Email Encryption

Guest

Does Windows XP Home or Professional have a built-in Email Encryption utility?

Thanks for any help.

Ted
 
XP comes with an e-mail program called Outlook Express. In Outlook
Express, open the Help file and read about digital IDs.

Nonetheless, you may prefer the advanced features of a third party
program. I wish I could recommend such a program for you, however I do
not use encrypted mail.
 
Preacher Ted said:
Does Windows XP Home or Professional have a built-in Email
Encryption utility?

Thanks for any help.

Ted


Use an X.509 cert with your e-mail program. You can get free e-mail certs
at Thawte (bought by Verisign). PGP will work with some e-mail
clients, too. Certs work by giving out your public key to whomever
you want to send YOU encrypted e-mail. They use your public key to
encrypt their e-mail that they then send to you, and then you use your
private key to decrypt it. No one can decrypt the e-mail that was
encrypted using your public key unless they have your private key.
You send the other person a digitally signed e-mail, they save the
cert (often by saving your e-mail info in their e-mail program), and
then later use it to encrypt whatever they send you.
 
dekket said:
I would suggest you try Secured eMail (www.securedemail.com). It's
stable and has a very high level of security. Instead of building upon
certificates which, if broken or stolen, will open up _all_ your
emails, Secured eMail uses System SKG to create a new dynamic key each
time. You open the emails using a password, and you don't have to
remember the password if you've opened one email from a recipient
before.
I'm not that good at their technology, go read about it yourself on
securedemail.com/semtech.asp instead.
It looks like Secured eMail is fundamentally a symmetric key encryption
system. It requires exchange of a symmetric key or "Shared Secret". It
is far less desirable than public key encryption. If you exchange the
shared secret with email, then there is no security at all because the
email can be intercepted. For this reason, they recommend exchanging
the shared secret by phone or fax. This will be very cumbersome and you
cannot do this securely either, because the phone and fax may be
wire-tapped.

Public key based systems, such as S/MIME and PGP, are much
superior, because the only thing that needs to be exchanged is the
public key, which will not compromise the private key needed to decrypt the
message. The problem with S/MIME and PGP, however, is that they are
very difficult to set up and use. They cannot "send to anyone" - if the
recipient does not have a public key, the message cannot be sent.

EaSecure (see http://www.easecure.com/) provides the same grade of
public key encryption as S/MIME and PGP but is made extremely easy to
use and it allows "send to anyone" not requiring the recipient to have
a public key before the message can be sent. If the recipient does not
have a public key, the message will be protected by a one-time password
which will be sent to the recipient in a separate email. When the
recipient opens the first EaSecure message using the one-time password,
the recipient's public key will be automatically generated and
certificates will be automatically installed. After that, all EaSecure
messages sent to that recipient will be encrypted by the recipient's
public key. In addition, all one-time passwords for the same email
address will expire and become useless. All EaSecure messages,
including previously received messages and future messages will become
safe. Nobody can open them anymore, except the intended recipient who
has the private key. The exchange of public keys is also automatically
carried out through the EaSecure key server.

Disclaimer: I have an interest in or am associated with EaSecure
Corporation. However, all my postings here are my personal views and
should not be mistaken as the official views of the EaSecure
Corporation. EaSecure Corporation will not be liable for anything I say
or do here.
 
dekket said:
And on that note; I have cracked a PGP key. It didn't take that long.
Can't remember how long exactly, but it was less than a few weeks.
Wow! How many bits does that PGP key have? You should become instantly
famous if you can crack a PGP key of more than 600 bits in less than a
few weeks!

The latest public key cracking result is the 633-bit RSA-200 (See
http://www.rsasecurity.com/rsalabs/node.asp?id=2879 ). It took
the equivalent of 55 years on a single 2.2 GHz Opteron CPU.

Now nobody is using keys less than 633-bit any more. For example,
EaSecure's default key length is 2048-bit and you can change it to up
to 4096 bits.
 
dekket said:
I have zero idea, considering I haven't used it for well over 2 years.
It's not like I bought anything just for testing - perhaps it was
limited to a low number of bits in a trial version?
I'm guessing that if it is what you say it is, then I must have been
using something that was substantially limited.

55 years however... seems really low, considering this (one of our
cryptographers calculated this - I can't explain it so don't ask):
It is not calculated. It is actually cracked. But this is only for 633
bit public key. To crack a 2048-bit public key would be 2(to the power
of)1000 times harder, unless there is some breakthrough in factoring
techniques.
If you had a network of 100'000'000'000(to the power of)32 computers,
and each computer can crack 100 billion keys/second, it would take
roughly 31,709 Quadrillion years to crack the encryption of _one_
secured email.
What a big number - Very impressive!!!!
We consider that to be better than "pretty good".
When you've spent all those years cracking one email, you will have to
spend an equal amount of time on the next email. This is because of the
unique, patented System SKG, in combination with AES256 and SHA-1.
Unless of course you manage to figure out the shared secret, which is
why:

We advise any and all people to use characters and lengths of passwords
that no one can remember or would have difficulties typing. This would
include Hebrew characters etc.
The reason we can do this, is because the shared secret never has to be
remembered.
So all the security rests on the shared secret. How many characters of
shared secret does one need to get the security level you are talking
about? I can tell you will need 100'000'000'000(to the power of)32
typists, typing at 100 billion keys/second for 700 Quadrillion years to
enter that shared secret in order to get the security level you are
talking about. Trying to throw big numbers will not fool anybody.
 
privacy said:
It is not calculated. It is actually cracked. But this is only for 633
bit public key. To crack a 2048-bit public key would be 2(to the power
of)1000 times harder, unless there is some breakthrough in factoring
techniques.
What a big number - Very impressive!!!!
So all the security rests on the shared secret. How many characters of
shared secret does one need to get the security level you are talking
about? I can tell you will need 100'000'000'000(to the power of)32
typists, typing at 100 billion keys/second for 700 Quadrillion years to
enter that shared secret in order to get the security level you are
talking about. Trying to throw big numbers will not fool anybody.

Sorry, I was wrong. The number you are talking about is about 10(to the
power of)480000, so you will need to type 300000 RANDOM characters. It
would be impractical to exchange such a secret over the phone or fax
and type it in.
 
dekket said:
Depending on what kind of characters you use;
- only lowercase: 900 roughly.
- lowercase and capital letter mixed: 120 roughly.
- lowercase/capital letters/numbers: 19.
- characters from all kinds of languages, including all of the above:
11.
19 lowercase/capital/numbers only gives you 62(to the power of)19 =
10(to the power of) 34. It is nothing near the number you talked about.
It is also roughly equivalent to a 113-bit symmetric key. It is far
less than 256-bit AES key used in EaSecure. Of course, symmetric key
larger than 64-bit has not been cracked so far, so Secured eMail is
safe for now. What I am against is trying to confuse the users
with big numbers. An honest security vendor should let the users
clearly understand the level of security their product actually
provides, not throwing big numbers to confuse them.
Nah, you're right. Throwing big numbers around won't make a difference,
but user-friendliness does. I tried EaSecure. Didn't work too well.
Can't say I bothered for more than 20 minutes, but then again, I spent
2 minutes on Secured eMail and it just worked... so there ya go.
EaSecure does not take 20 minutes to set up. All you need to do is to
install the software and open one EaSecure message using a one-time
password and you are all set. You will be able to receive public key
encrypted messages from ALL other EaSecure users and be able to send
EaSecure messages to anyone with an email address.

With Secured eMail, however, you have to exchange and set up the shared
secret with EVERY correspondent using phone or fax, before the message
can be sent. Is this what you call "user friendly"? (I doubt anyone can
do this within 2 minutes as you claim.) This is the classical problem
of symmetric key encryption - it requires DIFFERENT shared secret for
each recipient and the shared secret must be exchanged over a secure
channel (email excluded). Public key encryption was invented to solve
this problem.

EaSecure uses public key encryption, so it does not require exchanging
of a shared secret. The public key is automatically exchanged through a
key server when you click the "send" button to send the message. There
is no need to call or fax your correspondents to exchange a shared
secret before you can send the message.
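
The key-size comparison in the post above (62 to the power of 19 is about 10 to the power of 34, roughly a 113-bit key) can be reproduced with a short calculation. This is an added example, not code from any poster or vendor in this thread; the function names are hypothetical, and the rate of 100 billion guesses per second is the per-computer figure quoted earlier in the thread.

```python
# Added example: how strong is a shared secret, measured in symmetric key bits?
# Valid only if every character is chosen uniformly at random; a secret a
# person makes up is far weaker than these figures.
import math

# Alphabet sizes (assumed here); the 62-symbol case is the one computed in the thread.
ALPHABETS = {"lowercase": 26, "mixed case": 52, "mixed case + digits": 62}

def equivalent_key_bits(alphabet_size: int, length: int) -> float:
    """Size of the symmetric key that has as many values as there are secrets."""
    return length * math.log2(alphabet_size)

def min_length(alphabet_size: int, target_bits: int) -> int:
    """Shortest random secret with at least 2**target_bits possibilities.

    Uses exact integer arithmetic so rounding cannot shave off a character.
    """
    length, space = 0, 1
    while space < (1 << target_bits):
        space *= alphabet_size
        length += 1
    return length

def average_search_years(bits: float, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: half the space at the given rate."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    bits = equivalent_key_bits(62, 19)
    print(f"19 chars from 62 symbols: {bits:.1f} bits, "
          f"{average_search_years(bits, 1e11):.2e} years at 1e11 guesses/s")
    for name, size in ALPHABETS.items():
        print(f"{name:>20}: {min_length(size, 128):>3} chars for 128 bits, "
              f"{min_length(size, 256):>3} chars for 256 bits")
```

Matching a 256-bit AES key takes 43 random characters from the 62-symbol alphabet, which is the gap between the 19-character figure and the key length the secret is meant to protect.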
 
dekket said:
EaSecure does not take 20 minutes to set up. All you need to do is to
install the software and open one EaSecure message using a one-time
password and you are all set. You will be able to receive public key
encrypted messages from ALL other EaSecure users and be able to send
EaSecure messages to anyone with an email address.
<<

Nah it doesn't take 20 minutes to set up - that only took a sec or so.
Getting it to work as you explained it however, was a bit different.
I sent an email to another email account of mine, and it didn't work.
Simple as that. There was no notice about what to do or nuffin.
Can you be a little bit specific on how it did not work? Are you using
the standalone client, Outlook plugin, or Outlook Express plugin? What
happens when you send the message? Better yet, contact EaSecure
technical support (see http://www.easecure.com/support.html). They are
very helpful and respond very fast.
By the way, this "one-time password" (funny, sounds a lot like our
trademarked "one-time shared secret", oh well), that you are talking
about - how is that communicated?
The one-time password is sent to you with an email. If you go to the
EaSecure web site (http://www.easecure.com/ ), enter your email
address, and click "Try It Now", you will receive a one-time password
protected EaSecure message and an email with the one-time password.

When you open the EaSecure message with the one-time password, your
public/private key pair will be automatically generated and the public
key will be posted to the key server for others to retrieve for sending
secure messages to you. After that, all future EaSecure messages sent to
you will be encrypted by your public key that nobody can break. In
addition, the one-time password will expire immediately and cannot be
used any more, so the first one-time password protected EaSecure
message becomes safe also. Nobody can use the one-time password to open
it anymore. You will be the only person holding the key to open all the
past and future EaSecure messages sent to your email address.

This is how EaSecure achieves secure communication without requiring a
secure channel (phone or fax) to exchange a shared secret. This is the
beauty of public key encryption. The one-time password just makes it
extremely easy to set up and run. You only need to use the one-time
password once and you can communicate securely with everyone, unlike
Secured eMail, which requires you to set up and exchange a shared
secret with each of your correspondents.
 
55 years seems really low now
I think if you crack the email after 55 years -- the information is not
really important to me :)
 
RomanK said:
55 years seems really low now
I think if you crack the email after 55 years -- the information is not
really important to me :)
It seems you have no idea what we are talking about in this thread. 55
years is only for 640-bit public key. Nobody is using that kind of key
anymore. EaSecure uses 2048-bit public key by default and it will take
2 to the power of hundreds, if not thousands, of times longer to crack.
 
privacy said:
It seems you have no idea what we are talking about in this thread. 55
years is only for 640-bit public key. Nobody is using that kind of key
anymore. EaSecure uses 2048-bit public key by default and it will take
2 to the power of hundreds, if not thousands, of times longer to crack.
Sorry, I may have misread your post. If you mean that after 55 years
the information in the email is not important anymore, then I am 100%
with you. However, the problem may be one can use 110 computers to
crack the email in 6 months.
 