[Dshield] Encryption

Stephane Grobety security at admin.fulgan.com
Mon Dec 15 16:07:15 GMT 2003

Many things will influence what option you should choose, but here are
a few commonly used ones:

1/ S/MIME (Secure MIME): Based on the PKCS "Standards" defined by RSA.
This uses the root CA model and user certificates. Basically, a
centrally trusted entity delivers certificates to users. These
certificates are all signed by the CA hat guarantee the sender's
identity. The advantages here are that it's very easy to deploy: all
you have to do is deploy the CA root certificate and public key,
something that might already be done if you purchase your certificate
to a public, well-known CA (Verisign, Thawte, etc) or if you're using
an Active Directory network with key integration. The disadvantage is
that it can be expensive to maintain if you decide to purchase the
certificate and that some "scope" issue can make it's signature
functionality a bit insecure in some cases. It's supported out of the
box by Outlook, outlook express and exchange and, though CriptoAPI, it
can support a wide range of options (roaming profile, smart card
certificate store, USB cryptographic token storage, etc.) For end
users, it use is transparent if properly setup.

2/ PGP: This system use a "personal keyring" system where each user is
responsible for verifying the origine of the key and, generally
speaking, managing them. It's very well suited for small operations
with low volume of encrypted messages handeled by technically saavy
people (you can teach almost anyone to use them, but it depends so
much on the user doing the administration of his keyring that I
wouldn't advise anyone to use it for real security with "standard"
users). Many open-source mail program support it and plugins exists
for outlook and outlook express. However, the "original" GP
application has been purchased by various corporations, ending in the
hands of a company called "PGPCorp" which now sells it for 50$
(personal) to 325$ (Corporate plateform) per user. You can still find
free implementations out there but, so far, I have failed to find one
that is both free and easy enough to use to be put into the hands of
anyone that doesn't really LIKES to mess up with things (too bad: the
old 7.0.3 version from network Associated was very nice).

3/ ASP solutions: Technologically speaking, it's the simplest
solution of all, has clearly defined costs and can be more secure
than any of the other two above. the idea is to outsource your
messaging to a company that provide secure Email services and to make
sure you provide a mailbox to each user with whom you want to talk.
You then restrict the service to accept only local messages (that is,
messages from local, authenticated users) and you have a central,
secure way of communicating without the costs of implementing and
managing it yourself. Of course, you're not getting all that for
nothing. Beside the obvious (per-user, recurring cost of renting the
service), there is also a few lees obvious problems: First, the remote
service can access all your messages. this can or cannot be acceptable
depending on what your requirements are. Second, adding a user to the
system can take some time as you need to purchase the license. Third,
you need a secure communication channel with your user for the
initial setup.

Personally, if I had to do it myself, I would go for S/MIME with
purchased certificates if I only need to secure communication between
a few users (internals and externals), S/MIME with my own CA if I had
to implement that into a medium or large company for all internal user
users and a few external ones and PGP if I was to do that for free for
a few users (willing to learn) or for situation where I want to secure
a machine-to-machine transfer and S/MIME is not applicable.

Good luck,

BJ> Thanks to all on the list for security info; you've been very helpful
BJ> to non-IT users like me.
BJ> Does anyone have a link or advice on encryption? Our business
BJ> would like to begin encrypting sensitive e-mail. Currently using
BJ> Outlook 2K & Outlook Express 2K.
BJ> Keep up the good fight!
BJ> Bob
BJ> 'I don't get even; I get odder'

Best regards,
 Stephane                            mailto:security at admin.fulgan.com

More information about the list mailing list