encrypting emails - can this be done?

May 2, 2006
I am being asked to figure this out pretty quick so I am going to see if you guys have any ideas along with just researching it myself. An employee at my company needs for her department to be able to send emails that are encrypted to various companies. She says that she gets emails from companies that are encrypted and says she was never required to initially download any type of software to view the encrypted emails. Is there such a product? I found PGP but it does require the receiver to download a small app once to view the encrypted emails. She does not want the receiver of her encrypted emails to download anything to read them.
 
We use PGP to encrypt our e-mails with our needed partners.

Dan
 
I would ask for a contact from the company she received this email from, to find out what the other company is using. I've never really heard of a program that doesn't require some sort of download or app to unencrypt an encrypted email. Just doesn't make sense of how that was possible.

Your company doesn't use PKI at all do they? If your company does, check to see if there is a "trust" set up with this other company.....
 
Indeed, if you didn't need something at the other end for decryption... well it wouldn't be very good encryption at all.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
This isn't actually encrypting the email, but you can put your correspondence in a Word or Notepad document, put it in WinZip, and encrypt it there. The only software they'll need on the other end is WinZip which is pretty common. Just send them the zip file with the encrypted file in it and then call them and give them the password.
 
MS Office password protection is not very secure either. Do a search for Word password crack and you'll find dozens, if not hundreds, of links to break the password of MS Office files, some of them free. Might as well not even bother to password protect it.

If you have someone who knows a little C/C++ you can use Bruce Schneier's source code to create a Blowfish tool or find many free tools that will encrypt/decrypt files for you. You'll still need to work out a common key to share with the people you exchange the email with.

Then again if you have to go to that much effort you may just as well find a free version of PGP and install it.

Ralph Kolva
 
I'm not talking about MS Office encryption, I'm talking about WinZip's encryption. It uses both 128 bit and 256 bit AES. From the WinZip help files...
WinZip said:
AES encryption: AES is the Advanced Encryption Standard, which is the result of a three-year competition sponsored by the U.S. Government's National Institute of Standards (NIST). This encryption method, also known as Rijndael, has been adopted by NIST as a Federal Information Processing Standard.

WinZip supports AES encryption in two different strengths: 128-bit AES and 256-bit AES. These numbers refer to the size of the encryption keys that are used to encrypt the data. 256-bit AES is stronger than 128-bit AES, but both of them can provide significantly greater security than the standard Zip 2.0 method.
This should be more than enough for your typical sensitive email exchange between companies.
 
Thank you very much for your help! I am just going to use PGP.
 
I see, my mistake. Rijndael, like Blowfish, is a top notch encryption algorithm. I wouldn't hesitate to trust either and you'll probably find that most encryption tools will allow you to choose between several recognized algorithms.

You'll still have to share the key between users and if an unintended user gets a hold of it your security is totally hosed.

Ralph Kolva
 
I have read about encryption programs that create executables with the encrypted data as part of the program. The program is the decryptor, with the data that verifies the password is stored in the program, along with the encrypted information. Since the decryption program is part of the message, nothing has to be installed on the recipient's computer.

Lee
 
So, you would want a user clicking on an executable? Most companies block executables at the mail server, with good cause.
As for your comments, I'm kind of confused with your statements. "There are encryption programs that create executables with the encrypted data as part of the program." Okay, I can dig that, however, your next sentence, "The program is the decryptor", HUH? Did you just say that the program needs to decrypt the message, by checking data in the executable? Wouldn't that require software on the recipient's computer, or the program to be launched from the recipient's PC? Wouldn't that require some additions to the capabilities of the recipient's PC to recognize the program?
 
The executable program sent to someone contains the decryptor, the password checking (I'd guess some kind of hash value of the original password), and the encrypted file. Clicking on the executable prompts for a password, then decrypts the file if the password is correct. I've read about this on tech boards for medical transcriptionists. This is how some of them transmit files to technology-deficient doctors or other medical staff without forcing the medical professionals to install specific decryption software on their computers. Yes, there sometimes is a problem with email clients not accepting executables, but that's more easily handled than getting some people to install software on their computer and then how to use it.

Programs that make distributable setup files (setup compilers, like Inno Setup, for example) to install programs do the same kind of thing, with the setup program running, unpacking and installing everything based on data included in the final executable. You can add any data you want to the end of an executable, and the executable can read itself like any data file and extract data from itself.

Lee
 
The sender's browser may be encrypting the content with a cert. Given the proper circumstances, the decryption could occur with the appearance of being "automatic".

Steve
 
It's never an ideal way of transferring truly confidential data. You don't want to be transferring the key along with the package, you're back to basic brute force then.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Sounds a lot like what SamBones was suggesting. I use PKZip, not WinZip, but can't WinZip add encryption to a self-extracting archive? That's essentially what this MEP software sounds like it's doing. Just a compression tool with AES that creates a self-extracting archive file.

The comments about emailing exe files may still cause you some problems. I use gmail and it blocks exe and ZIP extensions. I seem to recall that one of our client's virus scanners even blocked an exe with a renamed extension, there was no way to get a self-extracting archive file to them through email. My guess is that MEP would probably not get through to that client either. BTW, our clients are clinical research centers who are very security conscious due to HIPAA.

Ralph
 
The password is obviously NOT transferred with the message, only a hash value of the password, or some other one-way value that's created from the password. It would be no more susceptible to brute force cracking than any other method of transferring secure data.

Email scanners and filters can be configured to allow different things to pass, and it would be up to the client to get things set up to allow the data to be emailed in the format they require or want.

Lee
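
Added example (not from any poster in this thread, and not the format of any real product): a minimal Python sketch of the self-decrypting layout described in the posts above, where the payload is appended to a stub and a password check is stored alongside it. The trailer layout, all names, and the SHAKE-256 keystream (a standard-library stand-in for AES) are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

MAGIC = b"SDA1"        # hypothetical trailer marker
ITERATIONS = 600_000   # PBKDF2 cost: the work required for every password guess
TRAILER = struct.Struct("<4s16sI32sI")  # magic, salt, iterations, tag, payload length


def _keys(password: str, salt: bytes, iterations: int):
    """Derive separate encryption and MAC keys from the password."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return okm[:32], okm[32:]


def _xor_stream(key: bytes, salt: bytes, data: bytes) -> bytes:
    # Stand-in cipher so the example needs only the standard library;
    # a real tool would use AES, as discussed in the thread.
    stream = hashlib.shake_256(key + salt).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def pack(stub: bytes, plaintext: bytes, password: str, iterations: int = ITERATIONS) -> bytes:
    """Return stub + ciphertext + trailer, the layout of a self-decrypting file."""
    salt = os.urandom(16)
    enc_key, mac_key = _keys(password, salt, iterations)
    ct = _xor_stream(enc_key, salt, plaintext)
    # The stored "password check": a keyed tag, not the password itself.
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return stub + ct + TRAILER.pack(MAGIC, salt, iterations, tag, len(ct))


def unpack(blob: bytes, password: str):
    """Read the trailer from the end of the file; None means wrong password."""
    magic, salt, iterations, tag, n = TRAILER.unpack(blob[-TRAILER.size:])
    if magic != MAGIC:
        raise ValueError("no payload trailer found")
    ct = blob[-TRAILER.size - n:-TRAILER.size]
    enc_key, mac_key = _keys(password, salt, iterations)
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc_key, salt, ct)
```

The salt, iteration count and tag all travel inside the file, so anyone holding a copy can run the password check as often as they like with no server to rate-limit them. The protection therefore rests on the passphrase strength and the key-derivation cost, not on the password being absent from the message.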
 
"It would be no more susceptible to brute force cracking than any other method of transferring secure data"

I beg to differ, as would many others I think!


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 