Motor said:
Forgive me for asking.....where can I get information on 'digital
encryption' used by commercial business? My local Medical Facility is no
longer accepting cash, (but will digitize and transmit checks), as
payments. The 'encryption' newsgroups are apparently not available on
the AIOE servers. I googled but answers were too far over my head. TIA
This article discusses how to send an XRay, and it mentions PGP. As far
as I know, you can get a copy of PGP for free. (I've never used it.)
Of all the mechanisms, this would be the easiest to manage.
http://ezinearticles.com/?What-Are-...ing-X-Rays-Electronically-(Emails)&id=6780826
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
The basic mechanism falls along these lines. The message is
processed with a Public Key, at the sending end. This encrypts
the message. At your end, you possess the Private Key, and only
the Private Key can decrypt the message. You can send the file,
in its encrypted form, as an attachment to an email.
If you were at the ISP, and snooping on the emails, the attachment
would look like "digital noise". So if a person were to take what
they thought was an image file, and looked at it on the screen,
it would just look like speckles of noise. That's encryption.
The weakness is, if the sending party encrypts with the wrong
Public Key, then a third party can intercept the communication
and decode it with the Private Key that matches the bogus Public Key.
If you were able to physically hand a person your Public Key, then
that solves that problem. Otherwise, it's certificates (or other stuffs)
that I don't understand.
I presume that when you get PGP, at the very least it should offer
to create public and private keys. You could then hand-carry the
public key to the other party, as a means to secure the email
attachments. You never give anyone your private key. If your private
key is exposed (i.e. computer is stolen), then you'd revoke the
public key (so no one attempts to encrypt with that one, again).
A non-hand-carried scheme, allows some automation of the revoking
step.
As far as I know, the Public Key is something that could be left dangling
on a Key Server. But then, the problem is, making sure that when someone
wants to use your Public Key, to encrypt a message, they get "the right you".
*******
A second method of securing communications, over a web browser, is HTTPS.
So that's a solution for a "non-email" approach. HTTPS is something
you might use with your bank.
And as you can see in this thread, there's plenty of fun to be had,
trying to ascertain whether everything is on the up and up.
http://support.mozilla.org/en-US/questions/802938
*******
A third method, is to set up a VPN, or virtual private network. Imagine
if you will, a "pipe" which connects you directly to the medical facility.
All the packets in the pipe are encrypted. Using such a setup, you could
use regular web protocols (HTTP), as the pipe handles the issue of
encryption. I used such a VPN setup, when I was doing "work at home". A
server at work, did the encryption. I effectively had a pipe that ran
from home to work, where my ISP could not tap into the conversation. On
my end, a Java program did the encryption of the data payload. I used
to run XWindows protocol over that link, so I could use CAD tools remotely.
The problem with doing that, is, for as long as the VPN is set up, *all*
your network traffic gets routed through the VPN. So if you were "working"
and "looking at porn" over your employer's VPN connection, they would have
a plaintext record of the IP addresses you were visiting. So, if I was using
my VPN connection to work, it had best be for work purposes, and not
for mixed purposes of any type. A VPN can be set up in seconds, so it's
not a problem to drop it moments after you're done with the secure
communications. (Connect VPN to medical facility, do unsecured transaction,
drop VPN to medical facility.)
I don't expect they're going to agree to this, so we'll just leave this
as a fun example.
*******
Some ISPs in the past, chose to throttle communications of certain types.
For example, BitTorrent. A user might attempt to circumvent that, by using
a VPN to a proxy server in another country. The ISP sees nothing but
"digital noise" in the packets. But the ISP, if they wanted, could
throttle any encrypted pipes they might see going by. That's not likely
to be an issue in 2013, but if the performance level of your VPN is
very low, or the VPN "times out" on you, then you'd have your suspicions.
Some countries have strict rules on encryption. If you lived in such
a country, you'd be best off driving to the clinic and getting the
info by hand.
I expect PGP is a solution you could discuss with the other party.
If they know about it, maybe they'll be able to help you set it up.
Just remember to keep the private key, private.
In this commercial PGP product, the Public Key is broadcast by means
of a Key Server. And you can see how other people, gain access to your
Public Key information, indexed by user name and email address. All
that the Public Key does, is give them a means to send you encrypted
communications, so it has no value in and of itself. The part I don't
like about this scheme, is leaving an email address out there. I would
much rather hand-carry the key to the other party (as then, no details
like your email address, are sitting on a key server).
http://www.symantec.com/business/support/index?page=content&id=HOWTO41894
"Enter a full name and email address you would like associated with the key"
Another usage for PGP, is for "signing" USENET postings. In an attempt
to prevent forgeries, a person could sign a message, and you'd see a
"hex block" at the end of a message. If you said something outrageous
in a text message, other people could check that PGP signature, as
proof it was really you who sent it. I don't see too many people
these days, who bother with that mechanism. But a person who was
harassed enough, might resort to using it. I really have no idea,
how many people are set up to check such signatures.
This is another example of secured email. This one is based on GPG.
It's easy to drown in this crap
I had a buddy who liked setting
this stuff up. Mainly for the thrill of setting it up, I expect.
http://en.wikipedia.org/wiki/Enigmail
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
HTH,
Paul
