Cyptography

[Medley of extemporanea]

Lets talk about Encryption for email. Do any of you guys use it?

[Ismahan]

Nice usefull topic Haniif WellDone.... I didnot encrypt any mail, but I read about this topic once (I was so evil to try to hack my teacher's email) ..... so With Windows you have two main choices for signing and encrypting email with the standard mailers (Netscape, Outlook, Outlook Express, Eudora, etc.). The first is an X.509 digital certificate, and the second is PGP (or GnuPG in the future) and there is a web based encrypted email service available. X.509 digital certificates are extremely easy to use, and most mail clients have built in support, so there is no need to get a software package such as PGP and install it at both ends.You can easily generate an X.509 certificate, take the file and load it into a client machine (typically the mail program or www program can make use of it). This however makes the assumption that only one person will be using the workstation, and that the machine cannot be misused by others. This is really only useful on a home PC (that is secure), or if you lock your office door and never let anyone in and have a secured PC. In a business environment the certificates could be useful as identification of the machine (but not as identification of the user), in Internet Explorer for example you can mark the private key non-exportable, meaning to copy the certificate off the client workstation and put it on another will slow down most attackers. In other words digital certificates loaded onto client machines are useless, in fact they can be worse then useless because they are usually not protected sufficiently (i.e. with a passphrase) so an attacker can steal the certificate and impersonate the user. The better solution is to store the X.509 certificate on a smartcard, this allows a much more secure method of generating and storing certificates, as well as being far more portable. The main problem currently with smartcards is the lack of smartcard readers on computers. and about (PGP) Pretty Good Privacy was one of the original programs that made email encryption possible, however it was difficult to use, had to be installed by the user (unlike email clients shipping with X.509 support), and was generally a pain to use. This has changed in recent years, with the current version of PGP at 6.5.2, integrating it with most mailers (Outlook, Netscape and Eudora notably) is a painless task, even for novice users. Once you have downloaded the software simply double click on it to install, you will be lead through a rather normal Windows software install, however when you get to the components choice box you should uncheck anything you do not plan to use, especially support for mailers you do not have since PGP will be unable to find them, and the install will complain. Also if you do not need the VPN client, do no install it, it has a tendency to cause networking issues. The install will prompt you to either import an existing keyring (which if you are new to PGP you will not have), or create a new set of keys. I would advise using a 1024 or 2048 bit keylength for "daily" use, 4096 bit keys are slow to use and realistically if an attacker can factor a 2048 bit key in a reasonable amount of time they have probably found some flaw in PGP. You should send your keys to the keyserver when prompted to do so, as it will make it possible for other people to get your keys without having to go to you (so for example if I receive email from you, and I see it is PGP signed, I can retrieve your key from a keyserver and verify the signature, and in turn encrypt my reply to you).

If you want to find someone else's key either right click on the PGP tray icon and choose "PGPKeys" or go to the Windows Start menu and select "PGPKeys". Once in PGPKeys you select "Server", "Search", select a keyserver (ldap://certserver.pgp.com is a default so many people use it), and enter the email address you are searching for, it should be in the User ID of their key (since email addresses area relatively unique identifier). You will be present with a list of keys matching your criteria, simply right click on the key you wish to have, and choose "Import", and that is it. When you use this key to verify digitally signed email from the person the mail software will complain about it being an untrusted key, by default foreign keys are untrusted unless they are signed by someone you trust (such as a friend, or yourself). To get rid of this (i.e. I and my boss exchange a lot of encrypted email), sign their key with a non exportable signature, in "PGPKeys" simple right click on the key, choose "Sign", do NOT check the box saying "Allow signature to be exported. Others may rely upon your signature", and then choose the key to sign it with, and enter your password. You should never sign a key with an exportable signature unless you have met face to face with the person, proven your ID to each other, and then signed your keys.

When signing and decrypting email you will be prompted for your password, which can be annoying, PGP can cache the password, however be careful. If you enter your password and then leave your email client running and leave the computer unattended someone could use it and send email from you that is digitally signed (thus impersonating you). If you turn on the password saving feature you should be careful to always shutdown your mail client when you leave the computer unattended. To set the cache time simply go to the PGP settings (in Outlook it is "Tools", "PGP", "Options", then the "General" tab), and simply set the cache time to an appropriate length. If you want to be safe do not cache the signing passphrase, this way you can read email encrypted with your private key and not have to enter the password for your private key constantly, but you will be prompted for your password when you try to send signed email.

Finally Hushmail is a new contender in the web based email wars. It however offers something that none of the other web based email sites offer, and that is signed and encrypted email to other Hushmail users. Hushmail uses a java applet that is downloaded to your PC with your keypair, when you send and receive email within Hushmail it is signed and encrypted, providing for a high degree of security despite it's web based nature.

 

PEACE