Re: easiest and best email encryption plug-in

From: John Elsbury (johne@sovereign.co.nz)
Date: 03/12/02 

From: johne@sovereign.co.nz (John Elsbury)
Date: Tue, 12 Mar 2002 02:00:27 GMT

On 11 Mar 2002 16:06:51 GMT, phn@icke-reklam.ipsec.nu wrote:

<snip>
>
>Well, if the virus-scan can decrypt the mail, i would not call them
>secure. ( any breakin into one machine will jeopardize everyones security)

It doesn't have to. It works like this:

The E-mail content management software's job is to accurately parse
e-mail content and attachments and verify compliance with specified
policies: for example, blocking viruses, blocking scripts,
quarantining specified image types, blocking e-mail containing
specified expressions, and so on. Typically it will also include an
SMTP relay function.

For this to be effective, the software has to be able to see the
e-mail message header, body, and attachments. If a body or
attachment is encrypted then this cannot be done.

The solution is to move key management to the content management
software. In the case of a scheme using secure mime, the external
party acquires a certificate and sends it to the relay administrator.
The relay end - typically a corporate - sends a certificate (possibly,
but not necessarily, self-signed) to the external party. Rules are
set up to specify encryption and/or digital signing of outgoing mail
to that external party. From then on, the relay component decrypts
(etc) incoming mail then passes it to the content management engine.
Outgoing mail is likewise checked by the content management engine (if
required by policy) then signed and encrypted.

This is referred to as "proxy encryption". It has the big advantage
that (at least internally) the key management process is hidden from
the user: while it also permits the elimination of risky items,
typically attachments, before they pass into the organisation.

Typically it doesn't matter that the process is not true "end-to-end"
encryption, as the last leg in the journey is within the corporate
security domain.

Relevant Pages

  • Re: Analog Hole Bill Would Require Secret Tech No One Can Examine
    ... >> Nobody has managed to crack VideoCipher encryption on C-band satellite ... >> Nobody managed to crack the triple-DES protection on Divx DVDs. ... triple-DES is used for key management. ... > large enough, someone may eventually hack. ...
    (sci.electronics.design)
  • RE: Signing before Encryption and Signing after Encryption
    ... private key MUST have been used, ... Signing before Encryption and Signing after Encryption ... Key management is a bugger, ...
    (Security-Basics)
  • RE:Encrypting data on fileserver
    ... walking out with a fileserver. ... Tell management that there are dangers in encrypting filesystems. ... need to encrypt the fileserver because of PCI requirements. ... from an encryption key being hosed, or one of many other potentially ...
    (Security-Basics)
  • Re: Remote access from Internet
    ... A relay (management) server actually opens up a lot of possibilities: look on it as added, centralised value - you can do far more there than you can at each remote site, including logging, account management, upgrades, etc etc etc. ... The project, however, is supposed to include a quick and simple implementation of basic networking. ... the relay serverare secure. ... I'm sure you know not to be tempted to try to be secure through obscurity, or to try to write your own... ...
    (comp.arch.embedded)
  • Re: Exchange Error Translation needed
    ... relay through me, but since I have relay off, is this just a ... Someone attempted to relay spam through your server and your server ... Management" tools where it is called "First Organization". ... Microsoft Small Business Specialist Partner ...
    (microsoft.public.windows.server.sbs)