SecureZip: More than just data compression

SecureZip is a cut above other feature-rich compression utilities for one simple reason. PKware developers have figured out how to make digital signing and asymmetric encryption simple to use.

I've been using PKware's PKZIP for as long as I care to remember. I like it and wasn't even thinking about switching. That all changed after I read a forum post by TechRepublic member Deepsand. I learned that PKware was touting a secure compression utility called SecureZip:

"Supports passphrase and digital signature-based encryption, or both simultaneously."

Why that's important to me was echoed by PKware's COO Tim Kennedy:

"86 percent of more than 100 respondents were very concerned or extremely concerned about their confidential personal information falling into the wrong hands, almost one-third admitted they don't use any tools to ensure that the files they send and store are protected."

Why is that?

It's not that people are oblivious to the security risks of sending e-mail or files over the Internet in the clear. It's because encryption technology isn't simple to use and there's a lack of interoperability between applications. Quite honestly, different encryption applications don't play nice with each other, so a consensus is required on what technology and software to use. Finally, those who have attempted document encryption will attest that installing the application and setting up a PKI is more than cumbersome.

To see what I mean, let's take a look at Public Key Infrastructure (PKI) as it's the preferred method to securely send e-mail or files over the Internet. SourceForge describes PKI as:

"PKI is Information Technology infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted Authority.

Public and private keys are like two halves of a single key. PKI encryption algorithms are designed such that a public key is used to encrypt or "lock" a message, and only the complementary private key can "unlock" that message. Think of a bank vault or safe that can only be unlocked by two individuals using two different but complementary keys. Neither of those keys can be used by itself to unlock the vault.

In practice, individuals wishing to exchange encrypted e-mail will agree to mutually trust one or more Certificate Authorities (CA) by downloading and installing each trusted Authority's root certificate on their computers. They will each obtain their own personal digital certificate from a trusted Certificate Authority, and install them on their respective computers."

That doesn't sound easy to me and I know of precious few encryption applications that automate the process to a point where the user is only required to make a few intuitive decisions.

SecureZip does

I'm amazed at how transparent setting up a SecureZip PKI really is. Everything is based on your name and e-mail address. The following four steps are all that's needed to create the required key pair, beginning with entering your name and e-mail address:

Next, the application installer asks if you would like to accept the SecureZip digital ID offered by Comodo:

Since Comodo is a certificate authority, they need your consent to a subscriber and export control agreement:

Finally, the installer asks if you want to back up the private half of the key pair:

That's it. Now you have a fully functional PKI key pair that will allow you to digitally sign and encrypt files using the AES 256 algorithm.

It takes at least two

Now comes the tricky part: convincing your colleagues that this is important and, ultimately, getting them to install SecureZip. It has to help, knowing that installing SecureZip is a breeze, far easier than any other encryption/compression scheme I've come across.

Using SecureZip encryption

Using SecureZip to encrypt files is simple as well. No need to locate any digital certificate files. Remember, everyone's public key is associated with their e-mail address. So when you're encrypting a document, all that's required is to enter that person's e-mail address in the following window:

SecureZip will then search the global directory at Comodo for the proper public key. Once found, SecureZip will use it to encrypt the document. That's it, and once the file is encrypted, only the person with the private half of that key pair will be able to decrypt it.
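
The lookup above accepts whatever certificate the directory returns for an address, so a sender may want to compare it with a fingerprint the recipient confirmed by phone or in person before encrypting. The following Python is an added example, not PKWARE's code or part of the original article; `PinStore`, `cert_for_encryption` and the `lookup` callable are hypothetical names, and the sample certificates are constructed stand-in bytes rather than real X.509 data.

```python
import hashlib
import hmac
import ssl


def cert_fingerprint(pem_cert: str) -> str:
    """SHA-256 of the certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def _clean(fingerprint: str) -> str:
    """Normalise a fingerprint typed or read aloud ('AB:CD ef' -> 'abcdef')."""
    return "".join(c for c in fingerprint.lower() if c in "0123456789abcdef")


class PinStore:
    """Maps an e-mail address to the fingerprint its owner confirmed out of band."""

    def __init__(self):
        self._pins = {}

    def confirm(self, email: str, fingerprint: str) -> None:
        """Record a fingerprint the recipient confirmed outside the directory."""
        fp = _clean(fingerprint)
        if len(fp) != 64:
            raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
        self._pins[email.strip().lower()] = fp

    def check(self, email: str, pem_cert: str) -> str:
        """Return 'match', 'mismatch' or 'unconfirmed' for a looked-up certificate."""
        pinned = self._pins.get(email.strip().lower())
        if pinned is None:
            return "unconfirmed"
        same = hmac.compare_digest(pinned, cert_fingerprint(pem_cert))
        return "match" if same else "mismatch"


def cert_for_encryption(store: PinStore, email: str, lookup) -> str:
    """Fetch a certificate via `lookup` (hypothetical stand-in for the directory
    query) and release it for encryption only if it matches the pin."""
    pem = lookup(email)
    verdict = store.check(email, pem)
    if verdict != "match":
        raise PermissionError(f"{email}: certificate is {verdict}, not encrypting")
    return pem


# Constructed stand-ins: these bytes are NOT real X.509 certificates. They only
# give the fingerprint code two distinct PEM blobs to compare; in practice the
# PEM text would be the certificate the directory returned.
ALICE_CERT = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: alice's certificate")
OTHER_CERT = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: a different certificate")


def demo():
    store = PinStore()
    # Alice reads her fingerprint aloud in the usual colon-separated upper-case form.
    fp = cert_fingerprint(ALICE_CERT)
    spoken = ":".join(fp[i:i + 2] for i in range(0, 64, 2)).upper()
    store.confirm("Alice@Example.com", spoken)
    return [
        store.check("alice@example.com", ALICE_CERT),  # directory returned the confirmed cert
        store.check("alice@example.com", OTHER_CERT),  # directory returned a different cert
        store.check("bob@example.com", OTHER_CERT),    # nobody has confirmed Bob's fingerprint
    ]


if __name__ == "__main__":
    print(demo())
```

A "mismatch" also appears after a legitimate re-issue, since a replacement certificate has a different fingerprint; the sender then re-confirms with the recipient before updating the pin.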

Additional features

SecureZip has a myriad of features (I'm still trying to figure them all out), making it one of the most useful data compression/encryption utilities I know of.

Still, the intent of this article was to focus on the simplicity of installing a PKI key pair. In my opinion it's SecureZip's main selling point. What am I saying, SecureZip is free.

Final thoughts

Getting users to encrypt documents before they leave the protective confines of the local network is a tough sell. It's added work that doesn't show any real benefit until something bad happens.

I've been fairly successful in convincing my friends to switch over to SecureZip. We find it especially helpful as most of us use Web-based e-mail, which disallows the use of most signing or encryption applications. Yet SecureZip allows us to exchange sensitive files simply and efficiently.

94 comments
DougRch

Asymmetric and certificate based PKI hasn't been easy enough to use and that's why we still don't see widespread use after 30 years. Voltage SecureMail at www.voltage.com/vsn is a great email and file encryption solution. Your email address is your public key instead of a PGP key or a certificate. You can send ad-hoc email to anyone and recipients don't need any special software to read and reply securely. Encrypted mail is only stored in a sender's sent folder or a recipient's inbox.

Neon Samurai

It's a you or Chad topic that came to mind; Truecrypt VS Bitlocker. What got me thinking about this was how Win7's bitlocker will allow full disk encryption. When the user forgets their passphrase, the admin can simply unlock the certs through administrative rights similar to resetting a password forgotten by the user. With Truecrypt, a forgotten passphrase blocks system bootup and use of the recovery disk since there is no administrator rights above that to unlock the certs. Is this something that will cause MS shops and enterprise to favor bitlocker? Are all other aspects equal or does one provide better encryption over the other beyond enterprise happy management? It's not something that will affect our office until Win7 becomes the platform of choice but I'm starting into reading on the two now so I can have a solid grasp of both when the inevitable discussion comes up. Just an idea that may be an interesting article. (Now; where do we go when we don't know the answer? Google! Off I go.) (Edit): hm.. maybe a topic that's been done to death already unless Win7 does something differently than Vista. The search brings up a long list of relevant hits.

Ocie3

Episode #201 of the Security Now! podcast (last Thursday) apparently has a complete discussion of SecureZip and its features: http://www.grc.com/securitynow.htm I've downloaded it, but I haven't listened to it yet.

pkwarepr

For clarification: PKWARE offers a free version for perpetual non-commercial use called SecureZIP Express. You can download it at www.securezip.com. PKWARE offers a free 30-day trial version of SecureZIP Standard at www.pkware.com/download-software. SecureZIP Standard provides the ability to securely save and send files directly from Microsoft Office applications, including Word, Excel, and PowerPoint. The product offers data protection across all major computing platforms. For enterprise customers, PKWARE offers a free 30-day trial version of SecureZIP Enterprise at www.pkware.com/download-software. SecureZIP Enterprise includes centralized policy management and contingency key processing. The product offers data protection across all major computing platforms.

blackrussian

How Comodo verifies your e-mail ownership? What prevents a man in the middle to create a certificate with your email? How is the private key protected and where it is stored? (I think PKI is so complex because the problems are not that simple)

rufusion

"What am I saying, SecureZip is free." Er, no it's not. You can download a free 30-day evaluation/trial license. After that, you legally have to pay for it - $39.95 for a single-user license. You're not suggesting your readers engage in software piracy, are you?

Deadly Ernest

this one shown is for Windows and I can't find any information on the web site about system requirements.

Michael Kassner

I'm really impressed with SecureZip. It's a great data compression application that includes simple-to-use symmetric and asymmetric encryption. Besides it's free. Have you used it? I'd love to hear your thoughts and comments about SecureZip.

Michael Kassner

I haven't researched it yet. But that's what I'm talking about. That concept is even simpler. Thanks Doug, I appreciate the heads up.

Michael Kassner

I'd be a bit biased. I've used both and if I were going to use full disk encryption, I'd definitely use TrueCrypt. For reasons why, check out Steve Gibson's podcast of episode 133 or this transcript. I found the same results that he refers to. http://www.grc.com/sn/sn-133.htm I have it in my schedule though as it's a great topic. Thanks Neon.

Michael Kassner

Steve and Leo are a must listen to for me every week. I've not missed an episode since they started. Thanks for reminding me. I hadn't listened to it yet either.

pkwarepr

Certificates issued by Comodo through SecureZIP are verified using the standard request/response email validation method as is used by all leading public certificate authorities (VeriSign, Thawte, ...) issuing email certificates today. This method requires a response from the email address of the user. This is standard practice today for obtaining a level 1 (email validated) certificate. SecureZIP does work with certificates from other X.509 certificate authorities following users to obtain their certificates using the level of identity validation they require. The private key is maintained by default on Windows in the Windows Certificate Store and is protected by the user's Windows access credentials. This can be enhanced by adding either medium or strong private key protections through Windows, or alternatively using a hardened smart card or smart token for storing a private key.

Michael Kassner

Thank you for asking these questions. I wanted to keep the article rather generic, so I appreciate the opportunity to expand on some details now.
How Comodo verifies your e-mail ownership? During the installation process, SecureZip requires that you install a key that they send to the e-mail address that was entered in the initial step. If the key is not entered or entered incorrectly the install fails.
What prevents a man in the middle to create a certificate with your email? This is possible with any kind of exchange of information. I'm not exactly familiar with the inner workings of SecureZip. But the fact that you have to enter a key that's sent to the e-mail address registered in the first step makes it difficult for a MitM attack to succeed. Unless the attacker has obtained your SSL certificates or username and password for your e-mail application.
How is the private key protected and where it is stored? The SecureZip certificate is stored in the Windows Certificate repository along with all other digital certificates, so by association it has the same amount of security.
I hope that helps answer your questions. I'm by no means an expert and if you aren't satisfied, I will try my best to contact PKWare and get the answers.

jbettle

you can't get another certificate for it without revoking the original. Then the certificate is a completely different one, so the original files cannot be decrypted.

pkwarepr

PKWARE indeed offers a free version for perpetual non-commercial use called SecureZIP Express. You can download it at www.securezip.com. In addition, PKWARE offers free 30-day trial versions of the more feature rich SecureZIP Standard and SecureZIP Enterprise at www.pkware.com/download-software. SecureZIP Standard provides the ability to securely save and send files directly from Microsoft Office applications, including Word, Excel, and PowerPoint. The product offers data protection across all major computing platforms. SecureZIP Enterprise includes centralized policy management and contingency key processing. The product offers data protection across all major computing platforms.

Jaqui

and if you use kde, the kgpg application adds right click option to encrypt file. just generate a gnupgp keypair, then pick the file / archive to encrypt and bam!, there is a file .asc that is the encrypted file. the issue: you have to use the person you are sending it to public key or they won't be able to decrypt it.

Michael Kassner

As of yet. There are enterprise versions for Linux/Unix servers. I've asked PKware and hopefully they will release something soon.

cpr

How would this product work with someone who has multiple email accounts (personal, business, website, etc.)? Install the software for each email account? Notify all your customers? Free SecureZip software for each email account? Pay for SecureZip software for each email account? Consolidate all emails under 1 SecureZip software licence. Etc. Just a comment

Ron_007

Good article, we have to keep pushing email encryption, so any opportunity to get people to start using it at home for free is a good start. A couple of comments touched on a feature you didn't mention. Digital Signatures. They are related to encryption. A hash value is generated using your private key and the contents of the email. The benefit is that a digitally signed document cannot be modified and still match the original hash value so it may be considered legally equivalent to a signed paper document (depending on legal precedent in your locale). I checked and Secure Zip offers this feature. So, ideally, you would first digitally sign the document with your private key, then encrypt it with the recipient's public key and presto chango your digital email is now the equivalent of a signed paper document delivered by courier, secure and non-repudiable. Unfortunately for me it appears that SecureZip won't work for me since I use browser based email. I'll find the "right" FireFox addon one of these days.

groffg

The feature-rich PGP product sounds more useful for this purpose, specifically the "Universal server" component. It uses the same PKI/asymmetric concept; in environments using PGP Universal Server, emails can be configured at the enterprise level to automatically encrypt and decrypt on end-users' machines. But... it's not free. Individuals can just use PGP's (no-longer-advertised) freeware version (their Desktop version w/o a license, or following the 30-day expiration). You can still send/receive encrypted emails/attachments, but it's a more manual process. Like others have said, GPG might be a suitable alternative as well.

eryk81

I don't know how strong it is or if it can be stripped out, but you can use 7-Zip to add a password to a standard zip file and the person on the other end wouldn't have to install any additional software to view the contents of the file. When extracting or opening the file, Windows will prompt you for a password. 7-Zip is also free.

James Brown

I'm concerned about whether the 'free' version will remain free and whether the CA will continue to offer key pairs for free (a ridiculous concept in the first place since a key pair is trivial to generate). As stated in the screen shots you show, the CA is under no obligation to continue to offer keys or key storage for free. It seems clear to me that this product is ripe for a 'bait and switch' operation. Get people hooked on the free version then either withdraw it or start charging for key generation or storage. I think the first step is to get your users to recognize that this (data security) is a significant issue. The second step is to get them to use whatever tools you settle on. If that is SecureZip (and you are willing to live with the potential consequences), fine. If you want to use a paid product (whether the paid version of SecureZip or any of the other similar commercial products), that's great too. If you want to use some of the open source alternatives (OpenGPG, Windows Privacy Tray, etc.), that's fine too. Another issue I see with SecureZip is that it fills a non-existent niche. You seem to be suggesting that it be used to secure information sent via email as an attachment. What about the email body itself? SecureZip doesn't seem to address that (but OpenGPG does). I personally think that ALL email should be encrypted by default if for no other reason than to give the folks at the NSA/CIA/FBI/DHS heartburn when they try to (illegally) spy on Americans. So, SecureZip doesn't really fill the 'secure email' niche. Your second suggestion, although not covered very completely, is to secure data on your own drive. Again, I agree with the concept but there are open source tools that do a much better job. TrueCrypt leaps to mind. Again, I think that the majority (the data portion) of every laptop hard drive should be encrypted using TrueCrypt. 
You can run the tool in a mode that would be essentially transparent to the user but would protect the data from theft at the airport, hotel, or taxi cab. Again, SecureZip doesn't really fill the niche here either. It is much harder to use than TrueCrypt (or other products) to secure data on your own drive. In short, I like the concept of making data security and encryption easier to use, but I don't really see much value in SecureZip. On the other hand, I see a great potential for abuse both by PKWare itself (starting to charge for 'free' services, and possible access to your data) and by third parties (man in the middle attacks, etc.). Anytime you make security easier, you lose some of that security. The easier you make it, the more security you lose. If data encryption is too easy, then it becomes insecure because of the human factor. One example: if I just automatically trust that the public key that SecureZip finds in the CA database actually belongs to the email recipient, then I end up sending my 'secure' data to someone who is impersonating the recipient. And all the attacker had to do was download the free SecureZip tool and create an account with the target recipient's email address. Wow, that was simple! Thanks, - James

Neon Samurai

ok, more like ten because the same article came up in a few different locations. Bitlocker stores the certs on secondary media or within the AD data for ease of recovery. To me, that simply means that you're owned once the server admin account is popped. With Truecrypt, breaking my admin account simply means you now have to start breaking the AES 256 on my password manager's database. Off to read the grc.com link. Look forward to the article if you find results in enough content to publish.

blackrussian

First off, thank you all for answering my questions, it looks like SecureZIP is a much more solid product than the impression projected by the initial posting. Good deal. Just FYI, Comodo has a very bad track record: https://www.networking4all.com/en/ssl+certificates/ssl+news/comodo/ So, just stay away from them. I use Thawte myself for personal X.509 certs, and they are still free...

Deadly Ernest

several minutes checking nine different pages on that stupid company's web site and STILL haven't found a page that gives the actual price of the server product. I can only surmise the product is SO expensive they dare not tell you the price until after they butter you up a lot - result, I no longer have any interest in this product at any price unless free. Any company that doesn't give you easy and quick access to prices is NOT worth dealing with.

Michael Kassner

SecureZip doesn't encrypt the e-mail. We encrypt the attachments. So we make the attachment the actual main body of the e-mail. That's why it works for any Web-based e-mail.

Michael Kassner

Digital signatures and I'm sorry I must have misled you. SecureZip doesn't encrypt email automatically. I use Web-based e-mail as well. My associates and I prefer encrypting the document and then sending it as an attachment with a minimal blurb in the e-mail body. We even change the zip extension to something else to avoid DPI

Michael Kassner

For you. Take a typical user and ask that person to load a PGP product and SecureZip. What do you think the outcome will be?

Michael Kassner

But you have the age-old cryptographic problem of getting the password to the remote party. That's why PKI was developed in the first place. It eliminates that need. Also, unless you use AES 256, I'd be very suspect of the other encryption algorithms.

santeewelding

Just when I think I know everything, I don't.

Ocie3

Quote: ".... And all the attacker had to do was download the free SecureZip tool and create an account with the target recipient's email address. Wow, that was simple!" Not so simple! Impersonation could work if the intended recipient is not yet using Secure Zip, and does not have an e-mail address in the Comodo (?) database for their name (which the sender of the message uses). To impersonate the intended recipient, you would have to establish an e-mail account with an ISP by using the intended recipient's identity, then configure your installation of SecureZip to create the corresponding certificate, etc. I haven't examined SecureZip yet personally, but it seems likely that PKWare anticipated this possibility and implemented some feature to forestall it that the reviewer did not mention. Be that as it may, if the intended recipient is already using SecureZip, then you would have to convince the sender of the message to use your e-mail address (and public key) instead of the ones already in use for the party whom you are impersonating. That could be easy, or it could end with your imprisonment. The only challenge that I see is the fact that two or more people who are using SecureZip can, and likely will, have the same name -- but not the same personal e-mail address (which is always unique!). So one might send a message that is encrypted with the public key of the intended recipient, but accidentally send the message to another person who has the same or a similar name (overlooking the differences in their respective e-mail addresses). But the unintended party that does receive it cannot, of course, decrypt the message since their private key is not the one for the public key that was used to encrypt the message. The worst-case scenario is using the public key of the wrong person to encrypt the message, then sending it to their e-mail address as well. So the system is not idiot-proof.

pkwarepr

SecureZIP does provide encryption of the body of email messages and attachments. Also, we are not looking to bait and switch anyone. We offer SecureZIP Express which is a free version for perpetual non-commercial use. You can download it at www.securezip.com. In addition, we offer free, 30-day trial versions of our more feature rich SecureZIP Standard and SecureZIP Enterprise. PKWARE offers free 30-day trial versions of SecureZIP Standard and SecureZIP Enterprise at www.pkware.com/download-software (note: select appropriate computing platform). SecureZIP Standard provides the ability to securely save and send files directly from Microsoft Office applications, including Word, Excel, and PowerPoint. The product offers data protection across all major computing platforms. SecureZIP Enterprise includes centralized policy management and contingency key processing. The product offers data protection across all major computing platforms.

Michael Kassner

Yet, my answer would be that you are fully capable of all the complicated processes required to become secure. What about the millions of users that aren't or don't want to be computer savvy? It's not that simple; there is the additional step of an e-mail being sent to the e-mail address on the cert application. That has to be entered into the installation app. Then the system is certified. Finally, there are multiple ways to solve this. I suggest that most of them are complicated and cumbersome. That's why I don't see any of your suggestions being overwhelmingly accepted by users. I was just pointing out a simple option that might be better accepted.

pkwarepr

PKWARE offers a free version for perpetual non-commercial use called SecureZIP Express. You can download it at www.securezip.com. PKWARE offers a free 30-day trial version of our more feature rich SecureZIP Standard and SecureZIP Enterprise at www.pkware.com/download-software (Note: select your desired computing platform). SecureZIP Standard provides the ability to securely save and send files directly from Microsoft Office applications, including Word, Excel, and PowerPoint. The product offers data protection across all major computing platforms. SecureZIP Enterprise includes centralized policy management and contingency key processing. The product offers data protection across all major computing platforms.

Michael Kassner

If you have an issue with the CA, use your own; that's not a problem. As an aside, I know of precious few CAs that haven't had issues.

Deadly Ernest

answer. I was talking about the company itself. They have the main page where they go on about their products, they have several other pages where they rave about the products, but let's take the shortest route. Home page raves about the products - click on Store (you already know all about it and just want to buy it, that's why you're bypassing the advertising areas) - you get a new page with the same rave about the product (as if you could get this far without having seen that info), this page is only half the screen on my system, but that may be because they designed it for a lower resolution monitor - no issues there; it has a box area for each product with a big logo a couple of links, and mostly blank in the box - and no price. -- One of the links does take you to the next page with the price you gave the link to. But the page before that with the list of products should have had a price on it for each product. Now, let's go down the line of a normal person looking at the site for the first time. Home page with rave review, - choose Secure Zip and follow the link to another page with a more detailed rave review, - select a product (say SecureZip for desktop) and get another page with a repeat of the rave review and a little more info, this has links to several other pages on tech specs etc and one that says 'Buy Now' (one would expect that to take you to the page with the pricing, right: wrong) - this takes you to another page with the six product boxes listing the six products and you now have to follow another link to get the price. Gee, I get to select which product I want three times before they tell me how much. Most on-line stores take you straight to the price list when you click on Buy Now. Bad site design and layout. By the time I get to see the price I'm p'ed off about going through extra pages and downloads and losing time - not conducive to making the clients happy by constantly telling them the same thing either.

Michael Kassner

You asked for a price and there was a page with the price on. I'm not sure how I can further help you.

Deadly Ernest

on it at all. A very odd way of doing business, why have two pages where I can do? Anyway, at US$395 that equals A$800 to A$900 depending upon the exchange rate at time of purchase plus taxes etc, means about A$1,000 by the time I get to see it, I'm not buying. That's about seven weeks' food for the household.

Michael Kassner

The only thing I use my Iron Key for is the ToR access when I'm on the road. For data, I use Cruzer 16 GB Flash drives that I remove their applications and add TrueCrypt mobile. I have to upgrade to 6.2 yet, but 5.0 works just fine. I can't say enough about how much I like TrueCrypt. I've never had any issue with the app, and I trust all my sensitive info to it.

Neon Samurai

I knew it did full disk for the hard drive and mountable blob files for virtual drives. I assumed the approach would be a blob file (.tc) on the removable media. Someone in an earlier discussion pointed out that it can also create self contained removable media so that's what my impending flashdrive rebuild will use. Not as snazzy as the IronKey but close enough for the cost difference. Offhand, I read a review of the IronKey the other day: http://www.ethicalhacker.net/content/view/259/1/ you might like if you've not already seen

Michael Kassner

Are self-contained. I can plug them into any computer and open the directories.

Neon Samurai

If it hasn't already been discussed by the TrueCrypt folks; it's FOSS, they must have a bug forum or similar where ideas can also be offered. With my last Truecrypt puzzle, I got to get into the command line functions. I won't have to do a verification rescue disk with each notebook setup anymore and my NAS hosted blobs get mounted automatically during startup though I've chosen to be prompted for password or cert. Its ability to encrypt a flashdrive and host the decryption front end on that same drive is next on my list. The 1 gig IronKey is nice but I'm thinking 8 gig encrypted flashdrive will be even better. Maybe 16 gig if I upgrade my flashdrive sooner rather than later. (I do an SD card in a clean little SanDisk USB reader. The plastic lid covers the SD so it's basically a flashdrive with replaceable harddrive functionality.) We also have Truecrypt on an Apple machine but using it on my Linux install hasn't happened yet. I'm torn between doing that or just going to Debian's encrypted LVM provided the Wicd network connection manager passes my testing over the next week or two. (BackTrack 4 Prerelease is out too so everything is taking a back seat to playing with that little lovely.)

Michael Kassner

I agree with your comments whole-heartedly. I'm probably a bit more anal. I don't need full disk encryption as all my data is on flash drives. The flash drives are encrypted with TrueCrypt. It's much easier when traveling that way. You know my feelings about True Crypt. I just wish they would do something like SecureZip. It would be awesome.

Neon Samurai

Truecrypt on the notebook is a given and I'm now using truecrypt blob file across CIFS shares for systems where a full disk encryption is not the better choice. SSH replaces SMB/CIFS, FTP, rcp and telnet except where absolutely not possible (eg. no OpenSSH or SSH native support for Windows although it could freely be included; another NIH issue perhaps?). I won't put FTP or Telnet on my hand-built servers even if sftp does slow down the transfer rate. I'd drop HTTP in a heartbeat if I could and work through https on servers that have to support a browser. I still need to do an encrypted partition to mount to /home on my own machines. Email is always signed and I'd transfer with full encryption for any recipient that can receive it. I'm not the average rabbit though either as I've been mucking with the security stuff since before I knew that's what I was doing and was also able to make constantly trying to break into systems a part of my job description. (still loving the new office after almost a year) It would be interesting to see how much of the TR community is working towards more encryption though. With TR's own login form still not using HTTPS, it may actually be lower than expected though.

Michael Kassner

I agree about using technical terms here. I'd be curious to ask how many members actually use encryption right now? Do you? I don't. I have used PGP and various other e-mail encryption schemes and they aren't simple to understand. They are hard to use as well. As for clicking on a digital signature working correctly that only works if the certificate is available for the application to check. If the certificate isn't stored locally the user has to find it or not trust the data that was signed. It again is cumbersome and users don't want that. I have several friends that want to use encryption all the time and we do exactly what SecureZip does. We tried the PGP style but that required us to use other than Web-based e-mail. It's easier to create the sensitive document, encrypt it and send it along as an attachment. To be extremely secure, the best approach is to use an on-line data storage service, upload the secure file and tell the recipient that the file can be retrieved. That avoids any tracing of e-mail traffic.

Neon Samurai

I was kind of sticking to the technical terms based on the website's usual readers. For a regular user explain it in simpler terms and only to the degree that was required; probably with some presentation slide pictures to help. :D I think in the case of PGP, Enigmail and PKware's tool, the regular user doesn't really have to understand the full mechanics of it. PKware's tool may simplify the central server interaction a bit more than the others but they are all worlds away from SSL or similar PKI command line tools. Actually I'm having an interesting case at the moment. A friend wants to look at using encryption more. I'll be able to confirm the complexity of right clicking a signature attached public key in the next few days. I've not previously had a chance to actually try it back and forth with another regular user and haven't taken the time to set up a dummy email of my own to muck with. Along the same similar lines, I also need to look at encrypting options for Exchange server. In that case it will be a challenge to make it seamless enough for all the users at work. The friend in the previous case is pretty savvy but the setup at work has to ideally be fully outside the user's concern. Something like always encrypting email out with some way to fail over to signed only if we don't have the info to encrypt for the recipient. Of course it's Exchange so reasonably priced solutions may be hard to find though an open budget can usually solve a problem.

Michael Kassner

What you consider simple and what a normal computer user considers simple are worlds apart. Ask someone at work what a key ring is and what PKI means.

Neon Samurai

I use the Enigma plugin for Thunderbird so my public key goes along with the email in the signature hash. After receiving the initial email signed and without risky contents, they should be able to add that into their keyring through the plugin. The harder part is getting others to actually use it; it's a user issue more than a software issue. GnuPG I haven't used directly so I can't comment on how its key management works. Both use a key hosting server though and in the case of Enigma, you should be able to use the tool menu to import the public key based on the person's email.

Michael Kassner

SecureZip does all of that for you transparently. You have an amazing skill set, Jaqui. I'm trying to get users to encrypt files that just want it to work and see no benefit in this.

Jaqui

Pretty simple with GnuPG also. After you make your key pair, tell it to upload to a server. Then sign an email with the key to the person who needs to send you encrypted files and they can download the public key with a mouse click. If you don't upload the public key to a keyserver, then there is no way for people to get it, short of you emailing the file with it in.

Michael Kassner

I agree with you. I also agree that business types may be more motivated. But that's our fault. I just spent a weekend with some dear friends that are financial geniuses, yet were not at all aware of the need to encrypt their sensitive documents that they send to each other and institutions. Now they are. I tried the test and both preferred SecureZip. I'd like to mention that I remained neutral in my quest. They installed each with my help and felt more comfortable with SecureZip. Said it was easier to use and they liked the self extractor capability that uses a symmetric key for documents that are sent to banks. They have a method to pass secrets to those facilities. Another point, I'd like to reiterate how few people actually use an e-mail application, which biases the results toward SecureZip.

James Brown

I think there will be two outcomes. First, I don't think a 'typical user' would understand what either tool was for, nor why they would want to use them. Second, I think the user would have an easier time installing and configuring SecureZip than a 'straight' PGP tool. I also think they would have an easier time USING the PGP tool (once properly configured) than using SecureZip. I don't think installation is as big a deal as you are making it. Most people with significant concerns about data privacy (even if only limited to email) are in a work situation. Those folks, for the most part, have access to an IT department that can setup and configure these tools. I'm all for more security in email. I think every email that is sent should be encrypted (as I said in a previous post). If SecureZip encourages people to do that, I think that's a great thing.

Michael Kassner

And I guess I should have been more specific in that regard.

James Brown

I encourage skepticism about crypto algorithms. There is a lot of hype and snake oil out there. However, there are also other valid crypto systems out there besides AES. Twofish, blowfish, serpent, etc. are all valid and useful encryption algorithms. Just because a system is not using AES does not mean it is trash. Obviously, finding out what they are using and researching that algorithm is vital to the security of the system.

Neon Samurai

My friend got his updated PGP install yesterday and sent over a signed email. I right-clicked on the .asc attachment in Thunderbird. I clicked on "import into my OpenPGP" and sent back a fully encrypted email. I thought it would be more cumbersome if only due to using his retail PGP and my non-retail Enigmail plugin. When sending an email, I just have to put a check mark beside "encrypt" though I could set it to do so by default also. I can't compare this to PKware's tool yet but I think it's time to drop it on the test VM and have a look.

Neon Samurai

I'm actually a little surprised that it's not come up in my normal reading. Isn't stealth separate from treachery though stealth being valuable during treachery? The one is concerned with being unseen or undetected where the other is striking a blow from an unexpected position commonly associated with breaking loyalty.

Michael Kassner

The password shared? I'm trying to find unique examples of how people go about sharing symmetric passwords.

Michael Kassner

I don't always make the leap that stealth is always associated with treachery. Isn't it more of a dichotomy? I guess I'm too focused on the use of stealth in IT.

Michael Kassner

I use SMS passwords all the time myself as symmetric encryption is simpler. Yet, completely transparent options are needed. I'm standing firm on that. There's no other logical reason why encryption isn't far more prevalent right now, other than being too difficult to use.

eryk81

The way that was devised was a pre-shared piece of information that was then designated as the password. As for automatic shared trusted password, there isn't one.

Neon Samurai

Here's hoping they manage to be the truecrypt for mail and file transfer. In terms of options for transferring symmetric keys, that was a complete tangent off the question assuming both sides value the transfer enough to share the password through external means. In my case, based on having used Interac emailed money transfer many times in the past. The password is only relevant until the recipient accepts the transfer so a quick SMS works and both parties value the financial figure being moved.

Michael Kassner

Exactly what PKI does. The public key is used to encrypt a session key that's used to encrypt the data. It's done that way as symmetric encryption is more efficient. I understand that there are ways to accomplish password transfer securely. But as I continue to say it has to be streamlined or no one will use it. I think I have a pretty good argument as no one is really using it right now.

Neon Samurai

If it's a one time only phone SMS can be separate enough from the email or other internet transports. This is assuming you know the person is right there ready to receive the message rather than leave it lingering for days on the phone. Once it's used, it's no longer a risk. For ongoing things like an encrypted file that can be retrieved and opened by a third party after the initial use; phone works well. Then the risk is voice bugging by the provider or well funded gov/crime organizations. Of course, one could always use asymmetric to encrypt the message containing the symmetric key phrase to unlock the encrypted file. But that just seems like overkill. ;)

santeewelding

The equation of state I use subsumes stealth under treachery, along with, oh, explosively obvious violence, among others.

Michael Kassner

Stealth obviously plays a big part in transferring a secret. I also will argue that treachery doesn't have a place in the equations. In fact it almost seems to be the direct opposite of what is trying to be accomplished.

Michael Kassner

If you use symmetric encryption, how do you normally pass the password to the recipient?

eryk81

I was doing some work for a customer and they needed an easy (not so savvy computer users on both sides of the email) and cost-effective way to secure an email with customer documents and records. I was playing with 7-Zip's compression options for a separate project and saw that it allows for password protection (bottom right hand corner after adding a file). If you use the standard ZipCrypto, then the receiving party just needs to enter a password. If you use AES-256 then the receiving party needs to have 7-Zip installed. Thank you for posting back.
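The two 7-Zip password options mentioned in the comment above can be told apart from archive metadata alone, which lets a sender confirm which protection an archive carries before it goes out. The following is an added example, not part of the original comment: it reads the ZIP central directory and reports, per entry, whether it is unencrypted, uses legacy ZipCrypto, or uses WinZip-style AES. The sample archive is constructed inline (headers only, no file data) and every function name is hypothetical.

```python
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901   # extra-field header ID used by WinZip-style AES (AE-x)
AES_METHOD = 99         # compression-method value that marks an AE-x entry
AES_BITS = {1: 128, 2: 192, 3: 256}


def classify_entry(info):
    """Classify one zipfile.ZipInfo by the encryption its headers declare."""
    if not info.flag_bits & 0x1:          # general-purpose bit 0: encrypted
        return "none"
    if info.flag_bits & 0x40:             # bit 6: PKWARE strong encryption
        return "other"
    pos, extra = 0, info.extra
    while pos + 4 <= len(extra):          # walk (id, size, body) records
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            _ver, vendor, strength, _real = struct.unpack("<H2sBH", body[:7])
            if vendor == b"AE" and strength in AES_BITS:
                return f"aes-{AES_BITS[strength]}"
        pos += 4 + size
    # Method 99 without a valid AE-x record is malformed or unknown.
    return "other" if info.compress_type == AES_METHOD else "zipcrypto"


def audit_archive(data):
    """Map each entry name in a ZIP (given as bytes) to its classification."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info) for info in zf.infolist()}


def weak_entries(data):
    """Names of entries that are unencrypted or only ZipCrypto-protected."""
    report = audit_archive(data)
    return sorted(n for n, kind in report.items() if kind in ("none", "zipcrypto"))


def _cd_entry(name, flags, method, extra=b""):
    """Build one central-directory record (constructed sample data)."""
    raw = name.encode("ascii")
    head = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 51, 51, flags,
                       method, 0, 33, 0, 0, 0, len(raw), len(extra), 0, 0, 0, 0, 0)
    return head + raw + extra


def build_sample():
    """Constructed archive: central directory plus end record, no file data."""
    # AE-2 record: version 2, vendor "AE", strength 3 (256-bit), real method 8.
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    cd = b"".join([
        _cd_entry("readme.txt", 0x0, 8),
        _cd_entry("statement.pdf", 0x1, 8),
        _cd_entry("records.xlsx", 0x1, AES_METHOD, aes_extra),
    ])
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 3, 3, len(cd), 0, 0)
    return cd + eocd


if __name__ == "__main__":
    for name, kind in audit_archive(build_sample()).items():
        print(f"{name}: {kind}")
```

Entry names are readable without the password in both modes, which is why the audit needs no key.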

Michael Kassner

Have someone with my exact name. I just hope the e-mail providers are diligent enough to not allow us both to have the same addr or that neither of us use the exact name as part of the addr.

Deadly Ernest

are intentionally impersonating you for some gain. It's way too easy to have the same name by chance or to pick a new name that's already in use. My own name is NOT that common, yet I know of several people with it, three of which are relatives the others are no relative that we can ascertain. All have birth certificates in that name too. Add in I use a variant of my name as a nom de plume and recently found out there is another person who's a writer with that name too. You could claim I'm impersonating him, but I'm not as I didn't know he existed when I chose the nom de plume - based on my real name too.

Michael Kassner

Your logic is as mine is. Impersonation attacks are no better or worse with SecureZip than any other email transfer of information. Especially if SSL Web-based e-mail is used. IMO.

Ocie3

The SecureZip e-mail verification step establishes (1) that the e-mail address, that has been entered as one with which the user will be sending and receiving messages, does exist, and (2) that the user has access to the inbox for that e-mail address. The step does not verify anyone's "identity". However, it _might_ inquire whether the user's name, also entered before the step, is known to the ISP which provides the e-mail account. In that regard, the ISP might have taken some measures toward "verifying the identity" of their customer when the e-mail account was created, although the customer is not necessarily the actual user of the account. Of course, as you have pointed out, it could be relatively easy for an ISP or IT department "insider" to intercept e-mail messages -- preventing them from being transmitted to the intended recipient, and perhaps re-routing them to another party instead. However, actually impersonating the intended recipient and/or impersonating the sender, and creating and/or altering messages as well as reading them, requires more skill, time and effort than just intercepting the messages. You really do need to know the context for the message contents. You probably must use the style, practices and idiosyncrasies of the person that you are impersonating to compose and/or to alter the messages. In effect, with each message that you write or alter, you are creating a forgery. Not many network system technical professionals are very good at that, but maybe they have companions that are. Regardless, if interceptions occur after messages are encrypted, then intercepting them would likely be meaningless unless the impersonator does have the private key that corresponds to the public key with which they are encrypted. As noted previously, an impersonator would most likely need to use social engineering to get that private key.
If an impersonator uses SecureZip, then they are issued a unique public and private key pair even if the one whom they impersonate is already using SecureZip. In any case, -> THE RESPECTIVE E-MAIL ADDRESSES WILL BE UNIQUE

Michael Kassner

Your arguments are valid, but you need to refocus. It's not just SecureZip that's your target. That same issue applies to any one of many online application methods. All digital certs except the EV style (more vetting) are handled the same way.

James Brown

If someone can't intercept your message then there is no point in securing it in the first place since it is already secure by definition. However, in the real world where security products are useful, it is fairly easy to intercept an email. This could be done by someone at your ISP (or your company IT department) or a variety of people between you and the recipient. In those cases, setting up an account with SecureZip using the correct recipient email address is pretty simple. You just grab the confirmation email (which Michael has now told us about) and off you go. If nothing else, it is a great DOS attack where your friends start sending you encrypted messages which you can't decrypt. I don't know what Comodo's / PKWare's policies and procedures are for dealing with impersonation but they better be pretty good. I assume they have one as well as a policy for dealing with people who lost their private key (and can thus, never access any of their files encrypted with that key). What happens if I contact Comodo and tell them "I'm Michael Kassner and someone has impersonated me. Please cancel my public key and remove me from the database so I can create a new account."? Who do they believe? How do they resolve the dispute? What happens in the interim while they try to sort it all out? Thanks, - James

James Brown

I'm glad to hear that SecureZip has a certification step. That makes it a little less likely that someone could impersonate someone else. I assume that certification email expires at some point as well to prevent a DOS attack. So, I assume that the 4 step process you showed in the original article is actually at least 5 or 6 steps. We are moving closer and closer to the steps necessary to use any of the other similar encryption tools. I'm sorry but the ease-of-use for SecureZip seems pretty similar to that of TrueCrypt (for drive or partition encryption / local storage) or Windows Privacy Tray (for email encryption / signing). Windows Privacy Tray includes plugins for popular mail clients so encryption and/or signing is automatic. Local data encryption with TrueCrypt is completely transparent after setup (it doesn't get any easier than that). As you said in the article, the key element here (and the biggest hurdle) is to get people to believe that the extra effort to use security is worth it. It is an age-old problem that hasn't gone away. We still have people who write their password on a sticky note on the side of the monitor. What can you do? Thanks, - James

Michael Kassner

I was remiss in my article to mention that before the application will complete the install an e-mail message is sent to the address that was input into the installer. That e-mail has a key and that key has to be input into the installer before the installer goes any further. That's the verification process. I apologize for having neglected to include that aspect.

James Brown

Michael, My comments were in reply to what I assume is a PKWare official (user pkwarepr). Let me briefly address your reply by the numbers. 1. PKWare says it will always be free but the official legal ramblings contradict that. I'm simply pointing this out. It can be "held against PKWare because the verbiage is: 'PKWare is in no way obligated ...'." Either it is free (and they ARE obligated) or it isn't and they are not. You can't have it both ways. 2. The product is not free for commercial use. Your article, I felt, had a commercial bent and thus was a little off when you said there was a free version (for non-commercial use). 3. You didn't, but PKWarePR did: "SecureZIP does provide encryption of the body of email messages and attachments." I simply asked them (or someone) to show us how to do that. 4. Enthusiasm is great but I just thought it was a little over the top for a product that I feel is very similar to others already on the market. I felt your article was aimed at professionals, not home users, who have the minimal IT support needed to use some of the other products. Specifically I mentioned OpenGPG with Windows Privacy Tray as an example. I feel it is no more difficult to set up and use than SecureZip and I feel it has some advantages over SecureZip in some areas. I don't want to get into an online argument over all this. I was just attempting to point out, in my original post, that there were alternatives to SecureZip that were less expensive and that were similarly easy to use. I was also suggesting some issues that concern me about SecureZip. If you disagree, I'm okay with that.

seanferd

are best taken up with PKWare. Otherwise, Michael is quite an enthusiastic individual, when it comes to ideas, apps, and whatnot, which might be very useful.

Michael Kassner

To your opinion to be sure. I also appreciate your comments as they force me to reevaluate what I had written. I fail to make certain associations that you do: 1. All certificate authorities that offer free certificates have that same CYA verbiage. I don't see where that should be held against PKware. 2. I guess I'm guilty of having colleagues. We are all independent of any business and I'm not affiliated in any way with PKware. So I don't see where your comment has any significance. 3. I never said that SecureZip would encrypt message body. In fact I mentioned on multiple occasions that I don't have that option as I use Web-based email. 4. Again I guess I am guilty for being enthused about something that allows an increased level of security for people that aren't as well-versed in IT as you are. I see that you disagree, yet I don't see any mention of a solution that offers the same results using the same amount of effort.

James Brown

1. If it is PKWare's intention to keep the free version free, then may I suggest that you make appropriate arrangements with your CA and remove the rather daunting warning in the install process which clearly says that it may not remain free. "This is a limited time offer and may be expired. PKWARE is in no way obligated to extend the offer" seems fairly clear to me. Perhaps I'm missing some nuance of "may be expired" which actually means "perpetually free." 2. I also note that SecureZip is only free for non-commercial use. However, the body of the original article is clearly targeted at business users (words like "colleagues", etc.). So, I go back to what other users have said. In the context of the article, no there is NOT a free version (for commercial use). It is, at best, a trial version for commercial use. 3. If SecureZip can be used to encrypt the message body, may I suggest an addendum to the article, or a second article, showing how to use SecureZip to encrypt the body of an email. It would be nice to show this from multiple mail clients (Outlook 2000 and later, Thunderbird, GMail via the web interface, etc.). Also, a paragraph or two about how one might use this portably on multiple machines or from a flash drive would be handy. Look, I don't have any major gripes with SecureZip. However, I think the article is a little over-the-top in its enthusiasm for the product. Is it nice? Yes, I suppose. Is it some huge leap forward in security and ease of use? No, sorry, I don't think so.

James Brown

Michael, I see SecureZip as filling two needs. First, to encrypt email and second to encrypt files stored locally. You quoted PKware's COO Tim Kennedy "... one-third admitted they don't use any tools to ensure that the files they send and store are protected." My original post attempted (apparently unsuccessfully) to point out that these are different needs and that there are tools available to fill each need. TrueCrypt, IMHO, is a better tool for protecting data stored locally because it can be used transparently to encrypt a 'drive' (a partition, etc.) rather than having to explicitly put documents in and out of an archive (zip file). If I somehow inferred that TC was a good tool for email encryption, I apologize. I never intended to give that impression. BTW, if you/the editors would like an article (or a mini-series) on different ways to use TC, feel free to contact me privately. I'd be happy to do a guest piece on TechRepublic. Thanks, - James

Michael Kassner

I was just trying to get the poster to explain why that was said.

groffg

I use TrueCrypt as well--and like it--but TC is disk encryption software (protecting "data at rest"--DAR), not for data that is transmitted on the network or for data that otherwise leaves the protected storage device.

Michael Kassner

I would love to learn how TrueCrypt is able to supply the same functionality as SecureZip? I'm a huge fan of TrueCrypt and consider it to be the number one TPV application bar none. I wish TrueCrypt had these features.

James Brown

I agree that security is complicated. And I agree that SecureZip has done a reasonably good job of making it simple to use. However, I don't think it is leaps and bounds above the other commercial and open source products out there. Is it nice that they have integrated the key lookup into the archiving tool? Yes. Have they made it fairly simple to create or lookup a key? Yes. Do other products share these features? Some yes, some no. I would disagree with your inference that there is not a similar simple solution(s) to this same problem(s) already available. I think there are several including OpenGPG, Windows Privacy Tray, and TrueCrypt. I would even go so far as to say that some are easier to use under certain circumstances. Thanks for a good article. Anything that brings the necessity of secure communication to people's attention is a good thing. SecureZip certainly fills that bill and if it encourages people to learn about and use security, then it's well worth it. Thanks, - James

Timbo Zimbabwe

They have labelled it as an eval copy. I saw nothing about it expiring, just some functionality is disabled in the eval (free) version. Thanks for sharing, Michael.
