encryption programs 2

hoose

Technical User
Jun 5, 2003
43
CA
hi everyone

I'm working on a research study where researchers need to send data back to our research office from the field. Due to the small scale of the research team, we have decided to use email to transfer our data. I need to encrypt our data before transfer.

Does anyone know a good (inexpensive, secure, and easy) way to go about this?

Thanks
 
There is a drawn out discussion on the use of PKZip standard encryption in thread83-614089.

There is a writeup on this under "Secure Data Exchange" in Word format at:


The main issues with the conventional zip encryption are outlined there, along with ways to circumvent the known problems. But you might look at current versions of either PKZip or WinZip. They both offer types of encryption that are (so far) believed not to have the problems the standard zip encryption has.

In any case you still need to use high-quality passwords: lengthy ones to defeat brute-force cracking, non-word "random" ones to defeat dictionary attacks, and limit the number of uses of a password to limit the cost if one is leaked by somebody.

Another choice might be RAR (or WinRAR), which works in a similar manner but has (supposedly) better security than standard zip encryption.


I found some free stuff here too:


I don't think the archivers (various Zip utilities, RAR, etc.) can integrate into email clients a la PGP, but they are a lot simpler to manage than dedicated encryption tools such as those based on asymmetric keys.

So keeping in mind the need for good password management something like this might meet your requirements (inexpensive, secure, easy). If you can handle the restrictions discussed in the thread cited above you can use free products such as FreeByte Zip or the InfoZip tools:


You have to understand the limitations and exercise the proper care using any encryption tool. But you might be quite happy with a product like PGP (or GPG, sort of a free clone).
 
I use the Linux version of GnuPG (GNU Privacy Guard) and love it. There is a Windows port available on SourceForge. It provides strong Asymmetric Key encryption that can be implemented automatically in Kmail and several other mail clients (I'm told). I have mine set up to automatically encrypt to email addresses for which I have a key.

It is compatible with PGP, so if a user would rather use PGP, it is fine.


You have to read the docs though. Kmail doesn't support attachment encryption by default and you have to go through some gyrations getting it to work. But the email encryption is completely integrated.


pansophic
 
Yep, I haven't worked with it yet but I hear a lot of good things about GPG so far too. I still think the average office worker or student who isn't into computers is going to balk at the setup and the process of dealing with asymmetric keys though. And if you are in a larger organization try getting something like PGP past your "desktop guardians" and their software policies. ;)

I made a foolish assumption about Windows in my post above, but one of the good things about Zip encryption (properly used of course) is its platform neutrality. RAR is getting some good multiplatform representation too of course, and PGP/GPG are pretty widely represented if you need "real" encryption.
 
I actually run into more people who block zip than pgp in their mail guardians, especially if the PGP is ASCII armored.

I've failed to see the difficulty in setting up keys. You really run a program, push the little generate key button, and move your mouse or type at the keyboard until it says OK.

Distributing the keys can be difficult for the computer handicapped, but even that is not much more difficult than attaching a file to an email.


pansophic
 
thanks for all the help

i have one more question though.

I am unable to get email accounts set up for the researchers (they are contract employees and the computer unit will only give email accounts to full time employees).
Which is a huge pain as the field researchers are not computer literate and will have difficulty encrypting a file manually.

Does anyone know of security problems with free, web based email? (yahoo, etc)

 
Does anyone know of security problems with free, web based email? (yahoo, etc)

Not if you encrypt the message first! (type message in Notepad or MS-Word, save to disk, encrypt file, send file as attachment).

Obviously, using something like Outlook or Eudora that PGP/GPG integrates with would be easiest for a novice, as you typically just check an option on the toolbar to encrypt the message. If the recipient is found in your keyring, you're done. If the recipient isn't found, then a name-lookup is done against the PGP directories. Which, while the user doesn't have to do anything, is time-consuming.

Of the major web-based email programs, I get all kinds of spam off my Hotmail account (very annoying), but have yet to get any thru my Yahoo account.

Chip H.
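
The key generation, key hand-off and encrypt-then-attach steps described in the posts above, as an added GnuPG example that is not part of any poster's message. The address office@example.org, the file names and the CSV row are constructed for the demo, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example: office key pair, public-key hand-off, armored encrypt, decrypt.
# Addresses, file names and CSV contents are constructed for this demo.
set -eu

roundtrip() {
    work=$(mktemp -d)
    office="$work/office"; field="$work/field"
    mkdir -m 700 "$office" "$field"

    # Office, once: create the key pair. The empty passphrase is for the demo
    # only; a real office key should be passphrase-protected.
    gpg --homedir "$office" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Research Office <office@example.org>' default default never

    # Office: export the public half. This is the only file researchers need.
    gpg --homedir "$office" --batch --armor \
        --export office@example.org > "$work/office-pub.asc"

    # Field: import it and read back the fingerprint, which should be compared
    # with the office over the phone before the key is used.
    gpg --homedir "$field" --batch --quiet --import "$work/office-pub.asc"
    fpr=$(gpg --homedir "$field" --batch --with-colons --list-keys \
          office@example.org | awk -F: '$1 == "fpr" { print $10; exit }')

    # Field: encrypt the data file to that exact key. --armor gives a text
    # attachment; --trust-model always stands in for the manual check above.
    printf 'site,subject,value\nA,001,42\n' > "$work/data.csv"
    gpg --homedir "$field" --batch --quiet --trust-model always --armor \
        --recipient "$fpr" --output "$work/data.csv.asc" \
        --encrypt "$work/data.csv"

    # Office: decrypt with the private key that never left the office.
    gpg --homedir "$office" --batch --quiet \
        --output "$work/data.out" --decrypt "$work/data.csv.asc"

    head -n 1 "$work/data.csv.asc"
    cmp -s "$work/data.csv" "$work/data.out" && echo "roundtrip-ok"

    # Stop the per-homedir agents and remove the scratch keyrings.
    GNUPGHOME="$office" gpgconf --kill gpg-agent || true
    GNUPGHOME="$field" gpgconf --kill gpg-agent || true
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then roundtrip
else echo "gpg is not installed; nothing to run" >&2; fi
```

The researcher only ever holds the office's public key, so a lost field laptop or a compromised webmail account exposes ciphertext but not the means to decrypt it.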
 
Here's my message from above, after being encrypted with PGP (in ASCII mode so it doesn't give Tek-Tips any problems)

 
Even though I prefer PGP (GPG) over other solutions (I am a security practitioner), in your particular situation you could use Digital IDs (PKI Digital Certificates).

Make sure you have a yahoo or hotmail account for each participating party. Configure it to allow POP3 messages download.

Then for each party's machine: 1) Configure Outlook Express for the new party's account. 2) Test it. 3) Go to Tools/options/Security and in Secure Mail section go to Get Digital ID and get a 60-day free trial Verisign Digital ID (follow Verisign instructions to get it and install it). When installing, make sure you select to ask a password when using the digital ID.

Exchange signed messages with each party to make sure you have their Digital IDs and their public keys (Tools/"Digitally Sign using SMIME").

When sending messages, just instruct the other parties to select Tools/"Encrypt message using SMIME" option to make sure the message is encrypted. There is a visual icon indicating the option is selected.

Good luck.

bbandolero
 
thanks everyone for your help, i didn't realize there was so much out there.

dan
 