
Thread: Encrypted Emails?

  1. #1

    Encrypted Emails?

    OK everyone, this is a "is this possible" type of question:


    I'm the techie guy at a bank - my boss wants to know what would be involved in being able to send Encrypted emails to our customers when sending them online internet banking passwords and what not. I explained to her (and want to know if I'm right) that, in order to do this, not only would we have to have the encryption software (and I know a few good ones), but so would the receiving end as well. Therefore, we could send an encrypted email, but the problem would be that at the other end, they wouldn't have the software to decode it.

    Is this correct - or is there software out there that we could purchase that will encrypt the email - send it to the user, and be able to be opened - even if it is with a user id and password?

    Just wondering?

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Well you could use PGP which uses public/private keys. Best of all, it's free. WinPT is a GREAT PGP client too!
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    I have played with a software package before which would allow you to send encrypted e-mail without the 'client' having the same package installed at their end (you might have to give me a while to find it again). The drawback here was that the end result was an executable attachment. Most corporations will block these outright because of obvious virus threats. Home users should also do the same if they can, but even if they don't, a lot may not open the attachment, for the same reasons (viruses).
    I'll have a look and see if I can find the name of the package I was testing (I think it was freeware as well).

    Cheers:

    /edit

    OK I think this was the package I was testing:

    Quote:
        The award winning encryption tool Mooseoft Encrypter encrypts your sensitive files with 6 well known encryption algorithms to choose from. You can choose between Blowfish, Cast128, GOST, Square, Rijndael and Twofish. In addition, you can also wipe files, send encrypted files via e-mail, create secure passwords and more. With Mooseoft Encrypter, you can also package one or more files and create a self-decrypting exe file, that prompts the person that opens the file for a password before allowing access to the content. Using this method, the recipient does not have to have the decryption software installed, just needs to know the correct password. All this from one, simple to use tabbed interface. You can also bind the encrypted files to your hardware.

    You can get more info HERE.

    DjM

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    **Thread moved from Antionline: How do I? to Newbie Security**
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  5. #5
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    PGP is not free for corporate use. You do need to license it.

    Still it's probably your best bet as it's got a very passionate following and it is industry standard. So answers to your support issues and add-ons are readily available.

    peace
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Korp,

    from the WinPT website:

    Windows Privacy Tools (WinPT) is a collection of multilingual applications for easy digital encryption and signing of content.
    It's GnuPG-based, compatible with OpenPGP compliant software (like PGP) and free for commercial and personal use under the GPL. For more information, please see the manual's section on What's WinPT.

    www.winpt.org

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    PGP, the software made by PGP Corp (not so long ago by Network Associates), is not free for corporate/commercial use. However, PGP, the protocol, is open and is freely implemented in GPG and WinPT, for example...

    Ammo

    And about the problem in question, well, it's pretty much a catch 22 situation:

    Even with a self-decrypting archive (PGP can do this, in the form of an .exe) you would have to exchange a key (symmetric or not), in this case a password, in order for the recipient to be able to decrypt it (the password is the key). But since you're already trying to send a password to the recipient... :/ See what I mean?

    Ammo
    Credit travels up, blame travels down -- The Boss
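The self-decrypting-archive mechanism Ammo describes, as an added example that is not part of the original post or of any product named in the thread: the archive holds only salt, nonce and ciphertext, and the key is derived from the password at open time, so whoever holds the password (and nothing else) can read it. PBKDF2 is written out with the Go standard library to keep the example dependency-free; the iteration count and the sample secret are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Work factor for the password-to-key derivation. Constructed value for
// this example; real tools pick it to make password guessing slow.
const iterations = 100000

// pbkdf2SHA256 derives a 32-byte key from a password and salt with
// PBKDF2-HMAC-SHA256 (RFC 8018), written out with the standard library so
// the example has no external dependencies. One PRF output block is
// exactly 32 bytes, so a single block is enough.
func pbkdf2SHA256(password, salt []byte, rounds int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the first block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < rounds; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// sealWithPassword packages plaintext the way a self-decrypting archive
// does: random salt, key derived from the password, AES-256-GCM for
// confidentiality and integrity. Layout: salt || nonce || ciphertext+tag.
func sealWithPassword(password, plaintext []byte) ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, iterations))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte(nil), salt...), nonce...)
	return gcm.Seal(out, nonce, plaintext, salt), nil
}

// openWithPassword is what the recipient runs. Nothing but the password is
// needed, which is exactly the catch-22: the password still has to reach
// them by some channel, and email is the channel being protected.
func openWithPassword(password, blob []byte) ([]byte, error) {
	if len(blob) < 16+12+16 { // salt + GCM nonce + GCM tag
		return nil, errors.New("archive too short")
	}
	salt, rest := blob[:16], blob[16:]
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, iterations))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong password or tampered archive")
	}
	return pt, nil
}

func main() {
	// Constructed sample secret and password.
	blob, err := sealWithPassword([]byte("read-me-over-the-phone"), []byte("Temporary password: Tmp-4821"))
	if err != nil {
		panic(err)
	}
	pt, _ := openWithPassword([]byte("read-me-over-the-phone"), blob)
	fmt.Printf("correct password: %q\n", pt)
	_, err = openWithPassword([]byte("guess"), blob)
	fmt.Println("wrong password:", err)
}
```

A wrong password fails the GCM tag check rather than producing garbage, so the recipient learns the password was wrong but an eavesdropper who reads the password from the same mailbox opens the archive just as easily.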

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Ok, the two major technologies for encrypted emails are PGP and S/MIME. Some mail clients support one or the other "out of the box", and many plug-ins are available which support them.

    HOWEVER, both have a major drawback.

    When sending someone encrypted email, you need to encrypt it such that only they can decrypt it, right? This means you have to use a key which is SPECIFIC TO THEM, so that nobody else can read the messages.

    PGP uses mutually trusting people, and S/MIME uses certification authorities. However the two methods are similar in their use of public / private keys.

    Now most people don't HAVE a key pair / certificate.

    There are two issues really

    - Getting people to create or otherwise obtain a public / private key pair
    - Being sure that the public key that they give you actually *IS* their public key, not somebody else's, who is intercepting the email (man-in-the-middle)

    Experience suggests that even technical people have a great deal of difficulty doing these things. Assuming the software works perfectly (which it doesn't always), there is still a fair bit of admin work to do in order to set up people's keys.

    I have used this in several cases:

    1. Nominet (the UK's domain name agency) uses public keys to identify its members. They then send signed (but not encrypted) messages in order to register and modify domains.

    Nominet use PGP (or they did last time I checked) - they've been doing this for about 6-7 years now, and it works fairly well.

    They get each of their members to set up a PGP key pair, email a human the public key, and the human rings them back, and speaks to another human to verify that the key received is the genuine one (and asks a few pieces of information only the real company would know).

    Automated messages can then be sent with the private key to do stuff machine-to-machine.

    Bear in mind that the humans who were involved in this transaction are all highly technical people - programmers or sysadmins.

    2. Orders for an online store

    - Here we used S/MIME - the store uses SSL and gets the order details and immediately sends them out in an S/MIME email to the fulfilment houses.

    Although S/MIME is supported out of the box on Outlook and Outlook express, it took me a lot of effort to get the non-technical people at the other end to do the few simple steps to install it correctly.

    ----

    bottom line:

    It is possible, but requires a lot of work to set up, and ongoing maintenance work (despite your best efforts, people *will* lose their private key)
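The two issues in the post above (a key pair that is specific to the recipient, and being sure the public key you received really is theirs) in working form, as an added example that is not part of the original post and not the code of PGP, GnuPG or any S/MIME product: a fingerprint of the public key stands in for the phone call in the Nominet story, encryption to the customer's key shows that a substituted attacker key cannot open the message, and a signed-but-unencrypted message shows the Nominet style of use. The Go standard library's RSA-OAEP and RSA-PSS are used in place of OpenPGP packet formats; names, key sizes and the sample messages are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// fingerprint is the SHA-256 of the DER-encoded public key: the short
// value the two humans compare over the phone before the key is trusted.
func fingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return fmt.Sprintf("%x", sum), nil
}

// acceptKey models the out-of-band check: a key that arrived by email is
// trusted only if its fingerprint matches the one read out by phone.
func acceptKey(received *rsa.PublicKey, phoneFingerprint string) (bool, error) {
	fp, err := fingerprint(received)
	if err != nil {
		return false, err
	}
	return fp == phoneFingerprint, nil
}

// encryptTo encrypts a short secret (a password fits in one OAEP block)
// so that only the holder of the matching private key can read it.
func encryptTo(pub *rsa.PublicKey, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
}

func decryptWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// sign and verify cover the Nominet case: messages signed but not encrypted.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	customer, _ := rsa.GenerateKey(rand.Reader, 2048)
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)
	bank, _ := rsa.GenerateKey(rand.Reader, 2048)

	// The customer reads this fingerprint to the bank over the phone.
	phoneFP, _ := fingerprint(&customer.PublicKey)
	genuine, _ := acceptKey(&customer.PublicKey, phoneFP)
	swapped, _ := acceptKey(&attacker.PublicKey, phoneFP) // man-in-the-middle substitution
	fmt.Println("genuine key accepted:", genuine, " attacker's key accepted:", swapped)

	// Encrypted to the customer's key: the attacker's private key cannot open it.
	ct, _ := encryptTo(&customer.PublicKey, []byte("Temporary password: Tmp-4821"))
	pt, _ := decryptWith(customer, ct)
	_, err := decryptWith(attacker, ct)
	fmt.Printf("customer reads %q; attacker gets error: %v\n", pt, err)

	// Signed, unencrypted instruction: anyone can read it, nobody can forge it.
	msg := []byte("MODIFY example.co.uk nameservers ns1.example.net")
	sig, _ := sign(bank, msg)
	fmt.Println("bank signature verifies:", verify(&bank.PublicKey, msg, sig),
		" under attacker key:", verify(&attacker.PublicKey, msg, sig))
}
```

The fingerprint comparison is the whole defence against the man-in-the-middle case the post describes; if the bank skips the phone call and simply trusts whatever key arrives by email, the attacker's key passes and the "encrypted" password goes straight to him.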

  9. #9
    Thank you for all of your posts. All of this was very educational. By the sounds of the later few posts, it was as I feared - the other end, even if not needing the software itself, would need to be told the key; therefore, to send a password for internet banking, encrypt it, and have to communicate the password to un-encrypt it via email or phone makes the whole thing slightly not worth it to us.

    I guess in the end, I was just wondering if the technology was there yet to encrypt an email in such a way that you specified only one email address to be able to open the email - or something of the sort - but apparently we are not quite there yet. Maybe in a few more years.

    To let everyone know our policy now, we send the user ID to the user (usually their social), sometimes even just telling them it's your social without actually listing it, and then send the password in a separate email. That way, if someone were to get a hold of one or the other, they would need to be good enough to get both in order to use it.

    For now, I think that security will have to do unless we can think of a way around the need for a key on the other end.

    But again, thanks.

  10. #10
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    elrey - I would think that sending banking passwords via email is a very very bad idea. I know if my bank were to do that I would get very upset. My bank will send user IDs through email, but passwords/PINs are always sent via snail mail in a secured envelope. The problem with email is that it is all clear text; very few systems use secure SMTP protocols. So let's say that a hacker has access to the network of your ISP: they could theoretically capture all TCP/IP traffic coming off of your email server at port 25 and get everybody's user name and password, regardless of them being sent in separate emails. Email is a very insecure method of sending anything that is of some type of importance. Even if the user name is not sent in the message, you can easily find people's socials with a little bit of work.

    The more likely scenario is that a hacker would have the ability to scan traffic coming through the ISP(most banks have better security than an ISP) and get the password/pin information that way.

    Obviously I am in no position to tell your bank what to do, but I would rethink sending that type of information via email.
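What the sniffer on port 25 actually sees, as an added example that is not part of the original post: a constructed transcript of a relay with no TLS (addresses and the password are made up), walked by a small parser that separates server replies from the message body and pulls out the credential lines. Note that the two-email policy from post #9 does not help here, since both messages cross the same wire in the clear. The STARTTLS check only reports whether the server advertised it in its EHLO reply; a transcript that is readable at all is, by definition, one where TLS was not used.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// capture is a constructed transcript of what a sniffer on port 25 sees
// when a message is relayed without TLS. Hosts and addresses are made up.
const capture = `220 mail.isp.example.invalid ESMTP
EHLO mail.bank.example.invalid
250-mail.isp.example.invalid
250-SIZE 10240000
250 8BITMIME
MAIL FROM:<noreply@bank.example.invalid>
250 OK
RCPT TO:<customer@isp.example.invalid>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: noreply@bank.example.invalid
To: customer@isp.example.invalid
Subject: Your online banking password

Your temporary password is: Tmp-4821
.
250 OK: queued
QUIT
221 Bye
`

// Session holds what the eavesdropper recovers from one SMTP exchange.
type Session struct {
	StartTLSOffered   bool   // server advertised STARTTLS in its EHLO reply
	Sender, Recipient string // envelope addresses
	Body              string // full message, headers included
}

// parseCapture walks the dialogue line by line. Server replies start with a
// three-digit code; everything between the "354" reply and the lone "." is
// the message itself, with SMTP dot-stuffing undone.
func parseCapture(transcript string) Session {
	var s Session
	var body []string
	inData := false
	sc := bufio.NewScanner(strings.NewReader(transcript))
	for sc.Scan() {
		line := sc.Text()
		if inData {
			if line == "." {
				inData = false
				continue
			}
			body = append(body, strings.TrimPrefix(line, "."))
			continue
		}
		upper := strings.ToUpper(line)
		switch {
		case strings.HasPrefix(line, "250") && strings.Contains(upper, "STARTTLS"):
			s.StartTLSOffered = true
		case strings.HasPrefix(upper, "MAIL FROM:"):
			s.Sender = strings.Trim(line[len("MAIL FROM:"):], "<> ")
		case strings.HasPrefix(upper, "RCPT TO:"):
			s.Recipient = strings.Trim(line[len("RCPT TO:"):], "<> ")
		case strings.HasPrefix(line, "354"):
			inData = true
		}
	}
	s.Body = strings.Join(body, "\n")
	return s
}

// findSecrets picks out body lines that look like credentials. The patterns
// are constructed for this example, not a general detector.
func findSecrets(body string) []string {
	var hits []string
	for _, line := range strings.Split(body, "\n") {
		l := strings.ToLower(line)
		if strings.Contains(l, "password") || strings.Contains(l, "pin:") || strings.Contains(l, "user id") {
			hits = append(hits, strings.TrimSpace(line))
		}
	}
	return hits
}

func main() {
	s := parseCapture(capture)
	fmt.Printf("STARTTLS offered: %v\nfrom %s to %s\n", s.StartTLSOffered, s.Sender, s.Recipient)
	for _, hit := range findSecrets(s.Body) {
		fmt.Println("exposed:", hit)
	}
}
```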
