Security Basics mailing list archives

RE: PGP email encryption


From: Meni Milstein <meni () msec co il>
Date: Thu, 15 Sep 2005 23:32:34 +0200

Thank you for your detailed answer!
The reason I asked this question in the first place was because the answers
I got (and keep getting) from the technical team and sales team at PGP were
inconclusive, and certainly WAY off what you are saying.

There IS a web client to PGP, and one way to use "email encryption" in PGP
(according to the tech team at PGP) is to have the PGP server catch the
message after it passed through, say, my exchange server, and instead of
sending that message, send another message (notification message) to the
receiving end, with a link. The link will lead the user to read the message
off the "web messenger" on the PGP server through HTTPS. The access is done
using a user-entered pass phrase (which, according to what you said, is very
bad).

So again - that's the answer I got from the tech team at PGP - are THEY
wrong? 'Cause I am going out of my mind trying to understand how this works.

There are, of course, 2 other ways of using "email encryption" in PGP. One
is to use what they call the "Satellite" and the other is to send the email
as an encrypted attachment that requires a pass phrase to open.

Sincerely yours,
Meni Milstein
www.msec.co.il
meni () msec co il
P.O. Box 1124 Ramat Hasharon, Israel 47100

-----Original Message-----
From: Alvin Oga [mailto:alvin.sec () Virtual Linux-Sec net] 
Sent: Thursday, September 15, 2005 9:52 PM
To: Meni Milstein
Cc: security-basics () securityfocus com; Alvin Oga
Subject: Re: PGP email encryption


hi ya meni

On Thu, Sep 15, 2005 at 07:13:00AM +0200, Meni Milstein wrote:
> This client is basically dealing with world-wide customers and is looking
> for the easiest way to send encrypted emails over the internet.

cat message | pgp | mutt -s "encrypted email" recipient.com 

> Looking at a project like PGP, where you install the PGP Universal on a
> dedicated server, I really can't find much of a difference between having a
> secured email server with web access. and here's why.

secured email server is NOT the same as a pgp server

pgp servers:
        http://encrypted-email.net/Servers/

        commercial encrypted email servers run say $25K - $100K range
        so your messages better be worth that expense ... or you can
        build almost the same identical system with open source

for web access, i presume you mean mail over the web, like hotmail/yahoo

        http://www.Linux-Sec.net/Mail/WebMail/
        - there's a couple of encrypted webmail apps

> PGP works (basically) as a mail relay.

pgp works as a sender ( mta ) and/or as a recipient ( mua )

        http://encrypted-email.net/PGP/
        http://encrypted-email.net/Servers/
        http://encrypted-email.net/Clients/


> You send an email to someone and that someone receives a notification
> that a secure email message has been sent to him.

if that email did NOT go to the recipient directly, it means
a 3rd party can attempt to decrypt the message

if the encrypted email is sitting in the recipient's mail servers,
they'd presumably have those servers physically and electronically
secure to minimize crackers

> He then follows a link to read the message

bad idea ... for "security"

> through some kind of web
> access client that is actually located on MY PGP dedicated server. So the
> message contents don't really leave my organization.

in that case, you're looking for them to come to your mail servers
to get their email .. which means they have an account on your machine
        ( bad idea )

> If I were to create a simple mail server,

good idea..

> say on a linux box, with SSL
> capabilities, I would then theoretically have the same secure environment
> would I not?

secure as good or bad as your level of "security expertise"

> After all, the encrypting possibilities provided by PGP are
> more or less standard, aren't they?

the encryption is standardized..

the key people use is easily crackable if "people" decide what it is
vs basically not-crackable when using truly random keys
and we'll ignore all the determined 2- and 3-letter agencies trying to read your
encrypted emails

> Also - what if I were to implement POP3 capabilities to that linux mail
> server?  Wouldn't using SSL POP3 and SSL SMTP access give me more or less the
> same protection?

no ... that is just users logging in to get their email via secure pop

the encrypted email is NOT the same protection as secure pop

- ssl is semi broken

- pgp encryption is mostly non-breakable

> As far as I can see, aside from the fact that PGP sends a notification to the

pgp does NOT send notification .. you are configuring your servers to do odd
things

> receiving user about the new message, PGP gives me no added value (for email
> protection).

pgp gives tons of added value to hide the content of the messages

you can easily break the users login and passwd but it is still unlikely
that you can decrypt the emails that were encrypted with truly random keys
and random pass phrases

> Am I wrong?

yes and no .. depending on which part and methodology

c ya
alvin
