Atlantis Word Processor Encryption 2

[JimInKS]

I have been looking for an easy and inexpensive way for nurses in the field to e-mail patient notes.

I found Atlantis (

http://www.rssol.com/)that

looks like a neat little word processor and claims to have strong encryption.

Does anyone know anything about Atlantis or of a way to verify their encryption claims?

 

[Salem]

Well you should read this FAQ to assist with your research

http://www.interhack.net/people/cmcurtin/snake-oil-faq.html

The points which I think you need to focus on

== Secrecy vs. Integrity: What are you trying to protect?
I would imagine that for patient information, you would want to make sure that the messages are authentic.
Undetected tampering with the message is at least as serious as unwanted disclosure.

== Keys vs. Passphrases
They may have a 256 bit key, but your users are going to be using typically quite short pass phrases. If they use the passphrase as the key (this is a big NO-NO), then a passphrase of "fred" is about 10 bits, not 256 bits.

== Secret Algorithms
Their web page mentions "the Atlantis encryption function". Is this secret, or is it an implementation of one of the standard algorithms like DES?

== Recoverable Keys
Ask if they have any means to recover an encrypted message. If they have, then it isn't secure.

Personally, I would use a specific encryption product like PGP just for the encryption. If you like the word processor as a word processor, thats fine - but verifying its encryption credentials could be rather more difficult, with no guarantee of a passing grade.

 

[SgtB]

Look into PGP

http://www.pgpi.org

Version 7.03 is free.

I'll see your DMCA and raise you a First Amendment.

http://www.anti-dmca.org

 

[pansophic]

The real question is what is your goal? Their claim is that they use 256-bit encryption, which, as stated earlier means absolutely 0.

They probably mean that they are using a 256-bit key, but they amusingly make no claims as to the algorithm. You'd like to think that they are using AES (Rijndael) in the 256-bit key mode, but if they were, you'd think that they would claim it. AES is available as a Crypto Service Provider in Windows, but not in the 256-bit key version (that I know of). 128-bit key AES is supported and bundled with IE 5.01 and newer.

Are you attempting to comply with HIPPA requirements? If so, you will probably be better off with a solution such as PGP, or a VPN (site-to-site or client-to-site). Anything that is non-voluntary and preferrably uses non-repeating keys.


pansophic

 

[JimInKS]

Thank you all for your responses. You have addressed most of my concerns and I guess I know what the right answer is. Using software from an untrusted source is not a good idea, especially when security and privacy are the goals.

What I was looking for was a simple way to provided some reasonable level of protection to data in transit. Atlantis seems to fit this niche pretty well. A simple, small, portable word processor with encryption.

In my case a nurse in the field could type notes with a simple word processor, 'secure' the document with a simple passphrase that had been agreed upon, and e-mail the document to the office. The notes would then be cut and pasted into the patient official record by a transcriptionist.

If we proceed in this area I will probably end up with a PGP solution of some kind.