entries described above.
You can get the proper name of the "Outgoing mail server" from your email provider. Mostly it is given on the provider's web page under details about "SMTP access". The SMTP server of the German provider GMX is "mail.gmx.net", the GoogleMail SMTP server is "smtp.googlemail.com". If you operate your own mail server you should know the correct name; mostly it is just the domain name, e.g. "lamprecht-software.de".
The item "Transport security" should be "SSL/TLS". Most providers have been blocking connections without transport security since 2014. The "Port" reserved for secured connections is 465; unsecured connections have to use port 25.
Login name and password for incoming and outgoing mail are mostly the same. You may check "Login as into POP3" to adopt them.
If you check "Incoming mail (POP3)", ReSecCo will fetch mails from this server; checking "Outgoing mail (SMTP)" means that you are able to send mails through this server.
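As an added illustration of the account settings above (this is my own example code, not part of ReSecCo), the following Python snippet checks a server entry the way a careful user would before saving it: transport security must be SSL/TLS, POP3 belongs on port 995 and SMTP on port 465 (110 and 25 being the unsecured ports), and the account password, which does cross the internet, must not be trivial. The minimum password length, the sample host names and the sample accounts are my own constructed assumptions; the manual gives no number for the length.

```python
"""Added example, not ReSecCo's own code: check mail account values before
they are saved, following the account settings described in the manual.
Sample hosts, accounts and the password-length threshold are constructed.
"""
import ssl
from dataclasses import dataclass

# Ports named in the manual: secured port first, legacy unsecured port second.
PORTS = {"POP3": (995, 110), "SMTP": (465, 25)}
MIN_PASSWORD_LENGTH = 12  # assumption; the manual gives no number


@dataclass
class MailServer:
    protocol: str            # "POP3" (incoming) or "SMTP" (outgoing)
    host: str
    port: int
    transport_security: str  # "SSL/TLS" or "none"
    login: str
    password: str


def password_problems(pw: str) -> list[str]:
    """Reasons a password is too weak to be sent to a provider."""
    problems = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three of: capitals, minuscules, digits, special characters")
    return problems


def check_server(s: MailServer) -> list[str]:
    """Return every finding for one server entry; an empty list means it is fine."""
    if s.protocol.upper() not in PORTS:
        return [f"unknown protocol {s.protocol!r}; ReSecCo uses POP3 and SMTP"]
    secured, unsecured = PORTS[s.protocol.upper()]
    findings = []
    if s.transport_security.upper() != "SSL/TLS":
        findings.append("transport security is off: login name and password would cross the internet in cleartext")
    if s.port == unsecured:
        findings.append(f"port {s.port} is the unsecured {s.protocol} port; the secured port is {secured}")
    elif s.port != secured:
        findings.append(f"port {s.port} is not the usual secured {s.protocol} port {secured}")
    findings += [f"password {p}" for p in password_problems(s.password)]
    return findings


def tls_context() -> ssl.SSLContext:
    """Context a client hands to poplib.POP3_SSL / smtplib.SMTP_SSL.
    The default context verifies the server certificate and its host name,
    so a forged server cannot collect the login name and password."""
    return ssl.create_default_context()


if __name__ == "__main__":
    # Constructed sample entries, not real accounts.
    weak = MailServer("POP3", "pop.example.net", 110, "none", "alice@example.net", "password")
    good = MailServer("POP3", "pop.example.net", 995, "SSL/TLS", "alice@example.net", "Tr0ub4dor&3-xyz!")
    for entry in (weak, good):
        print(entry.protocol, entry.host, entry.port, check_server(entry) or ["OK"])
    # A real session would then be opened with
    # poplib.POP3_SSL(good.host, good.port, context=tls_context())
```

The weak entry yields four findings (no transport security, the unsecured port, and two password complaints); the corrected entry yields none. The TLS context is returned rather than used so the script runs without network access.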
You may assign one or more email addresses to an email account. These email addresses must really belong to the email account. If you use an account of an email provider you may bind just one email address to this account. If you operate your own server you can assign alias addresses, which regularly have the same domain ending, e.g. on the domain "lamprecht-software.de" -> "firstname.lastname@example.org", "email@example.com", "firstname.lastname@example.org" etc. To assign an email address in ReSecCo click on "New email address" and enter the new address. If you want to alter an address later you must delete the old address first and then enter the altered address.
You may assign cryptographic keys to every email address. Further down in this section we explain how that works.
Establishing an identity
Identities in ReSecCo denominate your email presence. ReSecCo insists on honesty on the internet, and email is part of that. But be aware: stating your identity is not a strong security attribute. Like any other component of an email it can be faked. But it helps: besides your digital signature it demonstrates your seriousness. You may assign more than one identity to an (outgoing) email address, so you can operate with various identities on the same address, e.g. as a private individual or as treasurer of a club. Your identity data will be attached to every email you send as a vCard file. If your communication partner uses ReSecCo or WiSiKo, the published data will be imported automatically into his ReSecCo (or WiSiKo) address book. You may assign a photo or a logo to your "identity". Be aware that the size of your mail increases by the size of the information stored in the "identity". If you can, add photos or logos as links to your web page: simply insert the URL into the "URL" fields instead of loading the data.
Only the fields labeled in red have to be filled in.
Create your openPGP key
The ReSecCo key is needed only for internal purposes; it cannot be used for communication. To get a key usable for secured communication you have to create one. Change to "openPGP" - "Own openPGP keys": you will see the key "(1) WiSiKo License". Click on "Show key" to view details. You will notice that the email address is " - ".
As " - " is not a valid email address, you cannot use this key to communicate.
Remain in "openPGP"-"Own openPGP keys" and click on "Create new key pair".
The dialogue that appears asks for these items:
Algorithm. RSA/RSA is recommended. RSA (named after its developers Ron Rivest, Adi Shamir and Len Adleman) is the most widely used algorithm today. DSA (Digital Signature Algorithm) and Elgamal seem to be offered only for tradition's sake.
Key size. You will hear everywhere that bigger is better. There is a relationship between key size, speed and security: the bigger the key, the slower it works. And working with a key is not only your business, your communication partner has to work with it too. But you should choose a minimum size of 2048 bit.
Name/ Notation. Obligatory! Usual forms are "[given name] [family name]" or "[family name], [given name]". Company names may be used, but I recommend this only for special reasons (e.g. certifying or licensing).
Supplement/ comment. Not mandatory. This is the place to name a company, profession or title.
Email address. Obligatory!
Expiration. I recommend 10 years or longer. If your key expires every half year you will have to hand the updated key to every communication partner every half year.
Passphrase. The passphrase protects your secret key; it is not used for communication. Communication itself is protected by the key. The passphrase may be as simple as it is implausible that you lose your key.
Once these entries are made, click on "Create new key pair". Some time later you will find your key under "Own openPGP keys" and under "Foreign/ public openPGP keys".
A key created with ReSecCo will be self signed.
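As an added example (my own code, not part of ReSecCo or GnuPG) the following Python script checks the keys of a key ring against the advice just given: RSA as the algorithm, at least 2048 bit, an expiration that is not imminent, and a self-signature on the user id. It reads the machine-readable listing GnuPG prints with "gpg --with-colons --check-sigs", one colon-separated record per line. The LISTING below is a constructed sample in that format; its key ids, fingerprints, dates and user ids are invented, and the one-year renewal window is my own assumption.

```python
"""Added example, not ReSecCo's or GnuPG's own code: audit the keys of an
OpenPGP key ring against the key-creation advice in the manual.
Input format: output of  gpg --with-colons --check-sigs  (constructed sample).
"""
from datetime import datetime, timezone

ALGO_NAMES = {1: "RSA", 16: "Elgamal", 17: "DSA"}  # OpenPGP algorithm ids (RFC 4880, 9.1)
MIN_KEY_BITS = 2048            # the manual's minimum key size
RENEW_WINDOW = 365 * 86400     # assumption: warn if the key expires within a year

# Constructed sample listing: Alice's RSA key is self-signed; Bob's old DSA key
# is certified by Alice but carries no self-signature.
LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1420070400:1735689600::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1420070400::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Alice Example <alice@example.org>::::::::::0:
sig:!::1:0123456789ABCDEF:1420070400::::Alice Example <alice@example.org>:13x:::::8:
sub:u:2048:1:FEDCBA9876543210:1420070400:1735689600:::::e::::::23:
sig:!::1:0123456789ABCDEF:1420070400::::Alice Example <alice@example.org>:18x:::::8:
pub:u:1024:17:1111111111111111:1420070400:::u:::scaSCA::::::23::0:
fpr:::::::::0000000000000000000000001111111111111111:
uid:u::::1420070400::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Bob Example <bob@example.org>::::::::::0:
sig:!::1:0123456789ABCDEF:1420070400::::Alice Example <alice@example.org>:10x:::::8:
"""


def parse_listing(text):
    """Group the colon records into one dict per primary key.

    Fields used (0-based): 0 record type, 1 validity / signature status
    ('!' = good signature), 2 key length, 3 algorithm id, 4 key id,
    6 expiry as epoch seconds (empty = never), 9 user id.
    """
    keys, in_uid = [], False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "bits": int(f[2]), "algo": int(f[3]),
                         "expires": int(f[6]) if f[6] else None,
                         "uids": [], "self_signed": False, "certifiers": set()})
            in_uid = False
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
            in_uid = True
        elif f[0] == "sub":
            in_uid = False   # following sig records bind the subkey, not a user id
        elif f[0] == "sig" and keys and in_uid and f[1] == "!":
            if f[4] == keys[-1]["keyid"]:
                keys[-1]["self_signed"] = True
            else:
                keys[-1]["certifiers"].add(f[4])
    return keys


def audit_key(key, now):
    """List everything about one key that contradicts the manual's advice."""
    findings = []
    name = ALGO_NAMES.get(key["algo"], f"algorithm {key['algo']}")
    if name != "RSA":
        findings.append(f"algorithm is {name}, the manual recommends RSA/RSA")
    if key["bits"] < MIN_KEY_BITS:
        findings.append(f"key size {key['bits']} bit is below the {MIN_KEY_BITS} bit minimum")
    if key["expires"] is not None and key["expires"] - now < RENEW_WINDOW:
        when = datetime.fromtimestamp(key["expires"], timezone.utc).date()
        findings.append(f"expires {when}: every partner will need the refreshed key soon")
    if not key["self_signed"]:
        findings.append("no valid self-signature on the user id")
    return findings


def audit(text, now):
    """Map key id -> findings for every primary key in the listing."""
    return {k["keyid"]: audit_key(k, now) for k in parse_listing(text)}


if __name__ == "__main__":
    now = int(datetime(2015, 1, 1, tzinfo=timezone.utc).timestamp())
    for keyid, findings in audit(LISTING, now).items():
        print(keyid, findings or ["OK"])
```

In the sample, Alice's key passes, while Bob's key is reported three times: DSA instead of RSA, 1024 bit, and no self-signature. The same script can be pointed at your own key ring by piping the real gpg output into parse_listing.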
You may take part in a crypto campaign, like the campaign of the German provider United Internet, and already hold a suitable key pair for your email address...
Call "Mailvelope" in your browser (in Firefox it is the padlock symbol at the right of the toolbar) and choose "Options". Then choose "Export".
Within ReSecCo change to "Own openPGP keys" and click on "Import key pair". When you have selected the desired file, click on the button "Import key pair".
When you have created or imported a key pair you should assign it to an email address. Change to "Settings - Email accounts" and select the email address that fits the key.
Assign the key to the email address.
Place your trust in a few openPGP authorities
You will have heard about attacks against email users aimed at blackmailing them. You will have experienced that 80% of your incoming mails are unwanted, and you may have experienced disinformation transmitted by mail. I think it is most important to re-establish email as a trusted channel of communication, more important than encryption and other measures to protect ourselves against the activities of secret services. An email signed with a key that is only self-certified is, concerning trust, worthless. The key has to be checked by you or by an institution you trust. Such institutions are certificate authorities, well known in the world of commercial certificates but nearly unknown within the openPGP system. I know two instances engaged in spreading openPGP certificates: the German c't magazine and the Australian CA Cert. A new player is me. Check the policies published on their web sites to learn about the modalities. I suggest that you trust these authorities. In detail they are "(1) ct magazine CERTIFICATE", "(1) CA Cert Signing Authority" and "(1) WiSiKo Certificates". You can certify one or more of these keys within the "openPGP - Foreign/ public keys" section. Mark one of these keys and click on "Certify key (UID)". In the dialogue choose:
- "Marked user-id"
- one of your own keys to certify with
- "Level of trust": "full"
- "Depth of trust": "2 I trust any key certified by this key"
- "Internal certification (not exportable)"
- check "Set level of trust"
Click on "Certify".