
Email Encryption

  • 09-06-2006 7:42pm
    #1
    Registered Users Posts: 9,557 ✭✭✭


    Basically, I'm a bit cheesed off with Microsoft's approach to email encryption.

    I'm designing an application that automatically accepts an encrypted file via email.

    Company A (my client) accepts an encrypted file from company B via POP3/SMTP.

    Company B possesses Company A's public key.

    However, company B need to have a digital certificate of their own in order to get Outlook to encrypt the file in the first place. I mean, WTF?

    I've decided to use 128-bit DES3 anyway (the encryption algorithm Outlook uses).

    But is there a simpler way for Company B to encrypt their email? Any handy open-source command-line utilities anyone could recommend?


Comments

  • Registered Users Posts: 1,275 ✭✭✭bpmurray


    For really, really good security, Lotus Notes is probably the best out there. However, it's an expensive solution for E-mail only.

    If you're doing this kind of thing on a shoestring, you could try hacking at sendmail to see if you can add an extra layer of encryption.


  • Registered Users Posts: 250 ✭✭ikoonman


    You could always intercept the email on the client before it's sent via SMTP and encrypt it with your own custom encryption using Layered Service Providers.


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    ikoonman wrote:
    You could always intercept the email on the client before it's sent via SMTP and encrypt it with your own custom encryption using Layered Service Providers.

    Nice idea, but I don't have any control of what my client's clients use email-wise. I'm just basically exploring options and want to keep the solution as generic and as simple as possible.


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    You seem to be talking about 2 different things, emailing an encrypted file, and sending an encrypted email. If the file being emailed is encrypted before being attached to a mail, then presumably the email itself won't need encryption and you won't have to worry about how Outlook handles it, digital signatures etc.


  • Registered Users Posts: 4,188 ✭✭✭pH



    I've decided to use 128-bit DES3 anyway (the encryption algorithm Outlook uses).

    But is there a simpler way for Company B to encrypt their email? Any handy open-source command-line utilities anyone could recommend?

    Yes, the GNU Privacy Guard (GnuPG). Add this using Enigmail to Thunderbird and you're done (What are you using Outlook for anyway!)


  • Closed Accounts Posts: 2,046 ✭✭✭democrates


    In fairness MS are not to blame, that's standard practice since long before they started using the technology.

    If Bob encrypts a file with Alice's public key then only Alice can read it with her private key, fine.
    But Alice has no idea who sent it, anyone could have her public key. Secrecy of the payload has been achieved during transmission, but not the identity of the sender. How secure is that?

    However if Bob also uses his private key in the encryption, then Alice can open it with her private key and Bob's public key, and know it came from Bob. Secure.

    Management need to understand that in order to set up secure email as described, both sender and receiver have to set up for it and exchange public keys. GnuPG is ideal as pH said, there's also a free plugin for Outlook.

    An alternative might be to set up an SSL form on Alice's website, give logons for senders or have them register and email them a password (note this does not verify the sender id., e.g. anyone can set up a Hotmail account under someone else's name), and allow them to upload files. These can be encrypted on the site and emailed to Alice. I haven't done it before so I won't insist it's a secure system but it's something I might look into if the problem were on my desk.

    Assuming Alice is your customer, what solution you pick depends on how many Bobs there are, and if they are once-off senders or do so on a continuing basis. E.g. it's not feasible to expect thousands of once-off senders to set up GnuPG, but 20 regular senders may be convinced.


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    pH wrote:
    Yes, the GNU Privacy Guard (GnuPG). Add this using Enigmail to Thunderbird and you're done (What are you using Outlook for anyway!)

    I've no control over what software my client's clients can or should use.

    I'll just make sure they get my client's public DES3 key and let them decide for themselves what to use.


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    It's quite a while since I've done anything with encryption so I could be way out here, but two things are jumping to mind. One is that the DES3 key should be 192 bit (64x3), if not it's going to be padded. The other, more important, thing is that I thought DES3 was synchronous encryption, as in it uses one key to encrypt and decrypt, not a public/private key system?


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    stevenmu wrote:
    I thought DES3 was synchronous encryption, as in it uses one key to encrypt and decrypt, not a public/private key system?

    This is what I'm trying to find out!

    Outlook uses it by default, so I'm sure there's a public-key element to it.
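
An added example, not part of the thread, illustrating democrates' sign-and-encrypt description and stevenmu's question about 3DES: in S/MIME the body is encrypted with a one-time 3DES key, and that key is wrapped with the recipient's RSA public key. It uses the `openssl` command line; the party names, self-signed certificates and payload are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example; all names, certificates and file contents are constructed.
set -eu
work=$(mktemp -d)

# Self-signed RSA certificate + private key for one party (demo only).
make_cert() {  # $1 = party name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# Sender: sign with own private key, then encrypt to the recipient's cert.
# -des3 matches the thread; -aes-256-cbc is the usual choice today.
sign_then_encrypt() {  # $1 = sender, $2 = recipient, $3 = infile, $4 = outfile
  openssl smime -sign -binary -nodetach -signer "$work/$1.crt" \
    -inkey "$work/$1.key" -in "$3" -outform PEM -out "$work/signed.p7"
  openssl smime -encrypt -des3 -binary -in "$work/signed.p7" \
    -outform PEM -out "$4" "$work/$2.crt"
}

# Recipient: decrypt with own private key, then require a signature that
# chains to the certificate already held for the expected sender.
decrypt_then_verify() {  # $1 = recipient, $2 = sender, $3 = infile, $4 = outfile
  openssl smime -decrypt -inform PEM -in "$3" -recip "$work/$1.crt" \
    -inkey "$work/$1.key" -out "$work/inner.p7" &&
  openssl smime -verify -binary -inform PEM -in "$work/inner.p7" \
    -CAfile "$work/$2.crt" -out "$4" 2>/dev/null
}

# List the key-wrapping and content-encryption algorithms in the envelope.
envelope_algorithms() {  # $1 = encrypted file
  openssl asn1parse -inform PEM -in "$1" \
    | grep -oE 'rsaEncryption|des-ede3-cbc' | sort -u | paste -sd' ' -
}

make_cert company-a   # recipient
make_cert company-b   # sender
printf 'constructed payload\n' > "$work/report.txt"
sign_then_encrypt company-b company-a "$work/report.txt" "$work/report.p7m"
echo "envelope uses: $(envelope_algorithms "$work/report.p7m")"
decrypt_then_verify company-a company-b "$work/report.p7m" "$work/out.txt"
cmp "$work/report.txt" "$work/out.txt" && echo "decrypted, sender verified"
```

Dropping the `-sign` step leaves an envelope that needs only the recipient's certificate, which is the unauthenticated case democrates describes.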

