email cryptography essential

Discussion in 'Other Ghost Security Software' started by Jo M, Nov 8, 2004.

Thread Status:
Not open for further replies.
  1. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi,

    I have tried out Crypto Suite but was very surprised that it does not include email cryptography capability! Ever since I read "The Code Book" by Simon Singh I have wanted to have and use some form of cryptography such as described, using the Public and Private key system. It's also great fun to try out the various Enigma emulators out there on the net! But Enigma was broken!

    But as far as I can see Crypto Suite just doesn't even try to fit the bill?? Just concentrating on encrypting data on your computer and concentrating on passwords. Passwords are no good for communication because you have the problem of getting the password to the receiver securely! It doesn't matter how long the password is or how many bits of encryption strength there are if the "enemy" or "competitor" or the American Secret Services have the password!!

    I have bought the Action Pack plus Process Guard, but I won't consider CyptoSuite until it does have email capability! And please, please please forget about an Outlook plug in!! Why bother putting a leaking bucket into a safe? It will leak right out anyway!

    Do produce an "Extension" for Thunderbird! and "plug ins" for any other reasonably secure email clients! Why not tell your users the truth that if they want security then don't use Outlook(express) or Internet Explorer!

    The only Cryptographic extension for Thunderbird right now consists of two *.xpi files for Thunderbird plus GnuPG has to be manually taken from its Linux roots and hacked into Windows in order to support the extension. The Walkthrough's and helpfiles I've seen look horrifying! Plus I'm not sure about GnuPG as it doesn't use "paid for" encryption standards! So there is a real need for such a product. And if I could simply install it in the normal way I wouldn't mind paying even though other extensions are free!

    Regards Jo M ;)
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Jo M, CryptoSuites is Jason's personal project, email is one of the things on his to do list, so hopefully, when he gets some free time more enhancements will follow.

    If your data needs to be secure how about useing CS's chat server for exchanging the keys for a CS encrypted file? The encypted file can be sent by normal email and the key via Encrypted chat. OK so the recipient would also require CryptoSuite but if your data was that important then it is a small price to pay. :)

    HTH Pilli
     
  3. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Obviously a PC well set up is an essential base for a private communication.
    A PC with unnecessary servers and services turned off or removed!
    Outlook Express removed!
    Firewall, tuned to stealth ALL ports!
    AV

    TDS 3 :D
    Wormguard :D
    Process Guard :D and

    Benign to strip out all HTML, MIME and scripts of all kinds from incoming mail
    These are the essential basis or "Non-Leaking Bucket" to base a private communication program in.

    P.S. Just a thought. If you do include an email module then please don't make it so that it would be stripped out by Benign (which I have set to it's MAX strength as detailed above!) I believe that PGP can use either a MIME technique or an "Inline" technique. Please make sure you have an "inline" method too!

    Regards Jo M
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Who said that?

    DCS welcome user input & constructive criticism :)

    Cheers. Pilli
     
  5. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    The report bad post icon is on every post. It allows people who read threads to report a bad post. Doesn't necessarily mean your post is bad of course. :)

    Encrypted email is still a mostly PGP specific feature. What I mean by that is encrypted normal email is already done very well by all the PGP versions and PGP clones, you can find plugins, clients, etc, which already support it. It seems a bit of a waste of time to reimplement something that is already well supported.

    What I would be interested in is possibly making a new encrypted email network which could not be spammed/abused, however a proprietary network would probably not be too well received by the majority of people. :)

    Finally, CryptoSuite does use public key encryption for the chat, and if you use a password it is not vulnerable to any online based attacks including "man in the middle".
     
  6. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi all,

    I can't express how much I agree with that. Yesterday I had started collecting a pile of links to RCSs, rants etc. which basically all said that PGP/MIME is the way to go.

    The only thing I could even imagine being a reasonably development strategy for CS would be an interface to PGP/GPG. So that CS could handle PGP/GPG archives and keyrings, and would maybe function itself as a PGP/GPG plugin. (But I do think that you'd have to either spend relatively much effort just dealing with the dozens of plugin interfaces, or have some generic encryption procedure (like putting a cipher of some visually marked text in the clipboard, then to be insterted in the mail client) that will still be rather complicated or will not be accepted by more than a few mail clients (like - how will that clipboard thing work with pgp/mime, normally the mail client tries to deal with mime parts invisibly to the user).

    Encrypted volumes and maybe handling pgp/gpg archives/keyrings would be of more importance to me than having a mail client plugin.


    Just my 2 cents,
    Andreas
     
  7. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi Jason,

    thanks for the reply. PGP it would seem does all the things I want? Crypto Suite it would seem does not do all the things I want? So use PGP?

    Elsewhere you have said that your CrytoSuite has more and better algorithms than PGP. Do you stand by that?

    The export of PGP (paid for version) is controlled by the US Government, which makes me less than keen to trust it. Also it makes me less than keen to support it financially!!

    The freeware PGP gets round this by being compiled elsewhere from the freeware source code. But it is not quite as functional as the paid for version. I think its still not as many "bits" as CryptoSuite! And uses only one algorithm not two?

