NetSec Letter #8, 17 May 2001: Other Solutions for Secure E-mail

Fred Avolio
Avolio Consulting, Inc.
http://www.avolio.com/

This month’s column is a bit backwards. Usually, I end with pointing you towards other articles I have written. This month I have to start that way. Because this month’s column is sort of a postscript to a just-published magazine article I wrote and best understood in light of a few previous columns.

The topic is secure e-mail clients, and the premises–from “E-mail Security, Why Don’t We Bother” ( http://www.avolio.com/columns/email-security.html) and “E-mail Security, Part 2: Speed Bumps” ( http://www.avolio.com/columns/emailsecpart2.html)–are simple:

Secure e-mail has been around for a decade and is readily available.
Our e-mail is important enough to be protected.
Secure e-mail products require dealing with certificates, exchanging them in some secure way and those can be cumbersome and difficult for the non-technical user (and some technical ones).

May 2001’s Information Security Magazine contains a feature article I wrote with my friend, and The Internet Security Conference’s, Dave Piscitello ( http://www.corecom.com). Its title is “E-mail Security: Signed, Sealed, and Delivered” ( http://www.infosecuritymag.com/articles/may01/features_email_security.shtml) . In it, Dave and I discuss and rate e-mail security solutions, including–but beyond–PGP and S/MIME. Now… the postscript. I wanted to mention/review one other secure e-mail solution that we heard of too late to include.

PC-Encrypt’s A-lock

A salesman from PC-Encrypt Inc. pointed us to their web page and a small application called A-Lock ( http://www.pc-encrypt.com/). I downloaded a deceptively small (274 KB) install file. Literally in less than a minute of downloading and installing, I was ready and able to send A-Lock encrypted e-mail.

Registration is straightforward. The site asks you for your name, e-mail address, and country. I cannot find a Privacy Statement on their web page, and they really do need one to indicate what they do and promise not to do with this information. At registration you’ll be asked to enter a 4- digit access code. You will want to remember this. The site generates a random “password exchange key” which A-Lock automatically finds on the page (with a mouse click) and installs. (I’ll explain why you need this in a bit.) If you ever lose or want to replace your password exchange key, you’ll need this 4-digit number.

To send encrypted e-mail to anyone, the A-lock application must be running. It sits on your task bar waiting for instructions. You simply type your e-mail message as usual, using any Windows e-mail client. When you are ready, you click on the icon and choose “Encrypt/Decrypt.” The program window pops up and asks you for a “password”–a value that will be used as the secret key to encrypt the message (yes, no public keys, no digital certificates). It takes text from the window that has focus and encrypts the contents and replaces the plain text with cipher text.

Here is an example of what might show up in your e-mail:

<<START_PC_Encrypt_DATA>> KgAAAHwBAADP6O4YVBXw3IKsmNMGf+9BiZlrHeGyEAecAk7z9O8OgTdNAGO oslXR0Y8rjmRhAxyfwzGJ9CnxSgIq1YAn0OgiIWP0wB7Am3HaoK8J/athjy tT5rcTN5ZHA24WMInI8KHZmtFbzJHcJHIPcaKoVzwpeqQtZ526CucrAQzyA AAAAECpc+Ny6GhxjQF/sucXZxfu6LPDar/xJKYJBBj8Sy3Sks9cr4lWBbrh xFLYRgIYhSGxcyN9nvmqswU6ffj3bH6uXkUraP7NK9OA/Kza3EWGwJffHij DmOJ06P1i8Qol5TkGGq+QjXPp1kuuLwVdzBMWa3VOCjG//IpW50wamdLn2d ujSNkGf3iQtXYlpxmQS+Zdw7nnNVrsDermfR8d1c6GYfm314ubUcXY2q1ZG UIojlTlVOqMyMGM5lG1KCqo3E7l/ky/NrVBMcQt8/1aojD4xC2e3wFtKKPW Sr5sUIWpbZzZDqdgi9r0Us08kyvyxrbKD9EqX73jHtHkzuBMz096e3EgWwH DWOgJmsOUt0yCleH6E1zKhCBqhwoPVaDzQYvF1bWjVSJB+hfEaPRjfmzfiK rEFpS/ppEN2S4ReU73Lsia0eXE5YPTUaXP0e14neTfjpXCmscEMtiF9TFoO tYgni70kvir+HPbxSWpq/Hz2cO9t1ZKRWngrOMu/fvvui4eD368c3leOKZp LeMk/OsOnkTKrSgArJwyl+oxvgK25wa7mlfF6A5HUOtYTyRTSRB2tZ9jk9K 16VWB/J13LiyHTBYCctcXzvt7dgQmyQY1sC1FnOos/xWB6HWSLCLNgsw+W0 dqq22y/JqLlebwAKCn5BME/4qXjsJq2swekxzEX3kvwq5wJrqphSr751xgq muWxjsEPcgEaHoDmDoyLogvdYqwx4NgYxVNC390pOtSbNroSBLcKTN4hDrr bQGqQOdXmnwgY0fjA3HJP4Le1g5dfRDS2q7YHni6fdSqdI04T7Vmwjdy2Px a8uGZpmwjK9qUKWshQPjUyO9f41Ai89U= <<END_PC_Encrypt_DATA>>

