Information Security News mailing list archives
Product review of CryptoGram
From: InfoSec News <isn () C4I ORG>
Date: Fri, 17 Nov 2000 01:54:26 -0600
http://www.washingtonpost.com/wp-dyn/articles/A29277-2000Nov15.html

[While I'm not a trademark attorney, I think I see a lawsuit possibly brewing from the folks at Counterpane over the name of this product. -WK]

By John Breeden II
Government Computer News
Thursday, November 16, 2000; Page E11

Have you ever seen an air courier with a briefcase handcuffed to his arm? CryptoGram operates a lot like that. It locks down e-mail attachments and uploaded files so only users with the correct keys can see inside. Others see unintelligible garbage, if they can get the files open at all.

But first, users have to get past CryptoGram's poor documentation--the manual is so difficult to read in spots that it might as well be encrypted itself. Its diagrams are downright illegible.

Fortunately, the program is simple to use: Select a file and right-click on it to invoke its back-end engine, which does 168-bit Triple Data Encryption Standard encryption.

Other security elements in the program hamper use of code-breaking systems, a factor that influenced my favorable grade. After CryptoGram counts three improper decryption entries, it doubles the amount of time before it will recognize each new attempt. At first this is hardly noticeable, because the interval is only a few seconds. But as math students know, doubling and redoubling numbers quickly makes them astronomical.

It brings to mind the fable about the man who invented the game of checkers to amuse a powerful king. As his reward, the inventor asked for only a single grain of rice for the first square of the game, two for the second, double again for the third and so on for all 64 squares. The king readily agreed, not imagining that by the 64th square he would owe quintillions of grains of rice. He learned his math lesson the hard way, and so would a code breaker. Pretty soon, he would be waiting years between hack attempts.

CryptoGram's interface is quite good and flexible. You create the crypto keys on floppy disks for distribution to your authorized users. There could be one key for all department heads and another for all program officials, for example. If only the program officials were allowed to open a particular document, it would be encrypted for their key. Each token, generally a floppy disk, is password-protected, which reduces worries about what could happen if third parties obtained a token.

Tokens, however, can be dispensed with altogether if the sender of an encrypted file uses CryptoGram's self-extracting file option, which relieves the recipient of the need for a copy of the program. To make a self-extracting file, the sender creates a pass phrase, which must be at least 10 characters long and can be a maximum of 100 characters. The phrase might be something such as "13 eggs make a baker's dozen," which combines case-sensitive capitalization and numbers, or something simpler, such as "I enjoy hamburgers." The sender transmits the pass phrase to the recipient by a separate route.

After the recipient gets the attachment and follows an automatic prompt to enter the decryption phrase, the attachment will open as usual. But if the phrase isn't entered exactly, an error message will appear and the attachment will remain encrypted. The same time-doubling feature after three errors applies here, too.

A final feather in CryptoGram's cap is that it can be set to automatically encrypt any data dropped into encrypted folders or any e-mail before transmission. In my tests, this did not appreciably lengthen the time it took to send 100 encrypted 14-megabyte files.

The program also can invalidate a user's log-in after a certain period of inactivity. Subsequently, the user will be locked out even if the proper token is presented and must then enter a password. Unfortunately, this automatic log-out feature is tied to the Microsoft Windows screen saver and presents a small vulnerability. Whatever activation interval the user has chosen for the screen saver is the maximum inactivity allowed. But Windows screen saver controls are unprotected, and a data thief could just watch for an opportunity to turn off the screen saver, then wait for a period of unattended use to take over the system. The burden falls on the user to log out when leaving the computer--and many people could come to trust CryptoGram's timed log-out and not realize that its controls are unprotected.

CryptoGram is a surprisingly useful program for the price of $49. For users working over insecure communications networks, it's a good shield. An enterprise edition of CryptoGram adds a centralized key generation tool and a key recovery mechanism.

CryptoGram
SpartaCom Inc., Tucson
Phone number: 520-670-7100
Web address: www.spartacom.com
Price: $49
Box score: A
Pro:
+ Triple DES encryption
+ Recipients need not have CryptoGram software
Con:
- Poor user manual
- Automatic log-out tied to unsecured screen saver
Real-life requirements: Win9x or NT 4.0, 32 MB of RAM, 3 MB of free storage, CD-ROM drive for installation

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
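To make the "three free attempts, then doubling" policy concrete, here is a small model of it in Python. It is an added example, not CryptoGram's own code; the 2-second starting interval is an assumption (the review only says "a few seconds"), and the gate simply ignores attempts that arrive before the wait has elapsed, which is how the review describes the behaviour.

```python
"""Model of the failed-attempt backoff described in the review: the first
three wrong pass phrases cost nothing extra; from the fourth wrong entry on,
the wait before another attempt is recognised doubles every time.
Added example, not CryptoGram's code. BASE_DELAY_S is an assumption."""
from dataclasses import dataclass

FREE_ATTEMPTS = 3      # stated in the review
BASE_DELAY_S = 2.0     # assumed: "only a few seconds" at first


def delay_after(failures: int, base: float = BASE_DELAY_S) -> float:
    """Seconds the user must wait after `failures` consecutive wrong entries."""
    if failures <= FREE_ATTEMPTS:
        return 0.0
    return base * 2 ** (failures - FREE_ATTEMPTS - 1)


def total_wait(failures: int, base: float = BASE_DELAY_S) -> float:
    """Cumulative seconds spent waiting over `failures` wrong entries in a row."""
    return sum(delay_after(n, base) for n in range(1, failures + 1))


@dataclass
class BackoffGate:
    """Enforces the policy: attempts made before the wait elapses are ignored."""
    secret: str
    failures: int = 0
    unlock_at: float = 0.0   # wall-clock time at which the next attempt counts

    def attempt(self, phrase: str, now: float) -> str:
        if now < self.unlock_at:
            return "locked"            # still inside the doubling wait
        if phrase == self.secret:
            self.failures = 0          # success resets the counter
            self.unlock_at = 0.0
            return "ok"
        self.failures += 1
        self.unlock_at = now + delay_after(self.failures)
        return "wrong"


if __name__ == "__main__":
    # The 30th wrong guess alone costs 2 * 2**26 seconds, over four years,
    # which is the "waiting years between hack attempts" point of the review.
    years = delay_after(30) / (365 * 86400)
    print(f"wait after 30 failures: {years:.1f} years")
```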