Information Security News mailing list archives

Product review of CryptoGram


From: InfoSec News <isn () C4I ORG>
Date: Fri, 17 Nov 2000 01:54:26 -0600

http://www.washingtonpost.com/wp-dyn/articles/A29277-2000Nov15.html

[While I'm not a trademark attorney, I think I see a lawsuit
possibly brewing from the folks at Counterpane over the name of this
product.  -WK]


By John Breeden II
Government Computer News
Thursday, November 16, 2000; Page E11

Have you ever seen an air courier with a briefcase handcuffed to his
arm? CryptoGram operates a lot like that.

It locks down e-mail attachments and uploaded files so only users with
the correct keys can see inside. Others see unintelligible garbage, if
they can get the files open at all.

But first, users have to get past CryptoGram's poor documentation--the
manual is so difficult to read in spots that it might as well be
encrypted itself. Its diagrams are downright illegible.

Fortunately, the program is simple to use: Select a file and
right-click on it to invoke its back-end engine, which does 168-bit
Triple Data Encryption Standard encryption. Other security elements in
the program hamper use of code-breaking systems, a factor that
influenced my favorable grade.

After CryptoGram counts three improper decryption entries, it doubles
the amount of time before it will recognize each new attempt.

At first this is hardly noticeable, because the interval is only a few
seconds. But as math students know, doubling and redoubling numbers
quickly makes them astronomical. It brings to mind the fable about the
man who invented the game of checkers to amuse a powerful king. As his
reward, the inventor asked for only a single grain of rice for the
first square of the game, two for the second, double again for the
third and so on for all 64 squares.

The king readily agreed, not imagining that by the 64th square he
would owe quintillions of grains of rice. He learned his math lesson
the hard way, and so would a code breaker. Pretty soon, he would be
waiting years between hack attempts.
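The throttling behaviour the review describes (three failures are tolerated, then the wait before the next attempt is accepted doubles on every further failure, and the same rule applies to the self-extracting pass phrase path) can be modelled in a few lines. The block below is an added illustration written for this page, not SpartaCom's CryptoGram code; the 2-second starting interval, the function and class names, and the "clock is injected" design are assumptions. The pass-phrase length check reflects the 10-to-100-character limits the review gives for self-extracting files.

```python
"""Illustrative failed-attempt throttle modelled on the review's description.
Not CryptoGram's implementation: the base interval and all names are assumed."""
import hmac
from dataclasses import dataclass

FREE_ATTEMPTS = 3          # failures tolerated before throttling starts
BASE_DELAY_SECONDS = 2.0   # assumed first interval ("only a few seconds")
SECONDS_PER_YEAR = 365.25 * 86400

MIN_PASSPHRASE = 10        # limits stated in the review for self-extracting files
MAX_PASSPHRASE = 100


def required_delay(failures: int) -> float:
    """Seconds that must elapse after `failures` consecutive bad entries
    before another attempt is even looked at. Nothing until the third
    failure; from then on the interval doubles with each failure."""
    if failures < FREE_ATTEMPTS:
        return 0.0
    return BASE_DELAY_SECONDS * 2 ** (failures - FREE_ATTEMPTS)


def delay_in_years(failures: int) -> float:
    """Same quantity expressed in years, to show how fast doubling grows."""
    return required_delay(failures) / SECONDS_PER_YEAR


def validate_passphrase(passphrase: str) -> bool:
    """Length rule for a self-extracting file's pass phrase."""
    return MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE


@dataclass
class DecryptThrottle:
    """Tracks consecutive failures for one protected file or token.

    `now` is passed in by the caller (e.g. time.monotonic()) rather than
    read inside, so the logic can be exercised without sleeping."""
    expected_passphrase: str
    failures: int = 0
    next_allowed: float = 0.0   # timestamp at which the next attempt is accepted

    def attempt(self, passphrase: str, now: float) -> str:
        """Returns 'ok', 'wrong' or 'throttled'.

        A throttled attempt is rejected without being checked and does not
        count as a failure, so hammering the prompt gains nothing."""
        if now < self.next_allowed:
            return "throttled"
        # Constant-time comparison; mismatched lengths simply compare unequal.
        if hmac.compare_digest(passphrase.encode(), self.expected_passphrase.encode()):
            self.failures = 0
            self.next_allowed = 0.0
            return "ok"
        self.failures += 1
        self.next_allowed = now + required_delay(self.failures)
        return "wrong"


if __name__ == "__main__":
    # Constructed walk-through with a fake clock starting at t=0.
    t = DecryptThrottle("I enjoy hamburgers.")
    clock = 0.0
    for guess in ["a", "b", "c", "d", "I enjoy hamburgers."]:
        print(f"t={clock:5.1f}s guess={guess!r:22} -> {t.attempt(guess, clock)}"
              f" (next allowed at {t.next_allowed:.1f}s)")
        clock = t.next_allowed
    print(f"After 33 consecutive failures the wait is {delay_in_years(33):.0f} years")
```

Two points a practitioner would take from this: the counter and the `next_allowed` timestamp must live somewhere an attacker cannot reset (on-disk state tied to the token, not just in the running process), or the throttle only slows down the polite; and the delay is applied before the comparison, so a guess made inside the window is never evaluated at all.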

CryptoGram's interface is quite good and flexible. You create the
crypto keys on floppy disks for distribution to your authorized users.
There could be one key for all department heads and another for all
program officials, for example. If only the program officials were
allowed to open a particular document, it would be encrypted for their
key.

Each token, generally a floppy disk, is password-protected, which
reduces worries about what could happen if third parties obtained a
token. Tokens, however, can be dispensed with altogether if the sender
of an encrypted file uses CryptoGram's self-extracting file option,
which relieves the recipient of the need for a copy of the program.

To make a self-extracting file, the sender creates a pass phrase,
which must be at least 10 characters long and can be a maximum of 100
characters. The phrase might be something such as "13 eggs make a
baker's dozen," which combines case-sensitive capitalization and
numbers, or something simpler, such as "I enjoy hamburgers."

The sender transmits the pass phrase to the recipient by a separate
route. After the recipient gets the attachment and follows an
automatic prompt to enter the decryption phrase, the attachment will
open as usual. But if the phrase isn't entered exactly, an error
message will appear and the attachment will remain encrypted. The same
time-doubling feature after three errors applies here, too.

A final feather in CryptoGram's cap is that it can be set to
automatically encrypt any data dropped into encrypted folders or any
e-mail before transmission.

In my tests, this did not appreciably lengthen the time it took to
send 100 encrypted 14-megabyte files.

The program also can invalidate a user's log-in after a certain period
of inactivity. Subsequently, the user will be locked out even if the
proper token is presented and must then enter a password.

Unfortunately, this automatic log-out feature is tied to the Microsoft
Windows screen saver and presents a small vulnerability.

Whatever activation interval the user has chosen for the screen saver
is the maximum inactivity allowed. But Windows screen saver controls
are unprotected, and a data thief could just watch for an opportunity
to turn off the screen saver, then wait for a period of unattended use
to take over the system. The burden falls on the user to log out when
leaving the computer--and many people could come to trust CryptoGram's
timed log-out and not realize that its controls are unprotected.

CryptoGram is a surprisingly useful program for the price of $49. For
users working over insecure communications networks, it's a good
shield. An enterprise edition of CryptoGram adds a centralized key
generation tool and a key recovery mechanism.

CryptoGram

SpartaCom Inc., Tucson

Phone number: 520-670-7100

Web address: www.spartacom.com

Price: $49

Box score: A

Pro:

+ Triple DES encryption

+ Recipients need not have CryptoGram software

Con:

- Poor user manual

- Automatic log-out tied to unsecured screen saver

Real-life requirements: Win9x or NT 4.0, 32 MB of RAM, 3 MB of free
storage, CD-ROM drive for installation

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".