Security Basics mailing list archives

Re: PGP email encryption


From: Alvin Oga <alvin.sec () Virtual Linux-Sec net>
Date: Thu, 15 Sep 2005 12:52:27 -0700


hi ya meni

On Thu, Sep 15, 2005 at 07:13:00AM +0200, Meni Milstein wrote:
> This client is basically dealing with world-wide customers and is looking
> for the easiest way to send encrypted emails over the internet.

cat message | pgp | mutt -s "encrypted email" recipient.com 

> Looking at a project like PGP, where you install the PGP Universal on a
> dedicated server, I really can't find much of a difference between having a
> secured email server with web access. and here's why.

secured email server is NOT the same as a pgp server

pgp servers:
        http://encrypted-email.net/Servers/

        commercial encrypted email servers run say $25K - $100K range
        so your messages better be worth that expense ... or you can
        build almost the same identical system with open source

for web access, i presume you mean mail over the web, like hotmail/yahoo

        http://www.Linux-Sec.net/Mail/WebMail/
        - there's a couple of encrypted webmail apps

> PGP works (basically) as a mail relay.

pgp works as a sender ( mta ) and/or as a recipient ( mua )

        http://encrypted-email.net/PGP/
        http://encrypted-email.net/Servers/
        http://encrypted-email.net/Clients/


> You send an email to someone and that
> someone receives a notification that a secure email message has been sent to
> him.

if that email did NOT go to the recipient directly, it means
a 3rd party can attempt to decrypt the message

if the encrypted email is sitting in the recipient's mail servers,
they'd presumably have those servers physically and electronically
secure to minimize crackers

> He then follows a link to read the message

bad idea ... for "security"

> through some kind of web
> access client that is actually located on MY PGP dedicated server. So the
> message contents don't really leave my organization.

in that case, you're looking for them to come to your mail servers
to get their email .. which means they have an account on your machine
        ( bad idea )

> If I were to create a simple mail server,

good idea..

> say on a linux box, with SSL
> capabilities, I would then theoretically have the same secure environment
> would I not?

secure as good or bad as your level of "security expertise"

> After all, the encrypting possibilities provided by PGP are
> more or less standard, aren't they?

the encryption is standardized..

the key people use is easily crackable if "people" decide what it is
vs  basically not-crackable when using truly random keys  
and we'll ignore all the determined 2- and 3-letter agencies to read your
encrypted emails

> Also - what if I were to implement POP3 capabilities to that linux mail
> server?  Wouldn't using SSL POP3 and SSL SMTP access give me more or less the
> same protection?

no ... that is just users logging in to get their email via secure pop

the encrypted email is NOT the same protection as secure pop

- ssl is semi broken

- pgp encryption is mostly non-breakable

> As far as I can see, aside for the fact that PGP sends a notification to the

pgp does NOT send notification .. you are configuring your servers to do odd things

> receiving user about the new message, PGP gives me no added value (for email
> protection).

pgp gives tons of added value to hide the content of the messages

you can easily break the users login and passwd but it is still unlikely
that you can decrypt the emails that were encrypted with truly random keys
and random pass phrases

> Am I wrong?

yes and no .. depending on which part and methodology

c ya
alvin
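
The reply's contrast between secrets that people decide and truly random keys and pass phrases can be put in numbers. The following is an added example, not part of the original message: the word list, the word-plus-digits pattern, the guess rate and all function names are assumptions made for illustration.

```python
import math
import re
import secrets
import string

# Constructed sample dictionary standing in for an auditor's word list.
# A real list is far larger, but still adds only around 20 bits.
WORDS = {"amber", "bridge", "cactus", "dolphin", "ember", "falcon", "glacier",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
         "orchid", "pepper"}
ALPHABET = string.ascii_letters + string.digits  # 62 symbols

def random_passphrase(length):
    """Draw each character uniformly with a CSPRNG; return (secret, bits)."""
    secret = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return secret, length * math.log2(len(ALPHABET))

def human_choice_bits(password, words=WORDS):
    """Bits of guessing work for a common human pattern: one dictionary word,
    lower-case or Capitalised, followed by digits. None if no such match."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", password)
    if not m:
        return None
    word, digits = m.groups()
    base = word.lower()
    if base not in words or word not in (base, base.capitalize()):
        return None
    # Candidates to try: every word x 2 case forms x every digit suffix
    # of length 0..len(digits).
    suffixes = sum(10 ** k for k in range(len(digits) + 1))
    return math.log2(len(words) * 2 * suffixes)

def seconds_to_search(bits, guesses_per_second):
    """Expected time to find the secret: half the search space at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second

if __name__ == "__main__":
    RATE = 1e6  # assumed guess rate, for illustration only
    weak = human_choice_bits("Falcon2005")
    _, strong = random_passphrase(20)
    print(f"word+digits : {weak:5.1f} bits, {seconds_to_search(weak, RATE):.2g} s")
    print(f"20 random   : {strong:5.1f} bits, {seconds_to_search(strong, RATE):.2g} s")
```
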

