RE: PGP email encryption
From: Meni Milstein (meni_at_msec.co.il)
Date: 09/15/05
- Previous message: Alvin Oga: "Re: PGP email encryption"
- In reply to: Alvin Oga: "Re: PGP email encryption"
- Next in thread: Alvin Oga: "Re: PGP email encryption"
- Reply: Alvin Oga: "Re: PGP email encryption"
- Reply: AragonX: "RE: PGP email encryption"
Date: Thu, 15 Sep 2005 23:32:34 +0200
To: 'Alvin Oga' <alvin.sec@Virtual.Linux-Sec.net>
Thank you for your detailed answer!
The reason I asked this question in the first place was because the answers
I got (and keep getting) from the technical team and sales team at PGP were
inconclusive, and certainly WAY off what you are saying.
There IS a web client to PGP, and one way to use "email encryption" in PGP
(according to the tech team at PGP) is to have the PGP server catch the
message after it passed through, say, my exchange server, and instead of
sending that message, send another message (notification message) to the
receiving end - with a link. The link will lead the user to read the message
off the "web messenger" on the PGP server through HTTPS. The access is done
using a user entered pass phrase (which according to what you said - is very
bad.)
So again - that's the answer I got from the tech team to PGP - are THEY
wrong? Cause I am going out of my mind trying to understand how this works.
There are, of course, 2 other ways of using "email encryption" in PGP. One
is to use what they call the "Satellite" and the other is to send the email
as an encrypted attachment that requires a pass phrase to open.
Sincerely yours,
Meni Milstein
www.msec.co.il
meni@msec.co.il
P.O. Box 1124 Ramat Hasharon, Israel 47100
-----Original Message-----
From: Alvin Oga [mailto:alvin.sec@Virtual.Linux-Sec.net]
Sent: Thursday, September 15, 2005 9:52 PM
To: Meni Milstein
Cc: security-basics@securityfocus.com; Alvin Oga
Subject: Re: PGP email encryption
hi ya meni
On Thu, Sep 15, 2005 at 07:13:00AM +0200, Meni Milstein wrote:
> This client is basically dealing with world-wide customers and is looking
> for the easiest way to send encrypted emails over the internet.
cat message | pgp | mutt -s "encrypted email" recipient.com
> Looking at a project like PGP, where you install the PGP Universal on a
> dedicated server, I really can't find much of a difference between having a
> secured email server with web access. and here's why.
secured email server is NOT the same as a pgp server
pgp servers:
http://encrypted-email.net/Servers/
commercial encrypted email servers run say $25K - $100K range
so your messages better be worth that expense ... or you can
build almost the same identical system with open source
for web access, i presume you mean mail over the web, like hotmail/yahoo
http://www.Linux-Sec.net/Mail/WebMail/
- there's a couple of encrypted webmail apps
> PGP works (basically) as a mail relay.
pgp works as a sender ( mta ) and/or as a recipient ( mua )
http://encrypted-email.net/PGP/
http://encrypted-email.net/Servers/
http://encrypted-email.net/Clients/
> You send an email to someone and that
> someone receives a notification that a secure email message has been sent to
> him.
if that email did NOT go to the recipient directly, it means
a 3rd party can attempt to decrypt the message
if the encrypted email is sitting in the recipients' mail servers,
they'd presumably have those servers physically and electronically
secure to minimize crackers
> He then follows a link to read the message
bad idea ... for "security"
> through some kind of web
> access client that is actually located on MY PGP dedicated server. So the
> message contents don't really leave my organization.
in that case, you're looking for them to come to your mail servers
to get their email .. which means they have an account on your machine
( bad idea )
> If I were to create a simple mail server,
good idea..
> say on a linux box, with SSL
> capabilities, I would then theoretically have the same secure environment
> would I not?
secure as good or bad as your level of "security expertise"
> After all, the encrypting possibilities provided by PGP are
> more or less standard, aren't they?
the encryption is standardized..
the key people use is easily crackable if "people" decide what it is
vs basically not-crackable when using truly random keys
and we'll ignore all the determined 2- and 3-letter agencies to read your
encrypted emails
> Also - what if I were to implement POP3 capabilities to that linux mail
> server? Wouldn't using SSL POP3 and SSL SMTP access give me more or less the
> same protection?
no ... that is just users logging in to get their email via secure pop
the encrypted email is NOT the same protection as secure pop
- ssl is semi broken
- pgp encryption is mostly non-breakable
> As far as I can see, aside for the fact that PGP sends a notification to the
pgp does NOT send notification .. you are configuring your servers to do odd
things
> receiving user about the new message, PGP gives me no added value (for email
> protection).
pgp gives tons of added value to hide the content of the messages
you can easily break the users login and passwd but it is still unlikely
that you can decrypt the emails that were encrypted with truly random keys
and random pass phrases
> Am I wrong?
yes and no .. depending on which part and methodology
c ya
alvin
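Alvin's distinction between TLS-protected POP3/SMTP sessions and message-level PGP encryption, as an added illustration that is not part of the original thread: what a relay or mailbox server can read from an ordinary message versus a PGP/MIME (RFC 3156) wrapped one. The addresses, subject and armored blob are constructed placeholders, and no real OpenPGP encryption takes place; only the MIME structure is real.

```python
"""What a mail relay (or a mailbox server reached over TLS POP3/SMTP) can
read: everything, for an ordinary message, versus only headers and OpenPGP
ciphertext for a PGP/MIME (RFC 3156) message. Added illustration for this
thread, not PGP Corp's code; the ciphertext is a constructed placeholder."""
from email import message_from_bytes, policy
from email.encoders import encode_7or8bit
from email.message import EmailMessage
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart

# Constructed sample body and a stand-in for its ASCII-armored ciphertext
SECRET_BODY = "Invoice 4711: wire 12,000 EUR to account NL00-TEST-0001"
FAKE_ARMOR = ("-----BEGIN PGP MESSAGE-----\n\n"
              "hQEMA0plY2V...constructed placeholder, not real ciphertext...\n"
              "-----END PGP MESSAGE-----\n")

def plain_message(sender, rcpt, body):
    """Ordinary message: TLS on SMTP/POP3 protects each hop, not the content."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "invoice"
    msg.set_content(body)
    return msg.as_bytes()

def pgp_mime_message(sender, rcpt, armored):
    """RFC 3156 multipart/encrypted: a control part plus the OpenPGP ciphertext."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"], outer["To"], outer["Subject"] = sender, rcpt, "invoice"
    ctrl = MIMEBase("application", "pgp-encrypted")
    ctrl.set_payload("Version: 1\n")
    data = MIMEBase("application", "octet-stream", name="encrypted.asc")
    data.set_payload(armored)
    for part in (ctrl, data):
        encode_7or8bit(part)
        outer.attach(part)
    return outer.as_bytes()

def relay_view(raw):
    """Everything a relay can read from the wire bytes: headers and leaf parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no content of their own
        parts.append((part.get_content_type(),
                      part.get_payload(decode=True).decode("ascii", "replace")))
    return {"type": msg.get_content_type(), "subject": msg["Subject"], "parts": parts}

def relay_can_read(raw, secret):
    """True if the plaintext secret is visible anywhere in the message body."""
    return any(secret in text for _, text in relay_view(raw)["parts"])
```

Note that the Subject and addresses stay readable in both cases: PGP hides the body, not the envelope or headers.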