Email Encryption

OK Miriam, I guess you've got our attention, go ahead.

If I am worried about my inability to "protection for your e-mail communication to keep it from unwanted eyes" I mail a letter.

Thanks anyway.

The great Carnac says: "I see a sales pitch in the future of this thread".

Possibly there will be a sales pitch coming. Now that PGP encryption is no longer free, there is instead TrueCrypt.

Our work email package (Goldmine) has a built-in encryption feature which nobody uses.

We assume that any email can be printed out and stored or copied and that anything we send could potentially end up in a competitors in tray (and it has by way of printed copy, not e-mail, rendering encryption pointless).

Like posting on a public forum, always assume the worst when composing messages.

Jack - A defense contractor

An email encrypted with a public-- key cannot be printed or read by someone who does not have the corresponding private key.

The beauty of encryption like RSA is that the key does not need to be transmitted. The sender does not even need the key to encrypt the email, the public encryption key is used.

The only one who needs to have the key is the intended recipient.

And when the intended recipient is one of say 10,000 industry contacts in an email database for a business this works how?

And when the intended recipient prints the document out this document is protected how?

Lets keep it real, the only thing encryption is going to protect business correspondence against is email sent to the wrong recipient. Intercepting corporate emails is hardly widespread (be it for corporate espionage or just plain old scamming).

Jack - Just offering a different point of view.

No, you are exactly right. It will not work if either end is unwilling or unable to follow security protocol the protocols are not established.

.

It also won't work is they can't be trusted not to personally divulge the information, or if they allow people without clearance rifle through their stuff.

.

I do get your point. The implementation seems unfeasible, and the reward seems dubious.

Encryption has its place, but it is the minority exception rather than the rule, even in business.

It works, for example, through the use of common access cards and dedicated certificate servers.

The US military has millions of seats using this exact method and deploys its networks through fixed and mobile assets worldwide.

simple.

The great thing about email public/private key encryption is that it's free.

I used this system for awhile but ultimately found it not worth the bother - one more password to remember, for no real benefit. It is foolish to consider that email is a private communication. It is a permanent record, and like anything written, has legal consequences if they apply. If the email contains anything legally significant then it can be accessed anyway by warrants or whatever if it applies.

I love the concept of freedom and privacy on the internet, but it is much better not to say anything in an email that you wouldn't want exposed, than it is to use encryption supposedly to use email for anything you really want kept private. That applies equally to socially inappropriate statements as it does to legal matters.

I agree with you completely that you shouldn't commit to writing things that you would not want exposed.

But, I think the following might be incorrect:

'....If the email contains anything legally significant then it can be accessed anyway by warrants or whatever if it applies.....'

If the only person that knows the key pleads the 5th, a warrant will not be useful. There are methods of encryption available that without the key, while technically not unbreakable, unless someone got extremely lucky, it would take a ridiculous amount of time to break using the computing power available today.....far far too long for any court case.

Popular protocols for email encryption include:Identity based encryptionMail sessions encryptionPGPS/MIMETLS

What about the E-mail Charter? "If you want me to read something, keep it brief." - Winston Churchill.

_{<unsubscribes>}

'...while keeping secret a private key they can use to decrypt such messages or to digitally encrypt .....'

This doesn't make much sense for public key encryption.....

It wouldn't be very secure to use your private key to encrypt a message. In fact since the public key could be used to reveal the contents of the email, even calling it 'encrypted' is dubious. Everyone has access to the product of your primes, which will decode a message 'encrypted' by the private key, so really it isn't really 'encrypting', it is merely 'encoding'.

The only reason to encode something with a private key is to provide a form of signature to authenticate the writer of the email holds the private key, but it offers no security for the message.

Some computer technicians,under the disguise of repairing the computer can download files/pictures/videos from the hard disk and take with him. How to prevent it. They might say they are checking for virus or defect.

Generally the larger the company the more is spent on IT, generally this means that big companies with a lot of valuable information to protect have their own IT department or dedicated 3rd party IT support (rather than just hiring from the phonebook when something goes wrong).

There have been cases (I believe) of rival companies sending sales people in with USB sticks and copying files of the companies network, but general caution and a watchful eye is usually enough.

Other companies have implemented a "disable all USB access" on company computers to prevent this and employee theft (with mixed results), but this is not really a good solution.

I mentioned about PC and Lap tops in homes. Not only in USB also in CD drive they can insert a CD and download saying they are using a diagnostic software to check the computer.

Encrypt your hard drive. Of course, if you are taking your computer to a repair tech to get it fixed (i.e., running again) then they will need access to the hard drive and subsequent OS, won't they.

The easiest thing to do would be to watch them do their work. You take a risk any time you let someone you don't really know use your computer. If you are that worried about it, learn how to repair your own!

It is possible to just encrypt certain files/folders, leaving the OS unencrypted....but as most shops are staffed by idiots, a disk format is often the first job they do, so you should be holding your data elsewhere before bringing it for repair.