    In my country (UK) there is a major US internet listening facility! It is strongly believed that there is a mutual agreement between the US and UK governments to get round each countries privacy laws by the US service doing anything illegal on UK citizens and vice versa! So basically it is believed/known? that the US listening facility records and filters every email sent at least in the UK and posibly elsewhere too!

    While I don't have any secrets worth them taking this trouble! I don't like all my mail being "machine read" and filtered. According to UK law I have a right to privacy of my mail! at least unless I started to communicate with a known terrorist! in which case I would be required to hand over any encryption key used. But at least with email encryption they are not routinely "machine reading" ALL my mail. They can "machine read" all the headers sources and destinations, but would need a court order to force me to allow them to open a specific email.

    I am willing to accept that "in order to allow anti-terrorism services to work". However I suspect that this WILL be used wrongly at some stage (if it hasn't already!). It is in the nature of a secret service that they will do objectively wrong things and get away with it and cover it up!

    These are the reasons why for me at least email cryptography is essential in a cryptography product. I will not buy it without it!

    I agree with you that any email cryptography should be compatible with PGP, so that users with PGP and CryptoSuite could communicate privately.

    I like your idea about a more secure, encrypted email protocol! A very good idea! I have posted elsewhere about my surprise on using Port Explorer's "Socket Spy" to find that not only is the text of the email sent to my ISP's server in "Plain Text" (unless you use cryptography) but that the password was "Plain Text" too! (regardless of whether you use cryptography!!!)

    It would seem few if any ISP's support any security at all with regard to email. So if you came up with something that worked and could be applied universally (ie NOT a paid for proprietary technology) then this would be a valuable service to all internet users!!! It might be possible to licence it to the email servers? and get us users to "pay for it" through our ISP's? Then it could still be used by the "Freeware Brigade".

    I still stand by my first comment that a Cryptographic "suite" is not complete and is not properly a "suite" without email cryptography. Chat is no substitute!

    I won't buy this!

    Regards Jo M
     
  8. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    off-topic a bit:
    try to find out whether your ISP (or, to be exact, your mail service provider) offers TLS/SSL-secured mail retrieval (sometimes called pop3s, maybe you can find more information by referring to the standard portnumber for it, 995). AFAIU, this is the most advanced/standardized/widely used technique of avoiding having to login with plaintext passwords. Another possibility might be SSH logins with port-forwarding. Actually the same applies for email-sending, telnet and ftp sessions as well (use smtps, ssh and sftp where possible).
    Of course, your mail clients will have to support that as well. (or use a proxy that supports it - hamster is such a thing (see link below)).


    I'll try to collect more information about these issues (maybe also about gpg algorithms - www.gnupg.org/features.html says gpg is fully OpenPGP (RFC 2440) compliant, supports ElGamal, DSA, RSA, AES (Rijndael), 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER (where CryptoSuite uses a combination of AES and Twofish) (and, via third-party extension, IDEA). Various mail clients use it to generate inline pgp, pgp/application, pgp/mime or even s/mime encoded/signed mails.)


    I hope to be able to add more to this thread soon.
    HTH,
    Andreas

    PS. Hamster, a local mail server/proxy might be a good place to start: http://www.tglsoft.de/ or http://sites.inka.de/ximera/hamster-en.html
     
  9. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Thanks Andreas1,

    a very helpful reply. I look forward to your further research! :)
     
  10. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    I don't think I ever said has "more and better algorithms", rather the default (and at the moment only) encryption strength is greater in CryptoSuite than most other software packages at the time (and even now I would suggest), including PGP.


    Yes but making a new protocol requires a lot of support and you basically need to be someone like Microsoft to get the kind of support required. However it might be a good project even for internal use over here and for our beta testers.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    While I agree it would be a fine feature, for me 98% of my email, I really don't care who reads it. For that which I really want to keep private, I just put the information in a doc file and encrypt into a self extracting exe which can be attached. Oh, I rename the exe to something that email filters don't care about. Is it as clean as the contained email, no. But it does work.
     
  12. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi Peter,

    interesting idea, but I would have thought that any self respecting anti-virus would home in on it straight away as a supected virus:-
    1) it is a hidden *.exe file
    2) change of extension
    3) it is encrypted

    If I were to get such a file I would Shift/Del it straight away even if the anti virus or TDS didn't flag it up! Except you would have stopped me doing that because of the change of extension. Presumably then this method would only be of use if the person receiving the mail knew it was coming and how to treat it!

    Regards Jo M
     
  13. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi, anyone,

    in another thread I have been given the following link

    I think it might be even more interesting than PGP!?

    Regards Jo M
     
  14. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi, Jo M,

    I don't think so. the main differences between S/MIME (what safe-mail is using for mailing to non-safe-mail-members) and PGP/MIME is that S/MIME uses a X.509 PKI (Public Key Infrastructure) that involves Trust-Centers issuing Certificates, whereas PGP/MIME relies on PGP's "web of trust" (where keys are signed when the signer is 100% sure of the identity of the keyholder and the signatures are propagated along with the keys). In terms of crypto strength, PGP/MIME offers a few more (and stronger) algorithms, but the defaults are roughly comparable. There is a certain amount of commercial pressure behind S/MIME; certainly the companies in the digital certificate business like the idea. In the free software community, at least, GPG usage appears to exceed S/MIME usage in a big way.

