automated email encryption?

[Lv4]

Hey gang, the wonderful folks at FDIC have decided that my company needs to have encrypted emails from one of our products. While I don't have an issue with this finding, I do have a problem with implementation of this.

The app is a home grown application of ours that uses MS Outlook to send and receive emails. I have seen the PGP plugin for Outlook before, but I seem to remember that it required user interaction in order to use it and that just isn't going to work with the massive amounts of email we deal with daily. So, what I need is something like that (being a plug in for Outlook is useful) that is automated, meaning that every email is encrypted.

I did a google search and found some stuff by Mail Marshal but so far I don't have a lot of details about nor have I heard of it before.

So has anyone used Mail Marshal before? Do you recommend it?

Is there a PGP type plug in, or setting that I'm missing to automate? Is there another company out there doing what I need? Do you folks have any suggestions? TIA, again

[g00n]

a system to automatically encrypt an e-mail with 1 key and send it to numerous people?

could it be a perl based system?

you could write a perl script that can do that for you... just need some modules.. Crypt::OpenPGP and one of the mail modules...

unless i'm missing the point here..

[Lv4]

no, that sounds good... of course I don't program, but I do have a developer here that is a PERL maniac that I'll have to ask about this

I just found out that only some of the emails sent through this system will be need to be encrypted while others won't be touched. I guess that could be done through PERL too... once again I'll talk to the dev when he gets back from lunch. Thanks for the suggestion g00n!

[mmelby]

The only way to be really secure is to use Public/Private key encryption. The upside to this is that it is secure. The downside is that there will have to be some key management involved.

CA used to have a system based on PGP that was server based and did not require user interaction. PGP has now started thier own company. Their Enterprise version includes a Key server and an SDK that you could probably use to accomplish your goal. I imagine that there is still going to be some administration/interaction as somebody is going to have to manage the keys.

PGP's web site is www.pgp.com

Good luck

[proactive]

If you don't want to spend a lot of time coding there is an excellent MS product called CAPICOM, a high level programming library that can easily encrypt/decrypt using X509 certificates located in you computers certificate store. You know the list of certificates that can be found using Internet Explorer (Tools | Internet Options | Content | Certificates). I've used CAPICOM a couple of times, and it's possible to make a workin app in a few hours. It's well documented at MSDN, and you can code in Visual Basic or Visual C++.

You will of course need a certificate, but you can issue them yourself by creating a standalone MS CA server found on MS 2000 Server & Adv. Server. Or you can buy a certificate from Verisign or some other provider.

I know you requested a PGP solution but X509 is pretty much the same thing.

Here is a link to the Capicom reference: http://msdn.microsoft.com/library/de..._reference.asp

And good luck!

[Lv4]

well when I says user interaction I mean as in a user actually having to click a button to encrypt/decrypt emails, I understand there is always administrative interaction in a PKI setup.

I'll check out PGP's stuff, the PHP dev is back today so I'll talk to him and I'll also look up the CAPICOM stuff. Right now it's just in the research phase for me, but yesterday the CxO's had a bug up their collective butts and wanted information immediately, lol.

Thanks once again for your timely answers to my, sometimes, silly questions I'll be doing lots of research I'm sure and I'll be sure to post back to this thread with my findings.

[dragonx81]

help im lost

[cupojoe24]

"Is there another company out there doing what I need? Do you folks have any suggestions?"

You may want to check this out. http://www.pcguardian.com/software/email_e.html

Great cheap solution. Plug in for Outlook and Lotus available. Uses Public and Private keys without the need for key management. Pretty easy to use and simple to administrate.

[Lv4]

thanks cupojoe24, I'll go check that out.

A quick update since this made it back to the front page. I've talked with the PGP folks and they can't do what we need right now. They do have an SDK coming out for their latest version, 8.0.4, but it might be a month or so before that happens. Of all things they told me to call Network Associates, the folks that used to own PGP, because they thought NAI may be able to help us with their command line encryption software.

Well NAI isn't even sure if they can do what we need. They are sending me a copy of their API and engine for our developers to work with. It looks like it will take a bit of rethinking of our software on our side to make this all work.

I looked at Mail Marshall, and they can possibly work but it will require new hardware and a different database than what we already use... which is additional cost for licensing.

Anyway, the stickler of the situation is this: Let's say we have 10,000 emails that have to go out to clients. Out of those 10k only about 2000 of them will need to be encrypted. What we are thinking of doing is creating a database on our side that has the clients that have requested encryption and their private key information in it. So every time an email has to be sent out our application will check the database for that user ID, if it exists then we encrypt it and send it out, if that user doesn't exist then we just send it out with truncated data like we have been doing all along. I'm thinking that NAI's engine and API will help out well here, and my PHP developer is looking in to what would be needed for him to make an app to do that and how robust of an application he could develop. We send out a TON of email every day.


Anyway, I'm still researching this idea so the project hasn't even made it out of the first stage of it's life cycle.