
To get the most out of SecureZIP certificate-based data encryption, you may want to use Microsoft Active Directory as a central, LDAP-accessible repository for digital certificates. Active Directory already hosts all the users in your organization and can be leveraged to associate a digital certificate with each user account. Before you begin associating a digital certificate with each user account, there are a few steps you must take.

Step 1: You must acquire the digital certificates for all end-users from either Comodo’s integration with SecureZIP or from another Certificate Authority (CA).

Step 2: Once all end-user certificates have been acquired and installed, export the public keys from the end-user workstations and make them available on the Windows Server with Active Directory. Please refer to “Local Certificate Store Administration” in section #4 of this training manual for the process of exporting public keys.

Figure 54: Active Directory Console

Click on “View” and select “Advanced Features.”

Figure 56: Active Directory User Tree

Select a user that you wish to assign the public key for and select “Properties.”

Figure 57: Active Directory User Selection

Figure 58: Active Directory User Properties

Figure 59: Active Directory User Properties

Click on “Add from File” and browse to the location where you have saved the file containing the public key for the end-user.

Figure 60: Associating Public Key for User

Figure 61: Associating Public Key for User

Repeat the above steps for all the users in Active Directory and associate their respective certificates.

Once all the associations are complete, take note of the group tree structure as you will be required to enter the information as the LDAP settings when configuring the SecureZIP Enterprise Policy Manager. In the above example, the LDAP settings for SecureZIP are as follows:

Figure 62: SecureZIP LDAP Setup

Notice the base values are matched with the Active Directory tree structure. You will be required to define the base when configuring SecureZIP for LDAP lookups. For the organization-wide implementation of SecureZIP Enterprise Policy Manager, it is recommended to choose the “current logged-on account” setting for the login. Once the SecureZIP Enterprise Policy Manager LDAP setup is complete, do a “Query Server” to test if the applied settings are returning expected results.
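The per-user association and the follow-up check can be scripted for a whole directory. The PowerShell below is an added example, not taken from the SecureZIP manual; it assumes the ActiveDirectory RSAT module, a hypothetical export folder `C:\CertExport` holding one `<sAMAccountName>.cer` file per user, and a placeholder search base that you replace with the base noted for the SecureZIP LDAP settings.

```powershell
# Added example, not from the SecureZIP manual. Assumptions: ActiveDirectory RSAT
# module; hypothetical folder C:\CertExport with one <sAMAccountName>.cer per user;
# placeholder search base (use the base you noted for the SecureZIP LDAP settings).
Import-Module ActiveDirectory

$exportDir  = 'C:\CertExport'                 # hypothetical export location
$searchBase = 'OU=Staff,DC=example,DC=com'    # placeholder base DN
$now        = Get-Date

foreach ($file in Get-ChildItem -Path $exportDir -Filter *.cer) {
    $sam  = $file.BaseName
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName

    # Only public certificates belong in the directory.
    if ($cert.HasPrivateKey) { Write-Warning "$($file.Name): holds a private key, skipped"; continue }

    # Do not publish a certificate that is outside its validity period.
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning "$($file.Name): outside validity period, skipped"; continue
    }

    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -SearchBase $searchBase -Properties Certificates
    if (-not $user) { Write-Warning "${sam}: no matching account under $searchBase, skipped"; continue }

    # Skip certificates already published for this account (compare certificate hashes).
    $known = foreach ($c in $user.Certificates) { $c.GetCertHashString() }
    if ($known -contains $cert.GetCertHashString()) { continue }

    # Writes the certificate to the account's userCertificate attribute,
    # the same attribute the "Add from File" dialog populates.
    Set-ADUser -Identity $user -Certificates @{Add = $cert}
    Write-Output "$sam <- $($cert.Subject), expires $($cert.NotAfter)"
}

# Accounts still without a published certificate: a lookup for these returns nothing.
Get-ADUser -LDAPFilter '(!(userCertificate=*))' -SearchBase $searchBase |
    Select-Object SamAccountName, DistinguishedName
```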

encrypted or digitally signed ZIP files. A digital certificate provides an alternative to using a password when securing data. In order to encrypt files to send to someone else, you can either encrypt using a password or you can use their public key. The recipient can only open the files you send if they are provided the password or if they have the private key corresponding to the public key used for encryption.

Using passwords is easy, but it is difficult to safely exchange a password and even more difficult to remember it over time. Digital certificates provide stronger protection and eliminate difficulties associated with using a password. A digital certificate consists of a private key and a public key. Your private key is something which you hold securely and use to decrypt ZIP files or to digitally sign ZIP files for authentication purposes. Your public key is given to others that need to encrypt ZIP files that you are allowed to open. View the SecureZIP tutorial for more information on using digital certificates at http://www.pkware.com/documents/flash/flash_tutorial.html

FAQ #2: My SecureZIP digital certificate is about to expire. How do I renew it?

A digital certificate’s life span is defined by the issuing organization. When the certificate expires, you should renew your certificate to receive a new certificate good for the next term. Renewal is required to ensure the integrity of the certificate you use. Each term, a new certificate is issued to you as a means of confirming you remain the authorized user of the certificate issued in your name. This provides assurances to those people receiving signed ZIP files from you that you are who you say you are.

Approximately two weeks before your certificate expires, SecureZIP will display a reminder prompt informing you that the certificate you are using is about to expire. SecureZIP will report this for your SecureZIP certificate as well as for certificates you may have received from other vendors.

Contact the FAA Technical Support Line to inquire about renewing your personal digital certificate.

FAQ #3: After my certificate expires, can I still decrypt my ZIP files?

Yes. In fact, you should retain your expired digital certificate for as long as you anticipate you will need to decrypt data that was encrypted for that certificate. When you receive a new certificate through a renewal process, it will not open data you have encrypted with your expired certificate. You should always retain each certificate to ensure you can always open all of your encrypted ZIP files.

via Contingency Key usage.

FAQ #5: What is a split archive? How do I create a split archive?

A split archive is a .ZIP file that is broken into smaller segments. A split archive is useful if you plan to place the file onto removable media later or want to send a large archive as an email attachment and your mail system has restrictions on the size of attachments.

FAQ #6: What are the current file size and number limitations in PKZIP and SecureZIP?

Currently PKZIP can support up to 250,000 files in a single archive; the total file size limit to compress is 18 petabytes.

FAQ #7: When does PKZIP/SecureZIP create temporary files? Can someone who accessed my temporary files read my data?

There are several operations for which PKZIP/SecureZIP creates temporary files:

• Opening and editing archived files without first extracting them: When you double-click a file in an archive to open it in its associated application, SecureZIP creates a temporary copy of the archived file for you to work on. This file is uncompressed and unencrypted while you are working on it.

• Updating an archive: When you update an archive, PKZIP/SecureZIP first creates and updates a temporary copy of the archive. When the update is completed, the original archive is replaced with the updated copy. Data in the temporary file is encrypted if it was encrypted in the archive you are updating. Similarly with new or updated files for the archive - they are encrypted in the temporary file if they are to be encrypted in the updated archive.

• Creating a spanned archive: A temporary file is created to span an archive in segments across multiple discs or other media. Data in the temporary file is encrypted if it is to be encrypted in the final archive.

FAQ #8: I received a non-FIPS encrypted ZIP file that SecureZIP is not able to decrypt. Why?

SecureZIP is configured to process FIPS enabled options. One of the FIPS requirements is to ensure that both incoming and outgoing data is protected utilizing FIPS algorithms. If the

forgotten or a decryption key lost - while still strongly protecting the data.