    Resources:

    http://www.yolinux.com/TUTORIALS/LinuxTutorialMailClients.html
    http://www.faqs.org/rfcs/rfc3156.html - PGP/MIME RFC
    http://www.faqs.org/rfcs/rfc2633.html - S/MIME RFC
    http://www.crazylinux.net/downloads/projects/PGPII.pdf
     
  15. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    PGP/MIME vs SAFe-mail.net

    Interesting Info Andreas1, Thanks. I think I will investigate that further. While I agree that PGP offers a lot, there are some weaknesses with regard to privacy (headers and passwords at your ISP) if not with regard to cryptography. These ARE covered by SAFe-mail. Leaving the NSA only knowing your IP and that you use encrypted mail!

    I have posted my results of testing out SAFe-mail with Port Explorer's "Socket Spy" in another thread:-

    https://www.wilderssecurity.com/showthread.php?t=53955&page=2&pp=25

    I see your point that it is important to compare how they treat mail to NON members as well, as this is a more real world scenario! I'll do a test on that too and see what "Socket Spy" has to say! I'll be able to see what is "gobledigook" and what is plain text! As for which is BETTER quality encryption I'll have to take somebody else's word:- perhaps yours! Until I've done some more research on it.

    Thanks again for the info, Regards Jo M

    Tests done and posted:-
    https://www.wilderssecurity.com/showthread.php?t=53955&page=2
     
    Last edited: Nov 13, 2004
  16. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Re: PGP/MIME vs SAFe-mail.net

    Hi Jo,

    Now this is getting seriously off-topic, but I could not resist:

    As for privacy you might want to do your research on this:
    As I noted above, it's essential to have your ISP offer encrypted auth. methods (normally they work with passwords, keyfiles (you put your public key in your home directory on the ISP's server) or with certificates. And I think they are pretty standard today - SSH, SMTPS, POP3S, SFTP or something comparable. That would be the first thing to check out, as it will have your headers and passwords encrypted when they leave your computer.
    Now the only thing the NSA might know is that you're sending an encrypted mail - and since they supposedly monitor your ISP's outbound channels, they can relate your sending to the final delivery to the addressee, so they also know when you sent it and who has received it. So-called "Mix" chains can take care of that, too. They accept an encrypted mail, add an encryption layer to it and forward it - with some arbitrary delay - to one of a couple of stations as the next station of the chain, which does the same. Since there are always many messages in the chain and each message is modified, delayed and then takes another route, the NSA has no way of knowing which message it was that it is just now monitoring leaving the chain to its adressee. So they still know when you sent something, but not to whom. If you have a channel established to the mix-chain that keeps transmitting bogus info as long as there's no message being sent, they won't even know when or even that you've sent something. They just know that you're generally using mix-chains. Since the software to operate such a chain is open source, there has been plenty of peer reviews vouching for its integrity.
    You'd still have to trust the operators of the chain somewhat, but not too much - after all, you've encrypted even your original message. :ninja:

    (BTW, some similar technique is being made use of for web-browsing as well - dig for JAP - Java Anon Proxy, but it's not widely deployed and currently all proxy chain sites are subject to german jurisdiction - more info to be found on their homepage.)


    Quite in consonance with the above, I would definitely prefer open technologies and, if not detrimental to either privacy or security, open standards to some propriety solution. For our topic, this at least would mean that - CryptoSuite would, if at all, better be using PGP/MIME which would require a tight integration with the various mailers (you'd have to have a mailer that supports that mime type in the first place and the attachment handling would be a complicated interaction between the mailer and CS - actually, you could just as well use gpg with some OpenPGP- PGP/MIME-compatible mailer) and authentication should be left to the mail client and to the ISP.

    Just my 0.02 Euro,
    Andreas
     
  17. Tony H

    Tony H Registered Member

    Joined:
    Dec 5, 2002
    Posts:
    32
    I think this is probably a good way to go. Is it possible that the Internet community could develop its own network?

    Most certainly some form of encrypted e-mail is required. As Jo M has already commented,

    "a Cryptographic "suite" is not complete and is not properly a "suite" without email cryptography."

    Here are some links.

    What is Echelon?
    http://news.bbc.co.uk/1/hi/sci/tech/1357513.stm

    > It was this proposal, which I believe is being renewed, which sold me on e-mail security.<

    Under the Regulation of Investigatory Powers Act 2000 (RIPA), he is entitled to decide who gets access to this sort of information, called communications data because it is supposed only to show who is talking to whom rather than reveal what was being said.
    http://news.bbc.co.uk/1/hi/technology/2850157.stm

    AO is a worldwide community of security, network and computer professionals, students and keen amateurs who come here to learn the principles and details of computer/network security.
    http://www.antionline.com/

    T.

    I just found this http://net229.darktech.org/whatis.html which is a link to a fidonet website. Fidonet, it seems, has its own mail handling system.

    T 6/12/04
     
    Last edited: Dec 6, 2004
Thread Status:
Not open for further replies.