SecureZip: More than just data compression

SecureZip is a cut above other feature-rich compression utilities for one simple reason. PKware developers have figured out how to make digital signing and asymmetric encryption simple to use.

I've been using PKware's PKZIP for as long as I care to remember. I like it and wasn't even thinking about switching. That all changed after I read a forum post by TechRepublic member Deepsand. I learned that PKware was touting a secure compression utility called SecureZip:

"Supports passphrase and digital signature-based encryption, or both simultaneously."

Why that's important to me was echoed by PKware's COO Tim Kennedy:

"86 percent of more than 100 respondents were very concerned or extremely concerned about their confidential personal information falling into the wrong hands, almost one-third admitted they don't use any tools to ensure that the files they send and store are protected."

Why is that?

It's not that people are oblivious to the security risks of sending e-mail or files over the Internet in the clear. It's because encryption technology isn't simple to use and there's a lack of interoperability between applications. Quite honestly, different encryption applications don't play nice with each other, so a consensus is required on what technology and software to use. Finally, those who have attempted document encryption will attest to the fact that installing the application and setting up a PKI is more than cumbersome.

To see what I mean, let's take a look at Public Key Infrastructure (PKI) as it's the preferred method to securely send e-mail or files over the Internet. SourceForge describes PKI as:

"PKI is Information Technology infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted Authority.

Public and private keys are like two halves of a single key. PKI encryption algorithms are designed such that a public key is used to encrypt or "lock" a message, and only the complementary private key can "unlock" that message. Think of a bank vault or safe that can only be unlocked by two individuals using two different but complementary keys. Neither of those keys can be used by itself to unlock the vault.

In practice, individuals wishing to exchange encrypted e-mail will agree to mutually trust one or more Certificate Authorities (CA) by downloading and installing each trusted Authority's root certificate on their computers. They will each obtain their own personal digital certificate from a trusted Certificate Authority, and install them on their respective computers."

That doesn't sound easy to me and I know of precious few encryption applications that automate the process to a point where the user is only required to make a few intuitive decisions.

SecureZip does

I'm amazed at how transparent setting up a SecureZip PKI really is. Everything is based on your name and e-mail address. The following four steps are all that's needed to create the key pair, beginning with entering your name and e-mail address:

Next, the application installer asks if you would like to accept the SecureZip digital ID offered by Comodo:

Since Comodo is a certificate authority, they need your consent to a subscriber and export control agreement:

Finally, the installer asks if you want to back up the private half of the key pair:

That's it. Now you have a fully functional PKI key pair that will allow you to digitally sign and encrypt files using the AES 256 algorithm.

It takes at least two

Now comes the tricky part: convincing your colleagues that this is important and, ultimately, getting them to install SecureZip. It has to help, knowing that installing SecureZip is a breeze, far easier than any other encryption/compression scheme I've come across.

Using SecureZip encryption

Using SecureZip to encrypt files is simple as well. There's no need to locate any digital certificate files. Remember, everyone's public key is associated with their e-mail address. So when you're encrypting a document, all that's required is to enter that person's e-mail address in the following window:

SecureZip will then search the global directory at Comodo for the proper public key. Once found, SecureZip will use it to encrypt the document. That's it, and once the file is encrypted, only the person with the private half of that key pair will be able to decrypt it.
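
The lookup-then-encrypt flow described above, as an added example (not SecureZip's or PKware's code, and not its file format): a generic hybrid scheme in Node.js in which an in-memory map stands in for the Comodo directory, a one-time AES-256 key encrypts the file, and the recipient's RSA public key wraps that key. The function names and the envelope layout are assumptions made for illustration.

```javascript
// Added illustration: generic hybrid public-key file encryption.
// Not SecureZip's file format or API; every name here is hypothetical.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
// Constructed stand-in for the CA's global directory: e-mail -> public key.
const directory = new Map();

function enroll(email) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  directory.set(email.toLowerCase(), publicKey);
  return privateKey; // stays with the owner; only the public half is published
}

function encryptFor(email, plaintext) {
  const publicKey = directory.get(email.toLowerCase());
  if (!publicKey) throw new Error(`no public key published for ${email}`);
  const fileKey = crypto.randomBytes(32); // one-time AES-256 key for this file
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', fileKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // Only the holder of the matching private key can unwrap the file key.
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, fileKey);
  return { wrappedKey, iv, tag: cipher.getAuthTag(), ciphertext };
}

function decryptWith(privateKey, envelope) {
  const fileKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', fileKey, envelope.iv);
  decipher.setAuthTag(envelope.tag); // GCM tag: altered data fails in final()
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Returns true when decryption is refused (wrong private key or altered data).
function isRejected(privateKey, envelope) {
  try { decryptWith(privateKey, envelope); return false; } catch { return true; }
}

// Demo with constructed addresses and data.
const demoRecipientKey = enroll('alice@example.com');
const demoOtherKey = enroll('bob@example.com');
const demoEnvelope = encryptFor('alice@example.com', Buffer.from('constructed sample document'));
console.log(decryptWith(demoRecipientKey, demoEnvelope).toString());
console.log('other private key rejected:', isRejected(demoOtherKey, demoEnvelope));
```

The sender never handles the recipient's private key, and an address with no published key stops encryption before any data is written.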

Additional features

SecureZip has a myriad of features (I'm still trying to figure them all out), making it one of the most useful data compression/encryption utilities I know of.

Still, the intent of this article was to focus on the simplicity of installing a PKI key pair. In my opinion it's SecureZip's main selling point. What am I saying, SecureZip is free.

Final thoughts

Getting users to encrypt documents before they leave the protective confines of the local network is a tough sell. It's added work that doesn't show any real benefit until something bad happens.

I've been fairly successful in convincing my friends to switch over to SecureZip. We find it especially helpful as most of us use Web-based e-mail, which disallows the use of most signing or encryption applications. Yet SecureZip allows us to exchange sensitive files simply and efficiently.