Okay, so how does the other user get the password? There are a few possible ways:

You stick a line of plain text in your message after encryption that gives a hint. Not terribly secure, but perhaps secure enough for some purposes. For example, “The name of the sushi place at which we ate in Vegas last week.” (Hint: for those readers who didn’t eat with Dave and me, it was “Shiba.” You can use this to decrypt the above text if you get the A-lock software.)
You share the secret out of band (telephone, in person, etc.).
If both of you are registered users, you let their web system pick the password. This is the only circumstance in which their site gets involved. You go to their “key exchange” web page, entering your (registered) e-mail address and that of the people with whom you want to share the secret. If any is not a registered A-Lock user, you’ll be given the opportunity to send them an “invitation” to get A-Lock for himself. The system generates a long, random secret/password, instead of an easily guessed word. It e- mails the generated password in an encrypted message to you and everyone else listed. Remember that registered users are given that all-important password exchange key.

When you (or one of your intended correspondents) receive the e-mail, a click on the A-Lock icon will save the password into your “Password Book,” allowing you to organize passwords by name or group and automatically select their use.

Verdict

I agree with their web page. A-Lock is “Simple, straightforward and secure.” It is easy to install, and very easy to use. It can provide iron-clad security, but even in the case of using a shared secret such as “the place we had sushi in Vegas,” the security is probably good enough for many uses, and much better than what most of us use… which is nothing.

The lack of use and support for public keys makes much easier to support on an enterprise basis, but harder to scale. For a company of 1000 individuals this is a blessing and a curse. For people just starting out with secure e- mail, especially for those without a PKI and those who must share encrypted e-mail with clients and partners in other organizations, it is a win. Users can stick with their favorite, different e-mail programs, and still interoperate securely.

There is not a Mac version, but then Mac users are used to this. Nor is there a version for any flavors of UNIX.

There are a few glitches they need to fix: the sequence of the input boxes for entering a password goes from “password entry” to “Password Book” selector, to “Confirm password” when you tab through–it should go from “password entry” to “Confirm password.” Also, it would be nice to be able to highlight a section–a paragraph, for example–and just have that text encrypted. The program grabs and encrypts all of the e-mail text. These are minor, hence “glitches,” but changes would be beneficial.

A companion program, PC-ENCRYPT, will encrypt files, such as those you might send as attachments. (David Strom reviewed this product for TechTarget, and you can find his review by looking for his by line on searchSecurity.com. I’d paste the URL here, but it is ugly-long and will probably change.)

Promotions, Self and Otherwise:

The Internet Security Conference ( tisc.corecom.com) will be held June 4-8, at the Century Plaza Hotel in LA. It is notable that I will NOT be there. I’ve always attended before, and I hate it that I can’t be there, but a graduation, birthday, and anniversary will keep me home. I like TISC because of its size. You can actually talk in social settings with some of the most knowledgeable folks in computer and network security, rather than just enjoying hearing them speak in a large auditorium. I like it because of the terrific topics, instructors, and invited papers track. I reviewed some of those papers, and will really miss seeing them presented.

Readers can receive a 10 percent discount on conference registration. Visit the web page above. When you register, use the discount code “FMA-10.”

Some other columns I wrote:

A column for WatchGuard on digital signatures and the US e-signature http://www.avolio.com/columns/esig.html.

A column for searchSecurity.com discussing various ways to allow remote access to corporate e-mail for the telecommuter and the road-warrior http://www.avolio.com/columns/RemoteE-mailAccess.html.

I will be presenting a web-based talk at searchSecurity.com on May 31 called “Introduction to Public Key Cryptography.” See http://searchSecurity.com/ under “Upcoming Event” for details.