A disk defrag then "wipe" will then erase all the free space, once the data has been fully removed and placed elsewhere....but if properly encrypted, it should not be readable by nosey parkers even if left on the disk......

Good security involves 2 sets x 3 copies of all important data, each set located in a different location....

I'm not averse to the notion of a good wipe, but smearing it about a little helps. A quick visit to our cousins in zoos will reveal that they also know this. Total security is a big hammer and a few seconds in the back yard. Slight retraction, even that may not be good enough thesedays. The secret is out at the very second it's committed to any form of communication.

Email encryption can rely on public-key cryptography, in which users can each publish a public key that others can use to encrypt messages to them; while keeping secret a private key they can use to decrypt such messages or to digitally encrypt and sign messages they send. Many complex subject involve with email encryption. But now many free and paid tool will be found on the web that can easily encrypt and safely send any mail.

PGP pretty much led the way for free encryption.

It'd be better to write your own encryption routine and use a one-time pad system. With much media already digitized, the task is easier. For instance, Laverne and Shirley could agree to use the current day's edition of the Wimbotsham Argus. That particular paper is not available online, but I'm sure you get the drift.

Another possibilty (just for example) is to work on the basis that everybody expects, and looks for, hi-tech encryption. I could write what seems like banal drivel to my companion. We may have agreed that characters such as '.' and ',' equate to the dots and dashes of morse code. There are infinite possibilities.

Possibly more important is knowing if anybody else has cracked your code. One way to detect this is sending 'low-grade', junk (though it has to be plausibly interesting) info once in a while - then sit back and see if anybody acts in a manner to indicate that they have intercepted and decrypted it.

Having done all that, you can then worry about whether the 'enemy' are parked in a van nearby monitoring your keyboard strokes.

'....One way to detect this is sending 'low-grade', junk (though it has to be plausibly interesting) info once in a while - then sit back and see if anybody acts in a manner to indicate that they have intercepted and decrypted it.....'

.

This shouldn't lull you into a sense of security. It would be foolish for anyone investing the time, resources, and risk to intercept and decrypt secret messages, to hastily act or otherwise show their hand.

This holds true whether you are talking about legal investigations, espionage (industrial or otherwise), or war. During WWII England sacrificed the lives of citizens and its armed forces by not warning of attacks which they knew about via their ability to decrypt German Enigma messages. At other times, while they would not disclose knowledge of an impending attack, they would have patrol flights schedules as precisely the right time to notice and give alert to that attack.

Anyone deciding to act on their keen interest of knowing the secrets some other person is taking steps to hide, has probably already considered many of the same things that might run through the mind of the person hiding the information.

Very good points, but I have two question (sorry, they're not intended to sound 'offish'/'hostile', but I can't think of better wording).

Why cite Blighty as an example ? I'm sure you know full well that such actions are not nation-specific. Statements such as "During WWII England sacrificed the lives of citizens" are not conducive to reasoned discussion (although I may have ignored that if you prefaced it "by way of example").

The point I was trying to make in suggesting the leak of useless info was that security needs testing. It was not intended to mean that one simple method means 'hey, we're good to go, nobody can breach us'. There is a whole world of bluff, double-bluff, triple-bluff etc etc. A comparison to security naivity, would be people (there are many) who think that one particular brand of computer security software will keep them safe. I'm sure you must have encountered the, 'I'm safe, I'm running McAcme' mentality. No single approach is safe.

Do you have an alternative suggestion for security testing ?

Hey, no need to apologize for sounding 'offish' or 'hostile'. I should be able to support the claims I make without feeling personally offended. Also, my reply to your comment could be (mis)read as 'hostile', your reply would be hard to judge as inappropriate.

.

I didn't intend to imply the actions were nation-specific,and it was merely an example. I did not specify it as such because I figured everyone would be sure that I know full well that such actions are not nation specific.

.

Anyway I didn't mean to denigrate you original comment. My reply was simply a word of caution...not necessarily to you, but in general, against short selling determined efforts at espionage.

.

As to alternate suggestions:

The more information available on who might be trying to break your security, the more numerous the options for increasing your security.

Counter-espionage springs to mind. After all, if you find some of your own files, while you are sneakily rifling through their files, it is a pretty good indicator that your suspicions were right all along: the no-good-dirty-rotten-dishonest-sneaks have been spying on you! Bastards. Who would do such a thing?

Lawfully testing one's security is most often relegated to attempting to defeat the security.

It's about 2 a.m. here, so I'll have to catch up with y'all after some kip. That's if I'm really living in the UK...........

The trick I always liked for clever secret message hiding technique is the message in a message by the use of apparent padding and then encrypting the whole message. Somebody intercepting the message and decrypting the whole transmission may not understand which message is the padding or critical message.

The trick I always liked for clever secret message hiding technique is the message in.....

pmsl !