
E-mails from Notes are just as vulnerable as others... right?

Status
Not open for further replies.

Nate1749 (Programmer, US), Nov 1, 2002
We're trying to implement some encryption software in both our work environment and a company who we work closely with and regularly transmit confidential information with.

We decided on a program called DigiSecret by Tamos to encrypt all of our files so that we can safely send them through e-mail.

When we asked the other company to purchase this software their IT's reply was that they will not purchase nor support any encryption software, because Notes is very secure and has never been hacked.

I couldn't believe that was an IT's response, so before I reply I want to clarify some things.

Notes (Domino) works the same way as Outlook (Exchange) does in the way that it handles e-mail in a security sense. Meaning, Notes doesn't encrypt its messages nor attachments within them, correct?

I think their IT department may think we're talking about something like PGP, but really this program functions more like WinZip. The approach we're taking with DigiSecret is our e-mail will still be left vulnerable, but no confidential information will be in them only within the attached files which will be encrypted.

If Notes does function like outlook, then there is basically no security and anyone with a packet sniffer could view this information, correct?

-Nate
 
Notes supports S/MIME for sending and receiving Internet email, which will allow digitally signing and encrypting of messages sent to the Internet, by adding an Internet certificate to the user's ID file (and choosing to sign/encrypt the message before sending it).

Without an Internet certificate, email sent out to the Internet will be clear text, just like any other email solution.

The administration help database contains information on how to setup your server and clients with internet certificates.

For Notes-to-Notes traffic you can choose to encrypt your message before sending, but there's also the option to configure the Domino servers to use encryption for network traffic.

PGP also offers integration with Notes regarding signing and encrypting messages.

Woonjas
IRC: #notes on EFNet
 
"Without an internet certificate email sent out to the internet will be clear text, just like any other email solution."

How do I know if they use Internet certificates or not when sending us e-mail? We have never received or had to install anything on our side of things.

You mean the e-mails they send us are encrypted along the way (if they're using S/MIME), then when they reach our server they decrypt themselves so they can be read?

-Nate
 
I understand Notes has a long history of security awareness and was among the early adopters of public key cryptography. It can handle 2 levels of key, one for domestic U.S. use only, and the other for international use.
 
Nate1749:

Emails are clear text, unless the sender and receiver agree to a common encryption protocol and have each other's encryption certificate.
Which means that if you do not have your correspondent's certificate installed on your mail client (or server), then you do not have encrypted email.
Email does not encrypt "along the way", nor does it decrypt itself. Email encryption is an active process, and sometimes a great nuisance.
Notes can make it transparent, but if and only if you are corresponding with another Notes user AND you have his Public Key in your own Address Book - and vice-versa. If all those conditions are realised, then encrypted mail is an option-click away.
In any other situation, you have to "manually" agree on a common encryption tool, create and acquire the keys to each other's encryption certificate, and THEN you can send encrypted mail. By the way, if security is your problem, I would avoid sending an encryption key over the Web in an unencrypted mail. Or via FTP download via an insecure portal.

cdingman:

Actually, Notes can handle a few more levels than that, since the international version has been declined in 64-bit, 48-bit and 36-bit versions, plus a few more I do not remember just right now.
The US domestic version used to be the only one using full 128-bit encryption, but I think that has changed due to a (Russian?) laboratory having published a home-grown, 128-bit RSA-compatible encryption algorithm. When that happened, the USA had to ask itself what it preferred: allowing its 128-bit algorithm to be used abroad, or losing a worldwide security market. I trust the answer is obvious.

Pascal.
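One way to answer the "how do I know if they use Internet certificates" question above is to look at the MIME structure of what actually arrives, since S/MIME announces itself in the Content-Type header. This is an added example, not code from the thread; the three sample messages are constructed, with dummy base64 bodies that are not real PKCS#7 data.

```python
import email
from email import policy

# Constructed sample messages (not from the thread); only the headers that matter are kept.
PLAIN = """Subject: Q3 figures
Content-Type: text/plain

Attached are the confidential numbers.
"""
ENVELOPED = """Subject: Q3 figures
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""
SIGNED = """Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Attached are the confidential numbers.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglg
--b1--
"""

def smime_status(raw: str) -> str:
    """Return 'encrypted', 'signed-only' or 'cleartext' from MIME structure alone.

    S/MIME (RFC 8551) carries encrypted mail as application/pkcs7-mime with
    smime-type=enveloped-data. Clear-signed mail is multipart/signed with a
    pkcs7-signature part: it proves who sent it, but the body is still readable
    to anyone watching the wire, which is the thread's point about confidentiality.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        stype = (msg.get_param("smime-type") or "").lower()
        if stype == "enveloped-data":
            return "encrypted"
        # signed-data is opaque-signed (readable once unpacked); anything else hides nothing
        return "signed-only" if stype == "signed-data" else "cleartext"
    if ctype == "multipart/signed" and "pkcs7-signature" in (msg.get_param("protocol") or ""):
        return "signed-only"
    return "cleartext"
```

Run it against mail you have actually received from the other company: if every message comes back "cleartext", no certificate exchange is happening, whatever their IT department says.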
 
Nate1749 is the closest response to the issue. In a 'nutshell', Lotus Notes can provide encryption and signing within the same Notes domain if the Client and Server have been configured to do so. However, mail sent to an address interpreted by the Notes Mail Client/Server process as external (i.e. does not come from any internal or externally cross-certified address books) is treated as Internet Mail and signing and encryption (even if configured) is stripped off. You therefore are limited in options for genuine secure e-Mail but 1) PGP 8, which can encrypt attachments or even blocks of text within the body of the e-Mail, or 2) PKIMagic (which has been the best PKI certificate solution for Notes for years) are both worth exploring (we have tried them ourselves).

Hope this helps
 
cazulp

Notes CAN cross-certify different organizations (not the same as domains, though many people use the terms interchangeably).

I think you have hit upon another option here - native Notes to Notes mail is another way to pass secure mail over the Internet (which is after all, just a very big TCP network).

Other than that, S/MIME mail IS encrypted over the Internet.

cheers

Find me @ onlinecorporatesoftware.com
 
Thanks so much, this is what I thought (always plain text unless both agree on some type of encryption standard; have keys/certificates), but their IT department told me different. Very scary since this is the IT department of an international Fortune 500 company.... yikes.... Also, thanks for all the extra technical detail on Notes; I only knew general concepts, not all this... THANKS!!

-Nate
 